HP UX Bastille Software manual HPUX.guibanner, HPUX.mailconfig, HPUX.ndd

Page 42

Default	N
Description	The ftpusers file allows the administrator to set accounts that shall not be
	allowed to log in through the ftpd. Default system users should not be allowed
	access to the system through the ftpd because it sends the username and
	password in clear text over the network. HP-UX Bastille disallows ftp logins
	to a WU-FTPD server from the following users: root, daemon, bin, sys, adm,
	uucp, lp, nuucp, hpdb, and guest. If you have a compelling reason to allow
	these users ftp access, then answer no to this question. Use this as a secondary
	measure if you deactivated the ftp server.
Actions	Add the following user names to the /etc/ftpd/ftpusers file: root,
	daemon, bin, sys, adm, uucp, lp, nuucp, hpdb, and guest.

HP_UX.gui_banner

Headline	Set up a login banner for graphical login.
Default	N
Description	Setting a GUI login banner notifies users that they may use the system, but
	they are subject to local policy and monitoring. It also serves as notification
	that the system is not for public use. This helps eliminate the claims of "I
	thought anyone could use it."
Actions	For all Xresources files in /usr/dt/config/* directories, modify the
	matching /etc/dt/config/*/Xresources file by adding the following
	lines:
	Dtlogin*greeting.labelString: "Authorized users only. All activity may be monitored and
	reported."
	Dtlogin*greeting.persLabelString: "Authorized users only. All activity may be monitored
	and reported."
	Create the matching /etc/dt/config/*/Xresources files if not present.

HP_UX.mail_config

Headline	Allow mailing of your configuration and TODO.txt files to HP.
Default	N
Description	The HP-UX Bastille development team would like to know how you use
	HP-UX Bastille. Based on how you answer these questions, HP can meet your
	needs better. You can help by sending your configuration and TODO.txt files
	back to HP. Answering yes to this question does that automatically. If you
	feel that your hostname or your security configuration is confidential,
	answerno. The information is sent unencrypted over the public Internet. If
	outbound mail is unable to reach the Internet from this machine, answer no.
	If you have suggestions for improvements, new questions, code, or tests,
	discuss these on the Bastille Linux discussion list at: http://lists.sourceforge.net/
	mailman/listinfo/bastille-linux-discuss. You can provide feedback concerning
	HP-UX Bastille directly to the IT Resource Center at http://itrc.hp.com, using
	the System Administration or Security forum. Please send all comments. We
	want to hear from you.
Actions	Mail the /etc/opt/sec_mgmt/bastille/config and /var/opt/
	sec_mgmt/bastille/TODO.txt files to HP so we can improve HP-UX
	Bastille.

HP_UX.ndd

Headline	Make suggested ndd changes.
Default	N
Description	The ndd utility gets and sets network device parameters. The following is a
	list of ndd changes HP-UX Bastille sets:

42 Question modules

Image 42

Contents HP-UX Bastille Version B.3.3 User Guide Trademark Acknowledgments Table of Contents Index List of Figures HP-UX Bastille user interface Standard assessment reportList of Tables Question modules Security levelsFeatures and benefits About this productCompatibility PerformanceSupport Installing HP-UX Bastille Installation requirementsInstallation Page Using HP-UX Bastille Creating a security configuration profileIf the Path environment variable has not been updated, use 1shows the main screen of the HP-UX Bastille user interfaceConfiguring a system Assessing a systemConfiguration for the corresponding question is not Using scored reportsAccepted standard configurations are detected Is not always detected. HP-UX Bastille might not detect allScored assessment report Reverting # bastille -rMonitoring drift Locating filesFor more information, see bastilledrift1M Var/opt/secmgmt/bastille/log/Assessment/Drift.txt Removing HP-UX Bastille Check for a TOREVERT.txt fileIf the file exists, complete the actions listed Page Known issues and workarounds TroubleshootingDiagnostic tips General use tipsHP-UX Bastille configures a firewall using IPFilter Problems opening, copying, or reading filesErrors related to individual configuration files Cannot use X because $DISPLAY is not setSupport and other resources Contacting HPRelated information Typographic conventions Or damage to hardware or software To complete a taskSupplement important points of the main text Page Install-Time Security ITS using HP-UX Bastille Choosing security levelsEnable kernel-based stack execute protection Table A-3 Additional Sec20MngDMZ security settings1 Selecting security levels during installation Choosing security dependenciesConfiguring HP-UX Bastille for use with Serviceguard Configuring Sec20MngDMZ or Sec30DMZ security levelsConfiguring Sec10Host level Page Question modules AccountSecurity.crontabsfile AccountSecurity.guiloginAccountSecurity.hidepasswords AccountSecurity.cronuserAccountSecurity.NUMBEROFLOGINSALLOWED AccountSecurity.MINPASSWORDLENGTHAccountSecurity.NOLOGIN AccountSecurity.lockaccountnopasswdAccountSecurity.PASSWORDHISTORYDEPTHyn AccountSecurity.NUMBEROFLOGINSALLOWEDynAccountSecurity.PASSWORDHISTORYDEPTH AccountSecurity.PASSWORDMAXDAYSAccountSecurity.singleuserpassword AccountSecurity.passwordpoliciesAccountSecurity.serialportlogin AccountSecurity.restricthomeAccountSecurity.systemauditing AccountSecurity.SUDEFAULTPATHAccountSecurity.SUDEFAULTPATHyn AccountSecurity.umaskAccountSecurity.userdotfiles AccountSecurity.umaskynAccountSecurity.unownedfiles AccountSecurity.userrcfilesApache.chrootapache Apache.deactivatehpwsapacheDNS.chrootbind FilePermissions.worldwriteable FTP.ftpusersHPUX.mailconfig HPUX.guibannerHPUX.ndd HPUX.othertools HPUX.scanports HPUX.screensavertimeoutHPUX.restrictswacls HPUX.stackexecuteHPUX.tcpisn IPFilter.blockcfservdIPFilter.blockDNSquery You are managing some remote Hids agents, answer no IPFilter.blockhpidsadminIPFilter.blockhpidsagent Hids does notIPFilter.blockping Default 192.168.1.0/255.255.255.0 DescriptionIPFilter.blocknetrange IPFilter.blockSecureShellIPFilter.blockwbem IPFilter.blockwebadminIPFilter.configureipfilter Otherwise, answer no to this questionPage IPFilter.installipfilter MiscellaneousDaemons.configuresshMiscellaneousDaemons.diagnosticslocalonly MiscellaneousDaemons.disablepwgrd MiscellaneousDaemons.disablebindMiscellaneousDaemons.disableptydaemon MiscellaneousDaemons.disablerbootdMiscellaneousDaemons.nfscore MiscellaneousDaemons.disablesmbclientMiscellaneousDaemons.disablesmbserver MiscellaneousDaemons.nobodysecurerpcMiscellaneousDaemons.xaccess OtherbootservMiscellaneousDaemons.sysloglocalonly Patches.spcproxyyn Patches.spccronrunPatches.spccrontime Patches.spcrunSecureInetd.deactivatebootp Printing.printingSecureInetd.banners SecureInetd.deactivatefinger SecureInetd.deactivatebuiltinSecureInetd.deactivatedttools SecureInetd.deactivateftpSecureInetd.deactivatentalk SecureInetd.deactivateidentSecureInetd.deactivatektools SecureInetd.deactivateprinterSecureInetd.deactivatertools SecureInetd.deactivaterecservSecureInetd.deactivaterquotad SecureInetd.deactivateswatSecureInetd.deactivateuucp SecureInetd.deactivatetftpSecureInetd.deactivatetime SecureInetd.ftploggingSecureInetd.owner SecureInetd.loginetdSecureInetd.inetdgeneral Sendmail.sendmailcronSendmail.sendmaildaemon Sendmail.vrfyexpnPage Sample weight files All.weightCIS.weight Sample weight file below aligns with the CIS standardCIS.weight Page CIS mapping to HP-UX Bastille CIS IDApache.deactivatehpwsapache AccountSecurity.lockaccountnopasswd Page Index