
Re: Hardening HP

 
Abdul Salam H S_1
Frequent Advisor

Hardening HP


Hi All,

I'm in the process of securing my OS. I converted my system to a Trusted System, but I'm facing the following problems in tightening up the security.


How do I set a permanent UMASK for the programs? (The user already has a UMASK in his profile for the files created by him; now where do I set the permanent UMASK?)

After making the system trusted, when selecting auditing, either I have to select all the events or I'm allowed to choose up to 10 events. How do I choose more selective events?

How do I rename and disable the root account? SAM doesn't allow me to do this.

When someone opens an FTP session, it displays the system name and FTP server version. I want to display this information only after login. Please suggest how I can do this.

Thank you.
Abdul Salam
9 REPLIES 9
Peter Kloetgen
Esteemed Contributor

Re: Hardening HP

Hi Abdul,

Beware of disabling the root account!!!! *Never* do this! If you have any problems on your computer you can repair nothing because only root has permissions to do so.

Every user can run the umask command by default and change his own umask. To get rid of this behaviour, you have to change the permissions for this command to: r-xr--r--

Always stay on the bright side of life!

Peter
I'm learning here as well as helping
U.SivaKumar_2
Honored Contributor

Re: Hardening HP

Hi,
You can set umask globally for all users in /etc/profile (which will be writable only by root, readable by all).

Regarding renaming root, you can create any user (e.g. administrator) with UID 0. Give the same GID as root to this user. Then this user can work as root.

But I don't recommend this without testing this setup on a dummy machine, doing all regular tasks like single user boot etc.

regards,

U.SivaKumar

Innovations are made when conventions are broken
Steven Sim Kok Leong
Honored Contributor

Re: Hardening HP

Hi,

To add on, don't forget to set the umask in your /etc/csh.login as well for users with csh as their login shells.

Hope this helps. Regards.

Steven Sim Kok Leong
U.SivaKumar_2
Honored Contributor

Re: Hardening HP

Hi,

Very good document on hardening HP-UX system.

http://people.hp.se/stevesk/bastion11.html

regards,

U.SivaKumar

Innovations are made when conventions are broken
Donald Kok
Respected Contributor

Re: Hardening HP

- You can put umask 077 in /etc/profile, which will be the default for all users.
- Auditing events will cost huge amounts of disk, so you better put it on when you REALLY want it.
- Renaming and disabling of root is looking for trouble.
- I wonder if you can do anything about the behaviour of ftp. I think it is encoded in the executable, but do not know for sure. Maybe you can use another ftp program.

Good luck
Donald
My systems are 100% Murphy Compliant. Guaranteed!!!
Steven Sim Kok Leong
Honored Contributor

Re: Hardening HP

Hi,

If csh is used as the login shell in /etc/passwd, then /etc/profile will not be used. Instead, /etc/csh.login will be used.

Just to add on to what has already been said, the Center for Internet Security has an HP-UX security benchmark for HP-UX 10.20, HP-UX 11.00 and HP-UX 11.11:

http://www.cisecurity.org/bench_HPUX.html

This benchmark comprises a list of hardening rules. These rules are very precise and clear. It will be good to check them out as well.

Hope this helps. Regards.

Steven Sim Kok Leong
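
The umask answers above depend on each account's login shell: /etc/profile covers one family of shells and /etc/csh.login covers csh. The following is an added example, not part of any post in this thread, that reads a passwd-format file and reports which global startup file governs each account and whether that file sets a umask. Treating sh, ksh and bash as /etc/profile readers, tcsh as a /etc/csh.login reader, and the sample accounts and files are assumptions made for the example.

```shell
#!/bin/sh
# startup_file_for SHELL_PATH -> global startup file for that login shell
# (mapping is an assumption beyond the csh vs /etc/profile rule in the thread)
startup_file_for() {
    case "${1##*/}" in
        sh|ksh|bash) echo "etc/profile" ;;
        csh|tcsh)    echo "etc/csh.login" ;;
        *)           echo "none" ;;
    esac
}

# umask_in FILE -> last uncommented umask value set in FILE; fails if none
umask_in() {
    [ -r "$1" ] || return 1
    awk '$1 == "umask" && $2 ~ /^[0-7]+$/ { v = $2 }
         END { if (v == "") exit 1; print v }' "$1"
}

# audit_umask ROOT -> one line per account: user:shell:startup-file:umask
audit_umask() {
    sysroot=$1
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        file=$(startup_file_for "${shell:-/usr/bin/sh}")  # empty field: default shell
        if [ "$file" = "none" ]; then
            echo "$user:$shell:none:UNCHECKED"
        elif val=$(umask_in "$sysroot/$file"); then
            echo "$user:$shell:/$file:$val"
        else
            echo "$user:$shell:/$file:MISSING"
        fi
    done < "$sysroot/etc/passwd"
}

# Constructed sample tree: /etc/profile sets a umask, /etc/csh.login has it
# commented out, so the csh user silently falls outside the policy.
demo_root() {
    d=${TMPDIR:-/tmp}/umask-demo.$$
    mkdir -p "$d/etc"
    printf '%s\n' 'root:*:0:3::/:/sbin/sh' \
        'alice:*:101:20::/home/alice:/usr/bin/ksh' \
        'bob:*:102:20::/home/bob:/usr/bin/csh' > "$d/etc/passwd"
    printf '%s\n' '# system profile' 'umask 077' > "$d/etc/profile"
    printf '%s\n' '# umask 022' 'set path=(/usr/bin)' > "$d/etc/csh.login"
    echo "$d"
}

demo=$(demo_root)
audit_umask "$demo"
rm -rf "$demo"
```

On a live system, call `audit_umask ""` so the paths resolve to /etc/passwd, /etc/profile and /etc/csh.login.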
V. V. Ravi Kumar_1
Respected Contributor

Re: Hardening HP

Hi Abdul,

I am attaching a Word document, which may be useful for you.

regds
Never Say No
Daimian Woznick
Trusted Contributor

Re: Hardening HP

This answer applies to the FTP configuration. From what I understand of the question you do not want to display the hostname and version when the ftp port is opened.

To do this you would utilize the /etc/ftpd/ftpaccess file (man 4 ftpaccess for further information). To turn off the hostname you would enter the following line in the file:

suppresshostname yes

To turn off the version:

suppressversion yes

To enable a banner (legal warning, etc.) - the following example uses /etc/issue:

banner /etc/issue

Take note that if you are not already using this file you should put the following line in the file as well:

class ppl real *

I tested all this on HPUX 11.11 with the 4 lines mentioned above (as well as the order above).
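
A way to verify the four ftpaccess settings from the post above, as an added example that is not part of the original post. It also flags a banner file that itself contains the hostname, since the banner is shown before login; the function names, the hostname `hpbox01` and the sample files are constructed for the example.

```shell
#!/bin/sh
# has_directive FILE KEYWORD [VALUE] -> 0 if an uncommented line matches
has_directive() {
    awk -v k="$2" -v v="$3" '
        $1 == k && (v == "" || $2 == v) { found = 1 }
        END { exit !found }' "$1"
}

# check_ftpaccess FILE HOSTNAME -> prints space-separated findings
# (an empty result means all four settings are in place)
check_ftpaccess() {
    f=$1; host=$2; findings=""
    has_directive "$f" suppresshostname yes || findings="$findings hostname-shown"
    has_directive "$f" suppressversion yes  || findings="$findings version-shown"
    has_directive "$f" class                || findings="$findings no-class"
    banner=$(awk '$1 == "banner" { p = $2 } END { print p }' "$f")
    if [ -z "$banner" ]; then
        findings="$findings no-banner"
    elif [ -n "$host" ] && [ -r "$banner" ] && grep -qiF -- "$host" "$banner"; then
        # the pre-login banner would undo suppresshostname
        findings="$findings banner-leaks-hostname"
    fi
    echo "${findings# }"
}

# Constructed samples: a weak file (suppressversion commented out, no class,
# banner text names the host) and one with the post's four lines in order.
demo_ftp() {
    d=${TMPDIR:-/tmp}/ftpaccess-demo.$$
    mkdir -p "$d"
    echo 'Welcome to hpbox01 FTP' > "$d/issue.leaky"
    echo 'Authorized use only.'   > "$d/issue.clean"
    printf '%s\n' "banner $d/issue.leaky" '# suppressversion yes' \
        > "$d/ftpaccess.weak"
    printf '%s\n' 'suppresshostname yes' 'suppressversion yes' \
        "banner $d/issue.clean" 'class ppl real *' > "$d/ftpaccess.hard"
    echo "$d"
}

demo=$(demo_ftp)
echo "weak: $(check_ftpaccess "$demo/ftpaccess.weak" hpbox01)"
echo "hard: $(check_ftpaccess "$demo/ftpaccess.hard" hpbox01)"
rm -rf "$demo"
```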
Daimian Woznick
Trusted Contributor

Re: Hardening HP

In response to the hardening of the OS you will find a lot of information on the internet to help you in this. There was an earlier post on the Bastille UNIX program:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xc2d291ccb36bd611abdb0090277a778c,00.html

The depot file can be found on the following site:

http://www.bastille-linux.org

I have installed this program on a test server and found the interface to be quite friendly. It will explain why the changes should be made and then ask permission before doing it.

You may also find the AusCERT UNIX Security Checklist to be of use. You can find this at the following web site:

www.auscert.org.au/Information/Auscert_info/Papers/usc20.html

and an abbreviated copy here:

http://www.cert.org/tech_tips/usc20_essentials.html