HP-UX Bastille Software manual: Question modules

Page 33

C Question modules

AccountSecurity.ABORT_LOGIN_ON_MISSING_HOMEDIR

Headline

Do not allow logins unless the home directory exists.

Default

N

Description

The ABORT_LOGIN_ON_MISSING_HOMEDIR parameter controls login behavior if a user's home directory does not exist.

Actions

Set ABORT_LOGIN_ON_MISSING_HOMEDIR=1 in /etc/security.

AccountSecurity.atuser

Headline

Restrict the use of at to administrative accounts.

Default

N

Description

The at command allows users to submit jobs for the system to run at a particular time. Administrators can use at to defer jobs to run when the system is otherwise unused. However, executing jobs later or automatically represents a privilege that can be abused and makes actions slightly harder to track. Many sites choose to restrict the at command to administrative accounts. HP suggests withholding permission from new administrators until they understand how it can be abused and which users need access. Create the /etc/at.allow file listing the users who have permission. This file can be edited later. If this file is not created, all users have permission to use the at command.

Actions

Delete the file at.deny
Create or replace the file at.allow with a single entry for user root
Set permissions to 0400
Change ownership to root:sys
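The four Actions above, carried out and verified by a POSIX sh script. This is an added example, not code from HP-UX Bastille or the guide; the directory holding at.allow and at.deny is passed as an argument so the script can be exercised on a scratch directory, and the ownership step is skipped with a warning when the script is not run as root.

```shell
#!/bin/sh
# Added example (not from the HP-UX Bastille guide): apply the Actions for
# AccountSecurity.atuser to the at.allow/at.deny pair in the directory given
# as $1, then verify the result. The guide names /etc/at.allow for the real
# file; passing a scratch directory lets the script be tested safely.

restrict_at_to_root() {
    dir=$1
    # 1. Delete at.deny: with at.deny gone and at.allow present, only the
    #    users listed in at.allow may use at.
    rm -f "$dir/at.deny"
    # 2. Create or replace at.allow with a single entry for root. Remove any
    #    existing copy first so a 0400 file from an earlier run can be replaced.
    rm -f "$dir/at.allow"
    printf 'root\n' > "$dir/at.allow"
    # 3. Set permissions to 0400.
    chmod 0400 "$dir/at.allow"
    # 4. Change ownership to root:sys (requires privilege; warn if not possible).
    if [ "$(id -u)" = 0 ]; then
        chown root:sys "$dir/at.allow" 2>/dev/null ||
            echo "warning: could not set owner root:sys on $dir/at.allow" >&2
    else
        echo "warning: not root, ownership of $dir/at.allow left unchanged" >&2
    fi
}

# Octal permission bits of a file, derived from ls -l so it works on any
# POSIX system (stat options differ between platforms).
file_mode() {
    ls -ld "$1" | awk '{
        p = substr($1, 2, 9); m = 0
        for (i = 1; i <= 9; i++) if (substr(p, i, 1) != "-") m += 2 ^ (9 - i)
        printf "%o\n", m
    }'
}

# Return 0 only if at.deny is absent, at.allow holds exactly "root",
# and at.allow is mode 0400.
verify_at_restricted() {
    dir=$1
    [ ! -e "$dir/at.deny" ] || return 1
    [ -f "$dir/at.allow" ] || return 1
    [ "$(cat "$dir/at.allow")" = root ] || return 1
    [ "$(file_mode "$dir/at.allow")" = 400 ] || return 1
    return 0
}

# Demonstration on a constructed scratch directory (never touches /etc).
SCRATCH=$(mktemp -d)
printf 'alice\n' > "$SCRATCH/at.deny"       # constructed pre-existing state
restrict_at_to_root "$SCRATCH"
verify_at_restricted "$SCRATCH" && echo "at restricted to root in $SCRATCH"
rm -rf "$SCRATCH"
```

On a live system the call is `restrict_at_to_root /etc` as root; `verify_at_restricted /etc` can then be run periodically as a drift check, which is the same idea the guide applies with bastilledrift.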

AccountSecurity.AUTH_MAXTRIES

Headline

Lock account after too many consecutive authentication failures.

Default

N

Description

The AUTH_MAXTRIES parameter controls whether an account is locked after too many consecutive authentication failures. It does not apply to trusted systems. This parameter is supported for users in all name server switch repositories, such as local, NIS, and LDAP.

Actions

Set AUTH_MAXTRIES=1 in /etc/security.
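Both ABORT_LOGIN_ON_MISSING_HOMEDIR and AUTH_MAXTRIES are applied the same way, by setting a NAME=VALUE line in /etc/security. The POSIX sh script below is an added example, not code from HP-UX Bastille or the guide: it sets such a parameter idempotently (rewriting an existing line rather than appending a duplicate), reads the effective value back, and checks that both parameters are at the values the two Actions above prescribe. The file path is a parameter so the functions can be run against a scratch copy.

```shell
#!/bin/sh
# Added example (not from the HP-UX Bastille guide): manage NAME=VALUE
# parameters in a security(4)-style file such as /etc/security. The file
# path is always passed explicitly; on a real system it is /etc/security.

# Set NAME to VALUE in FILE. An existing NAME= line is rewritten in place so
# repeated runs never produce duplicate entries; otherwise the line is appended.
set_security_param() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        tmp="${file}.tmp.$$"
        sed "s|^${name}=.*|${name}=${value}|" "$file" > "$tmp" &&
            cat "$tmp" > "$file"      # cat keeps the original file's mode/owner
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
}

# Print the effective value of NAME in FILE (last occurrence wins);
# print nothing if NAME is not set. Comment lines do not match.
get_security_param() {
    file=$1; name=$2
    awk -F= -v n="$name" '$1 == n { v = $2 } END { if (v != "") print v }' "$file"
}

# Return 0 only if both login-hardening parameters from the questions
# ABORT_LOGIN_ON_MISSING_HOMEDIR and AUTH_MAXTRIES are set to 1.
check_login_hardening() {
    file=$1
    [ "$(get_security_param "$file" ABORT_LOGIN_ON_MISSING_HOMEDIR)" = 1 ] || return 1
    [ "$(get_security_param "$file" AUTH_MAXTRIES)" = 1 ] || return 1
    return 0
}

# Demonstration on a constructed scratch file (never touches /etc/security).
SCRATCH=$(mktemp)
printf '# constructed sample of /etc/security\nMIN_PASSWORD_LENGTH=8\nAUTH_MAXTRIES=5\n' > "$SCRATCH"
set_security_param "$SCRATCH" ABORT_LOGIN_ON_MISSING_HOMEDIR 1
set_security_param "$SCRATCH" AUTH_MAXTRIES 1
check_login_hardening "$SCRATCH" && { echo "login hardening in place:"; cat "$SCRATCH"; }
rm -f "$SCRATCH"
```

Using `cat "$tmp" > "$file"` instead of `mv` is deliberate: it writes through the existing inode, so the mode and ownership of /etc/security are preserved.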

AccountSecurity.block_system_accounts

Headline

Disable login access to the system accounts.

Default

N

Description

System accounts, for example bin, sys, and uucp, are provisioned on a new system. These accounts (except for root) exist to own files, processes, or system resources but are not generally logged into. Because these accounts have broad access to the system, HP recommends disabling them. This item disables the default system accounts.

Actions

Lock the account and change the user shell to /bin/false for the following users: www sys smbnull iwww owww sshd hpsmh named uucp nuucp adm daemon bin lp nobody noaccess hpdb useradm.
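A check for the shell half of this action, as an added POSIX sh example that is not code from HP-UX Bastille or the guide: it scans a passwd(4)-format file for the accounts listed above and reports any that still have a login shell other than /bin/false. The file path is a parameter so the check can run on a constructed sample; on a live system pass /etc/passwd. Whether each account's password is locked is a separate check not covered here.

```shell
#!/bin/sh
# Added example (not from the HP-UX Bastille guide): audit a passwd-format
# file for system accounts that still have a usable login shell.

# The account list from the question's Actions.
SYSTEM_ACCOUNTS="www sys smbnull iwww owww sshd hpsmh named uucp nuucp adm daemon bin lp nobody noaccess hpdb useradm"

# Print, one per line, the listed accounts present in FILE whose login shell
# is not /bin/false. Return 0 if none are found, 1 otherwise.
accounts_with_login_shell() {
    file=$1
    hits=$(awk -F: -v list="$SYSTEM_ACCOUNTS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        # field 1 is the user name, field 7 the login shell
        ($1 in want) && $7 != "/bin/false" { print $1 }
    ' "$file")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Demonstration on a constructed passwd sample (never reads /etc/passwd).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:3::/:/sbin/sh
daemon:*:1:5::/:/bin/false
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:/bin/false
adm:*:4:4::/var/adm:/sbin/sh
alice:x:1001:20::/home/alice:/usr/bin/ksh
EOF
if accounts_with_login_shell "$SAMPLE"; then
    echo "all listed system accounts have /bin/false as shell"
else
    echo "the accounts above still have a login shell" >&2
fi
rm -f "$SAMPLE"
```

Accounts not listed in the question (root and ordinary users such as alice in the sample) are deliberately ignored, so the check reports only drift from this item's Actions.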

AccountSecurity.create_securetty

Headline

Disallow root logins from network TTYs.
