HP UX Bastille Software manual HPUX.guibanner, HPUX.mailconfig, HPUX.ndd

Default

N

Description

The ftpusers file allows the administrator to set accounts that shall not be allowed to log in through the ftpd. Default system users should not be allowed access to the system through the ftpd because it sends the username and password in clear text over the network. HP-UX Bastille disallows ftp logins to a WU-FTPD server from the following users: root, daemon, bin, sys, adm, uucp, lp, nuucp, hpdb, and guest. If you have a compelling reason to allow these users ftp access, then answer no to this question. Use this as a secondary measure if you deactivated the ftp server.

Actions

Add the following user names to the /etc/ftpd/ftpusers file: root, daemon, bin, sys, adm, uucp, lp, nuucp, hpdb, and guest.
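
An added example, not part of the HP manual and not HP-UX Bastille's own code: a POSIX shell check that reports which of the accounts listed above are missing from an ftpusers file and appends only those. The function names are hypothetical, and the file is assumed to hold one user name per line with # starting a comment.

```shell
#!/bin/sh
# Added example (not HP-UX Bastille code). The account list is the one
# given on this page; function names are hypothetical.
REQUIRED_DENY="root daemon bin sys adm uucp lp nuucp hpdb guest"

# Print, space-separated, every required account NOT present in the file.
# The whole first field must match, so "sbin" does not satisfy "bin" and a
# commented-out "#root" does not count as an entry.
missing_ftp_denies() {
    file=$1
    missing=""
    for user in $REQUIRED_DENY; do
        found=no
        if [ -r "$file" ]; then
            # "|| [ -n ... ]" keeps a final line that lacks a newline
            while read -r name _rest || [ -n "$name" ]; do
                case $name in
                    ''|'#'*) continue ;;      # blank line or comment
                esac
                if [ "$name" = "$user" ]; then found=yes; break; fi
            done < "$file"
        fi
        [ "$found" = yes ] || missing="$missing $user"
    done
    echo "${missing# }"
}

# Append only the missing accounts, so repeated runs add no duplicates.
add_missing_ftp_denies() {
    file=$1
    to_add=$(missing_ftp_denies "$file")
    [ -n "$to_add" ] || return 0
    # Terminate an unterminated last line before appending to it.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    for user in $to_add; do
        printf '%s\n' "$user" >> "$file"
    done
}
```

Run missing_ftp_denies /etc/ftpd/ftpusers for a read-only audit; an empty result means every account on the list is already denied.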

HP_UX.gui_banner

Headline

Set up a login banner for graphical login.

Default

N

Description

Setting a GUI login banner notifies users that they may use the system, but they are subject to local policy and monitoring. It also serves as notification that the system is not for public use. This helps eliminate the claims of "I thought anyone could use it."

Actions

For all Xresources files in /usr/dt/config/* directories, modify the matching /etc/dt/config/*/Xresources file by adding the following lines:

Dtlogin*greeting.labelString: "Authorized users only. All activity may be monitored and reported."

Dtlogin*greeting.persLabelString: "Authorized users only. All activity may be monitored and reported."

Create the matching /etc/dt/config/*/Xresources files if not present.
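
An added example, not part of the HP manual and not HP-UX Bastille's own code: the action above written as an idempotent POSIX shell function. The function name and its two directory parameters are hypothetical (they default to the page's paths so the logic can be tried on a scratch tree), and starting a missing file empty is an assumption, since the page only says to create it.

```shell
#!/bin/sh
# Added example (not HP-UX Bastille code). Banner text and resource names
# are the ones on this page; apply_gui_banner is a hypothetical name.
BANNER='"Authorized users only. All activity may be monitored and reported."'

# Usage: apply_gui_banner [source_root] [target_root]
# Prints the number of resource lines it had to add (0 = already compliant).
apply_gui_banner() {
    src_root=${1:-/usr/dt/config}
    dst_root=${2:-/etc/dt/config}
    changed=0
    for src in "$src_root"/*/Xresources; do
        [ -f "$src" ] || continue             # glob matched nothing
        locale_dir=$(basename "$(dirname "$src")")
        dst="$dst_root/$locale_dir/Xresources"
        mkdir -p "$dst_root/$locale_dir"
        # Assumption: a missing target file is started empty.
        [ -f "$dst" ] || : > "$dst"
        # Terminate an unterminated last line before appending to it.
        if [ -s "$dst" ] && [ -n "$(tail -c 1 "$dst")" ]; then
            echo >> "$dst"
        fi
        for key in 'Dtlogin*greeting.labelString' \
                   'Dtlogin*greeting.persLabelString'; do
            # -F -x: match the whole line literally; '*' and '.' in the
            # resource name must not be read as regex metacharacters.
            if ! grep -F -x -q -- "$key: $BANNER" "$dst"; then
                printf '%s: %s\n' "$key" "$BANNER" >> "$dst"
                changed=$((changed + 1))
            fi
        done
    done
    echo "$changed"
}
```

A second run that prints a non-zero count means something removed or altered the banner lines since the last run.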

HP_UX.mail_config

Headline

Allow mailing of your configuration and TODO.txt files to HP.

Default

N

Description

The HP-UX Bastille development team would like to know how you use HP-UX Bastille. Based on how you answer these questions, HP can meet your needs better. You can help by sending your configuration and TODO.txt files back to HP. Answering yes to this question does that automatically. If you feel that your hostname or your security configuration is confidential, answer no. The information is sent unencrypted over the public Internet. If outbound mail is unable to reach the Internet from this machine, answer no. If you have suggestions for improvements, new questions, code, or tests, discuss these on the Bastille Linux discussion list at: http://lists.sourceforge.net/mailman/listinfo/bastille-linux-discuss. You can provide feedback concerning HP-UX Bastille directly to the IT Resource Center at http://itrc.hp.com, using the System Administration or Security forum. Please send all comments. We want to hear from you.

Actions

Mail the /etc/opt/sec_mgmt/bastille/config and /var/opt/sec_mgmt/bastille/TODO.txt files to HP so we can improve HP-UX Bastille.

HP_UX.ndd

Headline

Make suggested ndd changes.

Default

N

Description

The ndd utility gets and sets network device parameters. The following is a list of ndd changes HP-UX Bastille sets:
