HP-UX Bastille Software manual: AccountSecurity.crontabs_file, AccountSecurity.cronuser

Page 34

Default

N

Description

HP-UX Bastille can restrict root from logging into a tty over the network. This forces administrators to log in first as a non-root user, then su to become root. Root logins are still permitted on the console and through services that do not use ttys, like HP-UX Secure Shell.

Actions

Create or replace the file /etc/securetty with the single entry console.

AccountSecurity.crontabs_file

Headline

Ensure the crontab files are only accessible by root.

Default

Y

Description

Because a variety of administrators, scripts, and users edit crontab files, these files sometimes have incorrect permissions. HP-UX Bastille ensures these files can only be read and changed by the root user. Perform this task to ensure these files can only be read and written to by root, with the crontab command.

Actions

Change ownership and permissions for all crontab files, permitting access only to root.

AccountSecurity.cronuser

Headline

Restrict the use of cron to administrative accounts.

Default

N

Description

The cron function allows you to schedule jobs to run automatically at a certain time, possibly recurring. Administrators can use cron to check the system logs every night at midnight or confirm file integrity every hour. However, executing jobs later or automatically represents a privilege that can be abused and makes actions slightly harder to track.

Actions

Delete the file cron.deny.

Create or replace the file cron.allow with a single entry for user root.

Set permissions to 0400.

Change ownership to root:sys.
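The following POSIX sh script is an added example; it is not HP-UX Bastille code and not part of this manual. It implements the three file actions above (the /etc/securetty entry, the cron.allow/cron.deny change, and the crontab file ownership and permissions) plus a drift check of the kind bastilledrift would report. It assumes the HP-UX locations /var/adm/cron for cron.allow and cron.deny and /var/spool/cron/crontabs for the crontab files, and a 0644 mode for /etc/securetty; the PREFIX argument is there only so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not HP-UX Bastille code. PREFIX (default empty) is prepended to every
# path so the functions can be exercised against a scratch directory; run with it unset
# on a real host. The /var/adm/cron and /var/spool/cron/crontabs paths are assumptions.

# Replace FILE with the single line ENTRY, created under umask 077 and then set to MODE,
# so the file is never readable by other users while it is being written.
write_single_entry() {
    file=$1; entry=$2; mode=$3
    ( umask 077; printf '%s\n' "$entry" > "$file.tmp" ) &&
        chmod "$mode" "$file.tmp" && mv "$file.tmp" "$file"
}

# chown needs root; when run unprivileged, warn instead of aborting and let the audit report the gap.
set_owner() {
    if [ "$(id -u)" -eq 0 ]; then
        chown "$1" "$2" || printf 'warning: chown %s %s failed\n' "$1" "$2" >&2
    else
        printf 'warning: not root, skipped chown %s %s\n' "$1" "$2" >&2
    fi
}

# Root tty restriction: /etc/securetty containing only "console" (0644 is an assumption;
# the file only needs to be readable by the login program).
restrict_root_tty() {
    write_single_entry "${1:-}/etc/securetty" console 0644
}

# AccountSecurity.cronuser: remove cron.deny, write cron.allow with the single entry root,
# mode 0400, owner root:sys.
restrict_cron_users() {
    cron_dir="${1:-}/var/adm/cron"
    rm -f "$cron_dir/cron.deny"
    write_single_entry "$cron_dir/cron.allow" root 0400
    set_owner root:sys "$cron_dir/cron.allow"
}

# AccountSecurity.crontabs_file, check side: report every crontab file in DIR that is not
# owned by OWNER (default root) or grants any group/other access. Parses ls -ld because
# HP-UX has no stat(1). Returns 1 if any file drifts.
audit_crontab_perms() {
    dir=$1; owner=${2:-root}; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        line=$(ls -ld "$f")
        perm=$(printf '%s\n' "$line" | cut -c2-10)
        fowner=$(printf '%s\n' "$line" | awk '{ print $3 }')
        case "$perm" in
            rw-------|r--------) perm_ok=1 ;;
            *) perm_ok=0 ;;
        esac
        if [ "$perm_ok" -eq 0 ] || [ "$fowner" != "$owner" ]; then
            printf 'drift: %s owner=%s mode=%s\n' "$f" "$fowner" "$perm" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# AccountSecurity.crontabs_file, fix side: owner root, mode 0600 (read/write by root only).
fix_crontab_perms() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        chmod 0600 "$f"
        set_owner root "$f"
    done
}

# On a live HP-UX host, as root:
#   restrict_root_tty; restrict_cron_users
#   fix_crontab_perms /var/spool/cron/crontabs
#   audit_crontab_perms /var/spool/cron/crontabs || echo "crontab permissions have drifted"
```

The audit accepts only rw------- or r-------- for crontab files, so a crontab that the crontab command later recreates with group or other bits set is reported even when its owner is still root.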

AccountSecurity.gui_login

Headline

Disable the local graphical login.

Default

Y

Description

Most servers do not have a graphics console directly attached, and do not run a graphics login. Disabling this feature reduces targets for hackers and saves system resources on systems that do not have a graphics console.

Actions

In the /etc/rc.config.d/xfs file, set RUN_X_FONT_SERVER=0.

In the /etc/rc.config.d/audio file, set AUDIO_SERVER=0.

In the /etc/rc.config.d/slsd file, set SLSD_DAEMON=0.

In the /etc/rc.config.d/desktop file, set DESKTOP=0.

Terminate the following daemon processes if running: xfs, Aserver, SLSd, dtlogin, dtrc.
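The following POSIX sh script is an added example, not HP-UX Bastille code and not part of this manual. It applies the four rc.config.d settings listed above idempotently (an existing VAR= line is rewritten, otherwise one is appended, and the file keeps its inode, mode and owner) and reports which of the named daemons are still running. It assumes the rc.config.d file names and variables exactly as given in the actions; creating a missing rc.config.d file is an assumption for scratch-directory use, and the PREFIX argument exists only for that purpose.

```shell
#!/bin/sh
# Added example, not HP-UX Bastille code. PREFIX (default empty) is prepended to
# /etc/rc.config.d so the functions can be tried against a scratch directory. Creating a
# missing rc.config.d file is an assumption; on a real host the files already exist.

# Set VAR=VALUE in FILE: rewrite an existing VAR= line in place, otherwise append one.
# The result is copied back through cat so the file keeps its inode, mode and owner;
# sed -i is avoided because HP-UX sed does not support it.
set_rc_var() {
    file=$1; var=$2; value=$3
    [ -f "$file" ] || : > "$file"
    awk -v v="$var" -v val="$value" '
        BEGIN { done = 0 }
        index($0, v "=") == 1 { print v "=" val; done = 1; next }
        { print }
        END { if (!done) print v "=" val }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Read VAR back from FILE (last assignment wins, as the rc script sourcing it would see it).
get_rc_var() {
    awk -F= -v v="$2" '$1 == v { val = $2 } END { print val }' "$1"
}

# AccountSecurity.gui_login: the four rc.config.d settings from the manual.
disable_gui_login() {
    rc="${1:-}/etc/rc.config.d"
    set_rc_var "$rc/xfs"     RUN_X_FONT_SERVER 0
    set_rc_var "$rc/audio"   AUDIO_SERVER 0
    set_rc_var "$rc/slsd"    SLSD_DAEMON 0
    set_rc_var "$rc/desktop" DESKTOP 0
}

# Report which of the daemons the manual names are still running, so the administrator
# can stop them now that the settings above keep them from starting at the next boot.
# ps -e prints the command name in its last column on HP-UX and Linux alike.
list_running_gui_daemons() {
    for daemon in xfs Aserver SLSd dtlogin dtrc; do
        if ps -e | awk '{ print $NF }' | grep -qx "$daemon"; then
            printf '%s\n' "$daemon"
        fi
    done
}

# On a live HP-UX host, as root:
#   disable_gui_login
#   list_running_gui_daemons
```

Because set_rc_var matches only lines that begin with the variable name, a commented-out assignment such as "#DESKTOP=1" is left alone and a fresh DESKTOP=0 line is appended, which is what the rc script will read.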

AccountSecurity.hidepasswords

Headline

Hide the encrypted passwords on this system.

Default

N

34 Question modules
