IBM 10 SP1 EAL4 Server User Manual


 
The chfn command allows users to change their finger information. The finger command
displays that information, which is stored in the /etc/passwd file.
The date command is used to print or set the system date and time. Only an administrative user
is allowed to set the system date and time.
The groupadd, groupmod, and groupdel commands allow an administrator to add, modify, or
delete a group, respectively. Refer to their respective man pages for more detailed information.
The hwclock command is used to query and set the hardware clock. Only an administrative user
is allowed to set the system hardware clock.
The minimal form of getty, mingetty is for consoles, and provides the same functionality as
agetty. However, unlike agetty, which is used for serial lines, mingetty is used for
virtual consoles.
The newgrp command logs into another groupid.
The openssl program is a command-line tool for using the various cryptography functions of the
Secure Socket Layer (SSL v3) and Transport Layer Security (TSL v1) network protocols.
pam_tally manages the /var/log/faillog file to reset the failed login counter.
The ping and ping6 commands, for IPv4 and IPv6 respectively, use the mandatory
ECHO_REQUEST datagram of the Internet Control Message Protocol (ICMP) to elicit an
ICMP_ECHO_RESPONSE from a host or a gateway.
The ssh command is a program for logging into a remote machine and for executing commands
on a remote machine. It provides secure encrypted communications between two untrusted hosts
over an insecure network.
star is a version of the tar command that preserves extended attributes. Extended attributes are
the means by which ACLs are associated with file system objects.
The stunnel program is designed to work as an SSL encryption wrapper between remote clients
and local or remote servers.
The useradd, usermod, and userdel commands allow an administrator to add, modify, or delete
a user account, respectively. Refer to their respective man pages for more detailed information.
unix_chkpwd is the helper program for the pam_unix PAM module that checks the validity of
passwords at login time. It is not designed to be directly executed.
4.3 TSF databases
Section 6.2.8.5 of the Security Target identifies the primary TSF databases used in SLES and their purposes.
These are listed either as individual files, by pathname, or as collections of files.
With the exception of databases listed with the User attribute (which indicates that a user can read, but not
write, the file), all of these databases are only accessible to administrative users. None of these databases is
modifiable by a user other than an administrative user. Access control is performed by the file system
component of the SLES kernel. For more information about the format of these TSF databases, please refer
to their respective section of man pages.
See section 6.2.8.5 in the Security Target.
4.4 Definition of subsystems for the CC evaluation
Previous sections of this paper defined various logical subsystems that constitute the SLES system. One of
these logical subsystems alone can provide, or two or more can combine to provide, security functionalities.
28