
Passwords on Novell NetWare Managed Nodes, Automatic and Operator-initiated Actions, Queue Files – HP UX B6941-90001 User Manual

Page 456


Chapter 10

Tuning, Troubleshooting, Security, and Maintenance

ITO Security

Passwords on Novell NetWare Managed Nodes

The password for the default operator opc_op is not assigned during the
installation of the agent software. For security reasons, it is strongly
recommended to assign a password to opc_op, using NetWare tools, after
the agent software is installed.

Automatic and Operator-initiated Actions

Action requests and action responses can contain sensitive information
(application password, application responses and so on), which might be
of interest to intruders. In a secure system this might not be a problem.
However, if these requests and responses have to pass through a firewall
system or even over the Internet where packets may be routed through
many unknown gateways and networks, then administrators need to
think in terms of the measures required to improve security.

In addition, automatic and operator-initiated actions are currently
executed as root. Consequently, in order to prevent security holes, it is
essential that the administrator:

❏ protect any shell scripts (for example, those used to switch user) by assigning minimal rights

❏ choose carefully the commands which an application uses

Queue Files

The queue files for the message interceptor (msgiq) and the monitor
agent (monagtq), which are used by opcmsg and opcmon for communicating
with their corresponding processes, have read/write permission for
everyone. Sensitive messages can be read by displaying these queue files
as a regular user.

In addition, the administrator also needs to take into account the fact
that the opcmsg and opcmon commands allow anybody to send a message
which triggers an automatic action attached to a message, even on
another node.
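
The following permission audit is an added example, not part of the HP manual or of ITO. It covers both the script-protection advice under Automatic and Operator-initiated Actions and the queue-file exposure described above. The function names are hypothetical, and the directories are passed in by the caller because the page does not give the locations of the queue files or of the action scripts.

```shell
#!/bin/sh
# Added example: permission audit for an ITO managed node.
# Directory arguments are assumptions supplied by the caller; the manual page
# does not give the locations of the queue files or of the action scripts.

# Print every non-directory entry under $1 that any local user can read or
# write (the condition the page describes for msgiq and monagtq).
world_accessible() {
    find "$1" ! -type d ! -type l \( -perm -004 -o -perm -002 \) -print | sort
}

# Print scripts and directories under $1 that an account other than the
# expected owner ($2, default root) could modify or replace. A writable
# directory counts: it lets a user swap out a script that root will run.
modifiable_by_others() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 -o ! -user "${2:-root}" \) -print | sort
}

# Report both classes of finding; return 0 only when there are none.
# $1 = queue directory, $2 = action-script directory, $3 = expected owner.
audit_ito_perms() {
    queues=$(world_accessible "$1")
    scripts=$(modifiable_by_others "$2" "${3:-root}")
    if [ -n "$queues" ]; then
        printf '%s\n' "$queues" | sed 's/^/world-accessible queue file: /'
    fi
    if [ -n "$scripts" ]; then
        printf '%s\n' "$scripts" | sed 's/^/modifiable by non-owner: /'
    fi
    [ -z "$queues$scripts" ]
}
```

Queue-file findings are input to a risk decision rather than something to chmod blindly, since opcmsg and opcmon use these files to reach their agent processes.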