System Files

Marvyn Torres · ‎05-30-2002

Hello,

Would somebody please be kind enough to provide me with information on the following:
1. What are the prime system configuration files that need protecting and what should their appropriate permissions be?
2. What are the baseline SUID and SGID files that should exist in a system? (OS only)

Thanks!!

Newbie over here!

Sebastian Galeski_1 · ‎05-30-2002

Hi
there is no one of few important file, there is many.
Usually You shold not change a permition to system files, because it can cause problems with system. About SUID'ed file. In system if suide'd file is a binary file it is oki, because using it for danger operation require a bit of knowledge, but if this is a text script it is dangerous because it can be edited in easy way. So my advise is to use find command to find all files with bit s set and check what kind of file it is. Try to use:
find / $ -perm ???04000 ???o ???perm ???02000 $ -exec ls -ld {} \;

hope it help

Steven Sim Kok Leong · ‎05-30-2002

Hi,

Center for Internet Security has a HP-UX security benchmark for HP-UX 10.20, HP-UX 11.00 and HP-UX 11.11:

http://www.cisecurity.org/bench_HPUX.html

This benchmark comprises a list of hardening rules. As far as I recall, the SGID/SUID and file permission issues are addressed there as well.

Hope this helps. Regards.

Steven Sim Kok Leong

Stefan Farrelly · ‎05-30-2002

All the correct permissions for all files installed using software distributor are kept on the system. So, if youre after the correct permissions for all the OS files then you can list all files which belong to the OS-Core bundle (and all its filesets) and their correct permissions with the following command;

swlist -l file -a mode OS-Core | more

You could take the output from this, put it into a file and run a script on it to check that the permissions currently set what theyre supposed to be, or set them.

Im from Palmerston North, New Zealand, but somehow ended up in London...

Marvyn Torres · ‎05-30-2002

Hey Steve,

Tried running the hp_checkperms tool from the CIS HP Benchmark. But when I executed it I got the following message:

#./hp_checkperms
script interpreter "/bin/sh" not found
script interpreter link resolves to "/usr/bin/sh"
sh: ./hp_checkperms not found.

Is there any (easy) way to resolve this????

Newbie over here!

James R. Ferguson · ‎05-30-2002

Hi Marvyn:

It sounds like you don't have (or have lost) your "transltion links". These are a set of standard soft (symbolic) links that appeared when the HP-UX filesystem layouts were changed during the 9.x to 10.x evolution.

'/bin' is really a link to 'usr/bin' and 'lib' is really (only) a link to 'usr/lib'.

You can reinstall any missing links with:

# /opt/upgrade/bin/tlinstall

Regards!

...JRF...

Marvyn Torres · ‎05-30-2002

James,

# /opt/upgrade/bin/tlinstall

Would the above command have any negative effects if executed on a production server? And does it involve having to restart the system?

Newbie over here!

James R. Ferguson · ‎05-30-2002

Hi Marvyn:

No, and No. The command takes about 20-30 seconds to run and has no adverse effects. The overhead is to search filesystems and create the transition symbolic links.

Regards!

...JRF...

Marvyn Torres · ‎05-30-2002

James,

Oops! Tried the command but I'm still getting the same message.

Anything else you can have me do??

Newbie over here!

Steven Sim Kok Leong · ‎05-31-2002

Hi,

First, verify that /usr/bin/sh exists:

# ll /usr/bin/sh

Then try this:

1) Method 1:

# ln -s /usr/bin /bin

This is safe because if /bin already exists, this command will simply fail gracefully.

If /bin does not exist, it will create the soft-link such that /bin/sh -> /usr/bin/sh

2) Method 2:

Modify ./hp_checkperms she-bang (#!/bin/sh) header from

#!/bin/sh

to

#!/usr/bin/sh

3) Method 3:

# sh -c ./hp_checkperms

This should avoid the she-bang (#!/bin/sh).

Hope this helps. Regards.

Steven Sim Kok Leong

Marvyn Torres · ‎06-03-2002

Steven,

Tried methods 1 and 2 but still got the same message.

Can you elaborate on method 3? How do I edit the she-bang header?

Thanks,

Marvyn

Newbie over here!

Marvyn Torres · ‎06-03-2002

Steven,

Corrections to the above question. What I meant was:

Tried methods 1 and 3 but still got the same message.

Can you elaborate on method 2? How do I edit the she-bang header?

Thanks,

Marvyn

Newbie over here!

Steven Sim Kok Leong · ‎06-04-2002

Hi,

2) Method 2:

Modify ./hp_checkperms she-bang (#!/bin/sh) header from

#!/bin/sh to #!/usr/bin/sh

In other words, edit the script hp_checkperms

# vi hp_checkperms

Replace #!/bin/sh with #!/usr/bin/sh on the very first line of the script.

Before change it shows:

#!/bin/sh
#
# check "execution" permissions on an hp-ux system per the information in
# the IPD, which is hopefully correct. Unfortunately, there
# will be different permissions settings for the same system file. I will
# generate 4 files, LL_errormsgs, MORE.restricted, FIX_permissions, and
# MULTIPLE.permissions.

After change, it shows:

#!/usr/bin/sh
#
# check "execution" permissions on an hp-ux system per the information in
# the IPD, which is hopefully correct. Unfortunately, there
# will be different permissions settings for the same system file. I will
# generate 4 files, LL_errormsgs, MORE.restricted, FIX_permissions, and
# MULTIPLE.permissions.

Hope this helps. Regards.

Steven Sim Kok Leong

Steven Sim Kok Leong · ‎06-04-2002

Hi,

If you still face the same error, show us the output for the following commands:

# ll /usr/bin/sh
# file /usr/bin/sh
# ll ./hp_checkperms
# head -1 ./hp_checkperms

If you have the time, also show us output for the following:

# echo $SHELL
# env

Hope this helps. Regards.

Steven Sim Kok Leong

Steven Sim Kok Leong · ‎06-05-2002

Hi,

Just to add on, once you swinstall the CISscan.pkg, you should be able to run the following:

# /opt/CIS/cis-scan

Here's an output of my testing that might interest you with regards to SUID/SGID programs:

===========================================
Beginning system evaluation...

Now a final check for Set-UID and Set-GID programs-- this can take a whole
lot of time if you have a large filesystem. Your score if there are
no extra SUID/SGID programs found will be 4.07 / 10.00 . If there are
extra SUID/SGID programs, your score will be 3.89 / 10.00 .

You can hit CTRL-C at any time to stop at this remaining step.

Rating = 3.89 / 10.00

-----------------------------------------
To learn more about the results, do the following:

All results/diagnostics:
more /opt/CIS/cis-ruler-log.20020606-15:35:48.15947
Positive Results Only:
egrep "^Positive" /opt/CIS/cis-ruler-log.20020606-15:35:48.15947
Negative Results Only:
egrep "^Negative" /opt/CIS/cis-ruler-log.20020606-15:35:48.15947

For each item that you score or fail to score on, please reference the
corresponding item in the CIS Benchmark Document.
===========================================

Hope this helps. Regards.

Steven Sim Kok Leong

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

System Files

System Files

Re: System Files

Re: System Files

Re: System Files

Re: System Files

Re: System Files

Re: System Files

Re: System Files

Re: System Files

Re: System Files

Re: System Files

Re: System Files

Re: System Files

Re: System Files

Re: System Files