Manuals / Brands / Computer Equipment / Software / HP / Computer Equipment / Software

HP UX Bastille Software AccountSecurity.cronuser, AccountSecurity.gui_login, AccountSecurity.crontabs_file, AccountSecurity.hidepasswords

1 72

Download 72 pages, 1.59 Mb

Default	N
Description	HP-UX Bastille can restrict root from logging into a tty over the network. This
	forces administrators to log in first as a non-root user, then su to become root.
	Root logins are still permitted on the console and through services that do not
	use tty's like HP-UX Secure Shell.
Actions	Create or replace the file /etc/securetty with the single entry console.

AccountSecurity.crontabs_file

Headline	Ensure the crontab files are only accessible by root.
Default	Y
Description	Because a variety of administrators, scripts, and users edit crontab files,
	sometimes these files contain incorrect permissions. HP-UX Bastille ensures
	these files can only be read and changed by the root user. Perform this task
	to ensure these files can only be read and written-to by root, with the crontab
	command.
Actions	Change ownership and permissions for all crontab files permitting access only
	to root.

AccountSecurity.cronuser

Headline	Restrict the use of cron to administrative accounts.
Default	N
Description	The cron function allows you to schedule jobs to run automatically at a certain
	time, possibly recurring. Administrators can use cron to check the system
	logs every night at midnight or confirm file integrity every hour. However,
	executing jobs later or automatically represents a privilege that can be abused
	and makes actions slightly harder to track.
Actions	Delete the file cron.deny
	Create or replace the file cron.allow with a single entry for user root
	Set permissions to 0400
	Change ownership to root:sys

AccountSecurity.gui_login

Headline	Disable the local graphical login.
Default	Y
Description	Most servers do not have a graphics console directly attached, and do not run
	a graphics login. Disabling this feature reduces targets for hackers and saves
	system resources for systems that do not have a graphics console.
Actions	In the /etc/rc.config.d/xfs file, set RUN_X_FONT_SERVER=0.
	In the /etc/rc.config.d/audio file, set AUDIO_SERVER=0.
	In the /etc/rc.config.d/slsd file, set SLSD_DAEMON=0.
	In the /etc/rc.config.d/desktop file, set DESKTOP=0.
	Terminate the following daemon processes if running: xfs, Aserver, SLSd,
	dtlogin, dtrc.

AccountSecurity.hidepasswords

Headline	Hide the encrypted passwords on this system.
Default	N

34 Question modules

Contents

Page Page Table of Contents Install-Time Security (ITS) using C Question modules D Sample weight files E CIS mapping to List of Figures List of Tables 1 About this product 1.1 Features and benefits 1.2Compatibility 1.3 Performance 1.4 Support 2 Installing HP-UXBastille 2.1 Installation requirements 2.2Installation Page 3 Using HP-UXBastille 3.1Creating a security configuration profile Page 3.2Configuring a system 3.3 Assessing a system 3.3.1 Using scored reports Page 3.4 Reverting 3.5 Monitoring drift 3.6 Locating files Page 4 Removing HP-UXBastille Page 5 Troubleshooting 5.1 Diagnostic tips 5.2General use tips 5.3Known issues and workarounds 5.3.2 Cannot use X because $DISPLAY is not set 5.3.3 System is in original state 5.3.4 HP-UXBastille must be run as root 5.3.5 Problems opening, copying, or reading files 5.3.6 Errors related to individual configuration files 6 Support and other resources 6.1 Contacting HP 6.2 Related information 6.3 Typographic conventions Page Page A Install-TimeSecurity (ITS) using HP-UXBastille A.1 Choosing security levels Page Page A.2 Choosing security dependencies A.3 Selecting security levels during installation B Configuring HP-UXBastille for use with Serviceguard B.1 Configuring Sec20MngDMZ or Sec30DMZ security levels B.2 Configuring Sec10Host level Page C Question modules AccountSecurity.crontabs_file AccountSecurity.cronuser AccountSecurity.gui_login AccountSecurity.hidepasswords AccountSecurity.lock_account_nopasswd AccountSecurity.mesgn AccountSecurity.MIN_PASSWORD_LENGTH AccountSecurity.NOLOGIN AccountSecurity.NUMBER_OF_LOGINS_ALLOWED AccountSecurity.NUMBER_OF_LOGINS_ALLOWEDyn AccountSecurity.PASSWORD_HISTORY_DEPTH AccountSecurity.PASSWORD_HISTORY_DEPTHyn AccountSecurity.PASSWORD_MAXDAYS AccountSecurity.PASSWORD_MINDAYS AccountSecurity.passwordpolicies AccountSecurity.restrict_home AccountSecurity.root_path AccountSecurity.serial_port_login AccountSecurity.single_user_password AccountSecurity.SU_DEFAULT_PATH AccountSecurity.SU_DEFAULT_PATHyn AccountSecurity.system_auditing AccountSecurity.umask AccountSecurity.umaskyn AccountSecurity.unowned_files AccountSecurity.user_dot_files AccountSecurity.user_rc_files Apache.chrootapache Apache.deactivate_hpws_apache DNS.chrootbind FilePermissions.world_writeable FTP.ftpbanner FTP.ftpusers HP_UX.gui_banner HP_UX.mail_config HP_UX.ndd HP_UX.other_tools HP_UX.restrict_swacls HP_UX.scan_ports HP_UX.screensaver_timeout HP_UX.stack_execute HP_UX.tcp_isn IPFilter.block_cfservd IPFilter.block_DNSquery IPFilter.block_hpidsadmin IPFilter.block_hpidsagent IPFilter.block_netrange IPFilter.block_ping IPFilter.block_SecureShell IPFilter.block_wbem IPFilter.block_webadmin IPFilter.configure_ipfilter Page IPFilter.install_ipfilter MiscellaneousDaemons.configure_ssh MiscellaneousDaemons.diagnostics_localonly MiscellaneousDaemons.disable_bind MiscellaneousDaemons.disable_ptydaemon MiscellaneousDaemons.disable_pwgrd MiscellaneousDaemons.disable_rbootd MiscellaneousDaemons.disable_smbclient MiscellaneousDaemons.disable_smbserver MiscellaneousDaemons.nfs_core MiscellaneousDaemons.nobody_secure_rpc MiscellaneousDaemons.snmpd MiscellaneousDaemons.syslog_localonly MiscellaneousDaemons.xaccess other_boot_serv Patches.spc_cron_run Patches.spc_cron_time Patches.spc_proxy_yn Patches.spc_run Printing.printing SecureInetd.banners SecureInetd.deactivate_bootp SecureInetd.deactivate_builtin SecureInetd.deactivate_dttools SecureInetd.deactivate_finger SecureInetd.deactivate_ftp SecureInetd.deactivate_ident SecureInetd.deactivate_ktools SecureInetd.deactivate_ntalk SecureInetd.deactivate_printer SecureInetd.deactivate_recserv SecureInetd.deactivate_rquotad SecureInetd.deactivate_rtools SecureInetd.deactivate_swat SecureInetd.deactivate_telnet SecureInetd.deactivate_tftp SecureInetd.deactivate_time SecureInetd.deactivate_uucp SecureInetd.ftp_logging SecureInetd.inetd_general SecureInetd.log_inetd SecureInetd.owner Sendmail.sendmailcron Sendmail.sendmaildaemon Sendmail.vrfyexpn Page D Sample weight files D.1 all.weight D.2 CIS.weight Page Page E CIS mapping to HP-UXBastille Page Page Page Index