HP UX Bastille Software IPFilter.blockwbem, IPFilter.blockwebadmin, IPFilter.configureipfilter

Page 48

	is the best way to do it. You should only block Secure Shell access if you have
	an alternate, secure method to manage your machine (such as physical access
	to the console or a secure terminal server) or if you do not use Secure Shell.
	Otherwise, answer no to this question.
Actions	Enable incoming network traffic for this service by adding the following lines
	to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX
	Bastille:
	# do allow SecureShell incoming connections
	pass in quick proto tcp from any to any port = 22 flags S keep state
	keep frags

IPFilter.block_wbem

Headline	BLOCK incoming WBEM https connections with IPFilter.
Default	N
Description	Web-Based Enterprise Management (WBEM) is a Distributed Management
	Task Force (DMTF) industry standard, http(s)-based management protocol
	which features encryption and authentication. It is much better than SNMP,
	which has a history of security issues and is by default a clear-text,
	unauthenticated protocol. Like SNMP, WBEM can be a powerful aid in
	managing multiple machines and it is by default much more secure. However,
	any service can be a security risk, so you should block it if you are not going
	to use it.
Actions	Enable incoming network traffic for this service by adding the following lines
	to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX
	Bastille:
	# do allow wbem incoming connections
	pass in quick proto tcp from any to any port = 5989 flags S keep state keep
	frags

IPFilter.block_webadmin

Headline	BLOCK incoming web admin connections with IPFilter.
Default	Y
Description	Port 1188 is used by web-based tools that are replacements for areas of SAM.
	The listener on this port is the HP release of Apache with a custom
	configuration file that loads only a minimum set of modules. It is also restricted
	to use https for all communication and can only be used to run the system
	management tools. In general, this web server is running only when in use.
	It exits after a period of inactivity. Disabling this port means that some system
	administration functions are only available using the command line.
Actions	Enable incoming network traffic for this service by adding the following lines
	to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX
	Bastille:
	# do allow webadmin incoming connections
	pass in quick proto tcp from any to any port = 1188	flags S keep state keep
	frags
	# do allow webadminautostart incoming connections
	pass in quick proto tcp from any to any port = 1110	flags S keep state keep
	frags

IPFilter.configure_ipfilter

Headline	Set up basic firewall rules with these properties.
Default	N
Description	Firewalls generally make up the first line of defense in any network security
	architecture. IPFilter is a free, host-based firewall which is available for HP-UX.
	It looks like you have IPFilter installed, but that does not mean that it has been

48 Question modules

Image 48

Contents HP-UX Bastille Version B.3.3 User Guide Trademark Acknowledgments Table of Contents Index List of Figures HP-UX Bastille user interface Standard assessment reportList of Tables Question modules Security levelsFeatures and benefits About this productCompatibility PerformanceSupport Installing HP-UX Bastille Installation requirementsInstallation Page Using HP-UX Bastille Creating a security configuration profileIf the Path environment variable has not been updated, use 1shows the main screen of the HP-UX Bastille user interfaceConfiguring a system Assessing a systemUsing scored reports Accepted standard configurations are detectedConfiguration for the corresponding question is not Is not always detected. HP-UX Bastille might not detect allScored assessment report Reverting # bastille -rMonitoring drift Locating filesFor more information, see bastilledrift1M Var/opt/secmgmt/bastille/log/Assessment/Drift.txt Removing HP-UX Bastille Check for a TOREVERT.txt fileIf the file exists, complete the actions listed Page Troubleshooting Diagnostic tipsKnown issues and workarounds General use tipsProblems opening, copying, or reading files Errors related to individual configuration filesHP-UX Bastille configures a firewall using IPFilter Cannot use X because $DISPLAY is not setSupport and other resources Contacting HPRelated information Typographic conventions Or damage to hardware or software To complete a taskSupplement important points of the main text Page Install-Time Security ITS using HP-UX Bastille Choosing security levelsEnable kernel-based stack execute protection Table A-3 Additional Sec20MngDMZ security settings1 Selecting security levels during installation Choosing security dependenciesConfiguring HP-UX Bastille for use with Serviceguard Configuring Sec20MngDMZ or Sec30DMZ security levelsConfiguring Sec10Host level Page Question modules AccountSecurity.guilogin AccountSecurity.hidepasswordsAccountSecurity.crontabsfile AccountSecurity.cronuserAccountSecurity.MINPASSWORDLENGTH AccountSecurity.NOLOGINAccountSecurity.NUMBEROFLOGINSALLOWED AccountSecurity.lockaccountnopasswdAccountSecurity.NUMBEROFLOGINSALLOWEDyn AccountSecurity.PASSWORDHISTORYDEPTHAccountSecurity.PASSWORDHISTORYDEPTHyn AccountSecurity.PASSWORDMAXDAYSAccountSecurity.passwordpolicies AccountSecurity.serialportloginAccountSecurity.singleuserpassword AccountSecurity.restricthomeAccountSecurity.SUDEFAULTPATH AccountSecurity.SUDEFAULTPATHynAccountSecurity.systemauditing AccountSecurity.umaskAccountSecurity.umaskyn AccountSecurity.unownedfilesAccountSecurity.userdotfiles AccountSecurity.userrcfilesApache.chrootapache Apache.deactivatehpwsapacheDNS.chrootbind FilePermissions.worldwriteable FTP.ftpusersHPUX.mailconfig HPUX.guibannerHPUX.ndd HPUX.othertools HPUX.screensavertimeout HPUX.restrictswaclsHPUX.scanports HPUX.stackexecuteHPUX.tcpisn IPFilter.blockcfservdIPFilter.blockDNSquery IPFilter.blockhpidsadmin IPFilter.blockhpidsagentYou are managing some remote Hids agents, answer no Hids does notDefault 192.168.1.0/255.255.255.0 Description IPFilter.blocknetrangeIPFilter.blockping IPFilter.blockSecureShellIPFilter.blockwebadmin IPFilter.configureipfilterIPFilter.blockwbem Otherwise, answer no to this questionPage IPFilter.installipfilter MiscellaneousDaemons.configuresshMiscellaneousDaemons.diagnosticslocalonly MiscellaneousDaemons.disablebind MiscellaneousDaemons.disableptydaemonMiscellaneousDaemons.disablepwgrd MiscellaneousDaemons.disablerbootdMiscellaneousDaemons.disablesmbclient MiscellaneousDaemons.disablesmbserverMiscellaneousDaemons.nfscore MiscellaneousDaemons.nobodysecurerpcMiscellaneousDaemons.xaccess OtherbootservMiscellaneousDaemons.sysloglocalonly Patches.spccronrun Patches.spccrontimePatches.spcproxyyn Patches.spcrunSecureInetd.deactivatebootp Printing.printingSecureInetd.banners SecureInetd.deactivatebuiltin SecureInetd.deactivatedttoolsSecureInetd.deactivatefinger SecureInetd.deactivateftpSecureInetd.deactivateident SecureInetd.deactivatektoolsSecureInetd.deactivatentalk SecureInetd.deactivateprinterSecureInetd.deactivaterecserv SecureInetd.deactivaterquotadSecureInetd.deactivatertools SecureInetd.deactivateswatSecureInetd.deactivatetftp SecureInetd.deactivatetimeSecureInetd.deactivateuucp SecureInetd.ftploggingSecureInetd.loginetd SecureInetd.inetdgeneralSecureInetd.owner Sendmail.sendmailcronSendmail.sendmaildaemon Sendmail.vrfyexpnPage Sample weight files All.weightCIS.weight Sample weight file below aligns with the CIS standardCIS.weight Page CIS mapping to HP-UX Bastille CIS IDApache.deactivatehpwsapache AccountSecurity.lockaccountnopasswd Page Index