HP UX Bastille Software manual MiscellaneousDaemons.sysloglocalonly, MiscellaneousDaemons.xaccess


Description

The simple network management protocol (SNMP) aids in the management of machines over the network. This can be a powerful method of monitoring and administering a set of networked machines. If you use network management software to maintain the computers on your network, you should audit the way in which SNMP is used by that software.

• Use SNMPv3 wherever possible.

• Set restrictive access control lists.

• Block SNMP traffic at your firewall.

• Disable the SNMP daemons.

The average home user or standalone server has no reason to run these daemons. Depending on their default configuration, these daemons could be a major security risk. However, if configured correctly and used in conjunction with management software, these daemons can dramatically improve accessibility and response time to problems when they occur. If this is disabled, network management software such as HP Openview, which relies on SNMP, does not work.

Actions

If it is running, stop the snmpdm process.

Set SNMP_HPUNIX_START=0 in /etc/rc.config.d/Hpunix.

Set SNMP_MASTER_START=0 in /etc/rc.config.d/Master.

Set SNMP_MIB2_START=0 in /etc/rc.config.d/Master.

Set SNMP_TRAPDEST_START=0 in /etc/rc.config.d/TrpDst.

MiscellaneousDaemons.syslog_localonly

Headline

Restrict the system logging daemon to local connections.

Default

N

Description

The system logging daemon syslogd listens on network ports to support remote logging facilities. Remote logging can be helpful for security reasons because if an attacker gains access to a single machine, he can probably modify or delete the logs on that machine. Storing the logs on another machine can help with forensics and incident response, even if the logs have been tampered with on the local machine.

Actions

Add the -N flag to the SYSLOGD_OPTS= parameter line in /etc/rc.config.d/syslogd.

MiscellaneousDaemons.xaccess

Headline

Disallow remote X logins.

Default

N

Description

XDMCP is an unencrypted protocol that allows remote connections to an X server. This protocol is commonly used by dumb graphics terminals and PC-based X-emulation software to bring up a remote login and desktop.

Actions

If the /etc/dt/config/Xconfig file does not exist, create it from /usr/dt/config/Xconfig.

Append the Dtlogin.requestPort:0 line to the /etc/dt/config/Xconfig file.
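The script below is an added example, not part of the HP manual or of HP-UX Bastille: it checks whether the settings listed under Actions for the SNMP daemons, syslog_localonly and xaccess are in place. File and variable names are taken as written on this page; the function names, the path-prefix argument and the sample tree are assumptions made for the example.

```sh
# Added example (not from the HP manual): audit the "Actions" settings above.
# $1 is a path prefix, an assumption that lets a copied tree be checked.
# Print the last assignment of variable $2 in rc file $1, comment/quotes stripped.
rc_value() {
    [ -r "$1" ] || return 1
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*#.*//; s/"//g; s/[[:space:]]*$//'
}

# Succeed only if every SNMP start variable listed on the page is 0.
snmp_disabled() {
    rc=0
    for pair in Hpunix:SNMP_HPUNIX_START Master:SNMP_MASTER_START \
                Master:SNMP_MIB2_START TrpDst:SNMP_TRAPDEST_START; do
        file="$1/etc/rc.config.d/${pair%%:*}"; var="${pair#*:}"
        [ "$(rc_value "$file" "$var")" = "0" ] || { echo "FAIL $var in $file"; rc=1; }
    done
    return $rc
}

# Succeed if SYSLOGD_OPTS carries -N as a separate option.
syslog_local_only() {
    case " $(rc_value "$1/etc/rc.config.d/syslogd" SYSLOGD_OPTS) " in
        *" -N "*) return 0 ;;
    esac
    echo "FAIL SYSLOGD_OPTS lacks -N"; return 1
}

# Succeed if the last Dtlogin.requestPort line in Xconfig sets port 0.
xdmcp_disabled() {
    last=$(grep '^[[:space:]]*Dtlogin\.requestPort:' "$1/etc/dt/config/Xconfig" 2>/dev/null | tail -n 1)
    [ "$(printf '%s' "${last#*:}" | tr -d '[:space:]')" = "0" ] && return 0
    echo "FAIL Dtlogin.requestPort is not 0"; return 1
}

# Constructed sample tree: MIB2 still enabled, syslogd without -N, XDMCP off.
demo_root() {
    d="${TMPDIR:-/tmp}/bastille-audit.$$"
    (umask 077; mkdir "$d") && mkdir -p "$d/etc/rc.config.d" "$d/etc/dt/config" || return 1
    echo 'SNMP_HPUNIX_START=0' > "$d/etc/rc.config.d/Hpunix"
    printf 'SNMP_MASTER_START=0\nSNMP_MIB2_START=1\n' > "$d/etc/rc.config.d/Master"
    echo 'SNMP_TRAPDEST_START=0' > "$d/etc/rc.config.d/TrpDst"
    echo 'SYSLOGD_OPTS="-D"' > "$d/etc/rc.config.d/syslogd"
    echo 'Dtlogin.requestPort: 0' > "$d/etc/dt/config/Xconfig"
    echo "$d"
}
root=${1-$(demo_root)}   # no argument: audit the constructed sample tree
for check in snmp_disabled syslog_local_only xdmcp_disabled; do
    "$check" "$root" && echo "OK   $check" || true
done
```

Run it with `/` as the argument to check the live system; a missing file is reported as a failure for the settings it should contain.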

other_boot_serv

Headline

Deactivate uncommon legacy boot services.

Default

Y

Description

The services mrouted, rwhod, ddfs, rarpd, rdpd, and snaplus2 are not usually used on standalone or specific-purpose servers. These services are
