HPE Community
Operating System - HP-UX
1822448 Members
2616 Online
109642 Solutions
New Discussion юеВ

security - best practices

 
SOLVED
Go to solution
p7
Frequent Advisor

тАО12-30-2010 08:30 AM

тАО12-30-2010 08:30 AM

security - best practices

hi all,

we re moving from an 11.11 pa-risc dome to an 11.31 itanium dome. i want to impliment tighter security (/etc/default/security, ftpusers) that im not using currently. is there any best practice type documents, etc that are out there and that u all have experienced as practical?

thx in advance

0 Kudos
Reply
4 REPLIES 4
James R. Ferguson
Acclaimed Contributor

тАО12-30-2010 08:55 AM

тАО12-30-2010 08:55 AM

Solution

Re: security - best practices

Hi:

Bastille.

As part of the installation you can select one of four successively more secure configurations with Bastille during or following installation of the operating system. See page-29 here:

http://bizsupport.austin.hp.com/bc/docs/support/SupportManual/c02281370/c02281370.pdf

Regards!

...JRF...

Reply
Doug O'Leary
Honored Contributor

тАО12-30-2010 09:57 AM

тАО12-30-2010 09:57 AM

Re: security - best practices

Hey;

Most of the general security practices are common between unix platforms. Any good security book will give you the details on those.

One area I tend to push admins and users alike is in the use of secure shell (ssh), particularly as it relates to direct root access.

I've written the same document for a couple of different clients now that suggests ssh, using public key authentication (pka), is a better method of accessing root that the standard admin login/sudo combination.

That document, finally made more general, is available at http://www.olearycomputers.com/ll/sudo_v_ssh-pka.html

A generalized ssh users' guide is available at http://www.olearycomputers.com/ll/ssh_guide.html

Hope that helps.

Doug O'Leary

------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
Reply
Emil Velez
Honored Contributor

тАО12-30-2010 03:32 PM

тАО12-30-2010 03:32 PM

Re: security - best practices

at installation time you can choose a bastille configuration or after installation you run bastille.

After you run bastille it will bring up a GUI where you answer about 30 questions and it will lockdown the system based on your answers. THe nice thing is you can keep that confuration or undo the configuration.

if you keep the configuration then you can take the config file to another system and run bastille with that config and the other system will be "locked down" the same exact way. (assuming same OS version).

Bottom line: create a bastille config on 1 system then use that config for all of them.

THere is also a feature called bastille_drift to see if anyone made changes so the system does not match the bastille configuration. This is neat.
Reply
Don Mallory
Trusted Contributor

тАО01-07-2011 06:12 AM

тАО01-07-2011 06:12 AM

Re: security - best practices

The CIS Security benchmark is an excellent place to work from.

http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.os.unix.hpux


They also have a scoring tool and utility/script for checking file permits.

http://cisecurity.org/en-us/?route=downloads.browse.category.tools.unix

Best regards,
Don
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.