Managing Systems and Workgroups: A Guide for HP-UX System Administrators

ManualsBrandsHP ManualsSoftwareHP-UX 11i v1.6 Technical Computing (TCOE) LTU

981

982

983

984

985

986

987

988

989

990

Conﬁguring HP-UX Bastille: Interview

Bastille Conﬁguration Questions and Explanations for HP-UX

Appendix B 981

One alternative is CIFS/9000 (Samba). It is still a clear-text,

shared file system and therefore still raises security concerns, but unlike

NFS, CIFS/9000 at least requires the user to authenticate (prove they are who

they say they are) before reading or writing to files. Other alternatives

include tunneling NFS through IPSec or Secure Shell, but this can take

quite a bit of effort to setup and may degrade performance.

Miscellaneous

Daemons

Q: Would you like to deactivate NFS client daemons? [Y] [Y]

NFS (Network File System) client daemons include automount, autofs,

and biod.

automount/autofs allow non-root users to mount nfs file systems, which reduces the

burden on administrator, and allows for a more flexible operating environment.

However automount/autofs allows any user to perform an operation that is normally

restricted to root. There is an inherent security benefit to removing

privileges from non root accounts.

autofs is the updated version of automountd. They have similar security properties,

but one or the other may not be applicable to your operating system version.

biod, block I/O daemons, are used on an NFS client to handle read-ahead and

write-behind buffer caching, which improves nfs mounted file systems

performance. Turning this service off will have performance impacts if this

machine is still used as a nfs client.

NFS has a history of major security vulnerabilities, as well as

being a clear-text protocol. Any data transferred by NFS can be monitored

by any other network machine. Transferred data includes file handles, which

can then be used to modify files. These services can be made safer if they

are locked behind a firewall that will block NFS packets from entering or

leaving your network. It is best to deactivate them until you can investigate

whether or not you need NFS and how to best secure it.

Miscellaneous

Daemons

Q: Would you like to deactivate NIS server programs? [Y] [Y]

An NIS (Network Information System) server is used to distribute

network naming and administration information to other machines on a network

NIS is a system used for synchronizing key host information,

including account names and passwords. It is a clear-text protocol, and can be

easily compromised to gain access to accounts on the system. If you are

really interested in using NIS, you should configure your network firewall to block N

traffic coming in and going out of your network.

On many systems, including trusted-mode HP-UX systems, passwords are not only

encrypted but also readable only by the super-user. This defense measure was

taken because encrypted passwords can be decrypted fairly quickly with today's