HP-UX Bastille Software: IPFilter.block_netrange, IPFilter.block_ping, IPFilter.block_SecureShell

Page 47

can result in attacks that go undetected and reports of many false alerts. HIDS will work but your system may still be vulnerable.

Prevent the onset of attacks. If your system is vulnerable to attacks, those vulnerabilities will remain even after HIDS is installed.

Find static security flaws on a system. For example, if the password file contained an illegitimate account before HIDS was installed, that illegitimate account remains a vulnerability even after HIDS is installed and operational. Furthermore, HIDS cannot authenticate users of a valid account. For example, if users share password information, HIDS cannot ascertain the identity of an unauthorized user gaining access to a system via a legitimate account login.

Actions

Enable incoming network traffic for this service by adding the following lines to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX Bastille:

# do allow hpidsagent incoming connections
pass in quick proto tcp from any to any port = hpidsagent flags S keep state keep frags

IPFilter.block_netrange

Headline

Allow additional incoming network traffic from a select list of IP addresses.

Default

192.168.1.0/255.255.255.0 10.10.10.10

Description

The basic IPFilter rules set up by HP-UX Bastille only allow network traffic for services associated with software that HP-UX Bastille recognizes as installed on the system. All other incoming traffic is blocked by default. To allow additional incoming traffic based on the IP address of the sending host, enter specific IP addresses here with an optional netmask. Otherwise, answer 'N'.

Actions

Enable incoming network traffic for select hosts by adding the following lines to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX Bastille:

# Allow incoming connections from the following select IP addresses:
pass in quick from <ip>/<netmask> to any
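As an added example (not from the HP-UX Bastille guide or its code), the POSIX shell functions below turn the text entered for IPFilter.block_netrange into the rule lines shown above, refusing malformed addresses and netmasks that are non-contiguous or 0.0.0.0 (which would pass every source and undo the default block). The function names and the sample answer are my own; the sample is the guide's default value.

```shell
# Added example, not from the HP-UX Bastille guide: render the answer to
# IPFilter.block_netrange (space-separated <ip> or <ip>/<netmask> entries)
# into "pass in quick" lines for ipf.conf, rejecting bad entries.
# Return 0 if $1 is a dotted quad with four octets in 0..255 (no leading zeros).
is_dotted_quad() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}
# Return 0 if the (already validated) dotted-quad mask $1 is a run of 1-bits
# followed by 0-bits and is not 0.0.0.0, which would pass every source.
mask_is_usable() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    [ "$n" -ne 0 ] || return 1
    inv=$(( ~n & 4294967295 ))          # 32-bit complement of the mask
    [ $(( (inv + 1) & inv )) -eq 0 ]    # zero only for a contiguous mask
}
# Print the comment and one "pass in quick" rule per entry in $1;
# stop and return 1 at the first malformed entry.
netrange_rules() {
    printf '# Allow incoming connections from the following select IP addresses:\n'
    for entry in $1; do
        ip=${entry%%/*}
        mask=${entry#*/}        # equals $entry when there is no '/'
        is_dotted_quad "$ip" || { echo "bad address: $entry" >&2; return 1; }
        if [ "$mask" = "$entry" ]; then
            printf 'pass in quick from %s to any\n' "$ip"   # single host
        else
            is_dotted_quad "$mask" && mask_is_usable "$mask" ||
                { echo "bad netmask: $entry" >&2; return 1; }
            printf 'pass in quick from %s/%s to any\n' "$ip" "$mask"
        fi
    done
}
netrange_rules "192.168.1.0/255.255.255.0 10.10.10.10"   # the guide's default answer
```

Because these rules carry "quick", the first matching pass rule ends evaluation, so a too-wide range here admits every port and protocol from that range; check the resulting file with ipf -n -f /etc/opt/ipf/ipf.conf before loading it and review the active set with ipfstat -io.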

IPFilter.block_ping

Headline

BLOCK incoming ICMP echo requests with IPFilter.

Default

Y

Description

ICMP echo or ping is used for device discovery by a number of applications, including System Insight Manager and OpenView Network Node Manager. Though this is commonly used by hackers to discover hosts, the information returned to them is minimal. Past vulnerabilities of ping are patched. For this reason, you should block incoming icmp-echo requests if you do not need management applications to discover the device.

Actions

Enable incoming network traffic for this service by adding the following lines to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX Bastille:

# do allow ping incoming connections
pass in quick proto icmp from any to any icmp-type echo

IPFilter.block_SecureShell

Headline

BLOCK incoming Secure Shell connections with IPFilter.

Default

N

Description

Secure Shell is the best replacement for Telnet, remote shell, and FTP. It is authenticated and encrypted. If you want remote access to your machine, this
