HP-UX Bastille User Guide (B.3.3): AccountSecurity.umaskyn, AccountSecurity.unowned_files

Page 39

configuring a umask for all of the user shells, HP-UX 11.22 and later also provide the UMASK parameter in /etc/default/security to set the system default umask. This parameter controls the umask(2) of every session initiated through pam_unix(5); a shell startup script that runs later in the login can still override it. NOTE: If your system is converted to trusted mode, this parameter is overridden by the trusted-system default umask, which is 077.

Actions

Set the selected umask in all known shell startup scripts.

AccountSecurity.umaskyn

Headline

Set the default umask.

Default

N

Description

Set the default umask. Answer Y to have HP-UX Bastille set a system-wide umask; the value itself is chosen in the AccountSecurity.umask question. Answer N to leave the current umask settings unchanged.

Actions

None.

AccountSecurity.unowned_files

Headline

Assign unowned files to the bin user.

Default

N

Description

Do not leave files owned by users or groups that do not have meaning to the system. If a user or group is later created with the uid or gid that owns such a file, the new account silently inherits it and the data could be exposed to potentially unauthorized access. This typically happens when a user is deleted without cleaning up the file system. This item looks for files that are not owned by a defined system user or group and assigns those files to bin.

Actions

Find all local files that are not owned by a defined system user and/or group. Assign those files to bin. Remove the world-writable, setuid and setgid bits from these files.
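The following is an added example, not HP-UX Bastille's own code, showing the three steps of this action as shell functions: locate files with no defined owner or group, report them for review, and repair them by reassigning them to bin and stripping the bits that make stale ownership dangerous. The function names are this example's own, and it assumes bin:bin is the intended owner and group.

```sh
#!/bin/sh
# Added example (not part of HP-UX Bastille): find, review and repair files
# whose owner or group does not resolve to a defined user or group.

# Print files under ROOT (default /) whose uid or gid has no matching
# account. -xdev keeps the search on the starting filesystem, so NFS
# mounts, which use a remote uid space, are not rewritten; run it once per
# local filesystem instead.
find_unowned() {
    root=${1:-/}
    find "$root" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Succeed if FILE is world-writable, setuid or setgid. -prune keeps find
# from descending when FILE is a directory, so only FILE itself is tested.
has_risky_bits() {
    [ -n "$(find "$1" -prune \( -perm -002 -o -perm -4000 -o -perm -2000 \) -print)" ]
}

# Remove world-write, setuid and setgid from FILE. Works whether or not
# the file's owner exists, so it is safe to run before the chown.
strip_risky_bits() {
    chmod u-s,g-s,o-w "$1"
}

# Give FILE to bin:bin and strip the risky bits. Requires root.
reassign_to_bin() {
    chown bin:bin "$1" && strip_risky_bits "$1"
}

# Review step: list every unowned file under ROOT with a flag marking the
# ones that are world-writable, setuid or setgid.
report_unowned() {
    find_unowned "$1" | while IFS= read -r f; do
        if has_risky_bits "$f"; then flag=RISKY; else flag=ok; fi
        printf '%s %s\n' "$flag" "$f"
    done
}

# Repair step: apply reassign_to_bin to every unowned file under ROOT.
repair_unowned() {
    find_unowned "$1" | while IFS= read -r f; do
        reassign_to_bin "$f"
    done
}
```

Run report_unowned first and read the list. find -nouser and -nogroup resolve ids through the name service, so if NIS or LDAP is unreachable at the time of the run, files of legitimately defined network users also appear unowned and repair_unowned would hand them to bin; confirm the name service is answering before repairing, and treat a large number of hits under one uid as a sign of a lookup failure rather than a deleted account.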

AccountSecurity.user_dot_files

Headline

Remove world-write permission from local user account dot files.

Default

Y

Description

Dot files, those whose names begin with a ".", are hidden from standard file lists and are often used for configuration. The combination of being less visible and being used to change the behavior of the user account means that if an incorrect permission is set (perhaps through a loose umask), the account could be subject to attack. This item reviews the local user account store, finds the local home directories, and removes the world-writable bit, if any. This is a simple and relatively safe operation.

Actions

Find all local non-root login home directories and ensure that any "dot" files within those directories do not have world-writable permissions.

AccountSecurity.user_rc_files

Headline

Delete .shosts, .rhosts, and .netrc from the local user accounts

Default

Y

Description

.shosts, .rhosts, and .netrc are files that sit in the home directories of users and are used to create trust relationships between given users on a system and other systems (.rhosts and .shosts grant password-less access from listed hosts; .netrc stores credentials in plaintext). Such non-interactive trust is dangerous because it lets an attacker who compromises one account extend that access along the trust relationships. If there is no business need for static trust, delete these files.

Actions

Find all local non-root login home directories, and delete the files .shosts, .rhosts, and .netrc if found within those directories.
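The following is an added example, not HP-UX Bastille's own code. It covers both of the preceding items, AccountSecurity.user_dot_files and AccountSecurity.user_rc_files, because they share the same first step: walking the local account store for non-root login home directories. For each such directory it removes world-write from the dot files directly inside it and deletes .shosts, .rhosts and .netrc. The function names, the choice to skip accounts whose shell ends in false or nologin, and the decision to treat only top-level dot files are this example's own assumptions; the passwd file path is a parameter so the functions can be exercised against a copy.

```sh
#!/bin/sh
# Added example (not part of HP-UX Bastille): harden local, non-root login
# home directories. PASSWD defaults to /etc/passwd.

# Print the home directory of each local account that is not uid 0, has a
# real home directory, and has a login shell (assumption: shells ending in
# "false" or "nologin" mark system accounts that never log in).
local_login_homes() {
    passwd=${1:-/etc/passwd}
    awk -F: '$3 != 0 && $6 != "" && $6 != "/" && $7 !~ /(false|nologin)$/ { print $6 }' "$passwd"
}

# Remove world-write from every dot file or dot directory directly inside
# HOME. The two globs together match every name starting with "." except
# "." and ".." themselves. -perm -002 tests the world-write bit; -prune
# stops find from descending into dot directories such as .ssh.
fix_dot_files() {
    home=$1
    [ -d "$home" ] || return 0
    for f in "$home"/.[!.]* "$home"/..?*; do
        [ -e "$f" ] || continue
        if [ -n "$(find "$f" -prune -perm -002 -print)" ]; then
            chmod o-w "$f"
        fi
    done
}

# Delete the static-trust files if present; rm -f succeeds when absent.
remove_rc_files() {
    home=$1
    [ -d "$home" ] || return 0
    rm -f "$home/.shosts" "$home/.rhosts" "$home/.netrc"
}

# Apply both fixes to every local non-root login home directory.
harden_homes() {
    local_login_homes "$1" | while IFS= read -r home; do
        fix_dot_files "$home"
        remove_rc_files "$home"
    done
}
```

Because root is skipped, a /.rhosts or /.netrc owned by root is left alone by this example and must be reviewed separately. Note also that the home directory itself is not touched: a world-writable home directory is a larger problem than a world-writable dot file, and is worth checking in the same pass with ls -ld on each directory printed by local_login_homes.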
