
Hp-ux: which processes/services can be disabled ?

 
Augusto Vinhaes
Frequent Advisor


There are some HP-UX processes, such as sendmail, that represent a security problem. I’d like to know if there is a list of daemons and services that can be disabled to protect the system.
Regards,
Augusto Vinhaes
Augusto
Patrick Wallek
Honored Contributor

Re: Hp-ux: which processes/services can be disabled ?

It really depends on how you use the system.

If they are not in use then things like:

sendmail
SNMP
r* daemons
Any of the 'small services' (like daytime, time, echo, discard, chargen) SHOULD be disabled
telnet
ftp

You just have to look at your particular environment and see. There is not a one-size-fits-all solution.
Darrel Louis
Honored Contributor

Re: Hp-ux: which processes/services can be disabled ?

Augusto,

Attached you will find a list of services from the inetd.conf file.

It's not necessary to have the Sendmail daemon (-bd) running if you just want to send emails.
But there are always exceptions:
example:
- Mail API provided in Java
- Oracle utl_smtp

Have a look at HP-bastille:
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA

Good luck

Darrel
Bill Hassell
Honored Contributor

Re: Hp-ux: which processes/services can be disabled ?

There is no list of network services that you should disable except in /etc/inetd.conf. Put comments in front of every line and you will disable all network services including telnet and ftp. Now if you need these services, you'll have to re-enable them. The system administrator must know what services are needed and make sure they are enabled. Lacking that information, it is more secure to disable everything and then add back what you need.


Bill Hassell, sysadmin
rariasn
Honored Contributor

Re: Hp-ux: which processes/services can be disabled ?

Sample processes deconfigured in /etc/inetd.conf:

#bootps dgram udp wait root /usr/lbin/bootpd bootpd
#finger stream tcp nowait bin /usr/lbin/fingerd fingerd
#uucp stream tcp nowait root /usr/sbin/uucpd uucpd
#ntalk dgram udp wait root /usr/lbin/ntalkd ntalkd
#daytime stream tcp nowait root internal
#daytime dgram udp nowait root internal
#time stream tcp nowait root internal
#time dgram udp nowait root internal
#echo stream tcp nowait root internal
#echo dgram udp nowait root internal
#discard stream tcp nowait root internal
#discard dgram udp nowait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp nowait root internal
#rpc stream tcp nowait root /usr/sbin/rpc.rexd 100017 1 rpc.rexd
#rpc dgram udp wait root /usr/lib/netsvc/rstat/rpc.rstatd 100001 2-4 rpc.rstatd
#rpc dgram udp wait root /usr/lib/netsvc/rusers/rpc.rusersd 100002 1-2 rpc.rusersd
#rpc dgram udp wait root /usr/lib/netsvc/rwall/rpc.rwalld 100008 1 rpc.rwalld
#rpc dgram udp wait root /usr/sbin/rpc.rquotad 100011 1 rpc.rquotad
#rpc dgram udp wait root /usr/lib/netsvc/spray/rpc.sprayd 100012 1 rpc.sprayd
#ncpm-pm dgram udp wait root /opt/ncpm/bin/ncpmd ncpmd
#ncpm-hip dgram udp wait root /opt/ncpm/bin/hipd hipd
swat stream tcp nowait.400 root /opt/samba/bin/swat swat

rgs,

Modify /etc/inetd.conf, and

# inetd -c

rgs,

ran
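
The disable-everything-then-add-back approach described in the replies above, as an added example that is not part of any poster's reply: it comments out every active entry in a copy of an inetd.conf-format file except an explicit allowlist, then lists what is still enabled. The function names and the sample file are constructed for illustration; nothing here touches /etc/inetd.conf.

```shell
#!/bin/sh
# Added example: default-deny pass over an inetd.conf-format file.

# enabled_services FILE: print "service/proto" for each active (uncommented) entry.
enabled_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 "/" $3 }' "$1"
}

# harden_inetd FILE "svc1 svc2 ...": print FILE with every active entry
# commented out unless its service name (field 1) is in the allowlist.
harden_inetd() {
    awk -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { print; next }   # existing comments and blank lines
        ($1 in allow)         { print; next }   # explicitly needed service
                              { print "#" $0 }  # everything else is disabled
    ' "$1"
}

# Constructed sample: daytime, finger and swat lines follow the thread's listing;
# the telnet and ftp lines are assumed typical entries, not taken from the thread.
sample=${TMPDIR:-/tmp}/inetd.conf.sample.$$
trap 'rm -f "$sample" "$sample.new"' EXIT
cat > "$sample" <<'EOF'
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
ftp     stream tcp nowait root /usr/lbin/ftpd ftpd -l
#finger stream tcp nowait bin /usr/lbin/fingerd fingerd
daytime stream tcp nowait root internal
daytime dgram  udp nowait root internal
swat    stream tcp nowait.400 root /opt/samba/bin/swat swat
EOF

# Keep only ftp in this run; the allowlist is whatever the environment really needs.
harden_inetd "$sample" "ftp" > "$sample.new"
echo "still enabled after hardening:"
enabled_services "$sample.new"
```

The allowlist matches the first field only, so the rpc entries in the listing above are all-or-nothing under the name "rpc". After reviewing the generated file against the original, it would replace /etc/inetd.conf and be activated with inetd -c as noted above.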