HPE Community
Operating System - HP-UX
1837418 Members
3415 Online
110116 Solutions
New Discussion

Re: HP-UX 11i on intanium minimun running processes/services

 
robert fowler_1
Advisor

‎04-08-2007 09:11 PM

‎04-08-2007 09:11 PM

HP-UX 11i on intanium minimun running processes/services

I have a system running every service you can think of in rcX.d I want to disable all services so that the system is back to a core minimum build that is secure. Does anyone have a list of what the minimum services are required to run hp-ux 11i v2 on intanium processor.

I would build a box myself but sadily I do not own one.

If one has a list of what these services are that would be great to but not my main aim

Thanks in advance
0 Kudos
Reply
6 REPLIES 6
Olivier Masse
Honored Contributor

‎04-09-2007 01:58 AM

‎04-09-2007 01:58 AM

Re: HP-UX 11i on intanium minimun running processes/services

When you install HP-UX with the SEC30DMZ install-time security, almost all useless services will be deactivated, with only SSH accessible remotely. But if you need a list, you can look into Bastille (which applies the SEC30DMZ level), it has a config file which details everything that it will turn off on a vanilla system.

Running IP Filter and limiting what ports your server listens to is also your best bet since it isolates you from a lot of possible remote exploits.

Besides that, there is the old Bastion guide for HP-UX 11.0 but a lot of "value-added" services have been added since then (SMH, WBEM, etc) so it's less relevant as it used to be: http://www.unixadm.net/hp/bastioning_hpux.11.html

You can also look at a doc I made here:
http://www.mayoxide.com/securing-hpux/phpwiki/ . But it is dated from 2004, unfinished and I have no plans to complete it.

0 Kudos
Reply
Emil Velez
Honored Contributor

‎04-09-2007 01:18 PM

‎04-09-2007 01:18 PM

Re: HP-UX 11i on intanium minimun running processes/services

The Bastille program when you run bastille will ask you what services you want to turn on or off.. The nice thing about bastille it allows you to create a config.. apply it and undo it in a single command. Once you have a configuration you can then ftp 1 file to another system and apply the same configuration this way all of your systems are setup consistently.
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎04-09-2007 01:31 PM

‎04-09-2007 01:31 PM

Re: HP-UX 11i on intanium minimun running processes/services

If you disable networking, most of those services will be disabled. Of course, most servers are useless without some networking, so start by turning off everything except sshd. No telnet, no ftp, no rexec, no rlogin, no rcp, etc. ssh gives all you need to communicate with the system securely. Bastille will do this and a bunch more security stuff.

But there is a LONG list of useless, almost impossible to determine the purpose of, extra stuff in /sbin/init.d. Unfortunately, there is no easy way to determine what function the obscure scripts are starting. Minimum services is undefinable, but there is a lot of junk that can be dumped. Use Google to search for the mystery features to see if you need these items.


Bill Hassell, sysadmin
0 Kudos
Reply
robert fowler_1
Advisor

‎04-20-2007 01:57 AM

‎04-20-2007 01:57 AM

Re: HP-UX 11i on intanium minimun running processes/services

Thanks for the help so far but I do not wish to use Bastille what I want to know is the minimun services that are installed on minimun build so i can advise a customer what the difference is with his system and what he should look at disabeling

thanks
0 Kudos
Reply
Tim Nelson
Honored Contributor

‎04-20-2007 02:03 AM

‎04-20-2007 02:03 AM

Re: HP-UX 11i on intanium minimun running processes/services

First run through the /etc/initd.conf

comment out what you do not wish to run.

Leave telnet
Leave ftp

If you want EMS to work then leave registrar.

A number of items there are self explanitory or there is a man page that desribes the service.

Next step.
run through the /etc/rc.log.

Services like sendmail may not be wanted.
Most other services can be disabled by stopping them and then modifying /etc/rc.config.d/xxx file.

And in the end. review ps -ef output then do your research on what processes are running.

You should be able to get things down to about 70 processes.

0 Kudos
Reply
Bill Hassell
Honored Contributor

‎04-20-2007 02:59 AM

‎04-20-2007 02:59 AM

Re: HP-UX 11i on intanium minimun running processes/services

You'll also want to step through all the unnecessary startup config files in /etc/rc.config.d to set their start option = 0.


Bill Hassell, sysadmin
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.