Operating System - HP-UX

Re: /var/adm/sw/save world writable???

Marco Santerre
Honored Contributor

/var/adm/sw/save world writable???

Hello gurus,

Quick question: I'm having an issue with security compliance where, when some patches are installed, it saves the filesets and directories under /var/adm/sw/save but with world-writable permissions on them.

Is there a way to get rid of that automatically? I mean without the intervention of an SA, either through SD or with a switch that we set up previously?

Thanks
Cooperation is doing with a smile what you have to do anyhow.
Steven E. Protter
Exalted Contributor

Re: /var/adm/sw/save world writable???

Shalom,

I'd just have the sysadmin fix it.

It's not like there is a lot of usable data there.

HP-UX has never been sold as a secure OS, but rather a secureable OS, that can be made secure with good system administration.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: /var/adm/sw/save world writable???

You can greatly restrict the permissions on /var/adm/sw/save to simply 500 owned by root:sys. Root, the user (or effective user) running any swxxxx command, will not need write permission to create new directories because permissions are ignored by root. This will effectively isolate any files below that directory level from ordinary users. However, files below that level should be left intact because if a patch has to be uninstalled, it's important that the files be put back in their original state. I've never had any difficulty explaining this to the security auditors, and as long as they see that the higher-level directory permissions prevent anyone except root from accessing these files, they give their okey-dokey.
If it ain't broke, I can fix that.
Pete Randall
Outstanding Contributor

Re: /var/adm/sw/save world writable???

Marco,

I find this quite odd. My save directory has 500 root:sys permissions and every saved patch within has 755 root:sys permissions. I would suggest changing yours and monitoring.

Pete
Geoff Wild
Honored Contributor

Re: /var/adm/sw/save world writable???

/var/adm/sw/save should be 500 and everything under it 755 with root:sys.

Also, root umask should be 022

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
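A read-only audit for the targets given in the replies above (save directory mode 500, nothing below it world-writable, umask 022), added here as an example; it is not from this thread or from HP, and the function names and the default path argument are my own choices. It reports and counts findings but changes nothing, since the saved files must stay intact for patch rollbacks.

```sh
#!/bin/sh
# Read-only audit of the SD save area with the targets given in this
# thread: top directory mode 500, nothing below it world-writable,
# umask 022. Nothing is chmod'ed; saved files must stay intact so that
# a later swremove can restore them exactly.

# Mode field that ls -ld prints for a directory with mode 500.
TOP_MODE='dr-x------'

# Return 0 when DIR's permission bits are exactly r-x------ (500).
# Only the first 10 characters are compared, so an ACL/attribute
# marker appended by some ls implementations does not matter.
top_mode_ok() {
    [ "$(ls -ld "$1" | awk '{print substr($1, 1, 10)}')" = "$TOP_MODE" ]
}

# Print every path at or below DIR whose other-write bit is set
# (find -perm -0002 is the portable spelling of "world-writable").
world_writable_under() {
    find "$1" -perm -0002 -print
}

# Return 0 when the current umask masks both group- and other-write,
# i.e. it is 022 or stricter. The leading 0 keeps the value octal.
umask_ok() {
    [ "$(( (0$(umask) & 022) == 022 ))" -eq 1 ]
}

# Report all findings for DIR (default /var/adm/sw/save) and return
# their count, so 0 means compliant. Ownership (expected root:sys)
# is visible in the ls -ld line printed for a failing top directory.
audit_sw_save() {
    dir=${1:-/var/adm/sw/save}
    n=0
    if ! top_mode_ok "$dir"; then
        echo "top directory not mode 500: $(ls -ld "$dir")"
        n=$((n + 1))
    fi
    world_writable_under "$dir" | sed 's/^/world-writable: /'
    n=$((n + $(world_writable_under "$dir" | wc -l)))
    if ! umask_ok; then
        echo "umask is $(umask), expected 022"
        n=$((n + 1))
    fi
    return "$n"
}
```

Run it as root against the real save area (`audit_sw_save`), or point it at any directory to test; a non-zero exit status is the number of findings.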
Marco Santerre
Honored Contributor

Re: /var/adm/sw/save world writable???

Thanks for all the info.

I don't plan to toy very much with it, but in order for our SOX compliance to go through and help us out, we have a tool that we use, and it found that a lot of the OVO patches have world-writable directories under their saved patch, and the software does pick it up as a "hole" in our security.

My /var/adm/sw/save is also owned by root:sys at 500, and all other patches do come through as 755.
Cooperation is doing with a smile what you have to do anyhow.
A. Clay Stephenson
Acclaimed Contributor

Re: /var/adm/sw/save world writable???

Exactly what I was saying. This will require about a 5 sentence paragraph in your assessment to explain that it is important that the files under /var/adm/sw/save be left intact so that patch rollbacks restore files EXACTLY as they were.
If it ain't broke, I can fix that.
Marco Santerre
Honored Contributor

Re: /var/adm/sw/save world writable???

Thanks to all of you for helping me
Cooperation is doing with a smile what you have to do anyhow.
Robert Fritz
Regular Advisor

Re: /var/adm/sw/save world writable???

Note that HP-UX Bastille can help with world-writable directories and other lockdown steps (ref: the "secureable" comment earlier).
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin