topic Re: HPUX11i security with MCSG and ovo 7.1 in Operating System - HP-UX

HPUX11i security with MCSG and ovo 7.1

Dale Waines_1 — Tue, 09 Sep 2003 13:36:21 GMT

Hi All,

Does anyone have any sugestions on how to proceed and the best way to secure HPUX 11i and to make sure it doesn't effect OVO/ITO/MCSG.

Thanks in advance
Dale

Re: HPUX11i security with MCSG and ovo 7.1

Zeev Schultz — Tue, 09 Sep 2003 14:51:31 GMT

Ok,
ITO uses rpc and securing rpc connections isn't an easy way,either its enabled in the source code or blocked (remember ms blaster?::).

Here is a security product (extension) for ovo/ito.

http://www.managementsoftware.hp.com/products/advsec/

For example I saw issues for ssh with java gui etc.

Here's description of ITO processes security:

http://www.managementsoftware.hp.com/sso/ecare/getsupportdoc?docid=B7491-90001_58-con

Zeev

Re: HPUX11i security with MCSG and ovo 7.1

Geoff Wild — Tue, 09 Sep 2003 15:58:41 GMT

For MC/SG, use /etc/cmcluster/cmclnodelist instead of .rhosts

Rgds...Geoff

Re: HPUX11i security with MCSG and ovo 7.1

Keith Buck — Wed, 10 Sep 2003 17:00:03 GMT

The first step is to ensure that you have a physically secure and highly available heartbeat network (or crossover cables).

The Bastille tool can be used to create a custom hardened HP-UX system.

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

If you use the ipfilter firewall setup, you'll need to configure custom rules to allow MCSG traffic over the heartbeat lan. (allowing all traffic over this lan should be fine)

You'll also need to have rules like this to allow Openview traffic in through the ipfilter firewall:

pass in quick proto tcp from any to any port = 135 flags S keep state keep frags

pass in quick proto tcp from any to any port 35000 >< 35004 flags S keep state keep frags

The things you need to leave running depend on how you're using ITO. For minimalist functionality, you can lock it down pretty tight. It's pretty common to use snmp to manage devices and monitor services, so it depends on your threat environment whether or not you allow that (functionality vs security).

That's pretty aggressive on the security side. If this is in a production environment, you should go through the Bastille GUI for recommendations, but only make a few changes at a time. If you have a test environment, then you can accept a lot more breakage risk and get there a lot faster.

-Keith

Re: HPUX11i security with MCSG and ovo 7.1

Dale Waines_1 — Wed, 10 Sep 2003 17:10:18 GMT

Thanks for all the info.
I've already used bastille to lock down some common holes. Just wondering if anyone out there has done this exact configuration with OVO functionality. I amd basically going to be monitoring Windows, Linux, Solaris boxes using OVO agents and SNMP for hardware traps. Even after I used bastille to lock my secondary box (in the cluster) (Primary is being used) I ran a security scanner called cis-scan and my security rating is still pretty bad as in 4.66 out of 10. I don't want to lock it down to much in case it starts messing up Xwindows/OVO or MCSG. Any other recommendations? Or am I just going nuts.

Thanks again
Dale

Re: HPUX11i security with MCSG and ovo 7.1

Keith Buck — Thu, 11 Sep 2003 15:20:59 GMT

I have actually used this configuration with OVO and MCSG, but it was more of a single purpose configuration and didn't use all of the MCSG/OVO features.

As far as the CIS tester, you really need to look at the detailed report rather than the high level score. For example, it complains that you don't have tcpwrappers/inetd.sec setup even if you enable a more complete solution like a host-based firewall (ipfilter). A second line of defense is nice and probably won't break anything, but it is additional work to maintain. So you have to make a tradeoff for your environment.

Also, note that there are a couple of bugs in the CIS scanner that would raise your score if they were fixed in the tester (e.g. the executable_stack kernel parameter test always returns 'insecure' despite the real state of the system, as does the complaint that you haven't patched in 30 days. CIS has fixed these bugs but hasn't released the new version.)

Then, there are several changes which CIS recommends which are not tested/supported by HP. So, be careful there as it may break in unpredictable ways.

Hope that helps.

-Keith

Re: HPUX11i security with MCSG and ovo 7.1

Zeev Schultz — Mon, 15 Sep 2003 11:10:50 GMT

And I'd also scan the traffic between the computers in your farm with some good sniffer
(like Ethereal) plus get open ports status with Nmap.What I really liked about m$ windows based firewalls/port protection tools I've used is its user interactive mode (means you build your own rules learning from access atempts made by your applications) so it lets you learn more about processes/ports and set 'em at the same time. Nothing is better than the real thing (and not to configure based on technical documentations only) :)