SecureInetd.deactivate_recserv

Headline

Ensure the inetd recserv service does not run on this system.

Default

N

Description

HP SharedX Receiver Service receives shared windows from another machine in X without explicitly performing any xhost command. This service is required for MPower remote windows. If you use MPower, leave this service running on your system. The SharedX Receiver Service is an automated wrapper around the xhost command. For more information about the xhost command, see xhost(1). This service should be disabled unless shared windows are viewed often on this machine. The xhost command is generally the more secure solution because it makes all sharing of windows explicit.

Actions

In the /etc/inetd.conf file, comment out the entry for recserv.

SecureInetd.deactivate_rquotad

Headline

Ensure the inetd rquotad service does not run on this system.

Default

Y

Description

The rquotad server is an RPC server that returns quotas for a user of a local file system mounted remotely through NFS. This service should be disabled if not using quotas with NFS.

Actions

In the /etc/inetd.conf file, comment out the entry for rpc.rquotad.

SecureInetd.deactivate_rtools

Headline

Ensure that the login, shell, and exec services do not run on this system.

Default

N

Description

The login, shell, and exec services use the r-tools: rlogind, remshd, and rexecd respectively, which use IP-based authentication. This form of authentication can be easily defeated by forging packets that suggest the connecting machine is a trusted host when in fact it may be an arbitrary machine on the network. Administrators in the past have found these services useful, but many are unaware of the security ramifications of leaving these services enabled.

Actions

In the /etc/inetd.conf file, comment out the entries for login, shell, and exec.

SecureInetd.deactivate_swat

Headline

Ensure the inetd swat service does not run on this system.

Default

N

Description

The swat service allows a Samba administrator to configure Samba through a web browser. The swat service allows administrators to view, change, and effect the change through the web. The drawback from a security standpoint comes from the authentication method used for the Samba administrator. Clear-text passwords are passed through the network if a connection is initiated from an outside source. This form of authentication is easily defeated and HP recommends not running the swat service on this machine.

Actions

In the /etc/inetd.conf file, comment out the entry for swat.
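
The Actions above all make the same kind of edit to /etc/inetd.conf. The script below is an added example, not part of the original manual or of Bastille itself; it lists the active entries named in those Actions and comments them out on a copy of the file. The sample entries, their paths, and the assumption that RPC entries begin with the word `rpc` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Bastille code. Service names come from the Actions above.
TARGETS="recserv rpc.rquotad login shell exec swat"

# scan MODE FILE: MODE=list prints the name of each active target entry;
# MODE=fix prints FILE with those entries commented out.
# An entry is a target when field 1, or the basename of the server program
# (field 6), is in TARGETS; the second test catches RPC entries, assumed
# here to start with the literal word "rpc".
scan() {
    awk -v targets="$TARGETS" -v mode="$1" '
        BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        {
            hit = ""
            if ($0 !~ /^[ \t]*#/ && NF > 0) {
                prog = $6; sub(/.*\//, "", prog)
                if ($1 in want) hit = $1
                else if (prog in want) hit = prog
            }
            if (mode == "list") { if (hit != "") print hit }
            else if (hit != "") print "#" $0
            else print
        }
    ' "$2"
}
active_targets()      { scan list "$1"; }
comment_out_targets() { scan fix "$1"; }

# Constructed sample file (paths and arguments are illustrative only).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
ftp      stream tcp nowait root /usr/lbin/ftpd ftpd -l
login    stream tcp nowait root /usr/lbin/rlogind rlogind
shell    stream tcp nowait root /usr/lbin/remshd remshd
#exec    stream tcp nowait root /usr/lbin/rexecd rexecd
rpc      dgram udp wait root /usr/sbin/rpc.rquotad 100011 1 rpc.rquotad
recserv  stream tcp nowait root /usr/lbin/recserv recserv
swat     stream tcp nowait root /usr/sbin/swat swat
EOF
}

# Demo: work on a temporary copy, never on the live file directly.
tmp=$(mktemp)
write_sample "$tmp"
echo "active before: $(active_targets "$tmp" | tr '\n' ' ')"
comment_out_targets "$tmp" > "$tmp.new"
echo "active after:  $(active_targets "$tmp.new" | tr '\n' ' ')"
rm -f "$tmp" "$tmp.new"
```

Review the rewritten copy before it replaces /etc/inetd.conf, then have inetd reread its configuration so the change takes effect.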

SecureInetd.deactivate_telnet

Headline

Ensure that the telnet service does not run on this system.

Default

N

Description

Telnet is not secure. Telnet is shipped on most operating systems for backward compatibility. Do not use it in an untrusted network. Telnet is a clear-text
