Select Page Home Interleaf Notes Links

Select Page Unix Notes Build an HP-UX server Ignite Notes GSP Notes inetd.conf and inetd.sec Notes Changes to Unix pages

To see what's recently changed on this page - please look at the Changes page.

These (somewhat generic) instructions will help you build a fairly secure server. If you want to build a really secure server, please look up Kevin Steves "Building a Bastion Host Using HP-UX 11.00" - HP document: USECKBAN00000800.

Disclaimer:
Use at your own risk. If you see any problems with this document, please send an email explaining what is wrong to: dburton3@tampabay.rr.com.

Computer text (in RED color) = User input of some kind (manually entered text, commands run at the command line or an item needing a mouse click).

Italic text = Notes, special interest items or prompts.

• Internal
  
• External
  

• Configure umask
• Modify /.profile, /.kshrc and /.exrc files
• Add the /cdrom directory
• Make a link from /dev/dsk/cdrom to the real cdrom device
• Modify the /etc/rc.config.d/clean_tmps file
• Add drivers to kernel using SAM
• Make kernel parameter changes using SAM
• Configure DNS
• Install HP applications, diagnostics and patches
• Add Cron entries and associated files
• Install the latest JetAdmin software
• Disable X client (Xterminals, Exceed, Reflections X) access
• Configure Crash
• Configure sendmail
• Configure ISEE
• Configure Syslog logging to another server
• Configure Sar Reporting
• Configure Perl
• Configure NTP (Time)
• Add OmniBack, Data Protector or other Backup Software
• Add cfg2html

• Fix the copyright file
• Configure SSH
• Remove unused software
• Restrict root login
• Add the /etc/issue disclaimer
• Configure CDE to use the /etc/issue file
• Configure FTP
• Modify the /etc/inetd.conf file
• Change "registrar" logging
• Configure additional inetd logging
• Add "nosuid" info in /etc/fstab lines
• Make this a "trusted" (C2 compliant) server or use the /etc/shadow file
• Install IDS9000
• Install TCPwrappers
• Make NDD changes
• Configure Security Patch Check
• Change the snmp.conf file
• Tighten up file permissions and ownership

• The server is an "L" class or better with an 18 gigabit or larger drive located in the top row of slots and another drive located in the bottom row. Both drives will be used for the Operating System (O/S). Due to there inserted locations, both drives sit on separate SCSI buses. All for redundancy purposes. If a smaller server or hard drives are used, then please make adjustments where needed (lvol size, kernel parameters, etc.).
• An HP Web Console has been delivered with the server.
• A standard (backup) console is available in the data center in case network connectivity is down thus breaking connection to the Web Console.
• The server has a CD or CD-DVD drive, a DDS3 or better tape drive, at least one 10/100 BT Lan card.
• The following is available - HP-UX O/S 11.00 or 11i installation CD's, application CD's and applicable codewords, and the latest patch CD.
• Additional HP or third party software in tar or depot format which is available via LAN, tape or CD.

• Determine server hostname and the Web Console name.
• Obtain static IP(s) for server and Web Console.
• Have DNS maps changed to show this new server and it's Web Console.
• Network switches/routers have been configured for this server and its Web Console.
• Have power and LAN cables laid out and ready to use.

• Access the GSP by typing ^B (control b) on the monitor: Console prompt: ^B
• Log in: Admin Admin or <Enter> <Enter> (blank blank - in other words)
• Navigate to the "Command Menu" by typing cm at the GSP prompt: MP> cm
• Next, navigate to the "Configure LAN connections" area by typing lc at the GSP-Command Menu prompt: MP:CM> lc
• Make your LAN additions/changes as needed.

• Eight alpha/numeric characters with at least one special symbol in the password, i.e.; MakE2%bR [make 2% beer].

1. Access the GSP in order to add users (see above).
2. Go to the "Command Menu": MP> cm
3. Go to the "Configure Security Options and Access Control" menu: MP:CM> so
4. Select "User parameters": Which do you wish to modify? ([1]/2) : 2
5. Add a user: A to add, D to delete, Q to quite : a
6. Enter the login ID: Enter Login : batman
7. Enter the persons real name: Enter Name : Bruce Wayne
8. Enter your company name: Enter Organization : Batcave
9. Enter the level of access needed for this user: Enter Access Level (A/O/[S]) : a
10. Give them single or multiple use: Enter Mode (S/[M]) : m
11. Enable the account: Enter Status (D/[E]) : e
12. No modem = No Dialback: Enable Dialback? (Y/[N]) : n
13. Enter the password twice:
    Enter Password : MakE2%bR
    Re-Enter Password : MakE2%bR
14. Save your changes/additions: Save changes to user number 1? (Y/[N]) : y

Create a certificate in order to make a secure connection from your web browser.

1. Access the GSP in order to create a certificate (see above).
2. Go to the "Command Menu": MP> cm
3. Go to the "Generate ssl key pair and self signed certificate" and create your certificate: MP:CM> cg

   NOTE:
   When asked for a "Common Name", use the Web Consoles short name
   or it's fully qualified DNS name. Which ever one you plan to
   use in your web browser.
   Example:
   Use batcave-console or batcave-console.batcave.gotham.city.com
   

Connect to the internal Web Console:

1. Point your web browser using Internet Explorer 6.0 or better, or Netscape 6.2 or better using the following secure web address: https://target_web_console
2. Accept the certificate you created.
3. Enter your login name at the "MP login:" prompt.
4. Enter your password at the "MP password:" prompt.
5. Enter "co"
6. Enter "0" (zero).
7. Press the "Enter" key.
8. Enter "^Ecf" ("control E" then "cf").
9. Press "Enter" again.
10. Your now at the "Console login:" prompt.

• If you can't access the Web Console but you can ping it and telnet into it, you may have to restart the GSP. Perform the following procedures to restart the GSP without rebooting the server.
  1. Telnet or access the GSP from the monitor.
  2. Go to the "Command Menu": MP> cm
  3. Enter the "MP Diagnostics and Reboot" area: MP:CM> xd
  4. Then "Soft Reset the Master MP": Enter your choice: 3
  5. Wait about a minute to access the Web Console.

     NOTE:
     When resetting the GSP you may get an
     "Event Monitor Notification" from EMS.
     

• Configure Web Console making sure to add users (not root) with hardened passwords.
  • Eight alpha/numeric characters with at least one special symbol in the password, i.e.; MakE2%bR [make 2% beer].
• Initial IP of Web Console is: 192.0.0.192

1. ping 192.0.0.192
2. route add 192.0.0.192 10.10.10.100
   • The "10.10.10.100" IP is the computer used to connect to the Web Console.
3. arp -s 192.0.0.192 <MAC address>
   • The "<MAC address>" is the Web Console "LAN Addr" (MAC) address - found on the Web Console itself.

The second screen will ask for the following....

   Name:         Doug Burton  (Your Name)
   Function:     Administrator(Your function)
   Information:  Some info    (Some info)
   Login:        blahblah     (Your Web Console login ID)
   Password:          MakE2%bR(Your hardened password)
   Re-enter Password: MakE2%bR(Your hardened password again)

   Secure Console Name: batcave-console(Name of Web Console)
   IP Address:          10.10.10.2     (The Web Console IP address)
   IP Subnet Mask:      255.255.255.0  (The subnet mask)
   IP Gateway:          10.10.10.1     (The gateway IP)
   System Name:         batcave        (Name of server your connected to)
   Terminal Type:       vt100          (The type of terminal you like to use)

Log in using the new IP or Web Console name and config additional users.

• Turn the server on.
• Place the Install CD into the CD drive while the server is starting up.
  • The 11.xx boot CD use's a standard HP Ignite interface.
• Halt the boot process when prompted and execute the following command: sea ipl
• The "sea ipl" command will return any and all devices, which are bootable. You will see the device for the CD. If this is a new server you will not see any other drive devices due to the drives not being configured yet. However, you may see a Lan device if you have an Ignite server configured.
  • If your going to use the Ignite server to do the install across the network, then follow the Ignite installation document at this point.
• Your now ready to boot from the CD using the following command: bo p0
  • I assume "p0" was returned and matches the CD hardware address when the "sea ipl" command ran.
  Answer "no" to the "Interact with IPL" prompt.

  NOTE:
  Use the "Tab" key to navigate in the installation windows.
  

• When the "Welcome" window appears, select "Install HP-UX".
• Next, find "User Interface Options:" and press the space bar to select the "Advanced Installation" item the same way on the same screen. Press "OK" to continue.
• Choose "CD/DVD Installation".
• In the "Basic" tabbed area shown at the top of the screen:
  • Choose "32bit" or "64bit" O/S - found in the "Environments:" section.
  • Choose a root disk to use in the "Root Disk..." section. I will use c2t2d0 as the main boot drive and c1t2d0 as the bootable mirror.
  • Choose "(LVM) with VxFS" found in the "File System:" section.
  • Change the swap size as needed in the "Root Swap (MB)" section.

    NOTE:
    The default is usually fine. You
    can add swap later if you want.
    

• In the "Software" tabbed area:
  • Select or de-select software to be loaded.

    NOTE:
    You can add or remove software later if needed. However,
    you should only load what you need for security reasons.
    

• In the "System" tabbed area:
  • The server IP, subnet mask, time, date, time zone, root password, gateway, any static routes, DNS, NIS, and NTP info can be added in this area.
• Set LVM sizes in the "File System" tabbed area:

  NOTE:
  Be sure to watch the "Size:" area as it can take a
  percentage of the disk left over for some logical
  volumes. I suggest making all LVM's a "Fixed" size.
  Also, under the "Additional Tasks" section you will
  find the "File System Parameters..." section. Choose
  "Largefiles" for all your VxFS - Logical Volumes.
  

  The following is an example of an LVM (vg00) configuration (using a 4g, 18g or 36g drive). Again, change as needed.

                  4 gig       18 gig      36 gig
  /                100m        200m        500m
  /stand           100m        300m        500m
  swap             256m        2g          4g
  /var             1g          4g          6g
  /usr             1.2g        3g          5g
  /tmp             50m         1g          1g
  /opt             1g          4g          6g
  /home            100m        500m        1g
  /var/adm/crash   2g*         2g          4g
  swap2            2g*
  
  * = Use a second 4g drive
  

• Nothing to do in the "Advanced" tabbed area.
• Select "GO!" twice to begin the O/S install.

Configure umask

• File creation is VERY open on HP workstations and servers "out of the box". We need to fix this to a more secure setting right from the get go. So add this to the end of the /etc/profile file:

  if [[ $(/usr/bin/id -u) -eq 0 ]]
    then
      umask 077
    else
      umask 022
  fi
  

Don't forget to change root's $HOME in the /etc/passwd file. Now log off and then back in just to make sure everything is set correctly. Don't forget that if you make root's home a mounted file system, you won't have easy access to it in single user mode. Also, copy or move the "dot" files (.profile, .kshrc, etc), into roots new home.

• Add the following to the empty $HOME/.exrc file: set showmode noai
• Add the following to the $HOME/.profile file:

  stty erase "^H" kill "^U" intr "^C" eof "^D" stop "^S" susp "^Z"
  

  export HISTFILE="$HOME/.sh_history"	# Set history
  export ENV="$HOME/.kshrc"		# Set some aliases and other stuff
  export LPDEST=xxx			# Set the default printer
  export EDITOR=vi			# Set the Editor
  trap "$HOME/.logout" 0			# What to do on exit
  export TMP="$HOME/tmp"			# Set my tmp directories
  export TMPDIR="$HOME/tmp"
  
  ############################################################
  # PROMPT Stuff
  # If I run a DTterm, then the prompt is in color. Woo! Woo!
  ############################################################
  export NOEUD=`hostname`
  if [[ $TERM = dtterm ]]
   then
     PS1="$(echo "\\033[40m\\033[33m")"'$LOGNAME'@$(hostname)"-$(echo "\\033[36m")"'$PWD'"$(echo "\\033[0m") : "
     #export PS1="$(echo "\\033[40m\\033[33m")$LOGNAME@$(hostname):$(echo "\\033[0m") "
   else
     PS1='$LOGNAME@$NOEUD-$PWD'" : "
  fi

  Makes the printer named "xxx" the default printer for root.

• Add the following to the /.kshrc file:

  alias llm='ls -al|more'
  alias seek='ps -ef | grep -v grep | grep -v "ps -ef" | grep -i '
  alias c=clear
  alias x='clear;exit'
  alias count='ls | wc -l'
  
  alias lls='echo "\n*************************";    \
             echo "Long List - Largest first"; \
             echo "*************************\n";      \
             ls -Al $* | sort -nr -k 5 | more'
  alias llt='ls -alt | more'
  alias hp='export TERM=hp'
  alias dt='export TERM=dtterm'
  alias ht='export TERM=hpterm'
  alias xt='export TERM=xterm'
  alias bdfd="bdf | grep dev"
  alias cr='cd /usr/spool/cron/crontabs'
  alias rs=/usr/bin/X11/resize
  alias vp=/usr/vue/bin/vuepad
  alias xl=/usr/local/bin/xlock
  alias xlock=/usr/local/bin/xlock
  alias s="echo $SHELL"
  alias t="echo $TERM"
  alias term="echo $TERM"
  alias ip="/etc/arp `hostname`"
  alias path="echo $PATH"
  alias rl="rlogin"
  alias st='stty erase ^?'
  alias printtest="banner Print Test from `hostname` | lp -d "
  
  ####################################
  # Set window and icon titles (Use this with CDE)
  ####################################
  
  # put text on the X-window title bar
  
  setTitle()
    {
      hn="$1"
        if [ "$TERM" = "hp" -o "$TERM" = "hpterm" ]
           then
              echo "^[&f0k${#hn}D$hn^M\c"
        elif [ "$TERM" = "xterm" -o "$TERM" = "vt100" ]
           then
              echo "\033]2;$hn\007\c"
        elif [ "$TERM" = "dtterm" -o "$TERM" = "vt220" ]
           then
              echo "\033]2;$hn\007\c"
        fi
    }
  typeset -fx setTitle
  
  # Lets set an alias
  
  _cd()
    {
      'cd' ${1:-$HOME} ${2:-}
      setTitle "`hostname`:`pwd`" 1>&2
    }
  
  alias -x cd="_cd"
  _cd .

• Something for that .logout file:

  if [[ $TERM = dtterm ]]
   then
     function blah {
     echo "\\033[40m\\033[31m"
     banner Hey!
     echo "\\033[40m\\033[35m"
     echo "\n\n   You just logged me out. \n\n"
     echo "       Now I feel bad.         \n\n"
     echo "\\033[0m"
     sleep 2
        }
     blah
   else
     banner Hey!
     echo "\n\n   You just logged me out. \n\n"
     echo "       Now I feel bad.         \n\n"
     sleep 2
  fi

• Add the following:

  *loginShell:    true
  *saveLines:     1024
  *scrollBar:     true
  
  to these files:
  
  /usr/lib/X11/app-defaults/HPterm
  /usr/lib/X11/app-defaults/XTerm
  /usr/dt/app-defaults/C/Dtterm
  

   mkdir /cdrom

• To check which device file is used for the CDROM run:

  ioscan -fnC disk
  

• Look for the CD-ROM (or DVD-ROM) device and make a link to it:

  ln -s /dev/dsk/c6t2d0 /dev/dsk/cdrom
  

• Make sure the following lines are set to "0".

  LIST_TEMPS=0
  CLEAR_TMP=0
  

• Add the drivers you need.

NOTE:
The old selections for DataBase server kernel changes are not
available in 11i. To have these again, download the following
files and place them in the /usr/sam/lib/kc/tuned directory.
Then start up SAM and select the one you need.

General OLTP/Database Client System:      oltp_cli.tun
General OLTP/Database Monolithic System:  oltp_sa.tun
General OLTP/Database Server System:      oltp_ser.tun

Something I've put together and liked to use: DataBaseServer.tun

• Adjust the kernel for your environment.

  NOTE:
  The minimum changes should be "timeslice" set to 10.
  On 11i or higher servers, the "executable_stack"
  should be set to "0". Also set these if using preset
  values like the one's shown above.
  

The following assumes that you wish to resolve name-to-IP or IP-to-name using DNS first, then NIS, then your /etc/hosts file. Simply switch or remove the entries as needed.

• Comment the following line in the /etc/nsswitch.conf file: #hosts: files
• Add the following line:

  hosts: dns [NOTFOUND=continue UNAVAIL=continue TRYAGAIN=continue] nis [NOTFOUND=return UNAVAIL=continue] files [NOTFOUND=return UNAVAIL=continue TRYAGAIN=return]
  

• Add the following lines into the /etc/resolv.conf file:

    domain      gotham.city.com
    search      gotham.city.com
  
    nameserver  10.10.10.3  # Primary DNS server
    nameserver  10.10.10.4  # Secondary DNS server
  

• Mount the appropriate CD (or connect to a depot configured on another server):

  mount /dev/dsk/cdrom /cdrom
  

• Run "swinstall" in order to add the following applications (codewords needed):

  Ignite  MirrorDisk/UX  Glance  OnlineJFS (Other software???)
  

• Load latest DIAGNOSTICS.

  To check the current version you are running: swlist -l bundle
  The output: OnlineDiag <revision>
  

• Load latest software and hardware patch bundles making sure not to install "recalled" patches.
• Unmount the CD: umount /cdrom

# Find core files and remove them.
0 0 * * * find / -type f -name core -exec rm {} \;

# Gather system data once a week (on Monday @ 12:00am).
0  0  *  *  1  /opt/cfg2html/cfg2html_hpux.sh &

NOTE:
You will need the "cfg2html" program to run the cron job above.
Also, click the links below to get the scripts.

# Check disk space every 15 min.
0,15,30,45 * * * * /usr/local/bin/chk_dsk_space  > /dev/null 2>&1

# Check system procs every 15 min.
0,15,30,45 * * * * /usr/local/bin/chk_procs > /dev/null 2>&1

# Lets clean up some stuff older than 14 days shall we?
0  0 * * * /usr/local/bin/cleanup

# Check system load average every 15 min.
0,15,30,45 * * * * /usr/local/bin/load_average  > /dev/null 2>&1

# Collect SAR data every 5 minutes 24x7
0  0  *  *  *  /usr/local/bin/sar_collect 300 288

# Check bad su attempts every hour.
59 0-23 * * * /usr/local/bin/chk_su > /dev/null 2>&1

# Check logins every night at 11:50pm.
50 23 * * * /usr/local/bin/chk_logins

# Run Security Patch Check and email the goodies to root.
0 1 * * 1 /usr/local/bin/security_patch_chk > /dev/null 2>&1

• Configure the printer(s) by running /opt/hpnpl/bin/hppi or copy them over from another server using sam.

• Disable xclients from accessing this server by commenting the following line in the /usr/dt/config/Xaccess file:

  #  *                       # grant service to all remote displays
  

• Disable broadcasting so X clients can't access this server by commenting the following lines in the /usr/dt/config/Xaccess file:

  #  *  CHOOSER BROADCAST    # any indirect host can get a chooser
  

• Edit the file /etc/rc.config.d/savecrash and uncomment the following:
  # SAVECRASH=1, and # SAVECRASH_DIR=/var/adm/crash

• Make sure you have the current sendmail configuration file by running the following command: grep DZ /etc/mail/sendmail.cf
  • If the sendmail.cf file is NOT the latest and greatest, then backup the old one and copy the latest and greatest into place:

    cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.old
    cp -p /usr/newconfig/etc/mail/sendmail.cf /etc/mail
    

• Add the following lines into the /etc/mail/sendmail.cw file:
  • Change "batcave" to the server hostname your working on and change the domain name to your corporate domain name.

    localhost
    batcave
    batcave.gotham
    batcave.gotham.city
    batcave.gotham.city.com

• Make the following changes to the /etc/mail/sendmail.cf file:

  From: DS
  To:   DS<your mail server name> (i.e.; DSmetropolis).
  
  From: O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
  To:   O SmtpGreetingMessage=
  
  From: O PrivacyOptions=authwarnings
  To:   O PrivacyOptions=goaway
  

• Look for the "bd" switch in the /sbin/init.d/sendmail file:

  grep "sendmail -bd" /sbin/init.d/sendmail
  

  If found, make the following changes:

  From:	/usr/sbin/sendmail -bd -q30m && echo "sendmail"
  To:	/usr/sbin/sendmail -bm -q30m && echo "sendmail"
  

• After changes to the sendmail.cw and cf files, restart sendmail with the following commands:

  /sbin/init.d/sendmail stop ; /sbin/init.d/sendmail start
  

• Add your email address (and backup admin???) to the "root" alias in the /etc/mail/alias file. The entry in the /etc/mail/alias file would look like this:

  root   :   batman@gotham.city.com,robin@gotham.city.com
  

  You need to run newaliases in order for sendmail to recognize this new alias.

• Test sendmail: sendmail -v root

• After installing ISEE open a web browser to your target server:
  http://target_server:5060 and log in using the default login - admin and default password - isee.

  You will need to input your contact info and system handle for this server.

  If you have more than one server to do and wish to install ISEE with as much configured info as possible, you may want to create a depot with ISEE in it. After you have created the depot you will need to run the following in order to add all the data that will get pushed out when you network install ISEE:
  /usr/sbin/swask -s /depot_location/ISEE ISEE-Chorus

  NOTE:
  If you have different data for different servers such as separate "System Handles"
  for each server, you will need to add that data using your web browser.
  

• To configure a log server, all you need is sufficient disk space in /var or a file system mounted at /var/adm/syslog.
• To configure this server to send syslog data to the log server, add the following to the /etc/syslog.conf file: *.info;mail.none @metropolis
• Then run the following command: kill -HUP `cat /etc/syslog.pid`

• Make sure you have a directory for your sar data which is generated from the cron entry above: mkdir /var/adm/sa

• After loading the latest Perl version, you will need to rename a file and create a link.

  mv /usr/contrib/bin/perl /usr/contrib/bin/perl.old
  ln -s /opt/perl/bin/perl /usr/contrib/bin/perl
  

• Add the following to the end of /etc/ntp.conf file:

  server 10.10.10.5 version 2 prefer # The NTP server
  driftfile /etc/ntp.drift
  statsdir /var/spool/ntp/
  statistics  loopstats  clockstats  peerstats
  filegen peerstats  file peerstats  type day enable
  filegen loopstats  file loopstats  type day enable
  filegen clockstats file clockstats type day enable
  

  Notice that the "statsdir /var/spool/ntp/" has a trailing slash.

• Add the stats directory:

  mkdir /var/spool/ntp ; chmod 755 /var/spool/ntp
  

• Redirect NTP logging from the /var/adm/syslog/syslog.log file to another, easier to read file by adding the following in the /etc/rc.config.d/netdaemons file. Also add "1" so NTP will start at bootup:

    export XNTP=1
    export XNTPD_ARGS="-l /var/adm/syslog/ntp.log"
  

• Create the ntp.log and ntp.drift file:

  touch /var/adm/syslog/ntp.log  /etc/ntp.drift
  chmod 644 /var/adm/syslog/ntp.log  /etc/ntp.drift
  

• Stop (if it's already running) the XNTP process then restart it:

  /sbin/init.d/xntpd stop ; /sbin/init.d/xntpd start
  

• Test your config by executing the following: ntpq -p

• Install backup software.

• Install "cfg2html" which can be found at http://groups.yahoo.com/group/cfg2html. The cron entry is show above.

  The html, text and error info by default are created in the /opt/cfg2html directory. To save these files someplace else, modify the OUTDIR variable found in the /opt/cfg2html/cfg2html_hpux.sh file.

  NOTE:
  You may want to comment/remove the "script" code found in the
  /opt/cfg2html/plugins/head01.html and head02.html files. This
  code will fire off advertising garbage when the finished
  cfg2html web page is viewed.

Fix the copyright file

• Copy then empty /etc/copyright:

  cp -p /etc/copyright /etc/copyright.orig ; > /etc/copyright
  

• If a user wishes to logon to a target server running SSH and have there connection encrypted, they will need to login using the command "slogin <target server>". Think of it as a replacement for "rlogin" and "telnet". You can also run "scp" in place of "rcp" and "sftp" instead of "ftp".

  SSH software should be installed on every server.

• After a successful install using the HP created depot, create the following link:

  ln -s /opt/ssh/bin/slogin /usr/bin/slogin
  

• Log onto your server ("batcave" is used in this example) using your user ID, NOT root. The user "test" is used in this example. At the prompt, type in: ssh-keygen -t rsa
• You will then see the following with the appropriate entries shown to the right:

  Generating public/private rsa key pair.
  Enter file in which to save the key (/home/test/.ssh/id_rsa):	<Hit "Enter">
  Enter passphrase (empty for no passphrase):		        <Hit "Enter">
  Enter same passphrase again:				        <Hit "Enter">
  Your identification has been saved in /home/test/.ssh/id_rsa.
  Your public key has been saved in /home/test/.ssh/id_rsa.pub.
  The key fingerprint is: 3c:e9:17:6f:8d:9d:52:ab:21:8c:4f:3c:6d:42:1d:cc test@batcave
  

• Each user will need to run "ssh-keygen -t rsa" on each server they wish to log onto that has SSH loaded.
• In order for the user to "slogin", "scp", or "sftp" to another server without being prompted for there /etc/passwd password - they will need to do the following:

  The contents of your local file, "batcave:/home/test/.ssh/id_rsa.pub", needs to be copied into your "authorized_keys" file located in your home directory on the target server (metropolis). Let's assume that SSH is now loaded and working on both batcave and metropolis. You also have run the "ssh-keygen" program on both servers. Now is a good chance to remotely copy a file to the target server (from batcave to metropolis) in the new secure format. Run the following command from your $HOME directory on batcave:

  scp  ~/.ssh/id_rsa.pub  metropolis:/home/test/.ssh/id_rsa.pub.batcave
  

  The first time you "scp", "slogin", etc. to a "new" server, the following may be displayed. All you need to remember is to type "yes" and enter your /etc/passwd password when prompted.

  The authenticity of host 'metropolis (10.10.10.10)' can't be established.
  RSA key fingerprint is b7:f2:9d:51:6c:36:51:1a:ff:d6:82:92:78:fe:73:96.
  Are you sure you want to continue connecting (yes/no)?     yes
  Warning: Permanently added 'metropolis,10.10.10.10' (RSA) to the list of known hosts.
  test@metropolis's password:    <type in your /etc/passwd password>
  id_rsa.pub       100% |****************************|   220       00:00    
  

  Then, in order to get the data into the "authorized_keys" file you can run the following while logged onto metropolis:

  cat ~/.ssh/id_rsa.pub.batcave >> ~/.ssh/authorized_keys
  

  Remember, in order to "slogin", etc. to a target server which has SSH loaded and NOT get prompted to input your password, you will need the local "~/.ssh/id_rsa.pub" file copied into your "target:$HOME/.ssh/authorized_keys" file.

  One last thing, edit the "#Banner /some/path" line in the /opt/ssh/etc/sshd_config file to "Banner /etc/issue".

• Run "swremove" to remove ALL unused/unnecessary software. At least remove the following:

  Netscape, Apache, CIF (Samba), AudioSubsystem, DigitalVideo, and International (all but English)

• Modify the /etc/securetty file and change it's permissions.

  echo console > /etc/securetty ; chmod 400 /etc/securetty
  

• The /etc/issue file should look something like this:

  *******************************************************************
                           WARNING NOTICE
  *******************************************************************
  This system is restricted solely to Gotham City authorized users
  for legitimate business purposes only. The actual or attempted
  unauthorized access, use, or modification of this system is
  strictly prohibited by Gotham City. Unauthorized users are subject
  to Company disciplinary proceedings and/or criminal and civil
  penalties under state, federal, or other applicable domestic and
  foreign laws. The use of this system may be monitored and recorded
  for administrative and security reasons. Anyone accessing this
  system expressly consents to such monitoring and is advised that if
  monitoring reveals possible evidence of criminal activity, Gotham
  City may provide the evidence of such activity to law enforcement
  officials. All users must comply with Gotham City instructions
  regarding the protection of Gotham City information assets.
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

• After the /etc/issue file has been modified, add the following lines to /etc/dt/config/Xsession.d/0091.dthello if your using CDE:

  #!/usr/bin/ksh
  dtstart_hello[0]="/usr/dt/bin/dthello -file /etc/issue &"
  

  Then run this command:

  chmod 755 /etc/dt/config/Xsession.d/0091.dthello
  

• After adding "-l -a" to the end of the ftp line in the /etc/inetd.conf file (see below), you will need to add the following to the /etc/ftpd/ftpaccess file:

  class local real *.gotham.city.com 0.0.0.0
  class remote real *
  suppresshostname yes
  suppressversion yes
  email root
  banner /etc/issue
  loginfails 3
  private yes
  noretrieve passwd core
  log commands  anonymous,guest,real
  log transfers anonymous,guest,real inbound,outbound
  passwd-check enforce
  

• Edit the /etc/ftpd/ftpusers file and add:

  adm
  anonymous
  bin
  daemon
  guest
  hpdb
  informix
  lp
  nobody
  nuucp
  oracle
  postgres
  predmail
  root
  sys
  tftp
  uucp
  

  Any user added to this file can not login using FTP.

• Any user who tries to connect to the FTP port can get specific info like what version your running, etc. To see how well you've done on the old config front run this (you may have to config inetd.conf before running this):

  echo quit | telnet localhost 21

• Make sure the unused service lines in the /etc/inetd.conf file are commented out. Refer to my inetd.conf document to see what implications you may face by commenting out these lines.

  #tftp      dgram   udp   wait    root /usr/lbin/tftpd      tftpd
  #bootps    dgram   udp   wait    root /usr/lbin/bootpd     bootpd
  #finger    stream  tcp   nowait  bin  /usr/lbin/fingerd    fingerd
  #uucp      stream  tcp   nowait  root /usr/sbin/uucpd      uucpd
  #ntalk     dgram   udp   wait    root /usr/lbin/ntalkd     ntalkd
  #ident     stream  tcp   wait    bin  /usr/lbin/identd     identd -l
  #printer   stream  tcp   nowait  root /usr/sbin/rlpdaemon  rlpdaemon -i
  #daytime   stream  tcp   nowait  root internal
  #daytime   dgram   udp   nowait  root internal
  #time      stream  tcp   nowait  root internal
  #time      dgram   udp   nowait  root internal
  #echo      stream  tcp   nowait  root internal
  #echo      dgram   udp   nowait  root internal
  #discard   stream  tcp   nowait  root internal
  #discard   dgram   udp   nowait  root internal
  #chargen   stream  tcp   nowait  root internal
  #chargen   dgram   udp   nowait  root internal
  #rpc       stream  tcp   nowait  root /usr/sbin/rpc.rexd                 100017  1    rpc.rexd
  #rpc       dgram   udp   wait    root /usr/lib/netsvc/rstat/rpc.rstatd   100001  2-4  rpc.rstatd
  #rpc       dgram   udp   wait    root /usr/lib/netsvc/rusers/rpc.rusersd 100002  1-2  rpc.rusersd
  #rpc       dgram   udp   wait    root /usr/lib/netsvc/rwall/rpc.rwalld   100008  1    rpc.rwalld
  #rpc       dgram   udp   wait    root /usr/sbin/rpc.rquotad              100011  1    rpc.rquotad
  #rpc       dgram   udp   wait    root /usr/lib/netsvc/spray/rpc.sprayd   100012  1    rpc.sprayd
  #kshell    stream  tcp   nowait  root /usr/lbin/remshd                   remshd -K
  #klogin    stream  tcp   nowait  root /usr/lbin/rlogind                  rlogind -K
  #ncpm-pm   dgram   udp   wait    root /opt/ncpm/bin/ncpmd                ncpmd
  #ncpm-hip  dgram   udp   wait    root /opt/ncpm/bin/hipd                 hipd
  #dtspc     stream  tcp   nowait  root /usr/dt/bin/dtspcd                 /usr/dt/bin/dtspcd
  #rpc       xti     tcp   swait   root /usr/dt/bin/rpc.ttdbserver         100083 1 /usr/dt/bin/rpc.ttdbserver
  #rpc       dgram   udp   wait    root /usr/dt/bin/rpc.cmsd               100068 2-5 rpc.cmsd
  #instl_boots       dgram udp     wait root /opt/ignite/lbin/instl_bootd  instl_bootd
  #recserv   stream  tcp   nowait  root /usr/lbin/recserv recserv          -display :0
  

• Add logging, etc. to the following lines in the /etc/inetd.conf file:

  ftp     stream tcp nowait root /usr/lbin/ftpd      ftpd    -l -a
  telnet  stream tcp nowait root /usr/lbin/telnetd   telnetd -b /etc/issue
  login   stream tcp nowait root /usr/lbin/rlogind   rlogind -l -B /etc/issue
  

• To change "registrar" (found in the /etc/inetd.conf file), logging to the syslog file from every two minutes (the default), to every ten minutes - change the "MonitorRestartInterval" entry found in the /etc/opt/resmon/config file.

  From: MonitorRestartInterval =  2:00
  To:   MonitorRestartInterval = 10:00
  

• You then need to stop and restart EMS by running the following: /etc/opt/resmon/lbin/monconfig

  Select "k" - to "(K)ill (disable) monitoring", then "e" - to "(E)nable Monitoring"

• Edit the /etc/rc.config.d/netdaemons file and add the "-l" to the line:

  export INETD_ARGS="-l"
  

• Run the following command when finished editing the /etc/inetd.conf, making the registrar changes and setting up logging for inetd services: inetd -c

• Change stand, home, tmp, var and crash.

  /dev/vg00/lvol3	/              vxfs defaults         0 1
  /dev/vg00/lvol1	/stand         hfs  defaults,nosuid  0 1
  /dev/vg00/lvol5	/home          vxfs defaults,nosuid  0 2
  /dev/vg00/lvol6	/opt           vxfs defaults         0 2
  /dev/vg00/lvol7	/tmp           vxfs defaults,nosuid  0 2
  /dev/vg00/lvol8	/usr           vxfs defaults         0 2
  /dev/vg00/lvol4	/var           vxfs defaults,nosuid  0 2
  /dev/vg00/lvol9 /var/adm/crash vxfs delaylog,nosuid  0 2
  

• To make this a trusted server:
  • Open "SAM" and navigate to the "Auditing and Security" section.
  • Open "System Security Policies" and choose to make this server a "trusted" server.
  • When done, open the "Password Format Policies..." window and select all four "Password Selection Options:". Also select the "Use Restrictions Rules". Keep the "Maximum Password Length:" at "8".
  • Open the "Password Aging Policies..." window and choose "Enabled" in the "Password Aging:" field. Use all default values.
  • Open the "General User Account Policies..." window and change the "Unsuccessful Login Tries Allowed:" to "5".
  • The default settings are used in the "Terminal Security Policies..." section.

    If you made this a trusted server then decided NOT to have the computer setup as a "trusted" server, do this to un-trust it:

        Run SAM.
        Select "Auditing and Security".
        Select "Audited Events".
        Select "Actions".
        Select "Unconvert the System"
        Select "Yes"
        Exit SAM.
    

• To use the /etc/shadow file:
  • Install the "Shadow Password Enablement Product".
  • Run "pwconv".

• Configure IDS9000.

• Make the wrapper directory: mkdir /usr/lbin/wrapper
• Change it's permissions: chmod 755 /usr/lbin/wrapper
• Copy new files into place:

  cp -p /usr/newconfig/etc/hosts.allow /etc/hosts.allow
  cp -p /usr/newconfig/etc/hosts.deny  /etc/hosts.deny
  cp -p /usr/newconfig/etc/tcpd.conf   /etc/tcpd.conf

  NOTE:
  If the /etc/hosts.allow and hosts.deny files are left empty,
  then any server can access this server using the internet
  connections shown below. See the "man" page for "hosts_options"
  on how to configure these files.

• Modify the /etc/tcpd.conf file.
  • Uncomment the "rfc931_timeout" line. Change the "0" (zero) in the "rfc931_timeout" line to a "5".
  • Uncomment the "on_reverselookup_fail" line.
  • Uncomment the "log_level" line by changing "normal" in the "log_level" line to "extended".

    NOTE:
    See the "man" page for "tcpd" in order to configure the
    tcpd.conf file.

• Move/copy files into place:

  mv /usr/lbin/ftpd     /usr/lbin/wrapper
  mv /usr/lbin/remshd   /usr/lbin/wrapper
  mv /usr/lbin/rexecd   /usr/lbin/wrapper
  mv /usr/lbin/rlogind  /usr/lbin/wrapper
  mv /usr/lbin/telnetd  /usr/lbin/wrapper
  
  cp -p /usr/lbin/tcpd  /usr/lbin/ftpd
  cp -p /usr/lbin/tcpd  /usr/lbin/remshd
  cp -p /usr/lbin/tcpd  /usr/lbin/rexecd
  cp -p /usr/lbin/tcpd  /usr/lbin/rlogind
  cp -p /usr/lbin/tcpd  /usr/lbin/telnetd

• Add the following to the /etc/rc.config.d/nddconf file in order to make network security changes when the server is booted or you restart the network cards (/sbin/init.d/net stop; /sbin/init.d/net start).

  #Don't forward directed broadcasts 
  TRANSPORT_NAME[0]=ip
  NDD_NAME[0]=ip_forward_directed_broadcasts
  NDD_VALUE[0]=0
  
  #Don't forward packets with source route options 
  TRANSPORT_NAME[1]=ip
  NDD_NAME[1]=ip_forward_src_routed
  NDD_VALUE[1]=0
  
  #Disable IP forwarding 
  TRANSPORT_NAME[2]=ip
  NDD_NAME[2]=ip_forwarding
  NDD_VALUE[2]=0
  
  #Disable dead gateway detection (currently no ndd help text; echo-requests interact badly with firewalls) 
  TRANSPORT_NAME[3]=ip
  NDD_NAME[3]=ip_ire_gw_probe
  NDD_VALUE[3]=0
  
  #Don't use echo-request PMTU strategy (can be used for amplification attacks and we don't want to send echo-requests anyway) 
  TRANSPORT_NAME[4]=ip
  NDD_NAME[4]=ip_pmtu_strategy
  NDD_VALUE[4]=1
  
  #Don't send ICMP redirect messages (if we have no need to send redirects) 
  TRANSPORT_NAME[5]=ip
  NDD_NAME[5]=ip_send_redirects
  NDD_VALUE[5]=0
  
  #Don't send ICMP source quench messages (deprecated) 
  TRANSPORT_NAME[6]=ip
  NDD_NAME[6]=ip_send_source_quench
  NDD_VALUE[6]=0
  
  #Increase TCP listen queue maximum (performance) 
  TRANSPORT_NAME[7]=tcp
  NDD_NAME[7]=tcp_conn_request_max
  NDD_VALUE[7]=500
  
  #HP SYN flood defense 
  TRANSPORT_NAME[8]=tcp
  NDD_NAME[8]=tcp_syn_rcvd_max
  NDD_VALUE[8]=500
  
  #Permit 0 in local network part (should be the default) 
  TRANSPORT_NAME[9]=ip
  NDD_NAME[9]=ip_check_subnet_addr
  NDD_VALUE[9]=0
  
  #Don't respond to ICMP address mask request broadcasts 
  TRANSPORT_NAME[01]=ip
  NDD_NAME[01]=ip_respond_to_address_mask_broadcast
  NDD_VALUE[01]=0
  
  #Don't respond to ICMP echo request broadcasts 
  TRANSPORT_NAME[11]=ip
  NDD_NAME[11]=ip_respond_to_echo_broadcast
  NDD_VALUE[11]=0
  
  #Don't respond to ICMP timestamp request broadcasts 
  TRANSPORT_NAME[21]=ip
  NDD_NAME[21]=ip_respond_to_timestamp_broadcast
  NDD_VALUE[21]=0
  
  #Don't respond to ICMP timestamp requests 
  TRANSPORT_NAME[31]=ip
  NDD_NAME[31]=ip_respond_to_timestamp
  NDD_VALUE[31]=0
  
  #Don't send text messages in TCP RST segments (should be the default) 
  TRANSPORT_NAME[41]=ip
  NDD_NAME[41]=tcp_text_in_resets
  NDD_VALUE[41]=0

• If you don't want to do the change above you can copy the "/sbin/init.d/arpclean" file and put it into place.
• Change permissions and ownership:

  chmod 755 /sbin/init.d/arpclean ; chown root:sys /sbin/init.d/arpclean
  

• Create the needed link:
  

  ln -s /sbin/init.d/arpclean /sbin/rc2.d/S330arpclean
  

• Copy the "/usr/local/bin/security_patch_chk" file and put it into place.
• Add the cron entry (see above).
• After installing the security_patch_check depot you will need to make sure you can access perl 5.005 or higher. Install the latest Perl software if needed.
• Run the following command to start security_patch_check. Also note that using the "-r" option will download the "security_catalog" file into your local directory so you want to "cd" to /opt/sec_mgmt/spc/bin before running this beast:

  cd /opt/sec_mgmt/spc/bin
  ./security_patch_check -r
  

• Type "accept" to proceed.
• At this point your cron entry should take care of getting new catalogs and emailing you a report once a week.

  NOTE:
  You can always run /usr/local/bin/security_patch_chk to
  see what's up on your server (it gives you a bit more info
  than simply running /opt/sec_mgmt/spc/bin/security_patch_check -r).
  

• Comment the following in /etc/SnmpAgent.d/snmpd.conf:

  #get-community-name:     public
  #set-community-name:     private
  

• If you want to configure it, it should look something like this:

  max-trap-dest:	        2
  get-community-name:	community name
  set-community-name:	community name
  trap-dest:		IP of EMS monitoring server
  trap-dest:		IP of OVO server
  

• Run the following commands:

  NOTE: You may get "not found" or other errors when running the following commands due to items not being loaded, etc.

  chown bin:bin	/etc/hosts
  chown root:sys	$HOME/.profile
  chown root:sys	/
  chown root:sys	/etc/passwd
  chown root:sys	/etc/group
  chown root:sys	/etc/inittab
  chown root:sys	/var/adm/cron/at.allow
  chown root:sys	/var/adm/cron/cron.allow
  chown -R root:sys	/tcb/files/auth
  chown -R root:sys	/var/spool/cron/crontabs
  
  find /tcb/files/auth -type d -exec chmod 700 {} \;
  find /usr/local	-perm -003 -exec chmod 755 {} \;
  find /usr/local	-perm -002 -exec chmod 644 {} \;
  find /usr/share	-perm -003 -exec chmod 755 {} \;
  find /usr/share	-perm -002 -exec chmod 644 {} \;
  find /sbin     ! \( -group sys  -o -group root -o -group daemon -o -group lp \) -exec chgrp sys  {} \;
  find /usr/bin  ! \( -group sys  -o -group root -o -group daemon -o -group lp \) -exec chgrp sys  {} \;
  find /sbin     ! \( -user  root -o -user  lp   -o -user  uucp \) -exec chown root {} \;
  find /usr/bin  ! \( -user  root -o -user  lp   -o -user  uucp \) -exec chown root {} \;
  find /usr/sbin ! \( -user  root -o -user  lp   -o -user  uucp \) -exec chown root {} \;
  
  chmod u-s,g-s	/opt/audio/bin/Aserver
  chmod u-s,g-s	/opt/sharedprint/bin/pcltotiff
  chmod u-s,g-s	/sbin/shutdown
  chmod u-s,g-s	/usr/bin/kermit
  chmod u-s,g-s	/usr/bin/w
  chmod u-s,g-s	/usr/bin/ppl
  chmod u-s,g-s	/usr/bin/mediainit
  chmod u-s,g-s	/usr/bin/sadp
  chmod u-s,g-s	/usr/bin/dcnodes
  chmod u-s,g-s	/usr/bin/bdf
  chmod u-s,g-s	/usr/bin/df
  chmod u-s,g-s	/usr/bin/elm
  chmod u-s,g-s	/usr/contrib/bin/X11/xconsole
  chmod u-s,g-s	/usr/lbin/expreserve
  chmod u-s,g-s	/usr/lbin/exrecover
  chmod u-s,g-s	/usr/sbin/lanadmin
  chmod u-s,g-s	/usr/sbin/wall
  
  chmod +t	/tmp
  chmod +t	/var/news
  chmod +t	/var/tmp
  chmod +t	/var/dt/tmp
  chmod +t	/var/preserve
  chmod +t	/var/spool/sockets
  chmod +t	/var/spool/sockets/ICE
  chmod +t	/var/spool/sockets/X11
  chmod +t	/var/spool/sockets/common
  chmod +t	/var/X11/Xserver/logs
  chmod +t	/var/adm/diag
  
  chmod o-w	/tmp/snmpd.log
  chmod o-w	/var/X11/Xserver/logs/X0.log
  chmod o-w	/var/X11/Xserver/logs/X1.log
  chmod o-w	/var/X11/Xserver/logs/X2.log
  chmod o-w	/var/adm/automount.log
  chmod o-w	/var/adm/snmpd.log
  chmod o-w	/var/obam/translated
  chmod o-w	/var/opt/dce/svc/error.log
  chmod o-w	/var/opt/dce/svc/fatal.log
  chmod o-w	/var/opt/dce/svc/warning.log
  chmod o-w	/var/opt/dde/dde_error_log
  chmod o-w	/var/opt/hppak_error_log
  chmod o-w	/var/opt/ignite/logs/makrec.log1
  chmod o-w	/var/opt/ignite/recovery/fstab
  chmod o-w	/var/opt/ignite/recovery/group.makrec
  chmod o-w	/var/opt/ignite/recovery/passwd.makrec
  chmod o-w	/var/sam/hpbottom.dion
  chmod o-w	/var/sam/hpbottom.iout
  chmod o-w	/var/sam/hpbottom.iout.old
  chmod o-w	/var/sam/`hostname`.dion
  chmod o-w	/var/sam/`hostname`.iout
  chmod o-w	/var/sam/`hostname`.iout.old
  chmod o-w	/var/sam/lock
  chmod o-w	/var/sam/log/samlog
  chmod o-w	/var/sam/log/sam_tm_work
  chmod o-w	/var/adm/sw
  chmod o-w	/var/adm/sw/save
  chmod o-w	/var/adm/sw/patch
  
  chmod -R go-w	/opt/langtools/newconfig
  chmod -R go-w	/usr/newconfig/var/stm
  chmod -R go-w	/var/spool/sockets/pwgr
  chmod -R go-w	/var/stm
  chmod -R go-w	/usr/share/man
  
  chmod go-w	/SD_CDROM
  chmod go-w	/cdrom
  chmod go-w	/dev/mapfile
  chmod go-w	/opt/ifor/ls/res/i4adminX.pdl
  chmod go-w	/opt/pred/bin/PSERRLOG
  chmod go-w	/opt/pred/var
  chmod go-w	/var/dt/Xerrors
  chmod go-w	/var/dt/Xpid
  chmod go-w	/var/opt/common
  chmod go-w	/var/ppl
  chmod go-w	/var/rbootd
  chmod go-w	/var/spool/lp/SCHEDLOCK
  chmod go-w	/var/spool/sockets/common
  chmod go-w	/var/spool/sockets/pwgr
  
  chmod -R 400	/var/spool/cron/crontabs
  chmod -R 600	/tcb/files/auth
  chmod 755	/
  chmod 755	/etc
  chmod 755	/var/spool/uucppublic
  
  chmod 600	$HOME/.rhosts
  chmod 600	$HOME/.exrc
  chmod 600	$HOME/.profile
  chmod 600	$HOME/.sh_history
  chmod 600	$HOME/.kshrc
  chmod 600	/etc/ftpd/ftpusers
  chmod 600	/etc/inetd.conf
  
  chmod 400	/var/adm/cron/at.allow
  chmod 400	/var/adm/cron/cron.allow
  chmod 444	/etc/hosts
  chmod 444	/etc/resolv.conf
  chmod 444	/var/adm/inetd.sec
  chmod 700	/var/spool/cron/crontabs
  chmod 1777      /var/mail
  

  You may also want to run the following command and make a note of all files returned which will have their suid and/or sgid bit set:

  find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -ld {} \;
  

Reference HP Doc ID: LVMKBRC00005103

• Mirror root disk to a second disk drive while making sure the second drive is bootable.
  • I am going to assume that c2t2d0 is the main bootable drive and c1t2d0 will be our second, mirrored bootable drive we need to build.
• The "-B" option is used to create a bootable Physical Volume: pvcreate -B /dev/rdsk/c1t2d0
• Make sure to use the character device file when using mkboot: mkboot -l /dev/rdsk/c1t2d0
• Make sure disks are not in a quorum.
  • The "-lq" indicates no quorum when two disks are used. When three or more are used you don't need "-lq". You also need to do this with the primary disk. Otherwise, when you boot normally to "pri" and the "alt" disk is not there for whatever reason, you will **NOT** be able to boot. The "pri" disk will "look" for the "alt" disk. No quorum???? To bad so sad, you loose. Ack!

    So do this:

    mkboot -a "hpux -lq (;0)/stand/vmunix" /dev/rdsk/c1t2d0
    

    Don't forget the main boot drive:

    mkboot -a "hpux -lq (;0)/stand/vmunix" /dev/rdsk/c2t2d0
    

• Add Diag to lif:

  32 Bit:
  mkboot -b /usr/sbin/diag/lif/updatediaglif  -p ISL -p AUTO -p HPUX -p PAD -p LABEL /dev/rdsk/c1t2d0
  
  64 Bit:
  mkboot -b /usr/sbin/diag/lif/updatediaglif2 -p ISL -p AUTO -p HPUX -p PAD -p LABEL /dev/rdsk/c1t2d0
  

• Check the contents of the AUTO file:

  lifls /dev/rdsk/c1t2d0 or this command:  lifcp /dev/rdsk/c1t2d0:AUTO -
  

• Add the Physical Volume to the root volume group:

  vgextend /dev/vg00 /dev/dsk/c1t2d0
  

• Do this next command for each "lvol"......

  lvextend -m 1 /dev/vg00/lvol1 /dev/dsk/c1t2d0
  

  ******* or *******

  for x in lvol1 lvol2 lvol3 lvol4 lvol5 lvol6 lvol7 lvol8
    do
      echo "\n******** Doing ${x} ********\n"
      lvextend -m 1 /dev/vg00/${x} /dev/dsk/c1t2d0
  done ; banner All Done
  

  Don't forget any extra swap you added (like /dev/vg00/swap2). Do "swapinfo" and "bdf" to check for swap and any other lvols that may have been created.
• Specify the root logical volume: lvlnboot -r /dev/vg00/lvol3
• Specify the swap logical volume: lvlnboot -s /dev/vg00/lvol2
• Specify the dump logical volume: lvlnboot -d /dev/vg00/lvol2
• Specify the boot logical volume: lvlnboot -b /dev/vg00/lvol1
• Recover any BDRA info: lvlnboot -R
• Verify boot, root, swap and dump settings: lvlnboot -v
• Display the Primary and Alternate boot paths that are currently set: setboot
• Set alternate boot path to the new mirrored disk.
  • Use "ioscan -funC disk" to find out what the path should be:

    setboot -a 0/0/1/1.2.0

• Activate AutoSearch and AutoBoot: setboot -s on -b on
• Run "setboot" again to confirm the change.
• Do "shutdown -r 0" (or "reboot") to test. After halting the boot process, type in "bo alt" to boot from the alternate disk.
  • A good test would be to remove the primary and then boot to the alternate drive. After that test, place the primary back into the server, then remove the alternate to check that booting process as well. The server should boot from either the primary or alternate disk if no quorum was properly set.

• You may wish to do a "make_tape_recovery -v -I -x inc_entire=vg00 -a /dev/rmt/0mn" of your server when completely finished with the overall server installation.

Ok.. so I put this waaay down at the bottom of this web page. I don't expect anyone to actually toss a buck or two my way as a thank you for all the work I've done on this site (Hmmm... feel guilty yet?), but it sure would be nice.