
HP-UX Security

At a glance

  • Course number: H3541S
  • Length: 5 days
  • Delivery method: Remotely assisted instructional learning (RAIL), Instructor-led training (ILT), Onsite dedicated training (OST)
  • Price: USD $3,500 / CAD $3,600

Special notes

This fast-paced, hands-on course examines a variety of popular tools and techniques for hardening and securing HP-UX systems. The course is 50% lecture / 50% lab.

Course overview

This course examines the most common HP-UX system security vulnerabilities, and introduces a variety of tools and techniques that can be used to prevent hackers from exploiting these vulnerabilities.


Prerequisites

  • HP-UX System and Network Administration I (H3064S) and HP-UX System and Network Administration II (H3065S), or
  • HP-UX for Experienced UNIX System Administrators (H5875S), or
  • Equivalent experience

Audience

  • Experienced system and network administrators responsible for securing and monitoring HP-UX systems

Benefits to you

  • Learn how to use Role Based Access Control (RBAC), Secure Shell (SSH), Host Intrusion Detection System (HIDS), Software Assistant (SWA), IPFilter, security compartments, and other HP supported tools to harden and secure HP-UX systems
  • Learn how to use Tripwire, John the Ripper, nmap, lsof, and other open source tools to further improve HP-UX system security

Course outline

Introduction

  • Why security?
  • HP-UX security features
  • HP-UX security certifications
  • Course agenda

Securing user accounts: user passwords

  • Understanding the /etc/passwd file
  • Understanding the /etc/shadow file
  • Encrypting passwords
  • Managing user passwords
  • Configuring shadow passwords
  • Configuring password aging
  • Cracking passwords with John the Ripper
  • Authenticating users via PAM
  • Configuring /etc/pam.conf

Securing user accounts: special cases

  • Protecting user accounts: guidelines
  • Protecting the root account: guidelines
  • Limiting root and operator access via /etc/security
  • Limiting root and operator access via sudo
  • Limiting root and operator access via the restricted SAM builder
  • Limiting root and operator access via the SMH
  • Configuring accounts for guest users
  • Configuring accounts for single application users
  • Configuring accounts for teams and groups
  • Preventing dormant accounts

Securing user accounts: Standard Mode Security Extensions (SMSE)

  • Configuring SMSE user security
  • Understanding Standard Mode Security Extensions benefits
  • Understanding SMSE Attributes
  • Configuring /etc/security.dsc
  • Configuring /etc/default/security
  • Configuring /etc/passwd and /etc/shadow
  • Configuring /var/adm/userdb/ via userdbset, userdbget, and userdbck
  • Enforcing SMSE security policies

Securing user accounts: Role Based Access Control (RBAC)

  • RBAC features and benefits
  • Installing RBAC
  • Configuring and assigning RBAC roles
  • Configuring and assigning RBAC authorizations
  • Configuring RBAC commands and privileges
  • Verifying the RBAC database
  • Configuring RBAC auditing
  • Running commands with privrun
  • Editing files with privedit

Protecting data via file permissions and JFS Access Control Lists (ACLs)

  • Understanding how hackers exploit improper file and directory permissions
  • Viewing and changing file permissions
  • Searching for files with improper permissions
  • Configuring and using the SUID bit
  • Configuring and using the SGID bit
  • Configuring and using the sticky bit
  • Configuring and using JFS ACLs

Protecting data via swverify, md5sum, and Tripwire

  • File integrity checking overview
  • Verifying executable integrity with swverify
  • Verifying file integrity with md5sum
  • Verifying file integrity with Tripwire
  • Installing Tripwire
  • Creating Tripwire keys
  • Creating the Tripwire configuration file
  • Creating the Tripwire policy file
  • Creating the Tripwire database
  • Performing a Tripwire integrity check
  • Updating the Tripwire database
  • Updating the Tripwire policy file

Protecting data via Encrypted Volumes and File Systems (EVFS)

  • EVFS features
  • EVFS architecture
  • EVFS volumes
  • EVFS volume encryption keys, user keys, and recovery keys
  • Step 1: Installing and configuring EVFS software
  • Step 2: Creating user keys
  • Step 3: Creating recovery keys
  • Step 4: Creating an LVM or VxVM volume
  • Step 5: Creating EVFS device files
  • Step 6: Creating and populating the volume’s EMD
  • Step 7: Enabling the EVFS volume
  • Step 8: Creating and mounting a file system
  • Step 9: Enabling autostart
  • Step 10: Migrating data to the EVFS volume
  • Step 11: Backing up the EVFS configuration

  • Managing EVFS volume users
  • Managing the EVFS key database
  • Extending an EVFS volume
  • Reducing an EVFS volume
  • Removing EVFS volumes
  • Backing up EVFS volumes
  • EVFS limitations
  • EVFS and TPM/TCS integration overview

Securing network services: inetd and tcpwrapper

  • inetd service overview
  • inetd configuration file overview
  • Securing inetd
  • Securing the inetd internal services
  • Securing the RPC services
  • Securing the Berkeley services
  • Securing FTP
  • Securing FTP service classes
  • Securing anonymous FTP
  • Securing guest FTP
  • Securing other ftpaccess security features
  • Securing other inetd services
  • Securing other non-inetd services
  • Securing inetd via TCPwrapper

Securing network services: SSH

  • Legacy Network Service Vulnerabilities: DNS
  • Legacy Network Service Vulnerabilities: Sniffers
  • Legacy Network Service Vulnerabilities: IP spoofing
  • Solution: Securing the Network Infrastructure
  • Solution: Using Symmetric Key Encryption
  • Solution: Using Public Key Encryption
  • Solution: Using Public Key Authentication
  • HP-UX Encryption and Authentication Product overview
  • Configuring SSH Encryption and Server Authentication
  • Configuring SSH Client/User Authentication
  • Configuring SSH Single Sign-On
  • Using the UNIX SSH Clients
  • Using PuTTY SSH Clients

Securing network services: IPFilter

  • Firewall overview
  • Packet filtering firewalls
  • Network Address Translation firewalls
  • Host versus perimeter firewalls
  • Installing IPFilter
  • Managing IPFilter rulesets
  • Configuring a default deny policy
  • Preventing IP and loopback spoofing
  • Controlling ICMP service access
  • Controlling access to UDP services
  • Controlling access to TCP services
  • Controlling access via active and passive FTP
  • Testing IPFilter rulesets
  • Monitoring IPFilter

Securing network services: Nmap and Nessus

  • Network scanner overview
  • Available network scanners
  • Installing and running Nmap
  • Installing and running Nessus
  • Connecting to the Nessus server
  • Selecting Nessus plugins
  • Selecting Nessus targets
  • Starting a Nessus scan
  • Viewing Nessus results
  • Saving the Nessus reports

Monitoring activity via system log files

  • Monitoring log files
  • Monitoring logins via last, lastb, and who
  • Monitoring processes via ps, top, and whodo
  • Monitoring file access via ll, fuser, and lsof
  • Monitoring network connections via netstat, idlookup, and lsof
  • Monitoring inetd connections
  • Monitoring system activity via syslogd
  • Configuring /etc/syslog.conf
  • Hiding connections, processes, and arguments
  • Doctoring log files and time stamps

Monitoring activity via SMSE auditing

  • Auditing overview
  • Trusted system versus SMSE auditing
  • Enabling and disabling auditing
  • Verifying auditing
  • Selecting events and system calls to audit
  • Selecting users to audit
  • Viewing audit trails
  • Switching audit trails
  • Understanding audomon AFS and FSS switches
  • Understanding audomon audit trail names
  • Configuring audomon parameters
  • Configuring audomon custom scripts

Monitoring suspicious activity via HP’s Host Intrusion Detection System (HIDS)

  • HIDS overview
  • HIDS architecture
  • Installing HP’s HIDS product
  • Configuring HIDS detection templates and properties
  • Configuring HIDS surveillance groups
  • Configuring HIDS surveillance schedules
  • Configuring HIDS response scripts
  • Assigning surveillance schedules to clients
  • Monitoring HIDS alerts and errors

Managing security patches with Software Assistant (SWA)

  • Security patch overview
  • SWA overview
  • Reading US-CERT advisory bulletins
  • Reading HP-UX security bulletins
  • Installing swa
  • Generating swa reports
  • Viewing swa reports
  • Retrieving swa recommended patches
  • Installing swa patches
  • Installing other products recommended by swa
  • Applying other manual changes
  • Regenerating swa reports
  • Purging swa caches
  • Viewing swa logs
  • Customizing swa defaults
  • Preventing unauthorized swa and swlist access
  • Preventing buffer overflow attacks
  • Setting the executable_stack kernel parameter
  • Setting the chatr +es executable stack option

Hardening HP-UX with Bastille

  • Bastille overview
  • Installing Bastille
  • Generating a Bastille assessment
  • Creating a Bastille configuration file
  • Applying a Bastille configuration file
  • Applying a pre-configured Bastille configuration file
  • Applying a pre-configured Bastille configuration via Ignite-UX
  • Reviewing the Bastille logs
  • Monitoring changes with bastille_drift
  • Reverting to the pre-Bastille configuration

Protecting data via chroot(), Fine Grained Privileges (FGP), and security compartments

  • Part 1: Concepts
  • Overview: isolating applications
  • Part 2: Implementing chroot()
  • Limiting file access via chroot()
  • Configuring chroot()ed applications
  • Part 3: Implementing FGP
  • Limiting privileges via FGP
  • Installing FGP Software
  • Recognized Privileges
  • Permitted, Effective, and Retained Privilege Sets
  • Configuring FGP Privileges via setfilexsec
  • Configuring FGP Privileges via RBAC
  • Configuring and using FGP TRIALMODE

  • Part 4: Compartment concepts
  • Limiting IPC, network, and file access (without compartments)
  • Limiting IPC, network, and file access (with compartments)
  • Concept: Compartment rules
  • Concept: The INIT compartment
  • Compartment use cases
  • Part 5: Configuring compartments
  • Planning the compartment structure
  • Installing compartment software
  • Enabling compartment functionality
  • Creating and modifying compartments
  • Viewing compartments
  • Executing commands in compartments without RBAC
  • Executing commands in compartments with RBAC
  • Executing commands in discovery mode
  • Removing compartments
  • Disabling compartment functionality

  • Part 6: Configuring compartment rules
  • Network interface rules
  • File system rules
  • IPC rules
  • Signal rules
  • Privilege limitation rules
  • Preprocessor directives

Appendix: Improving user and password security with trusted systems

  • Trusted system overview
  • Configuring password format policies
  • Configuring password aging policies
  • Configuring user account policies
  • Configuring terminal security policies
  • Configuring access control policies
  • Understanding the /tcb directory structure

H3541Sg.00
© 2008 Hewlett-Packard Development Company, L.P.