Hp-UX User Access Control

User Access Control

Tight controls must be maintained on user’s accounts. You should only have accounts on a system that are necessary for the applications that are running.

Restrict root login to just the console. User must use su to login as root.

1. ____ /usr/bin/touch /etc/securetty
2. ____ /usr/bin/echo console > /etc/securetty
3. ____ /usr/bin/chmod 400 /etc/securetty

Enable password history and password reuse. On a trusted systems, the system administrator can enable the password history feature to discourage users from reusing previous passwords

1. ____ /usr/bin/touch /etc/default/security
2. ____ /usr/bin/echo "PASSWORD_HISTORY_DEPTH=10" > /etc/default/security
3. ____ /usr/bin/chown bin:bin /etc/default/security
4. ____ /usr/bin/chmod 444 /etc/default/security

Lock all "pseudo-accounts", including uucp, lp, nnucp, sys, hpdb and www. These are logins that are not associated with individual users and do not have true interactive shells. They are in the password file because they are owners of files.

1. ____ /usr/bin/vi /etc/passwd and change the default shell to /dev/null
2. ____ Lock accounts using /usr/bin/passwd –l
3. ____ Remove any files in /var/spool/cron/crontabs except for root
4. ____ Remove any files in /var/spool/cron/atjobs except for root

Ensure that root is the only login that has access to run crontab and at commands

1. ____ /usr/bin/echo root > /var/admin/cron/cron.allow
2. ____ /usr/bin/echo root > /var/adm/cron/at.allow
3. ____ /usr/bin/chmod 400 /var/adm/cron/cron.allow
4. ____ /usr/bin/chmod 400 /var/adm/cron/at.allow
5. ____ /usr/bin/rm /var/adm/cron/cron.deny
6. ____ /usr/bin/rm /var/adm/cron/at.deny

Restrict ftp access. At a minimum all logins with uid < 100 should not be able to ftp. Also add any other logins that do not need to ftp to /etc/ftpd/ftpusers.

1. ____ /usr/bin/touch /etc/ftpd/ftpusers
2. ____ /usr/bin/chown root:root /etc/ftpd/ftpusers
3. ____ /usr/binchmod 600 /etc/ftpd/ftpusers
4. ____ Add administrative logins to /etc/ftpd/ftpusers

for names in root, daemon, bin, sys and adm

do

echo $names >> /etc/ftpd/ftpusers

done

Check for /etc/hosts.equiv, ~/.netrc and ~/.rhost files. The existence of these files can allow selected users to be granted password-free access to a system. There shouldn’t be any of these files on your system. But if you have a need for them, check that they are not world-writeable and that there is no + in them. A + means the system will trust all other systems. You can use the following command to search for these files. You should run this command periodically and review the output.

1. ____ /usr/bin/find / \( -name .rhosts –o –name .netrc –o -name hosts.equiv \) -exec ls -ldb {} \; -exec more {} \;

If you are still running inetd and are allowing ftp access you will want to log ftp access to /var/adm/syslog/syslog.log and change the default umask to 022.

1. ____/usr/bin/vi /etc/inetd.conf
2. ____ Add –l and –umask –22 to ftpd

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -umask 022

Add umask 022 and TMOUT to /etc/profile. Umask 022 will restrict file permissions. TMOUT will limit how long a session can set idle. But remember these can be easily overwritten in ~/.profile.

1. ____ /usr/bin/vi /etc/profile
2. ____ insert umask 022
3. ____ insert TMOUT=1800 (TMOUT is in seconds)

Statutory Warnings

Add a warning message that machine is for authorized use only and that all activity is subject to monitoring. It is believed that having such a warning, could aid in the prosecution of any computer crimes involving that machine. You should however, consult with legal counsel about the wording of the message. The following is an example of one such message.

This system is the property of the Company ABC. All activities on this system are subject to monitoring for illegal or unauthorized activity.

Anyone using this system expressly consents to such monitoring and is advised that if monitoring reveals possible improper or criminal activity, system personnel may provide the evidence of such monitoring to authorities.

1. ____ /usr/bin/touch /etc/issue
2. ____ /usr/bin/touch /etc/motd.
3. ____ /usr/bin/chown root:root /etc/issue
4. ____ /usr/bin/chown root:sys /etc/motd
5. ____ /usr/bin/chmod 644 /etc/issue
6. ____ /usr/bin/chmod 644 /etc/motd
7. ____ copy warning message to /etc/issue and /etc/motd
8. ____ /usr/bin/vi /etc/inetd.conf *
9. ____ add –b /etc/issue to the end of the telnetd

telnet stream tcp nowait root /usr/lbin/telnetd telnetd -b /etc/issue

* This is assuming you’re running inetd. If not, disregard this step.

Hp-Ux Terminal Security Policies, Auditing and Security

Terminal Security Policies

Use this screen to set system policies for terminals. Policies apply to all terminals unless terminal-specific policies are set. Unsuccessful Login Tries Allowed: 10 . Delay Between Login Tries (sec.): 2 . Login Timeout Value (sec.): 0 . .,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,. [ OK ]   [ Cancel ]   [ Help ] ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

* Network Information Service (NIS) is not supported on a trusted system.

System And Process Auditing

Now that the system has been converted to a trusted system and your security policies have been set. It’s time to turn on auditing.

/usr/sbin/sam

Select "Auditing and Security"

Select "Audited Events"

Select "Actions"

Select "Turn Auditing On"

Auditing and Security

File List View Options Actions Help . . . Turn Auditing ON . . .Auditing Turned: OFF . ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, . . . . Set Audit Monitor and Log Parameters... . . .,,,,,,,,,,,,,,,,,,,,,,,. View Audit Log... .,,,,,,,,,,,,. .Audited Events . Unconvert the System . 18 selected. .,,,,,,,,,,,,,,,,,,,,,,,. ======================================= .,,,,,,,,,,,,. . Audit . (nothing selected) . . . Event Type Success F,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,G . .R,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,T . .. admin Yes Yes acct, adjtime, audctl, audswitch, clock_ ^ . .. close No No close, ksem_close, mq_close, munmap . .. create No No creat, mkdir, mknod, msgget, pipe, semge . .. delete No No ksem_unlink, mq_unlink, msgctl, rmdir, s . .. ipcclose No No fdetach, shutdown . .. ipccreat No No bind, socket, socket2, socketpair, socke . .. ipcdgram No No . .. ipcopen No No accept, connect, fattach . .. login Yes Yes . .. modaccess No No chdir, chroot, fchdir, link, lockf, lock v . .F< >G . F,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,G

.

Next you need to select which events you want to audit. At the very minimum you should audit admin - Logs all administrative and privileged events.

login - Logs all logins and logouts

modaccess - Logs all access modifications other than DAC

moddac - Logs all modifications of object’s discretionary access controls

Setup a cron job to collect system diagnostic messages.

1. ____ /usr/bin/crontab –e
2. ____ Insert the following 2 lines

# log kernel diagnostic messages every 10 minutes

05,15,25,35,45,55 * * * * /usr/sbin/dmesg - >>/var/adm/messages

Hp-UX Convert to a Trusted System

Convert to a Trusted System

HP-UX offers some additional security features such as, a more stringent authentication system, auditing, terminal access control and time-based access control. These are in addition to the normal Unix security mechanisms that are generally available. But to take advantage of these features the system must be converted to a trusted system.* If security is important, it is recommended this be done. To convert a system you would need to:

/usr/sbin/sam

Select "Auditing and Security"

Select "System Security Policy"

Select "YES"

R T

Confirmation

You need to convert to a Trusted System before proceeding. The  conversion process does the following things: 1. Creates a protected database on the system for storing security information.  2. Moves user passwords in "/etc/passwd" to this database  3. Replaces all password fields in "/etc/passwd" with "*" For more details, refer to the "System Security" chapter of the . "System Administration Tasks" manual. . Do you want to convert to a Trusted System now? .,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,. [ Yes ] [[No ]] ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

You will then see a message telling you that you’re converting to a trusted system...

Next you will receive a "Successfully converted to a trusted system" message. Press OK continue.

Time to setup your security policies. The following are recommendations only. Please curtail yours to fix your environment.

Hp-Ux Remaining Network Services

Remaining Network Services

If the machine is to be a DNS client then you’ll need to define the domain and it’s name server(s). You will have to configure which sources the resolver will use and in which order. You should configure so that the host file is checked first then DNS.

1. ____ /usr/bin/touch /etc/resolv.conf
2. ____ /usr/bin/echo "domain " > /etc/resolv.conf
3. ____ /usr/bin/echo "nameserver " >> /etc/resolv.conf
4. ____ /usr/bin/chown root:root /etc/resolv.conf
5. ____ /usr/bin/chmod 644 /etc/resolv.conf
6. ____ /usr/bin/cp /etc/nsswitch.files /etc/nsswitch.conf
7. ____ /usr/bin/vi /etc/nsswitch.files 
   modify the hosts entry from hosts:files to hosts:files [NOTFOUND=continue] dns
8. ____ /usr/bin/chown root:root /etc/nsswitch.conf
9. ____ /usr/bin/chmod 644 /etc/nsswitch.conf

Hp-Ux Network Tuning

Network Tuning

Reconfigure various network parameters to reduce your vulnerability to smurf attacks, SYN floods and ARP spoofing attacks. A description of the listed network parameters can be found in Appendix B. You can usendd –h sup to list all supported network parameters. Use ndd –h unsup to list unsupported network parameters. HP recommends that you DO NOT make changes to unsupported parameters.

1. ____/usr/bin/vi /etc/rc.config.d/nddconf
2. ____ Add following entries:

TRANSPORT_NAME[0]=ip

NDD_NAME[0]=ip_send_redirects

NDD_VALUE[0]=0

TRANSPORT_NAME[1]=ip

NDD_NAME[1]=ip_ire_flush_interval

NDD_VALUE[1]=60000

TRANSPORT_NAME[2]=arp

NDD_NAME[2]=arp_cleanup_interval

NDD_VALUE[2]=60000

TRANSPORT_NAME[3]=ip

NDD_NAME[3]=ip_forward_directed_broadcast

NDD_VALUE[3]=0

TRANSPORT_NAME[4]=ip

NDD_NAME[4]=ip_forward_src_routed

NDD_VALUE[4]=0

TRANSPORT_NAME[5]=ip

NDD_NAME[5]=ip_forwarding

NDD_VALUE[5]=0

TRANSPORT_NAME[6]=tcp

NDD_NAME[6]=tcp_ip_abort_cinterval

NDD_VALUE[6]=60000

____ ndd –c for the changes to take effect