HP UX Bastille Software manual CIS mapping to HP-UX Bastille, Cis Id

Page 67

E CIS mapping to HP-UX Bastille

CIS

Level 1 benchmark for HP-UX 11i (v1.5.0)

CIS ID

CIS benchmark section

1.1

Patches and Additional Software

1.1.1

Apply latest OS patches

1.1.2

Install and configure SSH

1.1.3

Install and Run Bastille

1.2

Minimize inetd network services

1.2.1Disable Standard Services

1.2.2

Only enable telnet

1.2.3

Only enable FTP

1.2.4

Only enable rlogin/remsh/rcp

1.2.5

Only enable TFTP

1.2.6

Only enable printer service

1.2.7

Only enable rquotad

1.2.8

Only enable CDE-related daemons

1.2.9

Only enable Kerberos-related daemons

1.2.10

Only enable BOOTP/DHCP daemon

1.3

Minimize boot services

1.3.1

Disable login: prompts on serial ports

1.3.2Disable NIS/NIS+ related processes

1.3.3 Disable printer daemons 1.3.4 Disable GUI login

1.3.5Disable email server

1.3.6 Disable SNMP and OpenVIew

Mapping to HP-UX Bastille

HP-UX Bastille lock down items

Not Scorable

MiscellaneousDaemons.configure_ssh

Not Scorable

SecureInetd.deactivate_builtin

SecureInetd.deactivate_finger

SecureInetd.deactivate_ident

SecureInetd.deactivate_ntalk

SecureInetd.deactivate_recserv

SecureInetd.deactivate_time

SecureInetd.deactivate_uucp

SecureInetd.deactivate_telnet

SecureInetd.deactivate_ftp

SecureInetd.deactivate_rtools

SecureInetd.deactivate_tftp

SecureInetd.deactivate_printer

SecureInetd.deactivate_rquotad

SecureInetd.deactivate_dttools

SecureInetd.deactivate_ktools

SecureInetd.deactivate_bootp

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Not Applicable

AccountSecurity.serial_port_login

MiscellaneousDaemons.nis_client

MiscellaneousDaemons.nis_server

MiscellaneousDaemons.nisplus_server

MiscellaneousDaemons.nisplus_client

Printing.printing

AccountSecurity.gui_login

Sendmail.sendmaildaemon

Sendmail.sendmailcron

MiscellaneousDaemons.snmpd

67

Page 66 Page 68
Image 67
Page 66 Page 68
Contents HP-UX Bastille Version B.3.3 User Guide Trademark Acknowledgments Table of Contents Index HP-UX Bastille user interface Standard assessment report List of FiguresQuestion modules Security levels List of TablesAbout this product Features and benefitsPerformance CompatibilitySupport Installation requirements Installing HP-UX BastilleInstallation Page Creating a security configuration profile Using HP-UX Bastille1shows the main screen of the HP-UX Bastille user interface If the Path environment variable has not been updated, useAssessing a system Configuring a systemIs not always detected. HP-UX Bastille might not detect all Using scored reportsAccepted standard configurations are detected Configuration for the corresponding question is notScored assessment report # bastille -r RevertingLocating files Monitoring driftFor more information, see bastilledrift1M Var/opt/secmgmt/bastille/log/Assessment/Drift.txt Check for a TOREVERT.txt file Removing HP-UX BastilleIf the file exists, complete the actions listed Page General use tips TroubleshootingDiagnostic tips Known issues and workaroundsCannot use X because $DISPLAY is not set Problems opening, copying, or reading filesErrors related to individual configuration files HP-UX Bastille configures a firewall using IPFilterContacting HP Support and other resourcesRelated information Typographic conventions To complete a task Or damage to hardware or softwareSupplement important points of the main text Page Choosing security levels Install-Time Security ITS using HP-UX BastilleEnable kernel-based stack execute protection Table A-3 Additional Sec20MngDMZ security settings1 Choosing security dependencies Selecting security levels during installationConfiguring Sec20MngDMZ or Sec30DMZ security levels Configuring HP-UX Bastille for use with ServiceguardConfiguring Sec10Host level Page Question modules AccountSecurity.cronuser AccountSecurity.guiloginAccountSecurity.hidepasswords AccountSecurity.crontabsfileAccountSecurity.lockaccountnopasswd AccountSecurity.MINPASSWORDLENGTHAccountSecurity.NOLOGIN AccountSecurity.NUMBEROFLOGINSALLOWEDAccountSecurity.PASSWORDMAXDAYS AccountSecurity.NUMBEROFLOGINSALLOWEDynAccountSecurity.PASSWORDHISTORYDEPTH AccountSecurity.PASSWORDHISTORYDEPTHynAccountSecurity.restricthome AccountSecurity.passwordpoliciesAccountSecurity.serialportlogin AccountSecurity.singleuserpasswordAccountSecurity.umask AccountSecurity.SUDEFAULTPATHAccountSecurity.SUDEFAULTPATHyn AccountSecurity.systemauditingAccountSecurity.userrcfiles AccountSecurity.umaskynAccountSecurity.unownedfiles AccountSecurity.userdotfilesApache.deactivatehpwsapache Apache.chrootapacheDNS.chrootbind FTP.ftpusers FilePermissions.worldwriteableHPUX.guibanner HPUX.mailconfigHPUX.ndd HPUX.othertools HPUX.stackexecute HPUX.screensavertimeoutHPUX.restrictswacls HPUX.scanportsIPFilter.blockcfservd HPUX.tcpisnIPFilter.blockDNSquery Hids does not IPFilter.blockhpidsadminIPFilter.blockhpidsagent You are managing some remote Hids agents, answer noIPFilter.blockSecureShell Default 192.168.1.0/255.255.255.0 DescriptionIPFilter.blocknetrange IPFilter.blockpingOtherwise, answer no to this question IPFilter.blockwebadminIPFilter.configureipfilter IPFilter.blockwbemPage MiscellaneousDaemons.configuressh IPFilter.installipfilterMiscellaneousDaemons.diagnosticslocalonly MiscellaneousDaemons.disablerbootd MiscellaneousDaemons.disablebindMiscellaneousDaemons.disableptydaemon MiscellaneousDaemons.disablepwgrdMiscellaneousDaemons.nobodysecurerpc MiscellaneousDaemons.disablesmbclientMiscellaneousDaemons.disablesmbserver MiscellaneousDaemons.nfscoreOtherbootserv MiscellaneousDaemons.xaccessMiscellaneousDaemons.sysloglocalonly Patches.spcrun Patches.spccronrunPatches.spccrontime Patches.spcproxyynPrinting.printing SecureInetd.deactivatebootpSecureInetd.banners SecureInetd.deactivateftp SecureInetd.deactivatebuiltinSecureInetd.deactivatedttools SecureInetd.deactivatefingerSecureInetd.deactivateprinter SecureInetd.deactivateidentSecureInetd.deactivatektools SecureInetd.deactivatentalkSecureInetd.deactivateswat SecureInetd.deactivaterecservSecureInetd.deactivaterquotad SecureInetd.deactivatertoolsSecureInetd.ftplogging SecureInetd.deactivatetftpSecureInetd.deactivatetime SecureInetd.deactivateuucpSendmail.sendmailcron SecureInetd.loginetdSecureInetd.inetdgeneral SecureInetd.ownerSendmail.vrfyexpn Sendmail.sendmaildaemonPage All.weight Sample weight filesSample weight file below aligns with the CIS standard CIS.weightCIS.weight Page CIS ID CIS mapping to HP-UX BastilleApache.deactivatehpwsapache AccountSecurity.lockaccountnopasswd Page Index
Top Page Image Contents