topic Re: security in Operating System - HP-UX

security

jerry1 — Mon, 20 Oct 2003 08:28:19 GMT

Could someone suggest some tools/places I
can go to to get security tools that I can
use to monitor who is doing what as root
on a server. Just looking at roots history
file is not enough. I could install TCPwrappers
that I believe has some logging. I have tripwire and cops installed but none of these
really tell who or what. I use to use logshell
at another company and was wondering if something similar exists. /.rhosts has to go also. I need to know who/what is using it.

Re: security

Graham Cameron_1 — Mon, 20 Oct 2003 08:36:42 GMT

I worked in a bank for a while, where use used UPM:
http://www.passgo.com/datasheets/upm.pdf
Does what you want and loads more.
-- Graham

Re: security

harry d brown jr — Mon, 20 Oct 2003 08:38:31 GMT

The best solution is to change the password to root and remove any files that can be executed up to root, then have people submit their requests to you for root command executions.

Let's say you allow someone to have root priv's and they go into vi or simply "more" a file and then bang (!) out and start another shell or simply execute a command, which won't be logged.

live free or die
harry

Re: security

Brian Bergstrand — Mon, 20 Oct 2003 08:53:59 GMT

You can convert to a trusted system and then enable auditing for the root user. This will track just about any move made by root. Just make sure you have plenty of disk space for the logs. Use sam to do both of these.

HTH.

Re: security

Steven E. Protter — Mon, 20 Oct 2003 08:57:13 GMT

My standard pitch on security for hp-ux

Here is how we keep up on these security issues.

Fist we subscribe to itrc security bulletins, which you apparently already do.

Next we use the following tools to harden security on our system and notify us of security patches.

Bastille Security hardening
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

Perl which the above needs.
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL

Security Patch Check
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

TCP Wrappers

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=TCPWRAP

IDS/9000 (Intrusion Detection Sytstem)

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA

Get all these products working you'll be quite secure.

Secure shell
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

SEP

Re: security

Zeev Schultz — Mon, 20 Oct 2003 09:46:51 GMT

with slight modification of what Harry defined
as "ask other users to submit what they would like to run with root to yourself" aka being a lazy sysadmin once :) - use sudo. Define what people do what.Consequently restrict root logins to console only,

Re: security

Rory R Hammond — Tue, 21 Oct 2003 17:13:20 GMT

Agree with the all above.

If you need info now.
/usr/sam/bin/samlog_viewer might help.

If root is using a history file
strings .history might help.

If users are loging in as root you can find who they are and make them stop. (I think everyone should use sudo)
who -a /etc/wtmp |grep root
root pts/tb Oct 21 17:05 . 7731 bozo.thecompany.com
root pts/tb Oct 21 17:05 . 7731 id= tb term=0 exit=0
root pts/tb Oct 21 17:05 . 7731 id= tb term=0 exit=0
root pts/tb Oct 21 17:06 . 7818 bozo.thecompany.com
root pts/tb Oct 21 17:06 . 7818 id= tb term=0 exit=0
root pts/tb Oct 21 17:06 . 7818 id= tb term=0 exit=0

if users are using su to become root
you can get times and term id and who from /var/adm/sulog

If you have accounting you can use
/usr/sbin/acctcom to find commands executed
and from what terminal
if you have multiple acctoing files
pacct pacct1 pacct2 etc you need
to run
acctcom pacct? corresponding to your time period.

Rory