First thing to do: Get the HP-UX Security book by Chris Wong:
http://www.phptr.com/ and search for: HP-UX security (you may want to attend HP World (
http://hpworld.com) next week and take some of the security classes. Don Pipkin will be giving a half-day seminar on Tuesday)
(note: all recommendations are for 11.0 and higher. Since 10.20 is obsolete, most of the new features will never be back ported)
As mentioned, get Bastille to use as a guided tour through the security steps. The man page for security is only located on 11i systems for right now and unfortunately, it is missing a number of new features which are documented only in the patch README files.
Convert to Trusted system to hide the password information, and setup strong password policies. SAM will do this for you. Look in the Auditing section of SAM.
Get sudo. Setup a root user group and discourage ALL sysadmins from ever logging in as root. In fact, with the security file, you can prevent su from running (even with the right password) unless the user is a member of a special group.
Remove all the classic (archaic) network services along with (usually) unnecessary services from inetd:
ntalkd
ident
daytime
time
echo
discard
chargen
kshell
klogin
dtspcd
rpc.ttdbserver
rpc.cmsd
recserv
NOTE: if you use Xwindows *and* use CDE as a desktop manager, then the services from dtspcd on down will have to remain.
Make sure umask is set in /etc/profile and /etc/csh.login. Fix the baad permissions in /usr/local with: find /usr/local -type d -exec chmod 755 {} \;
While you're at it, find bad permissions for all files and directories:
find / -perm 002 -exec ll {} \;
Anything with 666 or 777 is a big red flag saying: "My content is totally corrupted or will be very soon."
Install IDS/9000 (free download from software.hp.com) and configure the Intruder Detection System to monitor critical files, processes and changes.
(there's lots more, depends on how paranoid you want to be, but remember, everyone is out to get you) And finally, develop a security policy for each operating system you manage. This should include how to setup a standard build process, how to configure, detect and report security issues, and work with your company's HR or personnel department on standard business conduct concerning security.
Bill Hassell, sysadmin
