HP: Generic installation checklist

Title:

HP: Generic installation checklist

Author:

Douglas O’Leary <dkoleary@olearycomputers.com>

Description:

HP: Generic installation checklist

Date created:

08/2008

Date updated:

06/18/2009

Disclaimer:

Standard: Use the information that follows at your own risk. If you screw up a system, don’t blame it on me…

The purpose of this document is not to be the end-all installation checklist for every site. That’s clearly impossible. Rather, I’m hoping this will document “best practices”; things that should be done at most sites.

If you see any glaring mistakes, things that should be added, or things that should be deleted, please send me an email.

  • Data collection:

    • General

      • Host name

    • Networking

      • System IP(s)

      • Is the system going to route IP?

      • Default gateway

      • Nameserver precedence

      • NIS

        • domainname

        • NIS servers

      • DNS

        • Domain

        • DNS server(s)

        • Searchlist, if appropriate

      • Required networking services

        • ftp

        • telnet

      • NFS:

        • Whether or not filesystems are to be exported.

        • Whether or not remote filesystems are to be mounted locally.

        • List of exported filesystems and to which systems they’re exported.

      • tcp_wrappers vs inetd logging

    • User/Groups

      • Password timeframes (min, max, inactivity, etc)

      • Max number of invalid password attempts

      • Default paths

    • System logging

      • Where will your log files be stashed?

      • What facilities and severities will be monitored?

    • Kernel

      • Kernel model to apply, if appropriate. (boy, have these changed since the last time I looked at ‘em!)

        • CAE/ME/EE Engineering Workstation (Previous version)

        • EE Engineering Workstation 32-bit kernel (New 10/99)

        • EE Engineering Workstation 64-bit kernel (New 10/99)

        • CAE/ME/General Eng. Workstation 32-bit kernel (New 10/99)

        • CAE/ME/General Eng. Workstation 64-bit kernel (New 10/99)

        • V-class Technical Server

      • Tweaks required for appls (Oracle, for example)

  • Install the operating system and appropriate patch bundles. Please see the appropriate installation guide on docs.hp.com

  • Install and configure appropriate security tools:

    • ssh

      • Public key authentication

      • Client agent forwarding

    • sudo

      • sudoers: %wheel ALL=(ALL) ALL

      • Appropriate users in the wheel group

    • tcp_wrappers

      • wrap telnet, rlogin, and ftp at a minimum - preferably all allowed services.

      • Update /etc/hosts.allow and /etc/hosts.deny as appropriate - or leave blank for logging purposes.

  • Passwords:

    • Convert to TCB using one of the following:

      • SAM->Auditing & Security -> System Security Policies

      • Commands:

        # tsconvert
        # pwconv
        # pwck
        
    • Establish default password parameters through one of the following methods:

      • SAM->Auditing & Security -> System Security Policies

        • Password Format: Password length >= 6

        • Password aging:

          • Min: Minimum number of days before allowed to change password again.

          • Max: Maximum valid use of the password in days.

          • Warn: how many days before ${Max} the system starts warning the user.

          • Expire: Maximum lifetime of the password in days.

        • General User account policies: Set appropriate times for:

          • Lock inactive accounts

          • Invalid password attempts

      • Files: Update the following files with entries listed as appropriate:

        • /etc/default/security

          • MIN_PASSWORD_LENGTH

          • PASSWORD_HISTORY_DEPTH

          • SU_ROOT_GROUP: only members of this group are allowed to su to root.

          • SU_PATH

        • /tcb/files/auth/system/default

          • u_minchg#${days}: Minimum number of days before allowed to change password again.

          • u_exp#${secs}: Max valid use of password.

          • u_life#${secs}: Max password lifetime.

          • u_maxtries#${num}: Max invalid passwd attempts before account is locked.

  • Users:

    • Execute logins -p to verify that all users have passwords. Should come back empty. Correct any accounts that are lacking passwords.

    • Root:

      • Root’s home directory.

        • Update /etc/passwd; update root’s home directory to /root.

        • mkdir -m 0700 /root

        • cp /.profile /root

        • cp /.kshrc /root

      • Configure root’s ssh environment to allow public key authentication only:

        ~/.ssh/ssh2_config:AllowedAuthentication publickey
        
      • Prevent direct root login via telnet:

        echo "console" > /etc/securetty
        
      • ~root/.profile:

        • Verify root’s path does not include current directory

        • Set root’s umask to 027

    • Lock the following accounts and set shell to /bin/false:

      daemon

      uucp

      nuucp

      bin

      sys

      hpdb

      adm

      lp

      www

    • Home directories: Ensure they are:

      • Unique per user. (No shared home directories)

      • Owned by the appropriate user.

      • Contain configuration files that have correct permissions and are owned by the appropriate user.

      • Don’t contain .netrc or .rhosts files.
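An added example, not from the original checklist, that audits those four home directory rules against a passwd file; it assumes the standard 7-field /etc/passwd layout and that ls -ln reports the numeric owner in the third column.

```shell
# Added example (not the checklist author's code): check the home directory
# rules above. Assumes 7-field /etc/passwd lines and that "ls -ln" prints
# the permission string in column 1 and the numeric owner in column 3.
# Usage: audit_homes [passwd-file]; prints findings, returns 1 if any.
audit_homes() {
    pw=${1:-/etc/passwd}
    rc=0
    # Rule 1: no home directory is shared by two accounts
    for d in $(cut -d: -f6 "$pw" | sort | uniq -d); do
        echo "SHARED   $d used by: $(awk -F: -v h="$d" '$6==h{printf "%s ",$1}' "$pw")"
        rc=1
    done
    # Rules 2-4: directory ownership, dotfile ownership/permissions,
    # and no .netrc or .rhosts at all
    while IFS=: read -r user junk uid junk junk home junk; do
        [ -d "$home" ] || continue
        owner=$(ls -ldn "$home" | awk '{print $3}')
        if [ "$owner" != "$uid" ]; then
            echo "OWNER    $home owned by uid $owner, expected $uid ($user)"
            rc=1
        fi
        for f in "$home"/.netrc "$home"/.rhosts; do
            if [ -e "$f" ]; then echo "REMOVE   $f must not exist"; rc=1; fi
        done
        for f in "$home"/.profile "$home"/.kshrc "$home"/.cshrc "$home"/.login; do
            [ -f "$f" ] || continue
            perms=$(ls -ln "$f" | awk '{print $1}')
            fown=$(ls -ln "$f" | awk '{print $3}')
            case $perms in
                ?????w*|????????w*) echo "WRITABLE $f is $perms"; rc=1 ;;
            esac
            if [ "$fown" != "$uid" ]; then
                echo "OWNER    $f owned by uid $fown, expected $uid"; rc=1
            fi
        done
    done < "$pw"
    return $rc
}
```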

  • Network:

    • /etc/inetd.conf

      • Comment out all services that aren’t being actively used. Good choices to comment out are:

        • bootps

        • chargen

        • daytime

        • discard

        • echo

        • exec

        • finger

        • ident

        • login

        • ntalk

        • shell

        • time

        • uucp

      • Wrap any services left open. Using telnet as an example:

        telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd \
           -b /etc/issue
        
      • Run inetd -c to refresh the inetd daemon.

    • NFS

      • /etc/rc.config.d/nfsconf

        • If the system is not to be an NFS server (no exported filesystems), verify the following parameters are set to 0:

          • NFS_SERVER

          • PCNFS_SERVER

          • START_MOUNTD

        • If you’re not planning on using the automounter or autofs service, ensure AUTOFS is set to 0. Also, remove or rename /etc/auto_master.

        • If you’re planning on using the NFS client, mounting remote filesystems, then set NFS_CLIENT to 1.

        • If you are planning on using any of these services, ensure the appropriate parameters are set to 1.

      • Exported filesystems. The following options should be configured appropriately when exporting filesystems:

        • ro | rw: Configure the exported filesystem read only if possible.

        • anon=${uid}: Uses ${uid} for any anonymous or root users from remote systems.

        • root=${host}:${host1}: Allows root on ${hosts[*]} to come in as root on the nfs exported filesystem. Should be used with care.

        • access=access_list: Probably the most important option; limits access to the hosts available through access_list. This option has expanded quite a bit over the years, so check the man page for details.

    • /etc/inetd.sec

      • Research items that are appropriate for the environment.

      • If you’re using NFS, minimally, ensure the following entry:

        mountd allow < Addresses to allow in>
        
    • Sendmail

      • Turn off sendmail if the system doesn’t need to receive email.

      • If you’re going to leave it on,

        • Patch or upgrade to the latest version.

        • Ensure the privacy options are enabled in /etc/mail/sendmail.cf:

          O PrivacyOptions=authwarning,novrfy,noexpn
          
    • Appropriately configure DNS resolver file, /etc/resolv.conf. Ensure it is 644 permissions.

    • Appropriately configure nameservice switch file, /etc/nsswitch.conf. Ensure it is 644 permissions.

    • Lock down the TCP/IP protocol stack. The table of ndd parameters that follows should be analyzed for your environment. Those that are needed should either be entered into /etc/rc.config.d/nddconf or into a startup script that is configured to start immediately after the network initialization.

| Net device | Parameter | Default value | Suggested value | Comment |
|---|---|---|---|---|
| /dev/ip | ip_check_subnet_addr | 1 | 0 | Permit 0 in local network part (should be the default) |
| /dev/ip | ip_forward_directed_broadcasts | 1 | 0 | Don’t forward directed broadcasts |
| /dev/ip | ip_forward_src_routed | 1 | 0 | Don’t forward packets with source route options |
| /dev/ip | ip_forwarding | 2 | 0 | Disable IP forwarding |
| /dev/ip | ip_ire_gw_probe | 1 | 0 | Disable dead gateway detection (currently no ndd help text; echo-requests interact badly with firewalls) |
| /dev/ip | ip_pmtu_strategy | 2 | 1 | Don’t use echo-request PMTU strategy (can be used for amplification attacks and we don’t want to send echo-requests anyway) |
| /dev/ip | ip_respond_to_address_mask_broadcast | 0 | 0 | Don’t respond to ICMP address mask request broadcasts |
| /dev/ip | ip_respond_to_echo_broadcast | 1 | 0 | Don’t respond to ICMP echo request broadcasts |
| /dev/ip | ip_respond_to_timestamp | 0 | 0 | Don’t respond to ICMP timestamp requests |
| /dev/ip | ip_respond_to_timestamp_broadcast | 0 | 0 | Don’t respond to ICMP timestamp request broadcasts |
| /dev/ip | ip_send_redirects | 1 | 0 | Don’t send ICMP redirect messages (if we have no need to send redirects) |
| /dev/ip | ip_send_source_quench | 1 | 0 | Don’t send ICMP source quench messages (deprecated) |
| /dev/tcp | tcp_conn_request_max | 20 | 500 | Increase TCP listen queue maximum (performance) |
| /dev/tcp | tcp_syn_rcvd_max | 500 | 500 | HP SYN flood defense |
| /dev/tcp | tcp_text_in_resets | 1 | 0 | Don’t send text messages in TCP RST segments (should be the default) |
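The ndd table above as an added example written for this page (not the checklist author's own script): a POSIX sh fragment that emits the matching /etc/rc.config.d/nddconf stanzas and compares live ndd -get output with the suggested values. It assumes nddconf's TRANSPORT_NAME[n]/NDD_NAME[n]/NDD_VALUE[n] array syntax and that ndd(1M) is invoked as "ndd -get /dev/<dev> <param>".

```shell
# Added example, not from the original checklist: turn the ndd table above
# into /etc/rc.config.d/nddconf stanzas and audit a live HP-UX host. Assumes
# nddconf's TRANSPORT_NAME[n]/NDD_NAME[n]/NDD_VALUE[n] syntax and ndd(1M)
# invoked as "ndd -get /dev/<dev> <param>".
# Rows of the table above: device, parameter, suggested value.
NDD_TABLE='ip ip_check_subnet_addr 0
ip ip_forward_directed_broadcasts 0
ip ip_forward_src_routed 0
ip ip_forwarding 0
ip ip_ire_gw_probe 0
ip ip_pmtu_strategy 1
ip ip_respond_to_address_mask_broadcast 0
ip ip_respond_to_echo_broadcast 0
ip ip_respond_to_timestamp 0
ip ip_respond_to_timestamp_broadcast 0
ip ip_send_redirects 0
ip ip_send_source_quench 0
tcp tcp_conn_request_max 500
tcp tcp_syn_rcvd_max 500
tcp tcp_text_in_resets 0'
# Emit nddconf stanzas; the index n must be unique and consecutive.
gen_nddconf() {
    n=0
    while read -r dev param val; do
        printf 'TRANSPORT_NAME[%d]=%s\nNDD_NAME[%d]=%s\nNDD_VALUE[%d]=%s\n' \
            "$n" "$dev" "$n" "$param" "$n" "$val"
        n=$((n + 1))
    done <<EOF
$NDD_TABLE
EOF
}

# Compare one live value ($1=dev $2=param $3=suggested $4=current);
# prints a verdict line and returns 1 on a mismatch.
check_param() {
    [ "$4" = "$3" ] && { echo "OK       /dev/$1 $2=$4"; return 0; }
    echo "MISMATCH /dev/$1 $2=$4 (suggested $3)"; return 1
}

# Audit the running kernel with ndd(1M); returns 1 if anything differs.
audit_ndd() {
    rc=0
    while read -r dev param val; do
        cur=$(ndd -get "/dev/$dev" "$param" 2>/dev/null) || cur='?'
        check_param "$dev" "$param" "$val" "$cur" || rc=1
    done <<EOF
$NDD_TABLE
EOF
    return $rc
}
```

Run gen_nddconf on a build host to produce the stanzas, and audit_ndd on the HP-UX system itself after the network has come up.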

  • SNMP:

    • Turned off if not needed via appropriate config files in /etc/rc.config.d

    • If needed, ensure you’re not using default get|set community strings in /etc/snmpd.conf

  • ftp:

    • No anonymous ftp unless it’s needed and properly configured. See the man page for details.

    • Ensure tftp is locked down using directories and is wrapped via tcp_wrappers.

    • Ftp logging is enabled in the /etc/inetd.conf file.

    • All system users are listed in /etc/ftpusers.

  • General system:

    • /etc based files.

      • /etc/issue: For example:

        You are connected to ${HOSTNAME}. Unauthorized use of this
        resource is prohibited. This system is routinely monitored for
        security and performance reasons. Logging into and use of this
        system constitutes acceptance of that monitoring. Any actions
        taken in violation of ${COMPANY}'s Acceptable Use Policy will
        result in appropriate disciplinary and/or legal action
        
      • /etc/profile

        • Set appropriate timeout variable.

        • Set umask to at least 022

    • System init scripts:

      • All /sbin/rc[0-6].d scripts should be links to files in /sbin/init.d

      • All /sbin/init.d/* scripts should have permissions at least 755 and owned by root.

      • Check init scripts for:

        • Execution of scripts/programs w/world writable permissions.

        • Check permissions on the directories and any parent directories for any scripts that are executed from system init scripts. Ensure none of them are world writable.

    • Directory permission changes:

      chmod 755 /usr/local/bin
      chmod 1777 /tmp /var/tmp /var/preserve
      
    • Cron facility:

      • Appropriate logging is configured.

      • Root cron jobs are protected in the same way as system init scripts.

      • /var/adm/cron/cron.allow configured for appropriate users.

    • Kernel:

      • Configure non-executable stack by uncommenting or adding the following line to /usr/conf/master.d/core-hpux (>= 11.X):

        executable_stack   EXECUTABLE_STACK     0
        
      • Apply kernel model if appropriate.

      • Modify kernel parameters as required for installed s/w (like Oracle).

      • Rebuild the kernel

    • ID and save a list of initial suid/sgid scripts/programs. Change permissions to minimize the list on any files that don’t specifically need to be suid/sgid.

    • ID and save a list of world/group writable directories and files. Change permissions to minimize the list for any files/directories that don’t need to be world/group writable. Ensure the sticky bit is set on any directories that do need to be world writable.

    • Configure system logging: See Syslog daemon configuration.

    • Configure sar: See Performance monitoring