
UNIX Security Checklist (HP-UX — the commands below follow the CIS HP-UX Benchmark; run them as root and re-verify after each patch cycle or reboot):

Patches
1 Patches: install the latest vendor patches (including the current security patch bundle) and keep following the vendor's security bulletins so new fixes are applied promptly.
Network Services
2 TCP wrappers: install TCP wrappers and configure /etc/hosts.allow and /etc/hosts.deny (deny by default) for whichever inetd services remain enabled after item 4.
3 SSH: install SSH and use it in place of the cleartext telnet/rlogin/rsh/ftp logins that items 4 and 35 remove.
4 Disable all the services normally enabled in the HP-UX inetd.conf file (comment out the entries and reload inetd), then re-enable only those with a documented business need.
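# 5. Disable login prompts on serial ports: comment out every active
#    (non-'#') inittab entry that runs a getty on a tty, then reset the
#    file's ownership and strip group/other write and set-id bits.
#    init only re-reads /etc/inittab on "init q" or at boot; without it
#    the gettys already running keep their ports until the next reboot.
cp -p /etc/inittab /etc/inittab.tmp
sed 's/^[^#].*getty.*tty.*$/#&/' \
    /etc/inittab.tmp > /etc/inittab
rm -f /etc/inittab.tmp
chown root:sys /etc/inittab
chmod go-w,ug-s /etc/inittab
init q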

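# 6. Disable inetd at boot once nothing in /etc/inetd.conf is enabled,
#    i.e. every line is blank or a comment. The rc start link is renamed
#    (not deleted) so it can be restored. "[[:space:]]" also covers
#    tab-indented lines, which a bare space in the class would miss.
#    Only the next boot is affected; a running inetd is not stopped here.
if ! grep -Evq '^[[:space:]]*(#|$)' /etc/inetd.conf; then
    mv -f /sbin/rc2.d/S500inetd /sbin/rc2.d/.NOS500inetd
fi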

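# 7. Disable NIS/NIS+ (both server and client roles) in the boot
#    configuration. Leave NIS_CLIENT=1 only if the host genuinely
#    resolves accounts through NIS.
ch_rc -a -p NIS_MASTER_SERVER=0 -p NIS_SLAVE_SERVER=0 \
      -p NIS_CLIENT=0 -p NISPLUS_SERVER=0 \
      -p NISPLUS_CLIENT=0 /etc/rc.config.d/namesvrs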

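# 8. Disable printer daemons: the X print servers (tps), the LP spooler
#    (lp) and the pd client (pd). Skip this on hosts that serve print
#    queues.
ch_rc -a -p XPRINTSERVERS="''" /etc/rc.config.d/tps
ch_rc -a -p LP=0 /etc/rc.config.d/lp
ch_rc -a -p PD_CLIENT=0 /etc/rc.config.d/pd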

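# 9. Disable the CDE GUI login (dtlogin) at boot, and strip group/other
#    write and the set-id bits from the listed CDE helper binaries
#    (not needed set-id once the desktop login is off -- verify on hosts
#    that still run CDE sessions). Only files that exist are touched.
ch_rc -a -p DESKTOP="" /etc/rc.config.d/desktop
for bin in /usr/dt/bin/dtaction /usr/dt/bin/dtappgather \
           /usr/dt/bin/dtprintinfo /usr/dt/bin/dtsession; do
    [ -f "$bin" ] && chmod go-w,ug-s "$bin"
done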

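# 10. Disable the listening sendmail daemon at boot but keep local mail
#     flowing: an hourly root cron job runs the queue instead. The new
#     crontab is piped straight into crontab (it reads stdin when given
#     no file), and any existing copy of the entry is dropped first so
#     re-running this step does not add duplicates. A sendmail daemon
#     that is already running is not stopped until the next boot.
ch_rc -a -p SENDMAIL_SERVER=0 /etc/rc.config.d/mailservs
{
    crontab -l 2>/dev/null | grep -Fv '/usr/lib/sendmail -q'
    echo '0 * * * * /usr/lib/sendmail -q'
} | crontab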
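# 11. Disable SNMP (step 1 of 2): rename the rc start links for the OSPF
#     MIB, opcagt and SNMP FDDI agents so they do not start at boot, and
#     turn off the HP-UNIX/master/MIB-2/trap-destination agents in their
#     boot configuration files. Step 2 (removing the OpenView packages)
#     is a manual swremove action. Absolute paths are used so a cd that
#     silently fails cannot leave mv renaming files in the wrong place.
for link in S565OspfMib S941opcagt S570SnmpFddi; do
    [ -e "/sbin/rc2.d/$link" ] && \
        mv -f "/sbin/rc2.d/$link" "/sbin/rc2.d/.NO$link"
done
ch_rc -a -p SNMP_HPUNIX_START=0 /etc/rc.config.d/SnmpHpunix
ch_rc -a -p SNMP_MASTER_START=0 /etc/rc.config.d/SnmpMaster
ch_rc -a -p SNMP_MIB2_START=0 /etc/rc.config.d/SnmpMib2
ch_rc -a -p SNMP_TRAPDEST_START=0 /etc/rc.config.d/SnmpTrpDst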
2. Remove any software packages related to HP OpenView (generally those whose product names begin with OV) with swremove, after confirming with swlist that nothing else on the host depends on them.

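# 12. Disable other standard boot services that a hardened server rarely
#     needs (SNA, mrouted/rwhod/DDFA/rbootd, DCE/DFS, rarpd/rdpd, the pty
#     and vt daemons, named, peer SNMP, i4lmd, the X font server, audio,
#     slsd, Samba/CIFS, NFS server and client, ns-ftrack, Apache) and
#     rename the nfs.core rc link. Re-enable individually whatever the
#     host's role requires (e.g. NFS_CLIENT for NFS mounts, NAMED on a
#     DNS server). Settings take effect at the next boot; running daemons
#     are not stopped here.
ch_rc -a -p START_SNAPLUS=0 -p START_SNANODE=0 \
      -p START_SNAINETD=0 /etc/rc.config.d/snaplus2
ch_rc -a -p MROUTED=0 -p RWHOD=0 -p DDFA=0 \
      -p START_RBOOTD=0 /etc/rc.config.d/netdaemons
ch_rc -a -p DCE_KRPC=0 -p DFS_CORE=0 -p DFS_CLIENT=0 \
      -p DFS_SERVER=0 -p DFS_EPISODE=0 -p EPIINIT=0 \
      -p DFSEXPORT=0 -p BOSSERVER=0 -p DFSBIND=0 \
      -p FXD=0 -p MEMCACHE=0 -p DFSGWD=0 \
      -p DISKCACHEFORDFS=0 /etc/rc.config.d/dfs
ch_rc -a -p RARPD=0 -p RDPD=0 /etc/rc.config.d/netconf
ch_rc -a -p PTYDAEMON_START=0 /etc/rc.config.d/ptydaemon
# (source: CIS HP-UX Benchmark, p. 18)
ch_rc -a -p VTDAEMON_START=0 /etc/rc.config.d/vt
ch_rc -a -p NAMED=0 /etc/rc.config.d/namesvrs
ch_rc -a -p PEER_SNMPD_START=0 /etc/rc.config.d/peer.snmpd
ch_rc -a -p START_I4LMD=0 /etc/rc.config.d/i4lmd
ch_rc -a -p RUN_X_FONT_SERVER=0 /etc/rc.config.d/xfs
ch_rc -a -p AUDIO_SERVER=0 /etc/rc.config.d/audio
ch_rc -a -p SLSD_DAEMON=0 /etc/rc.config.d/slsd
ch_rc -a -p RUN_SAMBA=0 /etc/rc.config.d/samba
ch_rc -a -p RUN_CIFSCLIENT=0 /etc/rc.config.d/cifsclient
ch_rc -a -p NFS_SERVER=0 -p NFS_CLIENT=0 /etc/rc.config.d/nfsconf
ch_rc -a -p NS_FTRACK=0 /etc/rc.config.d/ns-ftrack
ch_rc -a -p APACHE_START=0 /etc/rc.config.d/apacheconf
# nfs.core is presumably the RPC core that NFS and other RPC services
# depend on -- keep it if NFS_CLIENT stays enabled (verify).
[ -e /sbin/rc2.d/S400nfs.core ] && \
    mv -f /sbin/rc2.d/S400nfs.core /sbin/rc2.d/.NOS400nfs.core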

13 Disable NFS server processes — covered by item 12 (NFS_SERVER=0 in /etc/rc.config.d/nfsconf); keep NFS_CLIENT=1 only if the host mounts NFS file systems.
14 Disable Windows-compatible server processes — covered by item 12 (RUN_SAMBA=0 in /etc/rc.config.d/samba).
15 Disable Windows-compatible client processes — covered by item 12 (RUN_CIFSCLIENT=0 in /etc/rc.config.d/cifsclient).
16 Disable RPC-based services — covered by item 12 (the S400nfs.core rc link is renamed so the RPC core does not start); verify that no remaining service on the host needs RPC before doing this.
17 Disable web server — covered by item 12 (APACHE_START=0 in /etc/rc.config.d/apacheconf).
18 Disable BIND DNS server — covered by item 12 (NAMED=0 in /etc/rc.config.d/namesvrs); skip on hosts that are authoritative or caching name servers.
Kernel Tuning
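# 19. Enable stack protection: executable_stack=0 makes process stacks
#     non-executable system-wide, so classic stack-smashing payloads
#     cannot be executed from the stack. The tunable is set, a new kernel
#     is built and kmupdate schedules it, so the change applies after the
#     next reboot. Any binary that legitimately needs an executable stack
#     must be exempted individually (HP-UX has a per-binary chatr
#     override) -- verify before rolling this out to production.
/usr/sbin/kmtune -s executable_stack=0 && mk_kernel && kmupdate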
Network parameter modifications (ndd tunables; the TRANSPORT_NAME/NDD_NAME/NDD_VALUE entries below belong in the ndd boot configuration file — /etc/rc.config.d/nddconf on HP-UX 11, verify against ndd(1M) — with index numbers that do not collide with entries already present)
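# 20-27. ndd boot-time tunables. Each entry is a TRANSPORT_NAME/NDD_NAME/
#        NDD_VALUE triple sharing one index; indices must be unique within
#        the ndd boot configuration file (if it already has entries,
#        renumber these to follow them -- verify with ndd(1M)). Values are
#        read at boot; use "ndd -set" to apply the same settings now.

# 20. Increase the half-open (SYN_RCVD) connection queue so a SYN flood
#     must fill far more slots before legitimate connections are refused.
TRANSPORT_NAME[0]=tcp
NDD_NAME[0]=tcp_syn_rcvd_max
NDD_VALUE[0]=4096

# 21. Reduce the ARP cache timeout (value is in milliseconds on HP-UX --
#     verify) so stale or poisoned entries are flushed sooner.
TRANSPORT_NAME[1]=arp
NDD_NAME[1]=arp_cleanup_interval
NDD_VALUE[1]=6000

# 22. Drop source-routed packets instead of forwarding them.
TRANSPORT_NAME[2]=ip
NDD_NAME[2]=ip_forward_src_routed
NDD_VALUE[2]=0

# 23. Do not forward directed broadcasts (smurf-style amplification).
TRANSPORT_NAME[3]=ip
NDD_NAME[3]=ip_forward_directed_broadcasts
NDD_VALUE[3]=0

# 24. Do not answer unicast ICMP timestamp requests.
TRANSPORT_NAME[4]=ip
NDD_NAME[4]=ip_respond_to_timestamp
NDD_VALUE[4]=0

# 25. Do not answer broadcast ICMP timestamp requests.
TRANSPORT_NAME[5]=ip
NDD_NAME[5]=ip_respond_to_timestamp_broadcast
NDD_VALUE[5]=0

# 26. Do not answer broadcast ICMP address-mask requests.
TRANSPORT_NAME[6]=ip
NDD_NAME[6]=ip_respond_to_address_mask_broadcast
NDD_VALUE[6]=0

# 27. Do not answer broadcast ICMP echo requests.
TRANSPORT_NAME[7]=ip
NDD_NAME[7]=ip_respond_to_echo_broadcast
NDD_VALUE[7]=0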
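# 28. Use better (randomised) TCP initial sequence numbers by running
#     nettune from a boot script. The listing appended the command to
#     the rc script unconditionally (creating a file with no shebang and
#     duplicating the line on every run); this creates the script with a
#     shebang when missing and adds the line only once, so the step is
#     safe to re-run. nettune is the tool on the HP-UX releases this
#     checklist targets; on releases without it use the corresponding
#     ndd tunable -- verify.
script=/sbin/rc2.d/S339nettune
tune='/usr/contrib/bin/nettune -s tcp_random_seq 2'
[ -f "$script" ] || echo '#!/sbin/sh' > "$script"
grep -Fqx "$tune" "$script" || echo "$tune" >> "$script"
chown root:sys "$script"
chmod 555 "$script"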

File and directory permissions / access


# 29. /etc/passwd and /etc/group must be owned by root and be world-
#     readable but writable only by root (0644). The password hashes
#     themselves should not live in /etc/passwd (see item 34, trusted
#     mode).
for file in /etc/passwd /etc/group; do
    chown root:root "$file"
    chmod 644 "$file"
done
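# 30. Set the sticky bit on world-writable directories so users can only
#     delete or rename their own files there. Only directories that exist
#     on this host are touched (a missing path would otherwise make chmod
#     complain and, depending on the chmod, stop early).
for dir in /tmp /var/news /var/tmp /var/preserve \
           /var/spool/sockets /var/spool/sockets/ICE \
           /var/spool/sockets/X11 /var/spool/sockets/common \
           /var/X11/Xserver/logs /var/adm/diag \
           /var/opt/resmon/log /var/spool/uucppublic; do
    [ -d "$dir" ] && chmod +t "$dir"
done
# Cross-check for any other world-writable directory lacking the bit:
#   find / -type d -perm -0002 ! -perm -1000 -print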

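# 31. Strip the set-uid/set-gid bits from system executables that do not
#     need them. Only files present on this host are touched. Expect
#     functional side effects: e.g. a non-setuid /sbin/shutdown is usable
#     only by root, and wall can no longer write to terminals it does not
#     own -- confirm these are acceptable for the host's users.
for bin in /opt/audio/bin/Aserver \
           /opt/sharedprint/bin/pcltotiff /sbin/shutdown \
           /usr/bin/bdf /usr/bin/df /usr/bin/elm \
           /usr/bin/kermit /usr/lbin/expreserve \
           /usr/lbin/exrecover /usr/sbin/wall \
           /usr/contrib/bin/X11/xconsole; do
    [ -f "$bin" ] && chmod ug-s "$bin"
done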

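# 32. Ensure system files are not world-writable.
#     First, recursively clear the group/other write bits under the listed
#     trees (symlinks are skipped because chmod would follow them and
#     change the target instead). Then clear the bits on a list of
#     individual files. Paths that do not exist on this host are skipped.
#     Finally /dev/screen, which should not exist, is removed if it is an
#     (empty) directory.
#     NOTE(review): /var/spool/sockets/common and /var/spool/sockets/pwgr
#     are also given the sticky bit as world-writable directories in
#     item 30; removing world write here supersedes that -- confirm which
#     the host's X/ICE clients need.
for tree in /dev/vg01 /etc /opt/apache/logs /opt/langtools/newconfig \
            /opt/prm /stand/dlkm /stand/dlkm.vmunix.prev /usr/lbin \
            /usr/local /usr/newconfig/var/stm /var/spool/sockets/pwgr \
            /var/stm /usr/share/man; do
    [ -d "$tree" ] && find "$tree" ! -type l -exec chmod go-w {} ';'
done
for path in /SD_CDROM /cdrom /dev/mapfile /opt/graphics/OpenGL \
            /opt/ifor/ls/res/i4adminX.pdl /opt/pred/bin/PSERRLOG \
            /opt/pred/var /var/adm/streams /var/dt/Xerrors /var/dt/Xpid \
            /var/obam/translated /var/opt/PEX5 /var/opt/common \
            /var/opt/scr/tmp/scrdaemon.pid /var/opt/perf \
            /var/opt/sharedprint /var/opt/starbase /var/ppl /var/rbootd \
            /var/sam/lock /var/sam/log/samagent.log \
            /var/spool/lp/SCHEDLOCK /var/spool/rexd \
            /var/spool/sockets/common /var/spool/sockets/pwgr /var/vue; do
    [ -e "$path" ] && chmod go-w "$path"
done
if [ -d /dev/screen ]; then
    rmdir /dev/screen
fi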

# 33. Ensure the patch backup directory (/var/adm/sw/save, where the
#     pre-patch copies of replaced files are kept) is not accessible to
#     anyone but root: the saved copies would otherwise hand out the
#     unpatched binaries and any configuration they contain.
chmod g-rwx,o-rwx /var/adm/sw/save
System Access, Authentication and Authorization
34 Trusted Mode: convert the system to trusted mode (via SAM, Auditing and Security), which moves the password hashes out of the world-readable /etc/passwd and enables the per-account password and lockout policies set with modprpw/modprdef in items 42, 47 and 49 — those commands require a trusted system.
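# 35. Create the ftpusers file so the listed system accounts can never
#     log in over FTP. The file lives in /etc on HP-UX 10.x and in
#     /etc/ftpd on later releases. Names are appended and the file is then
#     de-duplicated, so the step is safe to re-run; the result is owned
#     root:sys and readable by root only (0600).
case "$(uname -r)" in
    B.10*) ftpusers=/etc/ftpusers ;;
    *)     ftpusers=/etc/ftpd/ftpusers ;;
esac
for name in root daemon bin sys adm lp uucp nuucp nobody hpdb useradm; do
    echo "$name"
done >> "$ftpusers"
sort -u "$ftpusers" > "$ftpusers.tmp"
cp "$ftpusers.tmp" "$ftpusers"
rm -f "$ftpusers.tmp"
chown root:sys "$ftpusers"
chmod 600 "$ftpusers"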

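# 36. Prevent syslogd from accepting messages from the network (-N), so
#     remote hosts cannot flood or forge entries in the local logs. The
#     current options are read by sourcing the rc config in a subshell so
#     the flag is prepended rather than replacing other options, and -N
#     is added only if not already present, keeping the step idempotent.
#     Restart syslogd (its /sbin/init.d script) or reboot for the change
#     to take effect.
syslogd_opts=$(sh -c '. /etc/rc.config.d/syslogd; echo "$SYSLOGD_OPTS"')
case " $syslogd_opts " in
    *" -N "*) ;;
    *) ch_rc -a -p SYSLOGD_OPTS="-N $syslogd_opts" /etc/rc.config.d/syslogd ;;
esac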
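# 37. Disable the XDMCP port so dtlogin does not serve remote X logins.
#     The CDE config is copied to /etc/dt (which overrides /usr/dt) if
#     not already customised, and every Dtlogin.requestPort line --
#     including a "!"-commented one, since the pattern is unanchored --
#     is replaced by requestPort 0. The listing only rewrote an existing
#     line; if none is present nothing would change, so one is appended
#     in that case. dtlogin must be restarted to pick this up.
cfgdir=/etc/dt/config
if [ ! -f "$cfgdir/Xconfig" ]; then
    mkdir -p "$cfgdir"
    cp -p /usr/dt/config/Xconfig "$cfgdir"
fi
awk '/Dtlogin.requestPort:/ { print "Dtlogin.requestPort: 0"; seen = 1; next }
     { print }
     END { if (!seen) print "Dtlogin.requestPort: 0" }' \
    "$cfgdir/Xconfig" > "$cfgdir/Xconfig.new"
cp "$cfgdir/Xconfig.new" "$cfgdir/Xconfig"
rm -f "$cfgdir/Xconfig.new"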

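# 38. Set a default screen-saver and lock timeout of 10 (minutes -- the
#     dtsession timeouts are in minutes) for CDE sessions. For every
#     locale-specific sys.resources shipped under /usr/dt/config, the
#     override is written to the matching /etc/dt/config directory (the
#     copy CDE reads in preference to /usr/dt, as item 37 relies on).
#     Each resource line is added only if not already present so the
#     step can be re-run without stacking duplicates.
for file in /usr/dt/config/*/sys.resources; do
    [ -f "$file" ] || continue
    dir=$(dirname "$file" | sed 's|^/usr/|/etc/|')
    mkdir -p "$dir"
    for res in 'dtsession*saverTimeout: 10' 'dtsession*lockTimeout: 10'; do
        grep -Fqx "$res" "$dir/sys.resources" 2>/dev/null || \
            echo "$res" >> "$dir/sys.resources"
    done
done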

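# 39. Restrict at/cron to authorized users: with the *.deny files removed
#     and *.allow files present, only users listed in cron.allow /
#     at.allow may use crontab and at -- here root alone. Absolute paths
#     are used so a failed cd cannot turn the rm/echo loose on the current
#     directory.
#     NOTE: item 44 installs a crontab as user "sys"; if that is run after
#     this step, add sys to cron.allow first (crontab refuses users not
#     listed there).
crondir=/var/adm/cron
rm -f "$crondir/cron.deny" "$crondir/at.deny"
echo root > "$crondir/cron.allow"
echo root > "$crondir/at.allow"
chown root:sys "$crondir/cron.allow" "$crondir/at.allow"
chmod 400 "$crondir/cron.allow" "$crondir/at.allow"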

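# 40. Remove empty crontab files and restrict permissions on the rest.
#     A crontab counts as empty when it has no line that is neither a
#     comment nor blank (the listing counted blank lines as content).
#     Absolute paths are used so a failed cd cannot make rm/chmod act on
#     the current directory, and an empty spool directory is handled
#     without the glob expanding to a literal "*".
spool=/var/spool/cron/crontabs
for file in "$spool"/*; do
    [ -f "$file" ] || continue
    if ! grep -Evq '^[[:space:]]*(#|$)' "$file"; then
        rm -f "$file"
        continue
    fi
    chown root:sys "$file"
    chmod 400 "$file"
done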

# 41. Restrict direct root logins to the system console: /etc/securetty
#     names the only terminal(s) on which root may log in. This does not
#     govern su, and OpenSSH does not consult securetty -- set
#     PermitRootLogin in sshd_config separately (verify).
printf 'console\n' > /etc/securetty
chmod 600 /etc/securetty
chown root:sys /etc/securetty

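# 42. Limit failed login attempts to 3, after which trusted mode locks
#     the account. "logins -ox" prints one account per line with the
#     password status in field 8; every unlocked (not "LK") account other
#     than root gets the per-user trusted-mode limit (modprpw), the
#     trusted-mode default for future accounts is set (modprdef), and the
#     non-trusted setting in /etc/default/security is written with ch_rc
#     (as item 56 does) so re-running does not append duplicate lines.
#     root is excluded so an attacker cannot lock root out of the console
#     simply by hammering the login prompt.
logins -ox \
    | awk -F: '($8 != "LK" && $1 != "root") { print $1 }' \
    | while read -r logname; do
        /usr/lbin/modprpw -m umaxlntr=3 "$logname"
    done
/usr/lbin/modprdef -m umaxlntr=3
ch_rc -a -p NUMBER_OF_LOGINS_ALLOWED=3 /etc/default/security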

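# 43. Disable "nobody" access for secure RPC by starting keyserv with -d.
#     The current KEYSERV_OPTIONS are read by sourcing the rc config in a
#     subshell and -d is prepended only if not already present, so the
#     step is idempotent. keyserv must be restarted (or the host
#     rebooted) for the option to take effect.
keyserv_opts=$(sh -c '. /etc/rc.config.d/namesvrs; echo "$KEYSERV_OPTIONS"')
case " $keyserv_opts " in
    *" -d "*) ;;
    *) ch_rc -a -p KEYSERV_OPTIONS="-d $keyserv_opts" \
           /etc/rc.config.d/namesvrs ;;
esac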
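# 44. Enable system accounting (sadc/sa1/sa2) through a small rc script
#     plus a crontab for user "sys".
#     The here-document delimiter is quoted so the script is written
#     literally: with an unquoted delimiter, "$1" and "$0" are expanded by
#     the shell running this checklist (usually to nothing) and the case
#     statement in the installed script would be written out empty. The
#     listing also had a stray extra quote on the start_msg echo.
cat <<'END_SCRIPT' > /sbin/init.d/newperf
#!/sbin/sh
PATH=/usr/sbin:/usr/bin:/sbin
case "$1" in
'start_msg')
    echo "Starting System Accounting"
    ;;
'start')
    /usr/bin/su sys -c "/usr/lbin/sa/sadc /var/adm/sa/sa`date +%d`"
    ;;
*)
    echo "usage: $0 {start|start_msg}"
    exit 1
    ;;
esac
exit 0
END_SCRIPT
chown root:sys /sbin/init.d/newperf
chmod 744 /sbin/init.d/newperf
rm -f /sbin/rc2.d/S21perf
ln -s /sbin/init.d/newperf /sbin/rc2.d/S21perf
mkdir -p /var/adm/sa
chown sys:sys /var/adm/sa
chmod 700 /var/adm/sa
# This replaces (does not append to) any existing crontab for "sys";
# if item 39 has already been applied, sys must be in cron.allow.
/usr/bin/su sys -c crontab <<'END_ENTRIES'
0,20,40 * * * * /usr/lbin/sa/sa1
45 23 * * * /usr/lbin/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A
END_ENTRIES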

45 Enable kernel-level auditing: use SAM to turn on kernel-level auditing (Auditing and Security → Audited Events → Actions → Turn Auditing On). On the releases this checklist targets, auditing is only available once the system is in trusted mode (item 34); size and rotate the audit trail before enabling it so a full file system cannot stop logging.

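# 46. Confirm permissions on system log files.
#     Every local file named as a destination in /etc/syslog.conf (field 2
#     starting with "/", comment lines skipped) is handled: devices, fifos
#     and directories are left alone; a missing file is created 0640 so
#     syslogd can open it and it is not world-readable; an existing file
#     just loses world write. Then a list of other well-known log files
#     has world write removed, skipping paths absent on this host.
awk '$0 !~ /^#/ && $2 ~ "^/" { print $2 }' /etc/syslog.conf \
    | sort -u | while read -r file; do
        if [ -d "$file" ] || [ -c "$file" ] || [ -b "$file" ] || [ -p "$file" ]; then
            :
        elif [ ! -f "$file" ]; then
            mkdir -p "$(dirname "$file")"
            touch "$file"
            chmod 640 "$file"
        else
            chmod o-w "$file"
        fi
    done
hostname=$(uname -n)
for log in /tmp/snmpd.log \
           /var/X11/Xserver/logs/X0.log \
           /var/X11/Xserver/logs/X1.log \
           /var/X11/Xserver/logs/X2.log \
           /var/adm/automount.log \
           /var/adm/snmpd.log \
           /var/opt/dce/svc/error.log \
           /var/opt/dce/svc/fatal.log \
           /var/opt/dce/svc/warning.log \
           /var/opt/dde/dde_error_log \
           /var/opt/hppak/hppak_error_log \
           /var/opt/ignite/logs/makrec.log1 \
           /var/opt/ignite/recovery/fstab \
           /var/opt/ignite/recovery/group.makrec \
           /var/opt/ignite/recovery/passwd.makrec \
           /var/opt/resmon/log \
           /var/opt/scr/log/scrlog.log \
           /var/opt/scr/log/scrlog.old \
           /var/sam/hpbottom.dion \
           /var/sam/hpbottom.iout \
           /var/sam/hpbottom.iout.old \
           "/var/sam/$hostname.dion" \
           "/var/sam/$hostname.iout" \
           "/var/sam/$hostname.iout.old" \
           /var/sam/lock \
           /var/sam/log/samlog \
           /var/sam/log/sam_tm_work \
           /var/adm/sw \
           /var/adm/sw/save \
           /var/adm/sw/patch; do
    [ -e "$log" ] && chmod o-w "$log"
done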

User accounts and environment


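# 47. Block the system accounts: lock the password, set a non-login shell
#     and apply the trusted-mode modprpw -w change (its argument form
#     differs between HP-UX 10.x and later releases). Accounts that do
#     not exist in /etc/passwd are skipped so the commands do not fail on
#     a host without, say, hpdb or useradm.
release=$(uname -r)
for user in uucp nuucp adm daemon bin lp nobody noaccess hpdb useradm; do
    grep -q "^$user:" /etc/passwd || continue
    passwd -l "$user"
    /usr/sbin/usermod -s /bin/false "$user"
    case "$release" in
        B.10*) /usr/lbin/modprpw -w "*" "$user" ;;
        *)     /usr/lbin/modprpw -w "$user" ;;
    esac
done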
48 Verify that there are no accounts with empty password fields: run `logins -p` (it lists accounts that have no password); the output should be empty. Lock (item 47) or set a password on anything it lists.
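# 49. Set password aging on every active (not "LK") non-root account:
#     maximum age ~90 days, minimum 7, with advance warning. Both the
#     standard passwd aging and the trusted-mode values (modprpw) are set
#     per account, then the defaults for new accounts (modprdef and
#     /etc/default/security). /etc/default/security is updated with ch_rc
#     (as in item 56) rather than appended to, so re-running does not
#     leave duplicate lines.
#     NOTE(review): the listing uses 91 days for passwd -x/PASSWORD_MAXDAYS
#     but 90 for exptm, and 28 vs 30 warning days -- align both sets with
#     the site policy; the values are kept as listed here.
logins -ox \
    | awk -F: '($8 != "LK" && $1 != "root") { print $1 }' \
    | while read -r logname; do
        passwd -x 91 -n 7 -w 28 "$logname"
        /usr/lbin/modprpw -m exptm=90,mintm=7,expwarn=30 "$logname"
    done
ch_rc -a -p PASSWORD_MAXDAYS=91 -p PASSWORD_MINDAYS=7 \
      -p PASSWORD_WARNDAYS=28 /etc/default/security
/usr/lbin/modprdef -m exptm=90,mintm=7,expwarn=30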

50 Verify that no legacy '+' entries exist in the password and group files: `grep '^+:' /etc/passwd /etc/group` should print nothing. A '+' line is an NIS-compatibility include that makes no sense with NIS disabled (item 7); remove any that are found.
51 Verify that no UID 0 accounts exist other than root: `logins -d` lists accounts that share a UID and `| grep ' 0 '` keeps those sharing UID 0, so the output should be empty. As a direct cross-check, `awk -F: '$3 == 0' /etc/passwd` should list only root.
52 No '.' or group/world-writable directory in root's $PATH: as root, inspect each element of `$PATH` (e.g. `echo "$PATH" | tr ':' '\n'`); an empty element, or a leading or trailing ':', also means the current directory. Check each directory with `ls -ld` and remove group/world write where found.
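# 53. Make users' home directories mode 750 or stricter: for every
#     passworded ("PS") non-root account whose home path contains /home/,
#     drop group write and all "other" access. Other existing bits are
#     left alone, so a 700 home stays 700. Homes that do not exist are
#     skipped instead of producing chmod errors.
logins -ox \
    | awk -F: '($8 == "PS" && $1 != "root") { print $6 }' \
    | grep /home/ \
    | while read -r home; do
        [ -d "$home" ] && chmod g-w,o-rwx "$home"
    done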

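# 54. Make sure users' dot-files are not group/world writable. For every
#     passworded ("PS") account's home, each regular file whose name
#     starts with "." is stripped of group/other write. Symlinks are
#     skipped (chmod would follow them to a target possibly outside the
#     home), and the glob is used directly instead of parsing ls output.
#     Dot-directories such as .ssh are not descended into -- check their
#     contents separately.
logins -ox \
    | awk -F: '($8 == "PS") { print $6 }' \
    | while read -r home; do
        for file in "$home"/.[!.]*; do
            if [ -f "$file" ] && [ ! -h "$file" ]; then
                chmod go-w "$file"
            fi
        done
    done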

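# 55. Remove users' .netrc (cleartext FTP credentials), .rhosts and
#     .shosts (per-user host trust for the r-services and ssh) from every
#     home directory listed by logins. Dangling or symlinked copies are
#     removed as well (the listing only matched regular files). Removing
#     the per-user files does not disable host trust configured
#     system-wide in /etc/hosts.equiv or /etc/shosts.equiv -- review
#     those too.
logins -ox | cut -f6 -d: | while read -r home; do
    for file in "$home/.netrc" "$home/.rhosts" "$home/.shosts"; do
        if [ -f "$file" ] || [ -h "$file" ]; then
            echo "removing $file"
            rm -f "$file"
        fi
    done
done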

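# 56. Set the default umask for users to 077 (new files are private to
#     their owner) in the system-wide login scripts for sh/ksh
#     (/etc/profile) and csh (/etc/csh.login), in the d.profile/d.login
#     per-user skeleton files, and in /etc/default/security. The line is
#     appended only if absent, so re-running does not stack duplicate
#     umask lines; absolute paths avoid depending on a cd having worked.
for file in /etc/profile /etc/csh.login /etc/d.profile /etc/d.login; do
    grep -q '^umask 077$' "$file" 2>/dev/null || echo umask 077 >> "$file"
done
ch_rc -a -p UMASK=077 /etc/default/security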

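# 57. Set "mesg n" as the default for all users so other users cannot
#     write to their terminals. Added to the same system-wide login
#     scripts and skeleton files as item 56, only if not already present,
#     so re-running does not stack duplicate lines.
for file in /etc/profile /etc/csh.login /etc/d.profile /etc/d.login; do
    grep -q '^mesg n$' "$file" 2>/dev/null || echo mesg n >> "$file"
done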
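# 58. Create a warning banner for terminal logins. /etc/issue is shown
#     before the login prompt and /etc/motd after a successful login; the
#     banner is appended to motd only if not already there, and replaces
#     issue. sshd does not show /etc/issue unless its "Banner" option
#     points at it -- set that separately if SSH logins must see it.
banner="Authorized users only. All activity may be monitored and reported."
grep -Fq "$banner" /etc/motd 2>/dev/null || echo "$banner" >> /etc/motd
echo "$banner" > /etc/issue
chown root:sys /etc/motd
chown root:root /etc/issue
chmod 644 /etc/motd /etc/issue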
