Changing the system security profile
You were asked to choose a security profile at installation time. It is possible to later select a different profile by using the Security Profile Manager located in the System/Security directory of the SCOadmin hierarchy. Use the Current security profile button to change the profile and select Save from the Security menu to save the new profile. You may be asked to reboot your system before the change takes effect.
WARNING: After using lower security profiles it is possible to select the Improved or High defaults, but this does not mean your system conforms to the requirements of a C2 system. By definition, a C2 system must adhere to the requirements from initial installation. This is because modifications made to the system while at the lower level potentially violate the requirements associated with the higher level.
These profiles are available:
High - Recommended for systems containing confidential information and accessed by many users. Passwords are strictly controlled and assigned to users; users cannot choose their own. User accounts cannot be removed or reactivated. All C2 features are engaged and account database corruption results in a lockout of all users until the administrator fixes the problem.
Improved - Recommended for systems accessed by groups of users who can share information. Password expiration is more lenient and users can choose their own passwords. LUIDs are not enforced, and user accounts can be removed or reactivated as desired. Account database corruption results in system lockout.
Traditional - Provided for compatibility with other UNIX systems. Passwords do not expire and standard System V password checking is used. Passwords are not required. Database corruption is handled transparently.
Low - Recommended only for systems which are not publicly accessible and which have a small number of cooperating users. No C2 features are engaged and no password checking is done. The /etc/shadow file does not exist by default.
The High and Improved defaults are designed to meet the requirements set forth by the Department of Defense's Trusted Computer System Evaluation Criteria (also known as TCSEC or the Orange Book).
You can change the security profile from the command line using relax(ADM). For example, this command sets the Improved profile:
    relax improved
The security profiles are merely a set of values that can be customized as desired. If "The security subsystem has been modified" appears on the screen, that means that you have made changes to individual security parameters. Customized values are overwritten when you select a new profile.
© 2007 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 05 June 2007