HP-UX Bastille User Guide: AccountSecurity.SU_DEFAULT_PATHyn, AccountSecurity.system_auditing


has physical access to the machine and enough time, there is very little you can do to prevent unauthorized access. This may be more problematic when an authorized administrator can't remember the password. Note: For HP-UX 11.22 and prior, this requires conversion to trusted mode. HP-UX Bastille will automatically do the conversion if you select this option. Trusted mode is incompatible with LDAP-UX client services prior to version 3.0 and can cause other incompatibility issues with applications which do their own authentication.

Actions

Sets the parameter BOOT_AUTH=1 in the /etc/default/security file. For HP-UX 11.22 and prior, converts to trusted mode and ensures that bootpw=YES is set with modprdef.

AccountSecurity.SU_DEFAULT_PATH

Headline

Set the new PATH at su.

Default

/sbin:/usr/sbin:/bin:/usr/bin

Description

The SU_DEFAULT_PATH parameter defines a new default PATH environment value to be set when su to a non-superuser account is executed. Refer to su(1).

Set SU_DEFAULT_PATH=new_PATH. This ensures that an su session will always have a default PATH value, preventing the inheritance of a poisoned PATH variable from your current login session. The PATH environment variable is set to new_PATH when the su command is invoked. Other environment values are not changed. The PATH value is not validated. This parameter does not apply to a superuser account, and is applicable only when the "-" option is not used along with the su command.

Actions

Sets the parameter SU_DEFAULT_PATH in the /etc/default/security file.
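Because su(1) does not validate the SU_DEFAULT_PATH value, a practitioner will want to check it before relying on it. The following POSIX shell script is an added example, not HP-UX Bastille code or part of the original guide: it reads the SU_DEFAULT_PATH and BOOT_AUTH assignments (the two /etc/default/security parameters discussed above) from a security file and flags the mistakes that would turn the setting into a poisoned PATH of its own: empty elements (searched as the current directory), relative elements such as ".", world-writable directories, and directories that do not exist. The security file it builds in a scratch directory is constructed for the demonstration, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not HP-UX Bastille code): sanity-check the SU_DEFAULT_PATH and
# BOOT_AUTH parameters in an /etc/default/security-style file. su(1) does not
# validate SU_DEFAULT_PATH, so a bad value is handed silently to every su session.

# get_param FILE NAME -> prints the value of the last uncommented NAME=value line
get_param() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# check_path_value PATH_STRING -> reports each problem on stdout,
# returns 0 only when the value is clean
check_path_value() {
    _p=$1
    _bad=0
    # An empty element (leading or trailing ':' or '::') is searched as the
    # current directory: the classic way a PATH gets poisoned.
    case "$_p" in
        ''|:*|*:|*::*) echo "empty element (current directory) in '$_p'"; _bad=1 ;;
    esac
    _oldifs=$IFS
    IFS=:
    for _d in $_p; do
        case "$_d" in
            /*) ;;
            *)  echo "relative element '$_d'"; _bad=1; continue ;;
        esac
        if [ -d "$_d" ]; then
            # world-writable directory: any user can drop a trojan 'ls' there
            if [ -n "$(find "$_d" -prune -perm -0002)" ]; then
                echo "world-writable element '$_d'"; _bad=1
            fi
        else
            # probably a typo; su would still export it unchanged
            echo "missing directory '$_d'"; _bad=1
        fi
    done
    IFS=$_oldifs
    return $_bad
}

# check_security_file FILE -> checks BOOT_AUTH and SU_DEFAULT_PATH,
# returns 0 only if both are sound
check_security_file() {
    _rc=0
    _ba=$(get_param "$1" BOOT_AUTH)
    if [ "$_ba" != 1 ]; then
        echo "BOOT_AUTH is '${_ba:-unset}', expected 1"; _rc=1
    fi
    _sp=$(get_param "$1" SU_DEFAULT_PATH)
    if [ -z "$_sp" ]; then
        echo "SU_DEFAULT_PATH is unset"; _rc=1
    else
        check_path_value "$_sp" || _rc=1
    fi
    return $_rc
}

# demo -> runs the checks against a constructed security file in a scratch
# directory: BOOT_AUTH is hardened, but the su PATH lists a world-writable
# directory and '.'. Returns the result of the check (1 for this sample).
demo() {
    _t=$(mktemp -d) || return 1
    mkdir "$_t/bin" "$_t/drop"
    chmod 755 "$_t/bin"
    chmod 1777 "$_t/drop"
    cat > "$_t/security" <<EOF
# constructed sample, not a real /etc/default/security
BOOT_AUTH=1
SU_DEFAULT_PATH=$_t/bin:$_t/drop:.
EOF
    check_security_file "$_t/security"
    _rc=$?
    rm -rf "$_t"
    return $_rc
}

if demo; then
    echo "no problems found"
else
    echo "fix the value before relying on SU_DEFAULT_PATH"
fi
```

Run it against the real file with check_security_file /etc/default/security. A sticky, world-writable directory (mode 1777) is still reported, since the sticky bit only stops other users from deleting a planted file, not from planting it.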

AccountSecurity.SU_DEFAULT_PATHyn

Headline

Set a default path for the su command.

Default

Y

Description

Yes/no question that controls whether HP-UX Bastille sets the SU_DEFAULT_PATH parameter at all; the value itself is taken from AccountSecurity.SU_DEFAULT_PATH.

Actions

None.

AccountSecurity.system_auditing

Headline

Basic system security auditing enabled.

Default

N

Description

Enabling basic system security auditing logs a subset of system calls. This logging produces system overhead. If this system is in a performance sensitive role, the risk of not logging may be less than the risk of incurring a small amount of overhead.

Actions

Configure and start auditing and acct programs. Convert to trusted mode if necessary.

AccountSecurity.umask

Headline

Set umask for all users on the system.

Default

77

Description

The umask utility sets the default permission mask applied to the files and directories that you create. HP-UX Bastille can set one of several umasks. Select one of the following or create your own:

002–Everyone can read your files and people in your group can alter them.
022–Everyone can read your files, but no one else can write to them.
027–Only people in your group can read your files, but no one else can write to them.
077–No one else on the system can read or write your files.

In addition to

38 Question modules
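The four options above describe the effect of each umask in words. The following POSIX shell script is an added example, not part of the HP-UX Bastille guide: it computes the file and directory modes each umask produces and then confirms them by creating a real file and directory under that umask in a scratch directory. The function name umask_modes is the example's own.

```shell
#!/bin/sh
# Added example (not HP-UX Bastille code): show what each umask the question
# offers does to newly created files and directories, first by computing the
# resulting mode and then by creating real objects under that umask and
# checking them with find -perm.

# umask_modes UMASK -> prints "file=NNN dir=NNN"; returns 1 if the objects
# created under that umask do not carry the computed modes
umask_modes() {
    _u=$1
    # A new file starts from 0666 and a new directory from 0777; the umask
    # clears bits. The leading 0 forces octal in shell arithmetic, so "77"
    # and "077" are the same mask.
    _file=$(printf '%03o' $(( 0666 & ~0$_u )))
    _dir=$(printf '%03o' $(( 0777 & ~0$_u )))
    _t=$(mktemp -d) || return 1
    # umask is per process, so set it in a subshell to leave ours alone
    ( umask "$_u" && : > "$_t/f" && mkdir "$_t/d" ) || { rm -rf "$_t"; return 1; }
    # find -perm MODE (no leading - or +) matches the mode exactly
    if [ -z "$(find "$_t/f" -prune -perm "$_file")" ] ||
       [ -z "$(find "$_t/d" -prune -perm "$_dir")" ]; then
        rm -rf "$_t"
        return 1
    fi
    rm -rf "$_t"
    echo "file=$_file dir=$_dir"
}

# The four values offered by the question, plus the guide's default written as 77
for _mask in 002 022 027 077 77; do
    printf 'umask %s -> %s\n' "$_mask" "$(umask_modes "$_mask")"
done
```

The subshell matters for the same reason the question matters: a umask is a per-process attribute that child processes inherit, so a value set in a login profile reaches the shells started from that login and nothing else; cron jobs and daemons keep whatever umask they were started with.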
