System Administration Guide

About this book
        How this book is organized
        C2 security documentation requirements
        How can we improve this book?

Administering user accounts
        The Account Manager interface
                About default selections
        Adding and modifying user accounts
                Using account templates
                Removing or retiring a user account
                Reactivating a retired user account
                Setting and changing user and group IDs (UID/GID)
                        Changing ownership of files with an obsolete UID/GID
                Changing user login groups
                Changing a user's group membership
                Changing user login shells
                Login shells
                Restricted shells
                Changing user home directories
                Changing user type
                Changing user priority
                Adding and modifying default environment files
        Managing groups
                About groups
                Adding or modifying a group
                Removing a group
                Setting the group ID for file creation in a directory
                Changing the limit on simultaneous group membership
        Managing passwords
                Setting or changing a user password
                Controlling password expiration
                Controlling password selection
                        Allowing accounts without passwords
                        Preventing users from changing their passwords
                        Allowing users to generate passwords
                        Restricting password obviousness
                        Customizing password checking
                        Setting password length
                Setting passwords for dial-in lines
        Setting login restrictions
                Setting login restrictions on accounts
                Setting login restrictions on terminals
                Locking or unlocking a user account
                Locking or unlocking a terminal
        Assigning user powers
                Assigning subsystem authorizations
                        Primary authorizations
                        Secondary authorizations
                Changing system privileges
                        System privileges and authorizations
                Allowing users to skip login messages
                Allowing users to execute superuser commands
                Accessing other accounts with su(C)
                        Logging su(C) usage
                Controlling the use of job scheduling commands
                        Changing the default permissions for job scheduling
                        Changing the job scheduling permissions for a user
                        Using environment files for the at or batch commands
        Changing the system security profile
                Security profiles
        Understanding account database files
                Configuring database precedence and recovery
                Editing the /etc/passwd file
                Configuring the shadow password file
        Copying user accounts
                Copying user accounts to non-SCO OpenServer systems
                Copying user accounts from SCO XENIX or non-SCO OpenServer systems
                        Password compatibility across UNIX systems
        Troubleshooting the Account Manager
                Illegal specification for a user or group attribute
                Remote administration problem
                Missing or corrupted database files

Administering filesystems
        The Filesystem Manager interface
        About filesystems
                Filesystem types
                Adding support for different filesystem types
        Adding and removing mount configuration
        Modifying filesystem mount configuration
                Modifying HTFS, EAFS, AFS, and S51K root filesystem mount configuration
                Modifying DTFS root filesystem mount configuration
                Enabling users to mount filesystems
                Filesystem mount options (HTFS, EAFS, AFS, S51K)
                        Mounting as a temporary filesystem
                        Checkpointing your filesystem
                        Logging filesystem transactions
                        Versioning filesystems (undelete)
                Filesystem mount options (DTFS)
                        Data compression
                        Forced data writes to disk
                Filesystem mount options (High Sierra and ISO9660)
                Filesystem mount options (Rockridge)
                Filesystem mount options (DOS)
        Mounting and unmounting filesystems
                About mounting DOS filesystems
                        DOS filesystems and access permissions
                        DOS filesystem limitations
        Creating filesystems on floppy disks
        Checking and repairing filesystems
                Check and repair options
                Filesystem check phases (HTFS, EAFS, AFS, S51K)
                Filesystem check phases (DTFS)
                How UNIX systems maintain files and filesystems
        Maintaining free space in filesystems
                Displaying filesystem and directory usage statistics
                Locating files
                        Finding temporary files
                        Executing commands based on find output
                Checking and clearing system log files
                        Using the System Logs Manager
                        Clearing system log files from the command line
                        Clearing log files automatically
                Adding disk space and restructuring filesystems
                Moving a subdirectory to another filesystem using symbolic links
        Maintaining filesystem efficiency
                Reducing disk fragmentation
                Monitoring and limiting directory sizes
                Removing empty directory slots
                Out of inodes on filesystem
        Troubleshooting the Filesystem Manager
                Remote administration problem
                Missing or corrupted database files

Backing up filesystems
        The Backup Manager interface
        About backups
                About media devices
                About block and volume sizes
                Preparing media for backups
        Running scheduled backups
                Maintaining backup archives and records
                        Labeling backups
                        Keeping a backup log book
                        Rotating and archiving backup media
                        Removing file lists from the backup history
                Verifying backups
                Performing unattended backups
        Running unscheduled filesystem backups
        Running unscheduled backups of other remote filesystems
        Adding, modifying, and removing filesystem backup schedules
                Modifying scheduled filesystem backup options
                About the backup schedule
                Understanding incremental backups
        Adding remote filesystems to the backup schedule
                Establishing backup user equivalence
        Examining the backup history
                About the backup history
                Browsing backup file lists
        Examining the contents of a backup
        Restoring a scheduled filesystem backup
                How backups restore complete filesystems
        Restoring files from a scheduled filesystem backup
        Restoring files or directories from backup media
                Selecting directories or files to restore
        Specifying the Backup Manager default values
                Setting the default backup device
                Setting the default media values
        Using the command line to create and restore backups
        Troubleshooting the Backup Manager
                Remote administration problem
                Missing or corrupted database files

Managing printers and print jobs
        The Printer Manager interface
        Adding local printers
                Duplicating a local printer
        Connecting to remote UNIX system printers
                Configuring Hewlett-Packard network printers and print services
                        Setting up a BOOTP server
                        Configuring hosts to use an HP network printer
                        Performing maintenance with the HP Network Printer Manager
                Configuring a UUCP dialup printer
        Removing local or remote printers
        Servicing printers and print services
                Enabling and disabling printers
                Accepting or rejecting print jobs
                Starting and stopping the print services
        Changing printer names and connections
                Specifying the system default printer
                Modifying printer creation defaults
                About printer device connections
                About serial communication parameters
        Controlling access to printers
        About printer classes
                Grouping printers into a class
        About the print service
                Overview of print request processing
                About the print request log
                Print service command summary
        Managing print jobs
                The Print Job Manager interface
                Selecting and deselecting multiple jobs
                Viewing jobs in the print queue
                Deleting print jobs
                Holding and resuming print jobs
                Transferring a job to another printer
                Moving jobs to the top of the queue
                Setting print queue priorities
                        Setting the priority level for a print job
                        Setting individual and default priority limits
                        Setting the default priority level
        Customizing printer configuration
                Setting default printer page size and spacing
                Bypassing the spooler
                Specifying the number of banners
                About printer interface scripts
                        Creating printer interface scripts
                        Setting up printer interface scripts
                Adding a new printer manually
                        Adding a printer entry to the terminfo database
                Creating and using printer forms
                        Mounting and unmounting forms
                Creating and using printer filters
                        About content types
                        Detecting printer fault indicators with filters
                Font cartridges, character sets, print wheels
                        Specifying character sets
                        Specifying font cartridges to use with a printer
                Setting up printer fault alerts
                        Specifying the print fault recovery method
                        Alerting to mount forms and font cartridges
                Setting up a printer with multiple names
                Attaching a printer to a serial terminal
                        Handling different stty settings
                Configuring a spooled local terminal printer
                Initializing parallel printers with an init device file
                Customizing the toolbar
        Troubleshooting the Printer Manager
                Remote administration problem
                Transferring jobs between printers
                Missing or corrupted database files
        Troubleshooting the print system
                lpsched print scheduler is not running
                Printer does not print
                Cannot redirect output to printer
                Port does not respond
                Printer output is illegible
                Printer output spacing is wrong
                Parallel printer is slow
                        Setting up polling
                        Changing the MODE_SELECT kernel parameter
                Printer reports UUCP errors

Maintaining system security
        Understanding system security
                Physical security
                Trusted system concepts
                        Trusted computing base
                        Discretionary access control
                        Object reuse
                        Authorizations and privileges
                        Identification and authentication (I&A)
                        Protected subsystems
                Security in a networked environment
                        Network Information Service
                        The graphical environment
                        Network mail
        Administering a trusted system
                Assigning administrative roles and system privileges
                Controlling system access
                        Password restrictions
                        Terminal use restrictions
                        Login restrictions
                Logging out idle users (non-graphical sessions only)
                Restricting root logins to a specific device
                Using auditing on your system
        Protecting the data on your system
                SUID/SGID bits and security
                SUID, SGID, and sticky bit clearing on writes
                The sticky bit and directories
                Data encryption
                Imported data
                        Imported files
                        Imported filesystems
                Terminal escape sequences
        Creating account and login activity reports
                Reporting password status
                Creating an account summary
                Reporting terminal access status
                Reporting user login activity
                Reporting terminal login activity
                Logging unsuccessful login attempts
        Detecting system tampering
                Stolen passwords
                Abuse of system privileges
                Unsupervised physical access to the computer
        Dealing with filesystem and database corruption
                The authentication database files
                Checking the system after a crash
                Using the override terminal
                Automatic database checking and recovery: tcbck(ADM)
                Database consistency checking: authck(ADM) and addxusers(ADM)
                        Creating UNIX system and TCB account database reports
                System file integrity checking: integrity(ADM)
                System file permission repair: fixmog(ADM)
        Understanding how trusted features affect programs
                LUID enforcement
                stopio(S) on devices
                Sticky directories
        Disabling C2 features
        Troubleshooting system security
                Account is disabled -- see Account Administrator
                Account is disabled but console login is allowed / Terminal is disabled but root login is allowed
                Audit: filesystem is getting full
                Authentication database contains an inconsistency
                Can't rewrite terminal control entry for tty / Authentication error; see Account Administrator
                Cannot access terminal control database entry
                Cannot obtain database information on this terminal
                Login incorrect
                login: resource Authorization name file could not be allocated due to: cannot open;
                Terminal is disabled -- see Account Administrator
                You do not have authorization to run ...
                Unable to remove files

Using the Audit Manager
        Understanding the audit subsystem
                Audit subsystem components
                        Kernel audit mechanism
                        Audit device driver
                        Audit compaction daemon
                        Audit Manager interface
                        Data reduction and analysis facility
                Audit methodology
                        Audit privileges
                        Audit record sources
                        Accountability for audit
                        Audit event types
                        System audit event mask
                        User-specific and process event masks
                Guidelines for effective system auditing
                        Performance goals
                        Reliability goals
                        Security goals
                        Administrative concerns
        Collecting audit data
                Choosing audit events
                Auditing individual users and groups
                Displaying current audit statistics
                Enabling and disabling auditing
                        Maintaining audit trail continuity
                Adjusting audit performance parameters
        Managing audit files and directories
                Listing audit sessions
                Backing up audit files
                Restoring audit files
                Deleting audit files
                Monitoring disk space consumption
                Maintaining collection directories
                        Listing collection directories
                        Creating a collection directory
                        Deleting a collection directory
                        Adding a collection directory entry
                        Removing a collection directory entry
        Generating audit reports
                Creating or modifying a report template
                Viewing a report template
                Listing report templates
                Removing report templates
                Running an audit report
                        Example report and template
                Understanding audit reports
                        System call record formats
                        Application audit records
                        Login/Logoff record
                        User password record
                        Protected database record
                        Audit subsystem record
                        Protected subsystem record
                        Terminal and user account record
        Extending auditing capabilities to users

Connecting to other computers with UUCP
        Setting up a simple UUCP connection
                Testing the UUCP connection
                Changing the system name
        Configuring UUCP
                Setting up maintenance scripts
                Setting up polling
                Creating login accounts for sites dialing in
                Adding entries for remote sites to the Systems file
                        Creating login scripts
                Specifying dial-up parameters with the Devices file
                        The speed field
                Limiting access with the Permissions file
        How UUCP works
                        A sample UUCP transaction
                        How a UUCP transmission proceeds
        Advanced UUCP configuration
                Defining a communications protocol
                Creating a portable UUCP Systems file
                Specifying alternate UUCP configuration files
                Preventing unknown sites from logging in
                Configuring UUCP for 7-bit systems
                Connecting two local systems using a direct wire
        Troubleshooting UUCP
                Checking for a faulty ACU or modem
                Errors when testing the connection with cu
                        Connect failed: CANNOT ACCESS DEVICE
                Common "UUCP failed" messages
                Checking the status of a UUCP request
                Alarms in UUCP audit output, data is not transferring
                Generating log reports on usage: uulog
                Common UUCP log and status file messages
                        DEVICE LOCKED
                Common UUCP error messages
                        UUCP STATUS error messages
                Checking UUCP files and permissions settings
                Verifying that your site name is unique
                UUCP truncates system names to seven characters
                What to check if UUCP is abnormally slow
                What to do if UUCP works, but uux does not
                UUCP troubleshooting utilities
                The UUCP spool directory contents

Administering virtual disks
        About virtual disks
                Disk arrays and data striping
                Hot spares
                Redundancy and parity
                Virtual disk types
                        Simple disk
                        Concatenated disk
                        Striped array (RAID 0)
                        Mirrored disk (RAID 1)
                        Block-interleaved undistributed parity array (RAID 4)
                        Block-interleaved distributed parity array (RAID 5)
                        Striped, mirrored array (RAID 10)
                        Striped array of arrays (RAID 53)
                How configuration information is stored
        Planning your system layout with virtual disks
                Application and filesystem requirements
                        Distribution of I/O
                Performance and reliability requirements
                        Planning for increased reliability
        The Virtual Disk Manager interface
        Adding virtual disks
                Allocating or modifying disk pieces
                Creating nested virtual disks
                Adding a configuration backup
                Mirroring boot, swap, and root onto virtual disks
                Adding hot spares to virtual disks
                Setting virtual disk defaults
                Creating additional virtual disk nodes
                Creating a RAID 10 virtual disk array
                Creating a RAID 53 virtual disk array
        Modifying virtual disks
                Examining the current configuration
        Deleting virtual disks
        Creating filesystems on virtual disks
        Converting filesystems to virtual disks
        Tuning the performance of virtual disks
                Monitoring virtual disk performance
        Troubleshooting virtual disks
                Disabling and re-enabling virtual disks
                Forcing virtual disks online
                Checking and restoring parity data
                Repairing a failed drive
                Possible problems
                        Invalid timestamp on root device mirror
                        Mirror root failure
                        Offline disk array
                        Kernel virtual memory shortage
                Warning messages
                Notice messages

Customizing UNIX system startup
        Changing the /etc/inittab file
        Changing scripts in /etc/rc2.d
                Starting daemons on a trusted system
                Daemons that must run without an LUID
        Modifying .profile and .login files
        Changing the /etc/motd file
                Other message files

Using the system console and non-graphical displays
        Using multiscreens
                Reducing the number of multiscreens
                Multiscreens and multiple video adapters
        Using the console screen protection feature
        Changing non-graphical video fonts
        Controlling non-graphical color displays with setcolor
                Changing the foreground and background colors
                Changing reverse video colors
                Changing the screen border color
                Sounding the keyboard bell
                Resetting the screen
        Setting the console keyboard type
                Switching keyboard modes manually
                Changing modes permanently
        Using serial multiscreens with mscreen
                Adding pseudo-ttys
                mscreen troubleshooting
                Advanced mscreen configuration

UNIX directories and special device files
        The root directory
        The /bin directory
        The /dev directory
        The /etc directory
        The /lib directory
        The /mnt directory
        The /opt directory
        The /shlib directory
        The /usr directory
        The /stand directory
        The /tcb directory
        The /tmp directory
        The /var directory

Using the crash(ADM) diagnostic tool
        Running the crash command
        Defining the default dump device
        Examples of using crash
        Examining processes
                Examining the process table
                Examining the u-area of a process
                Finding out which files a process has open
                Determining the size of a process
                        Finding regions shared by processes
                        Finding the largest processes on a system
        Examining kernel text
        Studying a system panic
                panic command
                Examining a kernel stack trace
                Determining the kernel component that failed
                Using strings(C) to find kernel component
                Using nm(CP) to find kernel component
                Additional help from SCO OpenServer Technical Support
        Examining tty and cblock structures
        Examining the values of kernel tunable parameters
        Monitoring memory allocation
        Examining use of STREAMS resources
        Translating virtual addresses to physical addresses