HP UX Bastille Software manual IPFilter.installipfilter, MiscellaneousDaemons.configuressh

Page 50

Block anything you are not asked about explicitly, including all incoming traffic. If this is the first time you are using HP-UX Bastille to configure your firewall, you will be asked about several service specific options if the applicable software appears to be installed. If you have already configured a firewall using HP-UX Bastille, you will only be asked about protocols which are currently allowed by the HP-UX Bastille configuration.

IMPORTANT: Manual action required to complete this configuration. See the TODO.txt file for details.

Actions Setup a basic default-deny firewall configuration.

IPFilter.install_ipfilter

Headline	Provide information on how to get a copy of IPFilter.
Default	Y
Description	Firewalls generally make up the first line of defense in any network security
	architecture. IPFilter is a free host-based firewall which is available for HP-UX.
	It looks like you have IPFilter installed, but that does not mean that it is
	configured. HP-UX Bastille cannot detect whether the rule-set is appropriate
	for your needs.
Actions	Provide information on how to get a copy of IPFilter in TODO.txt.

MiscellaneousDaemons.configure_ssh

Headline	Configure the HP-UX Secure Shell daemon to use generally-accepted defaults.
Default	N
Description	Secure Shell is one of the most important tools in the administrator security
	toolkit. It enables remote secure login and command execution, and can wrap
	otherwise-unauthenticated and non-protected X11 traffic in a secure SSL
	tunnel. This item configures SSH to conform with some generally-accepted
	best practices. This item configures:
	• Use only protocol 2, a protocol generally considered more secure
	• Ignore rhosts, to avoid trusting remote hosts to assert user id without
		user-based authentication
	• Forward X11 traffic, if any, in a secure SSL tunnel
	• Block use of accounts with empty passwords
	• Use the contents of /etc/issue (also set in HP-UX Bastille) as the login
		banner
Actions	Set the following parameters in /etc/opt/ssh/sshd_config:
	•	Protocol–2
	•	X11Forwarding–yes
	•	IgnoreRhosts–yes
	•	RhostsAuthentication–no
	•	RhostsRSAAuthentication–no
	•	PermitRootLogin–no
	•	PermitEmptyPasswords–no
	•	Banner– /etc/issue

MiscellaneousDaemons.diagnostics_localonly

Headline	Restrict the diagnostic daemon to local connections.
Default	N

50 Question modules

Image 50

Contents HP-UX Bastille Version B.3.3 User Guide Trademark Acknowledgments Table of Contents Index List of Figures HP-UX Bastille user interface Standard assessment reportList of Tables Question modules Security levelsFeatures and benefits About this productSupport CompatibilityPerformance Installation Installing HP-UX BastilleInstallation requirements Page Using HP-UX Bastille Creating a security configuration profileIf the Path environment variable has not been updated, use 1shows the main screen of the HP-UX Bastille user interfaceConfiguring a system Assessing a systemConfiguration for the corresponding question is not Using scored reportsAccepted standard configurations are detected Is not always detected. HP-UX Bastille might not detect allScored assessment report Reverting # bastille -rFor more information, see bastilledrift1M Monitoring driftLocating files Var/opt/secmgmt/bastille/log/Assessment/Drift.txt If the file exists, complete the actions listed Removing HP-UX BastilleCheck for a TOREVERT.txt file Page Known issues and workarounds TroubleshootingDiagnostic tips General use tipsHP-UX Bastille configures a firewall using IPFilter Problems opening, copying, or reading filesErrors related to individual configuration files Cannot use X because $DISPLAY is not setRelated information Support and other resourcesContacting HP Typographic conventions Supplement important points of the main text Or damage to hardware or softwareTo complete a task Page Install-Time Security ITS using HP-UX Bastille Choosing security levelsEnable kernel-based stack execute protection Table A-3 Additional Sec20MngDMZ security settings1 Selecting security levels during installation Choosing security dependenciesConfiguring Sec10Host level Configuring HP-UX Bastille for use with ServiceguardConfiguring Sec20MngDMZ or Sec30DMZ security levels Page Question modules AccountSecurity.crontabsfile AccountSecurity.guiloginAccountSecurity.hidepasswords AccountSecurity.cronuserAccountSecurity.NUMBEROFLOGINSALLOWED AccountSecurity.MINPASSWORDLENGTHAccountSecurity.NOLOGIN AccountSecurity.lockaccountnopasswdAccountSecurity.PASSWORDHISTORYDEPTHyn AccountSecurity.NUMBEROFLOGINSALLOWEDynAccountSecurity.PASSWORDHISTORYDEPTH AccountSecurity.PASSWORDMAXDAYSAccountSecurity.singleuserpassword AccountSecurity.passwordpoliciesAccountSecurity.serialportlogin AccountSecurity.restricthomeAccountSecurity.systemauditing AccountSecurity.SUDEFAULTPATHAccountSecurity.SUDEFAULTPATHyn AccountSecurity.umaskAccountSecurity.userdotfiles AccountSecurity.umaskynAccountSecurity.unownedfiles AccountSecurity.userrcfilesDNS.chrootbind Apache.chrootapacheApache.deactivatehpwsapache FilePermissions.worldwriteable FTP.ftpusersHPUX.ndd HPUX.mailconfigHPUX.guibanner HPUX.othertools HPUX.scanports HPUX.screensavertimeoutHPUX.restrictswacls HPUX.stackexecuteIPFilter.blockDNSquery HPUX.tcpisnIPFilter.blockcfservd You are managing some remote Hids agents, answer no IPFilter.blockhpidsadminIPFilter.blockhpidsagent Hids does notIPFilter.blockping Default 192.168.1.0/255.255.255.0 DescriptionIPFilter.blocknetrange IPFilter.blockSecureShellIPFilter.blockwbem IPFilter.blockwebadminIPFilter.configureipfilter Otherwise, answer no to this questionPage MiscellaneousDaemons.diagnosticslocalonly IPFilter.installipfilterMiscellaneousDaemons.configuressh MiscellaneousDaemons.disablepwgrd MiscellaneousDaemons.disablebindMiscellaneousDaemons.disableptydaemon MiscellaneousDaemons.disablerbootdMiscellaneousDaemons.nfscore MiscellaneousDaemons.disablesmbclientMiscellaneousDaemons.disablesmbserver MiscellaneousDaemons.nobodysecurerpcMiscellaneousDaemons.sysloglocalonly MiscellaneousDaemons.xaccessOtherbootserv Patches.spcproxyyn Patches.spccronrunPatches.spccrontime Patches.spcrunSecureInetd.banners SecureInetd.deactivatebootpPrinting.printing SecureInetd.deactivatefinger SecureInetd.deactivatebuiltinSecureInetd.deactivatedttools SecureInetd.deactivateftpSecureInetd.deactivatentalk SecureInetd.deactivateidentSecureInetd.deactivatektools SecureInetd.deactivateprinterSecureInetd.deactivatertools SecureInetd.deactivaterecservSecureInetd.deactivaterquotad SecureInetd.deactivateswatSecureInetd.deactivateuucp SecureInetd.deactivatetftpSecureInetd.deactivatetime SecureInetd.ftploggingSecureInetd.owner SecureInetd.loginetdSecureInetd.inetdgeneral Sendmail.sendmailcronSendmail.sendmaildaemon Sendmail.vrfyexpnPage Sample weight files All.weightCIS.weight Sample weight file below aligns with the CIS standardCIS.weight Page CIS mapping to HP-UX Bastille CIS IDApache.deactivatehpwsapache AccountSecurity.lockaccountnopasswd Page Index