topic Re: System Files in Operating System - HP-UX

System Files

Marvyn Torres — Thu, 30 May 2002 08:11:29 GMT

Hello,

Would somebody please be kind enough to provide me with information on the following:
1. What are the prime system configuration files that need protecting and what should their appropriate permissions be?
2. What are the baseline SUID and SGID files that should exist in a system? (OS only)

Thanks!!

Re: System Files

Sebastian Galeski_1 — Thu, 30 May 2002 08:19:51 GMT

Hi
there is no one of few important file, there is many.
Usually You shold not change a permition to system files, because it can cause problems with system. About SUID'ed file. In system if suide'd file is a binary file it is oki, because using it for danger operation require a bit of knowledge, but if this is a text script it is dangerous because it can be edited in easy way. So my advise is to use find command to find all files with bit s set and check what kind of file it is. Try to use:
find / $ -perm ???04000 ???o ???perm ???02000 $ -exec ls -ld {} \;

hope it help

Re: System Files

Steven Sim Kok Leong — Thu, 30 May 2002 08:22:31 GMT

Hi,

Center for Internet Security has a HP-UX security benchmark for HP-UX 10.20, HP-UX 11.00 and HP-UX 11.11:

http://www.cisecurity.org/bench_HPUX.html

This benchmark comprises a list of hardening rules. As far as I recall, the SGID/SUID and file permission issues are addressed there as well.

Hope this helps. Regards.

Steven Sim Kok Leong

Re: System Files

Stefan Farrelly — Thu, 30 May 2002 08:33:43 GMT

All the correct permissions for all files installed using software distributor are kept on the system. So, if youre after the correct permissions for all the OS files then you can list all files which belong to the OS-Core bundle (and all its filesets) and their correct permissions with the following command;

swlist -l file -a mode OS-Core | more

You could take the output from this, put it into a file and run a script on it to check that the permissions currently set what theyre supposed to be, or set them.

Re: System Files

Marvyn Torres — Fri, 31 May 2002 00:04:56 GMT

Hey Steve,

Tried running the hp_checkperms tool from the CIS HP Benchmark. But when I executed it I got the following message:

#./hp_checkperms
script interpreter "/bin/sh" not found
script interpreter link resolves to "/usr/bin/sh"
sh: ./hp_checkperms not found.

Is there any (easy) way to resolve this????

Re: System Files

James R. Ferguson — Fri, 31 May 2002 00:14:08 GMT

Hi Marvyn:

It sounds like you don't have (or have lost) your "transltion links". These are a set of standard soft (symbolic) links that appeared when the HP-UX filesystem layouts were changed during the 9.x to 10.x evolution.

'/bin' is really a link to 'usr/bin' and 'lib' is really (only) a link to 'usr/lib'.

You can reinstall any missing links with:

# /opt/upgrade/bin/tlinstall

Regards!

...JRF...

Re: System Files

Marvyn Torres — Fri, 31 May 2002 00:29:02 GMT

James,

# /opt/upgrade/bin/tlinstall

Would the above command have any negative effects if executed on a production server? And does it involve having to restart the system?

Re: System Files

James R. Ferguson — Fri, 31 May 2002 00:32:23 GMT

Hi Marvyn:

No, and No. The command takes about 20-30 seconds to run and has no adverse effects. The overhead is to search filesystems and create the transition symbolic links.

Regards!

...JRF...

Re: System Files

Marvyn Torres — Fri, 31 May 2002 01:00:22 GMT

James,

Oops! Tried the command but I'm still getting the same message.

Anything else you can have me do??

Re: System Files

Steven Sim Kok Leong — Fri, 31 May 2002 09:30:20 GMT

Hi,

First, verify that /usr/bin/sh exists:

# ll /usr/bin/sh

Then try this:

1) Method 1:

# ln -s /usr/bin /bin

This is safe because if /bin already exists, this command will simply fail gracefully.

If /bin does not exist, it will create the soft-link such that /bin/sh -> /usr/bin/sh

2) Method 2:

Modify ./hp_checkperms she-bang (#!/bin/sh) header from

#!/bin/sh

to

#!/usr/bin/sh

3) Method 3:

# sh -c ./hp_checkperms

This should avoid the she-bang (#!/bin/sh).

Hope this helps. Regards.

Steven Sim Kok Leong

Re: System Files

Marvyn Torres — Mon, 03 Jun 2002 23:39:35 GMT

Steven,

Tried methods 1 and 2 but still got the same message.

Can you elaborate on method 3? How do I edit the she-bang header?

Thanks,

Marvyn

Re: System Files

Marvyn Torres — Mon, 03 Jun 2002 23:53:30 GMT

Steven,

Corrections to the above question. What I meant was:

Tried methods 1 and 3 but still got the same message.

Can you elaborate on method 2? How do I edit the she-bang header?

Thanks,

Marvyn

Re: System Files

Steven Sim Kok Leong — Wed, 05 Jun 2002 04:12:55 GMT

Hi,

2) Method 2:

Modify ./hp_checkperms she-bang (#!/bin/sh) header from

#!/bin/sh to #!/usr/bin/sh

In other words, edit the script hp_checkperms

# vi hp_checkperms

Replace #!/bin/sh with #!/usr/bin/sh on the very first line of the script.

Before change it shows:

#!/bin/sh
#
# check "execution" permissions on an hp-ux system per the information in
# the IPD, which is hopefully correct. Unfortunately, there
# will be different permissions settings for the same system file. I will
# generate 4 files, LL_errormsgs, MORE.restricted, FIX_permissions, and
# MULTIPLE.permissions.

After change, it shows:

#!/usr/bin/sh
#
# check "execution" permissions on an hp-ux system per the information in
# the IPD, which is hopefully correct. Unfortunately, there
# will be different permissions settings for the same system file. I will
# generate 4 files, LL_errormsgs, MORE.restricted, FIX_permissions, and
# MULTIPLE.permissions.

Hope this helps. Regards.

Steven Sim Kok Leong

Re: System Files

Steven Sim Kok Leong — Wed, 05 Jun 2002 04:25:24 GMT

Hi,

If you still face the same error, show us the output for the following commands:

# ll /usr/bin/sh
# file /usr/bin/sh
# ll ./hp_checkperms
# head -1 ./hp_checkperms

If you have the time, also show us output for the following:

# echo $SHELL
# env

Hope this helps. Regards.

Steven Sim Kok Leong

Re: System Files

Steven Sim Kok Leong — Thu, 06 Jun 2002 00:46:51 GMT

Hi,

Just to add on, once you swinstall the CISscan.pkg, you should be able to run the following:

# /opt/CIS/cis-scan

Here's an output of my testing that might interest you with regards to SUID/SGID programs:

===========================================
Beginning system evaluation...

Now a final check for Set-UID and Set-GID programs-- this can take a whole
lot of time if you have a large filesystem. Your score if there are
no extra SUID/SGID programs found will be 4.07 / 10.00 . If there are
extra SUID/SGID programs, your score will be 3.89 / 10.00 .

You can hit CTRL-C at any time to stop at this remaining step.

Rating = 3.89 / 10.00

-----------------------------------------
To learn more about the results, do the following:

All results/diagnostics:
more /opt/CIS/cis-ruler-log.20020606-15:35:48.15947
Positive Results Only:
egrep "^Positive" /opt/CIS/cis-ruler-log.20020606-15:35:48.15947
Negative Results Only:
egrep "^Negative" /opt/CIS/cis-ruler-log.20020606-15:35:48.15947

For each item that you score or fail to score on, please reference the
corresponding item in the CIS Benchmark Document.
===========================================

Hope this helps. Regards.

Steven Sim Kok Leong