HPUX kernel compile???

Subject Author Date
HPUX kernel compile??? Neil Jones 07-23-2006
Posted by Walter Roberson on July 23, 2006, 6:52 pm

>I have been assigned to perform a security review for a HPUX system
>which is in production. One thing I have noticed is that the system has
>a C compiler on the system. Since this is not a development system I
>suggested that it be removed. The sysadmin mentioned that it is
>required to perform kernel compilation, which caught me by surprise.

I haven't used HPUX, but the situation is similar on SGI IRIX:
a stripped-down compiler is squirreled away for kernel building.


Answering the poster who asked how often they expect to rebuild
the kernel: the answer to that on SGI IRIX is "Every time a kernel
patch is released, or a kernel driver package is installed or uninstalled,
or a change is made to one of the kernel device driver tables (e.g.,
forcing a particular speed on a scsi bus), or a change is made to
one of the fundamental system tunables that affect kernel table
memory allocation."

In SGI IRIX, the compiler -could- be removed, but you'd have to put it
back before installing most any of the security upgrades. SGI IRIX
is not open source, but the fundamental parts of it are provided as
object files that are linked together to form the kernel. There are
also important configuration tables in SGI IRIX; see below:



Extracting from SGI IRIX /var/sysgen/master/* :


* Any object which is to be included in a kernel by the self
* configuration boot program must have a corresponding master file which
* contains configuration specifications. The master file name is the
* basename of the object it describes.
*

* There are three sections in a master file: a tabulated ordering of
* flags, phrases and values interpreted by the configuration program and
* used to build device tables and the like, a list of stub routines, and
* a section of (mostly) C code. The first non-blank, non-comment line
* is interpreted for flags, phrases and values. Any other (non-comment)
* lines, up to a line that begins with a dollar sign ('$'), specify stubs.
* All phrases uttered after the line beginning with a dollar sign is
* processed to interpret special characters, then compiled (by the C
* compiler) into the kernel.
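
The three-section layout described in the master file excerpt above, as an added example that is not part of the original post or of SGI's code: it splits a master file into its flags line, stub list and C section, and fingerprints the C section, since that is the text handed to the compiler at kernel build time and the part a reviewer would baseline. It assumes comment lines start with '*', as the quoted lines do; the sample file and its field values are constructed.

```python
import hashlib

# Constructed sample, not a real IRIX master file; field values are illustrative.
SAMPLE = """\
*
* exdrv - constructed sample
*
*FLAG PREFIX SOFT #DEV DEPENDENCIES
c     ex     60   -

exopen() {nodev}
exclose() {nodev}
$
#define EX_MAXUNITS 4
int ex_units = EX_MAXUNITS;
"""

def parse_master(text):
    """Split master-file text into (config_line, stubs, c_code)."""
    config_line, stubs, c_lines, in_code = None, [], [], False
    for line in text.splitlines():
        if in_code:
            c_lines.append(line)        # after '$': compiled into the kernel
        elif line.startswith("$"):
            in_code = True              # '$' line ends the stub section
        elif not line.strip() or line.lstrip().startswith("*"):
            continue                    # blank or comment (assumed '*' prefix)
        elif config_line is None:
            config_line = line.strip()  # first real line: flags and values
        else:
            stubs.append(line.strip())  # remaining lines before '$': stubs
    return config_line, stubs, "\n".join(c_lines).strip()

def audit(files):
    """Map name -> SHA-256 of the compiled section, for files that have one."""
    report = {}
    for name, text in sorted(files.items()):
        code = parse_master(text)[2]
        if code:
            report[name] = hashlib.sha256(code.encode()).hexdigest()
    return report

if __name__ == "__main__":
    for name, digest in audit({"exdrv": SAMPLE}).items():
        print(name, digest)
```

Comparing the digests from one review to the next shows whether any C text compiled into the kernel has changed outside a vendor patch.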

Posted by Casper H.S. Dik on July 24, 2006, 4:43 am

>I have been assigned to perform a security review for a HPUX system
>which is in production. One thing I have noticed is that the system has
>a C compiler on the system. Since this is not a development system I
>suggested that it be removed. The sysadmin mentioned that it is
>required to perform kernel compilation, which caught me by surprise. I
>come from the Linux camp. (I do love all flavors of Unix). My
>understanding is that HPUX is a closed source operating system. Has HP
>opened its source code to open source (like Solaris)? If not, then
>what type of kernel code is being compiled by the C compiler? The
>sysadmin mentioned that it is a stripped down compiler.


Traditional Unix systems were configured by defining the size of
certain tables in C code and then compiling and linking them.

Only a small part of the actual code was shipped with the OS; the
rest was shipped in binary form.

Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

Posted by Volker Birk on July 24, 2006, 11:45 am
> I have been assigned to perform a security review for a HPUX system
> which is in production. One thing I have noticed is that the system has
> a C compiler on the system. Since this is not a development system I
> suggested that it be removed.

Why?

> The sysadmin mentioned that it is
> required to perform kernel compilation, which caught me by surprise. I
> come from the Linux camp. (I do love all flavors of Unix). My
> understanding is that HPUX is a closed source operating system. Has HP
> opened its source code to open source (like Solaris)?

No. But kernel compiling is still used.

> If not, then
> what type of kernel code is being compiled by the C compiler?

Modules.

> The
> sysadmin mentioned that it is a stripped down compiler.

Usually, it's just an ANSI compiler.

Yours,
VB.
--
I would estimate that about 87% of all spontaneous estimates are
completely worthless.

        Ralph Angenendt in debate@ccc.de

Posted by Timothy J. Lee on August 22, 2006, 4:58 pm
>If not, then
>what type of kernel code is being compiled by the C compiler? The
>sysadmin mentioned that it is a stripped down compiler.

If it is like the older HP-UX computers that I once dealt with, the
cc compiler was used to compile a configuration file which was then
linked to the rest of the kernel objects / libraries to make a new
kernel. The configuration file had tunable parameters and such in it.

The cc compiler itself only handled old style K&R 1 C, not stuff like
function prototypes. It was capable of compiling gcc from source.

--
------------------------------------------------------------------------
Timothy J. Lee
Unsolicited bulk or commercial email is not welcome.
No warranty of any kind is provided with this message.

Posted by OldSchool on August 23, 2006, 10:35 am
FWIW: HP offers a rootkit protection package, as well as other security
items, free of charge for 11iv1 and v2 as part of the "Internet
Express" package.

see hp.software.com

