EXECUTIVE SUMMARY

This white paper provides an overview of the security aspects in HP SMH, which is

the single system management solution introduced to manage an HP-UX system. The

white paper describes the various security features that the application provides, and

includes security related tips for system administrators.

The intended audience for this document includes HP customers currently using or

planning to use the HP System Management Homepage application, system

administrators, response center engineers and HP field and consulting personnel who

advise customers on solutions for their environments. It is assumed that the reader has

functional knowledge of HP-UX system administration.

Safe and Powerful: Security in HP-UX System

Management Homepage (SMH)

A white paper on the security related features in the web-based SMH Revision 1.0

Table of Contents

Introduction

SMH key benefits

SMH – creating a secure product

SMH security features

Managing SMH security
    The Security menu
    Kerberos authentication
    Timeout Values
    Startup Modes
    Key and certificate information
    Secure custom menus
    Logging
    Bastille (IPFilter) and its effect on SMH Partition Manager

Securely maintaining SMH – Tips

SMH documentation

For more information
    HP SIM Security Resources
    Apache Security Resources

Call to action

Introduction

HP System Management Homepage (SMH) is the single system management solution for

managing HP-UX 11i. It is a web-based tool and uses the Apache web server. SMH is also

available for Linux and Microsoft® Windows® systems.

The key features of SMH are its system administration capabilities and its ability to display

details of hardware attributes. The SMH solution provides an easy-to-use interface for

displaying hardware fault and status monitoring, system thresholds, diagnostics, and software

version control for an individual server by aggregating the data from HP web-based agents

and management utilities.

SMH integrates with HP Systems Insight Manager (HP SIM), the strategic platform for

multisystem management from HP. HP SIM provides multisystem management capability by

providing administrators single sign-on (SSO) access to SMH on managed servers (stand-

alone or partitioned) from a central console.

Security is a prime goal in the development of SMH. A number of security features are built

into SMH, and system administrators can also take steps to ensure that security is

maintained during the implementation, usage, and maintenance of SMH. This paper

describes the SMH security features and contains information and references related to the

security of SMH.

SMH key benefits

SMH offers the following benefits:

SMH provides a common cross-platform single-system management solution for HP-UX

11i, Windows, and Linux.

SMH is bundled with HP-UX 11i v3 Base Operating Environment, as well as the

Foundation Operating Environment on HP-UX 11i v1, v2, and earlier versions of v3. The

user does not need to make any configuration changes to start using the application.

SMH uses operating system-based Secure Sockets Layer (SSL) and host-based

authentication to protect web-based system management tools. The tool provides a

secure, encrypted connection between the web browser and the host system.

SMH uses open standards such as WBEM-based property pages for operating system,

software, and hardware information.

SMH is tightly integrated with HP SIM. This offers several advantages:

• Gives users the ability to manage multiple systems from a single console, HP

SIM.

• Enables users to determine which aspects of their HP-UX system and software

might require corrective action.

• Enables users to view entities requiring attention, and drill down to subsequent

levels of detail until the precise situation and corrective action is determined.

• Eliminates ‘tool roulette’ by providing a guided path to the tool from which

appropriate action can be taken.

SMH provides system management capabilities through plug-in applications. The user

can add custom system management applications into SMH.

SMH offers auto-start and time-out features that the user can configure by using the

hpsmh(1M) and smhstartconfig(1M) commands.

SMH supports the Mozilla, Firefox, and Internet Explorer web browsers.

SMH provides the command preview feature that enables the user to view the commands

that will be run for a task before executing that task. This feature facilitates training and

usage in scripts.

A majority of the SMH applications are localized. Online help for some of the

applications is available in nine languages: English, French, German, Italian,

Japanese, Korean, Simplified Chinese, Spanish, and Traditional Chinese.

All the key administrative actions are recorded in samlog, which can be viewed through

the Samlog Viewer in SMH.

SMH – creating a secure product

HP takes the security of its products very seriously and wants to protect customers against

vulnerabilities. The following security related items have been included in the development of

SMH to ensure security:

SMH undergoes a periodic security analysis known as CATA (Commercial Application

Threat Analysis). The various management utilities that plug in to SMH also undergo this

analysis. Anything found during this analysis that is of concern is added back into the

next development/release cycle of the product. If it is an urgent item, a patch is

developed and released.

SMH uses the secure http protocol (https).

SMH validates user inputs. SMH has a limited number of user input fields and the fields

that are available are validated. This reduces the chances of SQL Injection, or other

scripting techniques being used against the SMH product.

SMH takes care of cross-site scripting vulnerabilities.

The Apache instance for SMH runs as a non-privileged user (hpsmh). In addition, SMH

runs its own Apache instance, with its own built-in security controls, separate from any

other Apache instance that may be running on a system.

The SMH development team follows industry standard Apache security best practices as

part of the SMH configuration (see the ‘For more information’ section at the end of this

paper for links to Apache Security resources).

The SMH team works closely with the HP team that builds and supports Apache for

HP-UX. Any vulnerability that is announced in Apache in the industry is mitigated in the

HP-UX version of Apache.

A team within HP, known as the Software Security Response Team (SSRT), is dedicated to

addressing any and all potential security vulnerabilities with software and firmware

products sold and supported by the Hewlett-Packard Company. The SMH team works closely

with the SSRT team to fix any reported vulnerabilities.

SMH security features

SMH provides the following enhanced security and streamlined operations:

Browser access using operating system-based SSL-secure authentication.

Common HTTP and HTTPS service for HP Insight Management Agents and utilities, for

reduced complexity and system resource requirements.

Certificate-based authentication, which is considered to be a very safe and secure mode

of authentication. Certificates signed by CAs such as VeriSign can be used for this.

Simplified architecture for implementing HTTP security and HP management updates.

Greater access control through NIC binding and advanced configuration features for

individual and groups of users.

Broader operating system and browser support.

Facility to launch X application and Run a command. It is available in SMH -> Tasks ->

Launch X Application -> Launch X Application as Root -> Run Command -> Run

Command as Root.

Managing SMH security

The Security menu

The Security link in SMH provides options for you to manage the security of SMH itself. For

more information about configuring all of these powerful security settings, refer to the System

Management Homepage User Guide. The security options in SMH are as follows:

IP Binding

Settings → System Management Homepage → Security → IP Binding

IP Binding specifies the IP addresses that SMH accepts requests from and controls the nets

and subnets from which requests are processed.

Administrators can configure SMH to bind only to addresses specified in the IP Binding

window. You can define up to five subnet IP addresses and netmasks.

An IP address on the server is bound if it matches one of the entered IP Binding addresses

after the mask is applied.
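
The mask-matching rule above, worked through as an added example (this is not HP's code). The function names and the space-separated "address/netmask" entry format are assumptions made for this sketch; the addresses are constructed sample values.

```shell
#!/bin/sh
# Added example: models the IP Binding rule "an address is bound if it matches
# one of the entered addresses after the mask is applied". Names and the
# "address/netmask" entry format are assumptions, not SMH's own interface.

# ip_to_int A.B.C.D -> prints the address as an unsigned 32-bit integer.
# Fails (status 1) on anything that is not a well-formed dotted quad.
ip_to_int() (
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
  esac
  IFS=.
  set -- $1
  [ $# -eq 4 ] || exit 1
  for octet in "$@"; do
    case $octet in 0?*|????*) exit 1 ;; esac   # no leading zeros, max 3 digits
    [ "$octet" -le 255 ] || exit 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# ip_matches ADDR BIND_ADDR NETMASK
# Status 0: ADDR and BIND_ADDR are equal after the mask is applied.
# Status 1: they differ. Status 2: one of the arguments is malformed.
ip_matches() (
  a=$(ip_to_int "$1") && b=$(ip_to_int "$2") && m=$(ip_to_int "$3") || exit 2
  [ $(( $a & $m )) -eq $(( $b & $m )) ]
)

# bound_addresses "ENTRY ENTRY ..." ADDR...
# Prints each server address that matches at least one binding entry.
# Rejects more than five entries, the limit stated for the IP Binding window.
bound_addresses() (
  set -f                       # entries are data, never glob patterns
  bindings=$1
  shift
  count=0
  for entry in $bindings; do
    case $entry in
      */*) ;;
      *) echo "entry without netmask: $entry" >&2; exit 2 ;;
    esac
    count=$((count + 1))
  done
  if [ "$count" -gt 5 ]; then
    echo "IP Binding accepts at most five address/netmask pairs" >&2
    exit 2
  fi
  for addr in "$@"; do
    for entry in $bindings; do
      if ip_matches "$addr" "${entry%/*}" "${entry#*/}"; then
        echo "$addr"
        break
      elif [ $? -eq 2 ]; then
        echo "malformed address or netmask: $addr vs $entry" >&2
        exit 2
      fi
    done
  done
)

# Constructed sample: two binding entries checked against four addresses
# configured on a server. Only the first two addresses are printed.
bound_addresses "10.16.165.0/255.255.255.0 192.168.1.189/255.255.255.255" \
  10.16.165.1 192.168.1.189 192.168.1.190 172.16.0.5
```

A /32 netmask (255.255.255.255) binds exactly one address, which is the tightest setting for a dedicated management interface.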

IP Restricted Login

Settings → System Management Homepage → Security → IP Restricted Login

IP Restricted login enables SMH to restrict login access based on the IP address of a system

from which the sign-in is attempted.

Local Server Certificate

Settings → System Management Homepage → Security → Local Server Certificate

The Local Server Certificate link enables you to use certificates that are not generated by HP.

Multihomed Certificate

Settings → System Management Homepage → Security → Local Server Certificate

SMH allows the setting of multihomed or multiple names to certificates that are not generated

by HP. Through this functionality, the certificate for SMH can contain additional information

for the machine, such as other names in the network and IPs that are available. In the same

way, it is possible to create a certificate request to be signed by a Certificate Authority (CA).

Two kinds of values are acceptable as alternative names:

• DNS name (for example, Linux;Linux.localdomain)

• IP Address (for example, 10.16.165.1;192.168.1.189)

Anonymous/Local Access

Settings → System Management Homepage → Security → Local/Anonymous Access

Anonymous/Local access enables you to select the following settings to include:

• Anonymous Access (Disabled by default). Enabling Anonymous Access enables a user to

access the SMH without logging in. If Anonymous is selected, any user, local or remote,

has access to unsecured pages without being challenged for a username and password.

Caution: HP does not recommend the use of anonymous access.

• Local Access (Disabled by default). Enabling Local Access means you can gain local

access to SMH without being challenged for authentication. This means that any user with

access to the local console is granted full access if Administrator is selected.

Caution: HP does not recommend the use of local access unless your management server

software enables it.

Trust Mode

Settings → System Management Homepage → Security → Trust Mode

The Trust Mode link provides options that enable you to select the security required by your

system. Some situations require a higher level of security than others. Therefore, you have the

following security options:

• Trust by certificate

• Trust by name

• Trust all

Trusted Management Servers

Settings → System Management Homepage → Security → Trusted Management Servers

Certificates establish the trust relationship between HP SIM or Insight Manager 7 and SMH.

The Trusted Management Servers link enables you to manage your certificates in the Trusted

Certificates List. Note the following:

• Trust by certificate

• Trust by name

• Trust all

User Groups

SMH uses operating system accounts for authentication and enables you to manage the level

of access of operating system accounts at an operating system account group level.

The users in the operating system group Administrators for Windows or the operating system

group root (which in turn contains the user root by default) for HP-UX and Linux, can define

operating system groups that correspond to SMH access levels of Administrator, Operator, or

User. After operating system groups are added, the operating system administrator can add

operating system users into these operating system groups.

Each SMH access level can be assigned up to five operating system groups. The SMH

installation enables you to assign the operating system groups to SMH. SMH will not allow

adding an operating system group if the specified operating system group is not defined in

the operating system.

The accounts used for SMH need not have elevated access on the host operating system. Any

SMH user with administrative privilege can specify operating system user groups to each

access level of SMH. As a result, all accounts in each operating system user group have

access to SMH specified in the User Groups window.

Kerberos authentication

Administrative access to SMH can be controlled by setting up an SMH User Group, which in

turn maps to a UNIX Group. The UNIX Group can be a group local to the HP-UX system or

can be a group that is maintained in a Directory Service such as Active Directory (as long as

Kerberos and LDAP-UX are installed and configured on the HP-UX system).

Once Kerberos authentication is configured, along with the SMH User Group, users can

log in to SMH as themselves and will have Administrative authority. There would be no reason

to log in to SMH directly as root.

SMH uses the ‘sysmgthp’ service. Since this service is not configured in pam.conf by default,

the PAM engine will use the OTHER service, which does not have pam_krb5 configured. By

adding the following to pam.conf, you can log in to SMH as a user defined in Active

Directory, after configuring the user's group in Settings -> System Management Homepage ->

Security -> User Groups.

sysmgthp auth required libpam_hpsec.so.1

sysmgthp auth sufficient libpam_krb5.so.1

sysmgthp auth required libpam_unix.so.1 try_first_pass

sysmgthp account required libpam_hpsec.so.1

sysmgthp account sufficient libpam_krb5.so.1

sysmgthp account required libpam_unix.so.1
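
A check for the fallback described above, as an added example that is not part of the original white paper: it reports whether SMH logins are served by a dedicated sysmgthp stack or fall through to OTHER, and whether that stack includes pam_krb5. The function names are hypothetical, the OTHER lines in the sample are constructed, and the per-module-type fallback and case-insensitive service match are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audits a pam.conf for the SMH Kerberos setup described above.
# Function names are hypothetical; this is not an HP-supplied tool.

# Constructed sample: the sysmgthp lines are the ones given in the text,
# the OTHER lines are a made-up stand-in for a default stack.
sample_pam_conf() {
  cat <<'EOF'
# constructed pam.conf excerpt
sysmgthp auth    required   libpam_hpsec.so.1
sysmgthp auth    sufficient libpam_krb5.so.1
sysmgthp auth    required   libpam_unix.so.1 try_first_pass
sysmgthp account required   libpam_hpsec.so.1
sysmgthp account sufficient libpam_krb5.so.1
sysmgthp account required   libpam_unix.so.1
OTHER    auth    required   libpam_unix.so.1
OTHER    account required   libpam_unix.so.1
EOF
}

# smh_pam_effective TYPE   (pam.conf on stdin; TYPE is auth or account)
# Prints "<service> <krb5|no-krb5>": which service stack answers for SMH and
# whether libpam_krb5 is part of it.
# Assumptions: fallback to OTHER is decided per module type, and the service
# name is compared case-insensitively.
smh_pam_effective() (
  awk -v mtype="$1" '
    /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
    { svc = tolower($1) }
    svc == "sysmgthp" && $2 == mtype { own++;   if ($4 ~ /libpam_krb5/) own_krb++ }
    svc == "other"    && $2 == mtype { other++; if ($4 ~ /libpam_krb5/) other_krb++ }
    END {
      if (own)        print "sysmgthp", (own_krb   ? "krb5" : "no-krb5")
      else if (other) print "OTHER",    (other_krb ? "krb5" : "no-krb5")
      else            print "none", "no-krb5"
    }'
)

# smh_pam_audit   (pam.conf on stdin)
# Prints one finding per module type; status 0 only when both auth and
# account use a dedicated sysmgthp stack that includes libpam_krb5.
smh_pam_audit() (
  conf=$(cat)
  status=0
  for mtype in auth account; do
    result=$(printf '%s\n' "$conf" | smh_pam_effective "$mtype")
    echo "$mtype: $result"
    case $result in
      "sysmgthp krb5") ;;
      *) status=1 ;;
    esac
  done
  exit "$status"
)

# With the entries in place: both module types report "sysmgthp krb5".
sample_pam_conf | smh_pam_audit

# Default state (no sysmgthp entries): both fall back to OTHER without krb5,
# so a directory user cannot authenticate to SMH through Kerberos.
sample_pam_conf | grep -v '^sysmgthp' | smh_pam_audit || true
```

On a managed host the same audit would be run as `smh_pam_audit < /etc/pam.conf`, assuming that is where the system keeps its PAM configuration.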

Timeout variables

The SMH configuration is based on environment variables and tags that are set by the

/opt/hpsmh/lbin/envvars, /opt/hpsmh/conf.common/smhpd.xml and

/opt/hpsmh/conf/timeout.conf files. To change the default configuration, you can

modify the files to properly set the value of the variables and tag. Table 1: SMH

Configuration – Timeout Variables describes the variables. These variables can also be set

through the GUI interface in SMH version A.3.0.0 and later.

Table 1: SMH Configuration – Timeout Variables

Variable: JAVA_HOME
Script: /opt/hpsmh/lbin/envvars
Description: This variable points to the directory where JDK is installed.

Variable: <session-timeout>15</session-timeout>
Script: /opt/hpsmh/conf.common/smhpd.xml
Description: The <session-timeout> tag defines the HP SMH session timeout in minutes. If it is defined, then the HP SMH session stops after the time period has elapsed without any user activity. If it is not defined, then the default for the HP SMH session timeout is 15 minutes. You can define the <session-timeout> tag using any value between 6 and 120 minutes.

Variable: TIMEOUT_SMH
Script: /opt/hpsmh/conf/timeout.conf
Description: The TIMEOUT_SMH environment variable defines the HP SMH server timeout in minutes. If it is defined and lower than the HP SMH session timeout, the HP SMH server stops 3 minutes after the HP SMH session timeout. If it is defined and greater than the HP SMH session timeout, then the HP SMH server stops after the time period has elapsed without any user activity. If it is not defined or equal to zero, then HP SMH starts without timeout. When the ‘automatic startup on boot’ startup mode is in use, the timeout mechanism does not start.

Variable: TIMEOUT_TOMCAT
Script: /opt/hpsmh/conf/timeout.conf
Description: This variable defines the Tomcat timeout in minutes in the /opt/hpsmh/conf/timeout.conf file. If it is defined, Tomcat stops after this time period has elapsed without any request to a Java web application. By default, the timeout for the HP-UX Tomcat-based Servlet Engine is 20 minutes and the timeout for the HP-UX Apache-based Web Server is 30 minutes. If it is not defined or equal to zero, then Tomcat starts without timeout. In this case, Tomcat stops only when HP SMH is stopped.

Startup modes

SMH supports three startup modes. You can set the startup mode according to your security

policies and requirements.

Autostart URL

This mode is the default setting for startup. You can start SMH by using a web browser and

navigating to http://hostname:2301/. If autostart is configured as the default, there is a

daemon listening only on http://hostname:2301. There is no daemon listening on port 2381

and hence a direct connection to this port will fail. When a request reaches port 2301 (http), then the HP-UX

Apache-based Web Server is started on port 2381 (https) and the page is automatically

redirected.

Automatic startup on boot

This mode starts SMH automatically during system initialization. If the automatic startup on

boot mode is enabled and the system was rebooted using this configuration, you can access

SMH by using a web browser and navigating to https://hostname:2381/. The SMH Apache

server is listening on both http://hostname:2301/ and https://hostname:2381/. If you use

port 2301 (http), then it automatically gets redirected to port 2381 (https).

NOTE: For autostart URL and automatic startup on boot, you can use http://hostname:2301,

as it works in both cases. This is possible on an HP-UX system only.

Manual startup

You can start SMH from the HP-UX command line as long as you have an X-Windows

interface running (for example, if the DISPLAY variable is properly set). You can start SMH

using the smh command.

Use the /opt/hpsmh/bin/smhstartconfig script to configure the startup mode of the

SMH server and the Tomcat instance that SMH uses.

Key and certificate information

In HP-UX, both public and private keys for SMH are stored in the

/var/opt/hpsmh/sslshare directory. The files are called file.pem (private key) and

cert.pem (server certificate).

For detailed instructions on how to establish trust relationships using certificates, see the

System Management Homepage User Guide.

Secure custom menus

Only SMH users with Administrator authorization can create menus, and execute those menus

as the user ‘root’. For SMH users with Operator or User authorization, the custom menus that

they are allowed to access will be executed as the user who has logged in to SMH.

These custom menus are stored and managed in the

/opt/hpsmh/data/htdocs/xlaunch/custom_menus.js file which can be manually

copied from one system to other systems.

Logging

The System Management Homepage Log contains HP System Management Homepage

(SMH) level configuration changes as well as successful and failed login attempts. It is helpful

when troubleshooting login or access issues when logging in directly to SMH, or from the HP

Systems Insight Manager (HP SIM).

NOTE: You must have administrative access to SMH to access the System Management

Homepage Log. To access the System Management Homepage Log, select Logs → System

Management Homepage → System Management Homepage Log

The error log and access_log files are stored on the system at /opt/hpsmh/logs. The

System Management Homepage Error Log contains error information generated by SMH

modules and CGI execution errors (httpd). It is the first place to look when a problem occurs

with starting the server or with server operation because the log often contains details of

what went wrong and how to fix the problem. The access_log records all requests processed

by the server. So all the URLs accessed will be logged in the access_log, which might be

helpful during auditing. Log records related to Tomcat are stored in a file catalina.out in

the directory /opt/hpsmh/tomcat/logs.

Bastille (IPFilter) and its effect on SMH Partition Manager

Bastille is a system hardening program that enhances the security of an HP-UX host. It

configures daemons, system settings, and firewalls to be more secure. It can shut off services

and tools that are not required such as rcp(1) and rlogin(1), and can help to limit the

vulnerability of common internet services such as Web servers and DNS.

One of the facilities that Bastille uses to lock down a system is IP filtering. For information

about the requirements when using IP filtering with Partition Manager, see the Partition

Manager online help. If Bastille's interactive user interface is used, be aware of these issues

when answering the questions asked by Bastille.

Bastille also has three install-time security options that are represented by the following files in

/etc/opt/sec_mgmt/bastille:

HOST.config

This is a host-based lockdown, without IPFilter configuration. There is no impact on Partition

Manager when this configuration is used.

MANDMZ.config

This is a fairly tight lockdown, but allows select network ports that are used by common

management protocols and tools. For example, WBEM continues to function when this

configuration is used.

To open Partition Manager under this configuration, SSH must be used or changes must be

made to enable ports 2301 and 2381 (both ports are also required for SMH). You can

ensure that Partition Manager can be opened on a system where ports 2301 and 2381 have

been disabled. To do this, prior to running Bastille adjust the IP filtering by adding the

following entries to the /etc/opt/sec_mgmt/bastille/ipf.customrules file:

pass in quick proto tcp from any to any port = 2301 flags S/0xff keep state keep frags

pass in quick proto tcp from any to any port = 2381 flags S/0xff keep state keep frags

For more information, see the ipf(5) manpage.

DMZ.config

This is a tight lockdown. To open Partition Manager under this configuration SSH must be

used. Bastille also impacts using Partition Manager to remotely manage a system where

Bastille is enabled. After the normal transfer of certificates, Partition Manager will work as

described above if the HOST.config or MANDMZ.config configurations are used. However,

the DMZ.config configuration blocks WBEM traffic and thus prevents the usage of Partition

Manager for remotely managing the system.

For more information about Bastille, see the bastille(1M) manpage, and the Bastille User

Guide available at /opt/sec_mgmt_bastille/docs/user_guide.txt.

Securely maintaining SMH – Tips

Here are some tips for maintaining a secure SMH environment:

• Limit the number of root users.

• Regularly review system and SMH logs.

• Always ‘logout’ of an SMH session. SMH automatically logs out the user if there is no

activity for the ‘session timeout’ period, 15 minutes being the default period. It can be

changed to a value suitable for your security policy.

• Closely monitor changes in critical SMH files (via HIDS or Tripwire).

• Follow a good patch strategy. You can do the following:

• Run SWA regularly or use your HP RSAA to provide patch analyses.

• Perform reactive patching – critical security issues.

• Perform proactive patching – every six months.

• SMH (HP-UX) depends on system installed Apache, Tomcat, PHP and OpenSSL. If

there is any vulnerability reported for these products then you must upgrade the

Apache suite (hpuxwsAPACHE) installation.

• Conduct periodic security audits.

• Bastille Drift reports.

• Nessus and/or nmap scans.

• HP WebInspect scans.

• Report any vulnerabilities found back to HP.

• Use the native web browser on a local system to invoke SMH (SSL will be used). Do not

set the X-Windows DISPLAY variable on the HP-UX system to create the display on your

local desktop – the information, including password information will cross the network in

the clear. You must use the -F option to open the tools in an unsecure manner.

SMH documentation

For more information about SMH, see the following sources:

HP System Management Homepage Release Notes: The release notes provide

documentation for what's new with the release, features and change notifications, system

requirements, and known issues. The release notes are available on the HP Technical

Documentation website at http://docs.hp.com.

HP System Management Homepage Help System: The help system provides a set of

documentation for using, maintaining, and troubleshooting SMH. In SMH, go to the Help

menu.

HP System Management Homepage Installation Guide: The installation guide

provides information about installing and getting started using SMH. It includes an

introduction to basic concepts, definitions, and functionality associated with SMH. The

installation guide is available on the HP Technical Documentation website at

http://docs.hp.com. Also, for Linux and Windows operating system releases, the installation

guide is available on the Management CD and at the SMH web page at

http://h18013.www1.hp.com/products/servers/management/agents/documentation.html

HP System Management Homepage User Guide: The user guide provides a set of

documentation for using, maintaining, and troubleshooting SMH. For Linux and Windows

operating systems, this user guide is available under the SMH Help menu, and on the HP

Technical Documentation website at http://docs.hp.com. For HP-UX, HP no longer provides a

printed user guide. On HP-UX, see the SMH online help content for information on how to

use, maintain, and troubleshoot SMH.

Simplifying single-system management on HP-UX 11i – HP System

Management Homepage (HP SMH): This white paper introduces SMH and the various

management plug-in applications that form part of SMH. The paper highlights the various

capabilities of SMH. The white paper is available on the HP Technical Documentation

website at http://www.docs.hp.com.

hpsmh (1m) manpage: For HP-UX releases, the manpage is available from the command

line using the man hpsmh command. This information is not available for Linux and Windows

operating systems.

smhstartconfig (1M) manpage: For HP-UX operating system releases, the manpage is

available from the CLI using the man smhstartconfig command. This information is not

available for Linux and Windows operating systems.

sam(1M) manpage: For HP-UX operating system releases, the manpage is available from

the CLI using the man sam command. This information is not available for Linux and

Windows operating systems.

NOTE: The HP-UX System Administration Manager (SAM) is deprecated in HP-UX 11i v3.

The HP System Management Homepage Installation Guide documents the functionality

changes in SAM. The guide is available on the HP Technical Documentation website at

http://docs.hp.com

smh (1m) manpage: This command is available in HP-UX 11i v3 (B.11.31) only. This is an

enhanced version of the sam(1m) command. For HP-UX operating system releases, the

manpage is available from the CLI using the man smh command. This information is not

available for Linux and Windows operating systems.

smhassist (1m) manpage: You can use the smhassist command to verify the

configurations of SMH and see if there are any dependent software, patches or configuration

errors. For HP-UX 11i v3 (B.11.31) and HP-UX 11i v2 (B.11.23) operating system releases,

the manpage is available from the CLI using the man smhassist command. This

information is not available for HP-UX 11i v1 (B.11.11), Linux, and Windows operating

systems.

HP System Management Homepage website: The website provides SMH information

and product links. Go to the HP website at http://www.hp.com or to the Software Depot

home at http://www.hp.com/go/softwaredepot and search for System Management

Homepage.

HP Insight Essentials software page: This web page is at

http://www.hp.com/servers/manage

For more information

HP SIM security resources

Understanding SIM security http://h10018.www1.hp.com/wwsolutions/misc/hpsim-helpfiles/hpsim_5_Security.pdf

Managing HP Servers through firewalls with SIM http://h10018.www1.hp.com/wwsolutions/misc/hpsim-helpfiles/ManagingHPServers-withHPSIM.pdf

SIM Secure Data Transmission http://docs.hp.com/en/5991-4498/ch01s08.html

Secure Shell in SIM 5.3 http://h10018.www1.hp.com/wwsolutions/misc/hpsim-helpfiles/hpsim_53_ssh.pdf

Apache security resources

Securing Apache Version 2.0 http://www.securityfocus.com/infocus/1786

20 Ways to Secure Your Apache Configuration:

http://www.petefreitag.com/item/505.cfm

Apache Security O’Reilly Book http://www.apachesecurity.net/

10 Tips to Secure Apache: http://techrepublic.com.com/2415-7343_11-159903.html

Call to action

HP-UX 11i v3 for HP Integrity and HP 9000 servers www.hp.com/go/hpux11iv3

© Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Linux is a U.S. registered trademark of Linus Torvalds. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. UNIX is a registered trademark of The Open Group.

592202-001, September 2009