HP UX Bastille Software guide

1Manual action may be required to complete configuration. For more information, see /etc/opt/sec_mgmt/ bastille/TODO.txt after update or installation.

2The following ndd changes are made:

ip_forward_directed_broadcasts=0 ip_forward_src_routed=0 ip_forwarding=0 ip_ire_gw_probe=0 ip_pmtu_strategy=1 ip_send_source_quench=0 tcp_conn_request_max=4096 tcp_syn_rcvd_max=1000

3Settings applied only if software is installed.

Table A-3 Additional Sec20MngDMZ security settings1

Category

inetd services

IPFilter configuration2

Action

Includes all disabled inetd services in Table A-2Disable ftp

Disable telnet

Restrict syslog daemon to local connections

Block incoming DNS query connections

Block incoming HIDS administration connections3, 4 Configure IPFilter to allow outbound traffic Configure IPFilter to block incoming traffic with IP options set

Configure IPFilter to block all other traffic except for HP-UX Secure Shell, HIDS agent, WBEM, web admin, web admin autostart,5 and ICMP echo

1Applies all security configuration settings in Table A-2.

2Additional IPFilter rules may be applied with a custom rules file located at /etc/opt/sec_mgmt/bastille/

ipf.customrules.

3HP-UX Host IDS is a selectable software bundle and only available for commercial servers.

4 Settings applied only if software is installed.

5 Manual action may be required to complete configuration. For more information, see /var/opt/sec_mgmt/ bastille/TODO.txt after installation or update.

Table A-4 Additional Sec30DMZ security settings1

Category

IPFilter configuration2

Action

Includes all IPFilter settings in Table A-3Block incoming HIDS agent connections3, 4 Block incoming WBEM connections5 Block incoming web admin connections

Block incoming web admin autostart connections Block all traffic except HP-UX Secure Shell Block ICMP echo

1Applies all security configuration settings in Table A-2and Table A-3.

2Additional IPFilter rules may be applied with a custom rules file located at /etc/opt/sec_mgmt/bastille/

ipf.customrules.

3Settings applied only if software is installed.

4HP-UX Host IDS is a selectable software bundle and only available for commercial servers.

5WBEM is required for several HP management applications including HP Systems Insight Manager (SIM) and ParMgr.

A.1 Choosing security levels

29

Image 29

HP UX Bastille Software manual Table A-3 Additional Sec20MngDMZ security settings1

Contents

HP-UX Bastille Version B.3.3 User Guide Trademark Acknowledgments Table of Contents Index HP-UX Bastille user interface Standard assessment report List of Figures Question modules Security levels List of Tables About this product Features and benefits Support CompatibilityPerformance Installation Installing HP-UX BastilleInstallation requirements Page Creating a security configuration profile Using HP-UX Bastille 1shows the main screen of the HP-UX Bastille user interface If the Path environment variable has not been updated, use Assessing a system Configuring a system Accepted standard configurations are detected Using scored reportsConfiguration for the corresponding question is not Is not always detected. HP-UX Bastille might not detect all Scored assessment report # bastille -r Reverting For more information, see bastilledrift1M Monitoring driftLocating files Var/opt/secmgmt/bastille/log/Assessment/Drift.txt If the file exists, complete the actions listed Removing HP-UX BastilleCheck for a TOREVERT.txt file Page Diagnostic tips TroubleshootingKnown issues and workarounds General use tips Errors related to individual configuration files Problems opening, copying, or reading filesHP-UX Bastille configures a firewall using IPFilter Cannot use X because $DISPLAY is not set Related information Support and other resourcesContacting HP Typographic conventions Supplement important points of the main text Or damage to hardware or softwareTo complete a task Page Choosing security levels Install-Time Security ITS using HP-UX Bastille Enable kernel-based stack execute protection Table A-3 Additional Sec20MngDMZ security settings1 Choosing security dependencies Selecting security levels during installation Configuring Sec10Host level Configuring HP-UX Bastille for use with ServiceguardConfiguring Sec20MngDMZ or Sec30DMZ security levels Page Question modules AccountSecurity.hidepasswords AccountSecurity.guiloginAccountSecurity.crontabsfile AccountSecurity.cronuser AccountSecurity.NOLOGIN AccountSecurity.MINPASSWORDLENGTHAccountSecurity.NUMBEROFLOGINSALLOWED AccountSecurity.lockaccountnopasswd AccountSecurity.PASSWORDHISTORYDEPTH AccountSecurity.NUMBEROFLOGINSALLOWEDynAccountSecurity.PASSWORDHISTORYDEPTHyn AccountSecurity.PASSWORDMAXDAYS AccountSecurity.serialportlogin AccountSecurity.passwordpoliciesAccountSecurity.singleuserpassword AccountSecurity.restricthome AccountSecurity.SUDEFAULTPATHyn AccountSecurity.SUDEFAULTPATHAccountSecurity.systemauditing AccountSecurity.umask AccountSecurity.unownedfiles AccountSecurity.umaskynAccountSecurity.userdotfiles AccountSecurity.userrcfiles DNS.chrootbind Apache.chrootapacheApache.deactivatehpwsapache FTP.ftpusers FilePermissions.worldwriteable HPUX.ndd HPUX.mailconfigHPUX.guibanner HPUX.othertools HPUX.restrictswacls HPUX.screensavertimeoutHPUX.scanports HPUX.stackexecute IPFilter.blockDNSquery HPUX.tcpisnIPFilter.blockcfservd IPFilter.blockhpidsagent IPFilter.blockhpidsadminYou are managing some remote Hids agents, answer no Hids does not IPFilter.blocknetrange Default 192.168.1.0/255.255.255.0 DescriptionIPFilter.blockping IPFilter.blockSecureShell IPFilter.configureipfilter IPFilter.blockwebadminIPFilter.blockwbem Otherwise, answer no to this questionPage MiscellaneousDaemons.diagnosticslocalonly IPFilter.installipfilterMiscellaneousDaemons.configuressh MiscellaneousDaemons.disableptydaemon MiscellaneousDaemons.disablebindMiscellaneousDaemons.disablepwgrd MiscellaneousDaemons.disablerbootd MiscellaneousDaemons.disablesmbserver MiscellaneousDaemons.disablesmbclientMiscellaneousDaemons.nfscore MiscellaneousDaemons.nobodysecurerpc MiscellaneousDaemons.sysloglocalonly MiscellaneousDaemons.xaccessOtherbootserv Patches.spccrontime Patches.spccronrunPatches.spcproxyyn Patches.spcrun SecureInetd.banners SecureInetd.deactivatebootpPrinting.printing SecureInetd.deactivatedttools SecureInetd.deactivatebuiltinSecureInetd.deactivatefinger SecureInetd.deactivateftp SecureInetd.deactivatektools SecureInetd.deactivateidentSecureInetd.deactivatentalk SecureInetd.deactivateprinter SecureInetd.deactivaterquotad SecureInetd.deactivaterecservSecureInetd.deactivatertools SecureInetd.deactivateswat SecureInetd.deactivatetime SecureInetd.deactivatetftpSecureInetd.deactivateuucp SecureInetd.ftplogging SecureInetd.inetdgeneral SecureInetd.loginetdSecureInetd.owner Sendmail.sendmailcron Sendmail.vrfyexpn Sendmail.sendmaildaemonPage All.weight Sample weight files Sample weight file below aligns with the CIS standard CIS.weight CIS.weight Page CIS ID CIS mapping to HP-UX Bastille Apache.deactivatehpwsapache AccountSecurity.lockaccountnopasswd Page Index