HP-UX Security
General guidelines
- As with all operating systems, it is important to patch frequently, using the patches provided by the vendor.
- Enforce the rule of least privilege. Access to resources and information should be limited to the minimum level needed to execute a task or function. In practical terms, if you don't need to have ftp access, don't leave the ftp daemon running. Don't let everyone have write access to your directories. (For that matter, question whether anyone besides you needs read access.)
- Turn off unneeded services in /etc/inetd.conf.
- Use TCP wrappers to restrict access to services.
- Clean up the startup scripts stored in /etc/rc.config.d. This directory contains several files, each containing a variable set to either 1 or 0. A setting of 1 means the service will start at boot. A setting of 0 will keep the service from starting automatically. Your needs may vary, but the following list is a good starting point for most machines:
Dmiconfig
SnmpHpunix
SnmpMaster
SnmpMib2
SnmpTrpDst
apacheconf
audio
comsec
egcd
ems
fc_td_conf
hparamgr
hparray
hpfcmsconf
kks
lp
mailservs
savecrash
scrdaemon
vjed
vt
- Before adding user accounts, run a port scanning program (such as nmap) against your machine to see which ports are open.
- Use IPFilter, a network packet filtering program available in HP-UX 11i. IPFilter works at the kernel level and allows for a great deal of customization and flexibility. Complete configuration instructions and IPFilter information are available from http://www.obfuscation.org/ipf/ipf-howto.txt.
- Restrict login practices.
- Run a port scanning program (such as nmap) against your machine to see which ports are open. If you're installing from scratch, do this before you start adding user accounts. If you're upgrading, do it before you give users permission to start using the system again. It's also a good idea to check your ports from time to time just to see if anything has changed since your last portscan.
- Create superuser accounts to maintain administrative accountability.
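As an added example (not part of the original page), the following POSIX shell script audits an /etc/rc.config.d directory against the list of files above and reports every control variable that is still set to 1. The directory is a parameter so the audit can run against a constructed sample tree; the variable names in that sample are constructed for illustration, not copied from a real HP-UX system.

```shell
# Added example: audit /etc/rc.config.d for services still enabled at boot.
# Files from the guideline list above that are usually safe to disable.
DISABLE_CANDIDATES="Dmiconfig SnmpHpunix SnmpMaster SnmpMib2 SnmpTrpDst \
apacheconf audio comsec egcd ems fc_td_conf hparamgr hparray hpfcmsconf \
kks lp mailservs savecrash scrdaemon vjed vt"

# audit_rc_config DIR
# Prints "FILE VARIABLE" for each line of the form VARIABLE=1 found in a
# candidate file under DIR. Comment lines and 0-settings are ignored.
audit_rc_config() {
    dir=$1
    for f in $DISABLE_CANDIDATES; do
        [ -f "$dir/$f" ] || continue
        sed -n "s/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=1[[:space:]]*\$/$f \1/p" "$dir/$f"
    done
}

# count_findings DIR
# Number of variables still enabled in candidate files (0 means clean).
count_findings() {
    audit_rc_config "$1" | wc -l | tr -d ' '
}

# make_sample_tree
# Builds a small constructed rc.config.d tree in a temp dir and prints its path.
# Variable names here are constructed sample content.
make_sample_tree() {
    dir=$(mktemp -d)
    printf '# SNMP master agent\nSNMP_MASTER_START=1\n' > "$dir/SnmpMaster"
    printf 'AUDIO_SERVER=0\n' > "$dir/audio"
    printf 'LP=1\n' > "$dir/lp"
    printf 'SSHD_START=1\n' > "$dir/sshd"     # not a candidate: must not be reported
    echo "$dir"
}

# Stand-alone run: audit the sample tree, then the real directory if present.
sample=$(make_sample_tree)
audit_rc_config "$sample"
rm -rf "$sample"
if [ -d /etc/rc.config.d ]; then
    audit_rc_config /etc/rc.config.d
fi
```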
Restrict login practices
Start by disabling telnet in /etc/inetd.conf and requesting that your users log in via ssh. Telnet should not be used because it sends all its data (including passwords) across the network unencrypted. This means that it is relatively easy to intercept anything you type during a telnet session. SSH encrypts this information, making it very difficult to intercept and use without specialized equipment. There are a variety of free ssh clients for Mac OS and Windows, and WSG maintains OpenSSH Encaps for most major flavors of Unix.
WSG also recommends disabling the login, shell, and exec services in /etc/inetd.conf for the same reasons.
Next, create the file /etc/securetty with the single word console as its contents. This prevents root access unless you are sitting at the console or are using su.
Finally, create a file called /etc/default containing the following lines:
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
NOLOGIN=1
NUMBER_OF_LOGINS_ALLOWED=3
This prevents users from logging into the machine if they don't have a home directory defined in /etc/passwd and prevents a user from logging in with more than three concurrent sessions.
Use superuser accounts instead of root
The main reason for creating superuser accounts is accountability. By creating these superusers, a user must su to the account, which creates a record in /var/adm/syslog/syslog.log that user X su'ed to superuser Y. If anything unexpected happens after that point, there is a record of the last person on the system who had the ability to modify its behavior.
To create a superuser account, add a user (sufoo, for example) just as you would add any other new user. Next, open /etc/passwd and change sufoo's UID to 0. To avoid cluttering the system with unnecessary home directories, you can also change sufoo's passwd entry so that it shares a home directory with root (thereby keeping all the root user files in one place) or foo (assuming that foo will be the one using the sufoo account).
You can further restrict su access by adding a line to /etc/security and to /etc/group. In /etc/security, add the following line:
SU_ROOT_GROUP=super
In /etc/group, add something like this:
super::75:root,smith,jones
This means only users root, smith, and jones have the ability to su to root on the system. The group number (75) is arbitrary and can be any number as long as it isn't used by another group on the system.
Refine and log superuser access
Distributing the root password to multiple users is generally a bad idea. The system administrator and his or her backup should be the only people with this password. In some cases, there may be users with a legitimate need to perform administrative work. The sudo tool can be used to allow non-privileged users to execute commands as root and is available as an Encap from http://encap.cites.uiuc.edu/search/search.cgi. Sudo relies on /etc/sudoers to determine user privilege levels. For example, if we wanted to give users 'smith' and 'jones' the authority to perform certain system tasks, /etc/sudoers might look like this:
User_Alias WEBADMIN = smith, jones
Cmnd_Alias APACHE = /usr/local/sbin/apachectl
WEBADMIN ALL = NOPASSWD: APACHE
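As an added example (not part of the original page), the following POSIX shell script audits the superuser-account and su-group setup from the previous section: it lists every UID-0 account in a passwd file, lists the members of the SU_ROOT_GROUP group, and flags group members that no longer have a passwd entry. File paths and the group name are parameters; the passwd and group contents are constructed samples in the style of the page's sufoo and super examples.

```shell
# Added example: audit UID-0 accounts and the su group on an HP-UX system.

# uid0_accounts PASSWD_FILE
# Prints the login name of every account whose UID field is 0 (root and all
# superuser accounts such as sufoo).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# su_group_members GROUP_FILE GROUPNAME
# Prints the members of GROUPNAME (the SU_ROOT_GROUP group), one per line.
su_group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# stale_su_members PASSWD_FILE GROUP_FILE GROUPNAME
# Prints members of the su group that have no passwd entry (stale access grants).
stale_su_members() {
    for u in $(su_group_members "$2" "$3"); do
        awk -F: -v u="$u" '$1 == u { found = 1 } END { exit !found }' "$1" || echo "$u"
    done
}

# make_sample_files
# Writes constructed passwd and group files to a temp dir and prints its path.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
smith:x:101:20::/home/smith:/usr/bin/sh
susmith:x:0:20::/home/smith:/usr/bin/sh
jones:x:102:20::/home/jones:/usr/bin/sh
EOF
    cat > "$dir/group" <<'EOF'
root::0:root
users::20:
super::75:root,smith,jones,brown
EOF
    echo "$dir"
}

# Stand-alone run against the constructed files.
d=$(make_sample_files)
echo "UID 0 accounts:"; uid0_accounts "$d/passwd"
echo "su group members:"; su_group_members "$d/group" super
echo "stale su group members:"; stale_su_members "$d/passwd" "$d/group" super
rm -rf "$d"
```

On a real system, point the functions at /etc/passwd and /etc/group and at whatever group name SU_ROOT_GROUP is set to.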