HPE Community
Operating System - HP-UX
1753873 Members
7582 Online
108809 Solutions
New Discussion

system hardening

 
Golf_4_Me
Visitor

‎08-01-2011 01:20 PM

‎08-01-2011 01:20 PM

system hardening

Hi All,

 

I am new to this board and look to the group for some guidance. I have been tasked with doing some server hardening for our HP-UX 11.x PA/IA machines. I've read everything I've found on the subject but most docs seem to be pretty outdated. I am familiar with Bastille and creating Trusted systems but at this point I would like to start by shutting down unnecessary services and ports.

 

Can anyone point me to documentation/information about HP-UX 11.x default installed services and their purposes?

 

I know many services can be turned off with the /etc/rc.config.d/* scripts but regarding /sbin/rc*.d links, is changing the capital K or S to lower case sufficient to shut off the service? In other words, will lower case first characters cause the link to be ignored?

 

Thank you in advance, any guidance is greatly appreciated.

 

Best regards,

 

PDY

0 Kudos
Reply
4 REPLIES 4
Dennis Handly
Acclaimed Contributor

‎08-01-2011 01:35 PM

‎08-01-2011 01:35 PM

Re: system hardening

>I know many services can be turned off with the /etc/rc.config.d/* scripts

 

That's what you should first use.

 

>but regarding /sbin/rc*.d links, is changing the capital K or S to lower case sufficient to shut off the service?

 

It might work.  But better to remove them or move them elsewhere.

 

You should also look at inetd(1M) and inetd.conf(4).

0 Kudos
Reply
Doug O'Leary
Honored Contributor

‎08-02-2011 05:46 AM

‎08-02-2011 05:46 AM

Re: system hardening

Hey;

 

>>I know many services can be turned off with the /etc/rc.config.d/* scripts but regarding /sbin/rc*.d links, is changing the capital K or S to lower case sufficient to shut off the service? In other words, will lower case first characters cause the link to be ignored?

 

Yes, the lower case characters 'will cause the links ot be ignored'.  If you look at the rc script itself, on/about line 17 of /sbin/rc, is a function called get_scripts.  The logic is a fairly easy to folllow if you're familiar with scripting; however, the key part for this discussion is: 

 

case $name in 

${mode}*)

 

${mode} will either be 'S' or 'K' 

 

So, moving the link to a lower case will eliminate it from consideration which is also in line with the standard method on other OSs.

 

All that being said, if there is an /etc/rc.config.d script, edit that.  Some apps don't use those, though, so you should be aware of this method as well.

 

Hope that helps.

 

Doug O'Leary


------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
Reply
Golf_4_Me
Visitor

‎08-02-2011 08:38 AM

‎08-02-2011 08:38 AM

Re: system hardening

Hi,

 

Thank you for the replies, they are very helpful.

 

Does anyone know of a source that describes the default HP-UX /etc/rc.config.d/* services and their use/purpose?  I am currently researching to find information on each but if there is a doc on the subject it would be a great help.

 

Thanks in advance,

 

PDY

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎08-03-2011 12:54 AM

‎08-03-2011 12:54 AM

Re: system hardening

>Does anyone know of a source that describes the default HP-UX /etc/rc.config.d/* services and their use/purpose?

 

You could ask each init script to print its purpose:

$ /sbin/init.d/nfs.client start_msg
Start NFS client subsystem

Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.