Operating System - HP-UX

Re: Validate HPUX Security items

Hunki
Super Advisor

Validate HPUX Security items

1) SNMP needs to be disabled if not required. This is what I think needs to be done to do it:
1. /etc/rc.config.d/SnmpHpunix
Set SNMP_HPUNIX_START to 0: SNMP_HPUNIX_START=0
2. /etc/rc.config.d/SnmpMaster
Set SNMP_MASTER_START to 0: SNMP_MASTER_START=0
3. /etc/rc.config.d/SnmpMib2
Set SNMP_MIB2_START to 0: SNMP_MIB2_START=0
4. /etc/rc.config.d/SnmpTrpDst
Set SNMP_TRAPDEST_START to 0: SNMP_TRAPDEST_START=0


2) NFS - all shares need to be restricted to trusted hosts only and
preferably read only -> Trusted hosts: listed in the .rhosts file; check for read-only permissions for all shares listed in /etc/exports.

3) Disable HTTP TRACE on port 8080 -> I think that we need to change/add to an "httpd.conf" file:
RewriteEngine On
# Reject TRACE and TRACK requests with 403 Forbidden
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]


4) Disable the following services (I noticed all but bootpc, are in /etc/inetd.conf):
echo -> Comment out both of them in inetd.conf?
discard -> Comment out both of them in inetd.conf?
chargen -> Comment out both of them in inetd.conf?
daytime -> Comment out both of them in inetd.conf?
bootps -> Comment out in inetd.conf?
bootpc -> /etc/services
tftp -> Comment out in inetd.conf?
ident -> Comment out in inetd.conf?

5) Patch PHP running on port 8080 ->
Get the patch from HP.

6) Disable sendmail if not needed.
a) edit/remove the -bd flag from the "sendmail" command line in the /sbin/init.d/sendmail file or
b) Just comment out that line.

Jeff_Traigle
Honored Contributor
Solution

Re: Validate HPUX Security items

1. Looks good. Be sure to run the corresponding /sbin/init.d scripts prior to making these changes so SNMP is disabled immediately.

2. .rhosts has nothing to do with NFS. You restrict access to NFS mounts via the access= option in /etc/exports. See exports(4).

3. Not sure about that one.

4. Looks good. Be careful of commenting identd, however. If you run Serviceguard, it may require it unless the -i option is used on cmclconfd in /etc/inetd.conf.

5. Sounds reasonable.

6. Modifying the /sbin/init.d scripts supplied by HP is never a good idea. They can be overwritten at any time you patch the system. Set SENDMAIL_SERVER=0 in /etc/rc.config.d/mailservs instead.
--
Jeff Traigle
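A small audit script, added here as an example (it is not from this thread or from HP), that checks the items Jeff confirmed above: rc.config.d start variables set to 0, services still active in /etc/inetd.conf, and exports without an access= list or without ro. It runs on constructed sample file contents; on a real host pass "$(cat /etc/inetd.conf)" and "$(cat /etc/exports)" instead.

```shell
#!/bin/sh
# Constructed sample inputs, not taken from any real system.
SAMPLE_INETD='echo    stream tcp nowait root internal
#discard stream tcp nowait root internal
tftp    dgram  udp wait   root /usr/lbin/tftpd tftpd
ident   stream tcp wait   bin  /usr/lbin/identd identd'
SAMPLE_EXPORTS='/data  -access=host1:host2,ro
/home  -rw
/tools -ro'

# Names from $2 that still have an active (uncommented) line in inetd.conf ($1).
active_inetd_services() {
    out=""
    for svc in $2; do
        if printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
           awk -v s="$svc" '$1 == s { f = 1 } END { exit !f }'; then
            out="$out $svc"
        fi
    done
    printf '%s\n' "${out# }"
}

# Exports ($1) with no access= list, i.e. mountable by any host.
unrestricted_exports() {
    printf '%s\n' "$1" | awk 'NF && $0 !~ /^[[:space:]]*#/ && $0 !~ /access=/ {
        printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Exports ($1) whose option list (-opt,opt,...) lacks "ro", so clients can write.
writable_exports() {
    printf '%s\n' "$1" | awk 'NF && $0 !~ /^[[:space:]]*#/ {
        ro = 0; n = split(substr($2, 2), o, ",")
        for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1
        if (!ro) { printf "%s%s", sep, $1; sep = " " } } END { print "" }'
}

# Exit 0 when the last assignment of variable $2 in rc.config.d contents $1 is 0,
# e.g. SNMP_MASTER_START in /etc/rc.config.d/SnmpMaster or SENDMAIL_SERVER in mailservs.
rc_var_disabled() {
    printf '%s\n' "$1" | awk -F= -v v="$2" '{ sub(/^[[:space:]]+/, "") }
        $1 == v { val = $2 } END { exit (val == "0") ? 0 : 1 }'
}

echo "active inetd services: $(active_inetd_services "$SAMPLE_INETD" \
    "echo discard chargen daytime bootps tftp ident")"
echo "exports open to all hosts: $(unrestricted_exports "$SAMPLE_EXPORTS")"
echo "writable exports: $(writable_exports "$SAMPLE_EXPORTS")"
rc_var_disabled 'SNMP_MASTER_START=1' SNMP_MASTER_START || echo "SNMP master still enabled"
```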
Don Mallory
Trusted Contributor

Re: Validate HPUX Security items

Your number 3 looks good.

You could also go significantly farther and use rewrite options to limit the extended characters that Apache allows. Example:

# Reject (403) any request path containing a character outside the allowed set
RewriteRule [^a-zA-Z0-9./_-] - [F]

This will only allow a-z, A-Z, 0-9, ., /, _, -.

You should test this thoroughly though.

Trusted Apache security links of note:

www.sans.org/top20/index.php
www.cissecurity.org - look for the Apache Benchmark for UNIX
www.securityfocus.com/infocus/1694
www.securityfocus.com/infocus/1706
httpd.apache.org/docs/2.0/misc/security_tips.html

Don
Hunki
Super Advisor

Re: Validate HPUX Security items

For these :

4) All the other ones are also in /etc/services. Why do I not comment those out in /etc/services instead of /etc/inetd.conf?

5) Unable to get patch. Receive message page from HP that there is an "issue." Where else can I get it?

6) O.K. I can do that. Do I need to reboot or what afterwards?

Thanks Again
Jeff_Traigle
Honored Contributor

Re: Validate HPUX Security items

4) All the other ones are also in /etc/services. Why do I not comment those out in /etc/services instead of /etc/inetd.conf?

Some people will say to comment them in /etc/services also. I typically only comment them in /etc/inetd.conf. Someone will probably berate me for that. :)

5) Unable to get patch. Receive message page from HP that there is an "issue." Where else can I get it?

The HP site is the only place I know to get patches, other than from your friendly neighborhood HP rep if you have a support contract.

6) O.K. I can do that. Do I need to reboot or what afterwards?

Nope. Once you run the init.d script to stop it, sendmail is down.
--
Jeff Traigle
Hunki
Super Advisor

Re: Validate HPUX Security items

What is the difference between the two files /etc/inetd.conf and /etc/services, and in my case where shall I make the changes?
John Payne_2
Honored Contributor

Re: Validate HPUX Security items

/etc/services maps services to port numbers/protocols. /etc/inetd.conf tells inetd what services to spawn when a connection comes in for that service (port) and how to spawn them, really. If you want to disable, for sure comment out in /etc/inetd.conf, then do an 'inetd -c' to re-read the configuration file. The only reason to comment out /etc/services is to make it so someone doesn't 'accidentally' come along and change your inetd.conf setting and restart the services. I never comment these out, I just do not see a need for it. One thing I do is remove all unwanted lines in /etc/inetd.conf so that people can't just uncomment the line and start something back up.

Hope it helps

John
Spoon!!!!
Steven E. Protter
Exalted Contributor

Re: Validate HPUX Security items

Shalom,

I view /etc/services as a reservation file.

If inetd.conf and other daemons are configured correctly, they will use the /etc/services designation and function as the file says.

It's kind of like an airline reservation system, because it can be bumped. Oracle and other third party products use ports without needing an entry in the file and can cause conflict with services defined in /etc/services.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Florian Heigl (new acc)
Honored Contributor

Re: Validate HPUX Security items

2) Use netgroups for NFS
one for write, one for r/o hosts

4)
bootpc -> /etc/services
rbootd in /etc/inetd.conf
changing /etc/services is useless.
yesterday I stood at the edge. Today I'm one step ahead.
Hunki
Super Advisor

Re: Validate HPUX Security items

Temporarily closing.