|
HP-UX 11.0 Installation Checklist
Della Schmidt
April 6, 2001
This document is to be used as a guide to help create a secure HP-UX 11.0 Internet ready server. Since this is to be a secure install it is advisable that the server remain off the network/internet until it has been completely configured. You will need to have some way to transfer files so the system will need either a tape drive or a cdrom physically attached. It is also advisable not to have a C compiler installed on the system. (While this won’t stop a determined hacker it will make it just a little bit harder for them.) Since the machine will not have a compiler you will need to do the compiles on a different machine and transfer the binaries between them.
HP-UX Minimal OS Installation
To cold-install HP-UX 11.0, you must have the following:
A supported HP 9000 server or workstation (see Appendix A)
64 MB memory, minimum
128 MB swap space, minimum
2GB root disk volume, minimum
You will need the following CD’s ready:
HP-UX 11.0 Install/Update/Recovery CD, March 2001 or later.
Core OS Options CD (for technical servers and workstations).
Support Plus CD, March 2001 or later (for hardware/critical patch bundle, diagnostics and iCOD product), is needed.HP-UX 11.0 Application Software CDs
- ____ Make sure all peripherals are turned on.
- ____ Turn on the server or recycle the power.
- ____ Load the Install and Core OS CDROM into the CD-ROM driver.
- ____ Interrupt the autoboot process, by pressing any key during the 10 second interval that is given. This is so the system can be booted from the Core OS CDROM.
- ____ Once autoboot was been interrupted you should now see the autoboot menu.
- ____ Boot from the device that contains
the Core OS CDROM. Usually the alternative boot path is the CDROM drive.
But to verify that you can type search and view all defined boot devices.
bo alt OR bo <device path> - ____ You should now be asked: Interact with IPL (Y or N) ?> Type n.
- ____ The install kernel will take 3-5 minutes to install.
- ____When that has completed a screen will appear asking for the keyboard language of the console. Respond with the correct number and press ENTER.
- ____ The Welcome to Ignite-UX screen will be displayed.
- ____ Tab to Install HP-UX field and press Enter.
- ____ From the User Interface and Media
Options screen, verify that these choices are selected:
Source Location Options: Media-only installation – installing from the local CD drive.
User Interface Options: Guided Installation – provides an install wizard with limited choices. - ____Now proceed through each screen to
configure your system:
Basic Configuration: Commercial Servers – this will install HP-UX 11.0 Core OS software, required ACE patches, general recommended core (XSWGR1100), latest hardware-enablement and critical (HWCR) patches, diagnostic products and COD Client Product for HP-UX 11.0
Software Selection: Select needed mass-storage and networking I/O driver products.
Languages: Click the Languages button to view CDE-languages bundles to be loaded. Global is set by default when installing on workstations, resulting in all available CDE-language bundles being installed. Global (Non-CDE) is set when installing on servers to indicate that a generic, CDE-language bundle will be installed. - ____ Review any messages that Ignite-UX encountered. Resolve any errors before continuing with the installation.
- ____ Select: Finish
- ____ The system will now configure the disk(s) and load a minimum set of commands and libraries. Software Distributor will download all the products and patches from the CD.
- ____ As prompted, replace the HP-UX 11.0 Install/Update/Recovery CD with the requested CD from the media box.
- ____ The system will automatically reboot after all software has been loaded.
- ____ Set_parms will run and asked you to set
root password
date,
time,
time zone,
IP address
other network parameters.
Updating Applications
After installing HP-UX 11.0, install other needed applications
- ____Use swinstall to install new software that was not included as part of the basic OS installation. The latest versions of HP-UX software products are provided on the HP-UX Applications CDs. To find the contents of each CD, mount any HP-UX Applications CD and view the TOC file.
- ____ After installing the software, complete any post-install configuration. This will be explained in the software’s release notes or manual. Most documentation for HP-UX applications are either on the HP-UX Instant Information CD or on HP's documentation Web site: docs.hp.com/hpux/os/11.0/
HP-UX Patches Installation
To track down know HP software vulnerabilities and solutions, use the HP Security Archive on the IT Resource Center Web site. Each bulletin contains a description of the problem, which versions of the Operating System are affected and the solution. To access this information go to:
Search Technical Knowledge Base
Security Bulletin Archive
You can also subscribe to HP’s Security Bulletin Digest. You will receive an email update of new vulnerabilities as they are identified. To sign up for this go to:
more…
support information digests
Modification of the Boot Process
Closely review the startup scripts and identify all unnecessary services. You will then want to stop these services from starting up by renaming the startup script file that can be found in /sbin/rc?.d. By renaming the link instead of deleting it, it will be easier if you have to invoke the process in the future. Please pay particular attention to insecure network services. You should be able to eliminate everything in /sbin/rc3.d.
- ____ Review /etc/rc.log to determine which processes are started on boot
- ____ Rename NFS-related links
/usr/bin/mv /sbin/rc2.d/S400nfs.core /sbin/rc2.d/.NOS400nfs.core
/usr/bin/mv /sbin/rc2.d/S430nfs.client /sbin/rc2.d/.NOS430fns.client
/usr/bin/mv /sbin/rc3.d/S100nfs.server /sbin/rc3.d/.NOS100nfs.server
- ____ Rename RPC link
/usr/bin/mv /sbin/rc2.d/S590Rpcd /sbin/rc2.d/.NOS290Rpcd
- ____ Rename Sendmail links
/usr/bin/mv /sbin/rc2.d/S540sendmail /sbin/rc2.d/.NOS540sendmail
- ____ If this is machine not going to be a
DNS server, rename DNS link
/usr/bin/mv /sbin/rc2.d/S370named /sbin/rc2d/.NOS370named
- ____ Rename everything in /sbin/rc3.d
/usr/bin/cd /sbin/rc3.d
for file in S*
do
mv $file .NO$file
done
Create a script to ensure that the startup scripts run with a proper umask [14]
- ____ /usr/bin/echo ‘umask 022’ > /sbin/init.d/umask.sh
- ____ /usr/bin/chmod 744 /sbin/init.d/umask.sh
- ____ Add umask.sh to startup script directories by running the following script
/usr/bin/umask 022
for d in /sbin/rc?.d
do
/usr/bin/ln –s /sbin/init.d/umask.sh $d/S000umask.sh
done
Inetd is the internet daemon that controls access to network services that are started on an as needed basis. Many of the services are considered unsafe. Therefore it is very important to review these services and disable ones that are not absolutely necessary. The Berkley "r" programs have a long history of abuse so make sure that shell and login services are disable. You may also want to consider disabling bootps, exec, ntalk, echo and charge. In fact the ideal situation would be not to run inetd at all. (If inetd is not running you will not have remote access to the machine, until ssh is installed and configured)
- ____ Disable inetd – Preferred method
/usr/bin/mv /sbin/rc2.d/S500inetd /sbin/rc2d/.NOS500inetd
/usr/bin/rm /etc/inetd.conf
- ____ inetd enabled – but with all unnecessary disabled
/usr/bin/vi /etc/inetd.conf
comment out (place # at the beginning of a line) all unnecessary services
/usr/bin/kill –HUP inetd
Network Tuning
Reconfigure various network parameters to reduce your vulnerability to smurf attacks, SYN floods and ARP spoofing attacks. A description of the listed network parameters can be found in Appendix B. You can use ndd –h sup to list all supported network parameters. Use ndd –h unsup to list unsupported network parameters. HP recommends that you DO NOT make changes to unsupported parameters.
- ____/usr/bin/vi /etc/rc.config.d/nddconf
- ____ Add following entries:
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_send_redirects
NDD_VALUE[0]=0
TRANSPORT_NAME[1]=ip
NDD_NAME[1]=ip_ire_flush_interval
NDD_VALUE[1]=60000
TRANSPORT_NAME[2]=arp
NDD_NAME[2]=arp_cleanup_interval
NDD_VALUE[2]=60000
TRANSPORT_NAME[3]=ip
NDD_NAME[3]=ip_forward_directed_broadcast
NDD_VALUE[3]=0
TRANSPORT_NAME[4]=ip
NDD_NAME[4]=ip_forward_src_routed
NDD_VALUE[4]=0
TRANSPORT_NAME[5]=ip
NDD_NAME[5]=ip_forwarding
NDD_VALUE[5]=0
TRANSPORT_NAME[6]=tcp
NDD_NAME[6]=tcp_ip_abort_cinterval
NDD_VALUE[6]=60000
- ____ ndd –c for the changes to take effect
File System Configuration
Some file systems are static in nature and won’t change unless you’re doing some type of upgrade. Therefore to safeguard against unkown modifications to the files in these file systems and possible addition of trojan horses, it makes sense to mount these files systems read-only. (/usr and /opt are examples) You also want to ensure that setuid programs are not executed in a non-root file system. To do this these file systems must be mounted with the nosuid option. (/var and /home are examples). An example of a secure /etc/fstab can be found in Appendix C.
- ____ /usr/bin/vi /etc/fstab
- ____ Add ro option to /opt and /usr
- ____ Add nosuid to /stand, /var, /home
/usr/local by default has been configured with world-writeable permissions on all directories. Change this to a safer 755.
- ____ find /usr/local –type d –exec chmod 755 {} \;
Remove write group permissions for /etc/.
- ____ chmod –R g-w /etc
Remaining Network Services
If the machine is to be a DNS client then you’ll need to define the domain and it’s name server(s). You will have to configure which sources the resolver will use and in which order. You should configure so that the host file is checked first then DNS.
- ____ /usr/bin/touch /etc/resolv.conf
- ____ /usr/bin/echo "domain <domain name>" > /etc/resolv.conf
- ____ /usr/bin/echo "nameserver <ip address>" >> /etc/resolv.conf
- ____ /usr/bin/chown root:root /etc/resolv.conf
- ____ /usr/bin/chmod 644 /etc/resolv.conf
- ____ /usr/bin/cp /etc/nsswitch.files /etc/nsswitch.conf
- ____ /usr/bin/vi /etc/nsswitch.files
modify the hosts entry from hosts:files to hosts:files [NOTFOUND=continue] dns - ____ /usr/bin/chown root:root /etc/nsswitch.conf
- ____ /usr/bin/chmod 644 /etc/nsswitch.conf
Convert to a Trusted System
HP-UX offers some additional security features such as, a more stringent authentication system, auditing, terminal access control and time-based access control. These are in addition to the normal Unix security mechanisms that are generally available. But to take advantage of these features the system must be converted to a trusted system.* If security is important, it is recommended this be done. To convert a system you would need to:
/usr/sbin/sam
Select "Auditing and Security"
Select "System Security Policy"
Select "YES"
R T|
Confirmation |
| You need to convert to a Trusted
System before proceeding. The conversion process does the following things: 1. Creates a protected database on the
system for storing security information. 2. Moves user passwords
in "/etc/passwd" to this database For more details, refer to the "System Security" chapter of the . "System Administration Tasks" manual. . Do you want to convert to a Trusted System now? .,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,. [ Yes ] [[No ]] ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, |
You will then see a message telling you that you’re converting to a trusted system...
Next you will receive a "Successfully converted to a trusted system" message. Press OK continue.
Time to setup your security policies. The following are recommendations only. Please curtail yours to fix your environment.
|
Password Format Policies |
|
Use this screen to set system policies for
user accounts. Policies apply to all users unless user-specific
policies are set. .
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, If you choose more than one of the following options, users will choose which one of these options they prefer at login time. . . . . Password Selection Options: [ ] System Generates Pronounceable [ ] System Generates Character [ ] System Generates Letters Only [X] User Specifies . . . . User-Specified Password Attributes: [X] Use Restriction Rules [ ] Allow Null Passwords ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, Maximum Password Length: 8 . .,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,. [ OK ] [ Cancel ] [ Help ] . ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
|
Password Aging Policies |
|
Use this screen to set system password
aging policies. Policies apply to all users unless other user-specific
policies are set. .
Password Aging: [ Enabled ->] . Time Between Password Changes (days): 20 . Password Expiration Time (days): 90 . Password Expiration Warning Time (days): 14 . Password Life Time (days): 180 . .,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,. [ OK ] [ Cancel ] [ Help ] . ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
|
General User Account Policies |
|
Use this screen to set system policies for
user accounts. Policies apply to all users unless user-specific
policies are set. .
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, Lock Inactive Accounts: < > Enabled <*> Disabled ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, Unsuccessful Login Tries Allowed: 6 . [X] Require Login Upon Boot to Single-User State . .,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,. [ OK ] [ Cancel ] [ Help ] . ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
|
Terminal Security Policies |
|
Use this screen to set system policies for terminals. Policies apply to all terminals unless terminal-specific policies are set. Unsuccessful Login Tries Allowed: 10 . Delay Between Login Tries (sec.): 2 . Login Timeout Value (sec.): 0 . .,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,. [ OK ] [ Cancel ] [ Help ],,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
|
* Network Information Service (NIS) is not supported on a trusted system.
System And Process Auditing
Now that the system has been converted to a trusted system and your security policies have been set. It’s time to turn on auditing.
/usr/sbin/sam
Select "Auditing and Security"
Select "Audited Events"
Select "Actions"
Select "Turn Auditing On"
|
Auditing and Security |
| File List View
Options Actions Help . . . Turn Auditing ON . .. Auditing Turned: OFF . ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, . .. . Set Audit Monitor and Log Parameters... . ..,,,,,,,,,,,,,,,,,,,,,,,. View Audit Log... .,,,,,,,,,,,,.. Audited Events . Unconvert the System . 18 selected..,,,,,,,,,,,,,,,,,,,,,,,. ======================================= .,,,,,,,,,,,,.. Audit . (nothing selected) . .. Event Type Success F,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,G ..R,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,T . .. admin Yes Yes acct, adjtime, audctl, audswitch, clock_ ^ . .. close No No close, ksem_close, mq_close, munmap . .. create No No creat, mkdir, mknod, msgget, pipe, semge . .. delete No No ksem_unlink, mq_unlink, msgctl, rmdir, s . .. ipcclose No No fdetach, shutdown . .. ipccreat No No bind, socket, socket2, socketpair, socke . .. ipcdgram No No . .. ipcopen No No accept, connect, fattach . .. login Yes Yes . .. modaccess No No chdir, chroot, fchdir, link, lockf, lock v . .F < >G .F,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,G |
.
Next you need to select which events you want to audit. At the very minimum you should audit admin - Logs all administrative and privileged events.
login - Logs all logins and logouts
modaccess - Logs all access modifications other than DAC
moddac - Logs all modifications of object’s discretionary access controls
Setup a cron job to collect system diagnostic messages.
- ____ /usr/bin/crontab –e
- ____ Insert the following 2 lines
# log kernel diagnostic messages every 10 minutes
05,15,25,35,45,55 * * * * /usr/sbin/dmesg - >>/var/adm/messages
User Access Control
Tight controls must be maintained on user’s accounts. You should only have accounts on a system that are necessary for the applications that are running.
Restrict root login to just the console. User must use su to login as root.
- ____ /usr/bin/touch /etc/securetty
- ____ /usr/bin/echo console > /etc/securetty
- ____ /usr/bin/chmod 400 /etc/securetty
Enable password history and password reuse. On a trusted systems, the system administrator can enable the password history feature to discourage users from reusing previous passwords
- ____ /usr/bin/touch /etc/default/security
- ____ /usr/bin/echo "PASSWORD_HISTORY_DEPTH=10" > /etc/default/security
- ____ /usr/bin/chown bin:bin /etc/default/security
- ____ /usr/bin/chmod 444 /etc/default/security
Lock all "pseudo-accounts", including uucp, lp, nnucp, sys, hpdb and www. These are logins that are not associated with individual users and do not have true interactive shells. They are in the password file because they are owners of files.
- ____ /usr/bin/vi /etc/passwd and change the default shell to /dev/null
- ____ Lock accounts using /usr/bin/passwd –l <login>
- ____ Remove any files in /var/spool/cron/crontabs except for root
- ____ Remove any files in /var/spool/cron/atjobs except for root
Ensure that root is the only login that has access to run crontab and at commands
- ____ /usr/bin/echo root > /var/admin/cron/cron.allow
- ____ /usr/bin/echo root > /var/adm/cron/at.allow
- ____ /usr/bin/chmod 400 /var/adm/cron/cron.allow
- ____ /usr/bin/chmod 400 /var/adm/cron/at.allow
- ____ /usr/bin/rm /var/adm/cron/cron.deny
- ____ /usr/bin/rm /var/adm/cron/at.deny
Restrict ftp access. At a minimum all logins with uid < 100 should not be able to ftp. Also add any other logins that do not need to ftp to /etc/ftpd/ftpusers.
- ____ /usr/bin/touch /etc/ftpd/ftpusers
- ____ /usr/bin/chown root:root /etc/ftpd/ftpusers
- ____ /usr/binchmod 600 /etc/ftpd/ftpusers
- ____ Add administrative logins to /etc/ftpd/ftpusers
for names in root, daemon, bin, sys and adm
do
echo $names >> /etc/ftpd/ftpusers
done
Check for /etc/hosts.equiv, ~/.netrc and ~/.rhost files. The existence of these files can allow selected users to be granted password-free access to a system. There shouldn’t be any of these files on your system. But if you have a need for them, check that they are not world-writeable and that there is no + in them. A + means the system will trust all other systems. You can use the following command to search for these files. You should run this command periodically and review the output.
- ____ /usr/bin/find / \( -name .rhosts –o –name .netrc –o -name hosts.equiv \) -exec ls -ldb {} \; -exec more {} \;
If you are still running inetd and are allowing ftp access you will want to log ftp access to /var/adm/syslog/syslog.log and change the default umask to 022.
- ____/usr/bin/vi /etc/inetd.conf
- ____ Add –l and –umask –22 to ftpd
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -umask 022
Add umask 022 and TMOUT to /etc/profile. Umask 022 will restrict file permissions. TMOUT will limit how long a session can set idle. But remember these can be easily overwritten in ~/.profile.
- ____ /usr/bin/vi /etc/profile
- ____ insert umask 022
- ____ insert TMOUT=1800 (TMOUT is in seconds)
Statutory Warnings
Add a warning message that machine is for authorized use only and that all activity is subject to monitoring. It is believed that having such a warning, could aid in the prosecution of any computer crimes involving that machine. You should however, consult with legal counsel about the wording of the message. The following is an example of one such message.
This system is the property of the Company ABC. All activities on this system are subject to monitoring for illegal or unauthorized activity.
Anyone using this system expressly consents to such monitoring and is advised that if monitoring reveals possible improper or criminal activity, system personnel may provide the evidence of such monitoring to authorities.
telnet stream tcp nowait root /usr/lbin/telnetd telnetd -b /etc/issue
* This is assuming you’re running inetd. If not, disregard this step.
Sendmail
Sendmail is very often a security risk. Therefore it is very important that you be running the newest version or at least a fully patched version. Also since most machines only need to send out mail to a relay host, many of sendmail functionalities can be disabled. You can download the latest version of sendmail for http://www.sendmail.org.
- ____ replace the existing /etc/mail/sendmail.cf [14] with the following
# Minimal client sendmail.cf
### Define macros
# define the mail hub – Put hostname for local site here.
DRmailhost
# define version
V8
# my name for error messages
DnMAILER-DAEMON
# UNIX initial From header format
DlFrom $g $d
# delimiter (operator) characters (old $o macro)
Do.:%@!^/[]+
#From of the sender’s address
Dq<$g>
# queue directory
OQ/var/spool/mqueue
### Mailer Delivery Agents
#Mailer to forward mail to the hub machine
Mhub, P=[IPC], S=0, R=0, F=mDFMuCX, A=IPC $h
#Sendmail requires these, but they are not used
Mlocal, P=/dev/null, F=rlsDFMmnuP, S=0, R=0,A=/dev/null
Mprog, P=/dev/null, F=lsDFMeuP, S=0, R=0 A=dev/null
### Rule sets
S0
R@S+ $ #error $: Missing user
R$+ $ #hub $@$R $:$1 forward to hub
S3
R$*<>$* $n handle <> error address
R$*<$$*>$* $2 basic RFC822 parsing
Since you have removed sendmail from the startup scripts you should schedule a cronjob to run sendmail every hour so any mail can be processed.
- ____ crontab -e
- ____ add the following lines
## run send mail once an hour
* 0 0 0 0 /usr/sbin/sendmail –q
Installation of TCP_WRAPPERS
- ____ Download from ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
- ____ /usr/contrib/bin/gzip -dc tcp_wrappers_7.6.tar.gz | tar xvf –
- ____ /usr/bin/cd tcp_wrappers_7.6
- ____ /usr/bin/chmod 644 Makefile
- ____ /usr/bin/vi Makefile
- ____ uncomment the REAL_DAEMON_DIR line that refers to HP-UX
- ____ Change FACILITY=LOG_MAIL to FACILITY=LOG_AUTH
- ____ Add –DUSE_GETDOMAIN to the BUGS macro definition if not running NIS
- ____ Make hp-ux
- ____ /usr/bin/mkdir –p –m 755 /usr/local/sbin
- ____ /usr/bin/mkdir –p –m 755 /usr/local/include
- ____ /usr/bin/mkdir –p –m 755 /usr/local/lib
- ____ for file in safe_finger tcpd tcpdchk tcpdmatch try-from
- ____ /usr/bin/cp tcpd.h /usr/local/include/tcpd.h
- ____ /usr/bin/chmod 444 /usr/local/include/tcpd.h
- ____ /usr/bin/chown root:daemon /usr/local/include/tcpd.h
- ____ /usr/bin/cp libwrap.a /usr/local/lib/libwrap.a
- ____ /usr/bin/chmod 555 /usr/local/lib/libwrap.a
- ____ /usr/bin/chown root:daemon /usr/local/lib/libwrap.a
REAL_DAEMON_DIR=/etc
do
cp $file /usr/local/sbin/$filechmod 555 /usr/local/sbin/$file
chown root:daemon /usr/local/sbin/$file
done
Installation of Perl
- ____ Download software HP-UX software
porting site
http://hpux.connect.org.uk/hppd/hpux/Languages/perl-5.6.0/ - ____ /usr/contrib/bin/gunzip gunzip perl-5.6.0-sd-11.00.depot.gz
- ____ /usr/sbin/swinstall -s perl-5.6.0-sd-11.00.depot \*
Installation of ZLIB
- ____ Download source from http://hpux.connect.org.uk/hppd/hpux/Misc/zlib-1.1.3/
- ____ /usr/contrib/bin/gunzip zlib-1.1.3-sd-11.00.depot.gz
- ____ /usr/sbin/swinstall -s /conv/tara/zlib-1.1.3-sd-11.00.depot \*
Installation of OPENSSL
Installation of OPENSSL needs Perl v5 installed on server.
- ____ Download software from http://hpux.connect.org.uk/hppd/hpux/Languages/openssl-0.9.6/
- ____ /usr/contrib/bin/gunzip openssl-0.9.6-sd-11.00.depot.gz
- ____ /usr/sbin/swinstall -s /conv/tara/openssl-0.9.6-sd-11.00.depot \*
Installation of OPENSSH
Telnet, rlogin, ftp, and other related programs send a user’s password across the Internet unencrypted. Openssh solves this problem by invoking a secure encrypted connection between two untrusted hosts over an insecure network. Openssh is used in place of rlogin and rsh.
- ____ Download software from
http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/openssh-2.5.1p1/ - ____ /usr/contrib/bin/gunzip openssh-2.5.1p1-sd-11.00.depot.gz
- ____ /usr/sbin/swinstall -s /conv/tara/openssh-2.5.1p1-sd-11.00.depot \*
Configuration of TCP-WRAPPERS and OPENSSH
- ____ for file in /etc/hosts.allow /etc/hosts.deny
do
/bin/touch $file
/bin/chown root:root &file
/bin/chmod 600 $file
done
- ____ /usr//bin/echo ‘ALL: <net1>, <net2>,
… ‘> /etc/hosts.allow
replace net1, net2 with the IP addresses of machines that you want to grant access to
- ____ /usr/bin/echo ‘ALL:ALL: /usr/bin/mailx
–s "%s:connection attempt from %a"<ADMIN EMAIL> ’ > /etc/hosts.deny
replace <ADMIN EMAIL> with email address of administrator
- ____ /usr/bin/cp /opt/openssh/etc/sshd_config /etc/rc.config.d/sshd_config
- ____ Modify /etc/rc.config.d/sshd_config
[14]
Port 22
Protocol 2,1
ListenAddress 0.0.0.0
PidFile /opt/openssh2/etc/sshd.pid
HostKey /opt/openssh2/etc/ssh_host_key
HostDSAKey /opt/openssh2/etc/ssh_host_dsa_key
ServerKeyBits 1024
LoginGraceTime 180
KeyRegenerationInterval 900
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
PrintMotd no
KeepAlive no
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
CheckMail nos
UseLogin no
- ____ /usr/bin/chown root:root /etc/rc.config.d/sshd_config
- ____ /usr/bin/chmod 600 /etc/rc.config.d/sshd_config
- ____ Generate server key files
____ /opt/openssh2/bin/ssh-keygen –b 1024 –N ‘’ –f /opt/openssh2/etc/ssh_host_key
____ /opt/openssh2/bin/ssh-keygen –d –N ‘’ –f /opt/openssh2/etc/ssh_host_dsa_key
- ____ create sshd startup script (See Appendix D for an example)
- ____ move script to /sbin/init.d/sshd
- ____/usr/bin/chown root:sys /sbin/init.d/sshd
- ____/usr/bin/chmod 744 /sbin/init.d/sshd
- ____ /usr/binln –s /sbin/init.d/sshd /sbin/rc2.d/S75sshd
- ____ /sbin/init.d/sshd start
- ____ /usr/sbin/vi /etc/inetd.conf*
- ____ modify ftp daemon to include
tcp_wrappers*
ftp stream tcp nowait root /usr/local/sbin/tcpd /usr/lbin/ftpd ftpd -l -umask 022
- ____ modify telnet daemon to include tcp_wrappers*
telnet stream tcp nowait root /usr/local/sbin/tcpd /usr/lbin/telnetd telnetd -b /etc/issue
* If this system has been configured not to run inetd then you can disregard these steps.
LSOF
This utility is used to list files, sockets, etc opened by processes. It also gives a large amount of other related information that can select by process ID, username or filename.
- ____ Download 32 bit version of the software from HP-UX Software porting site, http://hpux.connect.org.uk/hppd/hpux/Sysadmin/lsof-4.55/
- ____ /usr/contrib/bin/gunzip lsof-4.51-sd-11.00.depot.gz
- ____ /usr/sbin/swinstall -s lsof-4.51-sd-11.00.depot \*
- ____ The 64 bit version binaries can be found at ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/binaries/hpux/B.11.00/64/9000_800/
- ____ /usr/contrib/bin/gunzip lsof_4.55.gz
- ____ /usr/bin/mv lsof_455 to /opt/lsof/bin
Backups
Create a Golden Image – use make_tape_recovery to create a bootable system recovery tape for an LVM or whole disk system while it is up and running. When a system has a logical volume layout, the recovery tape will only include data from the root volume group, plus data from any Non-root volume group containing /usr. Data not in the root volume group must be backed up and recovered using normal backup utilities. This golden image can be used to restore a non-bootable system with little or not user intervention, restore a system in the event of a hardware failure, clone software from one system to another.
Make_recovery is part of the Ignite-UX product. It can be downloaded from www.software.hp.com/products/IUX/download.html. More detailed installation instructions can be found at www.software.hp.com/products/IUX/install_instructions.html.
Installing Ignite-UX
- ____ Downloaded software from www.software.hp.com/products/IUX/download.html
- ____ Copy ignite11_11.00.tar to /tmp
- ____ /usr/bin/bdf – Make sure you have at least 50 mb of free space in /opt
- ____ /usr/sbin/swinstall -s /conv/tara/ignite11_11_00.tar
\*
Create a golden image
- ____/opt/ignite/bin/make_tape_recovery -AvC -d /dev/rmt/0m
Physical Security
It is extremely important that a unix server be placed in a secure environment. It is a fact that anyone who has physical access to the machine can fairly easily gain root access.
- ____ The server should be installed in a locked environmentally controlled data center with restricted access to the server.
- ____ If possible the data center should have cameras installed to monitor all activity.
- ____ The keyboard should be situated away from any cameras, windows or prying eyes.
- ____ The system should be attached to a UPS with monitoring software that will shutdown the server when power to the UPS has been interrupted.
- ____ Backup tapes should be kept in a secure environment.
APPENDIX A – HP-UX 11.0 Supported Systems
|
Model |
32-bit |
64-bit |
|
Workstations: |
||
|
Series 700: 712, 715/64/80/100/100XC, 725/100 |
X |
|
|
B132L, B132L+, B160L, B180L |
X |
|
|
B1000, B2000 |
X |
|
|
C100, C110, C160L |
X |
|
|
C160, C180, C180XP, C200, C240, C360 |
X |
X |
|
C3000, C3600 |
X |
|
|
J200, J210, J210XC |
X |
|
|
J280, J282, J2240 |
X |
X |
|
J5000, J5600, J6000, J7000 |
X |
|
|
Servers: |
||
|
A180, A180C |
X |
|
|
A400, A5xx |
X |
|
|
Dx10, Dx20, Dx30, Dx50, Dx60 |
X |
|
|
Dx70, Dx80, Dx90 |
X |
X |
|
E, F, G, H, I (all) |
X |
|
|
Kx00, Kx10, Kx20 |
X |
|
|
Kx50, Kx60, Kx70, Kx80 |
X |
X |
|
L1000, L2000, L3000 |
X |
|
|
N4000/360, N4000/440, N4000/550 |
X |
|
|
R380, R390 |
X |
X |
|
T500, T520 |
X |
|
|
T6xx |
X |
X |
|
V22xx, V2500, V2600 |
X |
|
|
Enterprise Parallel Servers: EPS22, EPS23, EPS40 |
X |
X |
APPENDIX B – Network Parameters [5]
ip_send_redirects – causes the machine not to emit any ICMP redirect Packets. Under normal operation this probably won’t have significant security implications.
ip_ire_flush_interval and arp_cleanup_interval – control how long information will live in the system’s ARP cache. The ARP cache maintains a mapping between Ethernet addresses and IP address. The default values are 10 minutes (?????). Lowering these values can help prevent some ARP spoofing attacks but at the cost of more ARP traffic on your local LAN and possibly reduced performance. Think carefully before you change these variables.
ip_forward_directed_broadcast – caused the machine to not transmit packets which are destined for a broadcast network address. If the machine is being used as a gateway between several networks this can help you from being used as an intermediary network in a "smurf" type network attach. The machine will still respond to broadcast packets directed at any LAN it may be connected to.
ip_forward_src_routed – prevents the machine from forwading any packets that have the source routing option turned on.
ip_forwarding – turning off ip_forwarding prevents the machine from accepting and forwarding on packets that are not destined for one of it’s local interface addresses. Such a feature can be used by attackers to bypass other network security measures.
tcp_ip_abort_cinterval – this is how long the kernel will wait for a TCP connection to be completed (in milliseconds). Tuning this value down can also help your system resist SYN flooding attacks.
You can use the following commands to view various information concerning Network parameter.
ndd –h sup – display all the parameters that are supported by HP.
ndd –h unsup – display all the parameter that are not supported by HP. Becareful modifying these!
ndd –c - set tunable parameters
APPENDIX C – Example secure /etc/fstab
/dev/vg00/lvol3 / hfs defaults 0 1
/dev/vg00/lvol1 /stand hfs nosuid 0 1
/dev/vg00/lvol4 /tmp hfs defaults 0 2
/dev/vg00/lvol5 /home hfs nosuid 0 2
/dev/vg00/lvol6 /opt hfs ro 0 2
/dev/vg00/lvol7 /usr hfs ro 0 2
/dev/vg00/lvol8 /var hfs nosuid 0 2
APPENDIX D – Sample SSHD Startup Script
#!/sbin/sh
#
# start up secure shell deaemon - sshd
#
PATH=/usr/sbin:/usr/bin:/sbin
export PATH
rval=0
case $1 in
'start_msg')
echo "Starting the sshd"
;;
'stop_msg')
echo "Stopping the sshd"
;;
'start')
if [ -f /etc/rc.config.d/sshd_config ]
then
/opt/openssh2/sbin/sshd -f /etc/rc.config.d/sshd_config
else
echo "ERROR: /etc/rc.config.d defaults file MISSING"
fi
;;
'stop')
kill `cat /opt/openssh2/etc/sshd.pid`
;;
*)
echo "usage: $0 {start|stop|start_msg|stop_msg}"
rval=1
;;
esac
exit $rval
References:
- Poniatowski, Marty. HP-UX 10.x SYSTEM ADMINISTRATION "HOW TO" BOOK. Upper Saddle: Prentice Hall PTR, 1996. 1-383.
- Frisch, Aeleen. Essential System Administration Second Edition. Sebastopol: O’Reilly & Associates, Inc, December 1995. 1-758.
- Hassell, Bill and Totsch, David. "HP-UX SysAdmin Training Camp". HPWorld ’99 August 1999.
- Farrow, Rik. "HP-UX and Internet Security". HPWORLD ’98 August 1998.
- Brotzman, Lee and Pomeranz. Hal. "UNIX Practicum". SANS Institute February 2001.
- Pomeranz, Hal. "Common Issues and Vulnerabilities in UNIX Security". SANS Institute February 2001
- Bishop, Matt. "UNIX Security Tools and Their Uses". SANS Institute". SANS Institute Februray 2001.
- Netsysco Infrastructure Services. "Networking for System Administrators"
- HP-UX 11.0 Installation and Update Guide March 2001, HP Part Number: 5971-0642. http://www.docs.hp.com/hpux/onlinedocs/5971-0642/5971-0642.html
- Installing and Updating HP-UX 11.0
Additional Core Enhancements.
November 1999, HP Part Number: B3782-90785
http://www.docs.hp.com/hpux/onlinedocs/B3782-90785/B3782-90785.html - HP-UX System Administration Tasks , First Edition. January 1995, HP Part Number: B2355-90672
- Campione, Jeff. "Solaris 8 Installation Checklist", http://www.sans.org/y2k/practical/Jeff_Campione_GUCX.htm
- Rhoads, Jason. "HP-UX Security Guide", http://www.sabernet.net/papers/hp-ux10.html
- The SANS Institute. "Solaris Security Step by Step Version 2"
to top of page | to Unix Issues | to Reading Room Home
