HPE Community
Operating System - HP-UX
1849532 Members
6992 Online
104044 Solutions
New Discussion

Re: security requirements

 
SOLVED
Go to solution
Jay Cantwell
Regular Advisor

‎04-18-2006 05:55 AM

‎04-18-2006 05:55 AM

security requirements

I am having to apply security locks on my hpux 11.0 system. I have the following item I need help with:

Console Device is world writeable/readable while in use. I am not sure what would happen if I issued a chmod command. The permissions are currently crw—w—w-.

what chmod command could be used to correct this.

thanks...Jay
0 Kudos
Reply
7 REPLIES 7
Rick Garland
Honored Contributor

‎04-18-2006 06:09 AM

‎04-18-2006 06:09 AM

Re: security requirements

No need to change this. Don't change this. Look in this directory and you will see that the devices (lan0, pty's, etc) are all set to world write.
Reply
Jay Cantwell
Regular Advisor

‎04-18-2006 06:13 AM

‎04-18-2006 06:13 AM

Re: security requirements

HI Rick....this is what is prompting my question....the security documentation I am following state that the console should not be in a world write or read state while it is being accessed. When I log into the console, the world write stays on. Is this an OS requirement? If so, I can state that and go on from there....jay
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

‎04-18-2006 06:26 AM

‎04-18-2006 06:26 AM

Solution

Re: security requirements

You can certainly run chmod 640 /dev/console but the "fix" will only be temporary nor is the "fix" necessary or even desired. By intent, processes are allowed to log errors to the console as this may be one of the few known working devices in the event of a severe problem. All a malicious user could do is write a message something like this: "Hey stupid, please re-enter the root password for verification purposes." Even if you were dumb enough to follow those instructions, no harm would be done because the intruder does not have read permission for /dev/console so that he could not read your input.
If it ain't broke, I can fix that.
Reply
Rick Garland
Honored Contributor

‎04-18-2006 06:37 AM

‎04-18-2006 06:37 AM

Re: security requirements

Not an OS requirement, but as Clay states it is irrelevant to do so.
Reply
Geoff Wild
Honored Contributor

‎04-18-2006 07:02 AM

‎04-18-2006 07:02 AM

Re: security requirements

I took a look in this doc:

http://www.giac.org/certified_professionals/practicals/gsna/0101.php

and found nothing about write permission to /dev/console.

If you do a chmod o-w /dev/console and reboot - it comes back - so I'd say it is an OS requirement and carry on with the audit.

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Reply
Bill Hassell
Honored Contributor

‎04-18-2006 10:32 AM

‎04-18-2006 10:32 AM

Re: security requirements

I would challenge the security documentation as being too general. While on other flavors of Unix, this might be a an appropriate recommendation, it isn't meaningful on HP-UX. As mentioned, the permissions will be corrected on reboot. Most servers don't actually have a console (usually it's shared) and if the console is in a public area, you have much bigger problems to fix. Consoles must be behind locked doors with access allowed only by trusted (and trained) sysadmins.


Bill Hassell, sysadmin
Reply
Don Mallory
Trusted Contributor

‎04-19-2006 01:38 AM

‎04-19-2006 01:38 AM

Re: security requirements

I agree with Bill regarding control of physical console access.

I will also point you to two other references:

Managing Systems and Workgroups - Chapter 8. Administering a System: Managing System Security
http://docs.hp.com/en/B2355-90950/ch08.html

sub - Security Considerations for Device Files:
http://docs.hp.com/en/B2355-90950/ch08s04.html#cegdefcg

sub - Link-Level Access:
http://docs.hp.com/en/B2355-90950/ch08s06.html#d0e69379

Also of note is the Center for Internet Security - HP-UX Benchmark v1.3.1:
http://www.cisecurity.com/bench_hpux.html

Of note is section 5.7 which recommends that /dev/vg01 not be world writable.

If you further examine the Bastille scripts and a few other resources. The largest concern over device file security is over /dev/mem, /dev/kmem, /dev/lan*, /dev/ieee*, /dev/ether* and /dev/vg*. Based on what these device files are used to access, you can see why they would be limited.

Other things I have seen would suggest keeping /dev and any dirs under /dev limited to no world write (pretty good recommendation). Of course, you must keep in mind that any permission that is required for the system to run will be restored on reboot.

One last point, if you are so concerned about console security above all else, I would question two points, the first being, how secure is access to your console (are you also using the remote console with the GSP or MP card as well?) and the second is, how trusted or untrusted are your users? Perhaps they shouldn't be allowed to directly log in, or you should consider other means of monitoring or limiting acccess such as separating the services between multiple nodes or limiting other services.

The HP-UX Benchmark is an excellent reference for this.

Good luck,
Don
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.