topic Re: security in Operating System - HP-UX

security

kholikt — Wed, 16 Feb 2005 21:20:08 GMT

Hi,

I am writing some security document. I need to put some recommendation about the software selection during the OS installation.

At this moment, the following components are recommended not to install.

- CIFS related components including server and client
- Apache - if the server is not a web server
- NFS related components including server and client
- Tomcat
- XML Web server tools
- Webmin based admin
- Mozilla
- Ximian GNOME
- Java
- IPFilter

Is there anything that I missed here. This document based on HP-UX 11.23 and 11.11

Re: security

Florian Heigl (new acc) — Wed, 16 Feb 2005 21:31:25 GMT

I think You should rather include IPFilter, I am aware there are issues like local port redirection, but a malicious user could use a socks proxy etc. for that and the benefit of having IPFilter at hand can be great.

CDE / X - having a history of security issues, so You could leave them out in case no graphical logins are needed. (And for such cases, there are still other solutions)

VxVm administrator - at least on Tru64 (LSM there) it listens on the network for some funky Java GUI.

Re: security

Mic V. — Wed, 16 Feb 2005 23:38:13 GMT

If you will not use it, perhaps delete sendmail and the printing software.
I don't remember how isolated those filesets are. Other candidates: kermit, telnet, ftp, r-services.

Sorry I can't remember fileset names and the like.

HTH,
Mic

Re: security

Biswajit Tripathy — Wed, 16 Feb 2005 23:53:38 GMT

You are recommending not to install IPFilter for better
security? Could you explain why?

Don;t you think it would be easier to install IPFilter and
and allow only those incoming/outgoing traffic that you
want to allow and block everything else (and log all
suspicious connection attempts)? I can understand
that you don't want to install anything that is not
needed on the system, but IPFilter would add another
line of defence to your systems.

- Biswajit

Re: security

Gordon Morrison — Thu, 17 Feb 2005 09:50:32 GMT

Surf on over to http://www.cisecurity.org/
They provide various documents containing "Benchmark" security recommendations for various OS flavours, including HP-UX.

Re: security

Florian Heigl (new acc) — Thu, 17 Feb 2005 10:15:48 GMT

uucp and related things are also candites to get rid of at the beginning, but they're no fileset of their own.

Re: security

Ivajlo Yanakiev — Thu, 17 Feb 2005 12:20:26 GMT

First read some doc about Bastion host
it will desc all unsec software and way to exclude from install.
Install Bastion host
Install IPFILTER

Re: security

Steven E. Protter — Thu, 17 Feb 2005 12:35:14 GMT

CIFS related components including server and client:
Only install it if you need it. It is very useful if you want to share files on the HP box with windows users or vice versa. Otherwise its pretty much wasted hard disk space. It does not as far as I know represent a security hazard.

NFS - Data goes back and forth in clear text. This is a security hazard. If you don't need NFS, don't use it. You must however leave it installed. I monkeyed around with removing it once and did serious damage to an old box I was using for the experiement. I ended up having to do an Ignite restore.

Apache - significant issues. Right now I have a seemingly pointless port 80 abuse on my Linux Apache server and its driving me crazy, since I'm 7,000 miles from the box and must tread lightly.

Tomcat: If the box is not a web server tomcat provides no functionality.

Webmin based admin. I think for this you need apache running. There are no security hazards in this product that I know of, and its actually quite useful.

XML - No web server, no need for these.

Mozilla - Very useful, pretty secure. I use it to get patches so there is zero chance of me ruining the depot by forgetting to ftp the thing right from my pc. Also, the ftp step transmits passwords in clear text. Bad idea.

Ximian GNOME - Dead product, no support any more. Decided not to go to Gnome. Their port was nice, but old. It was patched a lot and there may have been security hazards.

Java - Oracle needs it. Mozilla needs it. I'd think about changing my mind.

IPfilter - No security hazards. Easy to use, can be helpful in improving security. I'd reconsider this one unless you trust each and every user BEHIND your firewall. Remember 65% of system attacks come from employees.

General rule on security is: If its not going to be used, don't install it. It can not be abused if it does not exist on the system.

SEP

Re: security

Biswajit Tripathy — Fri, 18 Feb 2005 03:39:49 GMT

kholikt,
thanks for 10 points, but I would really like to know
why would you recommend not installing IPFilter for
better security. I have been working for
Hewlett-Packard's IPFilter team for last few years and
you are the first person I have seen who is
recommending to avoid installing IPFilter and would
really like to know what I'm missing here.

- Biswajit