Managing Systems and Workgroups: A Guide for HP-UX System Administrators

ManualsBrandsHP ManualsSoftwareHP-UX 11i v1.6 Technical Computing (TCOE) LTU

981

982

983

984

985

986

987

988

989

990

Conﬁguring HP-UX Bastille: Interview

Bastille Conﬁguration Questions and Explanations for HP-UX

Appendix B986

If you do not plan to use this system as a web server, then

it is recommended that you deactivate your Apache 2.x web server. Programs

that require an Apache server installed but do not bind to port 80 will still

be able start their own instances of the web server. If you do not plan to

use your Apache 2.x server immediately, then you should deactivate it until

you need it. Minimalism is a critical part of good site security.

NOTE: This will not turn off copies of Apache or other web servers if

they are supplied with individual products.

Apache Q: Would you like to chroot your Apache Server? [N] [N]

Apache 1.3.19 and higher for HP-UX have a chroot script built

into the distribution. Bastille has detected that your version of Apache

has this functionality. This script makes a copy of Apache and related

binaries and libraries and places them inside of a chroot jail. This

allows Apache to run with limited file system access. If you are not

currently running the Apache web server then answer no to this question.

The apache server, httpd, is given access to several compilers and system

libraries so that it can process cgi's, login attempts, etc... One way to

lessen the risk presented by this special status is to lock the daemon

(httpd) into a "chroot jail." In this case, the daemon has access to

only a small segment of the file system, a directory created specifically for

the purpose of giving the daemon access to only the files it needs.

The adjective "chroot'ed" is derived from "change root", since

Bastille sets the daemon's root directory(/)tosome child node in the

directory tree. Note, for experts: a root process can break out of a

chroot jail, but this is still an effective deterrent, especially since

Bastille will limit the number of common root attack vectors within the jail.

NOTE: If a security vulnerability is found in one of the files that has been

placed inside of the "chroot jail" then that file must be manually patched

by copying the fixed file(s) into the jail.

NOTE: If you have a 1.3.x version of apache installed as well as a 2.x

version, then both will be chrooted.

NOTE: This chroot script was written to provide for a fully functional web

server inside of a chroot'ed environment. For additional security remove

unneeded libraries and compilers as they may not all be used by your

Apache server.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,

see TODO list for details)

FTP Q: Would you like to disallow ftpd system account logins? [Y]

ftpusers file allows the administrator to set accounts that shall not

be allowed to log in via the ftpd. Default system users should not normally be

allowed access to the system through the ftpd, as it sends the username and

password in clear text over the network. Bastille will disallow ftp logins to