topic Re: System Security Policy in Operating System - HP-UX

System Security Policy

Joseph Bague — Thu, 23 Jan 2003 05:39:46 GMT

Hi all

I am currently making a System Security Policy to our HP-UX server. What thing that may I consider? other than converting it to trusted system, use password aging, etc.

Thanks in advance
Joseph

Re: System Security Policy

Rajeev Shukla — Thu, 23 Jan 2003 06:32:45 GMT

Hi,
You should also look at the /var/adm/inetd.sec file which is an access control file for indernet daemons like
login, telnet, ftp, shell, rcp etc..
You should conside that as to whom to give access to.
Also look at the /etc/ftpd/ftpusers in 11.X and /etc/ftpusers in 10.X
this if for ftp access to users.

Rajeev

Re: System Security Policy

Rajeev Shukla — Thu, 23 Jan 2003 06:34:19 GMT

Re: System Security Policy

Rajeev Shukla — Thu, 23 Jan 2003 06:36:07 GMT

Re: System Security Policy

S.K. Chan — Thu, 23 Jan 2003 06:36:44 GMT

Other points I can think of are ..
- File and directory permission/ownership.
- Console access policy (for example .. only root can log on to console).
- Root access policy (for example .. only system administrator have access to root).
- Security audit software (for example .. we use Medusa to give us weekly and monthly security reports).
- Audit trail on log files (for example .. how frequent you examine your system log files).
- File transfer policy.
- Root account log tools (for example .. sudo).
Hope this helps a bit ..

Re: System Security Policy

Rajeev Shukla — Thu, 23 Jan 2003 06:36:56 GMT

Re: System Security Policy

Rajeev Shukla — Thu, 23 Jan 2003 06:39:07 GMT

Re: System Security Policy

Michael Tully — Thu, 23 Jan 2003 06:47:24 GMT

Heres some suggestions.

Setting up the system as a bastion server.
See here: http://people.hp.se/stevesk/bastion11.html

Installing bastille, see here: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

Setting your system as trusted with password aging and utilsing the security policies provided. 'sam' is a good place to start. Isolate your console.

Also this posting, see the comments from Bill Hassell.
http://forums.itrc.hp.com/cm/QuestionAnswer/1,11866,0x4499e7e60861d511abcd0090277a778c,00.htm

Installing sudo: See here:http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.6/
Installing SSH: See here: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

Re: System Security Policy

Jeff Barber — Fri, 24 Jan 2003 11:14:36 GMT

Couple of other things. Don't forget the "physical security" - control of computer room access, controlling access to GSP and consoles, media management(tape and CD mounting). Also updating /etc/issue and /etc/dt/config/C/Xresources with relevant warnings about system misuse

Re: System Security Policy

Bill Hassell — Fri, 24 Jan 2003 13:00:03 GMT

And then there's the soft science part of the policy: communication and enforcement. That means that everyone in the company must be aware of the access policies, the consequences of misuse and remedies for policy violations. This requires agreement by your HR (personnel) department, your legal department and the executives.

Note that warnings in email and login greetings are worthless as a practical policy although it makes the lawyers feel warm and fuzzy. A policy is just paper unless the systems are monitored (see IDS/9000 and Bastille) and actions taken.

Re: System Security Policy

Steven E. Protter — Fri, 24 Jan 2003 13:43:23 GMT

Bastille, is great, get it perl 5.8 and install it.

get security_patch_check and make it your ogranizational policy to use it, and follow its recommendations on a regular basis.

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProducts.pl?group_type=search&group_name=security_patch_check&search_free=1&search_trial=1&search_buy=1

You should get and install a version of crack 5.0 on a non-production server. Copy your /etc/passwd files once a month and run analysis. Any passwords that get guessed, force password change and make the supervisor aware.

You should run lastb last analysis on all your logs on a regular basis. That should be policy and you write the script and your operations department reviews the output on a weekly basis.

You should consider download and install of the saint utility on a non-production server. It can be used to probe unix boxes and NT/Microsoft boxes and report security vulnerabilities. It should be operational policy that during a maintenance window, production servers are checked in this way.

You should consider taking two courses at HP Education. Practical Unix and Network Security and Internet Security. Almost nobody takes the Internet course but its one of the best courses HP offers.

Lastly, you should make your system a trusted system. This enables password shadowing, automatic expiration of unused accounts, and a great audit log for tracking down issues.

P

Re: System Security Policy

Gregory Lee_1 — Wed, 29 Jan 2003 17:40:03 GMT

Joseph,

A couple of things to consider. I don't beleive these were mentioned above, but you may want to look into using SSH and TCPWrappers.

Regards,
Greg