Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Administering a System: Managing System Security
Guidelines for Running a Secure System
Chapter 8, page 780
Mount the foreign file system read-only at that location, for example, by loading the disk and typing:

# mount /dev/disk1 /securefile -r

Check all directories for special objects and privileged programs, and verify the identity of every program.

Run ncheck -s to scan for setuid and setgid programs and device files, and investigate any suspicious findings.

Remount the system read-write and remove any unnecessary setuid and setgid permissions from files that you discovered in the previous step. These precautions are especially important if a user requests that you mount a personal file system.

Only after performing these tests should you unmount the file system and remount it in its desired location.
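The audit steps above, as an added example that is not part of the HP-UX guide: a small shell script that lists setuid/setgid programs and device files under a mount point and strips the setuid/setgid bits from files the administrator has reviewed. It uses POSIX find as a portable stand-in for ncheck -s (an assumption; on HP-UX you would run ncheck -s itself).

```shell
#!/bin/sh
# Added example, not from the HP-UX guide. Audit a read-only mounted
# foreign file system for privileged objects, then clean up selectively.
# Assumes POSIX find, ls and chmod; find replaces HP-UX's ncheck -s here.

# Print one line per finding: KIND<TAB>MODE<TAB>PATH
scan_privileged() {
    dir=$1
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        printf 'setid\t%s\t%s\n' "$(ls -ld "$f" | cut -c1-10)" "$f"
    done
    # Device nodes on a user-supplied disk deserve the same scrutiny:
    # -type b is a block special file, -type c a character special file
    find "$dir" \( -type b -o -type c \) -print |
    while IFS= read -r f; do
        printf 'device\t%s\t%s\n' "$(ls -ld "$f" | cut -c1-10)" "$f"
    done
}

# Number of findings, handy as a pass/fail figure for a scheduled check
count_privileged() {
    scan_privileged "$1" | wc -l | tr -d ' '
}

# Remove setuid and setgid bits from the named files only; run this
# after remounting read-write, on files you have judged unnecessary.
strip_setid() {
    for f in "$@"; do
        chmod u-s,g-s "$f"
    done
}
```

Run scan_privileged on the mount point while it is still read-only, review the listing, and only then remount read-write and pass the files you chose to strip_setid.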
Be sure to unmount all mounted file systems of a user whose account you are disabling or removing.

For information on files mounted in an NFS environment, see “Controlling Security on a Network” on page 783.
Guidelines for Handling Security Breaches
A security breach can present itself in many different ways:

Someone might report unexpected or destructive behavior by a common program.
You might notice a sudden increase in your system’s load average, causing the computer not to respond well.
Read/write permissions or ownership might be changed from what you expect.
The byte count of a system file changes unexpectedly.
Anything that seems to deviate from normal system behavior might suggest tampering. If you suspect a security breach, such as a virus or worm, handle it by limiting its immediate impact.

1. Shut down the system.
2. Bring the system up in a single-user state, its barest minimum. This limits the impact, depending on the symptoms. From a single-user state, analyze the problem and clean it up.