HP UX Bastille Software manual SecureInetd.deactivateident, SecureInetd.deactivatektools

Page 57

Description

FTP is a legacy protocol. It is a clear-text protocol, like Telnet, and allows an attacker to eavesdrop on sessions and steal passwords. This also allows an attacker to take over an FTP session, using a clear-text-takeover tool like Hunt or Ettercap. It can make effective firewalling difficult because of the way FTP requires many ports to stay open. Every major FTP daemon has had a long history of security vulnerabilities. FTP daemons represent one of the major successful attack vectors for remote root attacks.

Actions

In the /etc/inetd.conf file, comment out the entry for ftp.

SecureInetd.deactivate_ident

Headline

Ensure that the inetd ident service does not run on this system.

Default

N

Description

The ident service implements the TCP/IP proposed standard IDENT user identification protocol as specified in the RFC 1413 document. The identd service operates by looking up specific TCP/IP connections and returning the user name of the process owning the connection. This service can be used to determine user information on a given machine in preparation for a brute-force password attack like a dictionary attack. HP recommends disabling this service unless compelled by application-specific needs.

Actions

In the /etc/inetd.conf file, comment out the entry for auth or ident.

SecureInetd.deactivate_ktools

Headline

Ensure that the inetd klogin and kshell services do not run on this system.

Default

N

Description

The kshell and klogin services use Kerberos authentication protocols. If this machine is not using the Kerberos scheme, HP recommends disabling these services. Any service or daemon running on the system that is not needed or used should be disabled.

Actions

In the /etc/inetd.conf file, comment out the entry for kshell and klogin.

SecureInetd.deactivate_ntalk

Headline

Ensure that the inetd ntalk service does not run on this system.

Default

N

Description

The ntalk service is a visual communication program that predates instant messaging applications and copies lines from your terminal to another user's terminal. The ntalk service is considered a light security hazard, but should be disabled if not used on this machine.

Actions

In the /etc/inetd.conf file, comment out the entry for ntalk.

SecureInetd.deactivate_printer

Headline

Ensure the inetd printer service does not run on this system.

Default

N

Description

The printer service is a line printer daemon that accepts remote spool requests. It uses the rlp daemon to process remote print requests, displays the queue, and removes jobs from the queue upon request. If this machine is not used as a remote print spooler, this service should be disabled.

Actions

In the /etc/inetd.conf file, comment out the entry for printer.
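The Actions on this page (ftp, auth/ident, kshell and klogin, ntalk, printer) all come down to the same edit: comment out the matching entry in /etc/inetd.conf. The script below is an added example, not code from the HP-UX Bastille guide or the Bastille tool itself; it works on a constructed inetd.conf-style excerpt written to a temporary file so it runs offline, and the function names (make_sample_inetd_conf, disable_inetd_services, active_inetd_services) are hypothetical. It comments out entries by service name (the first field), leaves already-commented lines alone so a second run changes nothing, and prints the services that remain active as a post-change check.

```shell
#!/bin/sh
# Added example (not part of the HP-UX Bastille guide): comment out inetd
# services in an inetd.conf-style file and verify what is still active.
# The sample entries and their paths are constructed for this demonstration.

# make_sample_inetd_conf FILE: write a constructed excerpt so the example runs offline.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
## Constructed excerpt in /etc/inetd.conf syntax; not copied from a real host.
ftp      stream tcp6 nowait root /usr/lbin/ftpd      ftpd -l
telnet   stream tcp6 nowait root /usr/lbin/telnetd   telnetd
ident    stream tcp6 wait   bin  /usr/lbin/identd    identd
kshell   stream tcp  nowait root /usr/lbin/remshd    remshd -K
klogin   stream tcp  nowait root /usr/lbin/rlogind   rlogind -K
ntalk    dgram  udp  wait   root /usr/lbin/ntalkd    ntalkd
printer  stream tcp  nowait root /usr/sbin/rlpdaemon rlpdaemon -i
#tftp    dgram  udp  wait   root /usr/lbin/tftpd     tftpd
daytime  stream tcp  nowait root internal
EOF
}

# disable_inetd_services FILE SERVICE...
# Prefix '#' to every active line whose first field (the service name) is listed.
# Already-commented lines and unlisted services are untouched, so repeated runs
# make no further changes. A temp file is used instead of sed -i, which HP-UX sed lacks.
disable_inetd_services() {
    file="$1"; shift
    tmp="${file}.tmp.$$"
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        # active (uncommented, non-blank) line for a targeted service: comment it out
        $0 !~ /^[ \t]*#/ && NF > 0 && ($1 in want) { print "#" $0; next }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# active_inetd_services FILE: print the service name of each uncommented entry,
# space-separated on one line, for a quick post-change check.
active_inetd_services() {
    awk '$0 !~ /^[ \t]*#/ && NF > 0 { printf "%s%s", sep, $1; sep = " " } END { print "" }' "$1"
}

# Demonstration: build the sample, disable the services this page covers, show what remains.
demo_file="/tmp/inetd.conf.example.$$"
make_sample_inetd_conf "$demo_file"
disable_inetd_services "$demo_file" ftp auth ident kshell klogin ntalk printer
echo "still active: $(active_inetd_services "$demo_file")"   # prints: still active: telnet daytime
rm -f "$demo_file"
```

Pointing disable_inetd_services at the real /etc/inetd.conf requires root and a backup of the file first; on HP-UX the running inetd does not pick up the edit until it is told to reconfigure (inetd -c), so the active_inetd_services check reflects the file, not what inetd is currently serving.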
