topic Unix Security in Operating System - HP-UX

Unix Security

Wong_3 — Wed, 23 Oct 2002 00:55:56 GMT

Hi,

I need to come up with a detailed proposal on both on unix system and network security. Anyone can share with me their information or direct me to some good sources? Thanks!

Re: Unix Security

Michael Tully — Wed, 23 Oct 2002 01:12:58 GMT

Hi,

You need to check out HP-UX bastille, as the white paper on building a 'Bastion Server'.

HP-UX bastille (free)
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

How to build a Bastion server:
http://people.hp.se/stevesk/bastion11.html

Check Bill Hassell's comments on this post:
http://forums.itrc.hp.com/cm/QuestionAnswer/1,11866,0x4499e7e60861d511abcd0090277a778c,00.htm

and this one:
http://forums.itrc.hp.com/cm/QuestionAnswer/1,11866,0x67f9c6af36b7d5118ff10090279cd0f9,00.html

HTH
Michael

Re: Unix Security

Bill Hassell — Wed, 23 Oct 2002 01:27:40 GMT

This is a very complex task depending on whether you are already protected by strong firewalls and a knowledgeable network support staff. As a minimum, get Chris Wong's book on HP-UX Security. Then overestimate the cost of the task (in hours) by about 200% so that managment can slash the estimate in half and you'll have about the right amount of time.

Get the HP-UX security patch checker which then point out numerous problems with previous installations of patches and products.

If this machine is to be on the open Internet, you'll need the Bastion host white paper--and follow it carefully *BEFORE* you connect to the net.

Network security is easily as complex (and very different) as HP-UX security (or Unix in general). If management is serious about security, you will need an expert. I would avoid Bubba's Unix Security and TV Repair Shop as a vendor (get someone who is truly qualified).

Re: Unix Security

Dave Unverhau_1 — Wed, 23 Oct 2002 02:09:38 GMT

You might find that having HP perform a security review. We have a number of experts who can provide valuable guidance.

If you have a proactive support agreement with HP, this consultation can be covered by utilizing your Technical Support Entitlement deliverables. Otherwise, this service can be purchased. I've spoken with several customers who have had HP provide this service and they have been very pleased.

I don't mean to make this sound like an advertisement, but if you do have a PSS, CSS or BCS support contract, it might be attractive to use the entitlements, rather than spend out-of-pocket money.

...And as Bill and Michael pointed out, the Bastion host white paper is an excellent starting point!

Best Regards,

Dave

Re: Unix Security

Christian Gebhardt — Wed, 23 Oct 2002 04:53:01 GMT

A good book for "practical" security is
"Practical Unix & Internet Security" written by Simson Garfinkel and Gene Stafford from O'Reilly & Associates,Inc

Chris

Re: Unix Security

Wodisch — Wed, 23 Oct 2002 17:48:01 GMT

Hi,

do not forget to install and use the additional products to improve your HP-UX systems' security, like:
- OpenSSH
- IPFilter/9000

FWIW,
Wodisch

Re: Unix Security

Ronald Cogen — Thu, 24 Oct 2002 06:21:09 GMT

Hi,

Take a look at the HP-Manual "Administering your HP-UX Trusted System HP 9000 Computer Systems", HP Part Nr. B2355-90121 (1996).
The manual describes the tasks required for configuring and administering a HP-UX system as a C-2 level trusted system.
Chapter 1 Description of the HP-UX Trusted System
Chapter 2 Installation and Configuration of a HP-UX Trusted System
Chapter 3 Practices that enforce the Trustworthiness of the System
Chapter 4 Practices that Compromise the Trustworthiness of the System
App A Audit Record Format
App B Commands and System Calls
App C SFUG Supplement

If I'm not mistaken, you can find the manual at the documentation web-site. Be careful, when setting up a trusted system. Good luck.

Regards,
Ron

Re: Unix Security

Wong_3 — Thu, 24 Oct 2002 06:55:33 GMT

Thanks for the help guys. I will try to look through all the documents. By the way, I have assigned some points but somehow it is not reflected. Do you guys see the points that i have assigned??

Re: Unix Security

Yogeeraj_1 — Thu, 24 Oct 2002 07:32:32 GMT

hi,

It is very important to keep updated with patches especially the one released for correcting security bugs!

One way of keeping informed is to subscribe to Security newsletters like Secure Wire (http://infosecuritymag.bellevue.com/)

You should also take into consideration "application level patches"

E.g. Oracle Security Alert #45: Security Release of Apache 1.3.27 released recently by Oracle Security Product Management.

hope this helps!

Regards
Yogeeraj

Re: Unix Security

Ronald Cogen — Thu, 24 Oct 2002 07:44:03 GMT

Hello,

Thanks for the points. I can see them clearly.
Regards,
Ron

Re: Unix Security

Chuck J — Thu, 24 Oct 2002 08:15:04 GMT

Hi

All the points showed up. Also do a seach on the internet for "server hardening scripts" These can remove uneeded software and close down ports that you don't need to use.

Chuck J

Re: Unix Security

W.C. Epperson — Thu, 24 Oct 2002 11:27:09 GMT

The CERT/AUSCERT checklist also contains some excellent points:

http://www.auscert.org.au/Information/Auscert_info/papers.html