HP-UX Bastille User Guide: IPFilter.install_ipfilter, MiscellaneousDaemons.configure_ssh

Page 50

Block anything you are not asked about explicitly, including all incoming traffic. If this is the first time you are using HP-UX Bastille to configure your firewall, you will be asked about several service specific options if the applicable software appears to be installed. If you have already configured a firewall using HP-UX Bastille, you will only be asked about protocols which are currently allowed by the HP-UX Bastille configuration.

IMPORTANT: Manual action required to complete this configuration. See the TODO.txt file for details.

Actions

Set up a basic default-deny firewall configuration.
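A minimal default-deny ruleset of the kind this item sets up, written out as an added example in IPFilter rule syntax. It is constructed for illustration and is not the rule file HP-UX Bastille generates; the 192.168.1.0/24 administration subnet and the choice of Secure Shell as the only inbound service are assumptions. Without "quick", the last matching rule wins, so the two "block" lines at the top are the default and every "pass ... quick" rule is an explicit exception:

```text
# Constructed example ruleset (not Bastille output). Default deny both ways,
# logged, so unexpected traffic shows up in ipmon output.
block in log all
block out log all

# Loopback traffic is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# Replies to connections this host initiates are tracked by state, so no
# separate inbound rules are needed for them.
pass out quick proto tcp from any to any flags S keep state
pass out quick proto udp from any to any keep state
pass out quick proto icmp from any to any keep state

# The only inbound service explicitly asked for: Secure Shell from the
# (assumed) administration subnet.
pass in quick proto tcp from 192.168.1.0/24 to any port = 22 flags S keep state
```

Load the file with "ipf -Fa -f /etc/opt/ipf/ipf.conf" and confirm the active rules with "ipfstat -io" before disconnecting from the console: a default-deny ruleset that omits the Secure Shell exception locks out remote administration.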

IPFilter.install_ipfilter

Headline

Provide information on how to get a copy of IPFilter.

Default

Y

Description

Firewalls generally make up the first line of defense in any network security architecture. IPFilter is a free host-based firewall which is available for HP-UX.

It looks like you have IPFilter installed, but that does not mean that it is configured. HP-UX Bastille cannot detect whether the rule-set is appropriate for your needs.

Actions

Provide information on how to get a copy of IPFilter in TODO.txt.

MiscellaneousDaemons.configure_ssh

Headline

Configure the HP-UX Secure Shell daemon to use generally-accepted defaults.

Default

N

Description

Secure Shell is one of the most important tools in the administrator's security toolkit. It enables secure remote login and command execution, and can carry otherwise unauthenticated and unprotected X11 traffic inside the encrypted SSH connection. This item configures SSH to conform with some generally accepted best practices. This item configures:

• Use only protocol 2, which is generally considered more secure than protocol 1

• Ignore rhosts, to avoid trusting remote hosts to assert a user's identity without user-based authentication

• Disable direct root login over SSH (PermitRootLogin no)

• Forward X11 traffic, if any, through the encrypted SSH connection

• Block use of accounts with empty passwords

• Use the contents of /etc/issue (also set in HP-UX Bastille) as the login banner

Actions

Set the following parameters in /etc/opt/ssh/sshd_config:

Protocol 2
X11Forwarding yes
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/issue
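Setting these parameters is only half the job: sshd honours the first occurrence of each keyword in sshd_config, so a hardened value appended below an earlier permissive one has no effect, and a keyword that is commented out silently falls back to the compiled-in default. The script below is an added example, not part of HP-UX Bastille, that audits a sshd_config against the eight settings listed under Actions. It is POSIX sh so it also runs under HP-UX /usr/bin/sh; the sample configuration it writes is constructed for the demonstration and is not taken from any real host:

```shell
#!/bin/sh
# Added audit script (not part of HP-UX Bastille): compare an sshd_config
# against the settings the configure_ssh item applies.

# Keyword/value pairs from the Actions list above.
EXPECTED='Protocol 2
X11Forwarding yes
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/issue'

# Print the effective value of keyword $2 in sshd_config $1.
# sshd uses the FIRST occurrence of a keyword, so later duplicates are ignored;
# keywords are case-insensitive and may be written "Key value" or "Key=value".
sshd_value() {
    awk -v key="$2" '
        { sub(/#.*/, ""); gsub(/=/, " ") }
        NF >= 2 && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Report every keyword that is absent from, or differs in, sshd_config $1.
# Exit status 0 = compliant, 1 = at least one finding.
audit_sshd_config() {
    audit_rc=0
    while read -r key want; do
        have=$(sshd_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want; the compiled-in sshd default applies)"
            audit_rc=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key = $have (want $want)"
            audit_rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $audit_rc
}

# Constructed sample config (hypothetical, not from a real host): Protocol is
# commented out, and PermitRootLogin appears twice with the permissive value
# first, which is the occurrence sshd actually honours.
write_sample_config() {
    cat > "$1" <<'EOF'
# sshd_config sample for the audit example
#Protocol 2
X11Forwarding yes
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
PermitRootLogin yes
PermitEmptyPasswords no
Banner /etc/issue
PermitRootLogin no    # ignored by sshd: the first occurrence above wins
EOF
}

SAMPLE="${TMPDIR:-/tmp}/sshd_config.sample.$$"
write_sample_config "$SAMPLE"
audit_sshd_config "$SAMPLE" || echo "non-compliant, exit status $?"
rm -f "$SAMPLE"
```

Run against the real file as "audit_sshd_config /etc/opt/ssh/sshd_config". The check inspects the file only; after editing sshd_config, restart or signal the running sshd and re-test with an actual login, since a daemon started before the change still runs with the old settings.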

MiscellaneousDaemons.diagnostics_localonly

Headline

Restrict the diagnostic daemon to local connections.

Default

N
