Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Configuring HP-UX Bastille: Interview
Bastille Configuration Questions and Explanations for HP-UX
Appendix B 987
a WU-FTPD server from the following users: root, daemon, bin, sys, adm, uucp, lp,
nuucp, hpdb, and guest. If you have a compelling reason to allow these users
ftp access, then answer no to this question. Use this as a secondary measure
if you have already chosen to deactivate the ftp server.
HP_UX Q: Would you like to enable kernel-based stack execute protection? [Y]
A common way to gain privileged access is to provide some type
of out-of-bounds input that is not checked by a program. This input can be
used to overflow the stack in a way that leaves some cleverly written
instructions stored in a place that will be executed by the program. The
HP-UX kernel has the ability to disallow execution of commands from the
stack. This will contain many of these types of attacks, making them
ineffective. Because this is done at the kernel level, it is
independent of any application which may have a vulnerability of this type.
Note that this will also break some applications (Example: Java 1.2 programs
will fail if using JDK/JRE 1.2.2 versions older than 1.2.2.06) which
were designed to execute code off of the stack. However, you can run
"chatr +es <executable_file>" to override this for individual
programs if they break.
On HP-UX versions prior to 11.22, changing the kernel parameter
"executable_stack" requires Bastille to recompile the kernel.
Ensure that the current running kernel is /stand/vmunix. A backup of the old
kernel will be placed in /stand/vmunix.prev and /stand/dlkm.vmunix.prev.
If you answer yes to this question on HP-UX 11.11, you must reboot your
system for this change to take effect.
(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION on HP-UX 11.11,
see TODO list for details)
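The release-dependent procedure above (a kernel rebuild and reboot before 11.22, a dynamic tunable afterwards, and a per-program chatr override for software that legitimately runs code on its stack) is easy to get wrong by hand. The following POSIX sh script is an added example, not part of this guide or of Bastille itself: it plans, but does not run, the executable_stack change for a given release string. It assumes release strings look like `uname -r` output ("B.11.11"), that executable_stack takes the values documented in executable_stack(5) (0 = stack not executable, 1 = executable, 2 = executable with a warning), that the static-tunable sequence on pre-11.22 systems is kmtune, mk_kernel, kmupdate and a reboot, and that chatr(1) accepts "+es enable|disable".

```shell
#!/bin/sh
# Added example, not from the HP-UX guide or from Bastille's own code.
# Prints (does not execute) the steps needed to turn on kernel stack
# execute protection for a given HP-UX release string.
# Assumptions (labelled): release strings look like `uname -r` output,
# e.g. "B.11.11"; executable_stack values follow executable_stack(5):
# 0 = stack not executable, 1 = executable (default), 2 = executable with
# a warning; chatr(1) accepts "+es enable|disable".

# "B.11.11" -> 1111, "B.11.31" -> 1131 (major*100 + minor), for comparisons
es_release_number() {
    rel=${1#B.}                       # drop the leading "B."
    major=${rel%%.*}                  # text before the first dot
    minor=${rel#*.}                   # text after the first dot ...
    minor=${minor%%.*}                # ... up to the next dot, if any
    echo $((major * 100 + minor))
}

# Exit 0 when the release is older than 11.22, where the text says the
# tunable change requires a kernel rebuild
es_needs_kernel_rebuild() {
    [ "$(es_release_number "$1")" -lt 1122 ]
}

# Exit 0 when a reported executable_stack value means the stack is protected
es_value_protected() {
    [ "$1" -eq 0 ]
}

# Per-binary override for a program that must run code on its stack
# (the Java 1.2 case mentioned in the text); assumed chatr syntax
es_override_cmd() {
    echo "chatr +es enable $1"
}

# Print the ordered steps for the given release
es_plan() {
    if es_needs_kernel_rebuild "$1"; then
        echo "kmtune -s executable_stack=0"   # stage the static tunable
        echo "mk_kernel"                       # build the new kernel
        echo "kmupdate"                        # install it at next boot; the text
                                               # says the old kernel is kept as
                                               # /stand/vmunix.prev
        echo "shutdown -r -y 0"                # reboot, as required on 11.11
    else
        echo "kctune executable_stack=0"       # dynamic tunable on 11.22 and later
    fi
}

# Usage: sh es_plan.sh "$(uname -r)"
if [ -n "${1:-}" ]; then
    es_plan "$1"
fi
```

Run it with the output of `uname -r` on the target host to see the steps for that release; `es_value_protected` can be fed the value read back from kmtune or kctune to confirm the change took effect after the reboot.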
HP_UX Q: Would you like to restrict remote access to swlist? [Y]
The swagentd daemon allows for remote access to list and
install software on your system. This is a great feature for remote
administration. Security Patch Check can use this to query
remote machines. Unfortunately, it can also be a security risk since
it makes patch and other critical system information available
to anyone inside that system's firewall. For that reason, we
recommend that you disallow swagentd's default remote read access.
HP_UX Q: Would you like Bastille to make the suggested ndd changes? [Y]
ndd is a utility for getting and setting network device parameters.
The following is a list of ndd changes Bastille will make (which are some of
the recommendations from the "HP-UX Bastion Host Whitepaper"):
Default => Suggested
-----------------------------------------------------------------------
ip_forward_directed_broadcasts 1 => 0
ip_forward_src_routed 1 => 0