
secure system

 
yut
Advisor


all,

What files in HP-UX are needed to make a more secure system? How do I make /etc/default/security work if my system is not trusted, and how if my system is trusted? Can anyone give me an example of an /etc/default/security file? None of my servers running HP-UX have that file.

many thanks for all of your kindness!

regards,

-yut-
5 REPLIES 5
Geoff Wild
Honored Contributor

Re: secure system

How to tell if system is in trusted mode?

/usr/lbin/getprdef -r

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Geoff Wild
Honored Contributor

Re: secure system

Also, if you just want to lock down the system, have a look at bastille:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Joseph Loo
Honored Contributor

Re: secure system

hi,

refer to this:

http://docs.hp.com/en/B2355-60105/security.4.html

You may also like to look at hardening your system using bastille:

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA

regards.
what you do not see does not mean you should not believe
Bill Hassell
Honored Contributor

Re: secure system

The security file in /etc/defaults is never supplied--you must always create it yourself. NOTE: most of the parameters mentioned in the man page apply only to a Trusted system. I've attached a heavily commented security file that has virtually all the options mentioned. Unfortunately, there is no error checking or syntax checking. If the option you choose does not exist (for example, PASSWORD_HISTORY_DEPTH=5 is meaningless in a non-Trusted system) then the option is silently ignored. Thus the reason for all the comments in my sample file.

The majority of the options require a Trusted system. Also, many options are based on patches. If a system is missing some security patches, then some of the options will also be ignored. The man page for security (as it exists on a specific system) should match what that system has in terms of patches.

Note also that comments CANNOT be appended to an option (i.e., NOLOGIN=1 # stop user logins).


Bill Hassell, sysadmin
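
A small lint for the points in the post above (no syntax checking, unknown options silently ignored, no comments after an option), added here as an example and not part of any post in this thread. It assumes options are written as NAME=value with upper-case names; `lint_security`, `sample_security` and the allow-list argument are hypothetical names, and the allow-list should be filled in from `man security` on the system being checked.

```shell
#!/bin/sh
# Added example: flag lines in a security(4)-style defaults file that would be
# silently ignored. Assumes NAME=value syntax with upper-case option names.

lint_security() {
    # $1 = file to check ("-" reads stdin)
    # $2 = space-separated allow-list of option names this system supports
    #      (hypothetical input: build it from that system's own man page)
    awk -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*$/ || /^[ \t]*#/ { next }      # blank line or whole-line comment
        {
            eq = index($0, "=")
            if (eq < 2) { printf "%d: not NAME=value: %s\n", NR, $0; bad++; next }
            name  = substr($0, 1, eq - 1)
            value = substr($0, eq + 1)
            if (name !~ /^[A-Z][A-Z0-9_]*$/) {
                # catches "NOLOGIN =1", lower case, stray characters
                printf "%d: malformed option name \"%s\"\n", NR, name; bad++
            } else if (n > 0 && !(name in ok)) {
                # a typo or an option this system does not support
                printf "%d: %s is not in the allow-list\n", NR, name; bad++
            }
            if (value ~ /#/) {
                printf "%d: comment appended to an option: %s\n", NR, $0; bad++
            }
        }
        END { exit (bad > 0) }                 # non-zero status if anything was flagged
    ' "$1"
}

# Constructed sample input, not taken from a real system.
sample_security() {
cat <<'EOF'
# whole-line comments are fine
NOLOGIN=1 # stop user logins
PASSWORD_HISTORY_DEPTH=5
PASSWORD_HISTORY_DEPHT=5
NOLOGIN =1
EOF
}

# Demo: the allow-list holds only the two option names mentioned in the thread.
sample_security | lint_security - "NOLOGIN PASSWORD_HISTORY_DEPTH" \
    || echo "lines above need fixing"
```

Passing an empty allow-list skips the name check and reports only syntax problems.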
Rick Garland
Honored Contributor

Re: secure system

You can get options and examples for the /etc/default/security file by doing man security.

If you are able, read the man pages from a 11.23 version of HPUX as opposed to 11.0. A lot of the options will still work but the explanations are better in 11.23 man pages.
Some of the items discussed deal with passwd restrictions, login restrictions, the wheel group, etc...

Other ideas: set up /etc/securetty so root can log in only on the console, and Bastille.

To convert to a trusted system and not expire passwds:
/etc/tsconvert; /usr/lbin/modprpw -V


To go into trusted mode use the