
Re: HPUX O/S hardening

 
SOLVED
YLTan
Frequent Advisor

HPUX O/S hardening


I have recently been doing some O/S hardening on HPUX, and I have some questions:

1. How does having 'mesg n' provide greater security?

2. How does having global privileges such as
echo -n > /etc/privgroup with permission 400, if my global priv is chown, provide greater security?

3. How does disabling finger, echo, and chargen provide greater security?
tyl
7 REPLIES
John Poff
Honored Contributor

Re: HPUX O/S hardening

Hi,

I'm not an expert, but here is my take on your questions:

1. Turning off the mesg service probably helps prevent a denial of service attack, as well as preventing any possible bugs in the program that might cause trouble [the old buffer overflow problem].

2. If I understand your question, you are asking why the /etc/privgroup can have just 400 permissions when you still have global chown privileges? The /etc/privgroup file is read by the setprivgroup command, and also the file should be owned by root, which means that even if you have chown privileges you should not be able to change the permissions on the file.

3. Those services usually aren't needed, and can possibly be exploited for denial of service, bugs, or for getting information about the system and user accounts.

JP
Michael Tully
Honored Contributor

Re: HPUX O/S hardening

In addition to John's comments, you can also install HPUX Bastille that will assist you. You can get it from here:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

'chown/chmod/chgrp' should be allowed globally anyway. You still won't be able to change a file from 'root' or anyone else.

Anyone for a Mutiny ?
Patrick Wallek
Honored Contributor

Re: HPUX O/S hardening

You might also want to take a look at the document "Building a Bastion Host Using HP-UX 11" available from the TKB. The document is available from the ITRC TKB. The doc id is USECKBAN00000800 and the URL is: http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000066258828
S.K. Chan
Honored Contributor
Solution

Re: HPUX O/S hardening

If you turn mesg off, you're basically saying you do not want to accept any broadcast message that is sent to your console or shell for that matter, hence making it difficult for hackers to write to a user's terminal. As for the services like finger, echo and chargen, they can be used for a DOS attack. Typically they are not needed and you can disable them in /etc/inetd.conf, especially the UDP ones.
kuksaa_1
New Member

Re: HPUX O/S hardening

You probably know this useful link: Building a Bastion Host Using HP-UX 11, by Kevin Steves.

http://people.hp.se/stevesk/bastion11.html

Thanks, Andrey
Thanks...
Keith Buck
Respected Contributor

Re: HPUX O/S hardening

1. S.K. Chan explained mesg n. I won't repeat.

2. On some Unixes, chown can only be run by root. /etc/privgroup gives you the ability to have that behavior on HP-UX (as well as a few other privileges). By default, any user has the ability to chown to another user.
This is convenient in some environments, but in a high threat environment, limiting any privilege to the least necessary can be helpful.

3. Bastille 2.1 explains these services and some reasons for turning them off. Basically, any service that listens on the network increases your risk of having a future vulnerability which affects your system. Also, finger can be used as part of the "information gathering phase" of an attack.
Bill Hassell
Honored Contributor

Re: HPUX O/S hardening

Hardening Unix does require an extensive knowledge of all the services that it can provide and turning off any that are not needed. This is not a trivial task. There are a LOT more services besides chargen, finger, echo, etc. that should be disabled. Basically, you want nothing to respond unless it is a required service.

But when you ask the question about security, there are dozens of other areas such as cleartext passwords over the network (ie, telnet), security patch management, plaintext data exchange (ftp) and so on that need to be addressed.

As mentioned, download a copy of Bastille and the security patch checker from software.hp.com and also look at the IDS/9000 (Intruder Detection System), Secure Shell (OpenSSH) and perhaps TCPwrappers, also available from software.hp.com (and don't forget to buy the book: HP-UX 11i Security by Chris Wong).


Bill Hassell, sysadmin
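
The inetd.conf check that several replies describe, as an added example that is not part of the original thread: it lists enabled finger, echo and chargen entries (with their protocol, so the UDP ones stand out) in an inetd.conf-style file and prints a copy with them commented out. The function names, the SERVICES list and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. SERVICES and the sample are assumptions.
SERVICES="finger echo chargen"

# Print "service protocol" for each enabled (uncommented) entry in file $1
# whose service name is listed in $SERVICES.
audit_inetd() {
    awk -v list="$SERVICES" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }   # skip comments and malformed lines
        ($1 in want) { print $1, $3 }   # field 3 is the protocol (tcp/udp)
    ' "$1"
}

# Write a copy of file $1 to stdout with those entries commented out.
# The original file is never modified.
harden_inetd() {
    awk -v list="$SERVICES" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
        !/^[ \t]*#/ && NF >= 6 && ($1 in want) { print "#" $0; next }
        { print }
    ' "$1"
}

# Constructed sample input (not taken from a real system).
make_sample() {
    cat <<'EOF'
# sample inetd.conf
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
finger  stream tcp nowait bin  /usr/lbin/fingerd fingerd
echo    stream tcp nowait root internal
echo    dgram  udp nowait root internal
#chargen stream tcp nowait root internal
chargen dgram  udp nowait root internal
EOF
}

# With a path argument, audit that file; otherwise run on the sample.
if [ $# -gt 0 ]; then
    audit_inetd "$1"
else
    tmp=$(mktemp) && make_sample > "$tmp"
    audit_inetd "$tmp"
    harden_inetd "$tmp"
    rm -f "$tmp"
fi
```

Review the hardened copy before replacing /etc/inetd.conf, then have inetd reread its configuration (on HP-UX, `inetd -c`).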