https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732545#M65783 Hi,<BR /><BR />The easiest variation from vanilla HP-UX is of course the move to trusted system.<BR /><BR />But many more changes may be made to ensure a greater security.<BR /><BR />This document clearly highlights obvious changes.<BR /><A href="http://www.hp.com/products1/unix/operating/infolibrary/whitepapers/building_a_bastion_host.pdf" target="_blank">http://www.hp.com/products1/unix/operating/infolibrary/whitepapers/building_a_bastion_host.pdf</A><BR />Excellent read!<BR /><BR />Glenn Wed, 29 May 2002 12:14:25 GMT Glenn L. Stewart 2002-05-29T12:14:25Z https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732538#M65776 Hi,<BR /><BR /> Can someone tell me what is the security level associated with Traditional HP UX installation? Is there any utility for assessing the security levels of HPUX systems?<BR />With trusted system, the level is known as C2 level.Is there any level or standard like this for normal HPUX installation?<BR /><BR /><BR />Thanks and Regds,<BR /><BR />Abdul Salam Tue, 28 May 2002 12:02:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732538#M65776 Abdul Salam H S_1 2002-05-28T12:02:38Z https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732539#M65777 Standard UNIX is C1 Tue, 28 May 2002 12:10:58 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732539#M65777 Sebastian Galeski_1 2002-05-28T12:10:58Z https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732540#M65778 I dont think there is any security level associated with a default HP-UX installation. Its basically not very secure at all.<BR /><BR />If you convert to a trusted system it does NOT make your server C2 security compliant. All youve done is adopt part of the C2 security requirements - only those for password control. A truly C2 compliant server would have encrypted network connections and lots of other goodies (ssh, nfs over ssh etc.)<BR /> Tue, 28 May 2002 12:14:59 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732540#M65778 Stefan Farrelly 2002-05-28T12:14:59Z https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732541#M65779 Most security experts would define a cold install of HP-UX as un-secure. There are several missing features (like umask), almost every service is turned on by default and many directories and files have open permissions. These will not be fixed by converting to C2 (Trusted). You still need to shutdown the majority of network services and ideally install IDS/9000 (for 11.0 and higher). Also get a copy of the book "HP-UX 11i Security" by Chris Wong. Tue, 28 May 2002 12:18:25 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732541#M65779 Bill Hassell 2002-05-28T12:18:25Z https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732542#M65780 Hi,<BR /><BR />Center for Internet Security has a level 1 (not TCSEC) security benchmark for HP-UX 10.20, 11.00 and 11.11:<BR /><BR /><A href="http://www.cisecurity.org/bench_HPUX.html" target="_blank">http://www.cisecurity.org/bench_HPUX.html</A><BR /><BR />To comply with TCSEC Orange Book C2 security, you need to convert your server to trusted (TCB). <BR /><BR />To comply to TCSEC B-level security, you should be looking at HP's VirtualVault.<BR /><BR />"Virtualvault trusted Web server platform is built upon a trusted operating system that incorporates tough B-level Department of Defense Trusted Computer System Standards (TCSEC) features."<BR /><BR /><A href="http://www.hp.com/security/products/virtualvault/papers/brief_4.0/" target="_blank">http://www.hp.com/security/products/virtualvault/papers/brief_4.0/</A><BR /><BR />Hope this helps. Regards.<BR /><BR />Steven Sim Kok Leong Tue, 28 May 2002 13:05:56 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732542#M65780 Steven Sim Kok Leong 2002-05-28T13:05:56Z https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732543#M65781 Salam,<BR /><BR />actually as long as HP-UX stores the (encrypted) passwords visible for everybody in "/etc/passwd" it belongs to the TCSEC category "D" (="minimal security", read: none!)!<BR />For that reason do so many other vendors make use of the not-public-readable "/etc/shadow" store for passwords...<BR /><BR />Just my $0.02,<BR />Wodisch<BR /> Tue, 28 May 2002 17:02:22 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732543#M65781 Wodisch 2002-05-28T17:02:22Z https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732544#M65782 Hi,<BR /><BR />Standard HP-UX is not at TCSEC level D. It is at TCSEC level C1 because it complies with security features such as "Identification and Authentication" as well as "Discretionary Access Controls" etc. <BR /><BR />An example of an OS at TCSEC level D is MS-DOS i.e. it is an OS with no knowledge of "user identity" and "access control" etc.<BR /><BR />Btw, the following is an excellent whitepaper on the security differences between standard and trusted HP-UX:<BR /><BR /><A href="http://www.hp.com/products1/unix/operating/infolibrary/whitepapers/sec9906.pdf" target="_blank">http://www.hp.com/products1/unix/operating/infolibrary/whitepapers/sec9906.pdf</A><BR /><BR />Some of the B1 special releases include HP-UX 10.09 and 10.16 etc.<BR /><BR />Hope this helps. Regards.<BR /><BR />Steven Sim Kok Leong Tue, 28 May 2002 22:07:45 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732544#M65782 Steven Sim Kok Leong 2002-05-28T22:07:45Z https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732545#M65783 Hi,<BR /><BR />The easiest variation from vanilla HP-UX is of course the move to trusted system.<BR /><BR />But many more changes may be made to ensure a greater security.<BR /><BR />This document clearly highlights obvious changes.<BR /><A href="http://www.hp.com/products1/unix/operating/infolibrary/whitepapers/building_a_bastion_host.pdf" target="_blank">http://www.hp.com/products1/unix/operating/infolibrary/whitepapers/building_a_bastion_host.pdf</A><BR />Excellent read!<BR /><BR />Glenn Wed, 29 May 2002 12:14:25 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-level-associated-with-traditional-hpux-installation/m-p/2732545#M65783 Glenn L. Stewart 2002-05-29T12:14:25Z