UNIX and Linux Security Checklist v3.0 Notes - HP-UX

Date: 13 February 2007

OS Specific Footnotes - HP-UX
B. Install

In HP-UX 11i v2 and later, "Install-Time Security" lets the installer choose a security level during installation; the chosen level is applied by running the Bastille hardening scripts (see E below) at install time.

C. Patch and Update

HP's "Security Patch Check" Perl script reports which security patches a system is missing. It is available at http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

D. Minimize

Some specific advice on minimising HP-UX is provided in the following GSEC paper by Larry Harker: Securing HP-UX 11

D.1.2 Minimise inetd/xinetd

If inetd is used on HP-UX, do not rely on /var/adm/inetd.sec to control access to inetd services; use TCP Wrappers for this instead (see F.2 below).

E. Secure Base OS

The Bastille hardening scripts support HP-UX: http://www.bastille-linux.org/

E.1 Physical, console and boot security

Configure the parameters BOOT_AUTH and BOOT_USERS in /etc/default/security to require authentication before booting into single-user mode (BOOT_AUTH=1 enables the check; BOOT_USERS lists the accounts permitted to boot to single-user mode). See the security(4) man page for details.

Note that if the system has already been converted to C2 "trusted system" mode, BOOT_USERS is ignored. Configure the requirement with sam instead, under "General User Account Policies".

E.2.5 User session controls

After a HP-UX system has been converted to run in C2 "trusted system" mode (see G.3 below) it is then possible to restrict user logins to specific times of day and/or specific terminal devices or serial lines. These settings are configured using the sam utility.

E.3.1.2 Shadow passwords

HP-UX 11i v1.6 and later support shadow passwords but may not use them by default. Run pwconv(1M) to convert to the shadow password scheme if /etc/shadow does not yet exist.

Note that shadow passwords work with LDAP. However NIS, NIS+ and the web interfaces for Partition Manager and Service Control Manager may not support shadow passwords.

If the system has been converted to "trusted" mode, then password information is stored in the /tcb/files/auth/*/* files instead of /etc/shadow.

E.3.1.5 Enforce password complexity

Requirements on password length and complexity can be flexibly configured using the parameters in /etc/default/security. The manpage for security(4) explains these settings in detail. In C2 "trusted" mode, these settings are instead configured using sam.

E.3.1.6 Password ageing and password history

Parameters in /etc/default/security also control password ageing and history retention. See the man page for security(4) for details. In C2 "trusted" mode, these settings are instead configured using sam.
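The E.1, E.3.1.5 and E.3.1.6 notes above all point at parameters in /etc/default/security. The script below is an added example, not part of the AusCERT checklist or of HP's software: it reads the uncommented KEY=VALUE settings from a copy of that file and reports the ones that are missing or weaker than a sample policy. The parameter names (BOOT_AUTH, BOOT_USERS, MIN_PASSWORD_LENGTH, PASSWORD_HISTORY_DEPTH, PASSWORD_MAXDAYS) are taken from security(4); the thresholds are an assumed policy, and the list should be checked against the security(4) page of the release in use. It does not apply to a system converted to C2 "trusted" mode, where these settings live in the TCB database and are managed with sam.

```shell
#!/bin/sh
# Added example (not from the checklist or HP): audit login and password
# parameters in an /etc/default/security file against a sample policy.
# Parameter names are from security(4); thresholds are an assumed policy.

# sec_get FILE KEY: print the uncommented value of KEY, or nothing if unset.
sec_get() {
    sed -e 's/#.*//' "$1" | awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# audit_security_defaults FILE: print one line per finding and return the
# number of findings, so an exit status of 0 means the file meets the policy.
audit_security_defaults() {
    f="$1"; fail=0
    # "NAME op THRESHOLD": op is a test(1) integer comparison (eq, ge, le)
    for spec in "BOOT_AUTH eq 1" \
                "MIN_PASSWORD_LENGTH ge 8" \
                "PASSWORD_HISTORY_DEPTH ge 5" \
                "PASSWORD_MAXDAYS le 90"; do
        set -- $spec
        name=$1; op=$2; want=$3
        have=$(sec_get "$f" "$name")
        if [ -z "$have" ]; then
            echo "$name: not set (want $op $want)"
            fail=$((fail + 1))
            continue
        fi
        if [ "$have" -"$op" "$want" ]; then
            :
        else
            echo "$name=$have (want $op $want)"
            fail=$((fail + 1))
        fi
    done
    # When boot authentication is on, BOOT_USERS should name the accounts
    # that may boot to single-user mode (see security(4) for the semantics).
    if [ "$(sec_get "$f" BOOT_AUTH)" = 1 ] && [ -z "$(sec_get "$f" BOOT_USERS)" ]; then
        echo "BOOT_USERS: empty although BOOT_AUTH=1"
        fail=$((fail + 1))
    fi
    return $fail
}

# Usage on an HP-UX host (skipped elsewhere, where the file does not exist):
if [ -f /etc/default/security ]; then
    audit_security_defaults /etc/default/security && echo "policy met"
fi
```

The comparisons are plain test(1) integer tests, so a non-numeric value is reported as a finding rather than silently accepted; extend the spec list with the other security(4) parameters (for example the PASSWORD_MIN_*_CHARS complexity settings) as local policy requires.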

E.4.1.4 Group membership

Check that /etc/logingroup does not give users membership of any groups that are not listed in /etc/group.
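The following is an added example of that check, not code from the checklist: it compares a logingroup file against a group file (both in the group(4) "name:password:gid:member,member" layout) and reports any group that /etc/logingroup names but /etc/group does not define. It goes one step further than the note above and also reports individual members that /etc/logingroup puts in a group which /etc/group does not list them in. Paths are taken as arguments so the check can be run against copies; membership granted by a user's primary GID in /etc/passwd is not considered.

```shell
#!/bin/sh
# Added example (not part of the checklist): find group membership granted
# by /etc/logingroup that /etc/group does not also grant.

# group_members FILE: print "group:member" for every member of every group.
group_members() {
    awk -F: '
        $1 ~ /^#/ || NF < 4 { next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print $1 ":" m[i]
        }' "$1"
}

# logingroup_check LOGINGROUP GROUP: print findings, return their number.
logingroup_check() {
    lg="$1"; gr="$2"; fail=0; missing=""
    # 1. group names in logingroup that are not defined in the group file
    for g in $(awk -F: '$1 !~ /^#/ && NF >= 3 { print $1 }' "$lg"); do
        if ! awk -F: -v g="$g" '$1 == g { f = 1 } END { exit !f }' "$gr"; then
            echo "group $g in $lg is not defined in $gr"
            fail=$((fail + 1)); missing="$missing $g"
        fi
    done
    # 2. memberships in logingroup that the group file does not list
    #    (groups already reported as missing are skipped)
    for pair in $(group_members "$lg"); do
        g=${pair%%:*}
        case " $missing " in *" $g "*) continue ;; esac
        if ! group_members "$gr" | grep -qxF "$pair"; then
            echo "login membership $pair is not in $gr"
            fail=$((fail + 1))
        fi
    done
    return $fail
}

# Usage on an HP-UX host that has a separate /etc/logingroup:
if [ -f /etc/logingroup ] && [ ! -L /etc/logingroup ]; then
    logingroup_check /etc/logingroup /etc/group && echo "logingroup is consistent with group"
fi
```

If /etc/logingroup is a symbolic link to /etc/group the two files cannot differ, which is why the usage guard skips that case.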

E.4.3 Role Based Access Control

RBAC is available for HP-UX versions 11iv2 and later. Further information on how to use HP's implementation of RBAC is available in the HP-UX Security Containment Administrator's Guide at http://docs.hp.com/en/5991-1821/ch03.html

E.5.3 Non-execute memory protection

HP-UX has a non-executable stack feature. Using this is explained in the document http://www.hp.com/products1/unix/operating/infolibrary/whitepapers/Stackbuffer.pdf

F.2 tcp_wrappers

F.15.1 FTP General Configuration

HP-UX uses the file /etc/ftpd/ftpusers instead of /etc/ftpusers.

G.3 Enable trusted audit subsystem

HP-UX systems have a "standard" mode and a "trusted" mode that provides TCSEC C2-level security features, including the HP-UX auditing subsystem. A system is converted to trusted mode by following the steps in "Administering Your HP-UX Trusted System" at http://docs.hp.com/hpux/pdf/B2355-90121.pdf, which also explains how to configure auditing.

G.5 Host-based intrusion detection

HP offers a host-based IDS for HP-UX based on system call monitoring. The HP-UX Host Intrusion Detection System is available at http://software.hp.com/portal/swdepot/displayProductsList.do?category=ISS

H.1.1 Identify host firewall software

HP maintains its own fork of IP Filter for HP-UX. It has shipped as standard with HP-UX since September 2004 and is available at http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B9901AA. Detailed information on using IP Filter is available from the upstream site at http://coombs.anu.edu.au/~avalon/

H.3 Network stack hardening/sysctls

These settings are configured in the file /etc/rc.config.d/nddconf. Note that, depending on the HP-UX version, this file may be limited to 10 entries. The settings can alternatively be applied from a startup script with
ndd -set /dev/ip <setting> <value>
or, for the TCP-related settings, ndd -set /dev/tcp <setting> <value>.

ip_forwarding 0
ip_forward_src_routed 0
ip_forward_directed_broadcasts 0
ip_send_redirects 0
ip_send_source_quench 0
ip_respond_to_address_mask_broadcast 0
ip_respond_to_echo_broadcast 0
ip_respond_to_timestamp_broadcast 0
ip_respond_to_timestamp 0
ip_ire_gw_probe 0
ip_pmtu_strategy 1
tcp_conn_request_max 200
tcp_syn_rcvd_max 1024

ndd -h lists the tunable parameters, and ndd -h <setting> describes an individual one.
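The script below is an added example, not HP's or the checklist's code. It carries the list above in one place and does three things with it: writes the settings out in the TRANSPORT_NAME[n]/NDD_NAME[n]/NDD_VALUE[n] layout of nddconf(4), counts them so the 10-entry limit of older releases can be checked, and audits or applies them on a running system with ndd -get / ndd -set. The policy values are the ones given in the note; the NDD variable, which lets the ndd command be substituted for testing off an HP-UX host, is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from HP or the checklist): manage the H.3 network stack
# settings as data, generate an nddconf fragment, and audit/apply with ndd.

# One "transport parameter value" per line; values are those in the note.
NDD_POLICY='
ip ip_forwarding 0
ip ip_forward_src_routed 0
ip ip_forward_directed_broadcasts 0
ip ip_send_redirects 0
ip ip_send_source_quench 0
ip ip_respond_to_address_mask_broadcast 0
ip ip_respond_to_echo_broadcast 0
ip ip_respond_to_timestamp_broadcast 0
ip ip_respond_to_timestamp 0
ip ip_ire_gw_probe 0
ip ip_pmtu_strategy 1
tcp tcp_conn_request_max 200
tcp tcp_syn_rcvd_max 1024
'

# policy_lines: the policy with blank lines removed.
policy_lines() { echo "$NDD_POLICY" | awk 'NF == 3'; }

# policy_count: number of entries; older releases honour only 10 in nddconf.
policy_count() { policy_lines | wc -l | tr -d ' '; }

# gen_nddconf [START]: emit an /etc/rc.config.d/nddconf fragment, numbering
# entries from START (default 0) so it can follow existing entries.
gen_nddconf() {
    policy_lines | awk -v i="${1:-0}" '{
        printf "TRANSPORT_NAME[%d]=%s\nNDD_NAME[%d]=%s\nNDD_VALUE[%d]=%s\n\n", \
               i, $1, i, $2, i, $3
        i++
    }'
}

# audit_ndd: compare live values with the policy; print each mismatch and
# return 1 if any. NDD (assumption of this example) overrides the command,
# which is expected to behave like "ndd -get /dev/<transport> <parameter>".
audit_ndd() {
    ndd="${NDD:-ndd}"
    out=$(policy_lines | while read -r t n v; do
        have=$("$ndd" -get "/dev/$t" "$n" 2>/dev/null)
        [ "$have" = "$v" ] || echo "/dev/$t $n=$have (want $v)"
    done)
    [ -z "$out" ] && return 0
    echo "$out"
    return 1
}

# apply_ndd: the startup-script alternative to nddconf, one ndd -set per entry.
apply_ndd() {
    ndd="${NDD:-ndd}"
    policy_lines | while read -r t n v; do
        "$ndd" -set "/dev/$t" "$n" "$v"
    done
}
```

Typical use is `gen_nddconf > /tmp/nddconf.fragment` and a review of it against the existing /etc/rc.config.d/nddconf before merging, then `audit_ndd` after the next reboot to confirm the values took effect; if `policy_count` exceeds the entry limit of the release in use, carry the remainder with `apply_ndd` from a startup script as the note describes.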