Disable What Is Not Used


Some features of the system that you will not use cannot be removed. It may be that something you do want to use depends on the feature, or that the feature is so integrated into the system that removing it is more difficult than disabling it and monitoring it.

Disable Needed Pseudo-Accounts

Pseudo-accounts that are needed for proper operation of the system should be configured so that no individual can gain access with the account. The remaining pseudo-accounts should be disabled. The password entry should have an invalid shell program and an invalid home directory; this disables remote connections.

On HP-UX, the needed pseudo-accounts are bin, sys, and adm.

    bin:*:2:2:NO LOGIN:/bin/false:/dev/null
    sys:*:2:2:NO LOGIN:/bin/false:/dev/null
    adm:*:2:2:NO LOGIN:/bin/false:/dev/null

Red Hat Linux 7.2 contains the following pseudo-accounts.

    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    operator:x:11:0:operator:/root:/sbin/nologin
    rpm:x:37:37::/var/lib/rpm:/bin/bash

Disable Internet Services

Misuse of network services is the most common method of attack; therefore, only the network services that are required should be enabled, and all nonessential services should be disabled. It is rare that a system requires no network services at all, so the internet daemon itself can seldom be removed from the system. Instead, every service it offers, except those specifically required, should be disabled.

On HP-UX the internet services are controlled by the inetd daemon. These services are disabled by de-configuring them in the inetd configuration file (/etc/inetd.conf). The default inetd.conf file for HP-UX 11i has the following services enabled:

    ftp      stream tcp nowait root /usr/lbin/ftpd      ftpd -l
    telnet   stream tcp nowait root /usr/lbin/telnetd   telnetd
    shell    stream tcp nowait root /usr/lbin/remshd    remshd
    exec     stream tcp nowait root /usr/lbin/rexecd    rexecd
    ntalk    dgram  udp wait   root /usr/lbin/ntalkd    ntalkd
    ident    stream tcp wait   bin  /usr/lbin/identd    identd
    printer  stream tcp nowait root /usr/sbin/rlpdaemon rlpdaemon -i
    daytime  stream tcp nowait root internal
    daytime  dgram  udp nowait root internal
    time     stream tcp nowait root internal
    echo     stream tcp nowait root internal
    echo     dgram  udp nowait root internal
    discard  stream tcp nowait root internal
    discard  dgram  udp nowait root internal
    chargen  stream tcp nowait root internal
    chargen  dgram  udp nowait root internal
    kshell   stream tcp nowait root /usr/lbin/remshd    remshd -K
    klogin   stream tcp nowait root /usr/lbin/rlogind   rlogind -K

Red Hat Linux 7.2 has replaced the inetd daemon with xinetd. The services controlled by xinetd are listed in the directory /etc/xinetd.d, which holds one configuration file for each service that xinetd is to manage. These files describe the program that serves the protocol.

To enumerate the services and their start-up state, the following grep command can be used.

    grep disable /etc/xinetd.d/*

This lists the files and the lines containing the disable directive:

    /etc/xinetd.d/chargen:      disable = yes
    /etc/xinetd.d/chargen-udp:  disable = yes
    /etc/xinetd.d/daytime:      disable = yes
    /etc/xinetd.d/daytime-udp:  disable = yes
    /etc/xinetd.d/echo:         disable = yes
    /etc/xinetd.d/echo-udp:     disable = yes
    /etc/xinetd.d/rsync:        disable = yes
    /etc/xinetd.d/time:         disable = yes
    /etc/xinetd.d/time-udp:     disable = yes

To disable a service, its file must contain a disable = yes directive. However, for compatibility, the /etc/inetd.conf file is also used by xinetd, so both have to be examined to see which services are enabled.
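
The grep above shows every file that has a disable line, but a service file with no disable line at all is still enabled, so a quick "which services would actually start" check needs to look at both xinetd.d and inetd.conf. The script below is an added example, not code from the book; it builds a constructed copy of the two configurations in a temporary directory so it can run without touching /etc, and the service names and program paths in that sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): list which services xinetd and inetd
# would actually start, so both configurations can be reviewed together.

# Print the names of xinetd services that are not disabled. xinetd treats a
# service as enabled unless its file contains "disable = yes", so a file with
# no disable line at all counts as enabled.
# Argument: $1 = directory of per-service files (normally /etc/xinetd.d)
enabled_xinetd_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ! grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            basename "$f"
        fi
    done
}

# Print the service name from every active inetd.conf line, skipping
# comments and blank lines (a leading "#" is how inetd services are disabled).
# Argument: $1 = inetd configuration file (normally /etc/inetd.conf)
enabled_inetd_services() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{ print $1 }'
}

# Build a constructed configuration tree under a temporary directory and
# print its path. Sample only; a real review reads /etc directly.
make_sample_config() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/xinetd.d"
    printf 'service chargen\n{\n\tdisable = yes\n\ttype = INTERNAL\n}\n' > "$dir/xinetd.d/chargen"
    printf 'service echo\n{\n\tdisable\t= YES\n\ttype = INTERNAL\n}\n' > "$dir/xinetd.d/echo"
    printf 'service rsync\n{\n\tdisable = no\n\tserver = /usr/bin/rsync\n}\n' > "$dir/xinetd.d/rsync"
    printf 'service telnet\n{\n\tserver = /usr/sbin/in.telnetd\n}\n' > "$dir/xinetd.d/telnet"
    printf '# constructed inetd.conf sample\nftp stream tcp nowait root /usr/lbin/ftpd ftpd -l\n#telnet stream tcp nowait root /usr/lbin/telnetd telnetd\n\ndaytime stream tcp nowait root internal\n' > "$dir/inetd.conf"
    printf '%s\n' "$dir"
}

# Stand-alone run over the constructed sample.
sample=$(make_sample_config)
echo "xinetd services that would start:"
enabled_xinetd_services "$sample/xinetd.d"
echo "inetd services that would start:"
enabled_inetd_services "$sample/inetd.conf"
rm -rf "$sample"
```

In the sample, rsync (disable = no) and telnet (no disable line) are reported as enabled even though neither appears in the grep output above, which is exactly the gap the check closes. The check does not read the defaults section of /etc/xinetd.conf, where a disabled = list can also turn services off, so that file belongs in the same review.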

Disable RPC Services

RPC services are the basis for the network services from Sun, which include NIS and NFS. These services are not usually used on a system on which security is a concern. On HP-UX 11, rpcbind provides the RPC services; prior to this, the services were provided by portmapd. Linux runs portmap to manage RPC services. On Red Hat-based systems, the following commands shut down portmap and prevent it from restarting.

    /etc/rc.d/init.d/portmap stop
    chkconfig --del portmap

On HP-UX 11, rpcbind is started from the nfs.core script. These scripts can be disabled by either removing them or setting their permissions to 0. Setting the permissions of the rpcbind program itself to 0 helps ensure that it does not get started accidentally.

    chmod 0 /sbin/rc1.d/K600nfs.core
    chmod 0 /sbin/rc2.d/S400nfs.core
    chmod 0 /usr/sbin/rpcbind

Disable SNMP Daemons

On HP-UX, many filesets depend on SNMP, so it cannot be removed. Instead, disable the services by changing the START variables in the start-up configuration files so that the services are not started. Edit the following lines in the SNMP start-up configuration files:

In /etc/rc.config.d/SnmpHpunix

    SNMP_HPUNIX_START=0

In /etc/rc.config.d/SnmpMaster

    SNMP_MASTER_START=0

In /etc/rc.config.d/SnmpMib2

    SNMP_MIB2_START=0

In /etc/rc.config.d/SnmpTrpDst

    SNMP_TRAPDEST_START=0

Disable swagentd (SD-UX) Daemon

The swagentd script is run twice in the boot-up start sequence. When it is run from S120swconfig it completes any cleanup work from an install that required a reboot, such as removing the files listed in /var/adm/sw/cleanupfile. It is run again as S870swagentd. This start-up file, /etc/rc2.d/S870swagentd, should be removed to keep the daemon from running on the system.

Disable Password and Group Caching Daemon

HP-UX has introduced a password and group caching daemon, pwgrd, to improve the performance of accessing user and group IDs. It utilizes a UNIX domain socket for client requests, so the daemon should be disabled. Edit the following line in the file /etc/rc.config.d/pwgr:

    PWGR=0

The sockets used by the password and group caching daemon should be removed.

    rm /var/spool/pwgr/*
    rm /var/spool/sockets/pwgr/*

Disable pty Daemon

The ptydaemon is a carry-over from the proprietary networking days at HP. It supports the vt and dscopy commands. It is unnecessary, since dscopy is unsupported and vt, an insecure MAC-level terminal connection, is rarely used. Edit the following line in the file /etc/rc.config.d/ptydaemon:

    PTYDAEMON_START=0

Environment Daemon

The environment daemon, envd, logs messages and can perform actions when over-temperature and chassis fan failure conditions are detected by the hardware; for example, it will perform an orderly shutdown when an over-temperature condition occurs. This feature is available only on specific hardware systems. It is probably best to leave this daemon running, but it can be disabled by editing its configuration file, /etc/rc.config.d/envd:

    ENVD=0
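
The SNMP, pwgr, ptydaemon and envd sections above all come down to the same edit: set one START-style variable to 0 in a file under /etc/rc.config.d, which the boot scripts source as shell. The script below is an added example, not code from the book. It sets such a variable in place without disturbing the comments in the file, reads the value back without sourcing the file, and reports which files in a directory still have a variable enabled. The three files it operates on are constructed copies in a temporary directory (real ones live under /etc/rc.config.d), and the variable names match the ones used in the text.

```shell
#!/bin/sh
# Added example (not from the book): set and read START-style variables in
# HP-UX /etc/rc.config.d files, which are shell fragments sourced at boot.

# Rewrite every assignment of VAR in FILE to "VAR=VALUE", keeping all other
# lines (comments included); append the assignment if the file has none.
# Arguments: $1 = file, $2 = variable name, $3 = value
set_rc_var() {
    tmp="$1.tmp.$$"
    awk -v var="$2" -v val="$3" '
        BEGIN { pat = "^[[:space:]]*" var "[[:space:]]*="; found = 0 }
        $0 ~ pat { print var "=" val; found = 1; next }
        { print }
        END { if (!found) print var "=" val }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Print the value of the last assignment of VAR in FILE without sourcing
# the file; surrounding spaces and quotes are stripped. (A line written as
# "ENVD = 1" is read here, but sh itself would reject it, which is why
# set_rc_var always writes the form without spaces.)
# Arguments: $1 = file, $2 = variable name
rc_var_value() {
    awk -F= -v var="$2" '
        $1 ~ ("^[[:space:]]*" var "[[:space:]]*$") { v = $2 }
        END { gsub(/^[[:space:]"]+|[[:space:]"]+$/, "", v); print v }
    ' "$1"
}

# Print "FILE VAR" for every assignment in DIR whose value is not 0, i.e.
# every daemon the start-up configuration would still bring up.
# Argument: $1 = directory of rc.config.d-style files
still_enabled() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -F= -v name="$(basename "$f")" '
            /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ {
                var = $1; sub(/^[[:space:]]+/, "", var); sub(/[[:space:]]+$/, "", var)
                val = $2; gsub(/^[[:space:]"]+|[[:space:]"]+$/, "", val)
                if (val != "0") print name, var
            }' "$f"
    done
}

# Constructed copies of three start-up configuration files; a real host has
# these under /etc/rc.config.d. Prints the temporary directory path.
make_sample_rc_dir() {
    dir=$(mktemp -d) || return 1
    printf '# SNMP master agent\nSNMP_MASTER_START=1\n' > "$dir/SnmpMaster"
    printf '# password/group cache\nPWGR=1\n' > "$dir/pwgr"
    printf 'ENVD = 1\n' > "$dir/envd"
    printf '%s\n' "$dir"
}

# Stand-alone run: show what is enabled, disable the three, show again.
sample=$(make_sample_rc_dir)
echo "before:"; still_enabled "$sample"
set_rc_var "$sample/SnmpMaster" SNMP_MASTER_START 0
set_rc_var "$sample/pwgr" PWGR 0
set_rc_var "$sample/envd" ENVD 0
echo "after:"; still_enabled "$sample"
rm -rf "$sample"
```

The rewrite goes through a temporary file and mv so a partially written configuration file is never left in place; running still_enabled after the edit is the check that nothing was missed.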

Network Tracing and Logging

The network tracing and logging system in the default configuration starts three daemons: ntl_reader, nktl_daemon and netfmt. They are easily disabled by editing /etc/rc.config.d/nettl, but doing so loses potentially valuable log data, such as link-down messages. netfmt alone is the console filter formatter, which sends the log messages to the system console. If that is not needed, the following commands stop the system from sending network logging to the console and keep the netfmt daemon from starting:

    nettlconf -L -console 0
    nettl -stop
    nettl -start

The nettlconf command modifies the network tracing and logging configuration file, /etc/nettlgen.conf, so this change persists across system restarts.

Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
