HP UX Bastille Software manual SecureInetd.deactivatetftp, SecureInetd.deactivatetime

Page 59

protocol. Any data transferred, including passwords, can be monitored by anyone else on your network even if you use a switching router. Switches were designed for performance, not security, and can be made to broadcast. Other networks can monitor this information too if the Telnet session crosses multiple LANs. There are also other, more active attacks. For example, anyone who can eavesdrop can usually take over your Telnet session using a tool like Hunt or Ettercap. The standard practice among security-conscious sites is to migrate as rapidly as practical from Telnet to Secure Shell (command: ssh). HP recommends making this move as soon as possible. Secure Shell implementations are available from openssh.org and ssh.com. Most operating system vendors also distribute a version of Secure Shell. Check with your vendor first to see if there is a version that has been tested with your OS.

NOTE: Deactivating the telnetd service will not affect your Telnet client.

Actions

In the /etc/inetd.conf file, comment out the entry for telnet.

SecureInetd.deactivate_tftp

Headline

Ensure the inetd TFTP service does not run on this system.

Default

Y

Description

The Trivial File Transfer Protocol (TFTP) is often used to download operating system images and configuration data to diskless hosts. TFTP is a UDP-based file-transfer program that provides little security. If this machine is not a boot server for diskless hosts/appliances or an Ignite-UX server, TFTP should be disabled.

Actions

In the /etc/inetd.conf file, comment out the entry for tftp.

SecureInetd.deactivate_time

Headline

Ensure the inetd time service does not run on this system.

Default

N

Description

The time service built into inetd produces machine-readable time in seconds since midnight on 1 January 1900 (RFC 868). It is used for clock synchronization, but it lacks the ability to be configured securely. HP recommends disabling the time service for this machine. Use the Network Time Protocol to synchronize clocks, because XNTP can be configured securely. For more information on XNTP, see xntpd(1).

Actions

In the /etc/inetd.conf file, comment out the entry for time.

SecureInetd.deactivate_uucp

Headline

Ensure the inetd uucp service does not run on this system.

Default

Y

Description

UNIX to UNIX Copy (UUCP) copies files named by the source_files argument to the destination identified by the destination_file argument. UUCP uses clear-text transport for authentication. It is not commonly used. HP recommends disabling this service and using a more secure file transfer program such as scp.

Actions

In the /etc/inetd.conf file, comment out the entry for uucp.
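The Actions for telnet, tftp, time and uucp are the same edit applied to different service names. The POSIX shell below is an added example, not part of HP-UX Bastille: it comments out every active entry for a named service in an inetd.conf-style file, matching the whole service-name field so that "time" does not touch "daytime", and then checks that no uncommented entry remains. The sample file it builds is constructed for the demonstration; the daemon paths in it are assumed.

```shell
#!/bin/sh
# Comment out every active inetd.conf entry whose service-name field equals SVC.
# Comparing the whole first field means "time" leaves "daytime" alone and
# "tftp" leaves "ftp" alone; lines that already start with "#" are not touched.
disable_inetd_service() {
    conf=$1
    svc=$2
    tmp="$conf.tmp.$$"
    awk -v svc="$svc" '
        $1 == svc { print "#" $0; next }   # active entry: prefix it with "#"
        { print }                          # every other line passes through
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
    # On HP-UX, an edit of the live /etc/inetd.conf is followed by "inetd -c"
    # so inetd rereads the file (not run here: this function only edits files).
}

# Exit 0 if SVC still has at least one uncommented entry in CONF, else exit 1.
# This is the check that the action for a question really took effect.
inetd_service_active() {
    awk -v svc="$1" '
        BEGIN { missing = 1 }
        $1 == svc { missing = 0 }
        END { exit missing }
    ' "$2"
}

# Constructed sample in HP-UX inetd.conf layout (assumed daemon paths, not
# copied from a real host); "time" has both its stream and dgram entries.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
tftp    dgram  udp wait   root /usr/lbin/tftpd   tftpd
time    stream tcp nowait root internal
time    dgram  udp wait   root internal
daytime stream tcp nowait root internal
uucp    stream tcp nowait root /usr/sbin/uucpd   uucpd
EOF
}

# Apply the four deactivate_* actions to the sample and show what remains.
demo() {
    f="${TMPDIR:-/tmp}/inetd_sample.$$"
    make_sample_conf "$f"
    for svc in telnet tftp time uucp; do
        disable_inetd_service "$f" "$svc"
    done
    cat "$f"
    rm -f "$f"
}
```

Against a real host, `disable_inetd_service /etc/inetd.conf tftp` as root performs the tftp action; ftp and daytime entries in the sample stay active, which is the point of exact field matching.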

SecureInetd.ftp_logging

Headline

Enable logging for FTP connections.

Default

N
