I don't think there is any formal reason why the permissions are unsafe. In my security talks, I recommend that you never put a new system into service until a security check is done. /usr/local used to be correct (755) but was changed to 777 at 10.00 and still remains 777.
Here's a quicky checklist:
> find /usr/local -type d -print -exec chmod {} \;
> Scan the following directories looking for 666 and 777 files:
> find / /opt /var /home /usr /stand -xdev -perm 777 -type d
> find / /opt /var /home /usr /stand -xdev -perm 777 -type f
> find / /opt /var /home /usr /stand -xdev -perm 666-type f
> Change *ALL* mountpoints in /etc/fstab to nosuid except /usr and /opt and /.
> Edit /etc/profile and add:
> umask 022
> Edit root's .profile to add:
> umask 077 # (or umask 027)
> Move root's $HOME from / to /root (this is to secure against fat-fingered root users--of which, none of us are a part)
> Edit /etc/mail/alaises and add:
> hostmaster: root
> webmaster: root
> postmaster: root
> then change root to forward to a 'real' sysadmin account that will always be read:
> root: sysadmin@mycompany.com
> Make sure that this statement is at the top of /etc/profile:
> trap "" 1 2 3
> and make sure this statement is at the end:
> trap 123
> Turn off all read, write and execute permissions for all disk and LVM device files (ie, 600)
> make sure (on newer servers) that the Guardian Service Processor (GSP) has a password.
> make sure the server has the remote support modem passworded and disabled. Use AirGap Security(tm) on the modem if you aren't using Predictive. (AirGap Security = pull out the phone line) 8-]
(changes to /etc/profile should also be translated into /etc/csh.login)
---
Therte are a lot more but the above needs to be applied to every HP-UX box regardless of revision. For a more in depth discussion of HP-UX security, get a copy of the brand new book: "HP-UX 11i Security" by Chris Wong (at any major online bokstore)
Bill Hassell, sysadmin
