Manuals / Brands / Computer Equipment / Software / HP / Computer Equipment / Software

HP UX Bastille Software C Question modules, AccountSecurity.atuser, AccountSecurity.AUTH_MAXTRIES, AccountSecurity.create_securetty, AccountSecurity.block_system_accounts

1 72

Download 72 pages, 1.59 Mb

C Question modules

AccountSecurity.ABORT_LOGIN_ON_MISSING_HOMEDIR

Headline	Do not allow logins unless the home directory exists.
Default	N
Description	The ABORT_LOGIN_ON_MISSING_HOMEDIR parameter controls login behavior
	if a user's home directory does not exist.
Actions	Set ABORT_LOGIN_ON_MISSING_HOMEDIR=1 in /etc/security.

AccountSecurity.atuser

Headline	Restrict the use of at to administrative accounts.
Default	N
Description	The at command allows users to submit jobs for the system to run at a
	particular time. Administrators can use at to defer jobs to run when the system
	is otherwise unused. However, executing jobs later or automatically represents
	a privilege that can be abused and makes actions slightly harder to track. Many
	sites choose to restrict the at command to administrative accounts. HP suggests
	restricting permission to new administrators until they understand how it can
	be abused and which users need access. Create the /etc/at.allow file of
	users with permission. This file can be edited later. If this file is not created,
	all users have permission to use the at command.
Actions	Delete the file at.deny
	Create or replace the file at.allow with a single entry for user root
	Set permissions to 0400
	Change ownership to root:sys

AccountSecurity.AUTH_MAXTRIES

Headline	Lock account after too many consecutive authentication failures.
Default	N
Description	The AUTH_MAXTRIES parameter controls whether an account is locked after
	too many consecutive authentication failures. It does not apply to trusted
	systems. This parameter is supported for users in all name server switch
	repositories, such as local, NIS, and LDAP.
Actions	Set AUTH_MAXTRIES=1 in /etc/security.

AccountSecurity.block_system_accounts

Headline	Disable login access to the system accounts.
Default	N
Description	System accounts are provisioned on a new system, for example bin, sys, uucp,
	et-cetera. These accounts (except for root) exist to own files, processes, or
	system resources but are not generally logged into. Because these accounts
	have broad access to the system, HP recommends disabling them. This item
	disables default system accounts.
Actions	Lock the account and change the user shell to /bin/false for the following
	users: www sys smbnull iwww owww sshd hpsmh named uucp nuucp adm
	daemon bin lp nobody noaccess hpdb useradm.

AccountSecurity.create_securetty

Headline

Disallow root logins from network TTYs.

33

Contents

Page Page Table of Contents Install-Time Security (ITS) using C Question modules D Sample weight files E CIS mapping to List of Figures List of Tables 1 About this product 1.1 Features and benefits 1.2Compatibility 1.3 Performance 1.4 Support 2 Installing HP-UXBastille 2.1 Installation requirements 2.2Installation Page 3 Using HP-UXBastille 3.1Creating a security configuration profile Page 3.2Configuring a system 3.3 Assessing a system 3.3.1 Using scored reports Page 3.4 Reverting 3.5 Monitoring drift 3.6 Locating files Page 4 Removing HP-UXBastille Page 5 Troubleshooting 5.1 Diagnostic tips 5.2General use tips 5.3Known issues and workarounds 5.3.2 Cannot use X because $DISPLAY is not set 5.3.3 System is in original state 5.3.4 HP-UXBastille must be run as root 5.3.5 Problems opening, copying, or reading files 5.3.6 Errors related to individual configuration files 6 Support and other resources 6.1 Contacting HP 6.2 Related information 6.3 Typographic conventions Page Page A Install-TimeSecurity (ITS) using HP-UXBastille A.1 Choosing security levels Page Page A.2 Choosing security dependencies A.3 Selecting security levels during installation B Configuring HP-UXBastille for use with Serviceguard B.1 Configuring Sec20MngDMZ or Sec30DMZ security levels B.2 Configuring Sec10Host level Page C Question modules AccountSecurity.crontabs_file AccountSecurity.cronuser AccountSecurity.gui_login AccountSecurity.hidepasswords AccountSecurity.lock_account_nopasswd AccountSecurity.mesgn AccountSecurity.MIN_PASSWORD_LENGTH AccountSecurity.NOLOGIN AccountSecurity.NUMBER_OF_LOGINS_ALLOWED AccountSecurity.NUMBER_OF_LOGINS_ALLOWEDyn AccountSecurity.PASSWORD_HISTORY_DEPTH AccountSecurity.PASSWORD_HISTORY_DEPTHyn AccountSecurity.PASSWORD_MAXDAYS AccountSecurity.PASSWORD_MINDAYS AccountSecurity.passwordpolicies AccountSecurity.restrict_home AccountSecurity.root_path AccountSecurity.serial_port_login AccountSecurity.single_user_password AccountSecurity.SU_DEFAULT_PATH AccountSecurity.SU_DEFAULT_PATHyn AccountSecurity.system_auditing AccountSecurity.umask AccountSecurity.umaskyn AccountSecurity.unowned_files AccountSecurity.user_dot_files AccountSecurity.user_rc_files Apache.chrootapache Apache.deactivate_hpws_apache DNS.chrootbind FilePermissions.world_writeable FTP.ftpbanner FTP.ftpusers HP_UX.gui_banner HP_UX.mail_config HP_UX.ndd HP_UX.other_tools HP_UX.restrict_swacls HP_UX.scan_ports HP_UX.screensaver_timeout HP_UX.stack_execute HP_UX.tcp_isn IPFilter.block_cfservd IPFilter.block_DNSquery IPFilter.block_hpidsadmin IPFilter.block_hpidsagent IPFilter.block_netrange IPFilter.block_ping IPFilter.block_SecureShell IPFilter.block_wbem IPFilter.block_webadmin IPFilter.configure_ipfilter Page IPFilter.install_ipfilter MiscellaneousDaemons.configure_ssh MiscellaneousDaemons.diagnostics_localonly MiscellaneousDaemons.disable_bind MiscellaneousDaemons.disable_ptydaemon MiscellaneousDaemons.disable_pwgrd MiscellaneousDaemons.disable_rbootd MiscellaneousDaemons.disable_smbclient MiscellaneousDaemons.disable_smbserver MiscellaneousDaemons.nfs_core MiscellaneousDaemons.nobody_secure_rpc MiscellaneousDaemons.snmpd MiscellaneousDaemons.syslog_localonly MiscellaneousDaemons.xaccess other_boot_serv Patches.spc_cron_run Patches.spc_cron_time Patches.spc_proxy_yn Patches.spc_run Printing.printing SecureInetd.banners SecureInetd.deactivate_bootp SecureInetd.deactivate_builtin SecureInetd.deactivate_dttools SecureInetd.deactivate_finger SecureInetd.deactivate_ftp SecureInetd.deactivate_ident SecureInetd.deactivate_ktools SecureInetd.deactivate_ntalk SecureInetd.deactivate_printer SecureInetd.deactivate_recserv SecureInetd.deactivate_rquotad SecureInetd.deactivate_rtools SecureInetd.deactivate_swat SecureInetd.deactivate_telnet SecureInetd.deactivate_tftp SecureInetd.deactivate_time SecureInetd.deactivate_uucp SecureInetd.ftp_logging SecureInetd.inetd_general SecureInetd.log_inetd SecureInetd.owner Sendmail.sendmailcron Sendmail.sendmaildaemon Sendmail.vrfyexpn Page D Sample weight files D.1 all.weight D.2 CIS.weight Page Page E CIS mapping to HP-UXBastille Page Page Page Index