Security

The default security configuration file in HP-UX is /etc/default/security

To prevent users from logging in:

 01. Set the NOLOGIN variable in /etc/default/security to 1 (NOLOGIN=1).
 02. Create the /etc/nologin file containing the text you want displayed to users who are refused. While the file exists only root can log in; remove it to re-open logins.

To make HP-UX store the encrypted passwords in /etc/shadow (readable only by root) instead of in the world-readable /etc/passwd (shadow password mode). Note that shadow mode and Trusted System mode are mutually exclusive; a trusted system keeps its password data under /tcb instead.

 # pwconv

To switch back from shadow mode to standard mode (the hashes return to /etc/passwd, so this weakens the system)

 # pwunconv

To list all failed login attempts (read from /var/adm/btmps)

 # lastb

To force the user "user1" to change his password at the next login

 # passwd -f user1

To make the root password expire 90 days after it was last changed

 # passwd -x 90 root

To show the password status and aging values for root. The fields are: login name, status (PS = password set, LK = locked, NP = no password), date of the last password change, minimum days between changes, and maximum days the password is valid counted from the change date (a warning-days field follows when one is set). In the example below the root password was last changed on 06/26/08 and expires 126 days after that date:

 passwd -s root
 root  PS    06/26/08    0  126

To remove a user's password (blank password; the account can then log in without any password, which is why audits should flag it)

 passwd -d user1

To lock user1's password entry

 passwd -l user1  # replaces the password field with *, which no hash can match

Format of /etc/shadow (one line per account, colon-separated; lastchange and expiration are counted in days since 1970-01-01, and a lastchange of 0 forces a password change at the next login)

 loginname:password:lastchange:mindays:maxdays:warndays:inactivity:expiration:reserved
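As an added example that is not part of the original notes, the POSIX sh script below audits entries in the /etc/shadow format above using the same aging fields that passwd -s reports: it flags accounts with no password, locked accounts, passwords that must be changed at the next login, expired passwords, and expired accounts. The sample entries are constructed (HASHED stands in for a real hash; none of them come from a real system), and "today" is passed in as a day count so the run is reproducible.

```sh
#!/bin/sh
# Added example: audit /etc/shadow-style entries for weak or stale password state.
# Fields: login:password:lastchange:mindays:maxdays:warndays:inactivity:expiration:reserved
# lastchange and expiration are days since 1970-01-01; lastchange 0 forces a change at next login.

# Constructed sample entries (HASHED stands in for a real password hash).
SAMPLE_SHADOW='root:HASHED:14056:0:126:7:::
user1:*:14000:0:90:7:::
svc1::14000:0:90:7:::
olduser:HASHED:13500:0:90:7:::
guest:HASHED:14000:0:90:7::14090:
fresh:HASHED:0:0:90:7:::
noage:HASHED:14000:::::'

# shadow_audit TODAY  (reads shadow lines on stdin; TODAY is days since the epoch)
# Prints one line per account: login STATE [detail]
shadow_audit() {
    awk -F: -v today="$1" '
    /^#/ || NF < 2 { next }
    {
        login = $1; pw = $2; last = $3; max = $5; expire = $8
        if (pw == "")      { print login, "NOPASSWORD"; next }   # logs in with no password
        if (pw ~ /^[*!]/)  { print login, "LOCKED"; next }       # passwd -l style lock
        if (expire != "" && today + 0 >= expire + 0) {
            print login, "ACCOUNT_EXPIRED", "expired_day=" expire; next
        }
        if (last != "" && last + 0 == 0) { print login, "MUST_CHANGE"; next }
        if (last != "" && max != "" && max + 0 > 0) {
            left = last + max - today
            if (left < 0) { print login, "PASSWORD_EXPIRED", "days_overdue=" (-left); next }
            print login, "OK", "days_left=" left; next
        }
        print login, "OK", "no_aging"    # no maxdays: the password never expires
    }'
}

# Sample run against the constructed data with "today" = day 14100 (August 2008).
printf '%s\n' "$SAMPLE_SHADOW" | shadow_audit 14100
# Live use (as root), assuming a date command that supports +%s:
#   shadow_audit "$(( $(date +%s) / 86400 ))" < /etc/shadow
```

The root entry mirrors the passwd -s example in these notes (last change 06/26/08, 126-day maximum); on day 14100 it still has 82 days left, while "olduser" is 510 days overdue and "svc1" has no password at all.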

Some files related to logged-in users

 /var/adm/wtmps  ## all successful logins; read with the last command
 /var/adm/btmps  ## all bad (failed) logins; read with lastb
 /var/adm/utmps  ## the currently logged-in users; read with the who command

Standard Mode Security Extensions

A security attribute defines how a security setting, such as password policy, login control or auditing, is enforced. The security attributes description file, /etc/security.dsc, lists the attributes that can be set either system-wide in /etc/default/security, per user in the user database in /var/adm/userdb, or in both. Some attributes are configurable and some are internal.

To check the status of local user accounts

 # userstat -a 

When an account has been locked because of too many authentication failures, root can unlock it by

 01. su'ing to the account
            or
 02. # userdbset -d -u username auth_failures   (deletes the stored failure count for that user)

To display all attributes for user "user1"

 # userdbget -u user1

To set the minimum password length to 7 and the umask to 0022 for user user1

 # userdbset -u user1 MIN_PASSWORD_LENGTH=7 UMASK=0022

To identify and repair problems in the user database

 # userdbck

Account locking if OpenSSH is used

If you are using OpenSSH:

  • Make sure PAM support is enabled by setting UsePAM yes in sshd_config; without it the HP-UX failure counting and lockout described above do not apply to SSH logins.
  • You may want to disable password authentication by setting PasswordAuthentication no in sshd_config. Without this, you will be prompted two additional times for your password if your account is locked (although you still won't be able to authenticate).
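A grep for those two keywords is not enough to confirm them: sshd uses the first value it finds for a keyword, ignores comments, matches keyword names case-insensitively, and treats lines after a Match block as applying to that block only. The POSIX sh script below is an added example (not part of the original notes or of OpenSSH) that reports the effective global values and warns when they are not UsePAM yes and PasswordAuthentication no. Both configuration texts are constructed, and the OpenSSH defaults assumed for unset keywords are UsePAM no and PasswordAuthentication yes.

```sh
#!/bin/sh
# Added example: check the effective UsePAM and PasswordAuthentication settings in an
# sshd_config, not just whether the keywords appear somewhere in the file.
# sshd takes the FIRST value given for a keyword, ignores comments, matches keywords
# case-insensitively, and lines after a "Match" block apply only to that block.

# sshd_effective KEYWORD  (reads sshd_config text on stdin)
# Prints the first global value for KEYWORD in lower case, or "default" if it is not set.
sshd_effective() {
    awk -v key="$1" '
    BEGIN { key = tolower(key) }
    {
        sub(/#.*/, "")                # drop comments
        sub(/^[ \t]+/, "")            # drop leading whitespace
        if ($0 == "") next
        split($0, f, /[ \t=]+/)       # "Key value" or "Key=value"
        k = tolower(f[1])
        if (k == "match") exit        # global section ends at the first Match block
        if (k == key && !found) { found = 1; val = f[2] }
    }
    END { print (found ? tolower(val) : "default") }'
}

# sshd_check CONFIG_TEXT  -> prints warnings; returns 1 if either setting is not as wanted.
sshd_check() {
    pam=$(printf '%s\n' "$1" | sshd_effective UsePAM)
    pwa=$(printf '%s\n' "$1" | sshd_effective PasswordAuthentication)
    # Assumed OpenSSH defaults for unset keywords: UsePAM no, PasswordAuthentication yes
    [ "$pam" = default ] && pam=no
    [ "$pwa" = default ] && pwa=yes
    rc=0
    [ "$pam" = yes ] || { echo "WARN: UsePAM is '$pam'; want yes so the HP-UX failure counter and lockout apply"; rc=1; }
    [ "$pwa" = no ]  || { echo "WARN: PasswordAuthentication is '$pwa'; want no"; rc=1; }
    return $rc
}

# Constructed configs (not from any real host). The weak one looks hardened on a casual grep.
WEAK_CFG='Port 22
PasswordAuthentication yes
#PasswordAuthentication no
PasswordAuthentication no     # ignored: the first value above wins
Match User backup
    UsePAM yes'

HARDENED_CFG='UsePAM yes
PasswordAuthentication no
Port 22'

echo "weak config:";     sshd_check "$WEAK_CFG" || echo "rejected"
echo "hardened config:"; sshd_check "$HARDENED_CFG" && echo "ok"
# Live use: sshd_check "$(cat /opt/ssh/etc/sshd_config)"   (path assumed; use your sshd_config)
```

On the weak text the script reports PasswordAuthentication as yes (the first value) and UsePAM as unset, because the only UsePAM line sits inside a Match block; the hardened text passes.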

Adding and removing users

useradd

 useradd 
        -u uid
        -g group      ## primary group
        -G groups     ## other groups the user should be a member of
        -d dir        ## home directory
        -c comment 
        -m            ## create the home directory if it does not exist
        -s shell
        -k skel_dir
        -o            ## allow the UID to be non-unique (a duplicate of an existing account's UID)
        -D            ## manage the defaults for the other options
        -t template   ## template to use when loading the option defaults

To change the default base directory for new users' home directories from /home to /u01

 # useradd -D -b /u01
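Because useradd -o permits duplicate UIDs (including a second UID 0), a periodic check of /etc/passwd is worth having. The POSIX sh script below is an added example, not part of the original notes or of HP-UX: it reads passwd-format lines and reports extra UID 0 accounts, duplicate UIDs, empty password fields (which in standard, non-shadow mode mean login without a password), and malformed lines. The sample entries are constructed.

```sh
#!/bin/sh
# Added example: audit /etc/passwd-style entries for problems the useradd options above
# can introduce: duplicate UIDs (useradd -o), extra UID 0 accounts, empty password fields
# (in standard, non-shadow mode an empty field means login without a password), and
# malformed lines. Sample entries are constructed, not taken from any real system.

SAMPLE_PASSWD='root:x:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
user1:x:101:20:User One:/home/user1:/usr/bin/sh
toor:x:0:3:Second root:/:/sbin/sh
user2:x:101:20:Duplicate UID:/u01/user2:/usr/bin/sh
guest::102:20::/home/guest:/usr/bin/sh
broken:x:103'

# passwd_audit  (reads passwd lines on stdin; prints one finding per line)
passwd_audit() {
    awk -F: '
    NF != 7 { print "MALFORMED", $0; next }       # a passwd entry has exactly 7 fields
    {
        name = $1; pw = $2; uid = $3
        if (uid + 0 == 0 && name != "root") print "UID0", name
        if (pw == "")                       print "EMPTYPW", name
        if (uid in seen) print "DUPUID", uid, seen[uid], name
        else             seen[uid] = name
    }'
}

printf '%s\n' "$SAMPLE_PASSWD" | passwd_audit
# Live use: passwd_audit < /etc/passwd
```

The constructed data yields five findings: toor is reported both as an extra UID 0 account and as a duplicate of root's UID, user2 duplicates user1's UID 101, guest has an empty password field, and the truncated "broken" line is flagged as malformed.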

HP-UX Bastille

HP-UX Bastille is a security hardening and lockdown tool that raises system security by applying one of several levels of hardening. It integrates with HP Systems Insight Manager, can report on the system's security configuration, and can compare the current security settings against a saved baseline.

It can be used for

  • securing world-writable files
  • securing user logins and cron
  • turning off unneeded inetd services
  • making sendmail, the FTP server, Apache and DNS more secure
  • stopping the print scheduler and its daemons when they are not needed
  • performing other security configuration actions
  • running SWA (Software Assistant) or SPC (Security Patch Check) to report missing patches
  • configuring an IPFilter-based firewall

The key Bastille files are

  • /etc/opt/sec_mgmt/bastille/config # answers from the most recently saved session
  • /etc/opt/sec_mgmt/bastille/log/error-log # errors generated while running Bastille
  • /etc/opt/sec_mgmt/bastille/action-log # the steps taken while Bastille ran
  • /etc/opt/sec_mgmt/bastille/revert/revert-actions # records the files changed when Bastille was run, so the changes can be reverted

Install-Time Security Bundles

There are four predefined security configuration bundles

  1. Sec00Tools # installs the install-time security infrastructure only; no security changes
  2. Sec10Host # host-based lockdown; no firewall; many common clear-text services are turned off, but telnet and ftp are left enabled
  3. Sec20MngDMZ # lockdown; the IPFilter firewall blocks incoming connections except common secured management protocols
  4. Sec30DMZ # full lockdown; IPFilter blocks all incoming connections except SSH

Privileged groups: setprivgrp (man 1m setprivgrp), getprivgrp, privgrp, /etc/privgrp