topic Re: Validate HPUX Security items in Operating System - HP-UX

Validate HPUX Security items

Hunki — Wed, 01 Feb 2006 14:49:18 GMT

1) SNMP needs to be disabled if not required This is what I think needs to be done to do it:
1. /etc/rc.config.d/SnmpHpunix
Set SNMP_HPUNIX_START to 0: SNMP_HPUNIX_START=0
2. /etc/rc.config.d/SnmpMaster
Set SNMP_MASTER_START to 0: SNMP_MASTER_START=0
3. /etc/rc.config.d/SnmpMib2
Set SNMP_MIB2_START to 0: SNMP_MIB2_START=0
4. /etc/rc.config.d/SnmpTrpDst
Set SNMP_TRAPDEST_START to 0: SNMP_TRAPDEST_START=0

2) NFS - all shares need to be restricted to trusted hosts only and
preferably read only -> Trusted Hosts : listed in .rhosts file, check for permissions as read only for all shares listed in /etc/exports

3) Disable HTTP trace on port 8080 -> I think that we need to change/add to an "httpd.conf" file. :
RewriteEngine On
RewriteCond %{REQUEST_METHID} ^(TRACE|TRACK)
RewriteRule .* - [F]

4) Disable the following services (I noticed all but bootpc, are in /etc/inetd.conf):
echo -> Comment out both of them in inetd.conf?
discard -> Comment out both of them in inetd.conf?
chargen -> Comment out both of them in inetd.conf?
daytime -> Comment out both of them in inetd.conf?
bootps -> Comment out in inetd.conf?
bootpc -> /etc/services
tftp -> Comment out in inetd.conf?
ident -> Comment out in inetd.conf?

5) Patch PHP running on port 8080 ->
Get the patch from HP.

6) Disable sendmail if not needed.
a) edit/remove the -bd flag from the "sendmail" command line in the /sbin/init.d/sendmail file or
b) Just comment out that line.

Re: Validate HPUX Security items

Jeff_Traigle — Wed, 01 Feb 2006 15:11:24 GMT

1. Looks good. Be sure to run the corresponding /sbin/init.d scripts prior to making these changes so SNMP is disabled immediately.

2. .rhosts has nothing to do with NFS. You restrict access to NFS mounts via the access= option in /etc/exports. See exports(4)

3. Not sure about that one.

4. Looks good. Be careful of commenting identd, however. If you run Serviceguard, it may require it unless the -i option is used on cmclconfd in /etc/inetd.conf.

5. Sounds reasonable.

6. Modifying the /sbin/init.d scripts supplied by HP is never a good idea. They can be overwritten at any time you patch the system. Set SENDMAIL_SERVER=0 in /etc/rc.config.d/mailservs instead.

Re: Validate HPUX Security items

Don Mallory — Fri, 03 Feb 2006 13:01:14 GMT

You're number 3 looks good.

You could also go significantly farther and use rewrite options to limit the extended characters that Apache allows. Example:

RewriteRule [^a-zA-Z0-9|\.|/|_|-] - [F]

This will only allow a-z, A-Z, 0-90, ., /, _, -.

You should test this thoroughly though.

Trusted Apache security links of note:

www.sans.org/top20/index.php
www.cissecurity.org - look for the Apache Benchmark for UNIX
www.securityfocus.com/infocus/1694
www.securityfocus.com/infocus/1706
httpd.apache.org/docs/2.0/misc/security_tips.html

Don

Re: Validate HPUX Security items

Hunki — Wed, 08 Feb 2006 12:27:33 GMT

For these :

4) All the other ones are also in /etc/services. Why do I not comment those out in /etc/services instead of /etc/inetd.conf?

5) Unable to get patch. Receive message page from HP that there is an "issue." Where else can I get it?

6)O.K. I can do that. Do I need to reboot or what afterwards?

Thanks Again

Re: Validate HPUX Security items

Jeff_Traigle — Wed, 08 Feb 2006 12:35:43 GMT

4) All the other ones are also in /etc/services. Why do I not comment those out in /etc/services instead of /etc/inetd.conf?

Some people will say to comment them in /etc/services also. I typically only comment them in /etc/inetd.conf. Someone will probably berate me for that. :)

5) Unable to get patch. Receive message page from HP that there is an "issue." Where else can I get it?

The HP site is the only place I know to get patches, other than from your friendly neighborhood HP rep if you have a support contract.

6)O.K. I can do that. Do I need to reboot or what afterwards?

Nope. Once you run the init.d script to stop it, sendmail is down.

Re: Validate HPUX Security items

Hunki — Wed, 08 Feb 2006 12:49:17 GMT

What is the difference between the two files /etc/inetd.conf and /etc/services, and in my case where shall I make the changes.

Re: Validate HPUX Security items

John Payne_2 — Wed, 08 Feb 2006 13:09:16 GMT

/etc/services maps services to port numbers/protocols. /etc/inetd.conf tells inetd what services to spawn when a connection coms in for that service (port) and how to spawn them, really. If you want to disable, for sure comment out in /etc/inetd.conf, then do an 'inetd -c' to re-read the configuration file. The only reason to comment out /etc/services to to make it so someone doesn't 'accidentally' come along and chnge you inetd.conf setting and restart the services. I never comment these out, I just do not see a need for it. One thing I do is remove all unwanted lines in /etc/inetd.conf so that people can't just uncomment the line and start something back up.

Hope it helps

John

Re: Validate HPUX Security items

Steven E. Protter — Wed, 08 Feb 2006 13:20:56 GMT

Shalom,

I view /etc/services as a reservation file.

If inetd.com and other daemons are condfigured correctly, they will use the /etc/services designation and fucntion as the file says.

Its kind of like an airline reservation system, because it can be bumped. Oracle and other third party products use ports without needing an entry in the file and can cause conflict with services defined in /etc/services.

SEP

Re: Validate HPUX Security items

Florian Heigl (new acc) — Wed, 08 Feb 2006 14:03:18 GMT

2) Use netgroups for NFS
one for write, one for r/o hosts

4)
bootpc -> /etc/services
rbootd in /etc/inetd.conf
changing /etc/services is useless.

Re: Validate HPUX Security items

Hunki — Thu, 09 Feb 2006 10:11:56 GMT

Temporarily closing.