HP UX Bastille Software manual HPUX.tcpisn, IPFilter.blockcfservd, IPFilter.blockDNSquery

Page 45

Default

Y

Description

A common way to gain privileged access is to provide some type of out-of-bounds input that is not checked by a program. This input can be used to overflow the stack in a way that leaves some cleverly written instructions stored in a place that will be executed by the program. The HP-UX kernel is able to disallow execution of commands from the stack. This contains many of these types of attacks, making them ineffective. Because this is done at the kernel level, it is independent of any application which may have a vulnerability of this type. This will break some applications designed to execute code off the stack, for example Java 1.2 programs using JDK/JRE 1.2.2 versions older than 1.2.2.06. However, you can run chatr +es <executable file> to override this for individual broken programs.

Actions

Invokes kctune -K executable_stack=0 to disable stack execution.

HP_UX.tcp_isn

Headline

Make TCP ISN RFC 1948 compliant.

Default

N

Description

The use of random sequence numbers makes TCP traffic difficult to spoof from off the network. By setting the TCP stack to use RFC 1948-compliant sequence numbers, you raise the difficulty level for a successful off-network attack. This setting does not prevent a "man in the middle" style attack, where the attacker has access to a network that is along the routing path between two communicating nodes. TCP does not offer protection for this case without adding additional layers such as IPSec.

Actions

Make TCP ISN RFC 1948 compliant.
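To make concrete what "RFC 1948 compliant" means in the description above, here is an added example (not HP-UX kernel code) of the construction the RFC describes, ISN = M + F(localhost, localport, remotehost, remoteport, secret), beside the older clock-only behaviour. The fixed secret, MD5 as the hash F, and the addresses are constructed assumptions.

```python
import hashlib
import socket
import struct

MASK32 = 0xFFFFFFFF
# Assumption: the kernel draws this secret randomly at boot; a fixed value is
# used here (constructed) so the example is reproducible.
BOOT_SECRET = b"constructed-per-boot-secret"


def connection_offset(laddr, lport, raddr, rport, secret=BOOT_SECRET):
    """F(localhost, localport, remotehost, remoteport, secret) from RFC 1948.

    The RFC calls for a cryptographic hash; MD5 truncated to 32 bits is used here.
    Same 4-tuple and secret -> same offset; any other 4-tuple -> unrelated offset.
    """
    data = (socket.inet_aton(laddr) + struct.pack("!H", lport)
            + socket.inet_aton(raddr) + struct.pack("!H", rport) + secret)
    return int.from_bytes(hashlib.md5(data).digest()[:4], "big")


def clock_isn(now_us):
    """M: the RFC 793 clock, one tick per 4 microseconds, wrapping at 2^32.
    A stack that uses only M hands every peer the same, predictable ISN."""
    return (now_us // 4) & MASK32


def rfc1948_isn(laddr, lport, raddr, rport, now_us, secret=BOOT_SECRET):
    """ISN = M + F(...): still advances with time for one connection, but an
    observer of its own connection's ISN learns nothing about another 4-tuple's."""
    return (clock_isn(now_us)
            + connection_offset(laddr, lport, raddr, rport, secret)) & MASK32


def compare_at(now_us, server=("10.0.0.1", 22)):
    """Constructed scenario: two different clients connect to the server at
    the same instant. Returns (clock-only ISN pair, RFC 1948 ISN pair)."""
    peers = [("192.0.2.10", 40000), ("192.0.2.20", 40000)]
    classic = tuple(clock_isn(now_us) for _ in peers)
    compliant = tuple(rfc1948_isn(*server, *p, now_us) for p in peers)
    return classic, compliant


if __name__ == "__main__":
    classic, compliant = compare_at(now_us=4_000_000)
    print("clock-only ISNs (identical):", classic)
    print("RFC 1948 ISNs (per connection):", compliant)
```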

IPFilter.block_cfservd

Headline

BLOCK incoming cfrun requests with IPFilter.

Default

Y

Description

The cfengine utility provides policy-based configuration management for groups of systems and Serviceguard clusters. A central "policy host" acts as a repository for the configuration policy files and reference files that are distributed to managed clients. Typically, managed clients perform synchronization runs at administrator-defined intervals, for example with a cron job on the managed client. The cfrun utility can also be used by the administrator on the policy host to contact each managed client and request an immediate or "on-demand" synchronization run. If this system should allow on-demand synchronization requests, answer no to this question. Otherwise, answer yes.

Actions

Enable incoming network traffic for this service by adding the following lines to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX Bastille:

# do allow cfservd incoming connections
pass in quick proto tcp from any to any port = 5308 flags S keep state keep frags
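As an added example (not Bastille's own code) of managing the rule quoted above: the functions below add or remove the cfservd pass rule in a copy of the ipf.conf text, placing it ahead of the first inbound block rule so that a 'quick' block cannot shadow it. The sample configuration and that placement choice are assumptions.

```python
CFSERVD_COMMENT = "# do allow cfservd incoming connections"
CFSERVD_RULE = ("pass in quick proto tcp from any to any port = 5308 "
                "flags S keep state keep frags")


def _norm(line: str) -> str:
    # Collapse whitespace so wrapped or re-indented copies of a rule still match.
    return " ".join(line.split())


def has_rule(conf_text: str, rule: str = CFSERVD_RULE) -> bool:
    """True if an active (non-comment) line of the configuration equals the rule."""
    wanted = _norm(rule)
    return any(_norm(l) == wanted for l in conf_text.splitlines()
               if not l.lstrip().startswith("#"))


def set_rule(conf_text: str, allow: bool,
             rule: str = CFSERVD_RULE, comment: str = CFSERVD_COMMENT) -> str:
    """Return ipf.conf text with the rule present (allow=True) or absent (allow=False).

    Idempotent: existing copies of the rule and its comment are dropped first.
    """
    drop = {_norm(rule), _norm(comment)}
    lines = [l for l in conf_text.splitlines() if _norm(l) not in drop]
    if allow:
        # Assumption: put the pass rule ahead of the first inbound block rule.
        # IPFilter stops at the first matching 'quick' rule, so order decides
        # whether the SYN to port 5308 is passed or blocked.
        idx = next((i for i, l in enumerate(lines)
                    if _norm(l).startswith("block in")), len(lines))
        lines[idx:idx] = [comment, rule]
    return "\n".join(lines) + "\n"


# Constructed sample of an ipf.conf, not a real Bastille-generated file.
SAMPLE_CONF = """\
# constructed sample /etc/opt/ipf/ipf.conf for this example
pass out quick proto tcp from any to any flags S keep state
pass in quick proto tcp from any to any port = 22 flags S keep state
block in all
"""

if __name__ == "__main__":
    allowed = set_rule(SAMPLE_CONF, allow=True)
    print(allowed)
    print("cfservd allowed:", has_rule(allowed))
    print("cfservd allowed after blocking:", has_rule(set_rule(allowed, allow=False)))
```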

IPFilter.block_DNSquery

Headline

BLOCK incoming DNS query connections with IPFilter.

Default

Y

Description

DNS query connections should only be allowed on DNS servers. If this machine is a DNS server for other machines, you should answer "No" to this question. Otherwise, you should block DNS queries by answering "Yes".

