HP-UX System Administrator's Guide: Security Management HP-UX 11i v3 (B3921-90020, September 2010)

3. Verify that each node in the administrative domain does not extend privileges to
any nodes that are not included. Repeat steps 2 and 3 for each node in the domain.
4. Control root and local security on every node in the administrative domain. A
user with superuser privileges on any machine in the domain can acquire those
privileges on every machine in the domain.
5. Maintain consistency of user name, uid, and gid among password files in the
administrative domain.
6. Maintain consistency among any group files on all nodes in the administrative
domain. For example, to check consistency with the hq and mfg systems, if the
root file system of the mfg system is remotely mounted to hq as /nfs/mfg/, enter
the following diff command:
$ diff /etc/group /nfs/mfg/etc/group
If any differences are displayed, the two /etc/group files are inconsistent,
which they should not be.
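A plain diff shows that two files differ but not which entries break the rule in step 5. The following sketch is an added example, not part of the HP guide: it compares two passwd(4)-format files and reports user names whose uid or gid differs and uids that belong to different names. The function names and the sample entries are constructed for illustration.

```shell
# Added example: compare two passwd(4)-format files for the consistency in step 5.

# check_passwd_consistency FIRST SECOND
# Prints one line per finding; returns 0 if consistent, 1 otherwise.
check_passwd_consistency() {
    awk -F: '
        # Skip blank lines, comments, and +/- NIS compatibility entries.
        /^[ \t]*$/ || /^#/ || /^[+-]/ { next }
        FILENAME == ARGV[1] {       # first file: record name -> uid:gid and uid -> name
            ids[$1] = $3 ":" $4
            owner[$3] = $1
            next
        }
        # Same user name, different uid or gid on the second node.
        ($1 in ids) && ids[$1] != ($3 ":" $4) {
            printf "MISMATCH %s: uid:gid %s vs %s\n", $1, ids[$1], $3 ":" $4
            bad = 1
        }
        # Same uid, different user name: files owned by one map to the other over NFS.
        ($3 in owner) && owner[$3] != $1 {
            printf "UID-REUSE %s: %s vs %s\n", $3, owner[$3], $1
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample data (not from the guide): passwd extracts for hq and mfg.
demo() {
    d=${TMPDIR:-/tmp}/pwcheck.$$; mkdir -m 700 "$d" || return 2
    cat > "$d/hq" <<'EOF'
root:*:0:3::/:/sbin/sh
alice:*:1001:20::/home/alice:/usr/bin/sh
bob:*:1002:20::/home/bob:/usr/bin/sh
EOF
    cat > "$d/mfg" <<'EOF'
root:*:0:3::/:/sbin/sh
alice:*:1001:20::/home/alice:/usr/bin/sh
bob:*:1005:20::/home/bob:/usr/bin/sh
carol:*:1002:20::/home/carol:/usr/bin/sh
EOF
    rc=0
    check_passwd_consistency "$d/hq" "$d/mfg" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "password files are inconsistent"
```

With the mount from the example in step 6, the same function would be called as check_passwd_consistency /etc/passwd /nfs/mfg/etc/passwd.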
4.5.1 Verifying Permission Settings on Network Control Files
The network control files in the /etc directory are security targets because they provide
access to the network itself. Network control files should never be writable by the
public.
Set the modes, owners, and groups on all system files carefully. Check these files
regularly for changes and correct any that you find.
The most commonly used network control files are as follows:
/etc/exports
List of file directories that can be exported to NFS clients. For more information,
see exports(4).
/etc/hosts
List of network hosts and their IP addresses. For more information, see hosts(4).
/etc/hosts.equiv
List of remote hosts that are allowed access and that are equivalent to the local
host. For more information, see hosts.equiv(4).
/etc/inetd.conf
Internet Services configuration file. For more information, see inetd.conf(4).
/etc/netgroup
List of networkwide groups. For more information, see netgroup(4).
/etc/networks
List of network names and their network numbers. For more information, see
networks(4).
4.5 Controlling an Administrative Domain 75