HPE Community
Operating System - HP-UX
1839185 Members
2982 Online
110137 Solutions
New Discussion

Hardening question

 
Jessica_37
Occasional Contributor

‎07-03-2005 02:15 PM

‎07-03-2005 02:15 PM

Hardening question

Hello Everyone,

I have several quick questions here, thanks in advance for your help!

1. how to determin whether an unnecessary account(such as sys, uucp, listen) is locked/disabled via /etc/passwd(non trust mode) or /.secure/etc/passwd (trusted mode), is that by default the system predefined accounts like sys, uucp and listen can not login?

2. What is the difference between disable and lock an account?

3. Is there any mesures can take to limit the access to PDC menu when the system is starting up? Like a password protected un-authenticated access to PDC? (like security mode protected BootPROM accessing in Solaris)

4. how to enable the inetd logging functions?(By inetd -l or some other options)

5. Does the core/dump file may contain system sentitive data (such as root password) which may exposed the vulnerabilities). Should we disable core file in HP-UX for this reason?

Thanks again!

Jess
0 Kudos
Reply
2 REPLIES 2
Olivier Masse
Honored Contributor

‎07-03-2005 03:31 PM

‎07-03-2005 03:31 PM

Re: Hardening question

1. Don't remember for untrusted, but for trusted mode you can use /usr/lbin/getprpw (see the man page). Someone at HP wrote a wrapper for it called deactivated.sh, it's in docid USECKBRC00008606 in the ITRC.

2. Under trusted mode from my understanding, you disable an account by putting a "*" in the u_pwd field in the trusted entry. You can also put an admin lock by locking it with modprpw -l, or passwd -l. Technically the result is the same, but an admin locked account can still be accessed with an SSH certificate (with HP-UX Secure Shell 4.0 and up) so totally disable an account, better use the two options.

3. Well the console itself is password protected, so that should be enough. Newer systems also let you create operator account that limit what can be done. Don't know the details though.

4. Put "-l" for INETD_ARGS in /etc/rc.config.d/netdaemons to enable it at boot. Then run /sbin/init.d/inetd stop and /sbin/init.d/inetd start to activate it.

5. I couldn't tell for core dumps. But for crash dumps you can exclude some parts of the OS in the dump. Maybe it's possible to at least exclude the sensitive data. See /etc/rc.config.d/crashconf and /etc/rc.config.d/savecrash. Running "crashconf -v" will give you a list of what's included in the crash dump. But be sure the dump remains analzable by HP if you exclude data.

Good luck


0 Kudos
Reply
Mark Nieuwboer
Esteemed Contributor

‎07-03-2005 08:24 PM

‎07-03-2005 08:24 PM

Re: Hardening question

Hi,

You also can use bastille.
This is a program from HP to harden your system.
Here is the link to download this product.
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA

grtz. mark
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.