Removing compilers from an HPUX server

Luis Toro
Regular Advisor

Removing compilers from an HPUX server

I have been asked by audit to remove all compilers from my production HPUX servers (10.20 and 11.0). Not being a programmer, I was hoping to find out:
1- What compilers come with the HPUX OS?
2- Is there a "clean" way to remove them?
I see some servers have the ANSI C product, so I could swremove that, but I'm not sure about the default ones.

Thank you.
10 REPLIES
Ross Zubritski
Trusted Contributor

Re: Removing compilers from an HPUX server

cc is the vanilla compiler. Remove it.

Regards,

RZ

P.S. You may also want to do a "find" gcc.
Pete Randall
Outstanding Contributor
Solution

Re: Removing compilers from an HPUX server

Don't you need cc to build the kernel? Or am I just losing it (again)?

Pete
Ross Zubritski
Trusted Contributor

Re: Removing compilers from an HPUX server

Oh my, I may be the one losing it. Of course you need cc for kernel compilation. Regards Pete, remove 10 points.

RZ
Steven E. Protter
Exalted Contributor

Re: Removing compilers from an HPUX server

Your auditors have gone a little over the top.

Want to install Oracle on your production server? Guess what, it compiles itself.

Hundreds of other products follow the same model.

This is a bad idea that is best addressed by limited access to the compilers with appropriate permissions on the compilers themselves.

Let's say I have a little compiler called steve. It's installed in /usr/contrib/bin/steve

The steve compiler is dangerous if permissions were 777 on it.

If the permissions were 700 then root access is required to use the compiler. Surely if you are having a security audit such issues as limiting access to the root password are dealt with.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Jeff Schussele
Honored Contributor

Re: Removing compilers from an HPUX server

Good catch Pete....
I see you had your coffee this morning, eh?

Cheers,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Luis Toro
Regular Advisor

Re: Removing compilers from an HPUX server

Thanks.
Glad I asked. Ross, you get points since you technically answered my question ;^}
Ross Zubritski
Trusted Contributor

Re: Removing compilers from an HPUX server

Every dog has its day! ;)

RZ
Steven E. Protter
Exalted Contributor

Re: Removing compilers from an HPUX server

A little extra on doing better in a security audit.

Download, install and use these free products.

No points necessary, just adding a little help for you sir.

security_patch_check: Checks your system and makes sure it's up to date with security patches from HP
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA


Required Perl install

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL

Bastille: Security Hardening Tool

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

TCP Wrappers

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=TCPWRAP

Secure Shell: a replacement for rcp, ftp and telnet that encrypts passwords

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

IDS/9000 Intrusion Detection System which can track security breaches and attempted security breaches.

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA

Attached is Chris Vail's paper on how to set up passwordless services by exchanging public keys.

SEP
Luis Toro
Regular Advisor

Re: Removing compilers from an HPUX server

Thanks Steve.
Having been already beaten up 3 months ago by external auditors, I have already implemented ssh and patch_check. The latest smackdown is coming from our internal auditors. I am looking into "tiger", or a tiger-like freebie that I can run monthly to report on audit points (world-writeable files, setuid files, etc.). Any recommendations on that front would be appreciated.
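
A minimal POSIX sh sketch of the monthly report asked about above, which also flags compiler binaries that are executable by group or other (the permission-based restriction suggested earlier in the thread). This is an added example, not code from any poster and not part of tiger or Bastille. The `COMPILER_NAMES` list, the function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: permission audit of a directory tree.
# COMPILER_NAMES is an assumption; list the compilers installed on your hosts.
COMPILER_NAMES="cc c89 gcc g++ aCC"

# audit_tree ROOT -> one "TAG path" line per finding, sorted.
#   COMPILER_OPEN   compiler binary that group or other can execute
#   WORLD_WRITABLE  file, or non-sticky directory, writable by other
#   SETUID          regular file with the setuid bit set
audit_tree() {
    root=$1
    {
        for name in $COMPILER_NAMES; do
            find "$root" -type f -name "$name" \
                \( -perm -010 -o -perm -001 \) -print |
                sed 's/^/COMPILER_OPEN /'
        done
        find "$root" \( -type f -o \( -type d ! -perm -1000 \) \) \
            -perm -002 -print | sed 's/^/WORLD_WRITABLE /'
        find "$root" -type f -perm -4000 -print | sed 's/^/SETUID /'
    } 2>/dev/null | sort
}

# make_sample_tree DIR: constructed fixture for trying the audit,
# not real HP-UX paths.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/spool" "$1/tmp"
    for f in bin/cc bin/gcc bin/passwd_like bin/ls_like spool/data; do
        : > "$1/$f"
    done
    chmod 755  "$1/bin" "$1/bin/cc" "$1/bin/ls_like"  # cc open to everyone
    chmod 700  "$1/bin/gcc"           # owner only: not reported
    chmod 4755 "$1/bin/passwd_like"   # setuid
    chmod 666  "$1/spool/data"        # world-writable file
    chmod 777  "$1/spool"             # world-writable, no sticky bit
    chmod 1777 "$1/tmp"               # sticky directory: not reported
}

# Usage: sh audit.sh /some/dir
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

Saving each run's output and comparing it with the previous month's using `diff` shows only what changed between audits.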
Pete Randall
Outstanding Contributor

Re: Removing compilers from an HPUX server

Luis,

Check out Bastille, if you haven't already:

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

It's a pretty handy security screener that just might be what you need.


Pete