HPE Community
Operating System - HP-UX
1838619 Members
2085 Online
110128 Solutions
New Discussion

Re: Security Negative alerts

 
SOLVED
Go to solution
Dewa Negara_4
Regular Advisor

‎12-30-2003 03:27 PM

‎12-30-2003 03:27 PM

Security Negative alerts

Hi All,

I was trying to run a CIS Security software on my system and found some negative alerts on that. Some of them have been resolved already. I still find a difficulties to resolve some alerts below. Could you please help.

Happy New Year 2004!

Thanks and Best Regards,
Negara

Negative: 3.5 Graphical login not deactivated.
Negative: 3.12 RPC rc-script (nfs.core) has not been deactivated.
Negative: 4.1 This operating system version does not support a non-executable stack.
Negative: 6.9 No banner line in /etc/ftpd/ftpaccess.
Santos
0 Kudos
Reply
8 REPLIES 8
T G Manikandan
Honored Contributor

‎12-30-2003 03:36 PM

‎12-30-2003 03:36 PM

Solution

Re: Security Negative alerts

Grpahical login -diable cde

#/sbin/init.d/dtlogin.rc stop
#mv /sbin/rc3.d/S990dtlogin.rc /sbin/init.d/s990dtlogin.rc

RPC(nfs.core)
#mv /sbin/rc2.d/S400nfs.core /sbin/rc2.d/s400nfs.core


No banner
In /etc/ftpd/ftpaccess

"banner /etc/issue"
or any other file which you want to print during login
Reply
Elmar P. Kolkman
Honored Contributor

‎12-30-2003 08:24 PM

‎12-30-2003 08:24 PM

Re: Security Negative alerts

It is a better practice to edit /etc/rc.config.d files on an HP-UX system then to change the startup links.

For cde that is /etc/rc.config.d/desktop

For NFS that is /etc/rc.config.d/nfsconf

The 4.1 message is not resolvable. Unless you move to another OS or version (don't know which one you should use then).

6.9 is a matter of adding an banner line, and if you don't want banners, let it point to an empty file.

Happy New Year too...
Every problem has at least one solution. Only some solutions are harder to find.
Reply
Dewa Negara_4
Regular Advisor

‎12-30-2003 10:24 PM

‎12-30-2003 10:24 PM

Re: Security Negative alerts

Thanks for your help. It looks fine for me now. One more alert which I still can not resolve. Could you please help me on this as well? How can I run checkperms?

Thanks and Best Regards,
Negara

Negative: 5.9 checkperms has not been run on this system.
Santos
0 Kudos
Reply
Elmar P. Kolkman
Honored Contributor

‎12-30-2003 11:01 PM

‎12-30-2003 11:01 PM

Re: Security Negative alerts

I don't know checkperms, but might it be a part of the CIS security software?
Every problem has at least one solution. Only some solutions are harder to find.
0 Kudos
Reply
T G Manikandan
Honored Contributor

‎12-30-2003 11:41 PM

‎12-30-2003 11:41 PM

Re: Security Negative alerts

check this

http://www.cisecurity.org/tools2/hpux/hp_checkperms

you should run this as root.

Also check the pdf

http://www.cisecurity.org/tools2/hpux/HPUXBenchmark.pdf
Reply
Robert Fritz
Regular Advisor

‎12-31-2003 04:12 AM

‎12-31-2003 04:12 AM

Re: Security Negative alerts

Regarding 4.1: I didn't see which HP-UX version you were running, but with 11.11 and after, there is a kernel parameter, execurtable_stack, that can be set to disable stack execution.

On 11.23 and after, the default is not to execute off the stack.

Also, if you're doing lockdown, you may consider trying out Bastille:

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA
Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
Reply
Dewa Negara_4
Regular Advisor

‎12-31-2003 12:41 PM

‎12-31-2003 12:41 PM

Re: Security Negative alerts

Hi All,

Thank you very much for your help. I am using HPUX 11.00. So you mean that 11.00 does not support non-executable stack? In this case the alert is not resolvable. Am I right? Please advise.

Thanks and Best Regards,
Negara
Santos
0 Kudos
Reply
Robert Fritz
Regular Advisor

‎01-05-2004 04:33 AM

‎01-05-2004 04:33 AM

Re: Security Negative alerts

Correct,

My understanding is that 11.00 does not support the non-executable stack parameter.

Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.