SecureInetd.deactivateident | HP UX Bastille Software specification

Description	FTP is a legacy protocol. It is a clear-text protocol, like Telnet, and allows an
	attacker to eavesdrop on sessions and steal passwords. This also allows an
	attacker to take over an FTP session, using a clear-text-takeover tool like Hunt
	or Ettercap. It can make effective firewalling difficult because of the way FTP
	requires many ports to stay open. Every major FTP daemon has had a long
	history of security vulnerability. They represent one of the major successful
	attack vectors for remote root attacks.
Actions	In the /etc/inetd.conf file, comment out the entry for ftp.

SecureInetd.deactivate_ident

Headline	Ensure that the inetd ident service does not run on this system.
Default	N
Description	The ident service implements the TCP/IP proposed standard IDENT user
	identification protocol as specified in the RFC 1413 document. The identd
	service operates by looking up specific TCP/IP connections and returning the
	user name of the process owning the connection. This service can be used to
	determine user information on a given machine in preparation for a brute-force
	password attack like a dictionary attack. HP recommends disabling this service
	unless compelled by application specific needs.
Actions	In the /etc/inetd.conf file, comment out the entry for auth or ident.

SecureInetd.deactivate_ktools

Headline	Ensure that the inetd klogin and kshell services do not run on this
	system.
Default	N
Description	The kshell and klogin services use Kerberos authentication protocols. If
	this machine is not using the Kerberos scheme, HP recommends disabling
	these services. Any service or daemon running on the system that is not needed
	or used should be disabled.
Actions	In the /etc/inetd.conf file, comment out the entry for kshell and
	klogin.

SecureInetd.deactivate_ntalk

Headline	Ensure that the inetd ntalk service does not run on this system.
Default	N
Description	The ntalk service is a visual communication program that predates instant
	messaging applications and copies lines from your terminal to another user's
	terminal. The ntalk service is considered a light security hazard, but should
	be disabled if not used on this machine.
Actions	In the /etc/inetd.conf file, comment out the entry for ntalk.

SecureInetd.deactivate_printer

Headline	Ensure the inetd printer service does not run on this system.
Default	N
Description	The printer service is a line printer daemon that accepts remote spool
	requests. It uses the rlp daemon to process remote print requests and displays
	the queue and removes jobs from the queue upon request. If this machine is
	not used as a remote print spooler, this service should be disabled.
Actions	In the /etc/inetd.conf file, comment out the entry for printer.

57

Image 57

HP UX Bastille Software manual SecureInetd.deactivateident, SecureInetd.deactivatektools, SecureInetd.deactivatentalk

Contents

HP-UX Bastille Version B.3.3 User Guide Trademark Acknowledgments Table of Contents Index HP-UX Bastille user interface Standard assessment report List of Figures Question modules Security levels List of Tables About this product Features and benefits Compatibility PerformanceSupport Installing HP-UX Bastille Installation requirementsInstallation Page Creating a security configuration profile Using HP-UX Bastille 1shows the main screen of the HP-UX Bastille user interface If the Path environment variable has not been updated, use Assessing a system Configuring a system Accepted standard configurations are detected Using scored reportsConfiguration for the corresponding question is not Is not always detected. HP-UX Bastille might not detect all Scored assessment report # bastille -r Reverting Monitoring drift Locating filesFor more information, see bastilledrift1M Var/opt/secmgmt/bastille/log/Assessment/Drift.txt Removing HP-UX Bastille Check for a TOREVERT.txt fileIf the file exists, complete the actions listed Page Diagnostic tips TroubleshootingKnown issues and workarounds General use tips Errors related to individual configuration files Problems opening, copying, or reading filesHP-UX Bastille configures a firewall using IPFilter Cannot use X because $DISPLAY is not set Support and other resources Contacting HPRelated information Typographic conventions Or damage to hardware or software To complete a taskSupplement important points of the main text Page Choosing security levels Install-Time Security ITS using HP-UX Bastille Enable kernel-based stack execute protection Table A-3 Additional Sec20MngDMZ security settings1 Choosing security dependencies Selecting security levels during installation Configuring HP-UX Bastille for use with Serviceguard Configuring Sec20MngDMZ or Sec30DMZ security levelsConfiguring Sec10Host level Page Question modules AccountSecurity.hidepasswords AccountSecurity.guiloginAccountSecurity.crontabsfile AccountSecurity.cronuser AccountSecurity.NOLOGIN AccountSecurity.MINPASSWORDLENGTHAccountSecurity.NUMBEROFLOGINSALLOWED AccountSecurity.lockaccountnopasswd AccountSecurity.PASSWORDHISTORYDEPTH AccountSecurity.NUMBEROFLOGINSALLOWEDynAccountSecurity.PASSWORDHISTORYDEPTHyn AccountSecurity.PASSWORDMAXDAYS AccountSecurity.serialportlogin AccountSecurity.passwordpoliciesAccountSecurity.singleuserpassword AccountSecurity.restricthome AccountSecurity.SUDEFAULTPATHyn AccountSecurity.SUDEFAULTPATHAccountSecurity.systemauditing AccountSecurity.umask AccountSecurity.unownedfiles AccountSecurity.umaskynAccountSecurity.userdotfiles AccountSecurity.userrcfiles Apache.chrootapache Apache.deactivatehpwsapacheDNS.chrootbind FTP.ftpusers FilePermissions.worldwriteable HPUX.mailconfig HPUX.guibannerHPUX.ndd HPUX.othertools HPUX.restrictswacls HPUX.screensavertimeoutHPUX.scanports HPUX.stackexecute HPUX.tcpisn IPFilter.blockcfservdIPFilter.blockDNSquery IPFilter.blockhpidsagent IPFilter.blockhpidsadminYou are managing some remote Hids agents, answer no Hids does not IPFilter.blocknetrange Default 192.168.1.0/255.255.255.0 DescriptionIPFilter.blockping IPFilter.blockSecureShell IPFilter.configureipfilter IPFilter.blockwebadminIPFilter.blockwbem Otherwise, answer no to this questionPage IPFilter.installipfilter MiscellaneousDaemons.configuresshMiscellaneousDaemons.diagnosticslocalonly MiscellaneousDaemons.disableptydaemon MiscellaneousDaemons.disablebindMiscellaneousDaemons.disablepwgrd MiscellaneousDaemons.disablerbootd MiscellaneousDaemons.disablesmbserver MiscellaneousDaemons.disablesmbclientMiscellaneousDaemons.nfscore MiscellaneousDaemons.nobodysecurerpc MiscellaneousDaemons.xaccess OtherbootservMiscellaneousDaemons.sysloglocalonly Patches.spccrontime Patches.spccronrunPatches.spcproxyyn Patches.spcrun SecureInetd.deactivatebootp Printing.printingSecureInetd.banners SecureInetd.deactivatedttools SecureInetd.deactivatebuiltinSecureInetd.deactivatefinger SecureInetd.deactivateftp SecureInetd.deactivatektools SecureInetd.deactivateidentSecureInetd.deactivatentalk SecureInetd.deactivateprinter SecureInetd.deactivaterquotad SecureInetd.deactivaterecservSecureInetd.deactivatertools SecureInetd.deactivateswat SecureInetd.deactivatetime SecureInetd.deactivatetftpSecureInetd.deactivateuucp SecureInetd.ftplogging SecureInetd.inetdgeneral SecureInetd.loginetdSecureInetd.owner Sendmail.sendmailcron Sendmail.vrfyexpn Sendmail.sendmaildaemonPage All.weight Sample weight files Sample weight file below aligns with the CIS standard CIS.weight CIS.weight Page CIS ID CIS mapping to HP-UX Bastille Apache.deactivatehpwsapache AccountSecurity.lockaccountnopasswd Page Index