HP-UX Security Checklist

The document provides a checklist of 31 items to harden UNIX system security. It includes recommendations to install latest patches, disable unnecessary network services and daemons, enable stack protection, modify network parameters for security, set appropriate file permissions, and remove unnecessary SUID permissions from executables.

Uploaded by

satyapal kumar
UNIX Security Checklist:

Patches

1. Patches: install the latest patches.

Network Services

2. TCP wrappers: install TCP wrappers.

3. SSH: install SSH.

4. Disable all the services normally enabled in the HP-UX inetd.conf file.

5. Disable login prompts on serial ports:

cp -p /etc/inittab /etc/inittab.tmp
sed 's/^[^#].*getty.*tty.*$/#&/' \
    /etc/inittab.tmp > /etc/inittab
rm -f /etc/inittab.tmp
chown root:sys /etc/inittab
chmod go-w,ug-s /etc/inittab

6. Disable inetd (only when no active entries remain in /etc/inetd.conf):

if grep -Evq '^[ ]*(#|$)' /etc/inetd.conf
then :
else mv -f /sbin/rc2.d/S500inetd \
        /sbin/rc2.d/.NOS500inetd
fi

7. Disable NIS/NIS+:

ch_rc -a -p NIS_MASTER_SERVER=0 -p NIS_SLAVE_SERVER=0 \
    -p NIS_CLIENT=0 -p NISPLUS_SERVER=0 \
    -p NISPLUS_CLIENT=0 /etc/rc.config.d/namesvrs

8. Disable printer daemons:

ch_rc -a -p XPRINTSERVERS="''" /etc/rc.config.d/tps
ch_rc -a -p LP=0 /etc/rc.config.d/lp
ch_rc -a -p PD_CLIENT=0 /etc/rc.config.d/pd

9. Disable GUI login:

ch_rc -a -p DESKTOP="" /etc/rc.config.d/desktop
chmod go-w,ug-s /usr/dt/bin/dtaction \
    /usr/dt/bin/dtappgather /usr/dt/bin/dtprintinfo \
    /usr/dt/bin/dtsession

10. Disable email server (the cron entry keeps an hourly queue run so locally generated mail is still delivered):

ch_rc -a -p SENDMAIL_SERVER=0 /etc/rc.config.d/mailservs
cd /var/spool/cron/crontabs
crontab -l >root.tmp
echo '0 * * * * /usr/lib/sendmail -q' >>root.tmp
crontab root.tmp
rm -f root.tmp

11. Disable SNMP:

1. Disable the start scripts and configuration variables:

cd /sbin/rc2.d
for file in S565OspfMib S941opcagt S570SnmpFddi
do mv -f $file .NO$file
done
ch_rc -a -p SNMP_HPUNIX_START=0 \
    /etc/rc.config.d/SnmpHpunix
ch_rc -a -p SNMP_MASTER_START=0 \
    /etc/rc.config.d/SnmpMaster
ch_rc -a -p SNMP_MIB2_START=0 \
    /etc/rc.config.d/SnmpMib2
ch_rc -a -p SNMP_TRAPDEST_START=0 \
    /etc/rc.config.d/SnmpTrpDst

2. Remove any software packages related to HP OpenView (generally those
beginning with OV) using swremove.
12. Disable other standard boot services:

ch_rc -a -p START_SNAPLUS=0 -p START_SNANODE=0 \
    -p START_SNAINETD=0 /etc/rc.config.d/snaplus2
ch_rc -a -p MROUTED=0 -p RWHOD=0 -p DDFA=0 \
    -p START_RBOOTD=0 /etc/rc.config.d/netdaemons
ch_rc -a -p DCE_KRPC=0 -p DFS_CORE=0 -p DFS_CLIENT=0 \
    -p DFS_SERVER=0 -p DFS_EPISODE=0 -p EPIINIT=0 \
    -p DFSEXPORT=0 -p BOSSERVER=0 -p DFSBIND=0 \
    -p FXD=0 -p MEMCACHE=0 -p DFSGWD=0 \
    -p DISKCACHEFORDFS=0 /etc/rc.config.d/dfs
ch_rc -a -p RARPD=0 -p RDPD=0 /etc/rc.config.d/netconf
ch_rc -a -p PTYDAEMON_START=0 /etc/rc.config.d/ptydaemon
ch_rc -a -p VTDAEMON_START=0 /etc/rc.config.d/vt
ch_rc -a -p NAMED=0 /etc/rc.config.d/namesvrs
ch_rc -a -p PEER_SNMPD_START=0 \
    /etc/rc.config.d/peer.snmpd
ch_rc -a -p START_I4LMD=0 /etc/rc.config.d/i4lmd
ch_rc -a -p RUN_X_FONT_SERVER=0 /etc/rc.config.d/xfs
ch_rc -a -p AUDIO_SERVER=0 /etc/rc.config.d/audio
ch_rc -a -p SLSD_DAEMON=0 /etc/rc.config.d/slsd
ch_rc -a -p RUN_SAMBA=0 /etc/rc.config.d/samba
ch_rc -a -p RUN_CIFSCLIENT=0 \
    /etc/rc.config.d/cifsclient
ch_rc -a -p NFS_SERVER=0 \
    -p NFS_CLIENT=0 /etc/rc.config.d/nfsconf
ch_rc -a -p NS_FTRACK=0 /etc/rc.config.d/ns-ftrack
ch_rc -a -p APACHE_START=0 /etc/rc.config.d/apacheconf
mv -f /sbin/rc2.d/S400nfs.core \
    /sbin/rc2.d/.NOS400nfs.core

[CIS HP-UX Benchmark, page 18]

13. Disable NFS server processes.

14. Disable Windows-compatible server processes.

15. Disable Windows-compatible client processes.

16. Disable RPC-based services.

17. Disable web server.

18. Disable BIND DNS server.

Kernel Tuning

19. Enable stack protection:

/usr/sbin/kmtune -s executable_stack=0 && mk_kernel && kmupdate
Network parameters modification

20. Increase size of half-open connection queue:

TRANSPORT_NAME[0]=tcp;
NDD_NAME[0]=tcp_syn_rcvd_max;
NDD_VALUE[0]=4096;

21. Reduce timeouts on ARP cache:

TRANSPORT_NAME[1]=arp;
NDD_NAME[1]=arp_cleanup_interval;
NDD_VALUE[1]=6000;

22. Drop source-routed packets:

TRANSPORT_NAME[2]=ip
NDD_NAME[2]=ip_forward_src_routed
NDD_VALUE[2]=0

23. Don't forward directed broadcasts:

TRANSPORT_NAME[3]=ip
NDD_NAME[3]=ip_forward_directed_broadcasts
NDD_VALUE[3]=0

24. Don't respond to unicast ICMP timestamp requests:

TRANSPORT_NAME[4]=ip
NDD_NAME[4]=ip_respond_to_timestamp
NDD_VALUE[4]=0

25. Don't respond to broadcast ICMP timestamp requests:

TRANSPORT_NAME[5]=ip
NDD_NAME[5]=ip_respond_to_timestamp_broadcast
NDD_VALUE[5]=0

26. Don't respond to ICMP address mask requests:

TRANSPORT_NAME[6]=ip
NDD_NAME[6]=ip_respond_to_address_mask_broadcast
NDD_VALUE[6]=0

27. Don't respond to broadcast echo requests:

TRANSPORT_NAME[7]=ip
NDD_NAME[7]=ip_respond_to_echo_broadcast
NDD_VALUE[7]=0

28. Use better TCP sequence numbers:

echo "/usr/contrib/bin/nettune -s tcp_random_seq 2" >> \
    /sbin/rc2.d/S339nettune
chown root:sys /sbin/rc2.d/S339nettune
chmod 555 /sbin/rc2.d/S339nettune
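Items 20 to 27 are the TRANSPORT_NAME/NDD_NAME/NDD_VALUE triples that HP-UX reads from /etc/rc.config.d/nddconf at boot. The checklist only shows the target values; the script below is an added audit example, not part of the CIS checklist, that compares an nddconf-style file against those eight values and reports every parameter that is missing or set differently. It joins the three arrays on their subscript, so the index numbers in the audited file do not have to match the ones above. The sample file contents, the function names and the temporary file are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the CIS checklist): audit an nddconf-style file
# against the values in items 20-27. Sample data below is constructed.

# Expected (transport, parameter, value) triples, taken from items 20-27.
EXPECTED_NDD='tcp tcp_syn_rcvd_max 4096
arp arp_cleanup_interval 6000
ip ip_forward_src_routed 0
ip ip_forward_directed_broadcasts 0
ip ip_respond_to_timestamp 0
ip ip_respond_to_timestamp_broadcast 0
ip ip_respond_to_address_mask_broadcast 0
ip ip_respond_to_echo_broadcast 0'

# nddconf_audit FILE
# Prints "MISSING <param>" or "WRONG <param> got=<v> want=<w>" per deviation
# and returns 1 if any were found, 0 when the file matches every expected value.
nddconf_audit() {
    printf '%s\n' "$EXPECTED_NDD" | awk -v conf="$1" '
    BEGIN {
        # Pass 1: read TRANSPORT_NAME[i]/NDD_NAME[i]/NDD_VALUE[i] from the file.
        while ((getline line < conf) > 0) {
            sub(/#.*/, "", line)          # strip comments
            gsub(/[ \t;]/, "", line)      # tolerate blanks and trailing ";"
            if (line == "") continue
            if (match(line, /^(TRANSPORT_NAME|NDD_NAME|NDD_VALUE)\[[0-9]+\]=/)) {
                key = substr(line, 1, RLENGTH - 1)      # e.g. NDD_NAME[3]
                val = substr(line, RLENGTH + 1)
                arr = key; sub(/\[.*/, "", arr)          # NDD_NAME
                idx = key; gsub(/[^0-9]/, "", idx)       # 3
                cfg[arr, idx] = val
                seen[idx] = 1
            }
        }
        close(conf)
        # Join the three arrays on their subscript, then index by parameter name.
        for (i in seen) {
            n = cfg["NDD_NAME", i]
            if (n != "") {
                value[n] = cfg["NDD_VALUE", i]
                transport[n] = cfg["TRANSPORT_NAME", i]
            }
        }
    }
    # Pass 2: each stdin line is an expected "transport param value" triple.
    {
        if (!($2 in value)) {
            print "MISSING " $2; bad++
        } else if (value[$2] != $3 || transport[$2] != $1) {
            print "WRONG " $2 " got=" value[$2] " want=" $3; bad++
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# write_sample_nddconf FILE: constructed sample with the ARP interval left
# at a long timeout and the echo-broadcast entry missing altogether.
write_sample_nddconf() {
    cat > "$1" <<'EOF'
# constructed sample nddconf (not a real system file)
TRANSPORT_NAME[0]=tcp;
NDD_NAME[0]=tcp_syn_rcvd_max;
NDD_VALUE[0]=4096;
TRANSPORT_NAME[1]=arp
NDD_NAME[1]=arp_cleanup_interval
NDD_VALUE[1]=300000
TRANSPORT_NAME[2]=ip
NDD_NAME[2]=ip_forward_src_routed
NDD_VALUE[2]=0
TRANSPORT_NAME[3]=ip
NDD_NAME[3]=ip_forward_directed_broadcasts
NDD_VALUE[3]=0
TRANSPORT_NAME[4]=ip
NDD_NAME[4]=ip_respond_to_timestamp
NDD_VALUE[4]=0
TRANSPORT_NAME[5]=ip
NDD_NAME[5]=ip_respond_to_timestamp_broadcast
NDD_VALUE[5]=0
TRANSPORT_NAME[6]=ip
NDD_NAME[6]=ip_respond_to_address_mask_broadcast
NDD_VALUE[6]=0
EOF
}

# Stand-alone run: audit the constructed sample (two deviations expected).
tmp=$(mktemp) || exit 1
write_sample_nddconf "$tmp"
nddconf_audit "$tmp" || echo "deviations found (expected for the sample)"
rm -f "$tmp"
```

On a real host, run `nddconf_audit /etc/rc.config.d/nddconf` and treat a non-zero exit as a finding; note that this checks the boot-time file only, so a value changed with ndd at run time and never written back will still show as a deviation.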

File and directory permissions and access

29. Passwd and group file permissions:

chown root:root /etc/passwd /etc/group
chmod 644 /etc/passwd /etc/group

30. World-writable directories have their sticky bit set:

chmod +t /tmp /var/news /var/tmp /var/preserve \
    /var/spool/sockets /var/spool/sockets/ICE \
    /var/spool/sockets/X11 /var/spool/sockets/common \
    /var/X11/Xserver/logs /var/adm/diag \
    /var/opt/resmon/log /var/spool/uucppublic

31. Strip dangerous/unneeded SUID from system executables:

chmod ug-s /opt/audio/bin/Aserver \
    /opt/sharedprint/bin/pcltotiff /sbin/shutdown \
    /usr/bin/bdf /usr/bin/df /usr/bin/elm \
    /usr/bin/kermit /usr/lbin/expreserve \
    /usr/lbin/exrecover /usr/sbin/wall \
    /usr/contrib/bin/X11/xconsole

32. Ensure system files are not world-writable:

find \
    /dev/vg01 \
    /etc \
    /opt/apache/logs \
    /opt/langtools/newconfig \
    /opt/prm \
    /stand/dlkm \
    /stand/dlkm.vmunix.prev \
    /usr/lbin \
    /usr/local \
    /usr/newconfig/var/stm \
    /var/spool/sockets/pwgr \
    /var/stm \
    /usr/share/man \
    ! -type l -exec chmod go-w {} ';'
chmod go-w \
    /SD_CDROM \
    /cdrom \
    /dev/mapfile \
    /opt/graphics/OpenGL \
    /opt/ifor/ls/res/i4adminX.pdl \
    /opt/pred/bin/PSERRLOG \
    /opt/pred/var \
    /var/adm/streams \
    /var/dt/Xerrors \
    /var/dt/Xpid \
    /var/obam/translated \
    /var/opt/PEX5 \
    /var/opt/common \
    /var/opt/scr/tmp/scrdaemon.pid \
    /var/opt/perf \
    /var/opt/sharedprint \
    /var/opt/starbase \
    /var/ppl \
    /var/rbootd \
    /var/sam/lock \
    /var/sam/log/samagent.log \
    /var/spool/lp/SCHEDLOCK \
    /var/spool/rexd \
    /var/spool/sockets/common \
    /var/spool/sockets/pwgr \
    /var/vue
if [ -d /dev/screen ]; then
    rmdir /dev/screen
fi

33. Ensure patch backup directories are not accessible:

chmod go-rwx /var/adm/sw/save
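Items 30 to 32 apply fixed lists of paths; before and after applying them it helps to know what a tree actually contains. The script below is an added example, not part of the CIS checklist: it audits a directory for the three conditions those items address (world-writable entries without the sticky bit, setuid files, setgid files) and repairs only the world-writable findings with the same `chmod go-w` idea as item 32. Setuid and setgid files are reported, not changed, because item 31 names the specific executables to strip and a blanket strip would break legitimate setuid programs. The sample tree, its file names and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the CIS checklist): audit a tree for the conditions
# behind items 30-32 and fix only world-writable findings. Sample tree is constructed.

# perm_audit DIR
# Prints one sorted finding per line:
#   WORLD_WRITABLE <path>  non-symlink with o+w, unless it is a sticky directory (item 30)
#   SETUID <path>          regular file with the setuid bit (item 31)
#   SETGID <path>          regular file with the setgid bit (item 31)
perm_audit() {
    {
        find "$1" ! -type l -perm -0002 ! \( -type d -perm -1000 \) -print \
            | sed 's/^/WORLD_WRITABLE /'
        find "$1" -type f -perm -4000 -print | sed 's/^/SETUID /'
        find "$1" -type f -perm -2000 -print | sed 's/^/SETGID /'
    } | sort
}

# perm_fix DIR: clear o+w on WORLD_WRITABLE findings only (compare item 32).
perm_fix() {
    perm_audit "$1" | while read -r kind path; do
        case $kind in
            WORLD_WRITABLE) chmod o-w "$path" ;;
        esac
    done
}

# make_sample_tree ROOT: constructed tree with one of each condition.
make_sample_tree() {
    mkdir -p "$1/tmp" "$1/etc" "$1/shared" "$1/bin"
    chmod 1777 "$1/tmp"                                         # o+w but sticky: acceptable
    chmod 777 "$1/shared"                                       # o+w, no sticky: finding
    : > "$1/etc/hosts";        chmod 644 "$1/etc/hosts"         # clean
    : > "$1/etc/scratch.conf"; chmod 666 "$1/etc/scratch.conf"  # finding
    : > "$1/bin/legacy_tool";  chmod 4755 "$1/bin/legacy_tool"  # SETUID finding
    : > "$1/bin/report_tool";  chmod 2755 "$1/bin/report_tool"  # SETGID finding
}

# Stand-alone run on the constructed tree. On a real host: perm_audit /etc
root=$(mktemp -d) || exit 1
make_sample_tree "$root"
echo "before fix:"; perm_audit "$root"
perm_fix "$root"
echo "after fix:";  perm_audit "$root"
rm -rf "$root"
```

The audit deliberately skips symlinks (as item 32's `! -type l` does) so that a link into a world-writable area is not reported twice, and it reports sticky world-writable directories as clean only when they are directories; a sticky regular file with o+w is still a finding.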
System Access, Authentication and Authorization

34. Trusted Mode: convert the system to trusted mode.

35. Create /etc[/ftpd]/ftpusers:

if [[ "$(uname -r)" = B.10* ]]; then
    ftpusers=/etc/ftpusers
else
    ftpusers=/etc/ftpd/ftpusers
fi
for name in root daemon bin sys adm lp \
    uucp nuucp nobody hpdb useradm
do
    echo $name
done >> $ftpusers
sort -u $ftpusers > $ftpusers.tmp
cp $ftpusers.tmp $ftpusers
rm -f $ftpusers.tmp
chown root:sys $ftpusers
chmod 600 $ftpusers

36. Prevent syslog from accepting messages from the network:

SYSLOGD_OPTS="`sh -c '. /etc/rc.config.d/syslogd ;
    echo "$SYSLOGD_OPTS"'`"
ch_rc -a -p SYSLOGD_OPTS="-N $SYSLOGD_OPTS" \
    /etc/rc.config.d/syslogd

37. Disable XDMCP port:

if [ ! -f /etc/dt/config/Xconfig ]; then
    mkdir -p /etc/dt/config
    cp -p /usr/dt/config/Xconfig /etc/dt/config
fi
cd /etc/dt/config
awk '/Dtlogin.requestPort:/ \
    { print "Dtlogin.requestPort: 0"; next }
    { print }' Xconfig > Xconfig.new
cp Xconfig.new Xconfig
rm -f Xconfig.new

38. Set default locking screen saver timeout:

for file in /usr/dt/config/*/sys.resources; do
    dir="$(dirname "$file" | sed 's|^/usr/|/etc/|')"
    mkdir -p "$dir"
    echo 'dtsession*saverTimeout: 10' >>"$dir/sys.resources"
    echo 'dtsession*lockTimeout: 10' >>"$dir/sys.resources"
done

39. Restrict at/cron to authorized users:

cd /var/adm/cron
rm -f cron.deny at.deny
echo root >cron.allow
echo root >at.allow
chown root:sys cron.allow at.allow
chmod 400 cron.allow at.allow

40. Remove empty crontab files and restrict file permissions:

cd /var/spool/cron/crontabs
for file in *
do
    lines=`grep -v '^#' $file | wc -l | sed 's/ //g'`
    if [ "$lines" = "0" ]; then
        rm -f $file
    fi
done
chown root:sys *
chmod 400 *

41. Restrict root logins to the system console:

echo console > /etc/securetty
chown root:sys /etc/securetty
chmod 600 /etc/securetty

42. Limit number of failed login attempts to 3:

logins -ox \
    | awk -F: '($8 != "LK" && $1 != "root") { print $1 }' \
    | while read logname; do
        /usr/lbin/modprpw -m umaxlntr=3 "$logname"
    done
modprdef -m umaxlntr=3
echo NUMBER_OF_LOGINS_ALLOWED=3 >> /etc/default/security

43. Disable "nobody" access for secure RPC:

KEYSERV_OPTIONS="`sh -c '. /etc/rc.config.d/namesvrs ;
    echo "$KEYSERV_OPTIONS"'`"
ch_rc -a -p KEYSERV_OPTIONS="-d $KEYSERV_OPTIONS " \
    /etc/rc.config.d/namesvrs

44. Enable system accounting (the here-document delimiter is quoted so that $1, $0 and the backticks reach the script file unexpanded):

cat <<'END_SCRIPT' >/sbin/init.d/newperf
#!/sbin/sh
PATH=/usr/sbin:/usr/bin:/sbin
case "$1" in
'start_msg')
    echo "Starting System Accounting"
    ;;
'start')
    /usr/bin/su sys -c \
        "/usr/lbin/sa/sadc /var/adm/sa/sa`date +%d`"
    ;;
*)
    echo "usage: $0 {start|start_msg}"
    exit 1
    ;;
esac
exit 0
END_SCRIPT
chown root:sys /sbin/init.d/newperf
chmod 744 /sbin/init.d/newperf
rm -f /sbin/rc2.d/S21perf
ln -s /sbin/init.d/newperf /sbin/rc2.d/S21perf
mkdir -p /var/adm/sa
chown sys:sys /var/adm/sa
chmod 700 /var/adm/sa
/usr/bin/su sys -c crontab <<END_ENTRIES
0,20,40 * * * * /usr/lbin/sa/sa1
45 23 * * * /usr/lbin/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A
END_ENTRIES

45. Enable kernel-level auditing: use SAM to turn on kernel-level auditing (Auditing And Security … Audited Events … Actions … Turn Auditing On).

46. Confirm permissions on system log files:

awk < /etc/syslog.conf '
$0 !~ /^#/ && $2 ~ "^/" {
    print $2
}
' | sort -u | while read file
do if [ -d "$file" -o -c "$file" -o \
        -b "$file" -o -p "$file" ]
    then :
    elif [ ! -f "$file" ]
    then mkdir -p "$(dirname "$file")"
        touch "$file"
        chmod 640 "$file"
    else chmod o-w "$file"
    fi
done
hostname=`uname -n`
chmod o-w \
    /tmp/snmpd.log \
    /var/X11/Xserver/logs/X0.log \
    /var/X11/Xserver/logs/X1.log \
    /var/X11/Xserver/logs/X2.log \
    /var/adm/automount.log \
    /var/adm/snmpd.log \
    /var/opt/dce/svc/error.log \
    /var/opt/dce/svc/fatal.log \
    /var/opt/dce/svc/warning.log \
    /var/opt/dde/dde_error_log \
    /var/opt/hppak/hppak_error_log \
    /var/opt/ignite/logs/makrec.log1 \
    /var/opt/ignite/recovery/fstab \
    /var/opt/ignite/recovery/group.makrec \
    /var/opt/ignite/recovery/passwd.makrec \
    /var/opt/resmon/log \
    /var/opt/scr/log/scrlog.log \
    /var/opt/scr/log/scrlog.old \
    /var/sam/hpbottom.dion \
    /var/sam/hpbottom.iout \
    /var/sam/hpbottom.iout.old \
    "/var/sam/$hostname.dion" \
    "/var/sam/$hostname.iout" \
    "/var/sam/$hostname.iout.old" \
    /var/sam/lock \
    /var/sam/log/samlog \
    /var/sam/log/sam_tm_work \
    /var/adm/sw \
    /var/adm/sw/save \
    /var/adm/sw/patch

User accounts and environment

47. Block system accounts:

for user in uucp nuucp adm daemon bin lp \
    nobody noaccess hpdb useradm; do
    passwd -l "$user"
    /usr/sbin/usermod -s /bin/false "$user"
    if [[ "$(uname -r)" = B.10* ]]; then
        /usr/lbin/modprpw -w "*" "$user"
    else
        /usr/lbin/modprpw -w "$user"
    fi
done

48. Verify that there are no accounts with empty password fields:

logins -p

49. Set account expiration parameters on active accounts (maximum 90 days and minimum 7 days):

logins -ox \
    | awk -F: '($8 != "LK" && $1 != "root") { print $1 }' \
    | while read logname; do
        passwd -x 91 -n 7 -w 28 "$logname"
        /usr/lbin/modprpw -m exptm=90,mintm=7,expwarn=30 \
            "$logname"
    done
echo PASSWORD_MAXDAYS=91 >> /etc/default/security
echo PASSWORD_MINDAYS=7 >> /etc/default/security
echo PASSWORD_WARNDAYS=28 >> /etc/default/security
/usr/lbin/modprdef -m exptm=90,mintm=7,expwarn=30

50. Verify no legacy '+' entries exist in password and group files:

grep '^+:' /etc/passwd /etc/group

51. Verify that no UID 0 accounts exist other than root:

logins -d | grep ' 0 '
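Items 48, 50 and 51 are verification steps that rely on the HP-UX `logins` command. The script below is an added example, not part of the CIS checklist, that performs the same three checks directly over a file in the classic seven-field /etc/passwd format, so the logic can be run anywhere (including over a copied passwd file during an incident review). On a trusted-mode HP-UX system the password field in /etc/passwd is "*" and the real hashes live under /tcb, which is why the checklist uses `logins -p` there; this example covers the plain passwd format. The sample entries, user names and function names are constructed for this example; the legacy '+' check for /etc/group is still the `grep '^+:'` from item 50.

```shell
#!/bin/sh
# Added example (not from the CIS checklist): the checks behind items 48, 50
# and 51 over a classic /etc/passwd-format file. Sample entries are constructed.

# passwd_audit FILE
# Prints one finding per line, in file order:
#   EMPTY_PASSWORD <user>  password field empty (item 48)
#   UID0 <user>            uid 0 but not root (item 51)
#   LEGACY_PLUS <line>     NIS "+" compatibility entry (item 50)
#   MALFORMED <line>       not exactly 7 colon-separated fields
# Returns 1 if anything was reported, 0 otherwise.
passwd_audit() {
    awk -F: '
        /^\+/                    { print "LEGACY_PLUS " $0; bad++; next }
        NF != 7                  { print "MALFORMED " $0; bad++; next }
        $2 == ""                 { print "EMPTY_PASSWORD " $1; bad++ }
        $3 == 0 && $1 != "root"  { print "UID0 " $1; bad++ }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_sample_passwd FILE: constructed sample with an empty-password uid-0
# operator account, an empty-password guest account and a legacy "+" entry.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
oper::0:3:operator:/home/oper:/sbin/sh
jsmith:x:101:20:J. Smith:/home/jsmith:/usr/bin/ksh
guest::102:20:guest:/home/guest:/sbin/sh
+::0:0:::
EOF
}

# Stand-alone run over the constructed sample. On a real host: passwd_audit /etc/passwd
f=$(mktemp) || exit 1
write_sample_passwd "$f"
passwd_audit "$f" || echo "findings above (expected for the sample)"
rm -f "$f"
```

An account can trigger more than one finding (the sample's operator account has both an empty password and uid 0), so findings are counted per condition, not per account; the exit status is what a cron job or compliance runner should key on.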
52. No '.' or group/world-writable directory in root's $PATH.

53. Users' home directories should be mode 750 or more restrictive:

logins -ox \
    | awk -F: '($8 == "PS" && $1 != "root") { print $6 }' \
    | grep /home/ \
    | while read dir
    do chmod g-w,o-rwx "$dir"
    done

54. No user dot-files should be group/world-writable:

logins -ox \
    | awk -F: '($8 == "PS") { print $6 }' \
    | while read dir
    do ls -d "$dir/".[!.]* |
        while read file
        do if [ ! -h "$file" -a -f "$file" ]
            then chmod go-w "$file"
            fi
        done
    done

55. Remove user .netrc, .rhosts and .shosts files:

logins -ox | cut -f6 -d: | while read h
do for file in "$h/.netrc" "$h/.rhosts" "$h/.shosts"
    do if [ -f "$file" ]
        then echo "removing $file"
            rm -f "$file"
        fi
    done
done

56. Set default umask for users:

cd /etc
for file in profile csh.login d.profile d.login
do echo umask 077 >> "$file"
done
ch_rc -a -p UMASK=077 /etc/default/security

57. Set "mesg n" as default for all users:

cd /etc
for file in profile csh.login d.profile d.login
do echo mesg n >> "$file"
done

58. Create warning banner for terminal logins:

banner="Authorized users only. All activity may \
be monitored and reported."
echo "$banner" >> /etc/motd
echo "$banner" > /etc/issue
chown root:sys /etc/motd
chown root:root /etc/issue
chmod 644 /etc/motd /etc/issue
