Re: System Files

Marvyn Torres
Occasional Advisor

System Files

Hello,

Would somebody please be kind enough to provide me with information on the following:
1. What are the prime system configuration files that need protecting and what should their appropriate permissions be?
2. What are the baseline SUID and SGID files that should exist in a system? (OS only)

Thanks!!
Newbie over here!
14 REPLIES
Sebastian Galeski_1
Trusted Contributor

Re: System Files

Hi
There is not just one or a few important files; there are many.
Usually you should not change the permissions on system files, because it can cause problems with the system. About SUID'ed files: if a SUID'ed file is a binary file it is OK, because using it for dangerous operations requires a bit of knowledge, but if it is a text script it is dangerous, because it can be edited easily. So my advice is to use the find command to find all files with the s bit set and check what kind of file each one is. Try to use:
find / \( -perm -04000 -o -perm -02000 \) -exec ls -ld {} \;

Hope it helps.
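
An added example, not part of the post above: the same find expression wrapped in a small audit that also reports whether each SUID/SGID file is a script or a binary and whether group or others can write to it. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SUID/SGID files and flag the risky ones.

# kind_of FILE: "script" if FILE starts with "#!" (bytes 23 21), else "binary".
kind_of() {
    if [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "2321" ]; then
        echo script
    else
        echo binary
    fi
}

# writable_by_others FILE: succeeds if group or other has write permission.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]
}

# audit_setid ROOT: one line per SUID/SGID regular file under ROOT:
#   <kind> writable=<yes|no> <path>
audit_setid() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if writable_by_others "$f"; then w=yes; else w=no; fi
        printf '%s writable=%s %s\n' "$(kind_of "$f")" "$w" "$f"
    done
}

# Constructed sample tree (not real system files), so the audit runs anywhere.
demo_setid() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hi\n' > "$d/helper.sh"
    printf '\177ELF' > "$d/tool"
    chmod 4775 "$d/helper.sh"   # SUID script, group-writable
    chmod 4555 "$d/tool"        # SUID "binary", read/execute only
    audit_setid "$d"
    rm -rf "$d"
}
demo_setid
```

Lines reported as `script` or `writable=yes` are the ones to review first; on a real system, point `audit_setid` at `/` as root.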
Steven Sim Kok Leong
Honored Contributor

Re: System Files

Hi,

Center for Internet Security has a HP-UX security benchmark for HP-UX 10.20, HP-UX 11.00 and HP-UX 11.11:

http://www.cisecurity.org/bench_HPUX.html

This benchmark comprises a list of hardening rules. As far as I recall, the SGID/SUID and file permission issues are addressed there as well.

Hope this helps. Regards.

Steven Sim Kok Leong
Stefan Farrelly
Honored Contributor

Re: System Files


All the correct permissions for all files installed using Software Distributor are kept on the system. So, if you're after the correct permissions for all the OS files, then you can list all files which belong to the OS-Core bundle (and all its filesets) and their correct permissions with the following command:

swlist -l file -a mode OS-Core | more

You could take the output from this, put it into a file, and run a script on it to check that the permissions currently set are what they're supposed to be, or set them.


I'm from Palmerston North, New Zealand, but somehow ended up in London...
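
An added example, not part of the post above: one way to write the checking script it suggests. The swlist column layout is not shown in the thread, so this assumes the output has already been reduced to one `path mode` pair per line (octal mode, no spaces in paths); the function name and sample files are constructed.

```shell
#!/bin/sh
# Added example: compare current file modes with an expected-mode list.

# check_modes LISTFILE
#   LISTFILE lines: "<path> <octal-mode>" (assumed format, see lead-in).
#   Prints MISSING / MISMATCH lines; returns 1 if anything differs.
check_modes() {
    bad=0
    while read -r path mode; do
        case "$path" in ''|\#*) continue ;; esac   # skip blanks and comments
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            bad=1
        # find -perm with a bare octal value matches the exact mode only
        elif [ -z "$(find "$path" -prune -perm "$mode" -print)" ]; then
            actual=$(ls -ld "$path" | awk '{print $1}')
            echo "MISMATCH $path expected=$mode actual=$actual"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Constructed sample: two files and a list that disagrees with one of them.
demo_modes() {
    d=$(mktemp -d)
    : > "$d/passwd"; chmod 444 "$d/passwd"
    : > "$d/inittab"; chmod 666 "$d/inittab"   # too permissive on purpose
    {
        echo "# expected modes (constructed)"
        echo "$d/passwd 0444"
        echo "$d/inittab 0444"
    } > "$d/expected.list"
    check_modes "$d/expected.list" || echo "differences found"
    rm -rf "$d"
}
demo_modes
```

The script only reports; review each MISMATCH line before changing a mode, since a report-only pass is safer on a production system than setting modes automatically.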
Marvyn Torres
Occasional Advisor

Re: System Files

Hey Steve,

Tried running the hp_checkperms tool from the CIS HP Benchmark. But when I executed it I got the following message:

#./hp_checkperms
script interpreter "/bin/sh" not found
script interpreter link resolves to "/usr/bin/sh"
sh: ./hp_checkperms not found.

Is there any (easy) way to resolve this????
Newbie over here!
James R. Ferguson
Acclaimed Contributor

Re: System Files

Hi Marvyn:

It sounds like you don't have (or have lost) your "transition links". These are a set of standard soft (symbolic) links that appeared when the HP-UX filesystem layouts were changed during the 9.x to 10.x evolution.

'/bin' is really a link to 'usr/bin' and 'lib' is really (only) a link to 'usr/lib'.

You can reinstall any missing links with:

# /opt/upgrade/bin/tlinstall

Regards!

...JRF...

Marvyn Torres
Occasional Advisor

Re: System Files

James,

# /opt/upgrade/bin/tlinstall

Would the above command have any negative effects if executed on a production server? And does it involve having to restart the system?
Newbie over here!
James R. Ferguson
Acclaimed Contributor
Solution

Re: System Files

Hi Marvyn:

No, and No. The command takes about 20-30 seconds to run and has no adverse effects. The overhead is to search filesystems and create the transition symbolic links.

Regards!

...JRF...
Marvyn Torres
Occasional Advisor

Re: System Files

James,

Oops! Tried the command but I'm still getting the same message.

Anything else you can have me do??
Newbie over here!
Steven Sim Kok Leong
Honored Contributor

Re: System Files

Hi,

First, verify that /usr/bin/sh exists:

# ll /usr/bin/sh

Then try this:

1) Method 1:

# ln -s /usr/bin /bin

This is safe because if /bin already exists, this command will simply fail gracefully.

If /bin does not exist, it will create the soft-link such that /bin/sh -> /usr/bin/sh

2) Method 2:

Modify ./hp_checkperms she-bang (#!/bin/sh) header from

#!/bin/sh

to

#!/usr/bin/sh

3) Method 3:

# sh -c ./hp_checkperms

This should avoid the she-bang (#!/bin/sh).

Hope this helps. Regards.

Steven Sim Kok Leong
Marvyn Torres
Occasional Advisor

Re: System Files

Steven,

Tried methods 1 and 2 but still got the same message.

Can you elaborate on method 3? How do I edit the she-bang header?

Thanks,

Marvyn
Newbie over here!
Marvyn Torres
Occasional Advisor

Re: System Files

Steven,

Corrections to the above question. What I meant was:

Tried methods 1 and 3 but still got the same message.

Can you elaborate on method 2? How do I edit the she-bang header?

Thanks,

Marvyn
Newbie over here!
Steven Sim Kok Leong
Honored Contributor

Re: System Files

Hi,

2) Method 2:

Modify ./hp_checkperms she-bang (#!/bin/sh) header from

#!/bin/sh to #!/usr/bin/sh

In other words, edit the script hp_checkperms

# vi hp_checkperms

Replace #!/bin/sh with #!/usr/bin/sh on the very first line of the script.

Before change it shows:

#!/bin/sh
#
# check "execution" permissions on an hp-ux system per the information in
# the IPD, which is hopefully correct. Unfortunately, there
# will be different permissions settings for the same system file. I will
# generate 4 files, LL_errormsgs, MORE.restricted, FIX_permissions, and
# MULTIPLE.permissions.

After change, it shows:

#!/usr/bin/sh
#
# check "execution" permissions on an hp-ux system per the information in
# the IPD, which is hopefully correct. Unfortunately, there
# will be different permissions settings for the same system file. I will
# generate 4 files, LL_errormsgs, MORE.restricted, FIX_permissions, and
# MULTIPLE.permissions.

Hope this helps. Regards.

Steven Sim Kok Leong
Steven Sim Kok Leong
Honored Contributor

Re: System Files

Hi,

If you still face the same error, show us the output for the following commands:

# ll /usr/bin/sh
# file /usr/bin/sh
# ll ./hp_checkperms
# head -1 ./hp_checkperms

If you have the time, also show us output for the following:

# echo $SHELL
# env

Hope this helps. Regards.

Steven Sim Kok Leong
Steven Sim Kok Leong
Honored Contributor

Re: System Files

Hi,

Just to add on, once you swinstall the CISscan.pkg, you should be able to run the following:

# /opt/CIS/cis-scan

Here's an output of my testing that might interest you with regards to SUID/SGID programs:

===========================================
Beginning system evaluation...

Now a final check for Set-UID and Set-GID programs-- this can take a whole
lot of time if you have a large filesystem. Your score if there are
no extra SUID/SGID programs found will be 4.07 / 10.00 . If there are
extra SUID/SGID programs, your score will be 3.89 / 10.00 .

You can hit CTRL-C at any time to stop at this remaining step.


Rating = 3.89 / 10.00

-----------------------------------------
To learn more about the results, do the following:

All results/diagnostics:
more /opt/CIS/cis-ruler-log.20020606-15:35:48.15947
Positive Results Only:
egrep "^Positive" /opt/CIS/cis-ruler-log.20020606-15:35:48.15947
Negative Results Only:
egrep "^Negative" /opt/CIS/cis-ruler-log.20020606-15:35:48.15947

For each item that you score or fail to score on, please reference the
corresponding item in the CIS Benchmark Document.
===========================================

Hope this helps. Regards.

Steven Sim Kok Leong