Actions

Adds a summary description of HP security and services to the TODO.txt

 

file for user reference.

HP_UX.restrict_swacls

Headline

Restrict remote access to swlist.

Default

N

Description

The swagentd daemon allows remote access to list and install software on

 

your system. This feature is convenient for remote administration. Security

 

Patch Check can use this to query remote machines. It can also be a security

 

risk because patch and other critical system information is available to anyone

 

inside that system's firewall. HP recommends that you disallow the swagentd

 

default, remote read access.

Actions

If the swagentd daemon is running, use swacl to remove remote read access:

 

swacl -l host -D any_other

 

swacl -l root -D any_other

 

Otherwise, an item is created in the TODO.txt file to remind you to run HP-UX

 

Bastille again when the daemon is up.

HP_UX.scan_ports

Headline

Provide instructions in your TODO.txt file on how to run a port scan.

Default

N

Description

One of the final steps in lock down is to verify that only the services you need

 

are still running. Several tools do this, including netstat which is included

 

with HP-UX, and lsof (List OpenFiles) which is a free downloadable tool.

 

The lsof tool provides information about all the processes running on your

 

system. If there are processes running that you don't recognize, take this

 

opportunity to do some research and learn about them.

 

IMPORTANT: Manual action required to complete this configuration. See

 

the TODO.txt file for details.

Actions

Provide instructions in your TODO.txt file on how to run a port scan.

HP_UX.screensaver_timeout

Headline

Set the GUI screen-saver timeout to 10 minutes.

Default

N

Description

The GUI login screen-saver timeout varies from 10 to 30 minutes depending

 

on the HP-UX version. This item ensures the value is set at a consistent 10

 

minutes. Setting a short timeout ensures that extended absences don't leave

 

a console unnecessarily open.

Actions

For all sys.resources files in /usr/dt/config/* directories, modify the

 

matching /etc/dt/config/*/sys.resources file by adding the following

 

lines:

dtsession*saverTimeout: 10

dtsession*lockTimeout: 10

Create the matching /etc/dt/config/*/sys.resources files if not present.

HP_UX.stack_execute

Headline

Enable kernel-based stack-execute protection.

44 Question modules

Page 44
Image 44
HP UX Bastille Software manual HPUX.restrictswacls, HPUX.scanports, HPUX.screensavertimeout, HPUX.stackexecute