Re: Security Policies/Procedures

Kurt Renner
Frequent Advisor

Security Policies/Procedures

Hello, I am working on a project to develop comprehensive security policies and procedures for HP-UX. I have found several very good resources on security including Building a Bastion Host using HP-UX 11 as well as the Australian Computer Emergency Response Team web site which discusses Unix security in detail. Does anyone have any other references they would consider to be very good that I could also use as guides to developing our policies/procedures or would anyone possibly be willing to share a copy of their policies/procedures with me?

Much discussion concerning Unix security centers on de-activating services via /etc/inetd.conf or limiting access to certain hosts via /var/adm/inetd.sec and the use of /etc/hosts.allow and /etc/hosts.deny.

I am finding that some of the security vulnerabilities in certain services (finger and uucp for example) discovered over the years are disabled (or appear to be since they are commented out in /etc/inetd.conf) by default in an HP-UX installation. For all other services I wish to disable, should I comment out both the line in /etc/services and /etc/inetd.conf and create an entry in /var/adm/inetd.sec explicitly denying access to that service? What is the best method of disabling services you do not need running?

I also have run across many recommendations to use tcp_wrappers and ssh. I would like to get a feel for how commonly these utilities are used, and what kind of issues have been encountered in using them.

There also appears to be TCP ports opened that aren't necessarily represented in either /etc/services or /etc/inetd.conf identified via the lsof utility. How do you protect against other applications opening TCP ports you don't want opened? Apparently just because a service is not explicitly specified in one of these 2 files doesn't necessarily mean the service is disabled or restricted. Does /var/adm/inetd.sec also apply to these services in preventing them from being available to outside hosts?

I clearly cannot lock down all TCP/UDP ports and still have a useful system, so what are the best practices for identifying how and what to lock down?

I realize some of this depends on what applications are installed on a system. What I am looking for are general guidelines used at other organizations when addressing HP-UX security.

Thanks in advance! I can be reached via email at renner@fullnet.com
Do it right the first time and you will be ahead in the long run.
fg_1
Trusted Contributor

Re: Security Policies/Procedures

Kurt

I have created and attached a zip file containing some security site links for you to check out.

Bear in mind, you are best served by checking with whatever governmental agency regulates your practices (if applicable).

Ex: banking/finance: F.D.I.C
Trading: S.E.C.
Health Care: HIPAA.

Just a few thoughts.

Good luck.
T. M. Louah
Esteemed Contributor

Re: Security Policies/Procedures

I suggest that you take a look at ARMOR @:
http://armor.sourceforge.net/

FOR Armor FAQs:
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/~checkout~/armor/armor/FAQ?rev=HEAD&content-type=text/plain

g'd luck
t++
Little learning is dangerous!
Kurt Renner
Frequent Advisor

Re: Security Policies/Procedures

I haven't gotten through all the web links in the first reply yet, but they look promising. Thanks for taking the time to send the links!

Armor is a very interesting set of tools. I haven't had a chance to look at it in depth yet, but I will. Once I have my security policies determined, I intended to write a set of scripts similar to these to make implementation of the policy straight-forward for the rest of the administrators on my team. I may be able to use Armor for this purpose (at least a starting point) and save myself a lot of scripting time.

I had not run across Armor until you pointed it out, thanks!
Do it right the first time and you will be ahead in the long run.
harry d brown jr
Honored Contributor

Re: Security Policies/Procedures

>>> Does anyone have any other references they would consider to be very good that I could also use as guides to developing our policies/procedures or would anyone possibly be willing to share a copy of their policies/procedures with me? <<<

Although you can have a general security policy, each application needs its own policy, along with each server. The more sensitive the data on a server/application, the greater the need for a stricter security policy. Security must always reside within each application, assisting in the security of the entire server security policy.

>>>For all other services I wish to disable, should I comment out both the line in /etc/services and /etc/inetd.conf and create an entry in /var/adm/inetd.sec explicitly denying access to that service? <<<

Yes, commenting out and explicitly denying service, as well as making sure there are no startup scripts for the services.

>>>What is the best method of disabling services you do not need running?<<<

It depends. If you are setting up a web server, you might not have inetd running at all (which is what I do). It boils down to a case by case basis on each service, depending upon what you need.

>>>I also have run across many recommendations to use tcp_wrappers and ssh. I would like to get a feel for how commonly these utilities are used, and what kind of issues have been encountered in using them. <<<

The best security policy would prohibit all (ALL) users from shell access.

>>> How do you protect against other applications opening TCP ports you don't want opened? <<<

With HP-UX 11.x you get "syslogd -N" that turns off the socket listener (the logging of other systems via syslog).

>>> Apparently just because a service is not explicitly specified in one of these 2 files doesn't necessarily mean the service is disabled or restricted. Does /var/adm/inetd.sec also apply to these services in preventing them from being available to outside hosts? <<<

If inetd is not being used to service requests, then NO, the use of inetd.sec will not help, ie: Oracle.

>>> I clearly cannot lock down all TCP/UDP ports and still have a useful system, so what are the best practices for identifying how and what to lock down? <<<

Each server and application will have its own security needs. For Web servers, I used the Bastion host document, and pushed it as far as not installing services that I will not use, like FTP and NFS. My web servers don't even have inetd running. Although I have shut down almost every service, I unfortunately have more than ports 80 and 443 open, which is why I have routers and firewalls (two different ones, different vendors, one for the outside and one for the inside) wrapped around the Web servers.

>>>I realize some of this depends on what applications are installed on a system. What I am looking for are general guidelines used at other organizations when addressing HP-UX security. <<<

You are correct, that every application/server should have its own policies.

live free or die
harry
Live Free or Die
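The two points argued across Kurt's question and harry's reply (which enabled inetd services lack an inetd.sec rule, and which listening ports inetd.sec cannot touch at all because inetd does not own them) can be checked with a small audit script. The following is an added example, not code from this thread or from any poster; it runs on constructed excerpts of /etc/inetd.conf, /var/adm/inetd.sec, /etc/services and netstat -an output embedded inline, so it runs offline. On a real host you would replace the four variables with `cat` of the real files and the real `netstat -an` output (HP-UX's `*.PORT` local-address format is assumed).

```shell
#!/bin/sh
# Added audit example for the thread above (not the poster's code).
# All four inputs below are constructed sample data, not from a real host.

# Constructed excerpt of /etc/inetd.conf: lines starting with '#' are disabled.
INETD_CONF='
#finger stream tcp nowait bin  /usr/lbin/fingerd fingerd
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
#uucp   stream tcp nowait root /usr/sbin/uucpd   uucpd
daytime stream tcp nowait root internal
'

# Constructed excerpt of /var/adm/inetd.sec: "service allow|deny host-list".
INETD_SEC='
ftp    allow 10.1.1.*
telnet deny  *
'

# Constructed excerpt of /etc/services: "name port/proto".
SERVICES='
ftp     21/tcp
telnet  23/tcp
daytime 13/tcp
http    80/tcp
'

# Constructed "netstat -an" listener lines in HP-UX format (local addr *.PORT).
NETSTAT='
tcp        0      0  *.21                   *.*                     LISTEN
tcp        0      0  *.23                   *.*                     LISTEN
tcp        0      0  *.13                   *.*                     LISTEN
tcp        0      0  *.80                   *.*                     LISTEN
tcp        0      0  *.1521                 *.*                     LISTEN
'

# Service names that are actually enabled in inetd.conf (uncommented, full entry).
inetd_enabled() {
    printf '%s\n' "$INETD_CONF" | awk '$1 !~ /^#/ && NF >= 6 { print $1 }'
}

# Enabled inetd services with no allow/deny rule at all in inetd.sec.
inetd_unprotected() {
    for svc in $(inetd_enabled); do
        printf '%s\n' "$INETD_SEC" \
            | awk -v s="$svc" '$1 == s { found = 1 } END { exit !found }' \
            || printf '%s\n' "$svc"
    done
}

# TCP port for a service name from /etc/services; prints nothing if unknown.
service_port() {
    printf '%s\n' "$SERVICES" \
        | awk -v s="$1" '$1 == s && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }'
}

# Service name for a TCP port; "unknown" when /etc/services has no entry.
port_name() {
    name=$(printf '%s\n' "$SERVICES" | awk -v p="$1" '$2 == (p "/tcp") { print $1; exit }')
    printf '%s\n' "${name:-unknown}"
}

# Listening TCP ports that inetd does not serve. inetd.sec has no effect on
# these (the Oracle case in the reply); they need application-level controls,
# a firewall, or removal of the daemon.
non_inetd_listeners() {
    inetd_ports=" "
    for svc in $(inetd_enabled); do
        p=$(service_port "$svc")
        [ -n "$p" ] && inetd_ports="$inetd_ports$p "
    done
    printf '%s\n' "$NETSTAT" \
        | awk '$1 == "tcp" && $NF == "LISTEN" { n = split($4, a, "."); print a[n] }' \
        | while read -r port; do
            case "$inetd_ports" in
                *" $port "*) ;;   # served by inetd, so inetd.sec applies
                *) printf '%s %s\n' "$port" "$(port_name "$port")" ;;
            esac
        done
}

echo "== Enabled inetd services with no inetd.sec rule =="
inetd_unprotected
echo "== TCP listeners not served by inetd (inetd.sec cannot restrict them) =="
non_inetd_listeners
```

With the sample data, the first report lists `daytime` (enabled, but no rule), and the second lists port 80 (`http`) and port 1521 (`unknown`, absent from /etc/services): both are exactly the "ports that aren't represented in either file" Kurt saw with lsof, and neither can be restricted through inetd.sec.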