HP UX Bastille Software manual MiscellaneousDaemons.disablesmbclient, MiscellaneousDaemons.nfscore

Page 52

Actions	If running, stop process rbootd.
	Set START_RBOOTD=0 in /etc/rc.config.d/netdaemons.

MiscellaneousDaemons.disable_smbclient

Headline	Disable the HP-UX CIFS client.
Default	Y
Description	CIFS can be used to share files and other resources between computers. The
	CIFS product suite integrates HP-UX with Microsoft Windows environments
	by providing remote file sharing, printer access and authentication services
	between HP-UX and Windows systems.
Actions	If running. stop process cifsclient.
	Set RUN_CIFSCLIENT=0 in /etc/rc.config.d/cifsclient.

MiscellaneousDaemons.disable_smbserver

Headline	Disable the HP-UX CIFS (Samba) Server.
Default	N
Description	CIFS can be used to share files and other resources between computers. The
	CIFS product suite integrates HP-UX with Microsoft Windows environments
	by providing remote file sharing, printer access, and authentication services
	between HP-UX and Windows systems.
Actions	If running, stop processes smbd and nmbd.
	Set RUN_SAMBA=0 in /etc/rc.config.d/samba.

MiscellaneousDaemons.nfs_core

Headline	Disable the NFS and RPC infrastructure.
Default	N
Description	RPC is a traditional part of UNIX used in a variety of UNIX services, including
	NIS, NFS, and others. If you are sure you are not using a service that is affected,
	you may disable RPC. RPC has had security issues in the past and by default
	does not support a strong authentication mechanism. If you disable the core
	NFS infrastructure, HP-UX Bastille disables NIS, NIS+ and NFS.
Actions	Stop and disable NIS/NIS+ Server and Client.
	Stop and disable NFS Server and Client.
	Set NFS_CORE=0 in /etc/rc.config.d/nfsconf.

MiscellaneousDaemons.nobody_secure_rpc

Headline	Disable the nobody user in the ONC Secure RPC
Default	N
Description	Secure RPC is a cryptographically authenticated means to communicate with
	a system. By configuring keyserv to prevent the use of default keys for the
	nobody user, other users are prevented from accessing the nobody user with
	default credentials. This is a safer way to operate Secure RPC.
Actions	Add the -dflag to the KEYSERV_OPTIONS= parameter line in /etc/
	rc.config.d/namesvrs.

MiscellaneousDaemons.snmpd

Headline	Disable SNMPD.
Default	N

52 Question modules

Image 52

Contents HP-UX Bastille Version B.3.3 User Guide Trademark Acknowledgments Table of Contents Index List of Figures HP-UX Bastille user interface Standard assessment reportList of Tables Question modules Security levelsFeatures and benefits About this productPerformance CompatibilitySupport Installation requirements Installing HP-UX BastilleInstallation Page Using HP-UX Bastille Creating a security configuration profileIf the Path environment variable has not been updated, use 1shows the main screen of the HP-UX Bastille user interfaceConfiguring a system Assessing a systemUsing scored reports Accepted standard configurations are detectedConfiguration for the corresponding question is not Is not always detected. HP-UX Bastille might not detect allScored assessment report Reverting # bastille -rLocating files Monitoring driftFor more information, see bastilledrift1M Var/opt/secmgmt/bastille/log/Assessment/Drift.txt Check for a TOREVERT.txt file Removing HP-UX BastilleIf the file exists, complete the actions listed Page Troubleshooting Diagnostic tipsKnown issues and workarounds General use tipsProblems opening, copying, or reading files Errors related to individual configuration filesHP-UX Bastille configures a firewall using IPFilter Cannot use X because $DISPLAY is not setContacting HP Support and other resourcesRelated information Typographic conventions To complete a task Or damage to hardware or softwareSupplement important points of the main text Page Install-Time Security ITS using HP-UX Bastille Choosing security levelsEnable kernel-based stack execute protection Table A-3 Additional Sec20MngDMZ security settings1 Selecting security levels during installation Choosing security dependenciesConfiguring Sec20MngDMZ or Sec30DMZ security levels Configuring HP-UX Bastille for use with ServiceguardConfiguring Sec10Host level Page Question modules AccountSecurity.guilogin AccountSecurity.hidepasswordsAccountSecurity.crontabsfile AccountSecurity.cronuserAccountSecurity.MINPASSWORDLENGTH AccountSecurity.NOLOGINAccountSecurity.NUMBEROFLOGINSALLOWED AccountSecurity.lockaccountnopasswdAccountSecurity.NUMBEROFLOGINSALLOWEDyn AccountSecurity.PASSWORDHISTORYDEPTHAccountSecurity.PASSWORDHISTORYDEPTHyn AccountSecurity.PASSWORDMAXDAYSAccountSecurity.passwordpolicies AccountSecurity.serialportloginAccountSecurity.singleuserpassword AccountSecurity.restricthomeAccountSecurity.SUDEFAULTPATH AccountSecurity.SUDEFAULTPATHynAccountSecurity.systemauditing AccountSecurity.umaskAccountSecurity.umaskyn AccountSecurity.unownedfilesAccountSecurity.userdotfiles AccountSecurity.userrcfilesApache.deactivatehpwsapache Apache.chrootapacheDNS.chrootbind FilePermissions.worldwriteable FTP.ftpusersHPUX.guibanner HPUX.mailconfigHPUX.ndd HPUX.othertools HPUX.screensavertimeout HPUX.restrictswaclsHPUX.scanports HPUX.stackexecuteIPFilter.blockcfservd HPUX.tcpisnIPFilter.blockDNSquery IPFilter.blockhpidsadmin IPFilter.blockhpidsagentYou are managing some remote Hids agents, answer no Hids does notDefault 192.168.1.0/255.255.255.0 Description IPFilter.blocknetrangeIPFilter.blockping IPFilter.blockSecureShellIPFilter.blockwebadmin IPFilter.configureipfilterIPFilter.blockwbem Otherwise, answer no to this questionPage MiscellaneousDaemons.configuressh IPFilter.installipfilterMiscellaneousDaemons.diagnosticslocalonly MiscellaneousDaemons.disablebind MiscellaneousDaemons.disableptydaemonMiscellaneousDaemons.disablepwgrd MiscellaneousDaemons.disablerbootdMiscellaneousDaemons.disablesmbclient MiscellaneousDaemons.disablesmbserverMiscellaneousDaemons.nfscore MiscellaneousDaemons.nobodysecurerpcOtherbootserv MiscellaneousDaemons.xaccessMiscellaneousDaemons.sysloglocalonly Patches.spccronrun Patches.spccrontimePatches.spcproxyyn Patches.spcrunPrinting.printing SecureInetd.deactivatebootpSecureInetd.banners SecureInetd.deactivatebuiltin SecureInetd.deactivatedttoolsSecureInetd.deactivatefinger SecureInetd.deactivateftpSecureInetd.deactivateident SecureInetd.deactivatektoolsSecureInetd.deactivatentalk SecureInetd.deactivateprinterSecureInetd.deactivaterecserv SecureInetd.deactivaterquotadSecureInetd.deactivatertools SecureInetd.deactivateswatSecureInetd.deactivatetftp SecureInetd.deactivatetimeSecureInetd.deactivateuucp SecureInetd.ftploggingSecureInetd.loginetd SecureInetd.inetdgeneralSecureInetd.owner Sendmail.sendmailcronSendmail.sendmaildaemon Sendmail.vrfyexpnPage Sample weight files All.weightCIS.weight Sample weight file below aligns with the CIS standardCIS.weight Page CIS mapping to HP-UX Bastille CIS IDApache.deactivatehpwsapache AccountSecurity.lockaccountnopasswd Page Index