
Re: HP-UX security hardening

 
AL_3001
Regular Advisor

HP-UX security hardening

Hello,

We are looking to extend our security related events including the ones which are already implemented. The implemented ones are umask, password guidelines, insecure shells, legal banner, world writable files etc.

We would like to extend these further, like disabling finger command and other services or other things to harden the system. Kindly advise your recommendations.

Thanks.

Rgds,
AL
Dennis Handly
Acclaimed Contributor

Re: HP-UX security hardening

Have you looked at bastille?
http://www.hp.com/go/bastille
AL_3001
Regular Advisor

Re: HP-UX security hardening

Hi Dennis,

Thanks for the link. I am aware of that, but need a few suggestions from the gurus :-)
Steven E. Protter
Exalted Contributor
Solution

Re: HP-UX security hardening

Shalom Al,

Bastille is the single best suggestion a guru can make.

It does an interactive survey and scans the system for many common problems.

http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA

Bastille requires perl5.

There are a couple of other good tools, such as TCP wrappers. Internet Express from the same site includes a number of useful scanning tools such as nessus.

http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1123

http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1131

Host Intrusion Detection System
http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS

http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=TCPWRAP

Now these are the tools.

Here is the sage advice you seek.

Use the tools, run as few services as possible on your system. Every service opens up a port and creates vulnerabilities.

You will find a Bastille survey closes a lot of holes and improves performance.

Keep current on patches and secure shell:
http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

Run security_patch_check. The result of this survey is a list of patches not included in bi-annual quality/gold packs that are required to maintain your service contract with HP.

Drop all services that are based on inetd.conf and replace them with secure alternatives: remsh with ssh, ftp with sftp. Almost all inetd.conf services use clear text authentication, which means that any user can see the password pass back and forth on the network.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
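
An audit of the inetd.conf advice in the post above, as an added example that is not part of the original thread. The function names, the CLEARTEXT/REVIEW labels and the sample file content are constructed for illustration; the clear-text list covers telnet, ftp, rlogin (login), remsh (shell) and rexec (exec).

```shell
#!/bin/sh
# Added example (not from the thread): list what an inetd.conf still enables
# and flag the services that authenticate in clear text.

# Constructed sample in inetd.conf layout:
# service  socket  proto  wait/nowait  user  server  args
sample_inetd_conf() {
cat <<'EOF'
# constructed sample, not from a real host
ftp      stream tcp nowait root /usr/lbin/ftpd    ftpd -l
#telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
shell    stream tcp nowait root /usr/lbin/remshd  remshd
daytime  stream tcp nowait root internal
EOF
}

# audit_inetd FILE ("-" reads stdin).
# Prints "<service>/<proto> <CLEARTEXT|REVIEW> <server>" for every enabled
# entry; returns non-zero if a clear-text service is still enabled.
audit_inetd() {
    awk '
    BEGIN {
        # telnet, ftp, rlogin (login), remsh (shell), rexec (exec)
        n = split("telnet ftp login shell exec", c, " ")
        for (i = 1; i <= n; i++) cleartext[c[i]] = 1
    }
    /^[ \t]*#/ { next }               # commented out = disabled
    NF >= 6 {
        tag = ($1 in cleartext) ? "CLEARTEXT" : "REVIEW"
        if (tag == "CLEARTEXT") bad++
        print $1 "/" $3, tag, $6
    }
    END { exit (bad > 0) }' "${1:-/etc/inetd.conf}"
}

# Demo on the constructed sample.
sample_inetd_conf | audit_inetd - || :
```

Entries marked REVIEW are enabled but not on the clear-text list; each still needs a decision on whether the host requires it.
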
Steven E. Protter
Exalted Contributor

Re: HP-UX security hardening

You should leave this thread open longer. There are hundreds of good suggestions you have not heard. Or search ITRC forums.

SEP
AL_3001
Regular Advisor

Re: HP-UX security hardening

Hey Steve,

Here we go, re-opened the thread.
Bob E Campbell
Honored Contributor

Re: HP-UX security hardening

Drop the reference to security_patch_check. That was officially obsoleted on 11/1/2008 and will have the data feed shut off at an unspecified future date.

The replacement is Software Assistant (SWA) available at https://www.hp.com/go/swa
Fred K. Abell Jr._1
Regular Advisor

Re: HP-UX security hardening

Greetings:

All of the above are good. You can visit the Center for Internet Security for some good suggestions http://www.cisecurity.org/. There is an HP-UX specific file.

You may consider adding:

ipfilter - a 'SWEET' host based firewall. It requires a good rule set

syslog-ng - to log to a logging server

additional entries to /etc/rc.config.d/nddconf such as:
ip_respond_to_timestamp
ip_respond_to_timestamp_broadcast
ip_respond_to_address_mask_broadcast
You could change their value to 0 so as not to give up information to someone scanning.

removing unnecessary programs that aid hackers if they do break in, such as tftp, gcc, make, flex, and bison. Don't make it easy to download and/or install a rootkit

lsof to look at which ports are open

create a cd with binaries that are known to be good in case you get a rootkit. Some suggestions for the cd to name a few:
ps lsof chkconfig find arp netstat ls crontab

Some type of intrusion detection, tripwire or AIDE

NTP so all the time entries in the logging files match

You could go to the SANS.org website and download a paper on securing HP-UX

Hope this helps.

Fred
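
An audit of the nddconf entries suggested in the post above, as an added example that is not part of the original thread. It assumes the usual TRANSPORT_NAME[n] / NDD_NAME[n] / NDD_VALUE[n] layout of /etc/rc.config.d/nddconf; the function names and the sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an nddconf-style file for the
# three ICMP-response tunables listed in the post above.

# Constructed sample: one tunable set to 0, one left at 1, one absent.
sample_nddconf() {
cat <<'EOF'
# constructed sample, not from a real host
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_respond_to_timestamp
NDD_VALUE[0]=0
TRANSPORT_NAME[1]=ip
NDD_NAME[1]=ip_respond_to_timestamp_broadcast
NDD_VALUE[1]=1   # still answers broadcast timestamp requests
EOF
}

# audit_nddconf FILE ("-" reads stdin).
# Prints "<tunable>: OK | WRONG=<value> | MISSING" and returns non-zero
# unless all three tunables are present and set to 0.
audit_nddconf() {
    awk '
    function idx_of(s) { sub(/^[^[]*\[/, "", s); sub(/\].*$/, "", s); return s }
    function val_of(s) { sub(/^[^=]*=/, "", s); gsub(/[" \t]/, "", s); return s }
    {
        sub(/[ \t]*#.*$/, "")                       # drop comments
        if ($0 ~ /^[ \t]*NDD_NAME\[[0-9]+\]=/)  name[idx_of($0)]  = val_of($0)
        if ($0 ~ /^[ \t]*NDD_VALUE\[[0-9]+\]=/) value[idx_of($0)] = val_of($0)
    }
    END {
        list = "ip_respond_to_timestamp ip_respond_to_timestamp_broadcast"
        n = split(list " ip_respond_to_address_mask_broadcast", want, " ")
        for (i = 1; i <= n; i++) {
            state = "MISSING"
            for (k in name) if (name[k] == want[i])
                state = (value[k] == "0") ? "OK" : ("WRONG=" value[k])
            if (state != "OK") bad++
            print want[i] ": " state
        }
        exit (bad > 0)
    }' "${1:-/etc/rc.config.d/nddconf}"
}

# Demo on the constructed sample.
sample_nddconf | audit_nddconf - || :
```

The file only describes what is applied at boot; on a live system `ndd -get /dev/ip ip_respond_to_timestamp` shows the value currently in effect.
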
Fred K. Abell Jr._1
Regular Advisor

Re: HP-UX security hardening

Oh, and another thing, download and install the strong random number generator from http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRNG11I

Real Important!

Fred
F Verschuren
Esteemed Contributor

Re: HP-UX security hardening

Implement your systems as described, and describe your implementation.
During the creation of the description of the implementation (every 6 months) you will find new stuff that you can implement…


Ssh:
Set up ssh so that a user cannot use an empty passphrase.
If you use passwords, make sure all users need to change them every ~60-90 days.
Make sure it is not an easily guessable passwd.

Make sure that all login connections prompt a banner phrase.
Make sure that there is nothing configured in /etc/inetd.conf (except what you need)
Remove all stuff that you do not use (for example Netscape)
Make sure that you are up to date for all products on the server (almost all old products have a discovered bug, new products have only hidden bugs ;) )
Make sure that a nessus (or another port scan tool) finds any of the sans bugs
Make sure that a system inventory tool (like ESM) and make the systems green!!
no world writable dirs, files
no executables (in the root path) where root, bin or lp are not the owner
no group/world writable executables (or etc) in the start-up files, or cron jobs

Etc, etc,
Sorry I am not allowed to share my (ao) baseline policy...
Kenan Erdey
Honored Contributor

Re: HP-UX security hardening

Hi,

You should decide what to secure, because your applications and your working environment may differ from others. You can use Bastille, but you may run into problems.

What we did is that we took procedures from

https://community.cisecurity.org/download/

and some security sites and prepared a security procedure for our company.

Kenan.
Computers have lots of memory but no imagination
Gordon Crone
Frequent Advisor

Re: HP-UX security hardening

How about lobbying HP to increase the max password length? They want to obsolete trusted mode that allowed passwords > 8 characters, but have not enhanced the 'standard' mode to have more than 8. Just when we had users used to 9,10,11 etc characters they take it away.....
Dennis Handly
Acclaimed Contributor

Re: HP-UX security hardening

>How about lobbying HP to increase the max password length?

I assume this is already there with shadow passwords.
Fred K. Abell Jr._1
Regular Advisor

Re: HP-UX security hardening

Longer passwords are available if you convert to a 'Trusted System' (TS), but doing so provides other issues. CIS suggests converting to TS to utilize accounting, but that eats up resources.
Gordon Crone
Frequent Advisor

Re: HP-UX security hardening

Dennis:
"I assume this is already there with shadow passwords."

That isn't the case in my testing with shadow passwords - You can create a password of many characters but only the first 8 are significant.

"WARNINGS HP-UX 11i Version 3 is the last release to support trusted systems functionality."

Come on HP, fix the password length for non-trusted!!!
Fred K. Abell Jr._1
Regular Advisor

Re: HP-UX security hardening

My Final suggestions:

Much of what is done depends on how the system is going to be used. A workstation doing scientific calculations would be configured differently than a DNS server in the DMZ.

Start with a clean install, no point securing a system that may already be compromised.

Do not connect to the internet until the system is hardened.

From another machine download and put on tape to transfer to machine being hardened:
TCP Wrappers, Secure Shell, OpenSSL, MD5Checksum, Strong Random Number Generator, Bastille, IPFilter, and Software Assistant. Check the hashes of the files on the machine to which the files were downloaded. Some of these files are already included in the standard load, but the most up-to-date should be used.

Install the files mentioned above. Using MD5Checksum, check the hashes of the files to make sure they are correct. You can also use OpenSSL to do the check.

Run Bastille. Leave on only what is needed. If it is unknown if a service is needed, turn it off and see if it breaks. You may not want Bastille to create an IPFilter configuration file. Make sure the ToDo list is done.

Apply the CIS benchmarks. Between Bastille and CIS, all of the low-hanging fruit will be removed.

Go through the /etc/rc.config.d/ directory and see if anything is still turned on that isn't needed. Again, if it is unknown if a service is needed, turn it off and see if it breaks.

Configure the /etc/hosts.allow and /etc/hosts.deny files. Put all services allowed in the allow file, and default deny in the deny file ALL:ALL:DENY.

Configure your IPFilter configuration file (Advanced).

Connect to the internet and patch unless patching can be done before connecting (Problems connecting, IPFilter may not be configured correctly).

Do not install unneeded programs. A DNS server does not need a gcc compiler. If a compiler was needed to install a service, remove the files after the service is working correctly.

Scan system for vulnerabilities. You may have to make a rule set in IPFilter to allow the scanning machine to pass.

These steps are in no way complete, but they are a good start against external threats.

Fred
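
A check for the hosts.allow / hosts.deny step in the post above, as an added example that is not part of the original thread. The function names, the "[ANY HOST]" marker and the sample rules are constructed for illustration; it assumes rules without IPv6 literals or backslash continuations.

```shell
#!/bin/sh
# Added example (not from the thread): check TCP Wrappers files for a working
# default deny. Both functions read the file on stdin.

# Constructed samples. The deny line is the one quoted in the post above.
sample_deny()  { printf '%s\n' '# constructed sample' 'ALL:ALL:DENY'; }
sample_allow() {
cat <<'EOF'
# constructed sample, documentation-range addresses
sshd: 192.0.2.0/255.255.255.0, 198.51.100.7
ftpd: ALL
EOF
}

# Succeeds only if some rule has daemon list ALL and client list ALL.
check_default_deny() {
    awk -F: '
    /^[ \t]*#/ { next }
    {
        d = $1; c = $2
        gsub(/[ \t]/, "", d); gsub(/[ \t]/, "", c)
        if (d == "ALL" && c == "ALL") found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# hosts.allow is consulted first and a match grants access, so a client list
# containing ALL bypasses the default deny. Prints each rule, marks those,
# and returns non-zero if any exist.
check_allow_rules() {
    awk -F: '
    /^[ \t]*#/ || NF < 2 { next }
    {
        d = $1; c = $2
        gsub(/^[ \t]+|[ \t]+$/, "", d); gsub(/^[ \t]+|[ \t]+$/, "", c)
        n = split(c, tok, /[ \t,]+/); wide = 0
        for (i = 1; i <= n; i++) if (tok[i] == "ALL") wide = 1
        if (wide) bad++
        mark = wide ? "  [ANY HOST]" : ""
        print d " <- " c mark
    }
    END { exit (bad > 0) }'
}

# Demo on the constructed samples.
sample_deny  | check_default_deny && echo "hosts.deny: default deny present"
sample_allow | check_allow_rules  || echo "hosts.allow: rule open to any host"
```
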
VK2COT
Honored Contributor

Re: HP-UX security hardening

Hello,

Like all of you, I had problems finding good information on this topic.

So, I sat down and wrote a script to check all the important issues I could find in literature or through experience. The end result is my script:

http://www.circlingcycle.com.au/Unix-sources/HP-UX-check-OAT.pl.txt

I keep on adding new tests, so it is a work in progress.

As a side note, HP-UX 11.31 will have maximum password length increased from 8 to 255 characters. Also, for the longer passwords it will use SHA512-based password hashing (more secure than older DES-based hashing). The patch will be released in the not-so-distant future and will become part of the O/S too.

I know of a government agency which is eagerly awaiting this feature. That is the only reason why they are not migrating from Trusted Mode to Shadow Mode yet.

Cheers,

VK2COT
VK2COT - Dusan Baljevic
AL_3001
Regular Advisor

Re: HP-UX security hardening

Thanks to all