Operating System - HP-UX

Re: HP-UX Security Guidelines

 
Brian M. Fisher
Honored Contributor

HP-UX Security Guidelines

I was wondering if HP has any standard documentation for making the base operating system more secure. Our security department is attempting to put together a UNIX security policy and would like to start with the manufacturers' recommendations.

IBM has a document entitled: Strengthening AIX Security: A System-Hardening Approach along with several other Redbooks

SUN has documents entitled Solaris Operating Environment Security & Solaris Operating Environment Network Settings for Security

These documents give specific recommendations for increasing security in the base OS.

The document HP-UX 11 Security at:
http://www.hp.com/products1/unix/operating/infolibrary/whitepapers/sec9906.pdf

only lists HP-UX security features, not specific instructions on how to implement them.


Thanks in advance,
Brian
<*(((>< er
Perception IS Reality
James R. Ferguson
Acclaimed Contributor

Re: HP-UX Security Guidelines

Hi Brian:

If you haven't seen this you might find it useful:

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

Regards!

...JRF...
Patrick Wallek
Honored Contributor

Re: HP-UX Security Guidelines

Also take a look at this document on building a Bastion Host.

http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000063104650

It is in the TKB as document ID USECKBAN00000800
Jeff Schussele
Honored Contributor

Re: HP-UX Security Guidelines

Hi Brian,

Totally concur with JRF.
Bastille is the way to go.
Not only will it point out the deficiencies & weak points, it can solve them as well.
And the real-time help & messages it gives are great.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Keith Buck
Respected Contributor

Re: HP-UX Security Guidelines

Brian,

HP-UX Bastille is the initial set of recommendations from HP. We felt that a tool was more useful than a whitepaper, as it can be applied consistently across many machines. However, looking at the points that you have assigned, it appears that you prefer papers with a lot of manual procedures. Care to share why? If it's really important, perhaps we could look into publishing the Bastille recommendations on paper.

(Note: the Bastion Host whitepaper was one of many sources used in compiling the content for HP-UX Bastille.)

-Keith, HP-UX Bastille developer :)
harry d brown jr
Honored Contributor

Re: HP-UX Security Guidelines


I replaced our Virtual Vault OS's (an HP product that was just too difficult to work with) with bastion hosts, hosts that had all unnecessary services shut off and sometimes removed. I used Kevin Steves' bastion host paper as a starting point: http://people.hp.se/stevesk/bastion.html. I also got Kevin's permission to use parts of his document in my project plans, with of course the proper acknowledgements and links to the original documents.

We even apply that same knowledge to our Sun servers.

live free or die
harry
Live Free or Die

Re: HP-UX Security Guidelines

Hi, Keith....

Hmmm... how about learning something more than just watching a tool do its job?

Is this a good reason why someone would prefer a whitepaper to a ready-to-run tool (like SATAN, etc., etc...)?

Greetings,

NikosK
Chris Wong
Trusted Contributor

Re: HP-UX Security Guidelines

Hi Brian,

I do have a book on HP-UX Security that covers the basics on the UNIX OS and HP specific features. You can see the book TOC at my web-site. I also have some book updates and other papers at my site.

http://newfdawg.com/SecBook.htm

- Chris
Brian M. Fisher
Honored Contributor

Re: HP-UX Security Guidelines

Thanks for all the responses. I will now attempt to reply.

James - The Bastille product looks like it can help securing my HP systems, but it doesn't aid in setting a starting point for my Security department to write a standard.

Patrick - The Bastion white paper is the best reference I have seen so far, but it still falls short compared to IBM & Sun papers.

Keith - Although the Bastille tool can be directly applied, it is not useful when writing a UNIX security standard. A white paper going into detail as to what is being changed and why would be a GREAT companion to the tool.

Chris - I already own HP-UX 11i security and it is a wonderful reference. I was just hoping for a summary white paper from HP.

Thanks again for the responses.

If you have any other suggestions, please let me know,
Brian
<*(((>< er
Perception IS Reality
Steven Sim Kok Leong
Honored Contributor

Re: HP-UX Security Guidelines

Hi,

Here's another suggestion for you.

Center for Information Security i.e. http://www.cisecurity.org has clear and detailed level 1 security guidelines for HP-UX 10.20, HP-UX 11.00 and HP-UX 11i.

Hope this helps. Regards.

Steven Sim Kok Leong
Keith Buck
Respected Contributor

Re: HP-UX Security Guidelines

Brian,

Thanks for clarifying. As long as we're on the topic, I'm wondering:

What would be missing from this 'whitepaper' that you need if I just put all of the Bastille explanatory text into pdf format? It already explains what it is doing and why. It makes recommendations and allows the user to choose whether or not to apply it. This could be used by your policy board to say "Apply this Bastille config to all your systems."

These explanations are in human-readable form. The Bastille code is also open source and relatively easy to follow if you're interested in the details of what is actually being done to the system. (I know, that statement doesn't go very far coming from a developer...but really, if you take an hour or so and just look at the modules in /opt/sec_mgmt/lib/bastille, it is pretty straightforward to find implementation for a given question/action.)

I'll also mention the CIS whitepapers. They overlap significantly with Bastille, but they are in 'paper' form rather than as a tool. And, they're available for Solaris, HP-UX, Linux, and maybe AIX soon.

Thanks.

-Keith