Recently a friend asked me about HP-UX security and where to find useful information. We have to admit it, there are not many resources out there about HP-UX security and the great majority of them are obsolete since they are about HP-UX 10.20 or even 9.x. Let’s take a look…
HP Docs is the first place to look for information, there you will find a lot of docs regarding HP-UX security, IPFilter, HP-UX Bastille and other products and manuals concerning security. Following is a reference of useful docs that can be found on this site:
- The most up to date document is HP-UX System Administrator’s Guide: Security Management, this is the main reference for any HP-UX admin. It covers HP-UX 11iv3 and is filled with detailed information on how-to protect your system, how is the security implemented in HP-UX and an appendix with references to other security products of HP that can be used to hardening your systems.
- HP-UX 11i Security Containment Administrator’s Guide HP-UX 11.23
- HP9000 Computer Systems: Administering Your HP-UX Trusted System. Useful information concerning older systems.
- HP-UX System Administration Tasks: HP9000. It has full chapter about system security, useful for older systems.
- Managing Systems and Workgroups: A Guide for HP-UX System Administrators. HP-UX 11iv1 and 11iv2 information.
Second in our small list is the yet classic but still very useful Kevin Steves’ great document “Building a Bastion Host Using HP-UX 11”. This is without any doubt (at least for me) the best document about HP-UX hardening ever done. Although it was written seven years ago it still applies to a wide variety of areas.
In the Center fo Information Security you will find the “CIS Level 1 Benchmark for HP-UX”. These benchmarks are a compilation of security configurations, settings and best practices. Current version applies to all three versions of HP-UX 11i so it is worthwhile to read them. It will ask for registration prior to allow you to download the docs.
In the ITRC Forums there is a HP-UX Security forum, it is not the most active forum in ITRC but if you post a question you will find that the people is willing to help you.
HP Security Bulletins. Through ITRC you can subscribe to several digests and bulletins, including the HP-UX Security and HP-UX 11.x patches.
Security specific websites. There are a lot of sites and portals focused in security, and in all of them you can find papers about Unix security hardening in general and even some HP-UX specific papers, but as I said at the beginning most of them are obsolete. I usually read Security Focus but there are many others just do a search in Google and you will find them.
Security mailing lists. Probably the most known security mailing list is Bugtraq but there are others, they talk about HP-UX security bugs from time to time.
And this is the end… well not really. These are the resources I use in my everyday work, if any of you know about other resources please comment them.
See you next time.