security

jerry1
Super Advisor

security

Could someone suggest some tools/places I can go to get security tools that I can use to monitor who is doing what as root on a server. Just looking at root's history file is not enough. I could install TCP Wrappers, which I believe has some logging. I have Tripwire and COPS installed, but none of these really tell who or what. I used to use logshell at another company and was wondering if something similar exists. /.rhosts has to go also. I need to know who/what is using it.
Graham Cameron_1
Honored Contributor

Re: security

I worked in a bank for a while, where we used UPM:
http://www.passgo.com/datasheets/upm.pdf
Does what you want and loads more.
-- Graham
Computers make it easier to do a lot of things, but most of the things they make it easier to do don't need to be done.
harry d brown jr
Honored Contributor

Re: security


The best solution is to change the password to root and remove any files that can be executed up to root, then have people submit their requests to you for root command executions.

Let's say you allow someone to have root privileges and they go into vi or simply "more" a file and then bang (!) out and start another shell or simply execute a command, which won't be logged.

live free or die
harry
Live Free or Die
Brian Bergstrand
Honored Contributor

Re: security

You can convert to a trusted system and then enable auditing for the root user. This will track just about any move made by root. Just make sure you have plenty of disk space for the logs. Use sam to do both of these.

HTH.
Steven E. Protter
Exalted Contributor
Solution

Re: security

My standard pitch on security for hp-ux

Here is how we keep up on these security issues.

First we subscribe to ITRC security bulletins, which you apparently already do.

Next we use the following tools to harden security on our system and notify us of security patches.

Bastille Security hardening
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

Perl which the above needs.
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL

Security Patch Check
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

TCP Wrappers

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=TCPWRAP

IDS/9000 (Intrusion Detection System)

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA

Get all these products working and you'll be quite secure.

Secure shell
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Zeev Schultz
Honored Contributor

Re: security

With a slight modification of what Harry defined as "ask other users to submit what they would like to run with root to yourself", aka being a lazy sysadmin once :) - use sudo. Define who does what. Consequently, restrict root logins to console only.
So computers don't think yet. At least not chess computers. - Seymour Cray
Rory R Hammond
Trusted Contributor

Re: security

Agree with all the above.

If you need info now,
/usr/sam/bin/samlog_viewer might help.

If root is using a history file
strings .history might help.

If users are logging in as root you can find who they are and make them stop. (I think everyone should use sudo.)
who -a /etc/wtmp |grep root
root pts/tb Oct 21 17:05 . 7731 bozo.thecompany.com
root pts/tb Oct 21 17:05 . 7731 id= tb term=0 exit=0
root pts/tb Oct 21 17:05 . 7731 id= tb term=0 exit=0
root pts/tb Oct 21 17:06 . 7818 bozo.thecompany.com
root pts/tb Oct 21 17:06 . 7818 id= tb term=0 exit=0
root pts/tb Oct 21 17:06 . 7818 id= tb term=0 exit=0

If users are using su to become root,
you can get times, terminal id and who from /var/adm/sulog.

If you have accounting you can use
/usr/sbin/acctcom to find commands executed
and from what terminal.
If you have multiple accounting files
(pacct pacct1 pacct2 etc.) you need
to run
acctcom pacct? corresponding to your time period.


Rory
There are a 100 ways to do things and 97 of them are right
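The wtmp and sulog checks Rory walks through above can be reduced to a small report that separates direct root logins from su-to-root events. This is an added example, not code from the thread; it assumes the HP-UX sulog line layout `SU MM/DD HH:MM +|- tty user-root` ('+' success, '-' failure) and runs on constructed sample lines in place of the live files.

```shell
#!/bin/sh
# Added example, not from the thread. Turns `who -a /etc/wtmp | grep root` output
# and /var/adm/sulog into two short reports. All sample data below is constructed.

# Direct root logins: keep wtmp records whose last field is the remote host and
# drop the process-exit records (the "id= tb term=0 exit=0" lines in the post).
direct_root_logins() {
    awk '$1 == "root" && $NF !~ /^exit=/ {
            printf "%s %s %s  root login from %s on %s\n", $3, $4, $5, $NF, $2
         }'
}

# su-to-root events from sulog (assumed format: SU MM/DD HH:MM +|- tty user-root).
# Only transitions whose target is root are shown; a '-' result is marked FAILED.
su_to_root() {
    awk '$1 == "SU" && $6 ~ /-root$/ {
            split($6, u, "-"); status = ($4 == "+") ? "ok" : "FAILED"
            printf "%s %s %-6s %s -> root on %s\n", $2, $3, status, u[1], $5
         }'
}

# Constructed sample input; the layout matches the post, the values are made up.
WTMP_SAMPLE='root pts/tb Oct 21 17:05 . 7731 bozo.thecompany.com
root pts/tb Oct 21 17:05 . 7731 id= tb term=0 exit=0
root pts/tb Oct 21 17:06 . 7818 bozo.thecompany.com
root pts/tb Oct 21 17:06 . 7818 id= tb term=0 exit=0'

SULOG_SAMPLE='SU 10/21 16:58 + pts/ta jdoe-root
SU 10/21 17:02 - pts/tc mallory-root
SU 10/21 17:03 + pts/tc mallory-oracle
SU 10/21 17:10 + console opr-root'

report() {
    echo "== direct root logins (who -a /etc/wtmp) =="
    printf '%s\n' "$WTMP_SAMPLE" | direct_root_logins
    echo "== su to root (/var/adm/sulog) =="
    printf '%s\n' "$SULOG_SAMPLE" | su_to_root
}

report
# On a live HP-UX system feed the real sources instead:
#   who -a /etc/wtmp | direct_root_logins
#   su_to_root < /var/adm/sulog
```

The two functions are plain awk filters, so they also work against rotated copies of wtmp or sulog kept for a later review.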