topic Re: secure system in Operating System - HP-UX

secure system

yut — Thu, 22 Sep 2005 08:17:05 GMT

all,

what files in hpux that need to make more secure system ??how to make /etc/default/security work if my system not in trusted and how if my system is trusted ???anyone can give me the example of /etc/default/security file? all my server that running hpux don't have that file.

many thanks for all of your kindness!

regards,

-yut-

Re: secure system

Geoff Wild — Thu, 22 Sep 2005 08:21:36 GMT

How to tell if system is in trusted mode?

/usr/lbin/getprdef -r

Rgds...Geoff

Re: secure system

Geoff Wild — Thu, 22 Sep 2005 08:23:28 GMT

Also, if you just want to lock down the system, have a look at bastille:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA

Rgds...Geoff

Re: secure system

Joseph Loo — Thu, 22 Sep 2005 08:24:35 GMT

hi,

refer to this:

http://docs.hp.com/en/B2355-60105/security.4.html

u may also like to look at hardening your system using bastille:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA

regards.

Re: secure system

Bill Hassell — Thu, 22 Sep 2005 09:55:53 GMT

The security file in /etc/defaults is never supplied--you must always create it yourself. NOTE: most of the parameters mentioned in the man page apply only to a Trusted system. I've attached a heavily commented security file that has virtually all the options mantioned. Unfortunately, there is no error checking or syntax checking. If the option you choose does not exist (for example, PASSWORD_HISTORY_DEPTH=5 is meaningless in a non-Trusted system) then the option is silently ignored. Thus the reason for all the comments in my sample file.

The majority of the options require a Trusted system. Also, many options are based on patches. If a system is missing some security patches, then some of the options will also be ignored. The man page for security (as it exists on a specific system) should match what that system has in terms of patches.

Note also that comments CANNOT be appended to an option (ie, NOLOGIN=1 # stop user logins).

Re: secure system

Rick Garland — Thu, 22 Sep 2005 10:46:37 GMT

You can get options and examples for the /etc/default/security file by doing man security.

If you are able, read the man pages from a 11,23 version of HPUX as opposed to 11.0. A lot of the options will still work but the explainations are better in 11.23 man pages.
Some of the items discussed deal with passwd restrictions, login restrictions, the wheel group, etc...

Other ideas, setup /etc/securetty so root login only on console and Bastille.

To convert to a trusted system and not expire passwds;
etc/tsconvert;/usr/lbin/modprpw -V

To go into trusted mode use the