Hp-UX Convert to a Trusted System

April 13, 2011

Convert to a Trusted System
HP-UX offers additional security features such as a more stringent authentication system, auditing, terminal access control and time-based access control. These are in addition to the normal Unix security mechanisms that are generally available, but to take advantage of them the system must be converted to a trusted system.* If security is important, it is recommended that this be done. To convert a system:
/usr/sbin/sam
Select "Auditing and Security"
Select "System Security Policy"
Select "YES"
Confirmation
You need to convert to a Trusted System before proceeding. The conversion process does the following things:
1. Creates a protected database on the system for storing security information.
2. Moves user passwords in "/etc/passwd" to this database
3. Replaces all password fields in "/etc/passwd" with "*"
For more details, refer to the "System Security" chapter of the "System Administration Tasks" manual.
Do you want to convert to a Trusted System now?
[ Yes ] [[No ]]
You will then see a message telling you that you're converting to a trusted system...
Next you will receive a "Successfully converted to a trusted system" message. Press OK to continue.
Time to set up your security policies. The following are recommendations only. Please tailor yours to fit your environment.
Hp-Ux Remaining Network Services

April 13, 2011

Remaining Network Services
If the machine is to be a DNS client then you'll need to define the domain and its name server(s). You will also have to configure which sources the resolver uses and in which order; configure it so that the hosts file is checked first, then DNS.
  1. ____ /usr/bin/touch /etc/resolv.conf
  2. ____ /usr/bin/echo "domain " > /etc/resolv.conf
  3. ____ /usr/bin/echo "nameserver " >> /etc/resolv.conf
  4. ____ /usr/bin/chown root:root /etc/resolv.conf
  5. ____ /usr/bin/chmod 644 /etc/resolv.conf
  6. ____ /usr/bin/cp /etc/nsswitch.files /etc/nsswitch.conf
  7. ____ /usr/bin/vi /etc/nsswitch.files 
    modify the hosts entry from hosts:files to hosts:files [NOTFOUND=continue] dns
  8. ____ /usr/bin/chown root:root /etc/nsswitch.conf
  9. ____ /usr/bin/chmod 644 /etc/nsswitch.conf
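A check for the lookup order set in step 7, added here as an example and not part of the original checklist. It assumes the standard nsswitch.conf syntax "hosts: source [STATUS=action] source ..." and works on a file path you pass in, so it can be run against a constructed sample or the real /etc/nsswitch.conf.

```shell
# Added check (not from the checklist): confirm that an nsswitch.conf-style
# file consults "files" before "dns" for hosts, as the step above requires.
# Assumes the standard "hosts: source [STATUS=action] source ..." syntax.

# Print the hosts lookup sources in order, space separated, with the
# bracketed status/action specifications removed.
hosts_sources() {
    awk '
    /^[ \t]*#/ { next }
    /^[ \t]*hosts:/ {
        sub(/^[ \t]*hosts:/, "")       # drop the key; also handles "hosts:files"
        out = ""; inb = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^\[/) inb = 1
            if (!inb) out = out (out == "" ? "" : " ") $i
            if ($i ~ /\]$/) inb = 0
        }
        print out; exit
    }' "$1"
}

# Exit 0 when "files" is present and precedes "dns" (dns may be absent);
# exit 1 otherwise, including when there is no hosts entry at all.
files_before_dns() {
    hosts_sources "$1" | awk '
    {
        f = 0; d = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "files" && !f) f = i
            if ($i == "dns" && !d) d = i
        }
        ok = (f > 0 && (d == 0 || f < d))
    }
    END { exit !ok }'
}

# Constructed samples: one as recommended, one with DNS consulted first.
NSS_GOOD=$(mktemp); NSS_BAD=$(mktemp)
printf 'passwd: files\nhosts: files [NOTFOUND=continue] dns\n' > "$NSS_GOOD"
printf 'hosts:dns [NOTFOUND=return] files\n' > "$NSS_BAD"
hosts_sources "$NSS_GOOD"
files_before_dns "$NSS_GOOD" && echo "hosts order OK"
```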
Hp-Ux Network Tuning

April 13, 2011

Network Tuning
Reconfigure various network parameters to reduce your vulnerability to smurf attacks, SYN floods and ARP spoofing attacks. A description of the listed network parameters can be found in Appendix B. You can use ndd -h sup to list all supported network parameters and ndd -h unsup to list unsupported ones. HP recommends that you DO NOT make changes to unsupported parameters.
  1. ____ /usr/bin/vi /etc/rc.config.d/nddconf
  2. ____ Add the following entries:
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_send_redirects
NDD_VALUE[0]=0
TRANSPORT_NAME[1]=ip
NDD_NAME[1]=ip_ire_flush_interval
NDD_VALUE[1]=60000
TRANSPORT_NAME[2]=arp
NDD_NAME[2]=arp_cleanup_interval
NDD_VALUE[2]=60000
TRANSPORT_NAME[3]=ip
NDD_NAME[3]=ip_forward_directed_broadcast
NDD_VALUE[3]=0
TRANSPORT_NAME[4]=ip
NDD_NAME[4]=ip_forward_src_routed
NDD_VALUE[4]=0
TRANSPORT_NAME[5]=ip
NDD_NAME[5]=ip_forwarding
NDD_VALUE[5]=0
TRANSPORT_NAME[6]=tcp
NDD_NAME[6]=tcp_ip_abort_cinterval
NDD_VALUE[6]=60000
  3. ____ ndd -c for the changes to take effect
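An audit helper for the nddconf entries above, added here as an example and not part of the original checklist. It parses the indexed TRANSPORT_NAME/NDD_NAME/NDD_VALUE triples from a file you name (a constructed sample below, or the real /etc/rc.config.d/nddconf) and reports every recommended parameter that is missing or set to a different value.

```shell
# Added audit helper (not from the checklist): compare an nddconf-style file
# against the values recommended above. Entries are joined by their index n.
# Recommended settings, one "transport parameter value" per line.
NDD_EXPECTED='ip ip_send_redirects 0
ip ip_ire_flush_interval 60000
arp arp_cleanup_interval 60000
ip ip_forward_directed_broadcast 0
ip ip_forward_src_routed 0
ip ip_forwarding 0
tcp tcp_ip_abort_cinterval 60000'
# Print "transport parameter actual" for every recommended parameter that is
# absent (actual=MISSING) or set to a different value. No output = compliant.
ndd_findings() {
    printf '%s\n' "$NDD_EXPECTED" | awk -v conf="$1" '
    BEGIN {
        while ((getline line < conf) > 0) {
            sub(/#.*/, "", line)                     # strip comments
            if (!match(line, /^[A-Z_]+\[[0-9]+\]=/)) continue
            key = substr(line, 1, RLENGTH - 1)       # e.g. NDD_NAME[3]
            val = substr(line, RLENGTH + 1)
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)       # trim blanks and quotes
            idx = key; sub(/^[A-Z_]+\[/, "", idx); sub(/\]$/, "", idx)
            name = key; sub(/\[.*/, "", name)
            if (name == "TRANSPORT_NAME") tr[idx] = val
            else if (name == "NDD_NAME")  nm[idx] = val
            else if (name == "NDD_VALUE") vl[idx] = val
        }
        for (i in nm) actual[tr[i] "/" nm[i]] = vl[i]
    }
    {
        k = $1 "/" $2
        if (!(k in actual))       print $1, $2, "MISSING"
        else if (actual[k] != $3) print $1, $2, actual[k]
    }'
}
# Number of findings, as a plain integer on stdout (0 means fully compliant).
ndd_finding_count() { ndd_findings "$1" | wc -l | tr -d ' '; }
# Constructed sample: one parameter wrong, five of the seven not set at all.
NDD_SAMPLE=$(mktemp)
cat > "$NDD_SAMPLE" <<'EOF'
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_send_redirects
NDD_VALUE[0]=1
TRANSPORT_NAME[1]=ip
NDD_NAME[1]=ip_forward_src_routed
NDD_VALUE[1]=0
EOF
ndd_findings "$NDD_SAMPLE"
```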
Hp-Ux File System Configuration

April 13, 2011

File System Configuration
Some file systems are static in nature and won't change unless you're doing some type of upgrade. To safeguard against unknown modifications to the files in these file systems, and the possible addition of trojan horses, it makes sense to mount them read-only (/usr and /opt are examples). You also want to ensure that setuid programs are not executed from a non-root file system; these file systems must be mounted with the nosuid option (/var and /home are examples). An example of a secure /etc/fstab can be found in Appendix C.
  1. ____ /usr/bin/vi /etc/fstab
  2. ____ Add ro option to /opt and /usr
  3. ____ Add nosuid to /stand, /var, /home
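A check for steps 2 and 3, added here as an example and not part of the original checklist. It reads an fstab-style file (a constructed sample below, or the real /etc/fstab) assuming the HP-UX field layout "device mountpoint fstype options backup-frequency pass-number" and lists every recommended option that is not set.

```shell
# Added audit helper (not from the checklist): check an /etc/fstab-style file
# for the mount options recommended above. Field layout assumed, as in HP-UX:
# "device mountpoint fstype options backup-frequency pass-number".

# "mountpoint option" pairs that must be present.
FSTAB_REQUIRED='/usr ro
/opt ro
/stand nosuid
/var nosuid
/home nosuid'

# Print "mountpoint wanted-option actual-options" for each unmet requirement
# (actual-options is NOT-IN-FSTAB when the mount point is absent).
fstab_findings() {
    printf '%s\n' "$FSTAB_REQUIRED" | awk -v fstab="$1" '
    BEGIN {
        while ((getline line < fstab) > 0) {
            sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)
            if (split(line, f, "[ \t]+") < 4) continue
            opts[f[2]] = f[4]
        }
    }
    {
        if (!($1 in opts)) { print $1, $2, "NOT-IN-FSTAB"; next }
        n = split(opts[$1], o, ","); found = 0
        for (i = 1; i <= n; i++) if (o[i] == $2) found = 1
        if (!found) print $1, $2, opts[$1]
    }'
}

fstab_finding_count() { fstab_findings "$1" | wc -l | tr -d ' '; }

# Constructed sample: /usr lacks ro and /home lacks nosuid; others are fine.
FSTAB_SAMPLE=$(mktemp)
cat > "$FSTAB_SAMPLE" <<'EOF'
# constructed sample, not a real system's fstab
/dev/vg00/lvol3 /      vxfs delaylog          0 1
/dev/vg00/lvol1 /stand hfs  defaults,nosuid   0 1
/dev/vg00/lvol4 /home  vxfs delaylog          0 2
/dev/vg00/lvol5 /opt   vxfs ro,delaylog       0 2
/dev/vg00/lvol7 /usr   vxfs delaylog          0 2
/dev/vg00/lvol8 /var   vxfs delaylog,nosuid   0 2
EOF
fstab_findings "$FSTAB_SAMPLE"
```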
/usr/local by default has been configured with world-writable permissions on all directories. Change this to a safer 755.
  1. ____ find /usr/local -type d -exec chmod 755 {} \;
Remove group write permissions from /etc.
  1. ____ chmod -R g-w /etc
HP-UX Modification of the Boot Process

April 13, 2011

Modification of the Boot Process
Closely review the startup scripts and identify all unnecessary services. Stop these services from starting by renaming their startup links in /sbin/rc?.d. Renaming the link instead of deleting it makes it easier to re-enable the service later if you need to. Pay particular attention to insecure network services. You should be able to eliminate everything in /sbin/rc3.d.
  1. ____ Review /etc/rc.log to determine which processes are started on boot
  2. ____ Rename NFS-related links
/usr/bin/mv /sbin/rc2.d/S400nfs.core /sbin/rc2.d/.NOS400nfs.core
/usr/bin/mv /sbin/rc2.d/S430nfs.client /sbin/rc2.d/.NOS430nfs.client
/usr/bin/mv /sbin/rc3.d/S100nfs.server /sbin/rc3.d/.NOS100nfs.server
  3. ____ Rename RPC link
/usr/bin/mv /sbin/rc2.d/S590Rpcd /sbin/rc2.d/.NOS590Rpcd
  4. ____ Rename Sendmail link
/usr/bin/mv /sbin/rc2.d/S540sendmail /sbin/rc2.d/.NOS540sendmail
  5. ____ If this machine is not going to be a DNS server, rename the DNS link
/usr/bin/mv /sbin/rc2.d/S370named /sbin/rc2.d/.NOS370named
  6. ____ Rename everything in /sbin/rc3.d
cd /sbin/rc3.d
for file in S*
do
  /usr/bin/mv "$file" ".NO$file"
done
Create a script to ensure that the startup scripts run with a proper umask [14]
  1. ____ /usr/bin/echo 'umask 022' > /sbin/init.d/umask.sh
  2. ____ /usr/bin/chmod 744 /sbin/init.d/umask.sh
  3. ____ Add umask.sh to the startup script directories by running the following script
umask 022
for d in /sbin/rc?.d
do
  /usr/bin/ln -s /sbin/init.d/umask.sh "$d/S000umask.sh"
done
Inetd is the internet daemon that controls access to network services that are started on an as-needed basis. Many of these services are considered unsafe, so it is very important to review them and disable any that are not absolutely necessary. The Berkeley "r" programs have a long history of abuse, so make sure that the shell and login services are disabled. You may also want to consider disabling bootps, exec, ntalk, echo and chargen. In fact the ideal situation would be not to run inetd at all. (If inetd is not running you will not have remote access to the machine until ssh is installed and configured.)
  1. ____ Disable inetd - preferred method
/usr/bin/mv /sbin/rc2.d/S500inetd /sbin/rc2.d/.NOS500inetd
/usr/bin/rm /etc/inetd.conf
  2. ____ inetd enabled, but with all unnecessary services disabled
/usr/bin/vi /etc/inetd.conf
comment out (place # at the beginning of the line) all unnecessary services
/usr/bin/kill -HUP <inetd pid>    (send SIGHUP to the running inetd process so it rereads /etc/inetd.conf)
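A review helper for the second option, added here as an example and not part of the original checklist. It lists the services still enabled in an inetd.conf-style file and flags the ones the text singles out; it assumes the HP-UX line layout "service socktype proto wait user server args", with RPC entries whose first field is "rpc" and whose last field names the program. The sample file and its daemon paths are constructed for the demonstration.

```shell
# Added review helper (not from the checklist): list the services still
# enabled in an inetd.conf-style file and flag the ones named in the text.
# Assumed layout: "service socktype proto wait user server args"; RPC entries
# start with "rpc" and end with the program name.
INETD_RISKY="shell login exec bootps ntalk echo chargen"

# Print the name of every enabled (uncommented) service, one per line.
inetd_enabled() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
    { svc = ($1 == "rpc") ? $NF : $1; print svc }' "$1"
}

# Print enabled services that appear in INETD_RISKY, in file order.
inetd_risky() {
    inetd_enabled "$1" | awk -v risky="$INETD_RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    ($1 in bad) { print $1 }'
}

# Number of flagged services as a plain integer (0 means none of them is on).
inetd_risky_count() { inetd_risky "$1" | wc -l | tr -d ' '; }

# Constructed sample inetd.conf: shell and echo left on, login commented out.
INETD_SAMPLE=$(mktemp)
cat > "$INETD_SAMPLE" <<'EOF'
# constructed sample, not a real HP-UX file
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
shell   stream tcp nowait root /usr/lbin/remshd  remshd
#login  stream tcp nowait root /usr/lbin/rlogind rlogind
echo    dgram  udp wait   root internal
rpc     dgram  udp wait   root /usr/lib/netsvc/rstat/rpc.rstatd 100001 2-4 rstatd
EOF
echo "enabled: $(inetd_enabled "$INETD_SAMPLE" | tr '\n' ' ')"
echo "flagged: $(inetd_risky "$INETD_SAMPLE" | tr '\n' ' ')"
```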
HP-UX Patches Installation

April 13, 2011

HP-UX Patches Installation
To track down known HP software vulnerabilities and their solutions, use the HP Security Archive on the IT Resource Center Web site. Each bulletin contains a description of the problem, which versions of the operating system are affected, and the solution. To access this information go to:
Search Technical Knowledge Base
Security Bulletin Archive
You can also subscribe to HP’s Security Bulletin Digest. You will receive an email update of new vulnerabilities as they are identified. To sign up for this go to:
support information digests

Helping  Other  People  Excel
Updating Applications

April 13, 2011

Updating Applications 
After installing HP-UX 11.0, install any other needed applications.
  1. ____ Use swinstall to install new software that was not included as part of the basic OS installation. The latest versions of HP-UX software products are provided on the HP-UX Applications CDs. To find the contents of each CD, mount any HP-UX Applications CD and view the TOC file.
  2. ____ After installing the software, complete any post-install configuration. This will be explained in the software's release notes or manual. Most documentation for HP-UX applications is either on the HP-UX Instant Information CD or on HP's documentation Web site: docs.hp.com/hpux/os/11.0/