HP UX Bastille Software manual FilePermissions.worldwriteable, FTP.ftpusers

Page 41

 

is listening to untrusted data as much as possible. This is especially true of

 

network daemons, such as bind. If a vulnerability is found in the daemon,

 

then a chroot jail contains any intrusions. Only a root process can break out

 

of a chroot jail. HP-UX Bastille ensures that "named" is not running as root.

 

A successful attack on "named" in a chroot jail running as a non-privileged

 

user allows the attacker to modify only files owned or writeable by that

 

non-privileged user and protects the rest of the system.

 

IMPORTANT: On HP-UX, the general structure of the jail is created but several

 

entries are added to the HP-UX Bastille generated TODO.txt file which require

 

manual action on your part. HP-UX does not ship with a name server

 

configured by default, so much of this depends on how your system's name

 

server is configured. Manual action is required to complete this configuration.

 

See the TODO.txt file for details.

Actions

Make a copy of BIND and related binaries and libraries and place them inside

 

of a chroot jail.

FilePermissions.world_writeable

Headline

Scan for world-writeable directories.

Default

N

Description

HP-UX Bastille can scan your system for world-writeable directories, including

 

base OS, 3rd party applications, and user directories. A script is created which

 

can be edited to suit your needs and run to tighten these permissions. Changing

 

the permissions of directories in this way has the potential to break

 

compatibility with some applications and requires testing in your environment.

 

Note: The changes made by this script are NOT supported by HP. They have

 

a low likelihood of breaking things in a single purpose environment, but are

 

known to break some applications in very subtle ways in a general purpose

 

environment For example, applications which rely on unique process id's in

 

/tmp when run by different users can break when the process id's are recycled,

 

or programs which are run by different users but create logs in a common

 

directory might fail. Other examples are listed in the long explanation. As you

 

run the script, a revert-directory-perms.shscript is created which

 

allows you to revert to a supported state, independent of other HP-UX Bastille

 

configurations which are supported. Running bastille -rreverts all HP-UX

 

Bastille changes including running the revert-directory-perms.sh

 

script.

 

IMPORTANT: Manual action is required to complete this configuration. See

 

the TODO.txt file for details.

Actions

Scan the system for world-writeable directories. Create a script to tighten these

 

permissions. HP-UX Bastille does not run this script, but offers it as a starting

 

point for users to review and modify.

FTP.ftpbanner

 

Headline

Present an ftpd banner upon login to FTP.

Default

N

Description

ftpbanner provides for a login banner to be presented upon the initial access

 

to the FTP server.

Actions

Append suitable banner line to ftpaccess file.

FTP.ftpusers

 

Headline

Disallow system account logins through ftpd.

41

Page 40 Page 42
Image 41
Page 40 Page 42
Contents HP-UX Bastille Version B.3.3 User Guide Trademark Acknowledgments Table of Contents Index HP-UX Bastille user interface Standard assessment report List of FiguresQuestion modules Security levels List of TablesAbout this product Features and benefitsSupport CompatibilityPerformance Installation Installing HP-UX BastilleInstallation requirements Page Creating a security configuration profile Using HP-UX Bastille1shows the main screen of the HP-UX Bastille user interface If the Path environment variable has not been updated, useAssessing a system Configuring a systemAccepted standard configurations are detected Using scored reportsConfiguration for the corresponding question is not Is not always detected. HP-UX Bastille might not detect allScored assessment report # bastille -r RevertingFor more information, see bastilledrift1M Monitoring driftLocating files Var/opt/secmgmt/bastille/log/Assessment/Drift.txt If the file exists, complete the actions listed Removing HP-UX BastilleCheck for a TOREVERT.txt file Page Diagnostic tips TroubleshootingKnown issues and workarounds General use tipsErrors related to individual configuration files Problems opening, copying, or reading filesHP-UX Bastille configures a firewall using IPFilter Cannot use X because $DISPLAY is not setRelated information Support and other resourcesContacting HP Typographic conventions Supplement important points of the main text Or damage to hardware or softwareTo complete a task Page Choosing security levels Install-Time Security ITS using HP-UX BastilleEnable kernel-based stack execute protection Table A-3 Additional Sec20MngDMZ security settings1 Choosing security dependencies Selecting security levels during installationConfiguring Sec10Host level Configuring HP-UX Bastille for use with ServiceguardConfiguring Sec20MngDMZ or Sec30DMZ security levels Page Question modules AccountSecurity.hidepasswords AccountSecurity.guiloginAccountSecurity.crontabsfile AccountSecurity.cronuserAccountSecurity.NOLOGIN AccountSecurity.MINPASSWORDLENGTHAccountSecurity.NUMBEROFLOGINSALLOWED AccountSecurity.lockaccountnopasswdAccountSecurity.PASSWORDHISTORYDEPTH AccountSecurity.NUMBEROFLOGINSALLOWEDynAccountSecurity.PASSWORDHISTORYDEPTHyn AccountSecurity.PASSWORDMAXDAYSAccountSecurity.serialportlogin AccountSecurity.passwordpoliciesAccountSecurity.singleuserpassword AccountSecurity.restricthome AccountSecurity.SUDEFAULTPATHyn AccountSecurity.SUDEFAULTPATH AccountSecurity.systemauditing AccountSecurity.umaskAccountSecurity.unownedfiles AccountSecurity.umaskynAccountSecurity.userdotfiles AccountSecurity.userrcfilesDNS.chrootbind Apache.chrootapacheApache.deactivatehpwsapache FTP.ftpusers FilePermissions.worldwriteableHPUX.ndd HPUX.mailconfigHPUX.guibanner HPUX.othertools HPUX.restrictswacls HPUX.screensavertimeoutHPUX.scanports HPUX.stackexecuteIPFilter.blockDNSquery HPUX.tcpisnIPFilter.blockcfservd IPFilter.blockhpidsagent IPFilter.blockhpidsadminYou are managing some remote Hids agents, answer no Hids does notIPFilter.blocknetrange Default 192.168.1.0/255.255.255.0 DescriptionIPFilter.blockping IPFilter.blockSecureShellIPFilter.configureipfilter IPFilter.blockwebadminIPFilter.blockwbem Otherwise, answer no to this questionPage MiscellaneousDaemons.diagnosticslocalonly IPFilter.installipfilterMiscellaneousDaemons.configuressh MiscellaneousDaemons.disableptydaemon MiscellaneousDaemons.disablebindMiscellaneousDaemons.disablepwgrd MiscellaneousDaemons.disablerbootdMiscellaneousDaemons.disablesmbserver MiscellaneousDaemons.disablesmbclientMiscellaneousDaemons.nfscore MiscellaneousDaemons.nobodysecurerpcMiscellaneousDaemons.sysloglocalonly MiscellaneousDaemons.xaccessOtherbootserv Patches.spccrontime Patches.spccronrunPatches.spcproxyyn Patches.spcrunSecureInetd.banners SecureInetd.deactivatebootpPrinting.printing SecureInetd.deactivatedttools SecureInetd.deactivatebuiltinSecureInetd.deactivatefinger SecureInetd.deactivateftpSecureInetd.deactivatektools SecureInetd.deactivateidentSecureInetd.deactivatentalk SecureInetd.deactivateprinterSecureInetd.deactivaterquotad SecureInetd.deactivaterecservSecureInetd.deactivatertools SecureInetd.deactivateswatSecureInetd.deactivatetime SecureInetd.deactivatetftpSecureInetd.deactivateuucp SecureInetd.ftploggingSecureInetd.inetdgeneral SecureInetd.loginetdSecureInetd.owner Sendmail.sendmailcronSendmail.vrfyexpn Sendmail.sendmaildaemonPage All.weight Sample weight filesSample weight file below aligns with the CIS standard CIS.weightCIS.weight Page CIS ID CIS mapping to HP-UX BastilleApache.deactivatehpwsapache AccountSecurity.lockaccountnopasswd Page Index
Top Page Image Contents