HP UX Bastille Software MiscellaneousDaemons.disablebind, MiscellaneousDaemons.disableptydaemon

Page 51

Description

The HP-UX diagnostics daemon can listen on a network port. The diagnostics GUI can be run remotely for administrators and support personnel to find and fix hardware problems. Later versions of this daemon have the option to only listen to local UNIX domain sockets. This way, the GUI can still be run locally to diagnose hardware problems, but it does not allow a network attacker to take advantage of any vulnerabilities that might be found in the future.

Actions

Stop the diagnostics daemon.

Create the /var/stm/config/sys/local_only file.

Start the daemon.

MiscellaneousDaemons.disable_bind

Headline

Disable the Bind/DNS server on this system.

Default

Y

Description

The DNS server, Bind, is a useful but easily spoofed infrastructure for mapping IP addresses to their associated host names. If this system is not a DNS server, disable Bind to reduce the risk to this system if an exploit is discovered.

Actions

If running, stop the named process.

Set NAMED=0 in /etc/rc.config.d/namesvrs.

MiscellaneousDaemons.disable_ptydaemon

Headline

Disable both the ptydaemon and vtdaemon.

Default

N

Description

The ptydaemon is used by the shell layers (shl) software. The shl utility is an alternative to job control. If no one on your system is going to use shl, you can safely turn the ptydaemon off.

Actions

If running, stop the ptydaemon process.

Set PTYDAEMON_START=0 in /etc/rc.config.d/ptydaemon.

MiscellaneousDaemons.disable_pwgrd

Headline

Disable pwgrd.

Default

N

Description

The pwgrd utility is the Password and Group Hashing and Caching daemon. It provides accelerated lookup of password and group information for libc routines such as getpwuid and getgrnam. However, on systems with normal sized (less than 50 entries) password files, pwgrd slows lookups due to UNIX domain sockets overhead. The security benefit of turning this service off is also based on the principle of minimalism: this daemon runs as root and accepts input from non-privileged users.

Actions

If running, stop the pwgrd process.

Set PWGR=0 in /etc/rc.config.d/pwgr.
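The shell script below is an added example; it is not part of the HP-UX Bastille guide or of the Bastille code. It applies the "Set ...=0" actions of the disable_bind, disable_ptydaemon and disable_pwgrd modules and creates the diagnostics daemon's /var/stm/config/sys/local_only file in a scratch copy of the file tree, then checks that every setting is in its hardened state, the way a drift check would. The function names, the scratch root and the sample file contents are assumptions made for this example; stopping the running daemons (the first action of each module) is done separately and is not covered here.

```sh
#!/bin/sh
# Added example, not from the HP-UX Bastille guide. Works on a scratch copy of
# the file tree so no real system files are touched; on a real HP-UX host the
# root would be / and the daemons would be stopped before editing.

# set_rc_var FILE KEY VALUE: replace an existing KEY=... line, or append one.
# Writes through a temp file because HP-UX sed has no -i option. The anchor
# "^KEY=" keeps NAMED= from matching NAMED_ARGS= and leaves comments intact.
set_rc_var() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        tmp="${file}.tmp.$$"
        sed "s/^${key}=.*/${key}=${value}/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# rc_var_value FILE KEY: print the last KEY=... value (quotes stripped), or nothing.
rc_var_value() {
    grep "^${2}=" "$1" 2>/dev/null | tail -n 1 | sed 's/^[^=]*=//; s/^"\(.*\)"$/\1/'
}

# make_sample_tree ROOT: constructed stand-ins for the real rc.config.d files,
# with the daemons enabled, so the hardening has something to change.
make_sample_tree() {
    mkdir -p "$1/etc/rc.config.d" "$1/var/stm/config/sys"
    printf '# constructed sample of /etc/rc.config.d/namesvrs\nNAMED=1\nNAMED_ARGS=""\n' \
        > "$1/etc/rc.config.d/namesvrs"
    printf '# constructed sample of /etc/rc.config.d/ptydaemon\nPTYDAEMON_START=1\n' \
        > "$1/etc/rc.config.d/ptydaemon"
    printf '# constructed sample of /etc/rc.config.d/pwgr\nPWGR=1\n' \
        > "$1/etc/rc.config.d/pwgr"
    rm -f "$1/var/stm/config/sys/local_only"
}

# harden_misc_daemons ROOT: the persistent actions of the three modules plus
# the local_only flag file for the diagnostics daemon.
harden_misc_daemons() {
    set_rc_var "$1/etc/rc.config.d/namesvrs" NAMED 0             # disable_bind
    set_rc_var "$1/etc/rc.config.d/ptydaemon" PTYDAEMON_START 0  # disable_ptydaemon
    set_rc_var "$1/etc/rc.config.d/pwgr" PWGR 0                  # disable_pwgrd
    mkdir -p "$1/var/stm/config/sys"
    : > "$1/var/stm/config/sys/local_only"                        # diagnostics local only
}

# check_misc_daemons ROOT: return 0 only if every setting is in its hardened
# state; the kind of check a drift report would run.
check_misc_daemons() {
    [ "$(rc_var_value "$1/etc/rc.config.d/namesvrs" NAMED)" = 0 ] || return 1
    [ "$(rc_var_value "$1/etc/rc.config.d/ptydaemon" PTYDAEMON_START)" = 0 ] || return 1
    [ "$(rc_var_value "$1/etc/rc.config.d/pwgr" PWGR)" = 0 ] || return 1
    [ -f "$1/var/stm/config/sys/local_only" ] || return 1
}

# Demonstration on a scratch tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
check_misc_daemons "$demo_root" && echo "before: hardened" || echo "before: not hardened"
harden_misc_daemons "$demo_root"
check_misc_daemons "$demo_root" && echo "after: hardened" || echo "after: not hardened"
cat "$demo_root/etc/rc.config.d/namesvrs"
rm -rf "$demo_root"
```

Running harden_misc_daemons a second time changes nothing, so the same script can serve as both the remediation and the recurring check: the existing NAMED=1 line is rewritten in place rather than appended, comments and unrelated variables such as NAMED_ARGS are preserved, and a missing file is created with only the one assignment.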

MiscellaneousDaemons.disable_rbootd

Headline

Deactivate rbootd.

Default

Y

Description

The rbootd daemon is used for the RMP protocol, which is a predecessor to the "bootp" protocol, which serves DHCP. Unless you are using this machine to serve dynamic IP addresses to very old HP-UX systems (prior to 10.0, or older than s712), you have no reason to run this.
