Introduction
When configuring an HP-UX system for production, a balance must be struck between manageability and security. Determine the role the system will play in order to decide which services it needs to run. The objective is to keep things simple: by dedicating separate machines to different tasks, only one or two services should run on any given host. This makes it easier to isolate applications, harden them, and troubleshoot. Such a minimalist approach runs only what is absolutely necessary. Keeping an HP-UX system secure is a daily task that includes keeping up with exploits and patches and reviewing log files. The following suggestions are a baseline for securing an HP-UX system.
Secure System at Installation
Pre-Installation
Securing an HP-UX system starts with the installation: a fresh ("initial") install of the latest version of the HP-UX Operating Environment, followed by the latest patches. With every new release, HP incorporates improvements and additional features that enhance system security.

• Always use the latest version of the HP-UX Operating Environment that your applications will support.
• Do not upgrade an existing HP-UX system. The previous installation may carry inherited bugs, improper configuration, or installed Trojans, any of which could lead to security flaws, so an in-place upgrade should be avoided where possible. Install from an original HP-UX Operating Environment CD to ensure a clean, trustworthy installation.
• Do not attach the system to a public network until the hardening changes have been made. The machine should not depend on resources from other machines, which could themselves be compromised.
Partitions
Carefully select your partition sizes. A secure machine will have extensive system logging enabled, so it needs plenty of log space. Before installing the HP-UX Operating Environment, determine your disk space needs, considering the following items:
• HP-UX software group/cluster.
• Co-packaged software: see the co-packaged software documentation for the estimated space required.
• Vendor or third-party software: see the vendor or third-party software documentation.
• Space for home directories: home directories may store user files such as mail, text or data files, or application files.
• Adequate disk space for system directories, log files, and applications.
Certain server applications or services may require extra disk space or separate partitions to operate effectively without impacting other services. Typically there should be separate partitions for the root file system (/), /usr, /var, and /opt.

The HP-UX /var file system contains system log files, patch data, print and mail spools, and files for other services. The disk space these files require varies over time. Most systems should keep /var as a separate partition from the root file system, and mail servers should keep a large, separate /var/mail partition for user mail files.

These extra partitions prevent a full /var or /var/mail file system from affecting the operation of the rest of the system. Provide extra space in /var if you intend to store large log files. Most applications install themselves in /opt or /usr/local; check each application's installation directory before allocating space.
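The layout rules above are easy to verify after the fact. The following POSIX shell function is an added example, not part of the original guide: it reads an /etc/fstab in HP-UX layout (device, mount point, type, options, backup frequency, fsck pass) and lists which of /, /usr, /var and /opt (plus /var/mail when the host is given the "mail" role) are not separate mount points. The two fstab samples are constructed; the vg00 logical volume names are assumptions and not taken from the page.

```sh
#!/bin/sh
# Added example (not from the original guide): check that the file systems
# the guide recommends keeping separate are their own mount points.
# Reads an /etc/fstab in HP-UX layout (device, mount point, type, options,
# backup frequency, fsck pass) on stdin. Optional argument "mail" adds
# /var/mail to the required list, as recommended for mail servers.
missing_separate_fs() {
    role="${1:-general}"
    required="/ /usr /var /opt"
    [ "$role" = "mail" ] && required="$required /var/mail"
    awk -v req="$required" '
        BEGIN { n = split(req, want, " ") }
        /^[ \t]*#/ || NF < 2 { next }      # skip comments and blank lines
        { seen[$2] = 1 }                   # field 2 is the mount point
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print want[i]; bad++ }
            exit bad > 0                   # non-zero when something is missing
        }'
}

# Prints a verdict for the fstab on stdin: report LABEL ROLE
report() {
    echo "== $1 ($2) =="
    if missing_separate_fs "$2"; then
        echo "all required file systems are separate mount points"
    else
        echo "the file systems listed above share another mount point"
    fi
}

# Constructed sample: a layout that follows the guide, with vg00 logical
# volumes (assumed names) for /, /stand, /usr, /var, /opt, /tmp and /home.
GOOD_FSTAB='# /etc/fstab (constructed sample)
/dev/vg00/lvol3 / vxfs delaylog 0 1
/dev/vg00/lvol1 /stand hfs defaults 0 1
/dev/vg00/lvol4 /tmp vxfs delaylog 0 2
/dev/vg00/lvol5 /home vxfs delaylog 0 2
/dev/vg00/lvol6 /opt vxfs delaylog 0 2
/dev/vg00/lvol7 /usr vxfs delaylog 0 2
/dev/vg00/lvol8 /var vxfs delaylog 0 2'

# Constructed sample: /usr and /opt left on the root file system, so a
# runaway application in /opt would fill / as well.
BAD_FSTAB='/dev/vg00/lvol3 / vxfs delaylog 0 1
/dev/vg00/lvol1 /stand hfs defaults 0 1
/dev/vg00/lvol8 /var vxfs delaylog 0 2'

# Demonstration. On a real system: missing_separate_fs mail < /etc/fstab
printf '%s\n' "$GOOD_FSTAB" | report "hardened layout" general
printf '%s\n' "$GOOD_FSTAB" | report "hardened layout" mail
printf '%s\n' "$BAD_FSTAB"  | report "/usr and /opt on root" general
```

The function's exit status is non-zero whenever something is missing, so it can gate a post-install script; the "mail" role only adds /var/mail, which the hardened sample deliberately lacks to show the check firing.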
Ensure Minimal Installation
Installing unnecessary services, packages, and applications can severely compromise system security. Reduce the HP-UX Operating Environment installation to the minimum set of packages needed to support the application being hosted. Fewer services, libraries, and applications means fewer subsystems that must be disabled, patched, and maintained.

To perform the installation, boot from the install CD and follow these steps:
1. Select "Install HP-UX".
2. In the "User Interface and Media Options" screen select:
   a. Media only installation
   b. Advanced Installation
3. In the "Basic" screen, under Environments select "64-Bit Minimal HP-UX (English Only)".
4. In the "Software" screen:
   a. Select "Change Depot Location"
   b. Change "Interactive swinstall" to "Yes"
   c. Select "Modify"
5. Change other configuration settings as appropriate for your system.
6. Select "Go!".
7. In the "SD Install" screen:
   a. Change the Software View to Products:
      View -> Change Software View -> Start with Products
   b. Mark MailUtilities.Runtime and MailUtilities.Manuals for Install
   c. Unmark NFS.Runtime.NIS-CLIENT for Install (this will also unmark KEY-CORE and NIS-CORE)
   d. Unmark NFS.Runtime.NFS-CLIENT for Install
   e. Mark NFS.Runtime.NFS-64SLIB for Install
   f. Unmark Networking.MinimumRuntime.PPP-RUN for Install
   g. Mark OS-Core.Manuals for Install
   h. Mark SOE for Install
   i. Mark SecurityMon for Install
   j. Mark Streams.Runtime.STREAMS-64SLIB for Install
   k. Mark SystemAdmin.Runtime for Install
   l. Mark TextEditors.Runtime and TextEditors.Manuals for Install
   m. Perform the installation analysis:
      Actions -> Install (analysis)

Choose a minimal HP-UX system. This will not install the X Window System and many other products that are neither needed nor wanted. Also remove the NFS product if you are not using it, because it has a number of security problems, and remove the PPP-RUN fileset because PPP is not being used.

For system management install SAM, the core OS man pages, mailers, and text editors. For the HP-UX security features select the SecurityMon and SOE products: SecurityMon contains the commands and documentation for auditing and the trusted system components, and SOE contains the pwconv command used later in this guide.

Also select the 32-bit or 64-bit shared libraries as appropriate for the hardware in use.
Remove other products such as the SNMP agent (OVSNMPAgent), and disable SNMP and any other products that are difficult or impossible to remove.
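Once the system is up, the choices made in the SD Install screen should be confirmed against what is actually installed, since a later depot or patch bundle can pull a fileset back in. The script below is an added example, not part of the original guide: it reads the output of `swlist -l fileset` and flags the filesets the guide unmarks (NIS-CLIENT, KEY-CORE, NIS-CORE, NFS-CLIENT, PPP-RUN) and any fileset of the OVSNMPAgent product, then builds the matching `swremove` command line. The denylist is written in the product.fileset form that swlist prints, without the Runtime/MinimumRuntime sub-product level of the swinstall tree; the two swlist listings are constructed samples and their titles and revision strings are illustrative.

```sh
#!/bin/sh
# Added example (not from the original guide): after installation, audit the
# system for the software the guide says to leave out, using the output of
# `swlist -l fileset`. Names are in the product.fileset form swlist prints;
# the Runtime/MinimumRuntime level seen in the swinstall tree is not shown.
UNWANTED_FILESETS='NFS.NIS-CLIENT NFS.KEY-CORE NFS.NIS-CORE NFS.NFS-CLIENT Networking.PPP-RUN'
UNWANTED_PRODUCTS='OVSNMPAgent'

# Reads swlist -l fileset output on stdin and prints each installed fileset
# that is on either list, one per line. Exit status 1 when anything matched.
unwanted_filesets() {
    awk -v fs="$UNWANTED_FILESETS" -v prods="$UNWANTED_PRODUCTS" '
        BEGIN {
            n = split(fs, f, " ");    for (i = 1; i <= n; i++) bad[f[i]] = 1
            m = split(prods, p, " "); for (i = 1; i <= m; i++) badprod[p[i]] = 1
        }
        /^[ \t]*#/ || NF < 2 { next }          # swlist banner/comment lines
        {
            name = $1                           # product.fileset
            prod = name; sub(/\..*$/, "", prod) # product part only
            if ((name in bad) || (prod in badprod)) { print name; hits++ }
        }
        END { exit hits > 0 }'
}

# Builds the swremove command line for whatever the audit found (prints
# nothing and returns 1 when the system is clean). Review before running it.
swremove_command() {
    set -- $(unwanted_filesets)
    [ $# -gt 0 ] && echo "swremove $*"
}

# Constructed sample modelled on swlist -l fileset layout (comment banner,
# then fileset, revision, title); titles and revisions are illustrative.
SAMPLE_SWLIST='# Initializing...
# Contacting target "hpux01"...
#
# Target:  hpux01:/
#
  MailUtilities.MAILX           B.11.11   Mail utilities
  NFS.KEY-CORE                  B.11.11   Secure RPC key server
  NFS.NFS-64SLIB                B.11.11   NFS 64-bit shared libraries
  NFS.NFS-CLIENT                B.11.11   NFS client
  NFS.NIS-CLIENT                B.11.11   NIS client
  NFS.NIS-CORE                  B.11.11   NIS core
  Networking.PPP-RUN            B.11.11   PPP runtime
  OS-Core.CORE-KRN              B.11.11   Core kernel
  OVSNMPAgent.MASTER            B.11.11   SNMP master agent'

# Constructed sample of a system installed as the guide describes.
CLEAN_SWLIST='# Target:  hpux02:/
  MailUtilities.MAILX           B.11.11   Mail utilities
  NFS.NFS-64SLIB                B.11.11   NFS 64-bit shared libraries
  OS-Core.CORE-KRN              B.11.11   Core kernel
  SecurityMon.SECURITY-MON      B.11.11   Security monitoring'

# Demonstration. On a live system: swlist -l fileset | swremove_command
printf '%s\n' "$SAMPLE_SWLIST" | swremove_command
printf '%s\n' "$CLEAN_SWLIST"  | swremove_command || echo "no unwanted software installed"
```

Matching on the product part as well as the full fileset name is what lets a single entry (OVSNMPAgent) catch every fileset of that product, which matters for products whose fileset names differ between releases; NFS-64SLIB is deliberately kept out of the list because the guide marks it for install.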