Secure OS Software for Linux
HP-LX opinions

Neil Hare
Occasional Visitor

HP-LX opinions

I have just received a version of HP-LX Secure Linux. Have any of you already tested it? What experiences have you had?
11 REPLIES
Keith Hopkins
Occasional Visitor

Re: HP-LX opinions

I received mine today. I'll install it next week. How was your experience?
Hal Rottenberg
Frequent Advisor

Re: HP-LX opinions

You guys are pretty timely. We will be creating a Secure Linux sub-category within a week.

Please do share your experiences so far, and questions. When the new group is created, we will move this and any other related threads to it.

Hal Rottenberg
Technical Support Engineer
Hewlett-Packard
If at first you don't succeed, then skydiving isn't for you.
G. Vrijhoeven
Honored Contributor

Re: HP-LX opinions

Hi Neil,

How can i get a copy?

Gideon
Hal Rottenberg
Frequent Advisor

Re: HP-LX opinions

Gideon, you can find more information about Secure Linux and contact information at this URL:

http://www.hp.com/security/products/linux/

-hal
If at first you don't succeed, then skydiving isn't for you.
G. Vrijhoeven
Honored Contributor

Re: HP-LX opinions

Sorry Neil for the interruption.

Thanks Hal.

Lindsay Hill
Occasional Advisor

Re: HP-LX opinions

(I do work for HP, but not for the Secure Linux division. I am a consultant based in NZ. My thoughts are my own, not ISSL's or HP's)

Shortly after the release of 1.0, I downloaded a copy and installed it on an LP1000R I managed to, er, "borrow". This is one of the officially supported platforms. I have a PIII 1GHz, with 256MB, plus 3*18GB disks.

It was no trouble to install - exactly the same as any RedHat install, except you have the option to install SSH keys. I used the CD install, with a graphical interface.

You will want to make sure you have the documentation with you. I believe the release notes are included with the boxed set, and the admin/install guides are on the CD. You can also get them from docs.hp.com. It is handy to have these with you, they can make things easier.

If you are going to be remotely administering from a Windows client, get ssh installed - the install guide tells you how to get/use Cygwin/Openssh. I recommend uploading the keys at install time, it will make things easier.

You'll probably want to apply the released patch before doing anything else.

After install, you may want to go through and install Apache/Tomcat/MCGA. They are on the CDs, and the install guide shows you how to do it. They will give you an idea of where to go from here.

After that, I installed a few other things in compartments - NFS and ntp. Once you get your head around what is happening, it is relatively straightforward to add new applications, with or without using compartments.

I think what people need to keep in mind is that it is not useful only for acting as a web server. It is appropriate for any sort of network services you wish to offer - e.g. NFS, DNS, DHCP, etc. By placing apps in chrooted environments, and locking down their access almost totally, you can minimise any possible damage if an app gets compromised.

I prefer this approach to security - rather than just patching apps to fix a known problem, try and change things so apps are not vulnerable to both known and as yet undiscovered vulnerabilities. The Secure Linux approach also works to prevent other apps/data being compromised when one is compromised. When you consider the number of boxes that have been completely exposed due to one vulnerable service, it makes sense to take this approach.

I have also tried compiling my own kernel, following the instructions available. This proved to be a fairly straightforward exercise, not really much different to a standard roll-your-own kernel.

I think it is a good product, and the real key for me is that it is _not_ just for web servers.

- Lindsay
Neil Hare
Occasional Visitor

Re: HP-LX opinions

Here are my initial impressions.

Overall: I am very impressed and totally agree with the approach that HP has taken to security with HP-LX. It looks like HP has really done their homework and has set up a solid base for the kind of server that the security paranoid don't mind placing on the Internet.

Setup: The setup runs very like a 'normal' Red Hat 7.1 install with some modifications for security settings. You can only choose the 'server' install (for those of you familiar with the typical Red Hat categories), but this makes sense due to the market that HP is trying to reach here. Unfortunately, you cannot choose to install individual packages - according to the documentation, this feature "will be enabled in a forthcoming software product release." After the installation I looked over the list of 305 installed packages and didn't see any packages that seemed improper for a server install, so I guess that this missing feature can be tolerated. HP added Tripwire and ssh integration to the Red Hat install procedure to round things off.

Docu: I downloaded the documentation from docs.hp.com thinking that any changes since release would be reflected online. This wasn't the case though, as the Release Notes have a correction to the Administration Guide, but the online version was not any more up to date than the version on my HP-LX CD. Otherwise the documentation was easy to follow and I think that anyone able to administer a standard Linux distro should have no trouble getting underway with the help of the documentation.

In answer to Vrijhoeven's question, I received a test version from HP. I have not been able to procure a boxed set through normal distribution channels yet. It seems (to me) that the sales strategy is still being refined.

Things still to test:

- I plan on taking bind and setting up its own compartment. I am really interested to see how easily a standard rpm can be integrated into the HP-LX structure.

- HP-LX comes with kernel 2.4.5. I will be testing how easily an upgrade to 2.4.x goes. I have seen that this is documented with the open source kernel patches located at ftp://ftp.hp.com/pub/security/hplx_source/

Random thoughts:

- The patches are a little hidden. To find them go to www.itrc.com -> maintenance and support -> individual patches -> patches for applications on other platforms -> INTEL LINUX patches

- I find it interesting that nmap does not know what OS is running. From the TCP/IP fingerprint you can tell it's Linux, but that's it. Has HP changed some of the TCP/IP options?

- No journaling file system is installed with the system. Is there a journaling file system available for Linux that is _really_ ready for prime time? I have mixed emotions on this issue.

- Support on non-HP hardware. I was told at an HP conference that HP will support HP-LX on any hardware, but they will double check that the same problem occurs with HP-LX running on an HP NetServer. If not, you're on your own. I did my testing on a Fujitsu-Siemens PC and everything works fine.

Neil
Lindsay Hill
Occasional Advisor

Re: HP-LX opinions

For those that are after them, HP is offering free boxed sets for a 60-day evaluation, although I don't believe there are any codewords or anything like that.

You should just be able to ask a local HP sales rep to order you a boxed set. Although I downloaded my copy (internal systems), we ordered a boxed set for a customer, and it arrived very quickly (like less than a week, which, when you understand US->NZ shipping, is very fast).

- Lindsay
Konstantin Agouros
Occasional Advisor

Re: HP-LX opinions

Hello,

I don't want to brag, but the uptime on my HP-LX server says:
10:39am up 100 days, 19:04, 1 user, load average: 0.00, 0.00, 0.00

By now we also use it internally as a Squid proxy for an untrustworthy network. I also integrated ntp, dns, postgres and a Counter-Strike server on it. What didn't work out was dhcp, because LX seems to have problems with raw sockets. I started getting OpenCA to work, but have some trouble which is an OpenCA and not an LX problem. Otherwise I think it is fun to work with and it satisfies my paranoia. Oh BTW, we have it running even on a P1.
Marcus Henschel
Occasional Visitor

Re: HP-LX opinions

Hi Gideon,
Did you already get a copy of HP-LX?
I also want a copy for testing. Where did you get it?
Do I have to contact HP, or is there a possibility to download the CD images?
Best regards
Marcus
Ron Vladick
Advisor

Re: HP-LX opinions

Raw sockets are working as defined in the current version of Secure Linux. There are inherent dangers with applications using raw sockets. Some of these dangers are that raw sockets bypass the IP stack and write directly to the network layer. Thus an application would be able to write its own network packets and could impersonate another machine. Because of these dangers raw sockets are only supported in the sys-hi compartment. DHCP is not currently supported on Secure Linux.

I have added this topic as a new message in this forum:
How to use raw sockets on Secure Linux
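The reason raw sockets are confined to a privileged compartment, as an added example that is not part of this thread or of HP-LX: a process holding a raw socket supplies the entire IP header itself, so the source address is whatever it writes. The code below (my illustration, not HP's) builds an IPv4 header with a forged source address, computes the RFC 1071 header checksum the kernel would otherwise fill in, and then only checks whether the current process is even allowed to open a raw socket (on Linux this needs CAP_NET_RAW; an ordinary user gets EPERM). Nothing is put on the wire. The addresses 10.0.0.1/10.0.0.2 are made up for the example.

```c
/* Added example (not from the thread or HP-LX): why raw sockets are
 * restricted to privileged compartments. Builds an IPv4 header with an
 * arbitrary (spoofed) source address, computes the RFC 1071 checksum, and
 * tests whether this process may open a raw socket at all. Nothing is sent. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

#define IPV4_HDR_LEN 20

/* RFC 1071 one's-complement sum over 16-bit big-endian words. */
uint16_t ipv4_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (i < len)                       /* odd trailing byte */
        sum += (uint32_t)buf[i] << 8;
    while (sum >> 16)                  /* fold carries back in */
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Write a 20-byte IPv4 header with a caller-chosen source address into buf.
 * With a raw socket (IP_HDRINCL) the kernel would transmit this header as
 * written, which is the impersonation the post warns about.
 * Returns the checksum placed in the header. */
uint16_t build_ipv4_header(uint8_t *buf, uint32_t src, uint32_t dst,
                           uint8_t proto, uint16_t payload_len)
{
    uint16_t total = (uint16_t)(IPV4_HDR_LEN + payload_len);
    uint16_t csum;
    memset(buf, 0, IPV4_HDR_LEN);
    buf[0] = 0x45;                                   /* version 4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64;                                     /* TTL */
    buf[9] = proto;
    buf[12] = (uint8_t)(src >> 24); buf[13] = (uint8_t)(src >> 16);
    buf[14] = (uint8_t)(src >> 8);  buf[15] = (uint8_t)src;
    buf[16] = (uint8_t)(dst >> 24); buf[17] = (uint8_t)(dst >> 16);
    buf[18] = (uint8_t)(dst >> 8);  buf[19] = (uint8_t)dst;
    csum = ipv4_checksum(buf, IPV4_HDR_LEN);         /* checksum field is 0 here */
    buf[10] = (uint8_t)(csum >> 8); buf[11] = (uint8_t)csum;
    return csum;
}

/* 1 if a raw IP socket can be opened, 0 otherwise (errno is EPERM for an
 * unprivileged process without CAP_NET_RAW). */
int raw_socket_permitted(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Builds the forged header (src 10.0.0.1, dst 10.0.0.2, proto UDP, no
 * payload) and returns 1 if the stored checksum is 0x66d7 and a receiver's
 * re-check over the full header comes out as 0, as it must. */
int demo_header_verifies(void)
{
    uint8_t hdr[IPV4_HDR_LEN];
    uint16_t csum = build_ipv4_header(hdr, 0x0a000001u, 0x0a000002u, 17, 0);
    return csum == 0x66d7 && ipv4_checksum(hdr, IPV4_HDR_LEN) == 0;
}

int main(void)
{
    printf("forged header checksum %s\n", demo_header_verifies() ? "verifies" : "BROKEN");
    if (raw_socket_permitted())
        puts("raw socket opened: this process could send that header as-is");
    else
        printf("raw socket refused: %s\n", strerror(errno));
    return 0;
}
```

Run it as an ordinary user and the socket() call is refused; run it as root (or in a compartment that grants raw sockets) and the same process can hand the kernel a header with any source it likes. That asymmetry is why a sys-hi-only policy for raw sockets is the right default, and why a DHCP client, which legitimately needs raw sockets before it has an address, does not fit a locked-down compartment.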