HP: Generic installation checklist

- Title: HP: Generic installation checklist
- Author: Douglas O’Leary <dkoleary@olearycomputers.com>
- Description: HP: Generic installation checklist
- Date created: 08/2008
- Date updated: 06/18/2009
- Disclaimer: Standard: Use the information that follows at your own risk. If you screw up a system, don’t blame it on me…
The purpose of this document is not to be the end-all installation checklist for every site. That’s clearly impossible. Rather, I’m hoping this will document “best practices”; things that should be done at most sites.
If you see any glaring mistakes, things that should be added, or things that should be deleted, please send me an email.
Data collection:

- General
  - Host name
- Networking
  - System IP(s)
  - Is the system going to route IP?
  - Default gateway
  - Nameserver precedence
    - NIS
      - domainname
      - NIS servers
    - DNS
      - Domain
      - DNS server(s)
      - Searchlist, if appropriate
  - Required networking services
    - ftp
    - telnet
    - NFS:
      - Whether or not filesystems are to be exported.
      - Whether or not remote filesystems are to be mounted locally.
      - List of exported filesystems and to which systems they’re exported.
  - tcp_wrappers vs inetd logging
- User/Groups
  - Password timeframes (min, max, inactivity, etc)
  - Max number of invalid password attempts
  - Default paths
- System logging
  - Where will your log files be stashed?
  - What facilities and severities will be monitored?
- Kernel
  - Kernel model to apply, if appropriate. (boy, have these changed since the last time I looked at ’em!)
    - CAE/ME/EE Engineering Workstation (Previous version)
    - EE Engineering Workstation 32-bit kernel (New 10/99)
    - EE Engineering Workstation 64-bit kernel (New 10/99)
    - CAE/ME/General Eng. Workstation 32-bit kernel (New 10/99)
    - CAE/ME/General Eng. Workstation 64-bit kernel (New 10/99)
    - V-class Technical Server
  - Tweaks required for appls (Oracle, for example)
Install the operating system and appropriate patch bundles. Please see the appropriate installation guide on docs.hp.com
Install and configure appropriate security tools:

- ssh
  - Public key authentication
  - Client agent forwarding
- sudo
  - sudoers: %wheel ALL=(ALL) ALL
  - Appropriate users in the wheel group
- tcp_wrappers
  - Wrap telnet, rlogin, and ftp at a minimum - preferably all allowed services.
  - Update /etc/hosts.allow and /etc/hosts.deny as appropriate - or leave them blank for logging purposes.
Passwords:

- Convert to TCB using one of the following:
  - SAM -> Auditing & Security -> System Security Policies
  - Commands:
      # tsconvert
      # pwconv
      # pwck
- Establish default password parameters through one of the following methods:
  - SAM -> Auditing & Security -> System Security Policies
    - Password Format: Password length >= 6
    - Password aging:
      - Min: Minimum number of days before the user is allowed to change the password again.
      - Max: Maximum valid use of the password in days.
      - Warn: How many days before ${Max} the system will start warning the user.
      - Expire: Maximum lifetime of the password in days.
    - General User account policies: Set appropriate times for:
      - Lock inactive accounts
      - Invalid password attempts
  - Files: Update the following files with entries listed as appropriate:
    - /etc/default/security
      - MIN_PASSWORD_LENGTH
      - PASSWORD_HISTORY_DEPTH
      - SU_ROOT_GROUP  # Users belonging to this group will be able to su to root.
      - SU_PATH
    - /tcb/files/auth/system/default
      - u_minchg#${days}: Minimum number of days before the user is allowed to change the password again.
      - u_exp#${secs}: Max valid use of the password.
      - u_life#${secs}: Max password lifetime.
      - u_maxtries#${num}: Max invalid password attempts before the account is locked.
Users:

- Execute
      logins -p
  to verify that all users have passwords. It should come back empty. Correct any accounts that are lacking passwords.

Root:

- Root’s home directory: update /etc/passwd, changing root’s home directory to /root.
      mkdir -m 0700 /root
      cp /.profile /root
      cp /.kshrc /root
- Configure root’s ssh environment to allow public key authentication only:
      ~/.ssh/ssh2_config: AllowedAuthentication publickey
- Prevent direct root login via telnet:
      echo "console" > /etc/securetty
- ~root/.profile:
  - Verify root’s path does not include the current directory.
  - Set root’s umask to 027.
- Lock the following accounts and set their shell to /bin/false:
  - daemon
  - uucp
  - nuucp
  - bin
  - sys
  - hpdb
  - adm
  - lp
  - www
- Home directories: Ensure they are:
  - Unique per user (no shared home directories).
  - Owned by the appropriate user.
  - Contain configuration files that have correct permissions and are owned by the appropriate user.
  - Don’t contain .netrc or .rhosts files.
Network:

- /etc/inetd.conf
  - Comment out all services that aren’t being actively used. Good choices to comment out are:
    - bootps
    - chargen
    - daytime
    - discard
    - echo
    - exec
    - finger
    - ident
    - login
    - ntalk
    - shell
    - time
    - uucp
  - Wrap any services left open. Using telnet as an example:
      telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -b /etc/issue
  - Run
      inetd -c
    to refresh the inetd daemon.
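Checking an inetd.conf by eye is error-prone on a machine with a long file, so here is an added example (not from the checklist) that audits one: it lists the enabled services that appear in the comment-out list above, and the enabled services whose server program is not tcpd, which are therefore unwrapped. It assumes the usual inetd.conf field order (service, socket type, protocol, wait flag, user, server program, arguments) and tcpd at /usr/sbin/tcpd; the inetd.conf it writes for the demonstration is constructed.

```shell
#!/bin/sh
# Added example, not part of the original checklist. Audits an inetd.conf-style
# file. Assumes the field order "service socktype proto wait user server args"
# and tcpd at /usr/sbin/tcpd. The sample file is constructed for the demo.

# Services the checklist recommends commenting out.
RISKY_SERVICES="bootps chargen daytime discard echo exec finger ident login ntalk shell time uucp"

# write_sample_inetd FILE: constructed inetd.conf with wrapped, unwrapped,
# commented-out and internal services.
write_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
ftp     stream tcp nowait root /usr/sbin/tcpd    /usr/lbin/ftpd -l
telnet  stream tcp nowait root /usr/sbin/tcpd    /usr/lbin/telnetd -b /etc/issue
login   stream tcp nowait root /usr/lbin/rlogind rlogind
finger  stream tcp nowait bin  /usr/lbin/fingerd fingerd
#shell  stream tcp nowait root /usr/lbin/remshd  remshd
daytime stream tcp nowait root internal
EOF
}

# enabled_services FILE: the service name of every uncommented entry.
enabled_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# risky_enabled FILE: enabled services that are on the comment-out list.
risky_enabled() {
    enabled_services "$1" | while read -r svc; do
        case " $RISKY_SERVICES " in
            *" $svc "*) echo "$svc" ;;
        esac
    done
}

# unwrapped_enabled FILE: enabled services whose server program is not tcpd.
# inetd's "internal" services cannot be wrapped, so they show up here too;
# the remedy for those is to comment them out.
unwrapped_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 && $6 != "/usr/sbin/tcpd" { print $1 }' "$1"
}

# Usage: sh inetd_audit.sh /etc/inetd.conf
if [ $# -eq 1 ]; then
    echo "== enabled services the checklist says to comment out =="; risky_enabled "$1"
    echo "== enabled services not wrapped by tcpd =="; unwrapped_enabled "$1"
fi
```

Run it again after editing the file and `inetd -c`; an empty report for both lists is the target state.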
- NFS
  - /etc/rc.config.d/nfsconf
    - If the system is not to be an NFS server (no exported filesystems), verify the following parameters are set to 0:
      - NFS_SERVER
      - PCNFS_SERVER
      - START_MOUNTD
    - If you’re not planning on using the automounter or autofs service, ensure AUTOFS is set to 0. Also, remove or rename /etc/auto_master.
    - If you’re planning on using the NFS client (mounting remote filesystems), set NFS_CLIENT to 1.
    - If you are planning on using any of these services, ensure the appropriate parameters are set to 1.
  - Exported filesystems. The following options should be configured appropriately when exporting filesystems:
    - ro | rw: Configure the exported filesystem read only if possible.
    - anon=${uid}: Uses ${uid} for any anonymous or root users from remote systems.
    - root=${host}:${host1}: Allows root on ${hosts[*]} to come in as root on the NFS exported filesystem. Should be used with care.
    - access=access_list: Probably the most important option; limits access to the hosts listed in access_list. This option has expanded quite a bit over the years, so check the man page for details.
  - /etc/inetd.sec
    - Research items that are appropriate for the environment.
    - If you’re using NFS, minimally, ensure the following entry:
        mountd allow <Addresses to allow in>
Sendmail:

- Turn off sendmail if the system doesn’t need to receive email.
- If you’re going to leave it on:
  - Patch or upgrade to the latest version.
  - Ensure the privacy options are enabled in /etc/mail/sendmail.cf:
      O PrivacyOptions=authwarning,novrfy,noexpn

Appropriately configure the DNS resolver file, /etc/resolv.conf. Ensure it has 644 permissions.

Appropriately configure the nameservice switch file, /etc/nsswitch.conf. Ensure it has 644 permissions.
Lock down the TCP/IP protocol stack. The table of ndd parameters that follows should be analyzed for your environment. Those that are needed should either be entered into /etc/rc.config.d/nddconf or into a startup script that is configured to start immediately after the network initialization.

Net device | Parameter | Default value | Suggested value | Comment
/dev/ip | ip_check_subnet_addr | 1 | 0 | Permit 0 in local network part (should be the default)
/dev/ip | ip_forward_directed_broadcasts | 1 | 0 | Don’t forward directed broadcasts
/dev/ip | ip_forward_src_routed | 1 | 0 | Don’t forward packets with source route options
/dev/ip | ip_forwarding | 2 | 0 | Disable IP forwarding
/dev/ip | ip_ire_gw_probe | 1 | 0 | Disable dead gateway detection (currently no ndd help text; echo-requests interact badly with firewalls)
/dev/ip | ip_pmtu_strategy | 2 | 1 | Don’t use echo-request PMTU strategy (can be used for amplification attacks and we don’t want to send echo-requests anyway)
/dev/ip | ip_respond_to_address_mask_broadcast | 0 | 0 | Don’t respond to ICMP address mask request broadcasts
/dev/ip | ip_respond_to_echo_broadcast | 1 | 0 | Don’t respond to ICMP echo request broadcasts
/dev/ip | ip_respond_to_timestamp | 0 | 0 | Don’t respond to ICMP timestamp requests
/dev/ip | ip_respond_to_timestamp_broadcast | 0 | 0 | Don’t respond to ICMP timestamp request broadcasts
/dev/ip | ip_send_redirects | 1 | 0 | Don’t send ICMP redirect messages (if we have no need to send redirects)
/dev/ip | ip_send_source_quench | 1 | 0 | Don’t send ICMP source quench messages (deprecated)
/dev/tcp | tcp_conn_request_max | 20 | 500 | Increase TCP listen queue maximum (performance)
/dev/tcp | tcp_syn_rcvd_max | 500 | 500 | HP SYN flood defense
/dev/tcp | tcp_text_in_resets | 1 | 0 | Don’t send text messages in TCP RST segments (should be the default)
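Since the suggested values have to be carried into /etc/rc.config.d/nddconf and kept there across later edits, the following added example (not part of the checklist) turns the table’s "Suggested value" column into nddconf entries and audits an existing nddconf for table parameters that are missing or set to a different value. It assumes the nddconf entry format of numbered TRANSPORT_NAME[n], NDD_NAME[n] and NDD_VALUE[n] lines; the parameters and values are the table’s own, including the two performance-oriented tcp rows. It never calls ndd, so it can be run against a copy of the file on any system; the nddconf it writes for the demonstration is constructed.

```shell
#!/bin/sh
# Added example, not part of the original checklist. Renders the table's
# suggested ndd values as nddconf entries and audits an existing nddconf.
# Assumes the TRANSPORT_NAME[n]= / NDD_NAME[n]= / NDD_VALUE[n]= entry format.
# The sample nddconf written below is constructed for the demonstration.

# One "transport parameter suggested-value" line per table row.
SUGGESTED='ip ip_check_subnet_addr 0
ip ip_forward_directed_broadcasts 0
ip ip_forward_src_routed 0
ip ip_forwarding 0
ip ip_ire_gw_probe 0
ip ip_pmtu_strategy 1
ip ip_respond_to_address_mask_broadcast 0
ip ip_respond_to_echo_broadcast 0
ip ip_respond_to_timestamp 0
ip ip_respond_to_timestamp_broadcast 0
ip ip_send_redirects 0
ip ip_send_source_quench 0
tcp tcp_conn_request_max 500
tcp tcp_syn_rcvd_max 500
tcp tcp_text_in_resets 0'

# render_nddconf: print nddconf entries for every row of SUGGESTED.
render_nddconf() {
    printf '%s\n' "$SUGGESTED" | awk '{
        i = NR - 1
        printf "TRANSPORT_NAME[%d]=%s\nNDD_NAME[%d]=%s\nNDD_VALUE[%d]=%s\n", i, $1, i, $2, i, $3
    }'
}

# nddconf_value FILE PARAM: the NDD_VALUE configured for PARAM (nothing if absent).
# Fields are split on "[", "]" and "=", so NDD_NAME[3]=ip_forwarding gives
# $1=NDD_NAME $2=3 $4=ip_forwarding.
nddconf_value() {
    awk -F'[][=]' -v p="$2" '
        $1 == "NDD_NAME"  { name[$2] = $4 }
        $1 == "NDD_VALUE" { val[$2]  = $4 }
        END { for (i in name) if (name[i] == p) print val[i] }
    ' "$1"
}

# audit_nddconf FILE: print "parameter configured suggested" for every table
# row whose configured value differs from the suggestion; "-" marks a missing entry.
audit_nddconf() {
    printf '%s\n' "$SUGGESTED" | while read -r transport param want; do
        have=$(nddconf_value "$1" "$param")
        [ -n "$have" ] || have='-'
        if [ "$have" != "$want" ]; then
            echo "$param $have $want"
        fi
    done
}

# write_sample_nddconf FILE: constructed nddconf with three entries, one of
# them (ip_send_redirects) left at a value the table does not suggest.
write_sample_nddconf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_forwarding
NDD_VALUE[0]=0
TRANSPORT_NAME[1]=ip
NDD_NAME[1]=ip_send_redirects
NDD_VALUE[1]=1
TRANSPORT_NAME[2]=tcp
NDD_NAME[2]=tcp_syn_rcvd_max
NDD_VALUE[2]=500
EOF
}

# Usage: sh nddconf_audit.sh /etc/rc.config.d/nddconf   (audit)
#        sh nddconf_audit.sh --render                    (print all suggested entries)
if [ "$1" = "--render" ]; then
    render_nddconf
elif [ $# -eq 1 ]; then
    audit_nddconf "$1"
fi
```

The audit only compares the file with the table; after a change, the running stack should still be confirmed with ndd -get on the relevant device, since nddconf is applied at boot.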
SNMP:

- Turn it off if not needed, via the appropriate config files in /etc/rc.config.d.
- If needed, ensure you’re not using the default get|set community strings in /etc/snmpd.conf.

ftp:

- No anonymous ftp unless it’s needed and properly configured. See the man page for details.
- Ensure tftp is locked down using directories and is wrapped via tcp_wrappers.
- Ftp logging is enabled in the /etc/inetd.conf file.
- All system users are listed in /etc/ftpusers.
General system:

- /etc based files:
  - /etc/issue. For example:
      You are connected to ${HOSTNAME}. Unauthorized use of this resource is prohibited. This system is routinely monitored for security and performance reasons. Logging into and use of this system constitutes acceptance of that monitoring. Any actions taken in violation of ${COMPANY}'s Acceptable Use Policy will result in appropriate disciplinary and/or legal action.
  - /etc/profile
    - Set an appropriate timeout variable.
    - Set umask to at least 022.
- System init scripts:
  - All /sbin/rc[0-6].d scripts should be links to files in /sbin/init.d.
  - All /sbin/init.d/* scripts should have permissions of at least 755 and be owned by root.
  - Check init scripts for execution of scripts/programs with world-writable permissions.
  - Check permissions on the directories, and any parent directories, of any scripts that are executed from system init scripts. Ensure none of them are world writable.
- Directory permission changes:
      chmod 755 /usr/local/bin
      chmod 1777 /tmp /var/tmp /var/preserve
- Cron facility:
  - Appropriate logging is configured.
  - Root cron jobs are protected in the same way as system init scripts.
  - /var/adm/cron/cron.allow is configured for the appropriate users.
- Kernel:
  - Configure a non-executable stack by uncommenting or adding the following line to /usr/conf/master.d/core-hpux (>= 11.X):
      executable_stack EXECUTABLE_STACK 0
  - Apply the kernel model if appropriate.
  - Modify kernel parameters as required for installed s/w (like Oracle).
  - Rebuild the kernel.
- ID and save a list of the initial suid/sgid scripts/programs. Change permissions to minimize the list on any files that don’t specifically need to be suid/sgid.
- ID and save a list of world/group writable directories and files. Change permissions to minimize the list for any files/directories that don’t need to be world/group writable. Ensure the sticky bit is set on any directories that do need to be world writable.
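The init-script checks and the suid/sgid and world-writable inventories above are all filesystem walks, so here they are as one added example (not the checklist’s own code). Each function takes a directory argument rather than assuming "/", so it can be run against a staging tree or a chroot as easily as a live system, and each prints one path per line so the output can be saved as the baseline the checklist asks for and diffed on later runs. It assumes a find that understands -user and -perm -mode, and a readlink command for resolving the rc[0-6].d links (readlink may be absent on older HP-UX; ls -l shows the same target). The directory tree it builds for the demonstration is constructed.

```shell
#!/bin/sh
# Added example, not part of the original checklist. Filesystem checks for the
# "System init scripts" and suid/sgid / world-writable items, parameterized by
# a root directory. Assumes POSIX find (-user, -perm -mode) and readlink.
# The sample tree written below is constructed for the demonstration.

# rc_links_not_into_initd RCDIR INITD: entries in an rc[0-6].d directory that
# are not symlinks into the init.d directory (absolute or ../init.d/ relative).
rc_links_not_into_initd() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ]; then
            target=$(readlink "$entry")
            case "$target" in
                "$2"/*|../init.d/*) ;;
                *) echo "$entry" ;;
            esac
        else
            echo "$entry"
        fi
    done
}

# initd_bad_perms INITD [OWNER]: init.d scripts not owned by OWNER (default
# root) or writable by group or other, i.e. weaker than the 755/root target.
initd_bad_perms() {
    find "$1" -type f \( ! -user "${2:-root}" -o -perm -020 -o -perm -002 \) -print | sort
}

# world_writable_programs_in_scripts INITD: absolute paths mentioned in init.d
# scripts that exist as files and are world writable. Such a program can be
# replaced by any local user and then runs with the script's privileges at boot.
world_writable_programs_in_scripts() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' "$1"/* | sort -u |
    while read -r p; do
        if [ -f "$p" ] && [ -n "$(find "$p" -prune -perm -002 -print)" ]; then
            echo "$p"
        fi
    done
}

# suid_sgid_files ROOT: setuid or setgid regular files under ROOT (the baseline list).
suid_sgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# world_writable_files ROOT: world-writable regular files under ROOT.
world_writable_files() {
    find "$1" -type f -perm -002 -print | sort
}

# world_writable_dirs_nosticky ROOT: world-writable directories lacking the sticky bit.
world_writable_dirs_nosticky() {
    find "$1" -type d -perm -002 ! -perm -1000 -print | sort
}

# write_sample_tree BASE: constructed tree with one finding for every check.
write_sample_tree() {
    base=$1
    mkdir -p "$base/sbin/init.d" "$base/sbin/rc2.d" "$base/usr/local/bin" \
             "$base/usr/bin" "$base/tmp" "$base/var/tmp"
    printf '#!/bin/sh\n%s/usr/local/bin/helper\n' "$base" > "$base/sbin/init.d/foo"
    chmod 755 "$base/sbin/init.d/foo"
    printf '#!/bin/sh\n' > "$base/sbin/init.d/bar"
    chmod 775 "$base/sbin/init.d/bar"              # group writable: bad
    ln -s ../init.d/foo "$base/sbin/rc2.d/S900foo"  # correct: link into init.d
    printf '#!/bin/sh\n' > "$base/sbin/rc2.d/S901local"
    chmod 755 "$base/sbin/rc2.d/S901local"          # regular file in rc2.d: bad
    : > "$base/usr/local/bin/helper"
    chmod 777 "$base/usr/local/bin/helper"          # world-writable program run by foo
    : > "$base/usr/bin/su"
    chmod 4755 "$base/usr/bin/su"                   # setuid, belongs on the baseline
    chmod 1777 "$base/tmp"                          # world writable with sticky: fine
    chmod 777 "$base/var/tmp"                       # world writable, no sticky: bad
}

# Usage: sh fs_audit.sh /   (add -xdev to the find calls to stay on one filesystem)
if [ $# -eq 1 ]; then
    echo "== rc*.d entries that are not links into init.d =="
    for rc in "$1"/sbin/rc[0-6].d; do rc_links_not_into_initd "$rc" "$1/sbin/init.d"; done
    echo "== init.d scripts with weak ownership/permissions =="; initd_bad_perms "$1/sbin/init.d"
    echo "== world-writable programs referenced by init.d scripts =="; world_writable_programs_in_scripts "$1/sbin/init.d"
    echo "== suid/sgid files =="; suid_sgid_files "$1"
    echo "== world-writable files =="; world_writable_files "$1"
    echo "== world-writable directories without the sticky bit =="; world_writable_dirs_nosticky "$1"
fi
```

Save the suid/sgid and world-writable lists from the freshly installed system and diff later runs against them; a new entry is either a deliberate software install or something to investigate.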
- Configure system logging: See Syslog daemon configuration.
- Configure sar: See Performance monitoring.