Description

Logging FTP connection and command activity is recommended. The only

 

reason not to do this is the frequency of logging from FTP fills logs more

 

quickly, particularly if FTP services are heavily used on this machine.

Actions

In the /etc/inetd.conf file, add the -lflag to the entry for ftpd.

SecureInetd.inetd_general

Headline

Reminder to disable unneeded inetd services in the TODO.txt file.

Default

N

Description

Disable unneeded inetd services. Leave only those services running that are

 

critical to the operation of this machine. This is an example of the frequent

 

trade off between security and functionality. The most secure machine is not

 

very useful. For the most secure but useful system, enable only those services

 

which this system needs to fulfill its intended purpose. You can further restrict

 

access using the inetd.sec file or a program like tcpwrappers. If you

 

answer Y to this question, HP-UX Bastille also points you to information on

 

how to configure these tools.

 

IMPORTANT: Manual action required to complete this configuration. See

 

TODO.txt file for details.

Actions

Instructions for manual actions provided in TODO.txt list.

SecureInetd.log_inetd

Headline

Enable logging for all inetd connections.

Default

N

Description

Logging connection attempts to inetd services is a good idea. The only reason

 

not to do this is the frequency of logging from inetd fills logs more quickly,

 

particularly if inetd services are heavily used on this machine.

Actions

In the /etc/rc.config.d/netdaemons file, add the -lflag to the

 

INETD_ARGS= parameter.

SecureInetd.owner

Headline

Who is responsible for granting authorization to use this machine?

Default

The owner

Description

HP-UX Bastille makes the banner more specific by telling the user who is

 

responsible for this machine. This will state explicitly who the user needs to

 

obtain authorization from to use this machine. Fill in the name of the company,

 

person, or other organization who owns or is responsible for this machine.

Actions

Parameter for default banner. No action.

Sendmail.sendmailcron

Headline

Run sendmail via cron to process the queue.

Default

Y

Description

Should sendmail run every 15 minutes to process the mail queue by

 

processing and sending out email? If this machine does not run sendmail in

daemon mode, you might want to enable this to make your outbound mail more reliable.

In most cases, mail queue processing is not required because most mailer programs activate sendmail to process their particular message. A message usually only gets written to the queue (and thus needs a cron entry) if sendmail has trouble delivering it. For example if the receiving mail server is down.

60 Question modules

Page 60
Image 60
HP UX Bastille Software manual SecureInetd.inetdgeneral, SecureInetd.loginetd, SecureInetd.owner, Sendmail.sendmailcron