HP-UX Bastille Software manual: SecureInetd.deactivate_recserv, SecureInetd.deactivate_rquotad

Page 58

SecureInetd.deactivate_recserv

Headline

Ensure the inetd recserv service does not run on this system.

Default

N

Description

HP SharedX Receiver Service receives shared windows from another machine in X without explicitly performing any xhost command. This service is required for MPower remote windows. If you use MPower, leave this service running on your system. The SharedX Receiver Service is an automated wrapper around the xhost command. For more information about the xhost command, see xhost(1). This service should be disabled unless shared windows are viewed often on this machine. The xhost command is generally the more secure solution because it makes all sharing of windows explicit.

Actions

In the /etc/inetd.conf file, comment out the entry for recserv.

SecureInetd.deactivate_rquotad

Headline

Ensure the inetd rquotad service does not run on this system.

Default

Y

Description

The rquotad server is an RPC server that returns quotas for a user of a local file system mounted remotely through NFS. This service should be disabled if not using quotas with NFS.

Actions

In the /etc/inetd.conf file, comment out the entry for rpc.rquotad.

SecureInetd.deactivate_rtools

Headline

Ensure that the login, shell, and exec services do not run on this system.

Default

N

Description

The login, shell, and exec services use the r-tools: rlogind, remshd, and rexecd respectively, which use IP-based authentication. This form of authentication can be easily defeated by forging packets that suggest the connecting machine is a trusted host when in fact it may be an arbitrary machine on the network. Administrators in the past have found these services useful, but many are unaware of the security ramifications of leaving these services enabled.

Actions

In the /etc/inetd.conf file, comment out the entries for login, shell, and exec.

SecureInetd.deactivate_swat

Headline

Ensure the inetd swat service does not run on this system.

Default

N

Description

The swat service allows a Samba administrator to configure Samba through a web browser. The swat service allows administrators to view and change the Samba configuration, and to apply those changes, through the web. The drawback from a security standpoint comes from the authentication method used for the Samba administrator. Clear-text passwords are passed through the network if a connection is initiated from an outside source. This form of authentication is easily defeated, and HP recommends not running the swat service on this machine.

Actions

In the /etc/inetd.conf file, comment out the entry for swat.
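Every Actions entry above is the same edit: comment out a service line in /etc/inetd.conf. The script below is an added example, not code from the HP-UX Bastille manual or the Bastille project; it audits which of the services on this page are still active and disables them in place. The sample inetd.conf, its server paths, and the helper names inetd_active and inetd_disable are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the HP-UX Bastille manual): audit and disable inetd(1M)
# services by commenting out their /etc/inetd.conf entries, which is what each
# SecureInetd.deactivate_* question does. Sample file and paths are constructed.

# Print the names of active (uncommented) entries in FILE that match one of
# the names in LIST, either by service name (field 1, e.g. "swat") or by the
# basename of the server program (field 6, e.g. "rpc.rquotad" on an "rpc" line).
inetd_active() {   # usage: inetd_active FILE "LIST"
    awk -v wanted="$2" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        { prog = $6; sub(".*/", "", prog)          # basename of the server path
          if ($1 in want) print $1; else if (prog in want) print prog }
    ' "$1"
}

# Comment out every active entry in FILE matching LIST. Writes through a temp
# file so a failed awk cannot truncate the original; returns 0 only when no
# matching active entry remains afterwards.
inetd_disable() {  # usage: inetd_disable FILE "LIST"
    tmp="$1.tmp.$$"
    awk -v wanted="$2" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        { prog = $6; sub(".*/", "", prog)
          if (($1 in want) || (prog in want)) print "#" $0; else print }
    ' "$1" > "$tmp" && mv "$tmp" "$1" || { rm -f "$tmp"; return 1; }
    [ -z "$(inetd_active "$1" "$2")" ]
}

# Constructed sample inetd.conf with the entries this page covers.
SAMPLE=$(mktemp /tmp/inetd.conf.XXXXXX)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
ftp     stream tcp6 nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp6 nowait root /usr/lbin/telnetd telnetd
login   stream tcp6 nowait root /usr/lbin/rlogind rlogind
shell   stream tcp6 nowait root /usr/lbin/remshd  remshd
exec    stream tcp6 nowait root /usr/lbin/rexecd  rexecd
recserv stream tcp  nowait root /usr/lbin/recserv recserv -display
rpc     dgram  udp  wait   root /usr/sbin/rpc.rquotad 100011 1 rpc.rquotad
swat    stream tcp  nowait root /opt/samba/bin/swat   swat
EOF

PAGE_SERVICES="recserv rpc.rquotad login shell exec swat"
echo "Active before:"; inetd_active "$SAMPLE" "$PAGE_SERVICES telnet"
inetd_disable "$SAMPLE" "$PAGE_SERVICES" && echo "Still active:" && inetd_active "$SAMPLE" "$PAGE_SERVICES telnet"
# On a real HP-UX system, follow the edit with `inetd -c` so inetd re-reads
# /etc/inetd.conf; it is skipped here because the sample is a temp file.
```

Telnet stays listed in the final output on purpose: this page's telnet question defaults to N, so the script reports it rather than disabling it.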

SecureInetd.deactivate_telnet

Headline

Ensure that the telnet service does not run on this system.

Default

N

Description

Telnet is not secure. Telnet is shipped on most operating systems for backward compatibility. Do not use it in an untrusted network. Telnet is a clear-text

58 Question modules
