Is Your e3000 Environment Secure?
(Keeping your e3000 safe from hackers until 2006 or beyond)
Mark Bixby, TCSD/vCSY
April 24, 2003
Presentation overview
• Getting started with security on MPE
• Auditing
• Authentication
• Authorization
• Networking (general and product-specific)
• :STORE/:RESTORE
• Denial of service
• People & processes
• The future
• Real-life security stories from the audience
• General Q&A
April 24, 2003 Is Your Homestead Secure? - Solution Symposium West page 2
Getting started with security on MPE
Security-related documentation
• Accessing Files Programmer's Guide
• New Features of MPE/iX: Using the Hierarchical File System (see also :XEQ POSIXCBT.LSN.
System logging
• Enabled via :SYSGEN
• Logging event data written to LOG####.PUB.SYS
• :SHOWLOG – displays current log file
• :SWITCHLOG – switches to a new log file
• Use LOGTOOL.PUB.
System logging events
• 100 - System Logging
• 101 - System Up
• 102 - Job Initiation
• 103 - Job Termination
• 104 - Process Termination
• 105 - NM File Close
• 106 - System Shutdown
• 107 - Power Failure
• 111 - I/O Error
• 112 - Physical Mount/Dismount
• 113 - Logical Mount/Dismount
• 114 - Tape Label
System logging events (cont.
System logging events (cont.
System logging events (cont.
Auditing
There's more than just the console and system logging
• Many subsystems use separate logging facilities:
  – INETD – JINETD $STDLIST spoolfile
  – Apache - /APACHE/PUB/logs
  – DNS BIND/iX – syslog (and possibly the console)
  – Samba - /usr/local/samba/var
  – Sendmail – syslog (and possibly the console)
• Home-grown applications?
• Third-party applications?
• ALL logs need to be checked periodically for anomalies
Where did that :HELLO come from?
• System logging and console messages don't include the IP address for terminal logons/logoffs
• A system logon UDC could be used to capture the HPREMIPADDR CI variable for successful logons
• But there is currently no way on MPE to capture the IP address of a failed VT-MGR logon attempt
• Enable INETD connection logging option (-l) to track all telnet connections
• Use external firewall SYN logging?
Which files have been :RELEASEd?
• :RELEASE is a great convenience for relaxing file security, but it opens major security holes
• There are no FOS tools to conveniently scan for :RELEASEd files, but you can do this from the CI:
file temp;rec=,,b;disc=2147483647
listfile /,3 >*temp
xeq awk.hpbin.
Which files are world-writable?
• World-writable files are equally risky
• To search for all world-writable files using the POSIX shell:
find / -perm -o+w -a ! -type l | xargs ls -ld
• Then tighten security if appropriate
Who is using special capabilities (i.e. SM, OP, PM)?
• No FOS tools for conveniently auditing special capability usage
• Vesoft's VEAUDIT/3000 product does a good job
• You could scan :LISTACCT, :LISTUSER, :LISTGROUP output for account, user, and group usage
• You could scan VERSION.PUB.
Listing all users with SM, OP, or PM capability
file temp;rec=,,b;disc=2147483647
listuser @.@ >*temp
xeq awk.hpbin.sys "'&
/^USER:/ { user=$2 } &
/^CAP:.
Listing all PROG files with PM capability
file temp;rec=,,b;disc=2147483647
listfile @.@.@,6;seleq=[code=prog] >*temp
file temp2;rec=,,b;disc=2147483647
xeq version.pub.sys <*temp >*temp2
xeq awk.hpbin.sys "'&
/^VERSION>/ { getline; getline prog } &
/^CAP:.
Listing all NMPRG files with PM capability
file temp;rec=,,b;disc=2147483647
listfile @.@.@,6;seleq=[code=nmprg] >*temp
file temp2;rec=,,b;disc=2147483647
xeq version.pub.sys <*temp >*temp2
xeq awk.hpbin.sys "'&
/^VERSION>/ { getline; getline prog } &
/^CAPABILITIES:.
Who can write to priv-mode groups?
• Non-prived users who can write to CAP=PM groups essentially have priv-mode capabilities
• Make sure group-level security has restricted write and save access to authorized users
• Make sure program files in PM groups are not :RELEASEd or writable by unauthorized users
• Process :LISTACCT/:LISTGROUP/:LISTFILE output yourself, or just purchase Vesoft's VEAUDIT/3000
Would you know it if a hacker replaced a system file with a trojan horse?
• Monitor system logging for unauthorized file open/close events – but what if a hacker disabled system logging or sanitized the log files?
• Build a database of file checksums and other attributes for comparison purposes to detect file changes
  – Update the database after legitimate file changes
  – Various open source solutions – TripWire, Osiris, etc
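A minimal version of the checksum database described above, as an added example that is not from the original slides. It assumes a generic POSIX system with sha256sum or shasum (the slides do not say which tool to use on MPE/iX), and the function names are made up here; keep the saved snapshot somewhere an intruder on the monitored system cannot rewrite it.

```shell
#!/bin/sh
# Added example: file-integrity snapshot and comparison (not from the original slides).

# Assumption: one of these SHA-256 tools is installed.
if command -v sha256sum >/dev/null 2>&1; then HASH="sha256sum"; else HASH="shasum -a 256"; fi

# snapshot DIR: print "<sha256>  <relative path>" for every regular file under DIR.
snapshot() {
    ( cd "$1" && find . -type f -exec $HASH {} + | sort -k2 )
}

# compare_snapshots OLD NEW: report files that were added, removed or changed.
compare_snapshots() {
    awk '
    # the path is everything after the two-space separator that follows the hash
    function relpath(line) { return substr(line, index(line, "  ") + 2) }
    FILENAME == ARGV[1] { old[relpath($0)] = $1; next }
    {
        p = relpath($0)
        seen[p] = 1
        if (!(p in old))                  print "ADDED   " p
        else if (old[p] "" != $1 "")      print "CHANGED " p
    }
    END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# Constructed demonstration: build a small tree, snapshot it, tamper with it,
# snapshot again and compare. The snapshots live outside the tree being checked.
demo_integrity() {
    work=$(mktemp -d) || return 1
    mkdir "$work/tree"
    echo "original program" > "$work/tree/prog"
    echo "config v1"        > "$work/tree/config"
    echo "old report"       > "$work/tree/report"
    snapshot "$work/tree" > "$work/before"

    echo "trojaned program" > "$work/tree/prog"      # contents replaced
    rm "$work/tree/report"                           # file deleted
    echo "unexpected file"  > "$work/tree/newfile"   # file added
    snapshot "$work/tree" > "$work/after"

    compare_snapshots "$work/before" "$work/after"
    rm -rf "$work"
}

demo_integrity
```

After a legitimate change, replace the stored "before" snapshot with a fresh one so the next comparison starts from the new baseline.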
Tracking account/user/group object changes
• Would you be able to tell if a hacker assigned SM or PM capability to some obscure user?
• Periodically compare :LISTACCT, :LISTUSER, :LISTGROUP output looking for any differences
• Purchase HP Security Monitor/iX and enable command logging for :NEWACCT, :NEWUSER, :NEWGROUP, :ALTACCT, :ALTUSER, :ALTGROUP
Command file SNAPU – taking a snapshot of user attributes
file temp;rec=,,b;disc=2147483647
listuser @.@;format=detail >*temp
xeq awk.hpbin.
SNAPU output OPERATOR.SYS OPERATOR.SYS OPERATOR.SYS OPERATOR.SYS OPERATOR.SYS OPERATOR.SYS OPERATOR.SYS OPERATOR.
Compare SNAPU output to detect changes
• :SNAPU >before
• :save before
• …time passes…
• :SNAPU >after
• :save after
• :xeq diff.hpbin.sys 'BEFORE AFTER'
2304c2304
< OPERATOR.SYS --> OPERATOR.
System logging event #115 gives incomplete picture of console activity
• Only a subset of CI commands are logged by event #115
• Enable additional logging events to get a better picture of console activity
• If you are really paranoid, purchase HP Security Monitor/iX and enable CI command logging for all commands and all users (might be overkill!)
Perform periodic packet sniffing
• :NETCONTROL TRACEON/TRACEOFF to capture packets, and :NMDUMP to format them
• :NMDUMP is cumbersome and overly verbose, so using external packet sniffing tools might be a better choice
• Connection attempts to unused TCP or UDP ports can indicate hacker scanning activity
• tcpdump sniffer – www.tcpdump.org
• Ethereal network analyzer – www.ethereal.
Auditing events across distributed systems
• A single transaction may easily span multiple systems, each with their own clock of varying accuracy
• Run NTP or other time synchronization software on each system so that event timestamps on one system may be correlated reliably with event timestamps on another system
• NTP for MPE: http://jazz.external.hp.
Strange network errors may be a sign of hacker scanning tools
• Some common hacker tools such as Nessus (www.nessus.
Nessus example console messages
14:18/#J89/174/Could not receive data from sockets during Telnet device initialization
14:18/#J89/174/Call to initialize telnet server failed with error -7
** NS/3000 NetIPC ERROR IN VT; Job: 0; PIN: 239; Info: 1 - Error: 42;
** NS/3000 NetIPC ERROR IN VT; Job: 0; PIN: 229; Info: 1 - Error: 42;
** NS/3000 NetIPC ERROR IN VT; Job: 0; PIN: 165; Info: 1 - Error: 42;
14:18/160/CAN'T FOPEN $STDLIST IN 'STARTLOGON' ON LDEV #14. (js 131)
14:18/160/CAN'T CLEANUP SOCKET ON LDEV #14.
Nessus example console messages (cont.
Nessus example console messages (cont.)
14:14/#J89/192/FTP 14:14/#J89/177/FTP 14:14/#J89/232/FTP IP=12.34.56.78 14:14/#J89/232/FTP 14:14/#J89/232/FTP 14:14/#J89/232/FTP 14:14/#J89/232/FTP 14:14/#J89/232/FTP IP=12.34.56.78 14:14/#J89/232/FTP 14:14/#J89/232/FTP IP=12.34.56.78 14:14/#J89/232/FTP 14:14/#J89/232/FTP 14:14/#J89/232/FTP IP=12.34.56.78 14:14/#J89/232/FTP 14:14/#J89/232/FTP IP=12.34.56.78 14:14/#J89/232/FTP 14:14/#J89/232/FTP INVALID LOGON FOR: "BOGUS" IP=12.34.56.
Nessus example console messages (cont.)
14:15/#J3/72/Feb 12 14:15:12 localhost sendmail[19595483]: h1CMFCFP19595483: IDENT:root@some.hacker [12.34.56.78] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
14:15/#J3/72/Feb 12 14:15:13 localhost sendmail[27721977]: h1CMFDFP27721977: IDENT:root@some.hacker [12.34.56.
Know your enemies (or know what your enemies know)!
• Download Nessus (www.nessus.
Don't get mad, get even!
• Report hacking attempts to the appropriate authorities within your organization
• If the hacking originated via the Internet, use traceroute to display the network topology all the way back to the originating IP address to reveal:
  – the originator's organization
  – the originator's Internet Service Provider
• Visit www.radb.
Authentication
Beware of install jobs using blank or constant passwords
• Software product installation jobs (both HP and non-HP) frequently use blank or constant passwords when creating new accounts, groups, and users
• Remember to manually impose custom passwords after software installations
• Periodically check for blank passwords
  – Scanning :LISTACCT, :LISTGROUP, :LISTUSER output
  – Running Vesoft's VEAUDIT/3000 product
Listing users & accounts without passwords
comment generate accounts without passwords
file temp;rec=,,b;disc=2147483647
listacct @;pass;format=detail >*temp
file tempa;rec=,,b;disc=2147483647
xeq awk.hpbin.sys "'&
/^ACCOUNT/ { acct=$3 } &
/^PASSWORD/ && NF == 2 { print acct }'" <*temp >*tempa
comment generate users without passwords
listuser @.@;pass;format=detail >*temp
file tempu;rec=,,b;disc=2147483647
xeq awk.hpbin.
Listing users & accounts without passwords (cont.)
comment list users & accounts without passwords
save tempa
save tempu
xeq join.hpbin.sys '-t . -j1 2 -o "1.1 1.
VT/telnet/ftp/dtc authentication sends cleartext passwords over the network
• Any idiot with a packet sniffer can capture these passwords
• Don't use these protocols over an untrusted network (i.e.
Unencrypted passwords in the system directory
• Passwords are stored in the system directory as cleartext by default
• :STORE ;DIRECTORY copies these cleartext passwords to your backup, so control who has access to your backups
• OP users can do :STORE ;DIRECTORY, so control who has access to OP capability
• Purchase HP Security Monitor/iX and enable encrypted passwords – one-way encryption is used, so not even SM users can reveal passwords
Generate random passwords in installation jobs
A shell script example:
PASSWORD=`echo $$ | awk ' {\
  srand($0); for (i=0; i < 8; i++) \
    pass=pass \
      substr("ABCDEFGHIJKLMNOPQRSTUVWXYZ",1+int(26*rand()),1);
  print pass }'`
callci "NEWACCT FOOBAR;PASS=$PASSWORD"
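Added example, not from the original slides: awk's srand() seeded with the process ID can only ever produce as many different passwords as there are process IDs, so this variant draws its letters from the kernel random source instead. It assumes a POSIX shell with od and /dev/urandom available, which the slides do not confirm for MPE/iX; gen_password is a made-up name.

```shell
#!/bin/sh
# Added example: password letters taken from /dev/urandom instead of a PID-seeded PRNG.

# gen_password [LENGTH]: print LENGTH (default 8) uppercase letters.
gen_password() {
    len=${1:-8}
    # Read four times as many random bytes as needed so that rejected bytes
    # (see below) practically never leave us short.
    od -An -v -tu1 -N "$((len * 4))" /dev/urandom | awk -v len="$len" '
        BEGIN { alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; len += 0 }
        {
            for (i = 1; i <= NF && n < len; i++)
                # 234 = 9 * 26. Bytes 234..255 are discarded so that every
                # letter is equally likely (no modulo bias).
                if ($i < 234) {
                    pass = pass substr(alpha, 1 + $i % 26, 1)
                    n++
                }
        }
        END {
            if (n < len) exit 1      # not enough usable bytes: fail, do not emit a short password
            print pass
        }'
}

# In an installation job the result would be handed to the account-creation
# command in the same way the slide passes $PASSWORD to NEWACCT.
gen_password 8
```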
Prevent users from choosing weak passwords
• Nothing in MPE FOS to prevent users from choosing blank or weak passwords
• Purchase HP Security Monitor/iX to impose minimum password length requirements
• Purchase Vesoft's Security/3000 to impose minimum length and other password content requirements
Implement password expiration
• Old passwords tend to become shared passwords
• No MPE FOS mechanism for expiring old passwords to prevent them from becoming stale and known by too many people
• Purchase HP Security Monitor/iX or Vesoft's Security/3000 to enforce regular MPE user and account password changes
• Don't forget to change database and other passwords too!
Don't use embedded passwords in job streams
• :JOBSECURITY ;PASSEXEMPT= can be used to permit certain classes of users to omit !JOB passwords in batch jobs
• Third-party utilities (Vesoft, others) can insert !JOB passwords prior to :STREAMing
Time-out unattended terminal sessions
• An unattended keyboard with a logged-on terminal session is a security risk
• The HPTIMEOUT CI variable can time-out unattended sessions sitting at a CI prompt
• Various freeware and third-party utilities can time-out idle MPE sessions
• A password-protected PC screen saver can also prevent unauthorized usage
Authorization
The use & abuse of OP capability
• OP capability grants the ability to:
  – :STORE/:RESTORE any file, including the system directory
  – Perform spoolfile and printer management
  – Perform job/session management
  – Use ;HIPRI on jobs
• Few users need ALL of these abilities
• Third-party utilities exist as OP alternatives for spoolfile/printer management and job/session management
Use OP on a temporary, process-local basis
• Use priv-mode AIFs to temporarily give the local process OP capability so you don't have to give it to the user permanently
• See the MPE/iX AIF:OS Reference Manual for details
  – http://docs.hp.com/mpeix/onlinedocs/3637490013/36374-90013.html
AIFPROCGET(2119) /* obtain existing cap. mask */
set mask bit 21 for OP capability
AIFPROCPUT(2119) /* modify process cap. mask */
HPCICOMMAND("OP command string")
AIFPROCPUT(2119) /* restore original cap.
Some read-only diagnostic tools require potentially destructive user capabilities
• :NETCONTROL requires CAP=NM
• :NSCONTROL requires CAP=NM
• NETTOOL.NET.
:PURGEUSER and :PURGEACCT don't clean up creators or ACDs
• Results in files owned by users who no longer exist
• Results in ACDs granting access rights to users who no longer exist
• If you recreate one of these users, is it appropriate for that user to regain the old access rights?
• Third-party solutions exist for finding missing creators, but nothing for ACD problems
  – Scan :LISTFILE ,ACD every time you purge a user?
Anybody can do :LISTFILE @.@.
Instead of :RELEASE, consider the use of ACDs (Access Control Definitions)
• :RELEASE is easy for getting around conventional file access restrictions, but tends to create huge security holes
• Instead use ACDs to grant different levels of access for different users of a file
• See :HELP ALTSEC for details
• For example:
:ALTSEC FDATA;NEWACD=(R:@.@; W,R:@.
Networking
Null SNMP community name in SNMPSAMP
• SNMPSAMP.NET.SYS gives a null community name as an example to be used in SNMPCONF.NET.SYS
• Hackers know to try null or common community names such as "public"
• If using SNMP, choose a unique community name in SNMPCONF.NET.SYS
• SNMP queries can reveal lots of interesting information!
  – :XEQ SNMPWALK.NET.
MPE TCP vulnerable to sequence number spoofing
• MPE TCP sequence numbers are predictable and can enable a hacker to impersonate your e3000 in order to exploit trust relationships
• For more info on TCP sequence spoofing, see: http://www.sans.org/rr/threats/intro_spoofing.php
• Patches are available to randomize MPE initial TCP sequence numbers:
  – 6.5: NSTGDV3 (LD)
  – 7.0: NSTGDV5 (GR)
  – 7.
Use external packet filtering
• MPE network transport lacks packet filtering
• Many MPE network services can allow or disallow by IP address, but this can be cumbersome to manage
• Use an external firewall or other network device to block all but explicitly authorized packets, i.e.
Filter outbound ICMP timestamp & netmask replies
• MPE responds to ICMP timestamp & netmask requests
• A hacker who knows your local time could schedule attacks during the graveyard shift
• A hacker who knows your netmask is learning about your network topology
• Use an external firewall or other network device to filter these outbound ICMP replies from your e3000
Apache – allow or deny via IP address or hostname
• Module mod_access – http://httpd.apache.org/docs/mod/mod_access.html
order allow,deny
allow from 12.34.56.
Apache – basic user/password authentication
• Module mod_auth – http://httpd.apache.org/docs/mod/mod_auth.
Apache – check logs for suspicious activity
• The /APACHE/PUB/logs/access_log file can indicate suspicious Microsoft IIS virus activity (Nimda, etc):
12.34.56.78 - - [20/Feb/2003:16:06:41 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
12.34.56.78 - - [20/Feb/2003:16:06:41 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289
12.34.56.78 - - [20/Feb/2003:16:06:42 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
12.34.56.78 - - [20/Feb/2003:16:06:42 -0800] "GET /d/winnt/system32/cmd.
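One way to automate the access_log check described above, as an added example that is not from the original slides. The function names are made up here and the sample log is constructed, modelled on the entries shown on the slide.

```shell
#!/bin/sh
# Added example: summarise IIS-worm style probes (root.exe / cmd.exe requests)
# in an Apache access_log written in Common Log Format.

# Constructed sample input; the first three lines follow the slide's examples.
sample_access_log() {
cat <<'EOF'
12.34.56.78 - - [20/Feb/2003:16:06:41 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
12.34.56.78 - - [20/Feb/2003:16:06:41 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289
12.34.56.78 - - [20/Feb/2003:16:06:42 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
87.65.43.21 - - [20/Feb/2003:16:07:10 -0800] "GET /index.html HTTP/1.0" 200 1024
87.65.43.21 - - [20/Feb/2003:16:09:55 -0800] "GET /Scripts/CMD.EXE?/c+dir HTTP/1.0" 200 512
EOF
}

# Reads an access_log on stdin and prints one line per client that requested
# root.exe or cmd.exe:  "<ip> probes=<n> answered=<n>"
# "answered" counts probes that did NOT receive a 4xx/5xx status; anything
# above zero means the server returned content for the probe and needs review.
scan_access_log() {
    awk '
    {
        n = split($0, q, "\"")       # q[2] = request line, q[3] = " status bytes"
        if (n < 3) next              # skip truncated or malformed records
        split(q[2], req, " ")        # METHOD URI PROTOCOL
        split(q[3], tail, " ")       # STATUS BYTES
        uri = tolower(req[2])        # the probed IIS paths are case-insensitive
        if (uri !~ /\/(root|cmd)\.exe/) next
        probes[$1]++
        if (tail[1] !~ /^[45]/) answered[$1]++
    }
    END {
        for (ip in probes)
            printf "%s probes=%d answered=%d\n", ip, probes[ip], answered[ip] + 0
    }' | sort
}

sample_access_log | scan_access_log
```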
WebWise – use HTTPS/SSL protocol for serving web pages
• https:// URLs use the Secure Sockets Layer (SSL) protocol to encrypt the data stream between the web browser and the web server
• If hackers should manage to network sniff this data stream, sensitive data will be protected
• If you are using unencrypted FTP to allow file downloads, consider switching to WebWise and encrypted https://
• http://www.modssl.
WebWise – X.509 client authentication
• X.509 certificates aren't just for web servers!
• Require web browsers to submit valid X.509 certificates to be validated by the web server
  – http://www.modssl.org/docs/2.8/ssl_howto.
WebWise - OpenSSL security functionality in FOS as part of the web server
• OpenSSL command line utility
  – file encryption/decryption
  – X.509 certificate management
  – S/MIME encrypted e-mail message generation
  – API libraries NOT included (but you can build them from source code from www.openssl.org)
• Only the X.509 functionality is supported, but the rest all works :-)
• 7.0: patch WBWGDT7A
• 7.
FTP - log authentication attempts
• Recent versions of the MPE FTP server log the originating IP address for both successful and failed authentication attempts:
  – MPE 6.5: FTPGD01 or later
  – MPE 7.0: FTPGD49 or later
  – MPE 7.5: already in FOS
• See FTPDOC.ARPA.
FTP - log authentication attempts (cont.)
11:04/#J5/138/FTP INVALID PASSWORD FOR: "HACKER,MANAGER.SYS" IP=12.34.56.78
11:04/#J5/138/FTP OPEN FOR: "SYSADMIN,MANAGER.SYS,PUB" IP=12.34.56.78
11:04/#J5/138/FTP CLOSE IP=12.34.56.78
11:07/#J5/147/FTP INVALID LOGON FOR: "BOGUS.ACCOUNT" IP=12.34.56.
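A sketch of how the FTP console messages above could be reviewed in bulk, as an added example that is not from the original slides. The function names are made up here, and the sample messages are constructed in the format shown on the slide; the script counts failures per source address and marks any address whose failures were followed by a successful FTP OPEN.

```shell
#!/bin/sh
# Added example: per-IP summary of failed FTP authentications in console messages.

# Constructed sample console log, modelled on the slide's message format.
sample_console_log() {
cat <<'EOF'
11:04/#J5/138/FTP INVALID PASSWORD FOR: "HACKER,MANAGER.SYS" IP=12.34.56.78
11:04/#J5/138/FTP OPEN FOR: "SYSADMIN,MANAGER.SYS,PUB" IP=12.34.56.78
11:04/#J5/138/FTP CLOSE IP=12.34.56.78
11:07/#J5/147/FTP INVALID LOGON FOR: "BOGUS.ACCOUNT" IP=12.34.56.78
11:09/#J5/151/FTP OPEN FOR: "SYSADMIN,MANAGER.SYS,PUB" IP=87.65.43.21
11:09/#J5/151/FTP CLOSE IP=87.65.43.21
11:12/#J5/160/FTP INVALID LOGON FOR: "USER.FTPGUEST,PUB" IP=10.0.0.9
EOF
}

# ftp_auth_failures [MIN]: reads console messages on stdin. For every source
# address with at least MIN (default 1) failed authentications, prints
#   "<ip> failures=<n> open_after_failure=<yes|no>"
# "yes" means a logon from that address succeeded after an earlier failure,
# which is worth checking against who was expected to connect from there.
ftp_auth_failures() {
    awk -v min="${1:-1}" '
    # Skip lines without a complete dotted-quad address (e.g. wrapped output).
    !match($0, /IP=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) { next }
    { ip = substr($0, RSTART + 3, RLENGTH - 3) }
    /FTP INVALID (PASSWORD|LOGON) FOR:/ { fail[ip]++; next }
    /FTP OPEN FOR:/ && (ip in fail)     { later_open[ip] = 1 }
    END {
        for (ip in fail)
            if (fail[ip] >= min + 0)
                printf "%s failures=%d open_after_failure=%s\n",
                       ip, fail[ip], ((ip in later_open) ? "yes" : "no")
    }' | sort
}

sample_console_log | ftp_auth_failures
```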
FTP – who is transferring what files?
• FTPSRVR doesn't explicitly log file transfer attempts
• But system logging file open & close events could be scanned to derive FTP usage
FTP - protocol logging would be helpful to detect certain hacking attempts
• Unfortunately FTPSRVR does not support protocol logging
• If access to FTPSRVR is controlled by an external firewall, proxy, or other network device, consider enabling FTP logging on the external device
FTP - restrict server usage to specific users
• MPE FTPSRVR is all or nothing – it cannot restrict access to certain users
• But Vesoft's Security/3000 product can
FTP - be aware of FTPSRVR's "site stream" command
• Allows remote users to stream batch jobs
• Users with CAP=BA,SF could upload new batch jobs to /tmp or other writable directories and then stream those jobs
• Defeats the use of "OPTION LOGON,NOBREAK" if such UDCs do not also restrict batch jobs
• A future version of FTPSRVR will likely add a new parameter to SETPARMS.ARPA.
FTP - don't enable anonymous FTP access
• Too many hacker tools scan for anonymous FTP access
• :PURGEUSER USER.FTPGUEST to make sure anonymous FTP is disabled (the default)
• Console messages for failed USER.FTPGUEST logons might indicate hacker scanning activity:
15:59/#J5/123/FTP INVALID LOGON FOR: "USER.FTPGUEST,PUB" IP=12.34.56.
INETD - Enable connection logging option (-l)
• The default mode is no logging
• Edit JINETD.NET.
INETD - connection logging output
Received call for: ftp tcp
ftp/tcp: Connection from unknown (12.34.56.78) at Thu Feb 20 11:48:41 2003
Received call for: telnet tcp
telnet/tcp: Connection from some.host.name (87.65.43.21) at Thu Feb 20 15:58:24 2003
Received call for: ftp tcp
ftp/tcp: Connection from some.host.name (87.65.43.
INETD - disable unused services
• The INCNFSMP.NET.SYS template for the INETD config file INETDCNF.NET.
INETD – allow or deny via IP address or hostname
• Use /usr/adm/inetd.sec to allow or deny access to INETD services by IP address or hostname
• Create /SYS/NET/INETDSEC from the INSECSMP sample file
• Make sure /usr/adm/inetd.sec is a symbolic link pointing to INETDSEC
  – ln -s /SYS/NET/INETDSEC /usr/adm/inetd.sec
• Controls all services listed in /etc/inetd.
Samba – encrypted passwords
• Samba/iX 2.0.7 and earlier only supported plaintext passwords
• Samba/iX 2.2.8a adds support for encrypted passwords
• Samba encrypted passwords are independent of MPE user & account passwords
  – stored in /usr/local/samba/private/smbpasswd
  – maintained with /usr/local/samba/bin/smbpasswd utility
• For more information: http://de.samba.org/samba/ftp/docs/htmldocs/ENCRYPTION.
Samba – disable guest access
• Many hacking scanners attempt Samba guest access
• Modify /usr/local/samba/lib/smb.conf with "guest ok = no"
• But if you MUST use guest access, use a minimal-capability user like GUEST.SAMBA instead of MGR.
Samba – allow or deny via IP address or hostname
• In /usr/local/samba/lib/smb.conf:
  – hosts allow = 12.34.56.78
  – hosts deny = badhost.somewhere.
Samba – check logs for suspicious activity
• Look for individual client log files in /usr/local/samba/var/log.*
• debug level = 2 needed to see failed authentication attempts (but also gives successful file open/close info)
• log file = /usr/local/samba/var/log.
Sendmail – access database
• Accept or reject incoming e-mail
1. :HELLO SERVER.SENDMAIL
2. :XEQ SH.HPBIN.SYS -L
3. shell/iX> /bin/cat - >/etc/mail/access
   makemoneyfast@aol.com REJECT
   imaspammer.com REJECT
   :EOD
4.
Sendmail – check syslog for suspicious activity
• Unauthorized relay attempts from spammers:
Oct 16 11:44:14 localhost sendmail[190251173]: f9GIi9M6190251173: ruleset=check_rcpt, arg1=, relay=spam.host.com [12.34.56.78], reject=550 5.7.1 ... Relaying denied
• Hacker probes:
Feb 20 16:26:10 localhost sendmail[1114264]: h1L0Q8ER1114264: hacker.host [12.34.56.
:STORE/:RESTORE
Untrusted OP users + :STORE-to-disk ;DIRECTORY is a bad combination
• OP users can :STORE ;DIRECTORY to obtain cleartext passwords
• Now that :STORE-to-disk is in FOS, physical access to tape media is no longer required
• Only give OP capability to those users who absolutely positively need it
• Purchase HP Security Monitor/iX and enable encrypted passwords
:RESTORE ;CREATE results in blank passwords
• If accounts, groups, or users get created by :RESTORE, they will have BLANK passwords
• Upon :RESTORE completion, remember to manually assign passwords to any newly created objects
• Periodically scan :LISTACCT/:LISTGROUP/:LISTUSER output for blank passwords
OP users can read or write any file using :STORE/:RESTORE
• Read the contents of any file
• Write arbitrary contents back to any file
• Think twice before giving OP capability to users!
Denial of Service
Configure sane connection limits
• Attackers can exhaust processor, memory, and disk resources by making hundreds (or thousands) of concurrent connections to network services
• Make sure each network service is configured with sane connection limits
  – :NMMGR global TCP and UDP parameters
  – :NSCONTROL SERVER=name,min,max
  – Apache MaxClients directive
  – Samba "max smbd processes" parameter
• Unfortunately no connection limits within INETD
Use Threshold Manager to define other limits
• Included in FOS for global management of resource utilization
• Only limits job & session logons, not process creations
• See Performing System Management Tasks manual for details
People & Processes
Help! I forgot my password!
• How can you be sure the user is who they say they are?
• What if you don't recognize their face or voice?
• Is a telephone request sufficient by itself?
• Is an e-mail request sufficient by itself?
• Should a handwritten signature be required?
• NEVER reveal an existing password – always change it to something new
Are your employee ID numbers secure?
• Social Security Numbers are too widely used for too many purposes to be truly secure
• Do internal corporate applications "leak" employee ID numbers to other unauthorized employees?
Terminate passwords when terminating employees
• Revoke or change passwords as soon as possible after the last day of employment
• But short of using mental telepathy, how do you know which passwords an employee knows?
• You may never know the full password list if informal password sharing is occurring
• Do you change EVERY password if you terminate the system manager?
Avoiding the phony security audit scam
• A hacker phones a user and says "Hi, I'm from IT Support and I need to verify your password"
• Educate your users about what to expect and not expect from IT support staff
• Users should never reveal passwords to ANYBODY else!
Never share login accounts (or passwords)
• When multiple people share the same login account, reliable auditing becomes impossible
• Products like Vesoft's Security/3000 can help facilitate login sharing, but MPE system logging will not be aware of those extra levels of authentication
Beware of dumpster diving
• Implement procedures to prevent sensitive information being exposed in hardcopy trash
• Use caution when recycling – is the recycling facility secure?
• If in doubt, shred!
Control access to used backup media
• System backups contain passwords and other sensitive information
• Who has physical access to on-site media?
• Who can request media from off-site archives?
• When used media cycles back into the scratch pool, do you zero-out the old data before making the media available for reuse?
Knowledge retention
• Employees with MPE OS & local application skills may leave to seek a different career path
• Will the employees who are left have sufficient skills to ensure good MPE & application security?
• Make sure critical knowledge is written down somewhere
Keep current on software versions
• Perform periodic OS & application software updating/patching to get fixes for security problems
• MUCH Internet grief could be prevented if everybody was up-to-date on key software
• For MPE patches, the unsupported freeware patchman utility can help
  – http://www.bixby.org/ftp/pub/mpe/patchman-2.2.
Stay informed
• Subscribe to vendor security alert mailing lists
• Subscribe to Internet security alert mailing lists such as CERT, CIAC, BUGTRAQ, etc
• Subscribe to open source application "announce" lists
• Subscribe to open source application developer lists
• Subscribe to HP3000-L / comp.sys.hp.
The future
MPE security 2003-2006: the good news
• HP software support continues through 2006
• HP software delivery continues through 2006
• HP patches continue through 2006
• In short, nothing has changed from a customer support perspective
MPE security 2003-2006: the bad news
• MPE 6.0 and earlier already not supported by HP
• MPE 6.5 end of HP support date 12/31/04
• MPE 7.0 end of HP support date 12/31/06
• MPE 7.
MPE security beyond 2006 – native bugs
• Vastly fewer customers using MPE means some undiscovered native security problems may stay hidden
  – good news: fewer MPE-specific security problems will emerge
  – bad news: if problems do emerge, HP won't be willing to fix them
• Third-party support providers may be willing and able to provide fixes for some new bugs
MPE security beyond 2006 – open source bugs
• Internet hackers will continue to find bugs in the open source products which are bundled into MPE – Apache, BIND, Samba, Sendmail
• Most of these bugs tend to be of the buffer overflow / code execution variety, which at most will cause a process abort on MPE without executing any hacker code
• HP will no longer be providing updated open source binaries for MPE
• If these products are critical for your homesteading environment, you should invest in learn
Real-life security stories from the audience
General Q&A