HP UX Bastille Software manual MiscellaneousDaemons.disablesmbclient, MiscellaneousDaemons.nfscore

Page 52

Actions

If running, stop process rbootd.

Set START_RBOOTD=0 in /etc/rc.config.d/netdaemons.

MiscellaneousDaemons.disable_smbclient

Headline

Disable the HP-UX CIFS client.

Default

Y

Description

CIFS can be used to share files and other resources between computers. The CIFS product suite integrates HP-UX with Microsoft Windows environments by providing remote file sharing, printer access and authentication services between HP-UX and Windows systems.

Actions

If running, stop process cifsclient.

Set RUN_CIFSCLIENT=0 in /etc/rc.config.d/cifsclient.

MiscellaneousDaemons.disable_smbserver

Headline

Disable the HP-UX CIFS (Samba) Server.

Default

N

Description

CIFS can be used to share files and other resources between computers. The CIFS product suite integrates HP-UX with Microsoft Windows environments by providing remote file sharing, printer access, and authentication services between HP-UX and Windows systems.

Actions

If running, stop processes smbd and nmbd.

Set RUN_SAMBA=0 in /etc/rc.config.d/samba.

MiscellaneousDaemons.nfs_core

Headline

Disable the NFS and RPC infrastructure.

Default

N

Description

RPC is a traditional part of UNIX used in a variety of UNIX services, including NIS, NFS, and others. If you are sure you are not using a service that is affected, you may disable RPC. RPC has had security issues in the past and by default does not support a strong authentication mechanism. If you disable the core NFS infrastructure, HP-UX Bastille disables NIS, NIS+ and NFS.

Actions

Stop and disable NIS/NIS+ Server and Client.

Stop and disable NFS Server and Client.

Set NFS_CORE=0 in /etc/rc.config.d/nfsconf.

MiscellaneousDaemons.nobody_secure_rpc

Headline

Disable the nobody user in the ONC Secure RPC.

Default

N

Description

Secure RPC is a cryptographically authenticated means to communicate with a system. By configuring keyserv to prevent the use of default keys for the nobody user, other users are prevented from accessing the nobody user with default credentials. This is a safer way to operate Secure RPC.

Actions

Add the -d flag to the KEYSERV_OPTIONS= parameter line in /etc/rc.config.d/namesvrs.
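
The Actions listed for rbootd, the CIFS client, the CIFS (Samba) server, the NFS core and keyserv each leave one setting in a file under /etc/rc.config.d, so they can be verified after a run. The following POSIX sh audit is an added example, not part of the HP manual or of HP-UX Bastille. It assumes the files hold plain VAR=value assignments; the function names (rc_value, check, audit_page, make_sample) and the sample files are constructed for illustration.

```shell
# Added example (not HP-UX Bastille code): audit the settings named above.
RC_DIR="${RC_DIR:-/etc/rc.config.d}"   # point at a copy to audit offline

# Print the effective (last uncommented) value of variable $2 in file $1.
rc_value() {
    [ -r "$1" ] || return 1
    awk -v var="$2" '
        {
            sub(/^[ \t]*(export[ \t]+)?/, "")    # leading blanks, "export"
            if (index($0, var "=") != 1) next    # also skips "#VAR=..." lines
            val = substr($0, length(var) + 2)
            sub(/[ \t]+#.*$/, "", val); sub(/[ \t]+$/, "", val)
            gsub(/^"|"$/, "", val)               # surrounding double quotes
            found = 1; last = val
        }
        END { if (!found) exit 1; print last }' "$1"
}

# check FILE VAR is|has WANT: "is" = whole value, "has" = one word of the value.
check() {
    val=$(rc_value "$RC_DIR/$1" "$2") || { echo "FAIL $1: $2 not set"; return 1; }
    case "$3" in
        is)  if [ "$val" = "$4" ]; then echo "PASS $1: $2=$val"; return 0; fi ;;
        has) for w in $val; do
                 if [ "$w" = "$4" ]; then echo "PASS $1: $2 has $4"; return 0; fi
             done ;;
    esac
    echo "FAIL $1: $2=\"$val\", expected $3 $4"; return 1
}

# Checks all five settings; drop the line for any question answered N.
audit_page() {
    rc=0
    check netdaemons START_RBOOTD    is  0  || rc=1
    check cifsclient RUN_CIFSCLIENT  is  0  || rc=1
    check samba      RUN_SAMBA       is  0  || rc=1
    check nfsconf    NFS_CORE        is  0  || rc=1
    check namesvrs   KEYSERV_OPTIONS has -d || rc=1
    return "$rc"
}

# Constructed sample files (not from a real host): Samba is still enabled.
make_sample() {
    mkdir -p "$1" || return 1
    printf 'START_RBOOTD=1\nSTART_RBOOTD=0  # last one wins\n' > "$1/netdaemons"
    printf 'RUN_CIFSCLIENT=0\n' > "$1/cifsclient"
    printf '#RUN_SAMBA=0\nRUN_SAMBA=1\n' > "$1/samba"
    printf 'NFS_CORE=0\n' > "$1/nfsconf"
    printf 'KEYSERV_OPTIONS="-d"\n' > "$1/namesvrs"
}
```

On a live host, leave RC_DIR unset and call audit_page; a non-zero return means at least one setting differs from the Actions listed.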

MiscellaneousDaemons.snmpd

Headline

Disable SNMPD.

Default

N
