HP-UX Bastille Software manual: Printing.printing, SecureInetd.banners, SecureInetd.deactivate_bootp

Page 55

which analyze the software installed on the system. HP-UX Bastille runs SWA if version C.01.01 or later is installed; otherwise, it uses SPC to create a security-compliance report. The security-compliance report lists:

Installed patches that have warnings (recalls) issued by HP.

Security patches announced by HP that will fix installed software but have not been applied.

Currently installed patches not properly configured.

Software that needs to be removed or updated to comply with a bulletin.

Manual actions necessary to bring the server to bulletin compliance.

SWA and SPC can work through a proxy-type firewall to download current catalogs from HP with security and patch-warning information. Bulletin compliance requires vigilance: new vulnerabilities are found and fixed on a regular basis. HP recommends running one of these tools frequently, such as in a nightly cron job (a separate question covers this). HP also recommends that you subscribe to the HP Security Bulletin mailing list.

NOTE: SPC falls back to the clear-text protocols FTP or HTTP if a link cannot be established with HTTPS. The output of this tool is appended to the TODO.txt file generated by HP-UX Bastille so that you can apply the necessary patches.

IMPORTANT: Manual action required to complete this configuration. See TODO.txt file for details.

Actions

HP-UX Bastille runs SWA or SPC.

Printing.printing

Headline

Disable printing.

Default

N

Description

If this machine does not print, stop the print scheduler and disable the associated print daemon utilities. On Linux, this includes restricting the daemon file permissions. On HP-UX, this includes disabling the xprintserver and pd client services where applicable.

Actions

If running, stop the lpsched and pdclientd processes.

Set XPRINTSERVERS= in /etc/rc.config.d/tps.

Set LP=0 in /etc/rc.config.d/lp.

Set PD_CLIENT=0 in /etc/rc.config.d/pd.
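The three configuration-file edits above are idempotent KEY=VALUE changes to sh fragments under /etc/rc.config.d. The following POSIX sh script is an added example, not code from the HP-UX Bastille guide or from the Bastille project: it applies those three settings and audits whether a directory of rc.config.d files already satisfies them. It deliberately omits the "stop lpsched/pdclientd" step, which is a runtime action rather than a file edit, and its demo works on constructed files in a scratch directory so it can run on any POSIX system; point it at /etc/rc.config.d as root to audit or remediate a real host.

```shell
#!/bin/sh
# Added example (not from the HP-UX Bastille guide): apply and audit the
# /etc/rc.config.d settings listed under Printing.printing Actions.
# The demo below works in a scratch directory with constructed contents.

# set_rc_var FILE KEY VALUE: replace an existing KEY= assignment in FILE, or
# append one if FILE has none. HP-UX sed has no -i, so write a temporary copy
# and move it into place. VALUE must not contain '|' or '&' (sed delimiters).
set_rc_var() {
    rc_file=$1; rc_key=$2; rc_val=$3
    if [ -f "$rc_file" ] && grep "^${rc_key}=" "$rc_file" >/dev/null 2>&1; then
        sed "s|^${rc_key}=.*|${rc_key}=${rc_val}|" "$rc_file" > "${rc_file}.tmp" \
            && mv "${rc_file}.tmp" "$rc_file"
    else
        printf '%s=%s\n' "$rc_key" "$rc_val" >> "$rc_file"
    fi
}

# rc_var_value FILE KEY: print the value of the last KEY= line in FILE (the
# last assignment wins when the fragment is sourced); print nothing if unset.
rc_var_value() {
    [ -f "$1" ] || return 0
    sed -n "s/^$2=//p" "$1" | sed -n '$p'
}

# printing_compliant DIR: return 0 when all three settings from the Actions
# list hold in DIR (normally /etc/rc.config.d), 1 otherwise, naming each miss.
# An unset XPRINTSERVERS counts as empty, since nothing is started either way.
printing_compliant() {
    dir=$1; rc=0
    [ "$(rc_var_value "$dir/tps" XPRINTSERVERS)" = "" ] || { echo "tps: XPRINTSERVERS is not empty"; rc=1; }
    [ "$(rc_var_value "$dir/lp" LP)" = "0" ]            || { echo "lp: LP is not 0"; rc=1; }
    [ "$(rc_var_value "$dir/pd" PD_CLIENT)" = "0" ]     || { echo "pd: PD_CLIENT is not 0"; rc=1; }
    return $rc
}

# apply_printing_actions DIR: the configuration-file half of the Actions list.
apply_printing_actions() {
    set_rc_var "$1/tps" XPRINTSERVERS ""
    set_rc_var "$1/lp"  LP 0
    set_rc_var "$1/pd"  PD_CLIENT 0
}

# Demo on constructed files that look like an unhardened host.
demo=$(mktemp -d)
printf 'XPRINTSERVERS="localhost"\n' > "$demo/tps"
printf 'LP=1\n'                      > "$demo/lp"
printf 'PD_CLIENT=1\n'               > "$demo/pd"
printing_compliant "$demo" || echo "before: not compliant (expected)"
apply_printing_actions "$demo"
printing_compliant "$demo" && echo "after: compliant"
rm -rf "$demo"
```

Because the functions edit only the one assignment line each and leave the rest of the fragment untouched, the script can be re-run from a cron job as a drift check without accumulating duplicate lines.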

SecureInetd.banners

Headline

Display "Authorized Use" messages at login time.

Default

N

Description

You can create "Authorized Use Only" messages for your site. These can be helpful in prosecuting system crackers you catch trying to break into your system. HP-UX Bastille makes default messages that you can edit. This is like an "anti-welcome mat" for your system.

Actions

Create default login banner messages in the /etc/motd and /etc/issue files.

Modify the entries for rlogind and telnetd in the /etc/inetd.conf file to use the /etc/issue banner.
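A banner is only useful if the files are non-empty and the inetd entries actually reference them. The following POSIX sh audit is an added example, not code from the HP-UX Bastille guide or the Bastille project: it checks that the banner files exist and are non-empty and that the active telnet and login (rlogind) lines in an inetd.conf reference /etc/issue. The sample inetd.conf it runs on is constructed; the telnetd "-b" option shown in that sample is an assumption (the page names the banner file but not the option), so confirm it against telnetd(1M) on your release before editing the real /etc/inetd.conf.

```shell
#!/bin/sh
# Added example (not from the HP-UX Bastille guide): audit the result of the
# SecureInetd.banners actions. The demo uses a constructed inetd.conf in a
# scratch directory; pass /etc/inetd.conf /etc/issue /etc/motd for a real host.

# banner_status FILE SERVICE: print "banner" when SERVICE's active (uncommented)
# line in FILE mentions /etc/issue, "nobanner" when it is active without one,
# and "disabled" when FILE has no active line for SERVICE at all.
banner_status() {
    awk -v svc="$2" '
        $1 == svc {
            found = 1
            if ($0 ~ /\/etc\/issue/) ok = 1
        }
        END {
            if (!found)  print "disabled"
            else if (ok) print "banner"
            else         print "nobanner"
        }' "$1"
}

# banner_file_ok FILE: 0 if FILE exists and is non-empty, 1 otherwise.
# An empty /etc/issue makes the inetd.conf change meaningless.
banner_file_ok() {
    [ -s "$1" ]
}

# banners_audit INETD_CONF ISSUE MOTD: print one line per check and return
# the number of failed checks, so the exit status can drive a cron report.
banners_audit() {
    fails=0
    for f in "$2" "$3"; do
        if banner_file_ok "$f"; then
            echo "ok       banner file $f"
        else
            echo "MISSING  banner file $f (absent or empty)"; fails=$((fails + 1))
        fi
    done
    for svc in telnet login; do
        st=$(banner_status "$1" "$svc")
        case $st in
            banner)   echo "ok       $svc uses /etc/issue" ;;
            disabled) echo "ok       $svc not served by inetd" ;;
            *)        echo "NOBANNER $svc active without /etc/issue"; fails=$((fails + 1)) ;;
        esac
    done
    return $fails
}

# Demo with a constructed inetd.conf: telnet carries the banner option (the
# "-b" flag is an assumption, see telnetd(1M)), login does not, ftp is
# commented out, and motd is left empty so that check is seen failing too.
demo=$(mktemp -d)
cat > "$demo/inetd.conf" <<'EOF'
# constructed sample, not a real host's file
telnet stream tcp6 nowait root /usr/lbin/telnetd  telnetd -b /etc/issue
login  stream tcp6 nowait root /usr/lbin/rlogind  rlogind
#ftp   stream tcp6 nowait root /usr/lbin/ftpd     ftpd -l
EOF
printf 'Authorized use only. Activity may be monitored.\n' > "$demo/issue"
: > "$demo/motd"
banners_audit "$demo/inetd.conf" "$demo/issue" "$demo/motd" || echo "failed checks: $?"
rm -rf "$demo"
```

Run against a real host, the expected output after the Bastille actions is four "ok" lines and an exit status of 0; any NOBANNER or MISSING line is a drift from the configured state.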

SecureInetd.deactivate_bootp

Headline

Ensure that the inetd bootp service does not run on this system.
