No other book offers this much HP-UX specific security coverage! In this authoritative, comprehensive administrator's guide, leading HP-UX consultant Chris Wong covers every key aspect of HP-UX host security. Wong introduces "hot-off-the-press" HP-UX 11i capabilities and techniques for keeping mission-critical systems safe -- even when firewalls fail and backdoors are discovered. Coverage includes: securing NFS, UUCP, NNTP, DNS, NIS, NTP, the X Window System, and much more. Wong also introduces key public-domain HP-UX security tools, showing how to install, configure, and take full advantage of them. For all HP-UX system administrators, from novice to advanced level, and for consultants, managers, security specialists, and others responsible for securing HP-UX systems.
Foreword.
Preface.
1. Ready or Not, Here I Come!
Attacks. What Is Needed to Compromise a System? Ten Ways To Become root. What Can Happen When the System Is Compromised? Protection. A Letter to the CIO. Policies.
The password File. The Group File. Tools. Security Risk of the /etc/passwd File. Trusted System. Trusted Systems and Tools. Password Policies. What Makes a Good Password? Passwords and Multiple Hosts. User Management. Group Maintenance. Writing Scripts. The /etc/default/security File.
Disks. Logical Volume Manager. VERITAS Volume Manager. File Systems. The mount Command. File Permissions. Access Control Lists. The chatr Command and the Executable Stack. Quotas. The NAS and SAN.
The Internet Daemon. Modems. The /etc/dialups and /etc/d_passwd Files. Secure Web Console. Physical Access and Boot Authentication. Guardian Service Processor. Restrictions for Users.
The “r” Commands. SSH. NIS. NIS+. LDAP. DNS and BIND. DHCP. NFS. CIFS/9000.
SUID/SGID Scripts and Programs. Restricted SAM. Sudo. ServiceControl Manager. OpenView. Comparison of Tools.
Installation of the Central Management Server. Adding Nodes to the SCM Cluster. ServiceControl Manager Graphical User Interface. Adding Users. Role Assignments. Tools. Argument Limitations. Web Interface. SCM Log Files. SCM and Security. Why Use SCM?
The Internet Daemon Startup. /etc/inetd.conf File. /etc/services File. /etc/protocols File. /var/adm/inetd.sec File. Understanding Socket Connections. Tcpwrappers. Telnet. File Transfer Protocol. Anonymous FTP. Trivial FTP. Finger. Other Internet Services. Running Other Services from inetd.
What is Kerberos Doing? Installing Kerberos. Configuring Kerberos. Kerberos Utilities. Kerberos and HP-UX 10.20. Kerberos and rlogin. Kerberos and the -P Option. More about PAM.
IPSec Configuration. What Is Happening? IPSec Tunnel Mode. Using IPSec/9000 as a Firewall. IP Number and Mask. Managing Keys on IPSec/9000.
syslog Daemon. The syslog File. The btmp File. The wtmp File. The /etc/utmp File. The sulog File. The rc.log File. Shell History. Open Source Log Tools and Utilities. Log Rotation. Auditing. Accounting. Utilizing Performance Data. Monitoring System Resources. Managing System Resources.
System Configuration Repository. Tripwire.
HP VirtualVault. Extranet VPN. HP Speedcard. HP PKI. Intrusion Detection System/9000.
What Is a Bastion Host? Methodology. Sample Blueprint.
The Checklist. The HP-UX Security Patch Check Tool. The HP-UX Security Book Web Site. Continuing Your Knowledge. Mail. Protecting Your System Against “Ten Ways to Become root”. The Bastille Hardening System. IPFilter/9000.
Welcome to the world of HP-UX security! The title of this book may be HP-UX 11i Security, but much of the contents are applicable to any version of HP-UX. Sections of this book are true for any flavor of UNIX, but this book differentiates itself from other UNIX security books by focusing on the functionality unique to the HP-UX environment.
I first became interested in UNIX security after several systems I managed were compromised. I was new to UNIX. I had previously worked on an IBM System/36 and on the HP e3000. I had attended two HP-UX classes; the first was on UNIX fundamentals and the second on system administration. At that time the latest version of the operating system was HP-UX 9. Looking back, I was very naive about the security of the system. As I recall, I spent a great deal of time trying to manage disk space, running fsck, dealing with the fact that there never seemed to be enough inodes, and learning the vi editor. Security was not a major concern and nobody told me that it should be.
I have experienced several security-related episodes. The first was when the majority of accounts were compromised after the password file was cracked and distributed through a "club" of hackers who met weekly at a community college. Another incident involved a ninth grader whom we managed to track down to a local school. This intruder was selling accounts, distributing pirated game software, and mailing child pornography to his friends. I still can recall the comments from the instructor I spoke to: "This boy has the capacity to do these sort of things, very skilled, a real wiz." I can also recall the frustration when the parents, who by the way both worked at Microsoft, refused to believe their child would do such a thing. Another incident involved the local FBI office calling after a user at a remote site used our mail server to send a death threat to the President of the United States.
I was very fortunate during these incidents. The HP-UX systems that were compromised were not running any mission-critical applications. I quickly realized how much I did not know about securely administering a UNIX system. As I learned more, I began sharing my knowledge with other administrators at user meetings and conferences. From this experience, I noticed that, like myself, others learn the best by viewing examples, so I have included many examples in this book.
The book was designed primarily for system and security administrators. Programmers, system analysts, and developers will find the contents useful for integrating HP-UX functionality and security into development projects. Any non-technical individual can benefit by reading Chapter 1 and gaining a greater appreciation for the tasks of the system administrator.
Since this is a book on HP-UX host security, I have concentrated on the areas of system administration that are necessary to have a secure system. For example, a thorough understanding of permissions and user management is essential. In addition, I have covered a variety of no-charge HP-UX add-on products with a slant on using these products to better secure the environment. There are a few purchasable HP-UX products that are also covered.
Writing a book is a unique experience, especially when you contract "writer's disease," as another author called it. One of the hardest parts of writing a book is to be able to say, "this is what it is." By this I mean that there is always more I wanted to add. The problem with this is that the book will never get completed. I decided that I could not include every single public-domain security package or in-depth details on topics such as SSH, IPSec, and key distribution. There are already excellent books available that focus specifically on these very issues.
Where instructions on installing and configuring applications are included, I would recommend that you always download current instructions from the application's source and follow the most current prerequisites, instructions, and release notes. The instructions included in this book may assist with any required workarounds. The companion web site to this book, http://newfdog.hpwebhost.com/hpuxsecurity, is a good place to check for information on installing and configuring later releases of software.
As with any software, it is your responsibility to make sure you comply with any export regulations and license-to-use issues. In addition, the author, publisher, Hewlett-Packard, and Cerius Technology Group assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
This book is also not a security "cookbook." If someone tells you they have a security "cookbook," they are understating security issues. The closest item in this book to a cookbook would be a combination of Chapter 14, Building a Bastion Host, by Kevin Steves and the security checklist found in Chapter 15. There can be no "cookbook" since all environments are unique. The circumstances that make an environment unique must be addressed by those who are familiar with the environment.