HP UX Bastille Software manual Apache.deactivatehpwsapache

Page 68

 

| CIS | Level 1 benchmark for HP-UX 11i (v1.5.0) | Mapping to HP-UX Bastille |
|---|---|---|
| 1.3.7 | Disable other standard boot services | MiscellaneousDaemons.disable_rbootd |
| | | MiscellaneousDaemons.nfs_server |
| | | MiscellaneousDaemons.nfs_client |
| | | MiscellaneousDaemons.disable_ptydaemon |
| | | Apache.deactivate_hpws_apache |
| | | MiscellaneousDaemons.snmpd |
| | | MiscellaneousDaemons.nfs_core |
| | | MiscellaneousDaemons.other_boot_serv |
| | | MiscellaneousDaemons.disable_smbclient |
| | | MiscellaneousDaemons.disable_smbserver |
| | | MiscellaneousDaemons.disable_bind |
| 1.3.8 | Only enable Windows-compatibility server processes | Not Applicable |
| 1.3.9 | Only enable Windows-compatibility client processes | Not Applicable |
| 1.3.10 | Only enable NFS server processes | Not Applicable |
| 1.3.11 | Only enable NFS client processes | Not Applicable |
| 1.3.12 | Only enable RPC-based services | Not Applicable |
| 1.3.13 | Only enable Web server | Not Applicable |
| 1.3.14 | Only enable BIND DNS server | Not Applicable |
| 1.4 | Kernel Tuning | |
| 1.4.1 | Enable stack protection | HP_UX.stack_execute |
| 1.4.2 | Network parameter modifications | HP_UX.ndd |
| 1.4.3 | Use better TCP sequence numbers | HP_UX.tcp_isn |
| 1.4.4 | Additional network parameter modifications | HP_UX.ndd |
| 1.5 | File/Directory Permissions/Access | |
| 1.5.1 | Set Sticky Bit on World Writable Directories | Not Scorable |
| 1.5.2 | Find unauthorized world-writable files and SUID/SGID executables | Not Scorable |
| 1.5.3 | Find 'unowned' files and directories | AccountSecurity.unowned_files |
| 1.6 | System Access, Authentication, and Authorization | |
| 1.6.1 | Enable Hidden Passwords | AccountSecurity.hidepasswords |
| 1.6.2 | Restrict users who can access to FTP | FTP.ftpusers |
| 1.6.3 | Prevent Syslog from accepting messages from the network | MiscellaneousDaemons.syslog_localonly |
| 1.6.4 | Disable XDMCP port | MiscellaneousDaemons.xaccess |
| 1.6.5 | Set default-lock screensaver timeout | HP_UX.screensaver_timeout |
| 1.6.6 | Configure IPFilter to allow only select communication | Not Scorable |
| 1.6.7 | Restrict at/cron to authorized users | AccountSecurity.cronuser |
| | | AccountSecurity.atuser |
| 1.6.8 | Restrict crontab file permissions | AccountSecurity.crontabs_file |
| 1.6.9 | Restrict root logins to system console | AccountSecurity.create_securetty |
| 1.6.10 | Set retry limit for account lockout | AccountSecurity.AUTH_MAXTRIES |
| 1.6.11 | Disable 'nobody' access for secure RPC | MiscellaneousDaemons.nobody_secure_rpc |
| 1.7 | Logging | |


CIS mapping to HP-UX Bastille

 
