Manualshelf

Safe and Powerful: Security in HP-UX System Management Homepage (SMH)

ManualsBrandsHP ManualsSoftwareHP-UX System Administration
12345678910
10
The error log and access_log files are stored on the system at /opt/hpsmh/logs. The
System Management Homepage Error Log contains error information generated by SMH
modules and CGI execution errors (httpd). It is the first place to look when a problem occurs
with starting the server or with server operation because, the log often contains details of
what went wrong and how to fix the problem. The access_log records all requests processed
by the server. So all the URLs accessed will be logged in the access_log, which might be
helpful during auditing. Log records related to Tomcat are stored in a file catalina.out in
the directory /opt/hpsmh/tomcat/logs.
Bastille (IPFilter) and its affect on SMH Partition
Manager
Bastille is a system hardening program that enhances the security of an HP-UX host. It
configures daemons, system settings, and firewalls to be more secure. It can shut off services
and tools that are not required such as rcp(1) and rlogin(1), and can help to limit the
vulnerability of common internet services such as Web servers and DNS.
One of the facilities that Bastille uses to lock down a system is IP filtering. For information
about the requirements when using IP filtering with Partition Manager, see the Partition
Manager online help. If Bastille's interactive user interface is used, be aware of these issues
when answering the questions asked by Bastille.
Bastille also has three install-time security options that are represented by the following files in
/etc/opt/sec_mgmt/bastille:
HOST.config
This is a host-based lockdown, without IPFilter configuration. There is no impact on Partition
Manager when this configuration is used.
MANDMZ.config
This is a fairly tight lockdown, but allows select network ports that are used by common
management protocols and tools. For example, WBEM continues to function when this
configuration is used.
To open Partition Manager under this configuration, SSH must be used or changes must be
made to enable ports 2301 and 2381 (both ports are also required for SMH). You can
ensure that Partition Manager can be opened on a system where ports 2301 and 2381 have
been disabled. To do this, prior to running Bastille adjust the IP filtering by adding the
following entries to the /etc/opt/sec_mgmt/bastille/ipf.customrules file:
pass in quick proto tcp from any to any port = 2301 flags S/0xff keep state keep frags
pass in quick proto tcp from any to any port = 2381 flags S/0xff keep state keep frags
For more information, see the ipf(5) manpage.
DMZ.config
This is a tight lockdown. To open Partition Manager under this configuration SSH must be
used. Bastille also impacts using Partition Manager to remotely manage a system where
Bastille is enabled. After the normal transfer of certificates, Partition Manager will work as
described above if the HOST.config or MANDMZ.config configurations are used. However,
the DMZ.config configuration blocks WBEM traffic and thus prevents the usage of Partition
Manager for remotely managing the system.