Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 5 Remote Access Security Administration

Controlling an Administrative Domain


Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

All network administration programs should be owned by a protected, network-specific account, such as uucp, nso, or by a daemon, instead of by root.

An administrative domain is a group of systems connected by network services that allow users to access one another without password verification. An administrative domain assumes that system users have already been verified by their host system. Use the following steps to identify and control an administrative domain:

  1. List the nodes to which you export file systems in /etc/exports. The /etc/exports file contains entries of a file system path name and a list of systems or groups of systems that are allowed access to the file system. The /etc/exports entries might contain names of groups of systems. You can find out what individual systems are included in a group by checking /etc/netgroup.

  2. List the nodes that have equivalent password databases in /etc/hosts.equiv.

  3. Verify that each node in the administrative domain does not extend privileges to any nodes that are not included. Repeat steps 2 and 3 for each node in the domain.

  4. Control root and local security on every node in the administrative domain. A user with superuser privileges on any machine in the domain can acquire those privileges on every machine in the domain.

  5. Maintain consistency of user name, uid, and gid among password files in the administrative domain.

  6. Maintain consistency among any group files on all nodes in the administrative domain. For example, to check consistency with the hq and mfg systems, if the root file system of the mfg system is remotely mounted to hq as /nfs/mfg/, enter the following diff command:

    $diff /etc/group /nfs/mfg/etc/group

    If any differences are displayed, the two /etc/group files are inconsistent and they should not be.

Verifying Permission Settings on Network Control Files

The network control files in the /etc directory are security targets because they provide access to the network itself. Network control files should never be writable by the public.

Set the modes, owners, and groups on all system files carefully. Check these files regularly for any changes and correct any changes.

The most commonly used network control files are as follows:

  • /etc/exports

    List of file directories that can be exported to NFS clients. For more information, see exports(4).

  • /etc/hosts

    List of network hosts and their IP addresses. For more information, see hosts(4).

  • /etc/hosts.equiv

    List of remote hosts that are allowed access and that are equivalent to the local host. For more information, see hosts.equiv(4).

  • /etc/inetd.conf

    Internet Services configuration file. For more information, seeinetd.conf(4).

  • /etc/netgroup

    List of networkwide groups. For more information, seenetgroup(4).

  • /etc/networks

    List of network names and their network numbers. For more information, see networks(4).

  • /etc/protocols

    List of protocol names and numbers. For more information, see protocols(4).

  • /etc/services

    List of official service names and aliases with the port number and protocol that the services use. For more information, see services(4).

Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2008 Hewlett-Packard Development Company, L.P.