HP UX Bastille Software manual AccountSecurity.passwordpolicies, AccountSecurity.restricthome

Page 37

Description	This parameter controls the default number of days before password expiration
	that a user is warned that the password must be changed. For systems running
	HP-UX 11.11 and HP-UX 11.0, setting this value requires conversion to trusted
	mode. For HP-UX 11.22 and later, shadowed password conversion is required.
	This parameter applies only to local non-root users.
Actions	Sets the parameter PASSWORD_WARNDAYS in the /etc/default/security
	file.

AccountSecurity.passwordpolicies

Headline	Set up password policies.
Default	N
Description	Set up password policies.
Actions	None.

AccountSecurity.restrict_home

Headline	Restrict the home directory permissions.
Default	N
Description	Home directories should not be world-writable or world-readable. This item
	removes world-visibility and group-write from the local account directories,
	similar to executing chmod o-rwx,g-w <dir>.
Actions	Remove world visibility and group write from the local account home
	directories, similar to executing chmod o-rwx,g-w <home dir>.

AccountSecurity.root_path

Headline	Remove the dot from the root path.
Default	N
Description	A dot in the root path instructs the shell to look in the current directory for
	an executable. This can cause a local command to either override a common
	administrative command, or cause an incorrectly typed command to execute
	a local command. This allows malicious users to plant rogue commands that
	could potentially run malicious software as root. This item removes the current
	working directory, "dot" from the root path startup scripts.
Actions	Remove the current working directory "." or any group/world-writable
	directory from the root $PATH.

AccountSecurity.serial_port_login

Headline	Disable all serial ports except the console.
Default	Y
Description	The ability to login on a serial port except the console is a rare need.
	Historically, these were used for terminal devices or modems, but it is unlikely
	that a site would need this capability. This item turns off the process that
	listens to the tty devices.
Actions	Comment out serial port tty entries in the /etc/inittab file and invoke
	init to reread the file.

AccountSecurity.single_user_password

Headline	Password protect single-user mode.
Default	N
Description	Password protecting single-user mode provides limited protection against
	anyone who has physical access to the machine, because they cannot reboot
	and have root access without typing the password. However, if an attacker

37

Image 37

Contents HP-UX Bastille Version B.3.3 User Guide Trademark Acknowledgments Table of Contents Index HP-UX Bastille user interface Standard assessment report List of FiguresQuestion modules Security levels List of TablesAbout this product Features and benefitsPerformance CompatibilitySupport Installation requirements Installing HP-UX BastilleInstallation Page Creating a security configuration profile Using HP-UX Bastille1shows the main screen of the HP-UX Bastille user interface If the Path environment variable has not been updated, useAssessing a system Configuring a systemAccepted standard configurations are detected Using scored reportsConfiguration for the corresponding question is not Is not always detected. HP-UX Bastille might not detect allScored assessment report # bastille -r RevertingLocating files Monitoring driftFor more information, see bastilledrift1M Var/opt/secmgmt/bastille/log/Assessment/Drift.txt Check for a TOREVERT.txt file Removing HP-UX BastilleIf the file exists, complete the actions listed Page Diagnostic tips TroubleshootingKnown issues and workarounds General use tipsErrors related to individual configuration files Problems opening, copying, or reading filesHP-UX Bastille configures a firewall using IPFilter Cannot use X because $DISPLAY is not setContacting HP Support and other resourcesRelated information Typographic conventions To complete a task Or damage to hardware or softwareSupplement important points of the main text Page Choosing security levels Install-Time Security ITS using HP-UX BastilleEnable kernel-based stack execute protection Table A-3 Additional Sec20MngDMZ security settings1 Choosing security dependencies Selecting security levels during installationConfiguring Sec20MngDMZ or Sec30DMZ security levels Configuring HP-UX Bastille for use with ServiceguardConfiguring Sec10Host level Page Question modules AccountSecurity.hidepasswords AccountSecurity.guiloginAccountSecurity.crontabsfile AccountSecurity.cronuserAccountSecurity.NOLOGIN AccountSecurity.MINPASSWORDLENGTHAccountSecurity.NUMBEROFLOGINSALLOWED AccountSecurity.lockaccountnopasswdAccountSecurity.PASSWORDHISTORYDEPTH AccountSecurity.NUMBEROFLOGINSALLOWEDynAccountSecurity.PASSWORDHISTORYDEPTHyn AccountSecurity.PASSWORDMAXDAYSAccountSecurity.serialportlogin AccountSecurity.passwordpoliciesAccountSecurity.singleuserpassword AccountSecurity.restricthomeAccountSecurity.SUDEFAULTPATHyn AccountSecurity.SUDEFAULTPATHAccountSecurity.systemauditing AccountSecurity.umaskAccountSecurity.unownedfiles AccountSecurity.umaskynAccountSecurity.userdotfiles AccountSecurity.userrcfilesApache.deactivatehpwsapache Apache.chrootapacheDNS.chrootbind FTP.ftpusers FilePermissions.worldwriteableHPUX.guibanner HPUX.mailconfigHPUX.ndd HPUX.othertools HPUX.restrictswacls HPUX.screensavertimeoutHPUX.scanports HPUX.stackexecuteIPFilter.blockcfservd HPUX.tcpisnIPFilter.blockDNSquery IPFilter.blockhpidsagent IPFilter.blockhpidsadminYou are managing some remote Hids agents, answer no Hids does notIPFilter.blocknetrange Default 192.168.1.0/255.255.255.0 DescriptionIPFilter.blockping IPFilter.blockSecureShellIPFilter.configureipfilter IPFilter.blockwebadminIPFilter.blockwbem Otherwise, answer no to this questionPage MiscellaneousDaemons.configuressh IPFilter.installipfilterMiscellaneousDaemons.diagnosticslocalonly MiscellaneousDaemons.disableptydaemon MiscellaneousDaemons.disablebindMiscellaneousDaemons.disablepwgrd MiscellaneousDaemons.disablerbootdMiscellaneousDaemons.disablesmbserver MiscellaneousDaemons.disablesmbclientMiscellaneousDaemons.nfscore MiscellaneousDaemons.nobodysecurerpcOtherbootserv MiscellaneousDaemons.xaccessMiscellaneousDaemons.sysloglocalonly Patches.spccrontime Patches.spccronrunPatches.spcproxyyn Patches.spcrunPrinting.printing SecureInetd.deactivatebootpSecureInetd.banners SecureInetd.deactivatedttools SecureInetd.deactivatebuiltinSecureInetd.deactivatefinger SecureInetd.deactivateftpSecureInetd.deactivatektools SecureInetd.deactivateidentSecureInetd.deactivatentalk SecureInetd.deactivateprinterSecureInetd.deactivaterquotad SecureInetd.deactivaterecservSecureInetd.deactivatertools SecureInetd.deactivateswatSecureInetd.deactivatetime SecureInetd.deactivatetftpSecureInetd.deactivateuucp SecureInetd.ftploggingSecureInetd.inetdgeneral SecureInetd.loginetdSecureInetd.owner Sendmail.sendmailcronSendmail.vrfyexpn Sendmail.sendmaildaemonPage All.weight Sample weight filesSample weight file below aligns with the CIS standard CIS.weightCIS.weight Page CIS ID CIS mapping to HP-UX BastilleApache.deactivatehpwsapache AccountSecurity.lockaccountnopasswd Page Index