Thursday, April 14, 2011

Hp-Ux Terminal Security Policies, Auditing and Security


Terminal Security Policies
Use this screen to set system policies for terminals. Policies apply to all terminals unless terminal-specific policies are set.
Unsuccessful Login Tries Allowed: 10 .
Delay Between Login Tries (sec.): 2 .
Login Timeout Value (sec.): 0 .
.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,.
[ OK ]   [ Cancel ]   [ Help ]
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,


* Network Information Service (NIS) is not supported on a trusted system.
System And Process Auditing
Now that the system has been converted to a trusted system and your security policies have been set. It’s time to turn on auditing.
/usr/sbin/sam
Select "Auditing and Security"
Select "Audited Events"
Select "Actions"
Select "Turn Auditing On"
Auditing and Security
File List View Options Actions Help .
. . Turn Auditing ON . .
.Auditing Turned: OFF . ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, . .
. . Set Audit Monitor and Log Parameters... . .
.,,,,,,,,,,,,,,,,,,,,,,,. View Audit Log... .,,,,,,,,,,,,.
.Audited Events . Unconvert the System . 18 selected.
.,,,,,,,,,,,,,,,,,,,,,,,. ======================================= .,,,,,,,,,,,,.
. Audit . (nothing selected) . .
. Event Type Success F,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,G .
.R,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,T .
.. admin Yes Yes acct, adjtime, audctl, audswitch, clock_ ^ .
.. close No No close, ksem_close, mq_close, munmap .
.. create No No creat, mkdir, mknod, msgget, pipe, semge .
.. delete No No ksem_unlink, mq_unlink, msgctl, rmdir, s .
.. ipcclose No No fdetach, shutdown .
.. ipccreat No No bind, socket, socket2, socketpair, socke .
.. ipcdgram No No .
.. ipcopen No No accept, connect, fattach .
.. login Yes Yes .
.. modaccess No No chdir, chroot, fchdir, link, lockf, lock v .
.F< >G .
F,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,G
.
Next you need to select which events you want to audit. At the very minimum you should audit admin - Logs all administrative and privileged events.
login - Logs all logins and logouts
modaccess - Logs all access modifications other than DAC
moddac - Logs all modifications of object’s discretionary access controls
Setup a cron job to collect system diagnostic messages.
  1. ____ /usr/bin/crontab –e
  2. ____ Insert the following 2 lines
# log kernel diagnostic messages every 10 minutes
05,15,25,35,45,55 * * * * /usr/sbin/dmesg - >>/var/adm/messages

Hp-UX Convert to a Trusted System


Convert to a Trusted System
HP-UX offers some additional security features such as, a more stringent authentication system, auditing, terminal access control and time-based access control. These are in addition to the normal Unix security mechanisms that are generally available. But to take advantage of these features the system must be converted to a trusted system.* If security is important, it is recommended this be done. To convert a system you would need to:
/usr/sbin/sam
Select "Auditing and Security"
Select "System Security Policy"
Select "YES"
R T
Confirmation
You need to convert to a Trusted System before proceeding. The 
conversion process does the following things:
1. Creates a protected database on the system for storing security information.  2. Moves user passwords in "/etc/passwd" to this database 
3. Replaces all password fields in "/etc/passwd" with "*"
For more details, refer to the "System Security" chapter of the .
"System Administration Tasks" manual. .
Do you want to convert to a Trusted System now?
.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,.
[ Yes ] [[No ]]
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
You will then see a message telling you that you’re converting to a trusted system...
Next you will receive a "Successfully converted to a trusted system" message. Press OK continue.
Time to setup your security policies. The following are recommendations only. Please curtail yours to fix your environment.

Hp-Ux Remaining Network Services


Remaining Network Services
If the machine is to be a DNS client then you’ll need to define the domain and it’s name server(s). You will have to configure which sources the resolver will use and in which order. You should configure so that the host file is checked first then DNS.
  1. ____ /usr/bin/touch /etc/resolv.conf
  2. ____ /usr/bin/echo "domain " > /etc/resolv.conf
  3. ____ /usr/bin/echo "nameserver " >> /etc/resolv.conf
  4. ____ /usr/bin/chown root:root /etc/resolv.conf
  5. ____ /usr/bin/chmod 644 /etc/resolv.conf
  6. ____ /usr/bin/cp /etc/nsswitch.files /etc/nsswitch.conf
  7. ____ /usr/bin/vi /etc/nsswitch.files 
    modify the hosts entry from hosts:files to hosts:files [NOTFOUND=continue] dns
  8. ____ /usr/bin/chown root:root /etc/nsswitch.conf
  9. ____ /usr/bin/chmod 644 /etc/nsswitch.conf

Hp-Ux File System Configuration


File System Configuration
Some file systems are static in nature and won’t change unless you’re doing some type of upgrade. Therefore to safeguard against unkown modifications to the files in these file systems and possible addition of trojan horses, it makes sense to mount these files systems read-only. (/usr and /opt are examples) You also want to ensure that setuid programs are not executed in a non-root file system. To do this these file systems must be mounted with the nosuid option. (/var and /home are examples). An example of a secure /etc/fstab can be found in Appendix C.
  1. ____ /usr/bin/vi /etc/fstab
  2. ____ Add ro option to /opt and /usr
  3. ____ Add nosuid to /stand, /var, /home
/usr/local by default has been configured with world-writeable permissions on all directories. Change this to a safer 755.
  1. ____ find /usr/local –type d –exec chmod 755 {} \;
Remove write group permissions for /etc/.
  1. ____ chmod –R g-w /etc

Hp-Ux Network Tuning


Network Tuning
Reconfigure various network parameters to reduce your vulnerability to smurf attacks, SYN floods and ARP spoofing attacks. A description of the listed network parameters can be found in Appendix B. You can usendd –h sup to list all supported network parameters. Use ndd –h unsup to list unsupported network parameters. HP recommends that you DO NOT make changes to unsupported parameters.
  1. ____/usr/bin/vi /etc/rc.config.d/nddconf
  2. ____ Add following entries:
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_send_redirects
NDD_VALUE[0]=0
TRANSPORT_NAME[1]=ip
NDD_NAME[1]=ip_ire_flush_interval
NDD_VALUE[1]=60000
TRANSPORT_NAME[2]=arp
NDD_NAME[2]=arp_cleanup_interval
NDD_VALUE[2]=60000
TRANSPORT_NAME[3]=ip
NDD_NAME[3]=ip_forward_directed_broadcast
NDD_VALUE[3]=0
TRANSPORT_NAME[4]=ip
NDD_NAME[4]=ip_forward_src_routed
NDD_VALUE[4]=0
TRANSPORT_NAME[5]=ip
NDD_NAME[5]=ip_forwarding
NDD_VALUE[5]=0
TRANSPORT_NAME[6]=tcp
NDD_NAME[6]=tcp_ip_abort_cinterval
NDD_VALUE[6]=60000
____ ndd –c for the changes to take effect

HP-UX Modification of the Boot Process


Modification of the Boot Process
Closely review the startup scripts and identify all unnecessary services. You will then want to stop these services from starting up by renaming the startup script file that can be found in /sbin/rc?.d. By renaming the link instead of deleting it, it will be easier if you have to invoke the process in the future. Please pay particular attention to insecure network services. You should be able to eliminate everything in /sbin/rc3.d.
  1. ____ Review /etc/rc.log to determine which processes are started on boot
  2. ____ Rename NFS-related links
/usr/bin/mv /sbin/rc2.d/S400nfs.core /sbin/rc2.d/.NOS400nfs.core
/usr/bin/mv /sbin/rc2.d/S430nfs.client /sbin/rc2.d/.NOS430fns.client
/usr/bin/mv /sbin/rc3.d/S100nfs.server /sbin/rc3.d/.NOS100nfs.server
  1. ____ Rename RPC link
/usr/bin/mv /sbin/rc2.d/S590Rpcd /sbin/rc2.d/.NOS290Rpcd
  1. ____ Rename Sendmail links
/usr/bin/mv /sbin/rc2.d/S540sendmail /sbin/rc2.d/.NOS540sendmail
  1. ____ If this is machine not going to be a DNS server, rename DNS link
/usr/bin/mv /sbin/rc2.d/S370named /sbin/rc2d/.NOS370named
  1. ____ Rename everything in /sbin/rc3.d
/usr/bin/cd /sbin/rc3.d
for file in S*
do
mv $file .NO$file
done
Create a script to ensure that the startup scripts run with a proper umask [14]
  1. ____ /usr/bin/echo ‘umask 022’ > /sbin/init.d/umask.sh
  2. ____ /usr/bin/chmod 744 /sbin/init.d/umask.sh
  3. ____ Add umask.sh to startup script directories by running the following script
/usr/bin/umask 022
for d in /sbin/rc?.d
do
/usr/bin/ln –s /sbin/init.d/umask.sh $d/S000umask.sh
done
Inetd is the internet daemon that controls access to network services that are started on an as needed basis. Many of the services are considered unsafe. Therefore it is very important to review these services and disable ones that are not absolutely necessary. The Berkley "r" programs have a long history of abuse so make sure that shell and login services are disable. You may also want to consider disabling bootps, exec, ntalk, echo and charge. In fact the ideal situation would be not to run inetd at all. (If inetd is not running you will not have remote access to the machine, until ssh is installed and configured)
  1. ____ Disable inetd – Preferred method
/usr/bin/mv /sbin/rc2.d/S500inetd /sbin/rc2d/.NOS500inetd
/usr/bin/rm /etc/inetd.conf
  1. ____ inetd enabled – but with all unnecessary disabled
/usr/bin/vi /etc/inetd.conf
comment out (place # at the beginning of a line) all unnecessary services
/usr/bin/kill –HUP inetd

HP-UX Patches Installation


HP-UX Patches Installation
To track down know HP software vulnerabilities and solutions, use the HP Security Archive on the IT Resource Center Web site. Each bulletin contains a description of the problem, which versions of the Operating System are affected and the solution. To access this information go to:
Search Technical Knowledge Base
Security Bulletin Archive
You can also subscribe to HP’s Security Bulletin Digest. You will receive an email update of new vulnerabilities as they are identified. To sign up for this go to:
more…
support information digests

Helping  Other  People  Excel

Updating Applications


Updating Applications 
After installing HP-UX 11.0, install other needed applications
  1. ____Use swinstall to install new software that was not included as part of the basic OS installation. The latest versions of HP-UX software products are provided on the HP-UX Applications CDs. To find the contents of each CD, mount any HP-UX Applications CD and view the TOC file.
  2. ____ After installing the software, complete any post-install configuration. This will be explained in the software’s release notes or manual. Most documentation for HP-UX applications are either on the HP-UX Instant Information CD or on HP's documentation Web site: docs.hp.com/hpux/os/11.0/
Helping  Other  People  Excel

HP-UX Minimal OS Installation


HP-UX Minimal OS Installation
To cold-install HP-UX 11.0, you must have the following:
A supported HP 9000 server or workstation (see Appendix A)
64 MB memory, minimum
128 MB swap space, minimum 
2GB root disk volume, minimum
You will need the following CD’s ready:
HP-UX 11.0 Install/Update/Recovery CD, March 2001 or later. 
Core OS Options CD (for technical servers and workstations).
 
Support Plus CD, March 2001 or later (for hardware/critical patch bundle, diagnostics and iCOD product), is needed.
HP-UX 11.0 Application Software CDs
  1. ____ Make sure all peripherals are turned on.
  2. ____ Turn on the server or recycle the power.
  3. ____ Load the Install and Core OS CDROM into the CD-ROM driver.
  4. ____ Interrupt the autoboot process, by pressing any key during the 10 second interval that is given. This is so the system can be booted from the Core OS CDROM.
  5. ____ Once autoboot was been interrupted you should now see the autoboot menu.
  6. ____ Boot from the device that contains the Core OS CDROM. Usually the alternative boot path is the CDROM drive. 
    But to verify that you can type
     search and view all defined boot devices. 
    bo alt
     OR bo
  7. ____ You should now be asked: Interact with IPL (Y or N) ?> Type n.
  8. ____ The install kernel will take 3-5 minutes to install.
  9. ____When that has completed a screen will appear asking for the keyboard language of the console. Respond with the correct number and press ENTER.
  10. ____ The Welcome to Ignite-UX screen will be displayed.
  11. ____ Tab to Install HP-UX field and press Enter.
  12. ____ From the User Interface and Media Options screen, verify that these choices are selected: 
    Source Location Options: Media-only installation – installing from the local CD drive.
    User Interface Options:
     Guided Installation – provides an install wizard with limited choices.
  13. ____Now proceed through each screen to configure your system: 
    Basic Configuration: Commercial Servers – this will install HP-UX 11.0 Core OS software, required ACE patches, general recommended core (XSWGR1100), latest hardware-enablement and critical (HWCR) patches, diagnostic products and COD Client Product for HP-UX 11.0 
    Software Selection: Select needed mass-storage and networking I/O driver products.
    Languages: Click the Languages button to view CDE-languages bundles to be loaded.
     Global is set by default when installing on workstations, resulting in all available CDE-language bundles being installed. Global (Non-CDE) is set when installing on servers to indicate that a generic, CDE-language bundle will be installed.
  14. ____ Review any messages that Ignite-UX encountered. Resolve any errors before continuing with the installation.
  15. ____ Select: Finish
  16. ____ The system will now configure the disk(s) and load a minimum set of commands and libraries. Software Distributor will  download all the products and patches from the CD.
  17. ____ As prompted, replace the HP-UX 11.0 Install/Update/Recovery CD with the requested CD from the media box.
  18. ____ The system will automatically reboot after all software has been loaded.
  19. ____ Set_parms will run and asked you to set
root password
date,
time,
time zone,
IP address
other network parameters.

Helping  Other  People  Excel