HP UX Bastille Software specs

IMPORTANT: Review these tables carefully. Some locked-down services and protocols might be used by other applications and have adverse effects on the behavior or functionality of these applications. You can change these security settings after installing or updating your system.

Table A-2 Host-based Sec10Host, Sec20MngDMZ, and Sec30DMZ security settings

Category

Logins and passwords

File system, network, and kernel

Daemons

inetd services

Action

Deny login unless home directory exists

Deny non-root logins if /etc/nologin file exists Set a default path for su command

Deny root logins from network tty Hide encrypted passwords

Deny ftp system account logins Deny remote X logins

Modify ndd settings1, 2

Restrict remote access to swlist Set default umask

Enable kernel-based stack execute protection

Disable ptydaemon

Disable pwgrd

Disable rbootd

Disable NFS client daemons

Disable NFS server

Disable NIS client programs

Disable NIS server programs

Disable SNMPD

Disable bootp

Disable inetd built-in services Disable CDE helper services Disable finger

Disable ident

Disable klogin and kshell Disable ntalk

Disable login, shell, and exec services Disable swat

Disable printer Disable recserv Disable tftp Disable time Disable uucp

Disable Event Monitoring Services (EMS) network communication

Enable logging for all inetd connections

sendmail

Other settings

Run sendmail via cron to process queue Stop sendmail from running in daemon mode Disable vrfy and expn commands

Disable HP Apache 2.x Web Server3 Set up cron job to run SWA1

28 Install-Time Security (ITS) using HP-UX Bastille

Image 28

HP UX Bastille Software manual Enable kernel-based stack execute protection

Contents

HP-UX Bastille Version B.3.3 User Guide Trademark Acknowledgments Table of Contents Index List of Figures HP-UX Bastille user interface Standard assessment report List of Tables Question modules Security levels Features and benefits About this product Performance CompatibilitySupport Installation requirements Installing HP-UX BastilleInstallation Page Using HP-UX Bastille Creating a security configuration profile If the Path environment variable has not been updated, use 1shows the main screen of the HP-UX Bastille user interface Configuring a system Assessing a system Using scored reports Accepted standard configurations are detectedConfiguration for the corresponding question is not Is not always detected. HP-UX Bastille might not detect all Scored assessment report Reverting # bastille -r Locating files Monitoring driftFor more information, see bastilledrift1M Var/opt/secmgmt/bastille/log/Assessment/Drift.txt Check for a TOREVERT.txt file Removing HP-UX BastilleIf the file exists, complete the actions listed Page Troubleshooting Diagnostic tipsKnown issues and workarounds General use tips Problems opening, copying, or reading files Errors related to individual configuration filesHP-UX Bastille configures a firewall using IPFilter Cannot use X because $DISPLAY is not set Contacting HP Support and other resourcesRelated information Typographic conventions To complete a task Or damage to hardware or softwareSupplement important points of the main text Page Install-Time Security ITS using HP-UX Bastille Choosing security levels Enable kernel-based stack execute protection Table A-3 Additional Sec20MngDMZ security settings1 Selecting security levels during installation Choosing security dependencies Configuring Sec20MngDMZ or Sec30DMZ security levels Configuring HP-UX Bastille for use with ServiceguardConfiguring Sec10Host level Page Question modules AccountSecurity.guilogin AccountSecurity.hidepasswordsAccountSecurity.crontabsfile AccountSecurity.cronuser AccountSecurity.MINPASSWORDLENGTH AccountSecurity.NOLOGINAccountSecurity.NUMBEROFLOGINSALLOWED AccountSecurity.lockaccountnopasswd AccountSecurity.NUMBEROFLOGINSALLOWEDyn AccountSecurity.PASSWORDHISTORYDEPTHAccountSecurity.PASSWORDHISTORYDEPTHyn AccountSecurity.PASSWORDMAXDAYS AccountSecurity.passwordpolicies AccountSecurity.serialportloginAccountSecurity.singleuserpassword AccountSecurity.restricthome AccountSecurity.SUDEFAULTPATH AccountSecurity.SUDEFAULTPATHynAccountSecurity.systemauditing AccountSecurity.umask AccountSecurity.umaskyn AccountSecurity.unownedfilesAccountSecurity.userdotfiles AccountSecurity.userrcfiles Apache.deactivatehpwsapache Apache.chrootapacheDNS.chrootbind FilePermissions.worldwriteable FTP.ftpusers HPUX.guibanner HPUX.mailconfigHPUX.ndd HPUX.othertools HPUX.screensavertimeout HPUX.restrictswaclsHPUX.scanports HPUX.stackexecute IPFilter.blockcfservd HPUX.tcpisnIPFilter.blockDNSquery IPFilter.blockhpidsadmin IPFilter.blockhpidsagentYou are managing some remote Hids agents, answer no Hids does not Default 192.168.1.0/255.255.255.0 Description IPFilter.blocknetrangeIPFilter.blockping IPFilter.blockSecureShell IPFilter.blockwebadmin IPFilter.configureipfilterIPFilter.blockwbem Otherwise, answer no to this questionPage MiscellaneousDaemons.configuressh IPFilter.installipfilterMiscellaneousDaemons.diagnosticslocalonly MiscellaneousDaemons.disablebind MiscellaneousDaemons.disableptydaemonMiscellaneousDaemons.disablepwgrd MiscellaneousDaemons.disablerbootd MiscellaneousDaemons.disablesmbclient MiscellaneousDaemons.disablesmbserverMiscellaneousDaemons.nfscore MiscellaneousDaemons.nobodysecurerpc Otherbootserv MiscellaneousDaemons.xaccessMiscellaneousDaemons.sysloglocalonly Patches.spccronrun Patches.spccrontimePatches.spcproxyyn Patches.spcrun Printing.printing SecureInetd.deactivatebootpSecureInetd.banners SecureInetd.deactivatebuiltin SecureInetd.deactivatedttoolsSecureInetd.deactivatefinger SecureInetd.deactivateftp SecureInetd.deactivateident SecureInetd.deactivatektoolsSecureInetd.deactivatentalk SecureInetd.deactivateprinter SecureInetd.deactivaterecserv SecureInetd.deactivaterquotadSecureInetd.deactivatertools SecureInetd.deactivateswat SecureInetd.deactivatetftp SecureInetd.deactivatetimeSecureInetd.deactivateuucp SecureInetd.ftplogging SecureInetd.loginetd SecureInetd.inetdgeneralSecureInetd.owner Sendmail.sendmailcron Sendmail.sendmaildaemon Sendmail.vrfyexpnPage Sample weight files All.weight CIS.weight Sample weight file below aligns with the CIS standard CIS.weight Page CIS mapping to HP-UX Bastille CIS ID Apache.deactivatehpwsapache AccountSecurity.lockaccountnopasswd Page Index