topic Re: Hardening HP in Operating System - HP-UX

Hardening HP

Abdul Salam H S_1 — Mon, 15 Jul 2002 08:55:47 GMT

Hi All,

I'm in the process of securing my OS, I converted my system to Trusted system but I'm facing following problems on tighten up the security.

How to set permanent UMASK for the programs? (User alaredy have UMASK in his profile for the files created by him now where do I set the permanemt UMASK?

After making trusted system, when secelcting auditing, either I have to select all the events or I'm allowed to choose upto 10 events. How do I choose more selective events?

How do I reneme and disable the root account. SAM dosen't allows me to do this.

When someone opens the FTP session, it displays the system name and ftp server virsion, I want to display this information only after login. Please suggest how do I do this.

Thank you.
Abdul Salam

Re: Hardening HP

Peter Kloetgen — Mon, 15 Jul 2002 09:03:20 GMT

Hi Abdul,

be aware of disabling the root account!!!! *Never* do this! If you have any problems on your computer you can repair nothing because only root has permissions to do so.

Every user can run umask- command per default and change his own umask. To get rid of this behaviour, you have to change the permissions for this command to: r-xr--r--

Allways stay on the bright side of life!

Peter

Re: Hardening HP

U.SivaKumar_2 — Mon, 15 Jul 2002 09:38:26 GMT

Hi,
You can set umask globally for all users in
/etc/profile ( which will writable only for
root , readable for all ).

Regarding renaming root , you can create any
user ( eg. administrator ) with UID 0 . Give same GID of root to this user. Then this user
can work as root.

But I don't recommend this , without testing this setup on a dummy machine. Doing all regular tasks like single user boot etc.

regards,

U.SivaKumar

Re: Hardening HP

Steven Sim Kok Leong — Mon, 15 Jul 2002 09:44:09 GMT

Hi,

To add on, don't forget to set the umask in your /etc/csh.login as well for users with csh as their login shells.

Hope this helps. Regards.

Steven Sim Kok Leong

Re: Hardening HP

U.SivaKumar_2 — Mon, 15 Jul 2002 09:46:32 GMT

Hi,

Very good document on hardening HP-UX system.

http://people.hp.se/stevesk/bastion11.html

regards,

U.SivaKumar

Re: Hardening HP

Donald Kok — Mon, 15 Jul 2002 09:50:29 GMT

- you can put umask 077 in /etc/profile Which will be the default for all users.
- auditing events will cost huge amounts of disk, so you better put it on when you REALLY want it.
- renaming and disabling of root is looking for trouble.
- I wonder if you can do anything on the behaviour of ftp. I think it is encoded in the executable, but do not know for sure. Maybe you can use another ftp-program.

Goodluck
Donald

Re: Hardening HP

Steven Sim Kok Leong — Mon, 15 Jul 2002 09:55:06 GMT

Hi,

If csh is used as the login shell in /etc/passwd, then /etc/profile will not be used. Instead, /etc/csh.login will be used.

Just to add on to what has already been said, Center for Internet Security has a HP-UX security benchmark for HP-UX 10.20, HP-UX 11.00 and HP-UX 11.11:

http://www.cisecurity.org/bench_HPUX.html

This benchmark comprises a list of hardening rules. These rules are very precise and clear. Will be good to check them out as well.

Hope this helps. Regards.

Steven Sim Kok Leong

Re: Hardening HP

V. V. Ravi Kumar_1 — Mon, 15 Jul 2002 10:04:32 GMT

hi Abdul,

i am attaching a word document, which may be useful for u.

regds

Re: Hardening HP

Daimian Woznick — Mon, 15 Jul 2002 11:41:29 GMT

This answer applies to the FTP configuration. From what I understand of the question you do not want to display the hostname and version when the ftp port is opened.

To do this you would utilize the /etc/ftpd/ftpaccess file (man 4 ftpaccess for further information). To turn off the hostname you would enter the following line in the file:

suppresshostname yes

To turn off the version:

suppressversion yes

To enable a banner (legal warning, etc.) - the following example uses /etc/issue:

banner /etc/issue

Take note that if you are not already using this file you should put the following line in the file as well:

class ppl real *

I tested all this on HPUX 11.11 with the 4 lines mentioned above (as well as the order above).

Re: Hardening HP

Daimian Woznick — Mon, 15 Jul 2002 11:54:29 GMT

In response to the hardening of the OS you will find a lot of information on the internet to help you in this. There was an earlier post on the Bastille UNIX program:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xc2d291ccb36bd611abdb0090277a778c,00.html

The depot file can be found on the following site:

http://www.bastille-linux.org

I have installed this program on a test server and found the interface to quite friendly. It will explain why the changes should be made and then ask permission before doing it.

You may also find the AusCERT UNIX Security Checklist to be of use. You can find this at the following web site:

www.auscert.org.au/Information/Auscert_info/Papers/usc20.html

and an abbreviated copy here:

http://www.cert.org/tech_tips/usc20_essentials.html