12-22-2003 01:12 PM
Security Audit HPUX 11.x
As well as other files that may contain commands that were issued on the system such as the .sh_history file
Any help is much appreciated,
Mark
12-22-2003 03:20 PM
Re: Security Audit HPUX 11.x
I think you should go through this document,
http://www.hp.com/products1/unix/operating/infolibrary/whitepapers/hpux11isecuritywp.pdf
and
http://www.hp.com/products1/unix/operating/infolibrary/whitepapers/building_a_bastion_host.pdf
They will give you an idea which fields and topics you should concentrate on, like file permissions, security patches (security_patch_check utility), umask and files with no owners, etc.
The 2nd one is a good document; I recommend you go through it. It nicely explains how to go ahead.
Cheers
Rajeev
12-22-2003 03:30 PM
Re: Security Audit HPUX 11.x
Bastille
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA
It also includes security_patch_check, which in addition to checking for needed security patches also runs a scan for world writable directories.
There is a required perl install that is needed with that.
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=PERL
Beyond that, Tripwire is a good tool to use to spot changes in configuration files.
All security audits are different. It depends how much you pay the consultant and how badly they want to make you look and how much long term income prospect there is. Cynical but true to a degree.
In my opinion, the tougher the better.
Things they look at:
World Writable directories
binaries with suid set (lets the user be root); passwd has to have that because it modifies /etc/passwd
back doors: copy of /sbin/sh in a user directory, letting the user become root.
unpatched software such as BIND, sendmail, apache
And lots more.
If you have time you might want to arrange the pre-audit audit. Pay someone to do a friendly look to get you ready.
I do that for friends, see my profile. It only takes an hour or so.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
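A read-only sweep for the first three items in the list above (setuid/setgid files, world-writable directories, stray copies of the shell), as an added example that is not part of the original post. The function name `audit_tree` and the output labels are made up here; the reference shell defaults to /sbin/sh as named in the post, and world-writable directories are reported only when they lack the sticky bit.

```shell
#!/bin/sh
# Added example (not from the thread). audit_tree and its labels are hypothetical.
# Usage: audit_tree DIR [REFERENCE_SHELL]
audit_tree() {
    dir=$1
    ref=${2:-/sbin/sh}    # shell binary named in the post; override on other systems

    # Regular files with the setuid or setgid bit set.
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        sed 's/^/SUID_SGID /'

    # World-writable directories lacking the sticky bit (any user can delete
    # or replace other users' files there).
    find "$dir" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null |
        sed 's/^/WORLD_WRITABLE_DIR /'

    # Files byte-identical to the reference shell, whatever they are named.
    if [ -f "$ref" ]; then
        find "$dir" -xdev -type f -print 2>/dev/null |
        while IFS= read -r f; do
            if cmp -s "$f" "$ref"; then
                echo "SHELL_COPY $f"
            fi
        done
    fi
    return 0
}

# Run only when a directory is given, e.g.:  sh audit_tree.sh /home
if [ $# -gt 0 ]; then
    audit_tree "$@"
fi
```

A file reported as both SUID_SGID and SHELL_COPY is the back door described in the post; each SUID_SGID hit still has to be compared by hand against what the vendor ships.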
12-23-2003 08:24 AM
Re: Security Audit HPUX 11.x
Thanks, Mark
12-24-2003 01:02 AM
Re: Security Audit HPUX 11.x
Your first link to the Security White Paper didn't work for me. It gave an error. I'd like to get it.
Michael
12-24-2003 01:19 AM
Re: Security Audit HPUX 11.x
Files to check: all files with setuid bits, /etc/passwd (for users with uid 0, for instance), etc.
One thing sometimes forgotten: mount all filesystems with nosuid except /usr and perhaps /opt. It prevents illegal use of setuid bits.
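One way to check the nosuid advice above against an fstab-format file, as an added example that is not part of the original post. `check_nosuid` and `sample_fstab` are hypothetical names, the sample entries are constructed, and the exempt list defaults to the /usr and /opt exceptions the post names.

```shell
#!/bin/sh
# Added example (not from the thread). check_nosuid is a hypothetical helper.
# Usage: check_nosuid [FSTAB] [EXEMPT_MOUNT_POINTS]
# Expects fstab-format lines: device, mount point, type, options, ...
check_nosuid() {
    awk -v exempt="${2:-/usr /opt}" '
        BEGIN { n = split(exempt, e, " "); for (i = 1; i <= n; i++) skip[e[i]] = 1 }
        NF < 4 || $1 ~ /^#/            { next }  # blank, short or comment lines
        $3 == "swap" || $3 == "ignore" { next }  # not mounted as file systems
        $2 in skip                     { next }  # exceptions named in the post
        {
            found = 0
            m = split($4, opt, ",")
            for (i = 1; i <= m; i++) if (opt[i] == "nosuid") found = 1
            if (!found) print "MISSING_NOSUID " $2 " type=" $3 " options=" $4
        }
    ' "${1:--}"
}

# Constructed sample in /etc/fstab layout; device names are made up.
sample_fstab() {
    cat <<'EOF'
# device         mount  type options          backup pass
/dev/vg00/lvol3  /      vxfs delaylog         0 1
/dev/vg00/lvol1  /stand hfs  defaults         0 1
/dev/vg00/lvol4  /tmp   vxfs delaylog,nosuid  0 2
/dev/vg00/lvol5  /home  vxfs delaylog         0 2
/dev/vg00/lvol6  /opt   vxfs delaylog         0 2
/dev/vg00/lvol7  /usr   vxfs delaylog         0 2
/dev/vg00/lvol8  /var   vxfs nosuid,delaylog  0 2
EOF
}

sample_fstab | check_nosuid
```

Pass a second argument to widen the exempt list for mount points that must keep working setuid programs, for example `check_nosuid /etc/fstab "/ /usr /opt"`.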
12-24-2003 01:28 AM
Re: Security Audit HPUX 11.x
I checked Rajeev's link
http://www.hp.com/products1/unix/operating/infolibrary/whitepapers/hpux11isecuritywp.pdf
It appears to be working fine. Can you try again, maybe check your proxy settings? What error are you receiving?
The white paper says additional information is available on the documentation site, as well. "The focus of this document will be the security programs directly related to the core HP-UX operating system. The network security features of the HP-UX platform are covered in detail within the Network Security Features of HP-UX 11i white paper, available from http://docs.hp.com/hpux/internet/index.html "
12-24-2003 01:41 AM
Re: Security Audit HPUX 11.x
Internet Explorer cannot download hpux11isecuritywp.pdf from www.hp.com
Internet Explorer was not able open this Internet site. The requested site is either unavailable or cannot be found. Please try again later.
If you could just attach it to your reply. Not sure what the deal is there. I can get to everything else and other pdfs but not that one. Weird.
Thanks
Michael
12-24-2003 02:05 AM
Re: Security Audit HPUX 11.x
http://www.sans.org/rr/papers/index.php?id=325
If you want a quick and dirty listing of files to check, here would be my list (of course there are more, but I would start with these):
/etc/passwd
/etc/group
/etc/inetd.conf
/etc/services
/var/adm/cron/cron.allow and at.allow
Also do "crontab -e" to check what jobs/scripts are running under cron.
You can also install Tripwire to automatically check all these files for any alterations made to them. IDS/9000 can also perform that.
Check the following log files:
/var/adm/syslog/syslog.log
/var/sam/log/*
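A minimal change check over the files listed in the post above, as an added example that is not part of the original post and is not Tripwire. The function names are hypothetical; it uses cksum, which is a CRC and not a cryptographic hash, so it catches routine edits but not a deliberately crafted collision, and the baseline file has to be kept off the audited host.

```shell
#!/bin/sh
# Added example (not from the thread, and not Tripwire). Names are hypothetical.

# baseline_make FILE... : print one "crc size path" line per readable file.
baseline_make() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            echo "$(cksum < "$f") $f"
        else
            echo "UNREADABLE $f" >&2
        fi
    done
}

# baseline_check BASELINE : report changed or vanished files; returns 1 if any.
baseline_check() {
    rc=0
    while read -r crc size path; do
        if [ ! -r "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(cksum < "$path")" != "$crc $size" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# Files from the list in the post above.
AUDIT_FILES="/etc/passwd /etc/group /etc/inetd.conf /etc/services
/var/adm/cron/cron.allow /var/adm/cron/at.allow"

# Usage: sh baseline.sh make > baseline.txt     (store the result off-host)
#        sh baseline.sh check baseline.txt
case "$1" in
    make)  baseline_make $AUDIT_FILES ;;
    check) baseline_check "$2" ;;
esac
```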
12-24-2003 02:31 AM
Re: Security Audit HPUX 11.x
> I need to research internal actions by co-workers. Any file that contains communication information such as telnet, ftp etc. As well as any commands run by root.
Sounds like your system is having problems due to too many root users or inexperienced users. It's not going to be a simple task but here are the top level pieces:
last -R user_login
(that shows each time the user logs in and from what IP/hostname or serial port)
cat /home/user_login/.sh_history
(shows all commands typed into the shell by the user)
user_login can be any user; for root, log in as root and cat the .sh_history file, as well as running last, as in: last -R root
Check for duplicate root users (a very bad security problem) by typing this into a file called chkrootid:
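#!/usr/bin/sh
# List every /etc/passwd entry whose UID (field 3) is 0.
# (bash treats UID as a read-only variable; rename it if you run this under bash.)
cut -f1,3 -d: /etc/passwd \
| tr ":" " " \
| while read USER UID
do
  [[ $UID = 0 ]] && echo "user $USER is $UID"
done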
Then chmod 700 chkrootid and run it as: ./chkrootid and you should get only one entry. Multiple entries are not good. You'll need sudo to distribute limited root privileges.
Now for a true security breach, the steps are quite involved depending on the sophistication of the attacker. First you have to determine: are the problems related to inexperienced users making dumb mistakes, or are the problems due to disgruntled employees, or has there been an actual attack on the system where a sophisticated user (perhaps a temp worker or contractor?) has broken in? That will likely require a security professional familiar with HP-UX and security problems.
Tools such as Bastille, sudo, ssh, etc. are used to harden the system before it goes onto the network and are primarily used to prevent attacks, not detect them. IDS/9000 is a good product but will need some time to set up and some effort to monitor.
Bill Hassell, sysadmin