topic Re: Reporting on security settings in Operating System - HP-UX

Reporting on security settings

Karen Elrod — Wed, 27 Oct 2004 09:08:30 GMT

Hi,
Does anyone know of a way to report on security settings (such as password expiration). We have many trusted systems. Auditing wants a listing of all of the security settings for each server. The only way that I can find to get this information is to do screen prints of SAM's security panels.
Thanks for any thoughts on this.
Karen

Re: Reporting on security settings

Steven E. Protter — Wed, 27 Oct 2004 09:21:58 GMT

passwd -sa gets you some dat.

I'm attaching a utility script that has lots of code snippets in it, most commented. There are lots of things you can change or merely report on with this script.

SEP

Re: Reporting on security settings

John Poff — Wed, 27 Oct 2004 09:24:34 GMT

Hi,

Take a look at the 'logins' command. If you give it the '-x' option it will display extended information, including password aging data.

JP

Re: Reporting on security settings

RAC_1 — Wed, 27 Oct 2004 09:30:43 GMT

Did you look at the commands - getprpw, modprpw, getprdef and modprdef.

/usr/lbin/gerprpw "user_name" Will give you the details about a user and related settings for the user.
The default settings go under /tcp/auth/files/default

Anil

Re: Reporting on security settings

Geoff Wild — Wed, 27 Oct 2004 09:43:45 GMT

Another tool to look at is System Health Check.

The Lite report is free as is the software:

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=SHCBASE01

Example of what it finds:

Security

--------------------------------------------------------------------------------

No. Priority # Found Problems Description

--------------------------------------------------------------------------------

1 H 6 User's home directory is writable by others.
2 H 1 World-writable directories allow other users than owner to modify/delete files.

--------------------------------------------------------------------------------

1 M 10 The cron daemon can be used by other users, besides root.
2 M 6 The at command can be used by other users, besides root.
3 M 1 The system parameter executable_stack differs from recommended.
4 M 1 The security defaults configuration file does not exist.
5 M 1 The number of concurrent sessions per user exceeds threshold.
6 M 1 On missing home directory, users are logged in to '/'.
7 M 1 Password history depth is below threshold.
8 M 1 su command usage is not restricted.
9 M 1 Password aging is not implemented.
10 M 8 .rhosts file detected in a user's home directory.
11 M 1 Bad logins pattern may indicate a security breach attempt.
12 M 1 Ownership manipulation command usage is not restricted.
13 M 7 .netrc files found.
14 M 4 External input may cause security problems on some directories.
15 M 2 PATH contains directories writable by others.

--------------------------------------------------------------------------------

1 L 1 Optional trusted system functionality is not enabled.
2 L 1 Internet services access is not restricted.
3 L 1 Connection logging is not enabled.
4 L 1 Root access not restricted.
5 L 1 The /etc/ftpd/ftpusers file does not exist.
6 L 1 Ftp configuration file does not exist.
7 L 11 Some enabled daemons/network services could present a security problem.
8 L 1 Running sendmail may present a security problem.
9 L 1 The system grants unrestricted community access via /etc/SnmpdAgent.d/snmpd.conf.
10 L 8 Network tunables differ from recommended.
11 L 49 Filesystem may allow SUID program execution.
12 L 1 Security Patch Check is not installed.
13 L 1 Bastille is not installed.

Rgds...Geoff

Re: Reporting on security settings

Prashant Zanwar_4 — Wed, 27 Oct 2004 09:46:45 GMT

getprpw is of use in this case.

/usr/lbin/getprpw -m exptm,spwchg sys something like this shall be able to help you out..

just go through the set of commands..

Thanks
Prashant

Re: Reporting on security settings

Karen Elrod — Wed, 27 Oct 2004 12:34:40 GMT

Thanks for all of the help. The information is just what I was looking for.