topic Re: Securing a system without using 'trusted' in Operating System - HP-UX

Securing a system without using 'trusted'

Michael Tully — Wed, 04 Jul 2001 01:16:12 GMT

I've been asked to look at securing our
systems far more than what they are now.
In doing so I've compiled a list of things
that need to be looked at. Unfortunately
our site cannot use 'trusted system'
because of a constraint with one of the
essential applications that we use.

Here is what I've listed so far. I would
like feedback on what else I can do.
Remember I cannot use 'trusted system'

Removing all instances of .rhosts and
/etc/hosts.equiv
Turning off unnecessary services such as
exec, comsat, talk, uucp, finger, echo,
discard, daytime, chargen, sadmind,
rpc.cmsd and rpc.ttdbserverd.
Beef up the permissions on the following
files:

/etc/passwd 444 root:sys
/etc/group 444 root:sys
/etc/syslog.conf 444 bin:bin
/etc/resolv.conf 444 root:sys
/etc/nsswitch.conf 444 root:sys
/etc/mail/aliases 644 root:mail
/etc/mail/sendmail.cf 444 root:mail
/etc/mail/sendmail.cw 444 root:mail
/etc/fstab 444 root:sys
/etc/mnttab 444 root:sys
/etc/inittab 444 root:sys
/etc/inetd.conf 444 root:sys
/etc/lvmconf (directory) 755 root:root
/etc/lvmtab 600 root:sys
/etc/lvmrc 640 bin:bin
/etc/profile 444 bin:bin
/etc/exports 600 root:sys
/etc/hosts 444 root:sys
/etc/services 444 root:sys
/etc/shutdown.allow 640 bin:bin
/etc/SnmpAgent/snmpd.conf 644 root:root
/etc/utmp 644 root:root
/var/adm/btmp 600 root:root
/var/adm/sulog 600 root:root
/var/adm/wtmp 640 root:sys
/var/adm/cron/at.allow 444 bin:bin
/var/adm/cron/cron.allow 444 bin:bin
/var/spool/cron/crontabs/* 444 root:sys

There are many more files that are suid and
sgid on these systems, but which
ones do I keep as suid and sgid??

Thanks
Michael

Re: Securing a system without using 'trusted'

James R. Ferguson — Wed, 04 Jul 2001 01:35:02 GMT

Hi Michael:

Be very careful about altering set-user and set-group bits on executables provided as a part of the CORE OS (principally files in /usr and /sbin).

Some excellent guidelines to tightening general security were recently offered and summarized by Bill Hassell in this post:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,1150,0x4499e7e60861d511abcd0090277a778c,00.html

Regards!

...JRF...

Re: Securing a system without using 'trusted'

Michael Tully — Wed, 04 Jul 2001 02:08:36 GMT

Many Thanks Jim, that what exactly what I was after.

BTW Do you ever sleep??

Thanks again!
Michael

Re: Securing a system without using 'trusted'

Will_11 — Wed, 27 Feb 2002 15:56:31 GMT

If using hpterm's, ensure root users have messages turned off. Non root users can execute commands as root by passing commands to root terminals.

Re: Securing a system without using 'trusted'

Mark Greene_1 — Wed, 27 Feb 2002 16:02:40 GMT

Will,

Is this using talk, or wall too?

thanks,
mark

Re: Securing a system without using 'trusted'

Eric Ladner — Wed, 27 Feb 2002 16:19:34 GMT

Also, lots of good info here: http://people.hp.se/stevesk/bastion11.html

The document uses trusted host, but many of the suggestions there can be implemented on a non-trusted host.

Re: Securing a system without using 'trusted'

Reinhard Burger — Wed, 27 Feb 2002 16:24:37 GMT

Hi michael

what i miss in your list is to close the system also from the network side.
check /var/adm/inetd.sec how access from network is configured.

cheers reinhard

Re: Securing a system without using 'trusted'

Will_11 — Wed, 27 Feb 2002 16:27:44 GMT

I dont' know if talk or wall are affected, but these are the results when this root user had his messages turned on "mesg y"

user1@ServerName [/home/user1]
$ echo "\r shutdown -ry 0 \r\033d" > /dev/pts/0

user1@ServerName [/home/user1]
$
Broadcast Message from ROOTUSER (pts/0) Fri Feb 22 12:23:28...
PLEASE LOG OFF NOW ! ! !
System maintenance about to begin.
All processes will be terminated in 0 seconds.

Broadcast Message from ROOTUSER (pts/0) Fri Feb 22 12:23:28...
SYSTEM BEING BROUGHT DOWN NOW ! ! !

Disconnected; connection lost (Connection closed.).
Connection to SERVERNAME closed.

Re: Securing a system without using 'trusted'

Will_11 — Wed, 27 Feb 2002 16:32:23 GMT

Michael

You might want to also use of the ???find??? command to search for world writeable files and directories;

find / -perm 0007 -type d 2> /dev/null
find / -perm 0007 ???type f 2> /dev/null

Re: Securing a system without using 'trusted'

Paula J Frazer-Campbell — Wed, 27 Feb 2002 18:26:50 GMT

Michael

Also have at look at the allow files (cron at etc) and shut them down.

Write a small script to do an ls -l grepping from root dir and push the output to a file with 400 permissions.

This is your baseline system file permissions/size/time file.

Each morning (wee small hours) do the ls -l again and compare selected files for things like - new root level files, root level files wich have changed permissions / size, time stamps on system files (commands). I am sure you get my track on this.

Mail out the results and then reset the baseline file ready for the next day, so you then have a rolling security check.

This can then be added to by doing things like lastb root, looking at sulog.

Paula

Re: Securing a system without using 'trusted'

Steven Sim Kok Leong — Thu, 28 Feb 2002 07:34:18 GMT

Hi Michael,

HP's PDF production definition files include a checksum. I use a combination of mkpdf, pdfck and pdfdiff to verify file integrity of system files such as in /usr, /sbin, /etc, /stand etc. everyday in a cron job which emails me the differences.

Hope this helps. Regards.

Steven Sim Kok Leong

Re: Securing a system without using 'trusted'

Uday_S_Ankolekar — Thu, 28 Feb 2002 20:18:35 GMT

Hello, I tried to access the Link which James pointed. But I'm getting Page not found error. Why is that..?

-USA

Re: Securing a system without using 'trusted'

Chris Wong — Thu, 28 Feb 2002 22:00:48 GMT

Here is a listing of the suid/sgid after a cold install:

http://newfdog.hpwebhost.com/uptodatelistings/

Re: Securing a system without using 'trusted'

Jeff Schussele — Thu, 28 Feb 2002 22:18:32 GMT

I also am getting a 404 on JRF's URL.

Jeff

Re: Securing a system without using 'trusted'

Michael Tully — Fri, 01 Mar 2002 04:19:31 GMT

Thanks to all who have replied and kept replying. This post has been dead and buried for some time. No more posts please.

Thanks

Re: Securing a system without using 'trusted'

Alan Casey — Fri, 01 Mar 2002 10:34:55 GMT

A great document this checklist is used by auditing software, such as PentaSafe, and by auditors.

http://www.auscert.org.au/Information/Auscert_info/Papers/usc20.html