- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- tightening up security
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-17-2002 11:16 PM
09-17-2002 11:16 PM
What are some of the easy things to do to tighten up security on HP-UX ?
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-17-2002 11:18 PM
09-17-2002 11:18 PM
SolutionThe easiest way someone can get access to your server is to find out some passwords. So the aim is to prevent this happening. One way is the lastb command. This lists failed/bad login attempts. Often users will enter their passwords in the login field so simply by watching the lastb command output you can find out other users' passwords. So, change the permissions on the lastb command to stop non-root users listing bad logins;
chmod 500 /usr/bin/lastb
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-17-2002 11:26 PM
09-17-2002 11:26 PM
Re: tightening up security
Another simple thing to check for is if ftp logging is on. To check do;
grep FTP /var/adm/syslog/syslog.log
This will list details of all ftp connections if ftp logging is switched on. If so then it displays passwords for ftp accounts.
So, make syslog non world readable; chmod 600 /var/adm/syslog.log
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-17-2002 11:34 PM
09-17-2002 11:34 PM
Re: tightening up security
1)Be up to date on HP security patches which fixes up various security vulnerabilities.
2)Disable all unwanted network services
3)Use strong passwords.
4)secure the individual servers even though you
think you have a perfect firewall.
5)Monitor system log files frequently for suspicious activity.
6)Keep root password very secure ( memorised )
7)Monitor file permission of executables like
ksh sh csh etc.
Have a look at this links.
http://people.hp.se/stevesk/bastion11.html
http://www.vennerable.com/security.html
regards,
U.SivaKumar
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-18-2002 01:12 AM
09-18-2002 01:12 AM
Re: tightening up security
You could always convert to a trusted system or if you just want to strengthen your passwords on an untrusted system you could install the PHCO_26089 patch. When this patch is installed, you can create a file called /etc/default/security which let you set things like:
MIN_PASSWORD_LENGTH
NUMBER_OF_LOGINS_ALLOWED
PASSWORD_HISTORY_DEPTH
PASSWORD_MIN_UPPER_CASE_CHARS
PASSWORD_MIN_LOWER_CASE_CHARS
PASSWORD_MIN_DIGIT_CHARS
PASSWORD_MIN_SPECIAL_CHARS
Hope This Helps
Michael
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-18-2002 02:31 AM
09-18-2002 02:31 AM
Re: tightening up security
One easy thing to do is to download and run the CIS Security Benchmark tools locally against your system to verify its security, such as checking for illegitimate setuid/setgid files and such:
http://www.cisecurity.org/bench_HPUX.html
Hope this helps. Reards.
Steven Sim Kok Leong
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-18-2002 02:44 AM
09-18-2002 02:44 AM
Re: tightening up security
HP has a 'hardening' tool called Bastille which will guide you through the common security pitfalls and make recommendations which you can choose to accept or ignore. It's worth a look - the URL is in this thread:
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x4f9793e260b0d611abdb0090277a778c,00.html
Pete
Pete
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-18-2002 03:36 AM
09-18-2002 03:36 AM
Re: tightening up security
(note: all recommendations are for 11.0 and higher. Since 10.20 is obsolete, most of the new features will never be back ported)
As mentioned, get Bastille to use as a guided tour through the security steps. The man page for security is only located on 11i systems for right now and unfortunately, it is missing a number of new features which are documented only in the patch README files.
Convert to Trusted system to hide the password information, and setup strong password policies. SAM will do this for you. Look in the Auditing section of SAM.
Get sudo. Setup a root user group and discourage ALL sysadmins from ever logging in as root. In fact, with the security file, you can prevent su from running (even with the right password) unless the user is a member of a special group.
Remove all the classic (archaic) network services along with (usually) unnecessary services from inetd:
ntalkd
ident
daytime
time
echo
discard
chargen
kshell
klogin
dtspcd
rpc.ttdbserver
rpc.cmsd
recserv
NOTE: if you use Xwindows *and* use CDE as a desktop manager, then the services from dtspcd on down will have to remain.
Make sure umask is set in /etc/profile and /etc/csh.login. Fix the baad permissions in /usr/local with: find /usr/local -type d -exec chmod 755 {} \;
While you're at it, find bad permissions for all files and directories:
find / -perm 002 -exec ll {} \;
Anything with 666 or 777 is a big red flag saying: "My content is totally corrupted or will be very soon."
Install IDS/9000 (free download from software.hp.com) and configure the Intruder Detection System to monitor critical files, processes and changes.
(there's lots more, depends on how paranoid you want to be, but remember, everyone is out to get you) And finally, develop a security policy for each operating system you manage. This should include how to setup a standard build process, how to configure, detect and report security issues, and work with your company's HR or personnel department on standard business conduct concerning security.
Bill Hassell, sysadmin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-18-2002 07:17 AM
09-18-2002 07:17 AM
Re: tightening up security
http://www.sans.org/newlook/home.php
they have some really good mailing lists that post as soon as new issues are found. You will get a lot of things that do not apply, but combine this with the HP security notices and you will have a better chance of staying current as new issues surface.
http://us-support3.external.hp.com/digest/bin/doc.pl/sid=2dc3dcf61aef9746e1
SANS also has some good white papers that can help.. just search for HP security or Unix security. The big issues apply to all flavors of Unix (poor passwords, etc.)