HPE Community
Operating System - Tru64 Unix
1829743 Members
1263 Online
109992 Solutions
New Discussion

Re: Is the Tru64 (4.0g) kernel tunable?

 
SOLVED
Go to solution
Linda Card
Frequent Advisor

‎08-20-2007 02:17 AM

‎08-20-2007 02:17 AM

Is the Tru64 (4.0g) kernel tunable?

I am in the middle of a security assessment and have 3 findings that I can't find in my pubs. I think this stuff is all kernel or network stuff that I don't want to mess up.

# 1 The executable stack is not disabled. The security book(not HP) tells me how to fix a Solaris or HP box; ie /etc/security (Sun) and kmtune -q executable stack.

#2 More random TCP sequence numbers are not used. Same book says ndd /dev/tcp tcp_isn_passphrase for HP

#3 Network parameters are not securely set.
Same book says: nd ndd /dev/tcp tcp_conn_req_max_q0

This box is so old but we need to get past this assessment before we can request an update.

Any help would be appreciated.
0 Kudos
2 REPLIES 2
Mark Poeschl_2
Honored Contributor

‎08-20-2007 03:27 AM

‎08-20-2007 03:27 AM

Re: Is the Tru64 (4.0g) kernel tunable?

For generic instructions on how to change Tru64 kernel parameters see the man pages for 'sysconfigtab' and 'sysconfigdb'. For individual parameter settings see the man pages for 'sys_attrs_*' (under section 5 of the man pages).

As to your individual questions:
1) It doesn't look like 4.0g lets you disable an executable stack via a tunable kernel parameter. 5.1B has a parameter called 'executable_stack' in the 'proc' subsystem which does what you want, but that parameter apparently doesn't exist in 4.0g.

2) That capability doesn't look familiar even for later versions of Tru64.

3) Looks like the equivalent parameter might be 'somaxconn' in the 'socket' subsystem. See the man page for sys_attrs_socket for details.
0 Kudos
Ann Majeske
Honored Contributor

‎08-20-2007 07:01 AM

‎08-20-2007 07:01 AM

Solution

Re: Is the Tru64 (4.0g) kernel tunable?

Many security related fixes were released for V4.0G while it was still supported, and the latest patch kit for V4.0G was supported up until June or July of this year. You don't say which patch kit you're running, but if you install the latest patch kit for V4.0G (PK 4/BL22) and install all of the ERPs (Early Release Patches) for V4.0G BL22, I think it's likely that you'd get the fixes for all 3 issues. You might have to look through all of the release notes to find out the proper configuration, though. See: http://www1.itrc.hp.com/service/patch/search.do?BC=main|&pageOsid=tru and select "V4.0G" and "Browse patch list" to get a list of all of the patch kits and ERP patches for V4.0G.

Ann
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.