HP-UX 11.xx Server Build Information

To see what's recently changed on this page - please look at the Changes page.

These (somewhat generic) instructions will help you build a fairly secure server. If you want to build a really secure server, please read Kevin Steves' "Building a Bastion Host Using HP-UX 11.00".

Disclaimer:
Use at your own risk. If you see any problems with this document, please send an email explaining what is wrong to: dburton3@tampabay.rr.com.


Bold text = Main Headings.

Computer text (in RED color) = User input of some kind (manually entered text, commands run at the command line or an item needing a mouse click).

Italic text = Notes, special interest items or prompts.


Hardware/Software Assumptions
Initial setup
Console setup
O/S Install
Post O/S Installation
Security
Mirror the ROOT disk
Make an "Ignite" tape of your new server
Install or configure additional software

Hardware/Software Assumptions


Initial setup


Console setup

The first thing needed is to connect a physical monitor (or a laptop running a terminal emulator) to your server's console port. You can then configure the GSP LAN, add GSP users, and make other changes to the GSP. Give the GSP LAN port an address on a dedicated management network rather than the production LAN, and replace the factory GSP accounts and passwords before you plug it in: whoever can reach the GSP can reset the box and get a console.

Also, please note:

  1. Older GSP prompts look like this: GSP>
  2. Newer models may look like this: [Console Name] MP>

I'll show both versions below. At this point you should be able to access the GSP from:

O/S Install

Quick note: I assume you are going to make kernel changes and install patches, and each of those requires a reboot. On every boot the server runs its hardware self-tests, which can take a long time before you get a login prompt. To skip the self-tests for the NEXT system boot ONLY, type setboot -T all=off. To change the boot-time hardware checking permanently, please see the man page for "setboot".

Post O/S Installation

Configure umask

Modify $HOME/.profile, $HOME/.kshrc and $HOME/.exrc files

Make root's home and tmp directories:
mkdir /root ; chmod 700 /root
mkdir /root/tmp

Don't forget to change root's $HOME in the /etc/passwd file. Then log off and back in just to make sure everything is set correctly. Remember that if you make root's home a mounted file system, you won't have easy access to it in single-user mode, so keep /root on the root file system. Also, copy or move the "dot" files (.profile, .kshrc, etc.) into root's new home.
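One way to script the steps above, as an added example that is not part of the original page: it creates and locks down the new home, copies the dot files across and rewrites the home field of the root entry in a passwd file. The function names (make_root_home, set_root_home, root_home) and the habit of editing a copy and sanity-checking it before installing it are my own; the script takes the passwd file and directories as arguments so you can rehearse it against a scratch copy before pointing it at /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the original page): relocate root's home to /root
# and update the passwd file. Assumed layout: root's group is "sys" and the
# dot files listed below are the ones worth carrying over.

# Create the new home ($1), lock it down, and copy root's dot files from
# the old home ($2). chown only runs when we really are root, so the
# function can be exercised as an ordinary user on a scratch directory.
make_root_home() {
    newhome=$1; oldhome=$2
    mkdir -p "$newhome/tmp"
    chmod 700 "$newhome" "$newhome/tmp"
    for f in .profile .kshrc .exrc .sh_history; do
        if [ -f "$oldhome/$f" ]; then
            cp -p "$oldhome/$f" "$newhome/"      # -p keeps mode and timestamps
        fi
    done
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:sys "$newhome"
    fi
}

# Rewrite the 6th (home) field of the "root" entry in the passwd file $1
# to the directory $2. The edit goes to a temp file first and is only
# copied over the original after a truncation check on the line count.
set_root_home() {
    pw=$1; newhome=$2
    tmp="${pw}.tmp.$$"
    awk -F: -v OFS=: -v home="$newhome" \
        '$1 == "root" { $6 = home } { print }' "$pw" > "$tmp" || return 1
    if [ "$(wc -l < "$pw")" -ne "$(wc -l < "$tmp")" ]; then
        rm -f "$tmp"
        return 1
    fi
    cp "$tmp" "$pw" && rm -f "$tmp"
}

# Print the home directory currently recorded for root in passwd file $1.
root_home() {
    awk -F: '$1 == "root" { print $6; exit }' "$1"
}
```

Run it as root in this order: make_root_home /root /, then set_root_home /etc/passwd /root, then log off and back in as the text says. set_root_home does not take the lock that vipw does, so don't run it while someone else has the passwd file open for editing.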

Add the /cdrom directory

   mkdir /cdrom

Make a link from /dev/dsk/cdrom to the real cdrom device

Modify the /etc/rc.config.d/clean_tmps file

Add drivers to kernel using SAM

Make kernel parameter changes using SAM

NOTE:
The old selections for DataBase server kernel changes are not
available in 11i. To have these again, download the following
files and place them in the /usr/sam/lib/kc/tuned directory.
Then start up SAM and select the one you need.

General OLTP/Database Client System:      oltp_cli.tun
General OLTP/Database Monolithic System:  oltp_sa.tun
General OLTP/Database Server System:      oltp_ser.tun

Something I've put together and liked to use: DataBaseServer.tun

Configure DNS Settings

The following assumes that you want to resolve names to IPs (and IPs to names) using DNS first, then NIS, then your /etc/hosts file. These sources are listed in order on the hosts: line of /etc/nsswitch.conf, so simply reorder or remove the entries as needed.
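The block below is an added example, not from the original page: it writes a nsswitch.conf with the order described above and includes a small check that reads the hosts: line back, which is worth doing after editing because a stray [NOTFOUND=return] changes the fallback behaviour silently. The function names are my own; the [NOTFOUND=return] semantics are those of nsswitch.conf(4) on HP-UX 11.x, and the file is written to whatever path you pass so it can be tried on a scratch copy first.

```shell
#!/bin/sh
# Added example (not from the original page): nsswitch.conf for
# "DNS, then NIS, then /etc/hosts", plus a reader for the hosts: line.

# Write the example configuration to the file named in $1. Sources are
# tried left to right. Without a [NOTFOUND=return] action, a name that DNS
# says does not exist is still looked up in NIS and then /etc/hosts; with
# "dns [NOTFOUND=return]" the search stops at a definite DNS "no such name"
# and only falls through when DNS itself is unavailable.
write_nsswitch_example() {
    cat > "$1" <<'EOF'
# hosts: DNS first, then NIS, then /etc/hosts (fall through on any miss)
hosts:      dns nis files
ipnodes:    dns nis files
# Accounts stay local first, then NIS
passwd:     files nis
group:      files nis
services:   files nis
EOF
}

# Print the source order of the hosts: line in file $1 with any
# [STATUS=action] words stripped, e.g. "dns nis files".
nsswitch_hosts_order() {
    awk '$1 == "hosts:" {
            out = ""
            for (i = 2; i <= NF; i++)
                if ($i !~ /^\[/) out = out (out == "" ? "" : " ") $i
            print out; exit
         }' "$1"
}

# Exit 0 if the hosts: line in file $1 stops at DNS on a definite
# "no such name" (the "dns [NOTFOUND=return]" form), 1 otherwise.
nsswitch_dns_stops_on_notfound() {
    awk '$1 == "hosts:" {
            for (i = 2; i < NF; i++)
                if ($i == "dns" && tolower($(i+1)) == "[notfound=return]") found = 1
            exit
         }
         END { exit found ? 0 : 1 }' "$1"
}
```

Run nsswitch_hosts_order /etc/nsswitch.conf after editing. If you started from HP's /etc/nsswitch.dns template you will have dns [NOTFOUND=return] files, which consults /etc/hosts only when no DNS server answers, not when DNS says the name does not exist; pick the form that matches what you actually want.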

Install HP applications, diagnostics and patches

Add Cron entries and associated files

###################################################################################
## Cron entries follow these rules:                                              ##
##                                                                               ##
## Min(0-59)  Hr(0-23)  MonthDay(1-31)  Month(1-12)  Weekday(0-6 0=Sun)  Command ##
##                                                                               ##
############### This example will run at 6:10am every Sunday. #####################
##                                                                               ##
## 10  6  *  *  0  Command-to-run                                                ##
###################################################################################

# Find core files and remove them. This deletes every regular file named
# "core" on every mounted file system; add -xdev to keep it on local disks.
0 0 * * * find / -type f -name core -exec rm {} \;

# Check disk space every 15 min.
0,15,30,45 * * * * /usr/local/bin/chk_dsk_space  > /dev/null 2>&1

# Check system procs every 15 min.
0,15,30,45 * * * * /usr/local/bin/chk_procs > /dev/null 2>&1

# Lets clean up some stuff older than 14 days shall we?
0  0 * * * /usr/local/bin/cleanup

# Check system load average every 15 min.
0,15,30,45 * * * * /usr/local/bin/load_average  > /dev/null 2>&1

# Collect SAR data every 5 minutes 24x7.
0  0  *  *  *  /usr/local/bin/sar_collect  300 288 &

# Check bad su attempts every hour.
59 0-23 * * * /usr/local/bin/chk_su > /dev/null 2>&1

# Check logins every night at 11:50pm.
50 23 * * * /usr/local/bin/chk_logins

# Run Security Patch Check and email the goodies to root.
0 1 * * 1 /usr/local/bin/security_patch_chk > /dev/null 2>&1

# Stick the current date into root's .sh_history file (/root/.sh_history
# once root's home has been moved as described above). If we look at the
# .sh_history file we then have an idea of when a command was run
# (assuming you have "history" set up).
0  0  *  *  *  /usr/local/bin/add_date.sh

# Make an Ignite tape every Friday morning at 6am.
0  6  *  *  5  /usr/local/bin/make_ignite_tape > /dev/null 2>&1

# Gather system data once a week (on Monday @ 12:00am).
0  0  *  *  1  /opt/cfg2html/cfg2html_hpux.sh &

NOTE:
You will need the "cfg2html" program to run the cron job above.
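The chk_su script that the hourly cron entry above calls is not shown on this page. The following is an added example (mine, not the page's) of what it can do: parse the su log and flag user pairs with repeated failed su attempts. It assumes the SVR4 sulog format HP-UX writes to /var/adm/sulog, one line per attempt of the form SU mm/dd hh:mm +|- tty fromuser-touser, where + is success and - is failure; the function names and the default threshold of 3 are my choices.

```shell
#!/bin/sh
# Added example (not the page's own chk_su): summarise failed su attempts
# from an SVR4-style sulog. Assumed line format (HP-UX /var/adm/sulog):
#   SU 01/15 10:22 - pts/1 joe-root
# "+" = successful su, "-" = failed su, last field = "fromuser-touser".

# Print "count from to" for every (from,to) pair with failed attempts in
# file $1 (default /var/adm/sulog), most frequent pair first. The pair is
# split on "-", taking the first and last pieces, so a login name that
# itself contains "-" would be mis-split.
failed_su_summary() {
    awk '$1 == "SU" && $4 == "-" {
            n = split($6, p, "-")
            if (n >= 2) fail[p[1] " " p[n]]++
         }
         END { for (k in fail) print fail[k], k }' "${1:-/var/adm/sulog}" |
    sort -rn
}

# Exit 0 when no pair exceeds the threshold ($2, default 3), 1 otherwise.
# Offending pairs are printed one per line so cron can mail them to root.
check_su_threshold() {
    failed_su_summary "$1" | awk -v max="${2:-3}" '
        $1 > max { print "ALERT: " $1 " failed su " $2 " -> " $3; bad = 1 }
        END { exit bad ? 1 : 0 }'
}
```

Two caveats for the cron entry as written: it redirects stdout and stderr to /dev/null, so the ALERT lines never reach root's mail unless you drop the redirect or pipe the output to mailx yourself; and sulog is appended to forever, so either rotate it or the counts accumulate across days rather than per hour.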

Disable X client (Xterminals, Exceed, Reflections X) access

Configure Crash

If the system crashes you may want to have the data dumped somewhere. How about the /var/adm/crash directory you configured when the system was built?

Configure Sendmail

Configure Syslog and Syslog logging to another server

Configure Sar Reporting

Configure Perl

Configure NTP (Time)

Add Data Protector or other Backup Software

Add Cfg2html


Security

Fix the copyright file

Configure SSH

Remove unused software

Restrict root login

Add the - APPROVED by corporate attorneys or upper management - /etc/issue disclaimer

Configure CDE to use the /etc/issue file

Configure FTP

Modify the /etc/inetd.conf file

Change "registrar" logging

Configure additional inetd logging

Add "nosuid" info in /etc/fstab lines

Make this a "trusted" (C2 compliant) server or use the /etc/shadow file

Install IDS9000

Install TCPwrappers

Make NDD changes

Configure HP-UX Software Assistant (SWA)

Change the snmp.conf file

Tighten up file permissions and ownership


Mirror the ROOT disk

Reference HP Doc ID: LVMKBRC00005103


Make an "Ignite" tape of your new server


Install or configure additional software

The following is a list of some (all?) of the software you will need to install or configure on your new server. You can get it from your Application CD/DVDs or from the HP Software site.

What you actually need depends on the version of the O/S you're installing and, obviously, on what you want to run on the new server:

Apache-based Web Server
 - Apache
 - Tomcat
 - Webem
Bastille
Bind
cfg2html
Data Protector (or some other backup software)
Disks and File Systems
Distributed Systems Administration Utilities (DSAU)
Dynamic Root Disk
Encrypted Volume and File System (EVFS)
Event Monitoring Service (EMS) - May or may not be on your install CD/DVD
Glance
HA Monitors
Host Intrusion Detection System (HIDS)
Ignite
Internet Express
 - SUDO
 - Net-SNMP
 - TCPdump
IPFilter ----------------- REBOOT after install
IPSec -------------------- REBOOT after install
iSCSI Software Initiator - REBOOT after install
JDK
JRE
Kerberos
Kernel Configuration
Kernel Providers
LDAP
MD5 Secure Checksum
MeasureWare
Memory File System ----------- REBOOT after install
Node and Host Name Expansion - REBOOT after install
OnlineDiag
OpenSSL
Parallel Umounts
Perl
Process Resource Manager
Restricted Movement of Home Directories
Samba/CIFS
Software Assistant (SWA)
SSH
Standard Mode Security Extensions
Strong Random Number Generator
System Fault Management
SysMgmtBase
Trusted Computing Services

I developed this site so please send comments to dburton3@tampabay.rr.com. Thanks!
