topic HP-UX Security in Operating System - HP-UX

HP-UX Security

Aaclof — Fri, 11 Feb 2005 11:14:04 GMT

Hi all,

I have some questions for you about HP-UX 11i security. I have already found many documents about general UNIX security, but some points are still obscure.

Please take time to try to help me, I would be very grateful. Don't hesitate to explain things even if they seem obvious to you, my knowledge in UNIX's world being very limited...

1) My first question is about the single user mode. I would like to disallow anybody to boot as single user without prompting a password. Do you know how to do that ?

2) How can we close any connection after a certain period of inactivity ?

3) How can I limit the amount of information given to the user when he is establishing a connection to a server ? (typically not giving the version of OS, etc.)

4) Do you know the "Trusted Mode" of HP UX and is it an efficient way of securing HP or is it better to secure it from the normal mode ? Would you recommand it ?

5) How to make a password respect a predefined policy ? (complexity, aging). I have seen the PAM cracklib module, but is it possible to do the same things without PAM

6) General question : if you had to make a HP-UX very secure, which services would you allow and which one would you make unavailable ?

7) Finally, do you know a very good security guide for HP UX 11i (free)

Thank you for your help. Please answer even if you only know the answer to one question. It will help. And forgive me for my english (I am french).

Bye,

Aaclof

Re: HP-UX Security

Pete Randall — Fri, 11 Feb 2005 11:30:44 GMT

The "HP-UX System Administration Tasks" manual has an entire chapter (12) on security:

http://docs.hp.com/en/B2355-90672/index.html

There is also a manual for setting up Trusted Systems:

http://docs.hp.com/en/B2355-90121/index.html

And there's chapter 8 in "Managing Systems and Workgroups":

http://docs.hp.com/en/5990-8172/index.html

Pete

Re: HP-UX Security

Chris Wilshaw — Fri, 11 Feb 2005 11:34:15 GMT

Aaclof,

1,4,5) Converting to a trusted system would allow you to set a single user password, and to define several password policy definitions.

Also check out the security man page, as that gives you a couple of extra options.

3) Change /etc/issue, to remove any unwanted information. Change the telnetd line in /etc/inetd.conf to

telnet stream tcp nowait root /usr/lbin/telnetd telnetd -b /etc/issue

(the -b /etc/issue tells it to use the contents of the issue file when someone telnets in to the server).

Then run inetd -c to pick up the config changes.

6,7) If you really want to secure your system, look at the Bastille product from HP - it's free.

It's available from the www.software.hp.com web site, or from the standard support/application CDs.

Re: HP-UX Security

David Child_1 — Fri, 11 Feb 2005 11:41:11 GMT

Aaclof,

Here goes;

1) I think your system must be running in Trusted mode for this to work. I believe you can go into SAM and it is in the Security Policies section.

2) Add the following line to /etc/profile
TMOUT=600
This will log anyone out after 600 seconds of inactivity. Note: knowledgable users could redefine this to TMOUT= and it would no longer work.

3) edit /etc/issue for starters.

4) I highly recommend Trusted mode. It give more options for password management, auditing, etc. If you are concerned that auditing will take up too much resources you can limit what is audited or turn it off all together.

5) You will need to be in Trusted mode for this. It is then just a matter of setting the properties you want. You can use command line (modprpw) or via SAM.

6) I would shut down all services and then only enable the ones you know you need (telnet, ftp, etc.). If you are not sure, disable it and see if things work okay. I would definately disable all r* commands and use SSH instead.

7) I believe there is stuff in http://docs.hp.com. This forum is probably the best place to go.

By the way, your English is probably better than mine :)

David

Re: HP-UX Security

Patrick Wallek — Fri, 11 Feb 2005 11:45:07 GMT

1) I think this is a bad idea. The functionality is available when the system is in trusted mode. If this option is activated you must enter the root password before single-user mode is invoked. The problem I have with this is if you forget the root password you cannot get to single-user mode.

In my opinion the better option is to restrict the knowledge of the root password and make an entry in /etc/shutdown.allow so only root can shutdown the machine. This restricts who can boot the machine. If they can't boot it, it is much more difficult to get to single-user mode.

2) If it is a simple shell connection you can make use of the TMOUT environment variable. If you set TMOUT to 30 then someone sitting at a shell prompt for 30 minutes will be logged out. The problem with this though is if someone invokes vi and forgets, the TMOUT will not work.

A better option here is to look at your application and see what options you might have.

4) Yes, definitely go to trusted mode. You have much more control over passwords and accounts when running in trusted mode. An addition benefit is that the encrypted passwords are moved OUT of /etc/passwd when you convert to trusted mode.

5) You have some control over this when in trusted mode. You can also use the file /etc/default/security to further define password requirements. 'man security' for more details.

6) Unconfigure all low port number services. Things like daytime, echo, chargen, ntalk, printer, k* (kerberos services) and discard are not needed. If you can use SSH rather than telnet, ftp and the r* commands then I would disable those (login, shell and exec). Also disable anything you don't need. tftp, rpc stuff.

To disable services just put a # at the beginning of the line for that service in /etc/ientd.conf and then make inetd re-read its config by doing an 'inetd -c'.

7) Look at http://docs.hp.com and select your version of HP-UX. There is LOTS of good documentation available there.

Re: HP-UX Security

Steven E. Protter — Fri, 11 Feb 2005 11:47:33 GMT

Consider this product:

Bastille:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA

Running it makes you aware of security issues. It needs this installed to work:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=PERL

I recommend not having telent or ftp daemons running at all.

Watch snmp because older version send the community strings in clear text.

I reccommend the following HP products:

HIDS, intrustion detection system
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS

The security portions of Internet Express, nessus for example:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=TCPWRAP

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

A thorough review of policy and physical security must be done,since more than 65% of security problems come from inside the organization.

SEP

Re: HP-UX Security

Biswajit Tripathy — Fri, 11 Feb 2005 14:28:39 GMT

I will only answer few and will not repeate what
others have already said.

You can use Bastille / IPFilter for security related
issues. See the doc at
http://docs.hp.com/en/5990-7245/5990-7245.pdf

Go to docs.hp.com and serarch for information on
Bastille, SSH, IPFilter. You should be using Bastille
and IPFilter if you are concerned about security.

> 2) How can we close any connection after a
> certain period of inactivity ?

One way to achieve this, if you decide to use
IPFilter system firewall, is to modify the kernel
tunable "fr_tcpidletimeout". Note that this kernel
tunable works only if you have configured IPFilter.

> 6) General question : if you had to make a HP-UX
> very secure, which services would you allow and
> which one would you make unavailable ?

It would depend on what the system is used for.
General advice is, block everything by default and
allow only the services you are providing. Use
IPFilter or Bastille (which, in turn, might use IPFilter)
to achieve this. If it's a personal desktop and you
are not hosting any ftp/http server, block all
incoming connections. If you expect users to log
into this system, allow only ssh and block everything
else (incoming direction). See Bastille / IPFilter
documents (at docs.hp.com)

> 7) Finally, do you know a very good security
> guide for HP UX 11i (free)

Go to docs.hp.com and search "Security".

> And forgive me for my english (I am french).

And I'm Indian, english is my 3rd language :-)

- Biswajit

Re: HP-UX Security

Gordon Morrison — Mon, 14 Feb 2005 05:34:12 GMT

I've found this document to be very useful:

Re: HP-UX Security

Ranjith_5 — Mon, 14 Feb 2005 07:52:10 GMT

Hi Alcof,

HP-UX Bastille is a security hardening/lockdown tool which can be used to enhance the security of the HP-UX operating system. It provides customized lockdown on a system by system basis, addressing a large number of the recommendations from a number of popular security scanning tools and checklists.

Bastille was originally developed by the open source community for use on Linux systems. HP is contributing by providing HP-UX Bastille.

features and benefits

configures daemons and system settings to be more secure
turns off unneeded services such as pwgrd
helps create chroot jails that partially limit the vulnerability of common Internet services such as Web servers and DNS
educates users through its user interface
configures Security Patch Check to run automatically
configures an IPFilter-based firewall
the "revert" feature returns the security configuration to the state before Bastille was run.

Attached the file, which gives you the info about the things you can do with Bastille.This is very much informative.

More infor here.

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA

Add following to your .profile file to set the time out.

readonly TMOUT=900
export TMOUT

this will logout the session after three minuts of inactivity.

Regards,
Syam

Re: HP-UX Security

Bill Alger — Mon, 14 Feb 2005 12:14:10 GMT

Here are some of my notes on what I have done here. I think you will find them helpfull. The breakout list is a list of services we have shut off here HP, SUN and AIX).

This is not the end all but just the beginning.

I hope this helps.

Re: HP-UX Security

Aaclof — Wed, 16 Feb 2005 11:30:58 GMT

Thank you for all your answers, it helped a lot.

I have another question for you, it is about password aging on HP-UX. I have seen the security file, but I don't think it helps us defining password aging policies (such as maximum life time).

I would like to know how to define a default password aging strategy that would be used for every new password (I don't want to use a command for each account in my database !).

Do you know how to implement it ?

Re: HP-UX Security

Florian Heigl (new acc) — Wed, 16 Feb 2005 11:41:07 GMT

I think You'll only get password aging in Trusted Mode, but hopefully someone proves me wrong :)

Re: HP-UX Security

Aaclof — Wed, 16 Feb 2005 11:58:42 GMT

Ok, and even in Trusted Mode. How do I configure my default password aging strategy ?

Re: HP-UX Security

Aaclof — Wed, 16 Feb 2005 12:01:50 GMT

Well, I just found it for the trusted mode.

Is it possible in normal mode ?

Re: HP-UX Security

Patrick Wallek — Wed, 16 Feb 2005 12:05:20 GMT

Yes, it is. You can go through SAM and set the password aging for each user.

Re: HP-UX Security

Bill Alger — Wed, 16 Feb 2005 13:53:30 GMT

You can also write a short script.
Put all the accounts in a file (file1).
example of file1:
billaccount
johnaccount
tedaccount

Now run this script:
cat file1 | while read line; do
passwd -x 60 -n 7 ${line}
done

This script will read the file and change every one in the file to expire at 60 days and set the min days to 7.
You can add users to this list as they are created.
I would not run this against the entire /etc/passwd file. Just the users.
I home this helps.

Re: HP-UX Security

Biswajit Tripathy — Wed, 16 Feb 2005 14:51:40 GMT

Syam wrote:
> Bastille
> features and benefits
> configures an IPFilter-based firewall

A small nitpick (just making sure that the original
poster does not get into a false sense of security)
:-)

Bastille has different levels of security (three, I
think), the lowest of which does not configure
IPFilter system firewall. Ofcourse, nothing stops you
to run bastille at the lowest level of security AND
configure IPFilter yourself.

- Biswajit

Re: HP-UX Security

Aaclof — Thu, 24 Feb 2005 09:21:33 GMT

Final little question:

How do I protect the access to the startup menu ? (I mean the equivalent of putting a password on the BIOS of a personal computer?).

For example, I wouldn't like anybody to be able to change the booting order (floppy, CD, hardisk).

Thanks for your help,

Aaclof