HP-UX Bastille Software manual, page 29 (Table A-3 Additional Sec20MngDMZ security settings)

(Footnotes continued from the preceding table)

(1) Manual action may be required to complete configuration. For more information, see /etc/opt/sec_mgmt/bastille/TODO.txt after update or installation.

(2) The following ndd changes are made:

    ip_forward_directed_broadcasts=0
    ip_forward_src_routed=0
    ip_forwarding=0
    ip_ire_gw_probe=0
    ip_pmtu_strategy=1
    ip_send_source_quench=0
    tcp_conn_request_max=4096
    tcp_syn_rcvd_max=1000

(3) Settings applied only if software is installed.
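Added example (not from the HP-UX Bastille manual or from Bastille itself): a POSIX shell drift check that reads each ndd(1M) parameter listed above and reports any that no longer hold the hardened value. It assumes ip_* parameters are read from /dev/ip and tcp_* from /dev/tcp; NDD_FAKE_OUTPUT and the sample it holds are constructed so the check can run off an HP-UX host.

```shell
#!/bin/sh
# Added example: drift check for the ndd(1M) values the Sec20MngDMZ level sets.
# Assumption: ip_* parameters live on /dev/ip and tcp_* on /dev/tcp (HP-UX convention).
EXPECTED_NDD="ip_forward_directed_broadcasts=0 ip_forward_src_routed=0 ip_forwarding=0
ip_ire_gw_probe=0 ip_pmtu_strategy=1 ip_send_source_quench=0
tcp_conn_request_max=4096 tcp_syn_rcvd_max=1000"

ndd_device() {
    case "$1" in
        tcp_*) echo /dev/tcp ;;
        *)     echo /dev/ip ;;
    esac
}

# Current value of one parameter: ndd on HP-UX, or, when NDD_FAKE_OUTPUT holds
# "param=value" tokens (constructed sample for offline runs), a lookup in that text.
current_value() {
    if [ -n "$NDD_FAKE_OUTPUT" ]; then
        printf '%s\n' "$NDD_FAKE_OUTPUT" | tr ' ' '\n' | awk -F= -v k="$1" '$1 == k { print $2; exit }'
    else
        ndd -get "$(ndd_device "$1")" "$1" 2>/dev/null
    fi
}

# Prints "param current expected" for each parameter that deviates or is unreadable;
# returns 1 if any drift was found, 0 otherwise.
check_ndd_drift() {
    drift=0
    for kv in $EXPECTED_NDD; do
        param=${kv%%=*}
        expected=${kv#*=}
        current=$(current_value "$param") || current=""
        [ -n "$current" ] || current='(unset)'
        if [ "$current" != "$expected" ]; then
            echo "$param $current $expected"
            drift=1
        fi
    done
    return $drift
}

# Stand-alone run: off HP-UX, fall back to a constructed sample with one drifted value.
if [ -z "$NDD_FAKE_OUTPUT" ] && ! command -v ndd >/dev/null 2>&1; then
    NDD_FAKE_OUTPUT="ip_forward_directed_broadcasts=0 ip_forward_src_routed=1 ip_forwarding=0
ip_ire_gw_probe=0 ip_pmtu_strategy=1 ip_send_source_quench=0
tcp_conn_request_max=4096 tcp_syn_rcvd_max=1000"
fi
check_ndd_drift && echo "all ndd settings match the Sec20MngDMZ values"
```

A parameter that ndd cannot read is reported as "(unset)" rather than silently passing, which is the case to watch after a kernel or patch update.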

Table A-3 Additional Sec20MngDMZ security settings (1)

Category: inetd services
Action:
    Includes all disabled inetd services in Table A-2
    Disable ftp
    Disable telnet

Category: IPFilter configuration (2)
Action:
    Restrict syslog daemon to local connections
    Block incoming DNS query connections
    Block incoming HIDS administration connections (3, 4)
    Configure IPFilter to allow outbound traffic
    Configure IPFilter to block incoming traffic with IP options set
    Configure IPFilter to block all other traffic except for HP-UX Secure Shell, HIDS agent, WBEM, web admin, web admin autostart (5), and ICMP echo

(1) Applies all security configuration settings in Table A-2.

(2) Additional IPFilter rules may be applied with a custom rules file located at /etc/opt/sec_mgmt/bastille/ipf.customrules.

(3) HP-UX Host IDS is a selectable software bundle and only available for commercial servers.

(4) Settings applied only if software is installed.

(5) Manual action may be required to complete configuration. For more information, see /var/opt/sec_mgmt/bastille/TODO.txt after installation or update.

Table A-4 Additional Sec30DMZ security settings (1)

Category: IPFilter configuration (2)
Action:
    Includes all IPFilter settings in Table A-3
    Block incoming HIDS agent connections (3, 4)
    Block incoming WBEM connections (5)
    Block incoming web admin connections
    Block incoming web admin autostart connections
    Block all traffic except HP-UX Secure Shell
    Block ICMP echo

(1) Applies all security configuration settings in Table A-2 and Table A-3.

(2) Additional IPFilter rules may be applied with a custom rules file located at /etc/opt/sec_mgmt/bastille/ipf.customrules.

(3) Settings applied only if software is installed.

(4) HP-UX Host IDS is a selectable software bundle and only available for commercial servers.

(5) WBEM is required for several HP management applications including HP Systems Insight Manager (SIM) and ParMgr.
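Added illustration (not Bastille's generated ruleset and not a sample ipf.customrules file): an IPFilter rules fragment expressing the Sec30DMZ inbound policy of Table A-4 together with the Table A-3 rules it builds on. It assumes HP-UX Secure Shell listens on TCP port 22; with `quick`, the first matching rule is final, so the order of the lines is the policy.

```conf
# Illustrative IPFilter rules for the Sec30DMZ policy (added example, not Bastille output).
# Assumption: HP-UX Secure Shell on TCP port 22.

# Table A-3: allow outbound traffic, keeping state so replies to the host's own connections return.
pass out quick from any to any keep state

# Table A-3: block incoming traffic with IP options set.
block in quick from any to any with ipopts

# Table A-4: block ICMP echo (the host no longer answers ping).
block in quick proto icmp from any to any icmp-type echo

# Table A-4: HP-UX Secure Shell is the only service left reachable.
pass in quick proto tcp from any to any port = 22 flags S keep state

# Table A-4: block all other traffic. The Sec20MngDMZ level would place pass rules for
# HIDS agent, WBEM, web admin and web admin autostart ahead of this line; Sec30DMZ has none.
block in quick from any to any
```

Because the final rule drops everything else, any management path that is not Secure Shell (WBEM for SIM and ParMgr, per footnote 5) is cut off at this level, which is what the table states and what a change-control review should expect.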

A.1 Choosing security levels
