HP UX Bastille Software manual Configuring HP-UX Bastille for use with Serviceguard


B Configuring HP-UX Bastille for use with Serviceguard

B.1 Configuring Sec20MngDMZ or Sec30DMZ security levels

Serviceguard uses dynamic ports, so the port range that Serviceguard might use must be opened for it to operate. Opening that port range is not consistent with the security goals of Sec20MngDMZ (MANDMZ.config) and Sec30DMZ (DMZ.config), because multiple services (including applications similar to rcp) might also listen on this same port range. At these security levels, the firewall provides security benefits consistent with the Serviceguard security deployment model.

For more information about HP-UX Bastille compatibility with Serviceguard, see the Serviceguard documentation available at:

http://docs.hp.com/en/netsys.html

Before you open the Serviceguard port range, review the required IPFilter-SG rules. IPFilter documentation is available at:

http://docs.hp.com/en/internet.html

When the Serviceguard security patch of 2004 is installed, Serviceguard requires identd. To enable identd:

1. Edit the HP-UX Bastille /etc/opt/sec_mgmt/bastille/config configuration file by changing the answer to the question:

Should Bastille ensure inetd's ident service does not run on this system?

Change the answer from Y to N:

SecureInetd.deactivate_ident=N

2. Apply the configuration file changes.

If you have not made any configuration changes to the system since the last time HP-UX Bastille was used, use HP-UX Bastille to apply the changes.

a. Revert to the previous HP-UX Bastille configuration:

# bastille -r

b. Apply the new HP-UX Bastille configuration:

# bastille -b

If you have applied configuration changes to the system since the last time HP-UX Bastille was used, apply the changes manually.

a. Remove the # from the following line in the /etc/inetd.conf file:

#auth stream tcp6 wait bin /usr/lbin/identd identd

b. Force inetd to re-read its configuration:

# inetd -c

B.2 Configuring Sec10Host level

If HP-UX Bastille is started using Sec10Host host.config level security, change the following line:

SecureInetd.deactivate_ident=Y

Change the Y to N:

SecureInetd.deactivate_ident=N

If you are using the Serviceguard SNMP subagent, set:

MiscellaneousDaemons.snmpd=N
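The checks in B.1 and B.2 can be verified before Bastille is re-applied. The following is an added example script (not part of the HP-UX Bastille manual or product) that tests whether the Bastille answer file and inetd.conf agree on identd and whether the snmpd answer is kept for the Serviceguard SNMP subagent; the function names, the sample files it constructs and the exit codes are this example's own conventions.

```shell
# Added example, not from the HP-UX Bastille manual. File paths are arguments so
# the demo runs on constructed samples; on a real host pass
# /etc/opt/sec_mgmt/bastille/config and /etc/inetd.conf.

# 0 if the Bastille answer file keeps ident running (SecureInetd.deactivate_ident=N).
bastille_ident_enabled() {
    grep -q '^SecureInetd\.deactivate_ident=N[[:space:]]*$' "$1"
}

# 0 if the inetd.conf "auth" (identd) line is live, i.e. not commented out with #.
inetd_ident_active() {
    grep -q '^auth[[:space:]].*identd' "$1"
}

# 0 if MiscellaneousDaemons.snmpd=N, needed when the Serviceguard SNMP subagent is used.
bastille_snmpd_kept() {
    grep -q '^MiscellaneousDaemons\.snmpd=N[[:space:]]*$' "$1"
}

# Verdict for the identd requirement. Exit status (this example's convention):
#   0 consistent and enabled
#   1 Bastille config still deactivates ident (fix the answer, then bastille -r / bastille -b)
#   2 Bastille answer is right but the inetd.conf line is still commented (uncomment, inetd -c)
check_ident_for_serviceguard() {
    cfg=$1 inetd=$2
    if ! bastille_ident_enabled "$cfg"; then
        echo "set SecureInetd.deactivate_ident=N in $cfg, then re-apply Bastille"
        return 1
    fi
    if ! inetd_ident_active "$inetd"; then
        echo "uncomment the auth line in $inetd and run 'inetd -c'"
        return 2
    fi
    echo "identd configuration is consistent for Serviceguard"
    return 0
}

# --- constructed sample files (stand-ins for the real config and inetd.conf) ---
tmp=${TMPDIR:-/tmp}/bastille-sg-demo.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
printf 'SecureInetd.deactivate_ident=Y\n' > "$tmp/config.default"   # stock Sec10Host answer
printf 'SecureInetd.deactivate_ident=N\nMiscellaneousDaemons.snmpd=N\n' > "$tmp/config.sg"
printf '#auth stream tcp6 wait bin /usr/lbin/identd identd\n' > "$tmp/inetd.commented"
printf 'auth stream tcp6 wait bin /usr/lbin/identd identd\n' > "$tmp/inetd.active"

check_ident_for_serviceguard "$tmp/config.sg" "$tmp/inetd.active"
```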
