HP UX Bastille Software manual Patches.spccronrun, Patches.spccrontime, Patches.spcproxyyn

Page 54

sometimes configured to provide network services to other systems. Disable these services unless you know of a specific reason to leave them enabled.

Actions

Kill processes: mrouted, rwhod, rarpd, rdpd, snapdaemon

Set MROUTED=0 in /etc/rc.config.d/netdaemons

Set RWHOD=0 in /etc/rc.config.d/netdaemons

Set RARPD=0 in /etc/rc.config.d/netconf

Set RDPD=0 in /etc/rc.config.d/netconf

Set START_SNAPLUS=0 in /etc/rc.config.d/snaplus2
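The actions above each set a variable to 0 in an /etc/rc.config.d file. The following is an added example (not HP-UX Bastille's own code) of doing that idempotently and then verifying the result; the file and variable names in the usage comment are the ones listed above, the functions and the sample file in the test are constructed.

```shell
#!/bin/sh
# Added example, not HP-UX Bastille's own code: make a KEY=VALUE assignment in an
# /etc/rc.config.d style file exactly once, then verify it. Uses only POSIX sh,
# awk and mv so it also runs on HP-UX, where sed has no -i option.

# set_rc_var FILE KEY VALUE: rewrite an existing KEY= line in place (commented-out
# copies such as "# KEY=1" are left alone) or append one if KEY is absent.
# KEY is expected to be a plain variable name, as in MROUTED or START_SNAPLUS.
set_rc_var() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        $0 ~ "^[ \t]*" k "=" { print k "=" v; seen = 1; next }
        { print }
        END { if (!seen) print k "=" v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# rc_vars_set_to FILE VALUE KEY...: return 0 when every KEY is assigned exactly
# VALUE, 1 otherwise. The last assignment wins, as it does when the file is
# sourced by the rc scripts. Useful as a drift check after the change.
rc_vars_set_to() {
    file=$1 value=$2
    shift 2
    for key in "$@"; do
        cur=$(awk -F= -v k="$key" '$1 ~ "^[ \t]*" k "$" { v = $2 } END { print v }' "$file")
        [ "$cur" = "$value" ] || return 1
    done
    return 0
}

# Usage, mirroring the actions listed above:
#   set_rc_var /etc/rc.config.d/netdaemons MROUTED 0
#   set_rc_var /etc/rc.config.d/netdaemons RWHOD 0
#   rc_vars_set_to /etc/rc.config.d/netdaemons 0 MROUTED RWHOD && echo "disabled"
```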

Patches.spc_cron_run

Headline

Set up a cron job to run SWA or SPC.

Default

Y

Description

HP-UX Bastille can configure Software Assistant (SWA), or Security Patch Check (SPC) to run daily using the cron scheduling daemon. Keeping a system secure requires constant vigilance. Staying up-to-date on security bulletins issued by Hewlett-Packard is critical. These tools are the easiest way to make sure this system is compliant with the steps required in HP security bulletins. A subscription to the HP security bulletin mailing list provides the latest security fixes from HP.

NOTE:

This question is asked whether or not you have Software Assistant, or Security Patch Check installed so that HP-UX Bastille can pre-configure cron to run these applications after they are installed.

NOTE:

HP recommends SWA. SPC uses FTP, a clear-text, unauthenticated protocol.

Register for notification of all HP security bulletins at http://www.itrc.hp.com. Click on Maintenance and Support for HP Products then select Support Information Digests.

Actions

Set a daily cron job to run SWA or SPC.

Patches.spc_cron_time

Headline

Set hour for a security bulletin compliance report.

Default

11

Description

Specify a number between 0 and 23, corresponding to the hour in your time zone that is most convenient to run a security bulletin compliance report. For example, if you specify 0, Security Patch Check runs between 12:00 A.M. and 12:59 A.M. in your local time zone. If you specify 23, the security bulletin compliance report runs between 11:00 P.M. and 11:59 P.M.

Actions

Parameter only.

Patches.spc_proxy_yn

Headline

Does this machine require a proxy to ftp to the Internet?

Default

N

Description

Sets spc_proxy_yn.

Actions

None.

Patches.spc_run

Headline

Run SWA/SPC.

Default

Y

Description

Patching, updating, and configuring software to address known security vulnerabilities is important for securing a system. SWA and SPC are tools

54 Question modules
