There are some features of the system which you will not use but which cannot be removed. It may be that something you do want to use is dependent upon the feature, or that it is so integrated into the system that removing it is more difficult than disabling it and monitoring it.

Disable Needed Pseudo-Accounts

Pseudo-accounts which are needed for proper operation of the system should be configured so that no individual can gain access with the account. The remaining pseudo-accounts should be disabled. The password entry should have an invalid shell program and an invalid home directory; this will disable remote connections. On HP-UX, the needed pseudo-accounts are bin, sys, and adm:

    bin:*:2:2:NO LOGIN:/bin/false:/dev/null
    sys:*:2:2:NO LOGIN:/bin/false:/dev/null
    adm:*:2:2:NO LOGIN:/bin/false:/dev/null

Red Hat Linux 7.2 contains the following pseudo-accounts:

    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    operator:x:11:0:operator:/root:/sbin/nologin
    rpm:x:37:37::/var/lib/rpm:/bin/bash

Disable Internet Services

Misuse of network services is the most common method of attack; therefore, only required network services should be enabled and all nonessential services should be disabled. It is rare that a system will not require some network services, so it is unlikely that the internet daemon can be removed from the system. All services, except for those specifically required, should be disabled. On HP-UX the internet services are controlled by the inetd daemon. These services are disabled by de-configuring them in the inetd configuration file, /etc/inetd.conf.
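A check for the pseudo-account rule above (every account that should not give a session must carry an invalid shell), written as an added POSIX shell example rather than code from the book; the set of no-login shells, the 500 system-UID cutoff, and the sample data are assumptions, the sample being the Red Hat 7.2 entries quoted above plus one constructed weak line.

```shell
#!/bin/sh
# Added example (not from the original text): audit a passwd-format file for
# pseudo-accounts that could still be used to obtain a session.  The sample
# is the Red Hat Linux 7.2 entries quoted in the text plus one constructed
# weak entry (guest) so that an empty password field is also reported.

# Shells that cannot give a session; any other shell is reported (assumption).
NOLOGIN_SHELLS="/bin/false /usr/bin/false /sbin/nologin /usr/sbin/nologin /dev/null"

# find_login_capable_accounts FILE MAX_SYSTEM_UID
# For every non-root account with UID below MAX_SYSTEM_UID, prints
# "name shell" when the shell is not in NOLOGIN_SHELLS, and
# "name EMPTY-PASSWORD" for any account whose password field is empty.
find_login_capable_accounts() {
    awk -F: -v max="$2" -v nologin="$NOLOGIN_SHELLS" '
        BEGIN { n = split(nologin, s, " "); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
        NF < 7 || $1 == "root"      { next }
        $2 == ""                    { print $1, "EMPTY-PASSWORD" }
        $3 + 0 < max && !($7 in ok) { print $1, $7 }
    ' "$1"
}

# Constructed sample passwd file (see header comment).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
operator:x:11:0:operator:/root:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/bin/bash
guest::99:99::/tmp:/bin/sh
EOF
}

# Stand-alone run: on a live system pass /etc/passwd instead of the sample.
tmp=$(mktemp) && sample_passwd > "$tmp" && find_login_capable_accounts "$tmp" 500
rm -f "$tmp"
```

Note that sync, shutdown and halt are reported too: their "shells" are programs that run at login, so the auditor should confirm they are wanted rather than silently accept them.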
The default inetd.conf file for HP-UX 11i has the following services enabled:

    ftp      stream tcp nowait root /usr/lbin/ftpd      ftpd -l
    telnet   stream tcp nowait root /usr/lbin/telnetd   telnetd
    shell    stream tcp nowait root /usr/lbin/remshd    remshd
    exec     stream tcp nowait root /usr/lbin/rexecd    rexecd
    ntalk    dgram  udp wait   root /usr/lbin/ntalkd    ntalkd
    ident    stream tcp wait   bin  /usr/lbin/identd    identd
    printer  stream tcp nowait root /usr/sbin/rlpdaemon rlpdaemon -i
    daytime  stream tcp nowait root internal
    daytime  dgram  udp nowait root internal
    time     stream tcp nowait root internal
    echo     stream tcp nowait root internal
    echo     dgram  udp nowait root internal
    discard  stream tcp nowait root internal
    discard  dgram  udp nowait root internal
    chargen  stream tcp nowait root internal
    chargen  dgram  udp nowait root internal
    kshell   stream tcp nowait root /usr/lbin/remshd    remshd -K
    klogin   stream tcp nowait root /usr/lbin/rlogind   rlogind -K

Red Hat Linux 7.2 has replaced the inetd daemon with xinetd. The processes which are controlled by xinetd are listed in the directory /etc/xinetd.d. In this directory there is a configuration file for each service which xinetd is to handle; these files describe the program which services the protocol. To enumerate the services and their start-up state, the following grep command can be used:

    grep disable /etc/xinetd.d/*

This lists the files and the lines containing the disable directive:

    /etc/xinetd.d/chargen:        disable = yes
    /etc/xinetd.d/chargen-udp:    disable = yes
    /etc/xinetd.d/daytime:        disable = yes
    /etc/xinetd.d/daytime-udp:    disable = yes
    /etc/xinetd.d/echo:           disable = yes
    /etc/xinetd.d/echo-udp:       disable = yes
    /etc/xinetd.d/rsync:          disable = yes
    /etc/xinetd.d/time:           disable = yes
    /etc/xinetd.d/time-udp:       disable = yes

To disable a service, its file should contain the directive disable = yes. However, for compatibility, the /etc/inetd.conf file is also used by xinetd, so both have to be examined to see what processes are enabled.
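Because both /etc/inetd.conf and /etc/xinetd.d have to be examined, this added example (not from the book) merges the two into a single list of services that would actually start; the sample files it writes are constructed from the lines quoted above, and it assumes the defaults block of /etc/xinetd.conf does not disable anything further.

```shell
#!/bin/sh
# Added example (not from the original text): list the network services a
# host would really start by reading BOTH /etc/inetd.conf and /etc/xinetd.d.
# The sample files written by make_samples are constructed from the text.

# enabled_inetd_services FILE
# Service name of every active (non-comment, non-blank) inetd.conf line.
enabled_inetd_services() {
    awk 'NF == 0 || $1 ~ /^#/ { next } { print $1 }' "$1"
}

# enabled_xinetd_services DIR
# Name of every service file in DIR not carrying "disable = yes".  xinetd
# treats a missing disable attribute as enabled, so only an explicit "yes"
# (with or without spaces around "=") counts.  The "disabled =" list in the
# defaults block of /etc/xinetd.conf is not consulted here (assumed empty).
enabled_xinetd_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f" || basename "$f"
    done
}

# all_enabled_services ROOT
# Merged, de-duplicated view of ROOT/inetd.conf and ROOT/xinetd.d/*.
all_enabled_services() {
    { enabled_inetd_services "$1/inetd.conf"
      enabled_xinetd_services "$1/xinetd.d"; } | sort -u
}

# make_samples ROOT -- constructed configuration of a partly hardened host.
make_samples() {
    mkdir -p "$1/xinetd.d"
    cat > "$1/inetd.conf" <<'EOF'
#ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet   stream tcp nowait root /usr/lbin/telnetd telnetd
#shell   stream tcp nowait root /usr/lbin/remshd  remshd
daytime  stream tcp nowait root internal
EOF
    printf 'service chargen\n{\n\tdisable = yes\n}\n'        > "$1/xinetd.d/chargen"
    printf 'service echo\n{\n\tdisable=yes\n}\n'             > "$1/xinetd.d/echo"
    printf 'service rsync\n{\n\tdisable = no\n}\n'           > "$1/xinetd.d/rsync"
    printf 'service telnet\n{\n\tsocket_type = stream\n}\n'  > "$1/xinetd.d/telnet"
}

# Stand-alone run: on a live host use all_enabled_services /etc instead.
root=$(mktemp -d) && make_samples "$root" && all_enabled_services "$root"
rm -rf "$root"
```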
Disable RPC Services

RPC services are the basis for the network services from Sun which include NIS and NFS. These services are not usually used on a system on which security is a concern. On HP-UX 11, rpcbind provides the RPC services; prior to this, the services were provided by portmapd. Linux runs portmap for managing RPC services. On Red Hat-based systems, the following commands will shut down portmap and prevent it from restarting:

    /etc/rc.d/init.d/portmap stop
    chkconfig --del portmap

On HP-UX 11, rpcbind is started from the nfs.core script. These scripts can be disabled by either removing them or setting their permissions to 0. Setting the permissions of the rpcbind program itself to 0 helps ensure that it does not get started accidentally:

    chmod 0 /sbin/rc1.d/K600nfs.core
    chmod 0 /sbin/rc2.d/S400nfs.core
    chmod 0 /usr/sbin/rpcbind

Disable SNMP Daemons

On HP-UX, many of the filesets are dependent on SNMP, so they cannot be removed; therefore, you need to disable the services. This is done by changing the "START" variables in the start-up configuration files to prevent the services from starting, that is, by editing the following lines in the SNMP start-up configuration files:

    In /etc/rc.config.d/SnmpHpunix:   SNMP_HPUNIX_START=0
    In /etc/rc.config.d/SnmpMaster:   SNMP_MASTER_START=0
    In /etc/rc.config.d/SnmpMib2:     SNMP_MIB2_START=0
    In /etc/rc.config.d/SnmpTrpDst:   SNMP_TRAPDEST_START=0

Disable swagentd (SD-UX) Daemon

The swagentd script is run twice in the boot-up start sequence. When it is run from S120swconfig, it completes any cleanup work from an install which required a reboot, such as removing the files listed in /var/adm/sw/cleanupfile. It is run again as S870swagentd. This start-up file, /etc/rc2.d/S870swagentd, should be removed to keep the daemon from running on the system.

Disable Password and Group Caching Daemon

HP-UX has introduced a password and group caching daemon, pwgrd, to improve the performance of accessing user and group IDs.
It utilizes a UNIX domain socket for client requests, so the daemon should be disabled. Edit the following line in the file /etc/rc.config.d/pwgr:

    PWGR=0

The sockets used by the password and group caching daemon should also be removed:

    rm /var/spool/pwgr/*
    rm /var/spool/sockets/pwgr/*

Disable pty Daemon

The ptydaemon is a carry-over from the proprietary networking days at HP. It supports the vt and dscopy commands. It is unnecessary, since dscopy is unsupported and vt, an insecure MAC-level terminal connection, is rarely used. Edit the following line in the file /etc/rc.config.d/ptydaemon:

    PTYDAEMON_START=0

Environment Daemon

The environment daemon, envd, logs messages and can perform actions when over-temperature and chassis fan failure conditions are detected by the hardware. This feature is available only on specific hardware systems. For example, it will perform an orderly shutdown when an over-temperature condition occurs. It is probably best to leave this daemon running, but it can be disabled by editing its configuration file, /etc/rc.config.d/envd:

    ENVD=0

Network Tracing and Logging

The network tracing and logging system in the default configuration starts three daemons: ntl_reader, nktl_daemon and netfmt. These are easily disabled by editing /etc/rc.config.d/nettl; however, you will then lose potentially valuable log data, such as link-down messages. netfmt alone is the console filter formatter, which sends the log messages to the system console. If this is not needed, the following commands will stop the system from sending network logging to the console and will not start the netfmt daemon:

    nettlconf -L -console 0
    nettl -stop
    nettl -start

The nettlconf command modifies the network tracing and logging configuration file, /etc/nettlgen.conf, so this change will persist across system restarts.
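The SNMP, pwgr and ptydaemon switches above all take the form VARIABLE=0 in a file under /etc/rc.config.d; this added example (not from the book) reports the state of each switch without sourcing the files, assuming the FILE:VARIABLE pairs listed in those sections and a constructed sample directory in place of the real one.

```shell
#!/bin/sh
# Added example (not from the original text): report the state of the HP-UX
# start-up switches discussed in the text under an /etc/rc.config.d-style
# directory.  Files are parsed, not sourced, so nothing in them is executed.
# The directory written by make_rc_samples is constructed for this demo.

# Switches from the text, as FILE:VARIABLE pairs relative to the directory.
RC_SWITCHES="SnmpHpunix:SNMP_HPUNIX_START SnmpMaster:SNMP_MASTER_START
SnmpMib2:SNMP_MIB2_START SnmpTrpDst:SNMP_TRAPDEST_START
pwgr:PWGR ptydaemon:PTYDAEMON_START"

# rc_value FILE VAR -- value of the last uncommented VAR= line in FILE
# (quotes and trailing comments stripped), or "unset" if there is none.
rc_value() {
    v=$(sed -n "s/^[[:space:]]*$2=\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1 | tr -d '"')
    printf '%s\n' "${v:-unset}"
}

# audit_rc_switches DIR -- one line "FILE VAR VALUE STATE" per switch.
# STATE is disabled for 0, enabled for 1, and "check" for anything else
# (missing file, unset variable, unexpected value) so that it gets reviewed.
audit_rc_switches() {
    for pair in $RC_SWITCHES; do
        f=${pair%%:*}; var=${pair#*:}
        if [ -f "$1/$f" ]; then val=$(rc_value "$1/$f" "$var"); else val=missing; fi
        case $val in 0) state=disabled ;; 1) state=enabled ;; *) state=check ;; esac
        printf '%s %s %s %s\n' "$f" "$var" "$val" "$state"
    done
}

# make_rc_samples DIR -- constructed rc.config.d files in assorted states.
make_rc_samples() {
    mkdir -p "$1"
    printf 'SNMP_HPUNIX_START=1\n'                        > "$1/SnmpHpunix"
    printf '#SNMP_MASTER_START=1\nSNMP_MASTER_START=0\n'  > "$1/SnmpMaster"
    printf 'SNMP_MIB2_START=1   # left at the default\n'  > "$1/SnmpMib2"
    printf 'PWGR="0"\n'                                   > "$1/pwgr"
    printf 'PTYDAEMON_START=1\n'                          > "$1/ptydaemon"
    # SnmpTrpDst is deliberately absent to exercise the "missing" path.
}

# Stand-alone run: on a live HP-UX host pass /etc/rc.config.d instead.
dir=$(mktemp -d) && make_rc_samples "$dir" && audit_rc_switches "$dir"
rm -rf "$dir"
```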