Thursday, April 14, 2011

APPENDIX A – HP-UX 11.0 Supported Systems


APPENDIX A – HP-UX 11.0 Supported Systems
Model
32-bit
64-bit
Workstations:


Series 700: 712, 715/64/80/100/100XC, 725/100
X

B132L, B132L+, B160L, B180L
X

B1000, B2000

X
C100, C110, C160L
X

C160, C180, C180XP, C200, C240, C360
X
X
C3000, C3600

X
J200, J210, J210XC
X

J280, J282, J2240
X
X
J5000, J5600, J6000, J7000

X
Servers:


A180, A180C
X

A400, A5xx

X
Dx10, Dx20, Dx30, Dx50, Dx60
X

Dx70, Dx80, Dx90
X
X
E, F, G, H, I (all)
X

Kx00, Kx10, Kx20
X

Kx50, Kx60, Kx70, Kx80
X
X
L1000, L2000, L3000

X
N4000/360, N4000/440, N4000/550

X
R380, R390
X
X
T500, T520
X

T6xx
X
X
V22xx, V2500, V2600

X
Enterprise Parallel Servers: EPS22, EPS23, EPS40
X
X

Hp-Ux Backups

Backups
Create a Golden Image – use make_tape_recovery to create a bootable system recovery tape for an LVM or whole disk system while it is up and running. When a system has a logical volume layout, the recovery tape will only include data from the root volume group, plus data from any Non-root volume group containing /usr. Data not in the root volume group must be backed up and recovered using normal backup utilities. This golden image can be used to restore a non-bootable system with little or not user intervention, restore a system in the event of a hardware failure, clone software from one system to another.
Make_recovery is part of the Ignite-UX product. It can be downloaded from www.software.hp.com/products/IUX/download.html. More detailed installation instructions can be found atwww.software.hp.com/products/IUX/install_instructions.html.
Installing Ignite-UX
  1. ____ Downloaded software from www.software.hp.com/products/IUX/download.html
  2. ____ Copy ignite11_11.00.tar to /tmp
  3. ____ /usr/bin/bdf – Make sure you have at least 50 mb of free space in /opt
  4. ____ /usr/sbin/swinstall -s /conv/tara/ignite11_11_00.tar \*
Create a golden image
  1. ____/opt/ignite/bin/make_tape_recovery -AvC -d /dev/rmt/0m
Physical Security
It is extremely important that a unix server be placed in a secure environment. It is a fact that anyone who has physical access to the machine can fairly easily gain root access.
  1. ____ The server should be installed in a locked environmentally controlled data center with restricted access to the server.
  2. ____ If possible the data center should have cameras installed to monitor all activity.
  3. ____ The keyboard should be situated away from any cameras, windows or prying eyes.
  4. ____ The system should be attached to a UPS with monitoring software that will shutdown the server when power to the UPS has been interrupted.
  5. ____ Backup tapes should be kept in a secure environment.

Hp-Ux LSOF software


LSOF
This utility is used to list files, sockets, etc opened by processes. It also gives a large amount of other related information that can select by process ID, username or filename.
  1. ____ Download 32 bit version of the software from HP-UX Software porting site,http://hpux.connect.org.uk/hppd/hpux/Sysadmin/lsof-4.55/
  2. ____ /usr/contrib/bin/gunzip lsof-4.51-sd-11.00.depot.gz
  3. ____ /usr/sbin/swinstall -s lsof-4.51-sd-11.00.depot \*
  1. ____ The 64 bit version binaries can be found atftp://vic.cc.purdue.edu/pub/tools/unix/lsof/binaries/hpux/B.11.00/64/9000_800/
  2. ____ /usr/contrib/bin/gunzip lsof_4.55.gz
  3. ____ /usr/bin/mv lsof_455 to /opt/lsof/bin

Hp-Ux Configuration of TCP-WRAPPERS and OPENSSH


Configuration of TCP-WRAPPERS and OPENSSH
  1. ____ for file in /etc/hosts.allow /etc/hosts.deny
do
/bin/touch $file
/bin/chown root:root &file
/bin/chmod 600 $file
done
  1. ____ /usr//bin/echo ‘ALL: , , … ‘> /etc/hosts.allow
replace net1, net2 with the IP addresses of machines that you want to grant access to
  1. ____ /usr/bin/echo ‘ALL:ALL: /usr/bin/mailx –s "%s:connection attempt from %a" ’ > /etc/hosts.deny
replace with email address of administrator
  1. ____ /usr/bin/cp /opt/openssh/etc/sshd_config /etc/rc.config.d/sshd_config
  2. ____ Modify /etc/rc.config.d/sshd_config [14]
Port 22
Protocol 2,1
ListenAddress 0.0.0.0
PidFile /opt/openssh2/etc/sshd.pid
HostKey /opt/openssh2/etc/ssh_host_key
HostDSAKey /opt/openssh2/etc/ssh_host_dsa_key
ServerKeyBits 1024
LoginGraceTime 180
KeyRegenerationInterval 900
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
PrintMotd no
KeepAlive no
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
CheckMail nos
UseLogin no
  1. ____ /usr/bin/chown root:root /etc/rc.config.d/sshd_config
  2. ____ /usr/bin/chmod 600 /etc/rc.config.d/sshd_config
  3. ____ Generate server key files
____ /opt/openssh2/bin/ssh-keygen –b 1024 –N ‘’ –f /opt/openssh2/etc/ssh_host_key
____ /opt/openssh2/bin/ssh-keygen –d –N ‘’ –f /opt/openssh2/etc/ssh_host_dsa_key
  1. ____ create sshd startup script (See Appendix D for an example)
  2. ____ move script to /sbin/init.d/sshd
  3. ____/usr/bin/chown root:sys /sbin/init.d/sshd
  4. ____/usr/bin/chmod 744 /sbin/init.d/sshd
  5. ____ /usr/binln –s /sbin/init.d/sshd /sbin/rc2.d/S75sshd
  6. ____ /sbin/init.d/sshd start
  7. ____ /usr/sbin/vi /etc/inetd.conf*
  8. ____ modify ftp daemon to include tcp_wrappers*
ftp stream tcp nowait root /usr/local/sbin/tcpd /usr/lbin/ftpd ftpd -l -umask 022
  1. ____ modify telnet daemon to include tcp_wrappers*
telnet stream tcp nowait root /usr/local/sbin/tcpd /usr/lbin/telnetd telnetd -b /etc/issue
* If this system has been configured not to run inetd then you can disregard these steps.

Hp-Ux Installation of TCP_WRAPPERS, Perl, ZLIB and OpenSSH


Installation of TCP_WRAPPERS
  1. ____ Download from ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
  2. ____ /usr/contrib/bin/gzip -dc tcp_wrappers_7.6.tar.gz | tar xvf –
  3. ____ /usr/bin/cd tcp_wrappers_7.6
  4. ____ /usr/bin/chmod 644 Makefile
  5. ____ /usr/bin/vi Makefile
  6. ____ uncomment the REAL_DAEMON_DIR line that refers to HP-UX
REAL_DAEMON_DIR=/etc
  1. ____ Change FACILITY=LOG_MAIL to FACILITY=LOG_AUTH
  2. ____ Add –DUSE_GETDOMAIN to the BUGS macro definition if not running NIS
  3. ____ Make hp-ux
  4. ____ /usr/bin/mkdir –p –m 755 /usr/local/sbin
  5. ____ /usr/bin/mkdir –p –m 755 /usr/local/include
  6. ____ /usr/bin/mkdir –p –m 755 /usr/local/lib
  7. ____ for file in safe_finger tcpd tcpdchk tcpdmatch try-from
do
cp $file /usr/local/sbin/$file
chmod 555 /usr/local/sbin/$file
chown root:daemon /usr/local/sbin/$file
done
  1. ____ /usr/bin/cp tcpd.h /usr/local/include/tcpd.h
  2. ____ /usr/bin/chmod 444 /usr/local/include/tcpd.h
  3. ____ /usr/bin/chown root:daemon /usr/local/include/tcpd.h
  4. ____ /usr/bin/cp libwrap.a /usr/local/lib/libwrap.a
  5. ____ /usr/bin/chmod 555 /usr/local/lib/libwrap.a
  6. ____ /usr/bin/chown root:daemon /usr/local/lib/libwrap.a
Installation of Perl
  1. ____ Download software HP-UX software porting site 
    http://hpux.connect.org.uk/hppd/hpux/Languages/perl-5.6.0/
  2. ____ /usr/contrib/bin/gunzip gunzip perl-5.6.0-sd-11.00.depot.gz
  3. ____ /usr/sbin/swinstall -s perl-5.6.0-sd-11.00.depot \*
Installation of ZLIB
  1. ____ Download source from http://hpux.connect.org.uk/hppd/hpux/Misc/zlib-1.1.3/
  2. ____ /usr/contrib/bin/gunzip zlib-1.1.3-sd-11.00.depot.gz
  3. ____ /usr/sbin/swinstall -s /conv/tara/zlib-1.1.3-sd-11.00.depot \*
Installation of OPENSSL
Installation of OPENSSL needs Perl v5 installed on server.
  1. ____ Download software from http://hpux.connect.org.uk/hppd/hpux/Languages/openssl-0.9.6/
  2. ____ /usr/contrib/bin/gunzip openssl-0.9.6-sd-11.00.depot.gz
  3. ____ /usr/sbin/swinstall -s /conv/tara/openssl-0.9.6-sd-11.00.depot \*
Installation of OPENSSH
Telnet, rlogin, ftp, and other related programs send a user’s password across the Internet unencrypted. Openssh solves this problem by invoking a secure encrypted connection between two untrusted hosts over an insecure network. Openssh is used in place of rlogin and rsh.
  1. ____ Download software from 
    http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/openssh-2.5.1p1/
  2. ____ /usr/contrib/bin/gunzip openssh-2.5.1p1-sd-11.00.depot.gz
  3. ____ /usr/sbin/swinstall -s /conv/tara/openssh-2.5.1p1-sd-11.00.depot \*