SecureInetd.deactivatebuiltin | HP UX Bastille Software instruction

Default	Y
Description	The bootpd daemon implements three functions; a DHCP server, an Internet
	Boot Protocol (BOOTP) server, and a DHCP/BOOTP relay agent. If this system
	is not a BOOTP/DHCP server or a DHCP/BOOTP relay agent, HP recommends
	disabling this service.
Actions	Comment out the entry for bootp in the /etc/inetd.conf file.

SecureInetd.deactivate_builtin

Headline	Ensure that the inetd built-in services do not run on this system.
Default	N
Description	The inetd built-in services include chargen, daytime, discard, and echo.
	These services are rarely used and when they are it is generally for testing.
	The UDP versions of these services can be used in a Denial of Service attack
	and therefore HP recommends disabling these services.
	The daytime service sends the current date and time as a human-readable
	character string (RFC 867). The discard service throws away anything that
	is sent to it, similar to /dev/null (RFC 863). The chargen service character
	generator sends a stream of some undefined data, preferably data in some
	recognizable pattern (RFC 862). The echo service returns the packets sent to
	it (RFC 862).
Actions	Comment out the entries for daytime, echo, discard, and chargen in the
	/etc/inetd.conf file.

SecureInetd.deactivate_dttools

Headline	Ensure the inetd CDE helper services do not run on this system.
Default	N
Description	The dtspcd, ttdbserver, and cmsd services are used by CDE. Each service
	has merits, but they are all rarely used and mostly deprecated.
Actions	In the /etc/inetd.conf file, comment out the entries for:
	• dtspc stream tcp nowait root /usr/dt/bin/dtspcd
	/usr/dt/bin/dtspcd
	• rpc xti tcp swait root /usr/dt/bin/rpc.ttdbserver
	100083 1 /usr/dt/bin/rpc.ttdbserver
	• srpc dgram udp wait root /ur/dt/bin/rpc.cmsd 100068
	2-5 rpc.cmsd

SecureInetd.deactivate_finger

Headline	Ensure the inetd finger service does not run on this system.
Default	Y
Description	The server for the RFC 742 Name/Finger protocol is fingerd. It provides a
	network interface to finger, which gives a status report of users currently
	logged in the system or a detailed report about a specific user. For more
	information about the finger command, see finger(1). HP recommends disabling
	the service because fingerd provides local system user information to remote
	sources and this can be useful to someone attempting to break into your system.
Actions	In the /etc/inetd.conf file, comment out the entry for finger.

SecureInetd.deactivate_ftp

Headline	Ensure that the inetd FTP service does not run on this system.
Default	N

56 Question modules

Image 56

HP UX Bastille Software manual SecureInetd.deactivatebuiltin, SecureInetd.deactivatedttools, SecureInetd.deactivatefinger

Contents

HP-UX Bastille Version B.3.3 User Guide Trademark Acknowledgments Table of Contents Index List of Figures HP-UX Bastille user interface Standard assessment report List of Tables Question modules Security levels Features and benefits About this product Support CompatibilityPerformance Installation Installing HP-UX BastilleInstallation requirements Page Using HP-UX Bastille Creating a security configuration profile If the Path environment variable has not been updated, use 1shows the main screen of the HP-UX Bastille user interface Configuring a system Assessing a system Using scored reports Accepted standard configurations are detectedConfiguration for the corresponding question is not Is not always detected. HP-UX Bastille might not detect all Scored assessment report Reverting # bastille -r For more information, see bastilledrift1M Monitoring driftLocating files Var/opt/secmgmt/bastille/log/Assessment/Drift.txt If the file exists, complete the actions listed Removing HP-UX BastilleCheck for a TOREVERT.txt file Page Troubleshooting Diagnostic tipsKnown issues and workarounds General use tips Problems opening, copying, or reading files Errors related to individual configuration filesHP-UX Bastille configures a firewall using IPFilter Cannot use X because $DISPLAY is not set Related information Support and other resourcesContacting HP Typographic conventions Supplement important points of the main text Or damage to hardware or softwareTo complete a task Page Install-Time Security ITS using HP-UX Bastille Choosing security levels Enable kernel-based stack execute protection Table A-3 Additional Sec20MngDMZ security settings1 Selecting security levels during installation Choosing security dependencies Configuring Sec10Host level Configuring HP-UX Bastille for use with ServiceguardConfiguring Sec20MngDMZ or Sec30DMZ security levels Page Question modules AccountSecurity.guilogin AccountSecurity.hidepasswordsAccountSecurity.crontabsfile AccountSecurity.cronuser AccountSecurity.MINPASSWORDLENGTH AccountSecurity.NOLOGINAccountSecurity.NUMBEROFLOGINSALLOWED AccountSecurity.lockaccountnopasswd AccountSecurity.NUMBEROFLOGINSALLOWEDyn AccountSecurity.PASSWORDHISTORYDEPTHAccountSecurity.PASSWORDHISTORYDEPTHyn AccountSecurity.PASSWORDMAXDAYS AccountSecurity.passwordpolicies AccountSecurity.serialportloginAccountSecurity.singleuserpassword AccountSecurity.restricthome AccountSecurity.SUDEFAULTPATH AccountSecurity.SUDEFAULTPATHynAccountSecurity.systemauditing AccountSecurity.umask AccountSecurity.umaskyn AccountSecurity.unownedfilesAccountSecurity.userdotfiles AccountSecurity.userrcfiles DNS.chrootbind Apache.chrootapacheApache.deactivatehpwsapache FilePermissions.worldwriteable FTP.ftpusers HPUX.ndd HPUX.mailconfigHPUX.guibanner HPUX.othertools HPUX.screensavertimeout HPUX.restrictswaclsHPUX.scanports HPUX.stackexecute IPFilter.blockDNSquery HPUX.tcpisnIPFilter.blockcfservd IPFilter.blockhpidsadmin IPFilter.blockhpidsagentYou are managing some remote Hids agents, answer no Hids does not Default 192.168.1.0/255.255.255.0 Description IPFilter.blocknetrangeIPFilter.blockping IPFilter.blockSecureShell IPFilter.blockwebadmin IPFilter.configureipfilterIPFilter.blockwbem Otherwise, answer no to this questionPage MiscellaneousDaemons.diagnosticslocalonly IPFilter.installipfilterMiscellaneousDaemons.configuressh MiscellaneousDaemons.disablebind MiscellaneousDaemons.disableptydaemonMiscellaneousDaemons.disablepwgrd MiscellaneousDaemons.disablerbootd MiscellaneousDaemons.disablesmbclient MiscellaneousDaemons.disablesmbserverMiscellaneousDaemons.nfscore MiscellaneousDaemons.nobodysecurerpc MiscellaneousDaemons.sysloglocalonly MiscellaneousDaemons.xaccessOtherbootserv Patches.spccronrun Patches.spccrontimePatches.spcproxyyn Patches.spcrun SecureInetd.banners SecureInetd.deactivatebootpPrinting.printing SecureInetd.deactivatebuiltin SecureInetd.deactivatedttoolsSecureInetd.deactivatefinger SecureInetd.deactivateftp SecureInetd.deactivateident SecureInetd.deactivatektoolsSecureInetd.deactivatentalk SecureInetd.deactivateprinter SecureInetd.deactivaterecserv SecureInetd.deactivaterquotadSecureInetd.deactivatertools SecureInetd.deactivateswat SecureInetd.deactivatetftp SecureInetd.deactivatetimeSecureInetd.deactivateuucp SecureInetd.ftplogging SecureInetd.loginetd SecureInetd.inetdgeneralSecureInetd.owner Sendmail.sendmailcron Sendmail.sendmaildaemon Sendmail.vrfyexpnPage Sample weight files All.weight CIS.weight Sample weight file below aligns with the CIS standard CIS.weight Page CIS mapping to HP-UX Bastille CIS ID Apache.deactivatehpwsapache AccountSecurity.lockaccountnopasswd Page Index