Re: security

 
SOLVED
Go to solution
kholikt
Super Advisor

security

Hi,

I am writing some security document. I need to put some recommendation about the software selection during the OS installation.

At this moment, the following components are recommended not to install.

- CIFS related components including server and client
- Apache - if the server is not a web server
- NFS related components including server and client
- Tomcat
- XML Web server tools
- Webmin based admin
- Mozilla
- Ximian GNOME
- Java
- IPFilter

Is there anything that I missed here. This document based on HP-UX 11.23 and 11.11
abc
8 REPLIES 8
Florian Heigl (new acc)
Honored Contributor
Solution

Re: security

I think You should rather include IPFilter, I am aware there are issues like local port redirection, but a malicious user could use a socks proxy etc. for that and the benefit of having IPFilter at hand can be great.

CDE / X - having a history of security issues, so You could leave them out in case no graphical logins are needed. (And for such cases, there are still other solutions)

VxVm administrator - at least on Tru64 (LSM there) it listens on the network for some funky Java GUI.
yesterday I stood at the edge. Today I'm one step ahead.
Mic V.
Esteemed Contributor

Re: security

If you will not use it, perhaps delete sendmail and the printing software.
I don't remember how isolated those filesets are. Other candidates: kermit, telnet, ftp, r-services.

Sorry I can't remember fileset names and the like.

HTH,
Mic
What kind of a name is 'Wolverine'?
Biswajit Tripathy
Honored Contributor

Re: security

You are recommending not to install IPFilter for better
security? Could you explain why?

Don;t you think it would be easier to install IPFilter and
and allow only those incoming/outgoing traffic that you
want to allow and block everything else (and log all
suspicious connection attempts)? I can understand
that you don't want to install anything that is not
needed on the system, but IPFilter would add another
line of defence to your systems.

- Biswajit
:-)
Gordon  Morrison
Trusted Contributor

Re: security

Surf on over to http://www.cisecurity.org/
They provide various documents containing "Benchmark" security recommendations for various OS flavours, including HP-UX.
What does this button do?
Florian Heigl (new acc)
Honored Contributor

Re: security

uucp and related things are also candites to get rid of at the beginning, but they're no fileset of their own.
yesterday I stood at the edge. Today I'm one step ahead.
Ivajlo Yanakiev
Respected Contributor

Re: security

First read some doc about Bastion host
it will desc all unsec software and way to exclude from install.
Install Bastion host
Install IPFILTER



Steven E. Protter
Exalted Contributor

Re: security

CIFS related components including server and client:
Only install it if you need it. It is very useful if you want to share files on the HP box with windows users or vice versa. Otherwise its pretty much wasted hard disk space. It does not as far as I know represent a security hazard.

NFS - Data goes back and forth in clear text. This is a security hazard. If you don't need NFS, don't use it. You must however leave it installed. I monkeyed around with removing it once and did serious damage to an old box I was using for the experiement. I ended up having to do an Ignite restore.

Apache - significant issues. Right now I have a seemingly pointless port 80 abuse on my Linux Apache server and its driving me crazy, since I'm 7,000 miles from the box and must tread lightly.

Tomcat: If the box is not a web server tomcat provides no functionality.

Webmin based admin. I think for this you need apache running. There are no security hazards in this product that I know of, and its actually quite useful.

XML - No web server, no need for these.

Mozilla - Very useful, pretty secure. I use it to get patches so there is zero chance of me ruining the depot by forgetting to ftp the thing right from my pc. Also, the ftp step transmits passwords in clear text. Bad idea.

Ximian GNOME - Dead product, no support any more. Decided not to go to Gnome. Their port was nice, but old. It was patched a lot and there may have been security hazards.

Java - Oracle needs it. Mozilla needs it. I'd think about changing my mind.

IPfilter - No security hazards. Easy to use, can be helpful in improving security. I'd reconsider this one unless you trust each and every user BEHIND your firewall. Remember 65% of system attacks come from employees.

General rule on security is: If its not going to be used, don't install it. It can not be abused if it does not exist on the system.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Biswajit Tripathy
Honored Contributor

Re: security

kholikt,
thanks for 10 points, but I would really like to know
why would you recommend not installing IPFilter for
better security. I have been working for
Hewlett-Packard's IPFilter team for last few years and
you are the first person I have seen who is
recommending to avoid installing IPFilter and would
really like to know what I'm missing here.

- Biswajit
:-)