HP-UX Bastille Software manual: IPFilter.block_hpidsadmin, IPFilter.block_hpidsagent

Page 46

Actions

Enable incoming network traffic for this service by adding the following lines to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX Bastille:

# do allow DNSquery incoming connections
pass in quick proto udp from any to any port = domain keep state

IPFilter.block_hpidsadmin

Headline

BLOCK incoming connections to the HIDS GUI with IPFilter.

Default

Y

Description

The HP-UX Host Intrusion Detection System (HIDS) Management GUI listens on port 2984 for incoming connections initiated by HIDS agents on each configured host. If you are not running the HP-UX Host HIDS GUI on this host, answer yes. If you are running the HP-UX Host HIDS GUI on this host, and it only manages one LOCAL HIDS agent running on this host (i.e., you are not managing any HIDS agents on any remote hosts using this GUI), answer yes. If you are running an HP-UX Host HIDS GUI on this host and you are managing some remote HIDS agents, answer no.

NOTE: Install and configure HIDS separately from HP-UX Bastille. For more information, see http://www.hp.com/security.

Actions

Enable incoming network traffic for this service by adding the following lines to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX Bastille:

# do allow hpidsadmin incoming connections
pass in quick proto tcp from any to any port = hpidsadmin flags S keep state keep frags
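The following script is an added example; it is not code from the HP-UX Bastille manual or from the Bastille tool. It parses rule lines in the syntax shown in the Actions above, applies IPFilter's matching semantics (rules are tried in order, the last matching rule decides, except that a matching rule marked `quick` decides immediately, and a packet no rule matches is passed), and reports whether the hpidsadmin port (2984, this module) and the hpidsagent port (2985, the next module) are reachable inbound. The service-name table, the sample ruleset and the packet addresses are constructed for the example, and the parser accepts only the rule forms used on this page; any other IPFilter syntax raises ValueError rather than being misread.

```python
"""Check what an IPFilter ruleset allows for the HIDS ports.

Added example; not code from the HP-UX Bastille manual or the tool.
IPFilter semantics modelled here: rules are tried in order, the LAST
matching rule decides, except that a matching rule marked `quick`
decides immediately; a packet no rule matches is passed.
"""
import ipaddress
import re

# Assumed /etc/services entries; the ports are the ones the Bastille
# descriptions on this page give for the HIDS GUI and agent.
SERVICES = {"domain": 53, "hpidsadmin": 2984, "hpidsagent": 2985}

# Covers the rule forms used on this page; anything else is rejected
# rather than silently misread.
RULE_RE = re.compile(
    r"(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<quick>\s+quick)?"
    r"(?:\s+all)?"
    r"(?:\s+proto\s+(?P<proto>\w+))?"
    r"(?:\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\S+))?)?"
    r"(?:\s+flags\s+\S+)?"
    r"(?:\s+keep\s+state)?"
    r"(?:\s+keep\s+frags)?"
    r"\s*"
)


def parse_rules(text):
    """Parse ipf.conf text (comments and blank lines skipped) into rule dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.fullmatch(line)
        if m is None:
            raise ValueError("unsupported rule syntax: %r" % line)
        rule = m.groupdict()
        rule["quick"] = rule["quick"] is not None
        if rule["port"] is not None:
            name = rule["port"]
            rule["port"] = SERVICES[name] if name in SERVICES else int(name)
        rules.append(rule)
    return rules


def addr_match(spec, ip):
    """'any' matches everything; otherwise spec is a host, CIDR or addr/mask."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    """True if the rule's direction, protocol, addresses and port all fit pkt."""
    if rule["dir"] != pkt["dir"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] and not addr_match(rule["src"], pkt["src"]):
        return False
    if rule["dst"] and not addr_match(rule["dst"], pkt["dst"]):
        return False
    if rule["port"] is not None and rule["port"] != pkt["dport"]:
        return False
    return True


def decide(rules, pkt):
    """Return 'pass' or 'block' for pkt under IPFilter's last-match/quick rules."""
    verdict = "pass"  # IPFilter passes a packet that no rule matches
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict


def hids_exposure(conf_text, src="10.0.0.5", dst="10.0.0.1"):
    """Map each HIDS service to the verdict for an inbound TCP connection."""
    rules = parse_rules(conf_text)
    return {
        name: decide(rules, {"dir": "in", "proto": "tcp", "src": src,
                             "dst": dst, "dport": SERVICES[name]})
        for name in ("hpidsadmin", "hpidsagent")
    }


# Constructed fragment in the style of /etc/opt/ipf/ipf.conf: a catch-all
# block followed by the pass rules Bastille writes for DNSquery and
# hpidsadmin; no pass rule exists for hpidsagent, so that port stays blocked.
SAMPLE_CONF = """\
block in all
# do allow DNSquery incoming connections
pass in quick proto udp from any to any port = domain keep state
# do allow hpidsadmin incoming connections
pass in quick proto tcp from any to any port = hpidsadmin flags S keep state keep frags
"""

if __name__ == "__main__":
    for name, verdict in hids_exposure(SAMPLE_CONF).items():
        print("%-10s tcp/%d inbound: %s" % (name, SERVICES[name], verdict))
```

Because the Bastille pass rules carry `quick`, they decide as soon as they match and are not overridden by a later catch-all block; the same pass rule without `quick`, placed before `block in all`, would be overridden, which is why the order and the `quick` keyword both matter when you hand-edit the file.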

IPFilter.block_hpidsagent

Headline

BLOCK incoming HIDS agent connections with IPFilter.

Default

N

Description

HP-UX HIDS enhances host-level security with near real-time automatic monitoring of each configured host for signs of potentially damaging intrusions. HIDS contains a System Management GUI that allows the administrator to configure, control, and monitor the HIDS system, and a host-based agent, which is an intrusion detection sensor that gathers system data, monitors system activity, and issues intrusion alerts. The communication between the GUI and agents is encrypted. The agent listens on port 2985 for incoming connections initiated by the GUI. If you are not running the HP-UX Host Intrusion Detection System (HIDS) agent on this host, answer yes. If you are running the HP-UX Host HIDS agent on this host but you are running the HP-UX Host HIDS GUI locally on this host (i.e., you are not remotely managing this agent by running the GUI on a remote host), answer yes. If you are running an HP-UX Host HIDS agent locally on this host and you are remotely managing this agent with a remote HP-UX Host HIDS System Management GUI, answer no.

NOTE: You must install and configure HIDS separately from HP-UX Bastille. For more information, see http://www.hp.com/security.

HIDS does not:

• Replace comprehensive security policies and procedures. You must define and implement such security policies and procedures and configure HIDS to enforce them. A lack of such policies, procedures, and configuration
