Default

Y

Description

A common way to gain privileged access is to provide some type of out-of-bounds input that is not checked by a program. This input can be used to overflow the stack in a way that leaves some cleverly written instructions stored in a place that will be executed by the program. The HP-UX kernel is able to disallow execution of instructions from the stack. This contains many of these types of attacks, making them ineffective. Because this is done at the kernel level, it is independent of any application which may have a vulnerability of this type. This will break some applications designed to execute code off the stack, for example Java 1.2 programs using JDK/JRE 1.2.2 versions older than 1.2.2.06. However, you can run chatr +es <executable file> to override this for individual broken programs.

Actions

Invokes kctune -K executable_stack=0 to disable stack execution.

HP_UX.tcp_isn

Headline

Make TCP ISN RFC 1948 compliant.

Default

N

Description

The use of random sequence numbers makes TCP traffic difficult to spoof from off the network. By setting the TCP stack to use RFC 1948-compliant sequence numbers, you raise the difficulty level for a successful off-network attack. This setting does not prevent a "man in the middle" style attack where the attacker has access to a network that is along the routing path between two communicating nodes. TCP does not offer protections for this case without adding additional layers like IPSec.

Actions

Make TCP ISN RFC 1948 compliant.

IPFilter.block_cfservd

Headline

BLOCK incoming cfrun requests with IPFilter.

Default

Y

Description

The cfengine utility provides policy-based configuration management for groups of systems and Serviceguard clusters. A central "policy host" acts as a repository for the configuration policy files and reference files that are distributed to managed clients. Typically managed clients perform synchronization runs at administrator-defined intervals, for example with a cron job on the managed client. The cfrun utility can also be used by the administrator on the policy host to contact each managed client and request an immediate or "on-demand" synchronization run. If this system should allow on-demand synchronization requests, answer no to this question. Otherwise, answer yes.

Actions

Enable incoming network traffic for this service by adding the following lines to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX Bastille:

# do allow cfservd incoming connections
pass in quick proto tcp from any to any port = 5308 flags S keep state keep frags
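The following audit script is an added example, not part of HP-UX Bastille: it reads an ipf.conf and reports whether an active "pass in" rule exists for a given protocol and port, treating a commented-out rule (the state Bastille leaves the rule in when the service is blocked) as absent. The sample ipf.conf it writes is constructed for the demonstration; the cfservd line is the one shown above, while the DNS line and the "block in all" line are assumed.

```shell
#!/bin/sh
# Added example, not part of HP-UX Bastille: audit an IPFilter ipf.conf for
# active "pass in" rules on a given protocol/port, e.g. the cfservd rule
# (tcp/5308) shown above. A rule that is commented out, as it is when the
# service is blocked, is treated as absent.

# ipf_pass_in_rule CONF PROTO PORT
# Print the first active "pass in" rule matching PROTO and PORT; exit 1 if none.
ipf_pass_in_rule() {
    awk -v proto="$2" -v port="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        $1 == "pass" && $2 == "in" {
            pm = 0; qm = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "proto" && $(i + 1) == proto) pm = 1
                if ($i == "port" && $(i + 1) == "=" && $(i + 2) == port) qm = 1
            }
            if (pm && qm) { print; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# service_status CONF PROTO PORT -> prints "allowed" or "blocked"
service_status() {
    if ipf_pass_in_rule "$1" "$2" "$3" >/dev/null; then
        echo allowed
    else
        echo blocked
    fi
}

# make_sample_conf PATH: write a constructed ipf.conf. The cfservd line is the
# one shown on this page; the DNS and "block in all" lines are assumed.
make_sample_conf() {
    cat > "$1" <<'EOF'
# do allow cfservd incoming connections
pass in quick proto tcp from any to any port = 5308 flags S keep state keep frags
# pass in quick proto udp from any to any port = 53 keep state keep frags
block in all
EOF
}

sample="${TMPDIR:-/tmp}/ipf_sample.$$"
make_sample_conf "$sample"
echo "cfservd tcp/5308: $(service_status "$sample" tcp 5308)"   # allowed
echo "DNS     udp/53:   $(service_status "$sample" udp 53)"     # blocked
rm -f "$sample"
```

Point it at the real file with `service_status /etc/opt/ipf/ipf.conf tcp 5308` to confirm what the running configuration actually permits for cfservd.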

IPFilter.block_DNSquery

Headline

BLOCK incoming DNS query connections with IPFilter.

Default

Y

Description

DNS query connections should only be allowed on DNS servers. If this machine is a DNS server for other machines, you should answer "No" to this question. Otherwise, you should block DNS queries by answering "Yes".
