HP-UX 11i Security

by
Edition: 1st
Format: Paperback
Pub. Date: 2001-09-24
Publisher(s): Prentice Hall
List Price: $47.24


Summary

HP-UX 11i Security is the industry's most authoritative, comprehensive guide to securing HP-UX hosts. From powerful new HP-UX 11i security features to leading public-domain security tools, no other book offers as much HP-UX-specific security guidance.

Author Biography

CHRIS WONG has worked on HP systems since the mid-1980s. She is an HP Certified Technical Professional/Consultant on HP-UX 11, the HP e3000, High Availability, System Consolidation, and the XP. She is also an HP OpenView Certified Consultant and Integration Expert. Currently, she is a technical consultant for Cerius Technology Group, an HP Channel Partner.

Table of Contents

Foreword ... xv
Preface ... xvii

Ready or Not, Here I Come! ... 1
  Attacks ... 2
  What is Needed to Compromise a System? ... 4
  Ten Ways to Become root ... 5
    Making a Copy of the Shell ... 5
    Obtaining the Password ... 7
    Sniffing ... 8
    Dot (.) on path ... 10
    Writing to hpterm ... 11
    User with UID 0 ... 12
    Physical Access ... 13
    Buffer Overflow ... 13
    Social Engineering ... 14
    FTP Daemon ... 14
  What Can Happen When the System is Compromised? ... 15
  Protection ... 16
  A Letter to the CIO ... 17
  Policies ... 18

Passwords, Users, and Groups ... 21
  The password File ... 21
    The Encrypted Password ... 23
    The Password Command ... 23
  The Group File ... 24
    Passwords on the Group File ... 26
    The /etc/logingroup File ... 27
  Tools ... 28
    pwck ... 28
    grpck ... 30
    Customized Script ... 30
    vipw ... 30
  Security Risk of the /etc/passwd File ... 30
  Trusted System ... 31
    Implementing a Trusted System ... 37
    Details of the Trusted System ... 39
  Trusted Systems and Tools ... 43
    pwck ... 43
    authck ... 43
    Backing Up ... 44
  Force Password Changes ... 45
  Password Policies ... 45
    Standard Password Policies ... 45
    Trusted System Password Policies ... 48
  What Makes a Good Password? ... 51
    Bad Passwords ... 51
    Good Passwords ... 52
    Forcing Acceptable Passwords ... 52
    Using npasswd ... 52
  Passwords and Multiple Hosts ... 54
  User Management ... 54
    Adding a User ... 54
    Adding Users with SAM Templates ... 59
    Deleting a User ... 63
    Changing a User Password ... 64
    Locking/Deactivating a User ... 65
    Unlocking/Activating a User ... 74
    Status of Important Users ... 75
  Group Maintenance ... 76
  Writing Scripts ... 76
  The /etc/default/security File ... 77
    Abort Login on Missing Home Directory ... 77
    Change the Minimum Password Length ... 78
    The /etc/nologin File ... 78
    Limit Number of Concurrent Sessions Per User ... 79
    Password History Depth ... 79
    Restrict su to Root by Group Membership ... 80
    Default PATH Variable When ``su''ing ... 80

Disks, File Systems, and Permissions ... 82
  Disks ... 82
  Logical Volume Manager ... 84
    Physical Volumes ... 85
    Volume Group ... 85
    Logical Volumes ... 87
  VERITAS Volume Manager ... 88
  File Systems ... 88
    HFS ... 88
    JFS (VxFS) ... 88
  Creating a File System ... 89
  The Mount Command ... 89
    Read-Only Mount ... 91
    JFS Disk Space Scrubbing ... 91
    Protection from Disk Resource Attacks ... 91
  File Permissions ... 93
    Traditional UNIX File Permissions ... 93
    Finding SUID/SGID Files ... 96
    Directory Permissions ... 101
    File Permission Quiz ... 103
    The chmod Command ... 104
    The umask ... 106
    The chown Command ... 107
    Home Directory Permissions ... 108
    Permissions of Programs Installed with SD-UX ... 109
  Access Control Lists ... 110
    JFS and ACLs ... 111
    HFS and ACLs ... 120
    Differences between HFS and JFS ACLs ... 121
    Backing Up ACLs ... 121
  The chatr Command and the Executable Stack ... 121
    Restricting Execute Permission on Stacks ... 122
  Quotas ... 123
  The NAS and SAN ... 126
    Security and Network Attached Storage ... 126
    Security and the Storage Area Network ... 127
    World-Wide Name ... 127
    Secure Manager/XP ... 128

System Access ... 130
  The Internet Daemon ... 131
  Modems ... 135
    The /etc/dialups and /etc/d_passwd Files ... 136
  Secure Web Console ... 137
    Installing the Secure Web Console ... 138
    Adding SWC Operators ... 141
    Operator Use of the Secure Web Console ... 144
    Upgrading the Secure Web Console Firmware ... 146
    Secure Web Console Documentation ... 150
    Web Console---How Does it Work? ... 151
    Secure Web Console, Authentication, Traffic, and SSL ... 152
  Physical Access and Boot Authentication ... 153
  Guardian Service Processor ... 154
    LAN Console Port ... 159
    Modem Access to GSP ... 166
    Using the GSP ... 167
  Restrictions for Users ... 169
    Restricting Login by Startup Script ... 169
    Trusted Systems: Restricting by Time of Day ... 170
    Trusted System: Enhanced Terminal Security ... 171
    Restrictions for root ... 174

Multi-Host Environments ... 176
  The ``r'' Commands ... 176
    The hosts.equiv File ... 177
    The .rhosts File ... 178
    Wildcard Characters in Equivalence Files ... 181
    The rlogin Command ... 182
    The rexec and remsh Command ... 183
    The rcp Command ... 184
  SSH ... 184
  NIS ... 185
  NIS+ ... 188
  LDAP ... 189
    Installing the LDAP Client ... 190
    Migrating to LDAP ... 191
    The nsquery Command ... 196
    LDAP Security Considerations and Functionality ... 197
  DNS and BIND ... 198
  DHCP ... 199
  NFS ... 199
  CIFS/9000 ... 201

Distributing root Privileges ... 203
  SUID/SGID Scripts and Programs ... 204
    Breaking an SUID/SGID Script or Program ... 204
  Restricted SAM ... 207
    Configuring Restricted SAM Using the Builder ... 208
    Configuring Restricted SAM---Command Line ... 210
    Testing the Restricted SAM Configuration ... 211
    How the Non-root User Runs SAM ... 212
    Maintenance and Auditing ... 213
    Templates ... 213
    Customizing SAM Using the SAM Interface ... 215
  Sudo ... 219
    Installing sudo from Linked Binary ... 219
    Installing sudo from Source ... 219
    Configure sudoers File ... 220
    How the User Executes sudo ... 221
    Logging sudo Activities ... 221
  ServiceControl Manager ... 221
  OpenView ... 222
  Comparison of Tools ... 222

ServiceControl Manager ... 223
  Installation of the Central Management Server ... 223
  Adding Nodes to the SCM Cluster ... 229
  ServiceControl Manager Graphical User Interface ... 232
  Adding Users ... 234
  Role Assignments ... 235
  Tools ... 237
  Argument Limitations ... 247
  Web Interface ... 251
  SCM Log Files ... 253
  SCM and Security ... 255
  Why Use SCM? ... 257

Internet Daemon Services ... 259
  The Internet Daemon Startup ... 259
  /etc/inetd.conf File ... 259
  /etc/services File ... 260
  /etc/protocols File ... 261
  /var/adm/inetd.sec File ... 261
  Understanding Socket Connections ... 261
  tcpwrappers ... 262
    Installing tcpwrapper ... 262
    Configuring tcpwrapper: Method 1 ... 264
    Configuring tcpwrapper: Method 2 ... 264
    tcpwrapper Check ... 265
    tcpwrapper Access Control ... 265
  Telnet ... 267
  File Transfer Protocol ... 269
    /etc/ftpd/ftpusers File ... 271
    The FTP Configuration File ... 272
    The .netrc File ... 276
    Anonymous FTP ... 277
    Trivial FTP ... 280
  Finger ... 281
  Other Internet Services ... 282
  Running Other Services from inetd ... 283

Kerberos ... 284
  What is Kerberos Doing? ... 285
  Installing Kerberos ... 286
    The krb5.conf File ... 288
    The kdc.conf File ... 289
    The kadm5.acl File ... 290
  Configuring Kerberos ... 290
  Kerberos Utilities ... 304
  Kerberos and HP-UX 10.20 ... 304
  Kerberos and rlogin ... 305
  Kerberos and the -P Option ... 306
  More about PAM ... 308

IPSec/9000 ... 310
  IPSec Configuration ... 311
  What is Happening? ... 318
  IPSec Tunnel Mode ... 321
  Using IPSec/9000 as a Firewall ... 321
    IP Number and Mask ... 321
  Managing Keys on IPSec/9000 ... 323

Monitoring System Activity ... 324
  syslog Daemon ... 324
  The syslog File ... 326
  The btmp File ... 327
  The wtmp File ... 328
    Login History Displayed at login ... 329
  The /etc/utmp File ... 331
  The sulog File ... 333
  The rc.log File ... 334
  Shell History ... 334
  Open Source Log Tools and Utilities ... 336
  Log Rotation ... 337
  Auditing ... 340
    Configuring Auditing ... 341
    Auditing Users ... 344
    Auditing Events ... 346
    Interpreting the Audit Log Data ... 350
  Accounting ... 352
  Utilizing Performance Data ... 355
    The Performance Collection Daemon ... 356
  Monitoring System Resources ... 364
  Managing System Resources ... 365

Monitoring System Changes ... 366
  System Configuration Repository ... 366
    Installing SCR ... 367
    Configuring SCR ... 367
    Viewing the SCR Information ... 371
    Creating a Customized Filter ... 374
    Comparing Collections ... 375
    SCR and Security ... 376
  Tripwire ... 376
    Installing Tripwire ... 376
    Configuring Tripwire ... 379
    Using Tripwire ... 383

NetAction ... 386
  HP VirtualVault ... 386
  Extranet VPN ... 389
  HP Speedcard ... 390
  HP PKI ... 390
  Intrusion Detection System/9000 ... 391
    Installing and Configuring IDS/9000 ... 393
    Surveillance Groups and Schedules ... 396
    Running IDS/9000 ... 401
    Responding to Alerts ... 403
    How Did it Do? ... 403

Building a Bastion Host, by Kevin Steves ... 406
  What is a Bastion Host? ... 407
  Methodology ... 407
  Sample Blueprint ... 408
    Install HP-UX ... 409
    Install Additional Products ... 413
    Install Support Plus Bundle ... 414
    Install Security Patches ... 414
    First Steps ... 416
    Disable Network Services (inetd Services) ... 420
    Disable Other Services ... 422
    Disable Other Daemons ... 426
    Examine set-id Programs ... 429
    Examine File Permissions ... 430
    Security Network Tuning ... 431
    Install Software and Test Configuration ... 433
    Create System Recovery Tape ... 433

Checklist, Security, Patches, and Miscellaneous Topics ... 435
  The Checklist ... 435
  The HP-UX Security Patch Check Tool ... 438
  The HP-UX Security Book Web Site ... 443
  Continuing Your Knowledge ... 443
  Mail ... 444
  Protecting Your System Against ``Ten Ways to Become root'' ... 447
  The Bastille Hardening System ... 450
  IPFilter/9000 ... 451

Index ... 452

Excerpts

Preface

Welcome to the world of HP-UX security! The title of this book may be HP-UX 11i Security, but much of the contents are applicable to any version of HP-UX. Sections of this book are true for any flavor of UNIX, but this book differentiates itself from other UNIX security books by focusing on the functionality unique to the HP-UX environment.

I first became interested in UNIX security after several systems I managed were compromised. I was new to UNIX. I had previously worked on an IBM System/36 and on the HP e3000. I had attended two HP-UX classes; the first was on UNIX fundamentals and the second on system administration. At that time the latest version of the operating system was HP-UX 9. Looking back, I was very naive about the security of the system. As I recall, I spent a great deal of time trying to manage disk space, running fsck, dealing with the fact that there never seemed to be enough inodes, and learning the vi editor. Security was not a major concern and nobody told me that it should be.

I have experienced several security-related episodes. The first was when the majority of accounts were compromised after the password file was cracked and distributed through a "club" of hackers who met weekly at a community college. Another incident involved a ninth grader whom we managed to track down to a local school. This intruder was selling accounts, distributing pirated game software, and mailing child pornography to his friends. I still can recall the comments from the instructor I spoke to: "This boy has the capacity to do these sort of things, very skilled, a real wiz." I can also recall the frustration when the parents, who by the way both worked at Microsoft, refused to believe their child would do such a thing. Another incident involved the local FBI office calling after a user at a remote site used our mail server to send a death threat to the President of the United States.

I was very fortunate during these incidents. The HP-UX systems that were compromised were not running any mission-critical applications. I quickly realized how much I did not know about securely administering a UNIX system. As I learned more, I began sharing my knowledge with other administrators at user meetings and conferences. From this experience, I noticed that, like myself, others learn the best by viewing examples, so I have included many examples in this book.

The book was designed primarily for system and security administrators. Programmers, system analysts, and developers will find the contents useful for integrating HP-UX functionality and security into development projects. Any non-technical individual can benefit by reading Chapter 1 and gaining a greater appreciation for the tasks of the system administrator.

Since this is a book on HP-UX host security, I have concentrated on the areas of system administration that are necessary to have a secure system. For example, a thorough understanding of permissions and user management is essential. In addition, I have covered a variety of no-charge HP-UX add-on products with a slant on using these products to better secure the environment. There are a few purchasable HP-UX products that are also covered.

Writing a book is a unique experience, especially when you contract "writer's disease," as another author called it. One of the hardest parts of writing a book is to be able to say, "this is what it is." By this I mean that there is always more I wanted to add. The problem with this is that the book will never get completed. I decided that I could not include every single public-domain security package or in-depth details on topics such as SSH, IPSec, and key distribution. There are already excellent books available that focus specifically on these very issues.

Where instructions on installing and configuring applications are included, I would recommend that you always download current instructions from the application's sour
