HP-UX 11i Security Book by Chris Wong

ISBN: 0130330620

Table of Contents

Chapter 1 Ready or not, here I come!

1.1 Attacks

1.2 What is needed to compromise a system?

1.3 Ten Ways To Become Root

1.3.1 Making a copy of the shell

1.3.2 Obtaining the password

1.3.2.1 Trial & Error

1.3.2.2 Crack

1.3.3 Sniffing

1.3.4 Dot (.) on path

1.3.5 Writing to hpterm

1.3.6 User with UID 0

1.3.7 Physical access

1.3.8 Buffer overflow

1.3.9 Social Engineering

1.3.10 FTP Daemon

1.4 What Can Happen When The System is Compromised?

1.5 Protection

1.6 A Letter to The CIO

1.7 Policies

Chapter 2 Passwords, Users, and Groups

2.1 The password File

2.1.1 The Encrypted Password

2.1.2 The passwd Command

2.1.2.1 Creating a new password

2.1.2.2 Confirming a password

2.2 The group File

2.2.1 Passwords on the Group file

2.2.2 The /etc/logingroup file

2.2.2.1 Linking the /etc/logingroup file

2.2.2.2 10x vs. 11x /etc/logingroup behavior

2.3 Tools

2.3.1 PWCK

2.3.2 GRPCK

2.3.3 Customized Script

2.3.4 vipw

2.4 Security Risk of the /etc/passwd File

2.5 Trusted System

2.5.1 Implementing a Trusted System

2.5.1.1 Implementing a Trusted System via SAM

2.5.1.2 Implementing a Trusted System via the Command Line

2.5.1.3 Important! Check root password

2.5.2 Details of the Trusted System

2.5.2.1 Trusted System: User File

2.5.2.2 Trusted System: System Default File

2.6 Trusted Systems & Tools

2.6.1 pwck

2.6.2 authck

2.6.3 Backing Up

2.6.4 Force Password Changes

2.7 Password Policies

2.7.1 Standard Password Policies

2.7.1.1 Aging

2.7.1.2 Forcing User to Change Password

2.7.2 Trusted System Password Policies

2.7.2.1 Password Selections

2.7.2.2 Password Length & Null Passwords

2.7.2.3 Aging

2.7.2.4 Forcing User to Change Password

2.8 What makes a good password

2.8.1 Bad Passwords

2.8.2 Good Passwords

2.8.3 Forcing Acceptable Passwords

2.8.4 Using npasswd

2.9 Passwords and Multiple Hosts

2.10 User Management

2.10.1 Adding a user

2.10.1.1 Skeleton files

2.10.1.2 Adding users with a script

2.10.1.3 Program to Generate Encrypted Password

2.10.2 Adding users with SAM Templates

2.10.3 Deleting a user

2.10.4 Changing a user password

2.10.4.1 Changing all users passwords

2.10.5 Locking/Deactivating a user

2.10.5.1 The modprpw command

2.10.6 Unlocking/Activating a user

2.10.7 Status of Important Users

2.11 Group Maintenance

2.12 Writing Scripts

2.13 The /etc/default/security File

2.13.1 Abort Login on Missing Home Directory

2.13.2 Change the Minimum Password Length

2.13.3 The /etc/nologin File

2.13.4 Limit number of concurrent sessions per user

2.13.5 Password History Depth

2.13.6 Restrict su to root by group membership

2.13.7 Default PATH variable when "su"ing

Chapter 3 Disks, File Systems, and Permissions

3.1 Disks

3.2 Logical Volume Manager

3.2.1 Physical Volumes

3.2.2 Volume Group

3.2.3 Logical Volume

3.3 VERITAS Volume Manager

3.4 File Systems

3.4.1 HFS

3.4.2 JFS (VxFS)

3.4.3 Creating a File System

3.5 The mount Command

3.5.1 Read Only Mount

3.5.2 JFS Disk Space Scrubbing

3.5.3 Protection from Disk Resource Attacks

3.6 File Permissions

3.6.1 Traditional UNIX File Permissions

3.6.2 Finding SUID/SGID Files

3.6.3 Directory Permissions

3.6.4 File Permission Quiz

3.6.5 The chmod command

3.6.5.1 chmod & Octal Number

3.6.5.2 chmod & Symbolic Modes

3.6.6 The umask

3.6.7 The chown Command

3.6.8 Home Directory Permissions

3.6.9 Permissions of programs installed with SD-UX

3.7 Access Control Lists (ACLs)

3.7.1 JFS & ACLs

3.7.1.1 Using the setacl command

3.7.1.2 ACL Inheritance

3.7.2 HFS & ACLs

3.7.3 Differences between HFS and JFS ACLs

3.7.4 Backing up ACLs

3.8 The chatr Command & the Executable Stack

3.8.1 Restricting Execute Permission on Stacks

3.9 Quotas

3.10 The NAS and SAN

3.10.1 Security and Network Attached Storage

3.10.2 Security and the Storage Area Network

3.10.3 World Wide Name

3.10.4 Secure Manager/XP

Chapter 4 System Access

4.1 The Internet Daemon

4.2 Modems

4.3 The /etc/dialups and /etc/d_passwd Files

4.4 Secure Web Console

4.4.1 Installing the Secure Web Console

4.4.2 Adding SWC Operators

4.4.3 Operator use of the Secure Web Console

4.4.4 Upgrading the Secure Web Console Firmware

4.4.5 Secure Web Console Documentation

4.4.6 Web Console How does it Work?

4.4.7 Secure Web Console, Authentication, Traffic & SSL

4.5 Physical Access & Boot Authentication

4.6 Guardian Service Processor

4.6.1 Lan Console Port

4.6.1.1 Summary of LAN console port security risk

4.6.2 Modem access to GSP

4.6.3 Using the GSP

4.7 Restrictions for Users

4.7.1 Restricting Login By Startup Script

4.7.2 Trusted Systems: Restricting By Time of Day

4.7.3 Trusted System: Enhanced Terminal Security

4.7.3.1 Terminal Security Policies

4.7.3.2 Restrictions on Specific Terminal

4.7.3.3 Restrictions on Terminal by User

4.7.4 Restrictions for root

4.7.4.1 root & securetty

4.7.4.2 Secure TTY & CDE

4.7.4.3 Secure TTY & Gnome

Chapter 5 Multi-Host Environments

5.1 The "R" Commands

5.1.1 The hosts.equiv File

5.1.2 The .rhosts File

5.1.3 Wildcard Characters in Equivalence Files

5.1.4 The rlogin Command

5.1.5 The rexec & remsh Command

5.1.6 The rcp Command

5.2 SSH

5.3 NIS

5.4 NIS+

5.5 LDAP

5.5.1 Installing the LDAP client

5.5.2 Migrating to LDAP

5.5.3 The nsquery Command

5.5.4 LDAP Security Considerations & Functionality

5.6 DNS and BIND

5.7 DHCP

5.8 NFS

5.9 CIFS/9000

Chapter 6 Distributing root Privileges

6.1 SUID/SGID Scripts and Programs

6.1.1 Breaking a SUID/SGID Script or Program

6.2 Restricted SAM

6.2.1 Configuring Restricted SAM using the Builder

6.2.1.1 Assigning Capabilities to User

6.2.2 Configuring Restricted SAM Command Line

6.2.3 Testing the Restricted SAM Configuration

6.2.4 How the non-root User Runs SAM

6.2.5 Maintenance and Auditing

6.2.6 Templates

6.2.6.1 Creating a Template

6.2.6.2 Assigning Users to Templates

6.2.7 Customizing SAM using the SAM interface

6.2.7.1 Creating a custom group

6.2.7.2 Creating a Custom Application

6.3 sudo

6.3.1 Installing sudo from linked binary

6.3.2 Installing sudo from source

6.3.3 Configure sudoers file

6.3.4 How the user executes sudo

6.3.5 Logging sudo activities

6.4 ServiceControl Manager

6.5 OpenView

6.6 Comparison of Tools

Chapter 7 ServiceControl Manager

7.1 Installation of The Central Management Server

7.2 Adding Nodes to the SCM Cluster

7.3 ServiceControl Manager Graphical User Interface

7.4 Adding Users

7.5 Role Assignments

7.6 Tools

7.7 Argument limitations

7.8 Web Interface

7.9 SCM Log Files

7.10 SCM and Security

7.11 Why use SCM?

Chapter 8 Internet Daemon Services

8.1 The Internet Daemon Startup

8.2 /etc/inetd.conf File

8.3 /etc/services File

8.4 /etc/protocols File

8.5 /var/adm/inetd.sec File

8.6 Understanding Socket Connections

8.7 TCPWRAPPERS

8.7.1 Installing tcpwrapper

8.7.2 Configuring tcpwrapper: Method #1

8.7.3 Configuring tcpwrapper: Method #2

8.7.4 tcpwrapper Check

8.7.5 tcpwrapper Access Control

8.8 Telnet

8.9 File Transfer Protocol

8.9.1 /etc/ftpd/ftpusers File

8.9.2 The FTP Configuration File

8.9.2.1 Files that no one can retrieve

8.9.2.2 Limit # of FTP sessions

8.9.2.3 Limit FTP Access by Time of Day / Day of Week

8.9.2.4 Suppressing System Information

8.9.2.5 Detailed Logging

8.9.2.6 Command Capabilities

8.9.3 The .netrc File

8.10 Anonymous FTP

8.11 Trivial FTP

8.12 Finger

8.13 Other Internet Services

8.14 Running other Services from inetd

Chapter 9 Kerberos

9.1 What is Kerberos Doing?

9.2 Installing Kerberos

9.2.1 The krb5.conf File

9.2.2 The kdc.conf File

9.2.3 The kadm5.acl file

9.3 Configuring Kerberos

9.4 Kerberos Utilities

9.5 Kerberos & HP-UX 10.20

9.6 Kerberos & rlogin

9.7 Kerberos & the P option

9.8 Some More About PAM

Chapter 10 IPSec/9000

10.1 IPSec Configuration

10.2 What is happening?

10.3 IPSec Tunnel Mode

10.4 Using IPSec/9000 as a Firewall

10.5 IP number and Mask

10.6 Managing Keys on IPSec/9000

Chapter 11 Monitoring System Activity

11.1 SYSLOG Daemon

11.2 The syslog File

11.3 The btmp File

11.4 The wtmp File

11.4.1 Login history displayed at login

11.5 The /etc/utmp File

11.6 The sulog File

11.7 The rc.log File

11.8 Shell History

11.9 Open Source Log Tools & Utilities

11.10 Log Rotation

11.12 Auditing

11.12.1 Configuring Auditing

11.12.2 Auditing Users

11.12.3 Auditing Events

11.12.4 Interpreting the Audit Log Data

11.13 Accounting

11.14 Utilizing Performance Data

11.14.1 The Performance Collection Daemon

11.14.1.1 The Parm File

11.14.1.2 Viewing the Collected Data using PerfView

11.14.1.3 Viewing the Collected Data using Extract

11.15 Monitoring System Resources

Chapter 12 Monitoring System Changes

12.1 System Configuration Repository

12.1.1 Installing SCR

12.1.2 Configuring SCR

12.1.3 Viewing the SCR information

12.1.4 Creating a Customized Filter

12.1.5 Comparing Collections

12.1.5 SCR and Security

12.2 Tripwire

12.2.1 Installing Tripwire

12.2.2 Configuring Tripwire

12.2.3 Using Tripwire

Chapter 13 NetAction

13.1 HP VirtualVault

13.2 Extranet VPN

13.3 HP Speedcard

13.4 HP PKI

13.5 Intrusion Detection System/9000

13.5.1 Installing & Configuring IDS/9000

13.5.2 Surveillance Groups and Schedules

13.5.3 Running IDS/9000

13.5.4 Responding to Alerts

13.5.5 How did it do?

Chapter 14 Building a Bastion Host by Kevin Steves

14.1 What is a Bastion Host?

14.2 Methodology

14.3 Sample Blueprint

14.3.1 Install HP-UX

14.3.2 Install Additional Products

14.3.3 Install Support Plus Bundle

14.3.4 Install Security Patches

14.3.4.1 Security Patch Check

14.3.5 First Steps

14.3.5.1 Optionally remove saved patches

14.3.5.2 Convert to a trusted system

14.3.5.3 Tighten global privileges

14.3.5.4 Fix PAM CDE problems

14.3.5.5 Fix hparray startup weirdness

14.3.5.6 Set default umask

14.3.5.7 Restrict root login to the console if desired

14.3.5.8 Enable inetd logging if inetd will remain enabled

14.3.5.9 Remove unneeded pseudo-accounts

14.3.5.10 Configure nsswitch.conf(4) policy

14.3.5.11 Change root home directory to /root

14.3.6 Disable Network Services (inetd Services)

14.3.7 Disable Other Services

14.3.7.1 Prevent syslogd from listening on the network

14.3.7.2 Disable SNMP daemons

14.3.7.3 Disable swagentd (SD-UX) daemon

14.3.7.4 Disable sendmail daemon

14.3.7.5 Disable rpcbind daemon

14.3.8 Disable Other Daemons

14.3.9 Examine Set-id Programs

14.3.10 Examine File Permissions

14.3.11 Security Network Tuning

14.3.12 Install Software and Test Configuration

14.3.13 Create System Recovery Tape

14.4 Conclusion

Chapter 15 The Checklist, Security Patches, & Misc.

15.1 The Checklist

15.2 The HP-UX Security Patch Check Tool

15.3 The HP-UX Security Book Website

15.4 Continuing your Knowledge

15.5 Mail

15.6 Protecting your System Against "Ten Ways to Become root"

15.7 The Bastille Hardening System

15.8 IPFilter/9000

 

    

 Copyright 2007 NEWFDAWG.COM All rights reserved.     Last modified: 02/03/07.