Managing Systems and Workgroups: A Guide for HP-UX System Administrators

ManualsBrandsHP ManualsSoftwareHP-UX 11i v1.6 Technical Computing (TCOE) LTU

961

962

963

964

965

966

967

968

969

970

Conﬁguring HP-UX Bastille: Interview

Bastille Conﬁguration Questions and Explanations for HP-UX

Appendix B 967

- "cat" directories such as those in /usr/share/man are used by the

"man" command to write pre-processed man pages. Eliminating the

world-writeable bit will cause a degradation in performance because

the man page will have to be reformatted every time it is accessed.

- Some directories may have incorrect owners and/or groups. Eliminating

world-writeable permissions on these directories have no effect if the

owner/group is set properly. For example, one problem with HP Openview

running without world-writeable directories was corrected by the following:

/usr/bin/chown root:sys /var/opt/OV/analysis/ovrequestd/config

This change has not been fully tested, but was shown to work when tested

in a limited, single-purpose environment.

- Change the directory /var/obam/translated may have an impact on non-root

users viewing help in obam (the GUI library used by swinstall, SAM,

older versions of ServiceControl Manager, and others)

- Eliminating the world-writeable permissions on socket directories has been

shown to stop the X server from operating properly. However, setting the

sticky bit instead (what this script will do by default) did not have the

same effects.

- There are several other directories which have world-writeable permissions.

Some of these are shipped with HP-UX, others are shipped with 3rd party

products, and others may have been created by users without an appropriate

umask set. Bastille will help you find those directories so that you can

make appropriate decisions for your environment. The full impact of making

these changes has not been analyzed.

As you run the script, it will create a "revert-directory-perms.sh"

script which will allow you to revert to a supported state (independent of

the rest of the HP-UX Bastille configurations, which are supported).

Because of the potential for very subtle breakages, you should also keep

a record of any changes which you make manually to your system so that

you can revert them to help debug any problems which you run into.

Running 'bastille -r' will revert all Bastille changes, including

running the revert-directory-perms.sh script, but it may not revert

changes you have made manually.

The fact that a directory is world-writeable does not imply that a

vulnerability exists, because it depends on how the data stored in that

directory is used. Still, it is a security best-practice to only grant

world-write permissions on temporary directories, such as /tmp and /var/tmp,

and to set the "sticky" bit on those directories. By default, the generated

script will set the "sticky" bit on all world-writeable directories.

If the "sticky" bit is set on a directory, only the file owner, directory

owner, and super-user are allowed to rename or delete (and thus replace)

the file, regardless of the group and world write permissions on the directory.