Haralambos
Advisor

Identify External devices on Itanium servers

Our security policy states that no external devices are allowed to be connected to HP-UX (Itanium) servers. Such devices include, but are not limited to, USBs, CDROMs, external SCSI drives, etc.

The question though is how to verify this programmatically.

At first I thought that it can be done based on the file system type that a device has, but this will not actually work as I can have, for example, HFS on a USB stick.

Any ideas?

Regards, haralambos
Patrick Wallek
Honored Contributor
Solution

Re: Identify External devices on Itanium servers

You would have to know what the SCSI addresses are for any potential connection points for external devices. The address I am talking about is the address that can look like '0/0/1.1.0' in the output of 'ioscan -fn'.

The key to this is going to be doing an 'ioscan -fn', or for better performance 'ioscan -kfn' (the -k looks at the kernel and doesn't actually scan all I/O buses), when the system is in its live production state.

You should take the output of that ioscan and store it somewhere. Then you could occasionally run another ioscan and compare the output of it to the output of the original ioscan. If there are any discrepancies / changes, then you should be notified.

If something is intentionally attached to the machine, new disks, net LAN card, etc., then you would need to update your production ioscan that you compare against.

This could all be done pretty easily via a shell script.
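
A sketch of the baseline-and-compare script described in the reply above, added here as an example and not posted by anyone in the thread. The baseline path, the function names and the sample scan lines are assumptions; the comparison is keyed on the H/W Path column of `ioscan -kfn`.

```shell
#!/bin/sh
# Added example (not from the thread): compare a stored `ioscan -kfn` baseline
# with a fresh scan, keyed on the H/W Path column.
BASELINE=${BASELINE:-/var/adm/ioscan.baseline}   # assumed location, root-only

# ioscan_diff BASE CURRENT: print "+ path class" for hardware paths that are
# new in CURRENT and "- path class" for paths that vanished. The header, the
# "====" rule and the indented device-file lines are ignored.
ioscan_diff() {
    LC_ALL=C awk '
        /^[ \t]/ || /^=/ || $1 == "Class" || NF < 3 { next }
        side == "base" { base[$3] = $1; next }
        { cur[$3] = $1; if (!($3 in base)) print "+ " $3, $1 }
        END { for (p in base) if (!(p in cur)) print "- " p, base[p] }
    ' side=base "$1" side=cur "$2" | LC_ALL=C sort
}

# Constructed sample scans (not real output): the second one gains a device.
demo() {
    d=${TMPDIR:-/tmp}/ioscan_demo.$$
    mkdir "$d" || return 1          # mkdir fails if the name already exists
    cat > "$d/base" <<'EOF'
Class     I  H/W Path     Driver  S/W State  H/W Type   Description
====================================================================
ext_bus   0  0/0/1        c8xx    CLAIMED    INTERFACE  (constructed) SCSI bus
disk      0  0/0/1.1.0    sdisk   CLAIMED    DEVICE     (constructed) boot disk
                         /dev/dsk/c0t1d0   /dev/rdsk/c0t1d0
EOF
    { cat "$d/base"
      echo 'disk      5  0/0/2/1.1.0  sdisk   CLAIMED    DEVICE     (constructed) USB stick'
      echo '                         /dev/dsk/c5t1d0   /dev/rdsk/c5t1d0'
    } > "$d/cur"
    ioscan_diff "$d/base" "$d/cur"
    rm -rf "$d"
}

# On HP-UX only: the first run records the baseline, later runs log any drift.
if command -v ioscan >/dev/null 2>&1; then
    if [ -f "$BASELINE" ]; then
        drift=$(ioscan -kfn | ioscan_diff "$BASELINE" -)
        [ -z "$drift" ] || echo "$drift" | logger -p auth.warning -t ioscan-drift
    else
        (umask 077; ioscan -kfn > "$BASELINE")
    fi
fi
```

After an approved hardware change, delete the baseline file so the next run records a new one.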
rick jones
Honored Contributor

Re: Identify External devices on Itanium servers

That is an interesting policy - does the policy also limit the people who have physical access to the system? If not, unless you were scanning very often, you would quite likely miss a quick connection of an external peripheral to the system.

If physical access to the system is limited to "trusted" individuals, then the main value of the scanning would be to help keep them honest, but it would still have the same limitations.

Of course, if you still allow the system to be connected to a network... :)
there is no rest for the wicked yet the virtuous have no pillows
Haralambos
Advisor

Re: Identify External devices on Itanium servers

Physical access is indeed limited and controlled.

Anyway, the ioscan suggestion will get us closer to our goal even though, as Rick said, it will only provide to me a system snapshot during the script's run.

Thanks

Haralambos
Advisor

Re: Identify External devices on Itanium servers

The proposed solution will work for the moment during which the script runs.

But, a complete/real time solution might be hard to achieve.

regards