HP-UX Bastille software manual: HP_UX.restrict_swacls, HP_UX.scan_ports, HP_UX.screensaver_timeout

Page 44

Actions

Adds a summary description of HP security and services to the TODO.txt file for user reference.

HP_UX.restrict_swacls

Headline

Restrict remote access to swlist.

Default

N

Description

The swagentd daemon allows remote hosts to list and install software on your system. This is convenient for remote administration, and Security Patch Check uses it to query remote machines. It is also a security risk: with the default ACLs, patch levels and other critical system information are readable by any host that can reach swagentd, typically anything inside the same firewall. HP recommends that you remove the remote read access that swagentd grants by default.

Actions

If the swagentd daemon is running, use swacl to remove remote read access by deleting the any_other entry from the host and root ACLs:

swacl -l host -D any_other

swacl -l root -D any_other

Explicit ACL entries for the hosts that still need access (such as the host running Security Patch Check) can be added with swacl afterwards. Otherwise, an item is created in the TODO.txt file to remind you to run HP-UX Bastille again when the daemon is up (swacl communicates with swagentd, so the ACLs cannot be changed while it is down).
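The following shell script is an added example, not code from the HP-UX Bastille guide or the Bastille module: it audits the swagentd host and root ACLs for the default any_other read access that the two swacl -D commands above remove, and prints the exact command to run for each ACL that is still open. It assumes that swacl -l prints comment lines starting with # followed by one entry per line in the form type[:name]:permissions with permissions drawn from crwit (for example any_other:-r--t); compare that with the swacl output on your own system before trusting the parser. The two sample listings are constructed.

```shell
#!/bin/sh
# Added example (not part of the HP-UX Bastille guide or the Bastille
# module): audit the swagentd "host" and "root" ACLs for the default remote
# read access that "swacl -l host -D any_other" and
# "swacl -l root -D any_other" remove.
#
# Assumption about the listing format: "swacl -l host" / "swacl -l root"
# print comment lines beginning with "#" followed by one ACL entry per line,
#   <entry_type>[:<name>]:<permissions>
# with permissions drawn from "crwit" (control, read, write, insert, test)
# and "-" for a permission not granted, e.g. "any_other:-r--t".

# Read an ACL listing on stdin; succeed (exit 0) if the any_other entry
# grants read, fail (exit 1) if the entry is absent or carries no "r".
acl_grants_any_other_read() {
    grep -v '^#' | awk -F: '
        $1 == "any_other" && index($NF, "r") > 0 { found = 1 }
        END { exit !found }'
}

# Check the live daemon.  Each ACL still open is reported together with the
# command from the guide that closes it.  swacl talks to swagentd, so an
# empty result while the daemon is down means "untested", not "hardened".
check_swagentd_acls() {
    open=0
    for acl in host root; do
        if swacl -l "$acl" 2>/dev/null | acl_grants_any_other_read; then
            echo "swagentd $acl ACL grants read to any_other; run: swacl -l $acl -D any_other"
            open=1
        fi
    done
    return $open
}

# Constructed sample listings (not captured from a real host) showing the
# verdict before and after "swacl -l host -D any_other".
SWACL_DEFAULT='# swacl  Host Access Control List
# Object Ownership:  User= root
user:root:crwit
any_other:-r--t'

SWACL_HARDENED='# swacl  Host Access Control List
# Object Ownership:  User= root
user:root:crwit'

printf '%s\n' "$SWACL_DEFAULT"  | acl_grants_any_other_read && echo "default listing: any_other can read"
printf '%s\n' "$SWACL_HARDENED" | acl_grants_any_other_read || echo "hardened listing: any_other removed"
```

On a live system call check_swagentd_acls after the two swacl -D commands; a non-zero return means at least one of the two ACLs still grants read to any_other.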

HP_UX.scan_ports

Headline

Provide instructions in your TODO.txt file on how to run a port scan.

Default

N

Description

One of the final steps in lock down is to verify that only the services you need are still running. Several tools do this, including netstat, which is included with HP-UX, and lsof (LiSt Open Files), which is a free downloadable tool. netstat shows the sockets the host is listening on; lsof lists the open files of every process, network sockets included, so it shows which process owns each listening port. If there are processes or listeners you don't recognize, take this opportunity to do some research and learn about them. Both tools give the host's own view: what is actually reachable from the network also depends on IPFilter and any other firewall in the path, so confirm the result with a scan from another host where you can.

IMPORTANT: Manual action required to complete this configuration. See the TODO.txt file for details.

Actions

Provide instructions in your TODO.txt file on how to run a port scan.
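The following shell script is an added example, not code from the HP-UX Bastille guide or its TODO.txt instructions: it turns netstat -an output into a list of listening sockets and diffs that list against the services you intended to keep, which is the local half of the verification described above. It assumes the HP-UX netstat -an layout (protocol in column 1, local address in column 4 with the port after its last dot, LISTEN as the last column of a listening TCP socket); check the header of your own output first. The netstat excerpt is constructed.

```shell
#!/bin/sh
# Added example (not part of the HP-UX Bastille guide): list the sockets a
# host accepts traffic on from "netstat -an" output and compare them with an
# allow-list.  Map each port to its owning process afterwards with
# "lsof -i -P -n".
#
# Assumption: HP-UX "netstat -an" prints Internet sockets as
#   tcp   0   0  *.22        *.*     LISTEN
#   udp   0   0  *.514       *.*
# i.e. protocol in column 1, local address in column 4 with the port after
# its last ".", and "LISTEN" as the last column of a listening TCP socket.

# Read netstat -an text on stdin; print one "proto/port" per socket that
# accepts traffic, sorted and de-duplicated.  TCP sessions that are not in
# LISTEN state (ESTABLISHED, TIME_WAIT, ...) are skipped.
listening_sockets() {
    awk '
        $1 == "tcp" && $NF == "LISTEN" { n = split($4, a, "."); print "tcp/" a[n] }
        $1 == "udp"                    { n = split($4, a, "."); print "udp/" a[n] }
    ' | LC_ALL=C sort -u
}

# $1 = file with the allowed "proto/port" entries, one per line.  Prints the
# listening sockets not in that file.  Exit status follows grep: 0 means
# something unexpected was found, 1 means the host matches the list.
unexpected_sockets() {
    listening_sockets | grep -vxF -f "$1"
}

# Constructed netstat -an excerpt (not captured from a real host).
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.2121                 *.*                    LISTEN
tcp        0      0  10.0.0.5.22            10.0.0.9.51022         ESTABLISHED
udp        0      0  *.514                  *.*
udp        0      0  127.0.0.1.123          *.*'

# On a live host replace the printf with:  netstat -an | listening_sockets
printf '%s\n' "$NETSTAT_SAMPLE" | listening_sockets
```

Keep the allow-list under version control next to the Bastille configuration and run unexpected_sockets from cron; a zero exit status is the signal that a listener appeared that was not there when the system was locked down.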

HP_UX.screensaver_timeout

Headline

Set the GUI screen-saver timeout to 10 minutes.

Default

N

Description

The GUI login screen-saver timeout varies from 10 to 30 minutes depending on the HP-UX version. This item ensures the value is set at a consistent 10 minutes. Setting a short timeout ensures that extended absences don't leave an unattended console unlocked: saverTimeout blanks the display, and lockTimeout is what forces the user to re-enter a password to resume the session.

Actions

For all sys.resources files in /usr/dt/config/* directories, modify the matching /etc/dt/config/*/sys.resources file by adding the following lines:

dtsession*saverTimeout: 10

dtsession*lockTimeout: 10

Create the matching /etc/dt/config/*/sys.resources files if not present.
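The following shell script is an added example, not the Bastille module's own code: it applies the procedure above idempotently, creating each missing /etc/dt/config/*/sys.resources and replacing an existing dtsession timeout value instead of appending a duplicate. The vendor and admin directory roots are parameters (an assumption made so the functions can be exercised on a scratch tree); on a real system call apply_dt_timeouts /usr/dt/config /etc/dt/config 10.

```shell
#!/bin/sh
# Added example (not part of the HP-UX Bastille guide): set the CDE
# screen-saver and lock timeouts in every /etc/dt/config/<lang>/sys.resources
# that has a vendor counterpart under /usr/dt/config, the way the guide
# describes, and do it idempotently.
# Assumption: the two directory roots are passed as parameters so the
# functions can be run against a scratch tree; values are in minutes.

# Write or update the two dtsession timeout resources in one file.
# $1 = sys.resources path, $2 = timeout in minutes
set_dt_timeouts() {
    f=$1; t=$2
    [ -f "$f" ] || : > "$f"
    for res in saverTimeout lockTimeout; do
        if grep -q "^dtsession\*$res:" "$f"; then
            # replace an existing value rather than appending a duplicate
            sed "s/^dtsession\*$res:.*/dtsession*$res: $t/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        else
            echo "dtsession*$res: $t" >> "$f"
        fi
    done
}

# For every <lang>/sys.resources under the vendor tree ($1), ensure the
# matching file under the admin tree ($2) exists and carries the timeouts ($3).
apply_dt_timeouts() {
    vendor=$1; admin=$2; t=$3
    for src in "$vendor"/*/sys.resources; do
        [ -f "$src" ] || continue
        lang=$(basename "$(dirname "$src")")
        mkdir -p "$admin/$lang"
        set_dt_timeouts "$admin/$lang/sys.resources" "$t"
    done
}

# Print the timeout resources found in one file, for verification,
# e.g. "dtsession*saverTimeout=10 dtsession*lockTimeout=10 ".
dt_timeout_values() {
    awk -F': *' '/^dtsession[*](saver|lock)Timeout:/ { printf "%s=%s ", $1, $2 }' "$1"
}

# Usage on a live system (uncomment):
# apply_dt_timeouts /usr/dt/config /etc/dt/config 10
# for f in /etc/dt/config/*/sys.resources; do echo "$f: $(dt_timeout_values "$f")"; done
```

The /etc copy overrides the /usr copy, which is why the guide has you create it where it is missing; a value already present in /etc with a longer timeout would otherwise silently win, so the script replaces rather than appends.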

HP_UX.stack_execute

Headline

Enable kernel-based stack-execute protection.

44 Question modules
