CIS mapping to HP-UX Bastille, Cis Id | HP UX Bastille Software

E CIS mapping to HP-UX Bastille

CIS	Level 1 benchmark for HP-UX 11i (v1.5.0)
CIS ID	CIS benchmark section
1.1	Patches and Additional Software
1.1.1	Apply latest OS patches
1.1.2	Install and configure SSH
1.1.3	Install and Run Bastille
1.2	Minimize inetd network services

1.2.1Disable Standard Services

1.2.2	Only enable telnet
1.2.3	Only enable FTP
1.2.4	Only enable rlogin/remsh/rcp
1.2.5	Only enable TFTP
1.2.6	Only enable printer service
1.2.7	Only enable rquotad
1.2.8	Only enable CDE-related daemons
1.2.9	Only enable Kerberos-related daemons
1.2.10	Only enable BOOTP/DHCP daemon
1.3	Minimize boot services
1.3.1	Disable login: prompts on serial ports

1.3.2Disable NIS/NIS+ related processes

1.3.3 Disable printer daemons 1.3.4 Disable GUI login

1.3.5Disable email server

1.3.6 Disable SNMP and OpenVIew

Mapping to HP-UX Bastille

HP-UX Bastille lock down items

Not Scorable

MiscellaneousDaemons.configure_ssh

Not Scorable

SecureInetd.deactivate_builtin

SecureInetd.deactivate_finger

SecureInetd.deactivate_ident

SecureInetd.deactivate_ntalk

SecureInetd.deactivate_recserv

SecureInetd.deactivate_time

SecureInetd.deactivate_uucp

SecureInetd.deactivate_telnet

SecureInetd.deactivate_ftp

SecureInetd.deactivate_rtools

SecureInetd.deactivate_tftp

SecureInetd.deactivate_printer

SecureInetd.deactivate_rquotad

SecureInetd.deactivate_dttools

SecureInetd.deactivate_ktools

SecureInetd.deactivate_bootp

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Not Applicable

AccountSecurity.serial_port_login

MiscellaneousDaemons.nis_client

MiscellaneousDaemons.nis_server

MiscellaneousDaemons.nisplus_server

MiscellaneousDaemons.nisplus_client

Printing.printing

AccountSecurity.gui_login

Sendmail.sendmaildaemon

Sendmail.sendmailcron

MiscellaneousDaemons.snmpd

67

Image 67

HP UX Bastille Software manual CIS mapping to HP-UX Bastille, Cis Id

Contents

HP-UX Bastille Version B.3.3 User Guide Trademark Acknowledgments Table of Contents Index HP-UX Bastille user interface Standard assessment report List of Figures Question modules Security levels List of Tables About this product Features and benefits Performance CompatibilitySupport Installation requirements Installing HP-UX BastilleInstallation Page Creating a security configuration profile Using HP-UX Bastille 1shows the main screen of the HP-UX Bastille user interface If the Path environment variable has not been updated, use Assessing a system Configuring a system Is not always detected. HP-UX Bastille might not detect all Using scored reportsAccepted standard configurations are detected Configuration for the corresponding question is not Scored assessment report # bastille -r Reverting Locating files Monitoring driftFor more information, see bastilledrift1M Var/opt/secmgmt/bastille/log/Assessment/Drift.txt Check for a TOREVERT.txt file Removing HP-UX BastilleIf the file exists, complete the actions listed Page General use tips TroubleshootingDiagnostic tips Known issues and workarounds Cannot use X because $DISPLAY is not set Problems opening, copying, or reading filesErrors related to individual configuration files HP-UX Bastille configures a firewall using IPFilter Contacting HP Support and other resourcesRelated information Typographic conventions To complete a task Or damage to hardware or softwareSupplement important points of the main text Page Choosing security levels Install-Time Security ITS using HP-UX Bastille Enable kernel-based stack execute protection Table A-3 Additional Sec20MngDMZ security settings1 Choosing security dependencies Selecting security levels during installation Configuring Sec20MngDMZ or Sec30DMZ security levels Configuring HP-UX Bastille for use with ServiceguardConfiguring Sec10Host level Page Question modules AccountSecurity.cronuser AccountSecurity.guiloginAccountSecurity.hidepasswords AccountSecurity.crontabsfile AccountSecurity.lockaccountnopasswd AccountSecurity.MINPASSWORDLENGTHAccountSecurity.NOLOGIN AccountSecurity.NUMBEROFLOGINSALLOWED AccountSecurity.PASSWORDMAXDAYS AccountSecurity.NUMBEROFLOGINSALLOWEDynAccountSecurity.PASSWORDHISTORYDEPTH AccountSecurity.PASSWORDHISTORYDEPTHyn AccountSecurity.restricthome AccountSecurity.passwordpoliciesAccountSecurity.serialportlogin AccountSecurity.singleuserpassword AccountSecurity.umask AccountSecurity.SUDEFAULTPATHAccountSecurity.SUDEFAULTPATHyn AccountSecurity.systemauditing AccountSecurity.userrcfiles AccountSecurity.umaskynAccountSecurity.unownedfiles AccountSecurity.userdotfiles Apache.deactivatehpwsapache Apache.chrootapacheDNS.chrootbind FTP.ftpusers FilePermissions.worldwriteable HPUX.guibanner HPUX.mailconfigHPUX.ndd HPUX.othertools HPUX.stackexecute HPUX.screensavertimeoutHPUX.restrictswacls HPUX.scanports IPFilter.blockcfservd HPUX.tcpisnIPFilter.blockDNSquery Hids does not IPFilter.blockhpidsadminIPFilter.blockhpidsagent You are managing some remote Hids agents, answer no IPFilter.blockSecureShell Default 192.168.1.0/255.255.255.0 DescriptionIPFilter.blocknetrange IPFilter.blockping Otherwise, answer no to this question IPFilter.blockwebadminIPFilter.configureipfilter IPFilter.blockwbemPage MiscellaneousDaemons.configuressh IPFilter.installipfilterMiscellaneousDaemons.diagnosticslocalonly MiscellaneousDaemons.disablerbootd MiscellaneousDaemons.disablebindMiscellaneousDaemons.disableptydaemon MiscellaneousDaemons.disablepwgrd MiscellaneousDaemons.nobodysecurerpc MiscellaneousDaemons.disablesmbclientMiscellaneousDaemons.disablesmbserver MiscellaneousDaemons.nfscore Otherbootserv MiscellaneousDaemons.xaccessMiscellaneousDaemons.sysloglocalonly Patches.spcrun Patches.spccronrunPatches.spccrontime Patches.spcproxyyn Printing.printing SecureInetd.deactivatebootpSecureInetd.banners SecureInetd.deactivateftp SecureInetd.deactivatebuiltinSecureInetd.deactivatedttools SecureInetd.deactivatefinger SecureInetd.deactivateprinter SecureInetd.deactivateidentSecureInetd.deactivatektools SecureInetd.deactivatentalk SecureInetd.deactivateswat SecureInetd.deactivaterecservSecureInetd.deactivaterquotad SecureInetd.deactivatertools SecureInetd.ftplogging SecureInetd.deactivatetftpSecureInetd.deactivatetime SecureInetd.deactivateuucp Sendmail.sendmailcron SecureInetd.loginetdSecureInetd.inetdgeneral SecureInetd.owner Sendmail.vrfyexpn Sendmail.sendmaildaemonPage All.weight Sample weight files Sample weight file below aligns with the CIS standard CIS.weight CIS.weight Page CIS ID CIS mapping to HP-UX Bastille Apache.deactivatehpwsapache AccountSecurity.lockaccountnopasswd Page Index