Description | The simple network management protocol (SNMP) aids in the management |
| of machines over the network. This can be a powerful method of monitoring |
| and administering a set of networked machines. If you use network |
| management software to maintain the computers on your network, you should |
| audit the way in which SNMP is used by that software. |
| • Use SNMPv3 wherever possible. |
| • Set restrictive access control lists. |
| • Block SNMP traffic at your firewall. |
| • Disable the SNMP daemons. |
| The average home user or standalone server has no reason to run these |
| daemons. Depending on their default configuration, these deamons could be |
| a major security risk. However, if configured correctly and used in conjunction |
| with management software, these daemons can dramatically improve |
| accessibility and response time to problems when they occur. If this is disabled, |
| network management software such as HP Openview which relies on SNMP |
| does not work. |
Actions | If running stop process snmpdm. |
| Set SNMP_HPUNIX_START=0 in /etc/rc.config.d/Hpunix. |
| Set SNMP_MASTER_START=0 in /etc/rc.config.d/Master. |
| Set SNMP_MIB2_START=0 in /etc/rc.config.d/Master. |
| Set SNMP_TRAPDEST_START=0 in /etc/rc.config.d/TrpDst. |
Headline | Restrict the system logging daemon to local connections. |
Default | N |
Description | The system logging daemon syslogd listens on network ports to support |
| remote logging facilities. Remote logging can be helpful for security reasons |
| because if an attacker gains access to a single machine, he can probably modify |
| or delete the logs on that machine. Storing the logs on another machine can |
| help with forensics and incidence response, even if the logs have been tampered |
| with on the local machine. |
Actions | Add the |
| rc.config.d/syslogd. |
Headline | Disallow remote X logins. |
Default | N |
Description | XDMCP is an unencrypted protocol that allows remote connections to an X |
| server. This protocol is commonly used by dumb graphics terminals and |
| |
Actions | If the /etc/dt/config/Xconfig file does not exist, create it from /usr/ |
| dt/config/Xconfig. |
| Append the Dtlogin.requestPort:0 line in the /etc/dt/config/ |
| Xconfig file. |
Headline | Deactivate uncommon legacy boot services. |
Default | Y |
Description | The services mrouted, rwhod, ddfs, rarpd, rdpd, and snaplus2 are not |
| usually used on standalone or |
53