When you have to secure a system you probably have come to the dilemma ‘Which method is the best? Bastille or manual hardening?’ at least I did it.
Bastille is a very good option, it will ease the process and you can even use the “Install Time Security” during the installation of new systems or use the configuration files in an already runing system (the files are in /etc/opt/sec_mgmt/bastille/configs/defaults), but some time ago I decide that it didn’t suit my needings since I like to mantain the control of the whole process.
If you really want to be sure that every corner in your systems is properly secured and monitored it is worthwhile to spend some time studiying your severs and the services running and its dependencies. After the compilation of all that data you can develop a generic security policy and use it as starting-point to customize the security of every server.
In the end of course this is up to you, you must choose whatever suits better your needings.
Recently a friend asked me about HP-UX security and where to find useful information. We have to admit it, there are not many resources out there about HP-UX security and the great majority of them are obsolete since they are about HP-UX 10.20 or even 9.x. Let’s take a look…
HP Docs is the first place to look for information, there you will find a lot of docs regarding HP-UX security, IPFilter, HP-UX Bastille and other products and manuals concerning security. Following is a reference of useful docs that can be found on this site:
- The most up to date document is HP-UX System Administrator’s Guide: Security Management, this is the main reference for any HP-UX admin. It covers HP-UX 11iv3 and is filled with detailed information on how-to protect your system, how is the security implemented in HP-UX and an appendix with references to other security products of HP that can be used to hardening your systems.
- HP-UX 11i Security Containment Administrator’s Guide HP-UX 11.23
- HP9000 Computer Systems: Administering Your HP-UX Trusted System. Useful information concerning older systems.
- HP-UX System Administration Tasks: HP9000. It has full chapter about system security, useful for older systems.
- Managing Systems and Workgroups: A Guide for HP-UX System Administrators. HP-UX 11iv1 and 11iv2 information.
Second in our small list is the yet classic but still very useful Kevin Steves’ great document “Building a Bastion Host Using HP-UX 11“. This is without any doubt (at least for me) the best document about HP-UX hardening ever done. Although it was written seven years ago it still applies to a wide variety of areas.
In the Center fo Information Security you will find the “CIS Level 1 Benchmark for HP-UX“. These benchmarks are a compilation of security confiigurations, settings and best practices. Current version applies to all three versions of HP-UX 11i so it is worthwhile to read them. It will ask for registration prior to allow you to download the docs.
In the ITRC Forums there is a HP-UX Security forum, it is not the most active forum in ITRC but if you post a question you will find that the people is willing to help you.
HP Security Bulletins. Throught ITRC you can subscribe to several digests and bulletins, including the HP-UX Security and HP-UX 11.x patches.
Security specific websites. There are a lot of sites and portals focused in security, and in all of them you can find papers about Unix security hardening in general and even some HP-UX specific papers, but as I said at the begining most of them are obselete. I usually read Security Focus but there are many others just do a search in Google and you will find them.
Security mailing lists. Probably the most known security mailing list is Bugtraq but there are others, they talk about HP-UX security bugs from time to time.
And this is the end… well not really. These are the resources I use in my everyday work, if any of you know about other resources please comment them.
See you next time.