General Guidelines
- As with all operating systems, it is important to patch frequently,
using the patches provided by the vendor.
- Enforce the rule of least privilege. Access to resources and
information should be limited to the minimum level needed to execute
a task or function. In practical terms, if you don't need to have
ftp access, don't leave the ftp daemon running. Don't let everyone
have write access to your directories. (For that matter, question
whether anyone besides you needs read access.)
- Turn off unneeded services in
/etc/inetd.conf.
- Use TCP wrappers to restrict
access to services.
- Clean up the startup scripts stored in /etc/rc.config.d.
This directory contains several files, each containing a variable
set to either 1 or 0. A setting of 1 means the service will start at
boot. A setting of 0 will keep the service from starting automatically.
Your needs may vary, but the following list of files is a good starting
point for most machines:
Dmiconfig
SnmpHpunix
SnmpMaster
SnmpMib2
SnmpTrpDst
apacheconf
audio
comsec
egcd
ems
fc_td_conf
hparamgr
hparray
hpfcmsconf
kks
lp
mailservs
savecrash
scrdaemon
vjed
vt
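As an added example (not from the original page), the following shell script reports which of the rc.config.d files named above still enable a service and then flips those assignments to 0, keeping a .orig copy of each file. It assumes each file holds whole-line NAME=1 / NAME=0 assignments as the text describes, and takes the directory as a parameter so it can be tried on a copy before touching /etc/rc.config.d.

```shell
#!/bin/sh
# Files from the list above. Assumption: each holds lines of the form
# NAME=1 or NAME=0 (other settings in the same file are left untouched).
RC_FILES="Dmiconfig SnmpHpunix SnmpMaster SnmpMib2 SnmpTrpDst apacheconf
audio comsec egcd ems fc_td_conf hparamgr hparray hpfcmsconf kks lp
mailservs savecrash scrdaemon vjed vt"

# Print "file VARIABLE" for every listed file that still has a NAME=1 line.
rc_enabled_services() {
    dir="$1"
    for f in $RC_FILES; do
        [ -f "$dir/$f" ] || continue
        # Only whole-line assignments of 1 count; comments and other values are ignored.
        sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=1[[:space:]]*$/\1/p' "$dir/$f" \
            | while read -r var; do printf '%s %s\n' "$f" "$var"; done
    done
}

# Flip every such assignment to 0; the original file is saved once as FILE.orig.
rc_disable_services() {
    dir="$1"
    rc_enabled_services "$dir" | while read -r f var; do
        [ -f "$dir/$f.orig" ] || cp "$dir/$f" "$dir/$f.orig"
        sed "s/^\([[:space:]]*$var\)=1[[:space:]]*$/\1=0/" "$dir/$f" > "$dir/$f.tmp" &&
            mv "$dir/$f.tmp" "$dir/$f"
    done
}

# Exit status 0 only when nothing in the list is still set to start at boot.
rc_all_disabled() {
    [ -z "$(rc_enabled_services "$1")" ]
}
```

Run rc_enabled_services /etc/rc.config.d first to review the report, then rc_disable_services on the same directory.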
- Before adding user accounts, run a port scanning program (such as
nmap) against your machine to see which ports are open.
- Use IPFilter, a network packet filtering program available in
HP-UX 11i. IPFilter works at the kernel level and allows for
a great deal of customization and flexibility. Complete
configuration instructions and IPFilter information are available
from http://www.obfuscation.org/ipf/ipf-howto.txt.
- Restrict login practices.
- Run a port scanning program (such as nmap) against your machine to
see which ports are open. If you're installing from scratch, do this
before you start adding user accounts. If you're upgrading, do it
before you give users permission to start using the system again.
It's also a good idea to check your ports from time to time just
to see if anything has changed since your last portscan.
- Create superuser accounts to maintain administrative accountability.
Restrict Login Practices
Start by disabling telnet in /etc/inetd.conf and requesting
that your users log in via ssh. Telnet should not be used because it
sends all its data (including passwords) across the network unencrypted.
This means that it is relatively easy to intercept anything you type
during a telnet session. SSH encrypts this information, making it very
difficult to intercept and use without specialized equipment.
There are a variety of free ssh clients for Mac OS and Windows,
and WSG maintains OpenSSH
Encaps for most major
flavors of Unix.
WSG also recommends disabling login, shell, and exec for the same reasons.
Next, create the file /etc/securetty with the single word
console as its contents. This prevents root access unless
you are sitting at the console or are using su.
Finally, create a file called /etc/default containing the
following lines:
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
NOLOGIN=1
NUMBER_OF_LOGINS_ALLOWED=3
This prevents users from logging into the machine if they don't have a
home directory defined in /etc/passwd and will prevent a
user from logging in with more than three concurrent sessions.
Use superuser accounts instead of root
The main reason for creating superuser accounts is accountability.
By creating these superusers, a user must su to the account,
which creates a record in /var/adm/syslog/syslog.log that
user X su'ed to superuser Y. If anything unexpected happens
after that point, there is a record of the last person on the system
who had the ability to modify its behavior.
To create a superuser account, add a user (sufoo, for example) just
as you would add any other new user. Next, open /etc/passwd
and change sufoo's UID to 0. To avoid cluttering the system with
unnecessary home directories, you can also change sufoo's passwd
entry so that it shares a home directory with root (thereby keeping all
the root user files in one place) or foo (assuming that foo will be
the one using the sufoo account).
You can further restrict su access by adding a line to
/etc/security and to /etc/group.
In /etc/security, add the following line:
SU_ROOT_GROUP=super
In /etc/group, add something like this:
super::75:root,smith,jones
This means only users root, smith, and jones have the ability to
su on the system. The group number (75) is arbitrary
and can be any number as long as it isn't used by another group
on the system.
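An added example (not part of the original page) for auditing the superuser setup described above: it lists the UID 0 accounts in a passwd file, flags any that are neither root nor on an expected list, reads the members of the su group, reports members with no account, and checks that the group's GID is not used by another group. File paths and the group name are parameters; the sample data used to exercise it is constructed.

```shell
#!/bin/sh
# Point these at /etc/passwd and /etc/group on the real system; the
# functions take file paths so they can also be run against copies.

# Print every account whose UID is 0, one per line.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print UID-0 accounts that are neither root nor in the expected
# space-separated list given as $2 (e.g. "sufoo susmith").
unexpected_uid0() {
    expected=" root $2 "
    uid0_accounts "$1" | while read -r u; do
        case "$expected" in
            *" $u "*) ;;                 # sanctioned superuser account
            *) printf '%s\n' "$u" ;;     # anything else deserves a look
        esac
    done
}

# Print the members of group $2 from group file $1 (nothing if absent).
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# Print members of group $2 (in $1) that have no entry in passwd file $3.
members_without_account() {
    group_members "$1" "$2" | while read -r m; do
        awk -F: -v u="$m" '$1 == u { found = 1 } END { exit !found }' "$3" \
            || printf '%s\n' "$m"
    done
}

# Exit 0 when GID $2 belongs to exactly one group in $1, as the text requires.
gid_unique() {
    [ "$(awk -F: -v g="$2" '$3 == g' "$1" | wc -l)" -eq 1 ]
}
```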
Refine and log superuser access
Distributing the root password to multiple users is generally a bad idea.
The system administrator and his or her backup should be the only people
with this password. In some cases, there may be users with a legitimate
need to perform administrative work. The sudo tool can be
used to allow non-privileged users to execute commands as root and is
available as an Encap from
http://encap.cites.uiuc.edu/search/search.cgi.
Sudo relies on /etc/sudoers to determine user privilege levels. For example,
if we wanted to give users 'smith' and 'jones' the authority to perform
certain system tasks, /etc/sudoers might look like this:
User_Alias WEBADMIN = smith, jones
Cmnd_Alias APACHE = /usr/local/sbin/apachectl
WEBADMIN ALL = NOPASSWD: APACHE