<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic HPUX O/S hardening in Operating System - HP-UX</title>
    <link>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956940#M752671</link>
    <description>&lt;BR /&gt;I am recently doing some O/S hardening on HPUX, and I have some questions:&lt;BR /&gt;&lt;BR /&gt;1. How does having 'mesg n' provide greater security?&lt;BR /&gt;&lt;BR /&gt;2. How does having global privileges such as &lt;BR /&gt;echo -n &amp;gt; /etc/privgroup with permission 400, if my global priv is chown, provide greater security?&lt;BR /&gt;&lt;BR /&gt;3. How does disabling finger, echo, and chargen provide greater security?</description>
    <pubDate>Wed, 23 Apr 2003 00:52:06 GMT</pubDate>
    <dc:creator>YLTan</dc:creator>
    <dc:date>2003-04-23T00:52:06Z</dc:date>
    <item>
      <title>HPUX O/S hardening</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956940#M752671</link>
      <description>&lt;BR /&gt;I am recently doing some O/S hardening on HPUX, and I have some questions:&lt;BR /&gt;&lt;BR /&gt;1. How does having 'mesg n' provide greater security?&lt;BR /&gt;&lt;BR /&gt;2. How does having global privileges such as &lt;BR /&gt;echo -n &amp;gt; /etc/privgroup with permission 400, if my global priv is chown, provide greater security?&lt;BR /&gt;&lt;BR /&gt;3. How does disabling finger, echo, and chargen provide greater security?</description>
      <pubDate>Wed, 23 Apr 2003 00:52:06 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956940#M752671</guid>
      <dc:creator>YLTan</dc:creator>
      <dc:date>2003-04-23T00:52:06Z</dc:date>
    </item>
    <item>
      <title>Re: HPUX O/S hardening</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956941#M752672</link>
      <description>Hi,&lt;BR /&gt;&lt;BR /&gt;I'm not an expert, but here is my take on your questions:&lt;BR /&gt;&lt;BR /&gt;1. Turning off the mesg service probably helps prevent a denial of service attack, as well as preventing any possible bugs in the program that might cause trouble [the old buffer overflow problem].&lt;BR /&gt;&lt;BR /&gt;2. If I understand your question, you are asking why the /etc/privgroup can have just 400 permissions when you still have global chown privileges?  The /etc/privgroup file is read by the setprivgroup command, and also the file should be owned by root, which means that even if you have chown privileges you should not be able to change the permissions on the file.&lt;BR /&gt;&lt;BR /&gt;3. Those services usually aren't needed, and can possibly be exploited for denial of service, bugs, or for getting information about the system and user accounts.&lt;BR /&gt;&lt;BR /&gt;JP&lt;BR /&gt;</description>
      <pubDate>Wed, 23 Apr 2003 01:37:34 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956941#M752672</guid>
      <dc:creator>John Poff</dc:creator>
      <dc:date>2003-04-23T01:37:34Z</dc:date>
    </item>
    <item>
      <title>Re: HPUX O/S hardening</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956942#M752673</link>
      <description>In addition to John's comments, you can also install HPUX Bastille that will assist you. You can get it from here:&lt;BR /&gt;&lt;A href="http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA" target="_blank"&gt;http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;'chown/chmod/chgrp' should be allowed globally anyway. You still won't be able to change a file from 'root' or anyone else.&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Wed, 23 Apr 2003 01:57:21 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956942#M752673</guid>
      <dc:creator>Michael Tully</dc:creator>
      <dc:date>2003-04-23T01:57:21Z</dc:date>
    </item>
    <item>
      <title>Re: HPUX O/S hardening</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956943#M752674</link>
      <description>You might also want to take a look at the document "Building a Bastion Host Using HP-UX 11" available from the TKB. The document is available from the ITRC TKB.  The doc id is USECKBAN00000800 and the URL is: &lt;A href="http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&amp;amp;docId=200000066258828" target="_blank"&gt;http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&amp;amp;docId=200000066258828&lt;/A&gt;</description>
      <pubDate>Wed, 23 Apr 2003 02:49:52 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956943#M752674</guid>
      <dc:creator>Patrick Wallek</dc:creator>
      <dc:date>2003-04-23T02:49:52Z</dc:date>
    </item>
    <item>
      <title>Re: HPUX O/S hardening</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956944#M752675</link>
      <description>If you turn mesg off, you're basically saying you do not want to accept any broadcast message that is sent to your console or shell for that matter, hence making it difficult for hackers to write to a user's terminal. As for the services like finger, echo and chargen, they can be used for a DoS attack. Typically they are not needed and you can disable them in /etc/inetd.conf, especially the UDP ones.</description>
      <pubDate>Wed, 23 Apr 2003 04:00:12 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956944#M752675</guid>
      <dc:creator>S.K. Chan</dc:creator>
      <dc:date>2003-04-23T04:00:12Z</dc:date>
    </item>
    <item>
      <title>Re: HPUX O/S hardening</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956945#M752676</link>
      <description>You probably know this useful link: Building a Bastion Host Using HP-UX 11, by Kevin Steves.&lt;BR /&gt;&lt;BR /&gt;&lt;A href="http://people.hp.se/stevesk/bastion11.html" target="_blank"&gt;http://people.hp.se/stevesk/bastion11.html&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;Thanks, Andrey</description>
      <pubDate>Wed, 23 Apr 2003 04:50:11 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956945#M752676</guid>
      <dc:creator>kuksaa_1</dc:creator>
      <dc:date>2003-04-23T04:50:11Z</dc:date>
    </item>
    <item>
      <title>Re: HPUX O/S hardening</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956946#M752677</link>
      <description>1. S.K. Chan explained mesg n.  I won't repeat.&lt;BR /&gt;&lt;BR /&gt;2. On some Unixes, chown can only be run by root.  /etc/privgroup gives you the ability to have that behavior on HP-UX (as well as a few other privileges).  By default, any user has the ability to chown to another user.&lt;BR /&gt;This is convenient in some environments, but in a high threat environment, limiting any privilege to the least necessary can be helpful.&lt;BR /&gt;&lt;BR /&gt;3. Bastille 2.1 explains these services and some reasons for turning them off.  Basically, any service that listens on the network increases your risk of having a future vulnerability which affects your system.  Also, finger can be used as part of the "information gathering phase" of an attack.&lt;BR /&gt;</description>
      <pubDate>Wed, 23 Apr 2003 16:13:59 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956946#M752677</guid>
      <dc:creator>Keith Buck</dc:creator>
      <dc:date>2003-04-23T16:13:59Z</dc:date>
    </item>
    <item>
      <title>Re: HPUX O/S hardening</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956947#M752678</link>
      <description>Hardening Unix does require an extensive knowledge of all the services that it can provide, and turning off any that are not needed. This is not a trivial task. There are a LOT more services besides chargen, finger, echo, etc. that should be disabled. Basically, you want nothing to respond unless it is a required service.&lt;BR /&gt;&lt;BR /&gt;But when you ask the question about security, there are dozens of other areas such as cleartext passwords over the network (i.e., telnet), security patch management, plaintext data exchange (ftp) and so on that need to be addressed. &lt;BR /&gt;&lt;BR /&gt;As mentioned, download a copy of Bastille and the security patch checker from software.hp.com and also look at the IDS/9000 (Intruder Detection System), Secure Shell (OpenSSH) and perhaps TCPwrappers, also available from software.hp.com (and don't forget to buy the book: HP-UX 11i Security by Chris Wong)</description>
      <pubDate>Wed, 23 Apr 2003 16:51:28 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/hpux-o-s-hardening/m-p/2956947#M752678</guid>
      <dc:creator>Bill Hassell</dc:creator>
      <dc:date>2003-04-23T16:51:28Z</dc:date>
    </item>
  </channel>
</rss>

