Excerpt
Preface
Welcome to the world of HP-UX security! The title of this book may be HP-UX 11i Security, but much of the content is applicable to any version of HP-UX. Sections of this book are true for any flavor of UNIX, but this book differentiates itself from other UNIX security books by focusing on the functionality unique to the HP-UX environment.
I first became interested in UNIX security after several systems I managed were compromised. I was new to UNIX. I had previously worked on an IBM System/36 and on the HP e3000. I had attended two HP-UX classes; the first was on UNIX fundamentals and the second on system administration. At that time the latest version of the operating system was HP-UX 9. Looking back, I was very naive about the security of the system. As I recall, I spent a great deal of time trying to manage disk space, running fsck, dealing with the fact that there never seemed to be enough inodes, and learning the vi editor. Security was not a major concern and nobody told me that it should be.
I have experienced several security-related episodes. The first was when the majority of accounts were compromised after the password file was cracked and distributed through a "club" of hackers who met weekly at a community college. Another incident involved a ninth grader whom we managed to track down to a local school. This intruder was selling accounts, distributing pirated game software, and mailing child pornography to his friends. I still can recall the comments from the instructor I spoke to: "This boy has the capacity to do these sort of things, very skilled, a real wiz." I can also recall the frustration when the parents, who by the way both worked at Microsoft, refused to believe their child would do such a thing. Another incident involved the local FBI office calling after a user at a remote site used our mail server to send a death threat to the President of the United States.
I was very fortunate during these incidents. The HP-UX systems that were compromised were not running any mission-critical applications. I quickly realized how much I did not know about securely administering a UNIX system. As I learned more, I began sharing my knowledge with other administrators at user meetings and conferences. From this experience, I noticed that, like myself, others learn best by viewing examples, so I have included many examples in this book.
The book was designed primarily for system and security administrators. Programmers, system analysts, and developers will find the contents useful for integrating HP-UX functionality and security into development projects. Any non-technical individual can benefit by reading Chapter 1 and gaining a greater appreciation for the tasks of the system administrator.
Since this is a book on HP-UX host security, I have concentrated on the areas of system administration that are necessary to have a secure system. For example, a thorough understanding of permissions and user management is essential. In addition, I have covered a variety of no-charge HP-UX add-on products with a slant on using these products to better secure the environment. There are a few purchasable HP-UX products that are also covered.
Writing a book is a unique experience, especially when you contract "writer's disease," as another author called it. One of the hardest parts of writing a book is to be able to say, "this is what it is." By this I mean that there is always more I wanted to add. The problem with this is that the book will never get completed. I decided that I could not include every single public-domain security package or in-depth details on topics such as SSH, IPSec, and key distribution. There are already excellent books available that focus specifically on these very issues.
Where instructions on installing and configuring applications are included, I would recommend that you always download current instructions from the application's source and follow the most current prerequisites, instructions, and release notes. The instructions included in this book may assist with any required workarounds. The companion web site to this book, http://newfdog.hpwebhost.com/hpuxsecurity, is a good place to check for information on installing and configuring later releases of software.
As with any software, it is your responsibility to make sure you comply with any export regulations and license-to-use issues. In addition, the author, publisher, Hewlett-Packard, and Cerius Technology Group assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
This book is also not a security "cookbook." If someone tells you they have a security "cookbook," they are understating security issues. The closest item in this book to a cookbook would be a combination of Chapter 14, Building a Bastion Host, by Kevin Steves and the security checklist found in Chapter 15. There can be no "cookbook" since all environments are unique. The circumstances that make an environment unique must be addressed by those who are familiar with the environment.