HP UX Bastille Software manual SecureInetd.inetdgeneral, SecureInetd.loginetd, SecureInetd.owner

Page 60

Description

Logging FTP connection and command activity is recommended. The only reason not to do this is that the volume of FTP log messages fills logs more quickly, particularly if FTP services are heavily used on this machine.

Actions

In the /etc/inetd.conf file, add the -l flag to the entry for ftpd. Run inetd -c afterwards so that the running inetd rereads /etc/inetd.conf; the flag takes effect for new FTP sessions only.

SecureInetd.inetd_general

Headline

Reminder to disable unneeded inetd services in the TODO.txt file.

Default

N

Description

Disable unneeded inetd services. Leave only those services running that are critical to the operation of this machine. This is an example of the frequent trade-off between security and functionality: the most secure machine is not very useful. For the most secure but still useful system, enable only those services that this system needs to fulfill its intended purpose. You can further restrict access to the services that remain using the inetd.sec file or a program like tcpwrappers. If you answer Y to this question, HP-UX Bastille also points you to information on how to configure these tools.

IMPORTANT: Manual action required to complete this configuration. See the TODO.txt file for details.

Actions

Instructions for manual actions provided in TODO.txt list.

SecureInetd.log_inetd

Headline

Enable logging for all inetd connections.

Default

N

Description

Logging connection attempts to inetd services is a good idea. The only reason not to do this is that the volume of inetd log messages fills logs more quickly, particularly if inetd services are heavily used on this machine.

Actions

In the /etc/rc.config.d/netdaemons file, add the -l flag to the INETD_ARGS= parameter. Because this sets a startup argument, the change takes effect the next time inetd is started.
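The two Actions above (the ftpd -l flag in /etc/inetd.conf for SecureInetd.ftp_logging and the -l flag in INETD_ARGS= for SecureInetd.log_inetd) are easy to get wrong by hand: a second edit doubles the flag, a commented-out ftp line gets edited instead of the live one, or an existing INETD_ARGS value is overwritten. The script below is an added example, not code from the HP-UX Bastille guide or product. It makes both edits idempotently and verifies them on constructed copies of the two files. The line shapes it assumes (a seven-field ftp entry with the server at field 6, and an `export INETD_ARGS=` assignment) are typical of HP-UX 11i but vary by release; check your own files, back them up, and remember that the netdaemons change only takes effect when inetd is next started.

```shell
#!/bin/sh
# Added example (not from the HP-UX Bastille guide): enable ftpd session
# logging in inetd.conf and inetd connection logging in netdaemons, without
# duplicating the flag or touching commented-out entries.
# Assumed line shapes (constructed; vary by release):
#   ftp    stream tcp6 nowait root /usr/lbin/ftpd    ftpd
#   export INETD_ARGS=

# Append "-l" to every active ftpd entry that does not already carry it.
# Fields: 1 service, 2 socket, 3 protocol, 4 wait, 5 user, 6 server path,
# 7.. argv. A commented line has "#ftp" in field 1 and never matches.
add_ftpd_log_flag() {
    tmp="$1.tmp.$$"
    awk '
        $1 == "ftp" && $6 ~ /\/ftpd$/ {
            have = 0
            for (i = 7; i <= NF; i++) if ($i == "-l") have = 1
            if (!have) $0 = $0 " -l"
        }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Exit 0 only if every active ftpd entry carries -l (vacuously true when
# there is no active ftp entry at all); 1 otherwise.
ftpd_logging_enabled() {
    awk '
        $1 == "ftp" && $6 ~ /\/ftpd$/ {
            have = 0
            for (i = 7; i <= NF; i++) if ($i == "-l") have = 1
            if (!have) missing = 1
        }
        END { exit missing ? 1 : 0 }
    ' "$1"
}

# Add "-l" to the INETD_ARGS= assignment (with or without "export",
# double-quoted or bare), keeping any arguments already present.
add_inetd_log_flag() {
    tmp="$1.tmp.$$"
    awk '
        /^(export[ \t]+)?INETD_ARGS=/ {
            eq  = index($0, "=")
            lhs = substr($0, 1, eq)
            val = substr($0, eq + 1)
            gsub(/"/, "", val)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            n = split(val, a, /[ \t]+/); have = 0
            for (i = 1; i <= n; i++) if (a[i] == "-l") have = 1
            if (!have) val = (val == "") ? "-l" : (val " -l")
            $0 = lhs "\"" val "\""
        }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Exit 0 only if the last INETD_ARGS= assignment (the one the shell keeps)
# contains -l; 1 otherwise.
inetd_logging_enabled() {
    awk '
        /^(export[ \t]+)?INETD_ARGS=/ {
            val = substr($0, index($0, "=") + 1); gsub(/"/, "", val)
            n = split(val, a, /[ \t]+/); ok = 0
            for (i = 1; i <= n; i++) if (a[i] == "-l") ok = 1
        }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Run both edits twice on constructed copies. Returns 0 when both checks
# fail before, pass after, and the second run changed nothing.
demo() {
    d=${TMPDIR:-/tmp}/bastille-log.$$
    mkdir -p "$d" || return 1
    cat > "$d/inetd.conf" <<'EOF'
# constructed sample, not a real /etc/inetd.conf
#ftp    stream tcp6 nowait root /usr/lbin/ftpd    ftpd
ftp     stream tcp6 nowait root /usr/lbin/ftpd    ftpd
telnet  stream tcp6 nowait root /usr/lbin/telnetd telnetd
EOF
    cat > "$d/netdaemons" <<'EOF'
# constructed sample, not a real /etc/rc.config.d/netdaemons
INETD=1
export INETD_ARGS=
EOF
    ftpd_logging_enabled "$d/inetd.conf" && return 1     # must start disabled
    inetd_logging_enabled "$d/netdaemons" && return 1
    add_ftpd_log_flag "$d/inetd.conf";  add_ftpd_log_flag "$d/inetd.conf"
    add_inetd_log_flag "$d/netdaemons"; add_inetd_log_flag "$d/netdaemons"
    ftpd_logging_enabled "$d/inetd.conf"  || return 1
    inetd_logging_enabled "$d/netdaemons" || return 1
    [ "$(grep -c ' -l$' "$d/inetd.conf")" = 1 ] || return 1   # flag added once
    grep -q '^export INETD_ARGS="-l"$' "$d/netdaemons" || return 1
    cat "$d/inetd.conf" "$d/netdaemons"
    rm -rf "$d"
}

demo
```

The checks are the part worth keeping: after an HP-UX Bastille run, or after a drift report, `ftpd_logging_enabled /etc/inetd.conf` and `inetd_logging_enabled /etc/rc.config.d/netdaemons` tell you whether the two settings are still in place without reading the files by eye.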

SecureInetd.owner

Headline

Who is responsible for granting authorization to use this machine?

Default

The owner

Description

HP-UX Bastille makes the login banner more specific by telling the user who is responsible for this machine. This states explicitly whom the user must obtain authorization from before using this machine. Fill in the name of the company, person, or other organization that owns or is responsible for this machine.

Actions

Parameter for default banner. No action.

Sendmail.sendmailcron

Headline

Run sendmail via cron to process the queue.

Default

Y

Description

Should sendmail run from cron every 15 minutes to process the mail queue and send out any queued messages? If this machine does not run sendmail in daemon mode, enabling this makes outbound mail more reliable.

In most cases, mail-queue processing is not required, because most mailer programs invoke sendmail directly to deliver their particular message. A message is usually written to the queue (and thus needs the cron entry to be retried) only if sendmail has trouble delivering it, for example because the receiving mail server is down.
