HP UX Bastille Software E CIS mapping to HP-UXBastille

E CIS mapping to HP-UX Bastille

CIS	Level 1 benchmark for HP-UX 11i (v1.5.0)	Mapping to HP-UX Bastille
CIS ID	CIS benchmark section	HP-UX Bastille lock down items

1.1Patches and Additional Software

1.1.1 Apply latest OS patches		Not Scorable
1.1.2	Install and configure SSH	MiscellaneousDaemons.configure_ssh

1.1.3	Install and Run Bastille	Not Scorable

1.2Minimize inetd network services

1.2.1	Disable Standard Services	SecureInetd.deactivate_builtin
		SecureInetd.deactivate_finger
		SecureInetd.deactivate_ident
		SecureInetd.deactivate_ntalk
		SecureInetd.deactivate_recserv
		SecureInetd.deactivate_time
		SecureInetd.deactivate_uucp
		SecureInetd.deactivate_telnet
		SecureInetd.deactivate_ftp
		SecureInetd.deactivate_rtools
		SecureInetd.deactivate_tftp
		SecureInetd.deactivate_printer
		SecureInetd.deactivate_rquotad
		SecureInetd.deactivate_dttools
		SecureInetd.deactivate_ktools
		SecureInetd.deactivate_bootp

1.2.2	Only enable telnet	Not Applicable

1.2.3	Only enable FTP	Not Applicable

1.2.4	Only enable rlogin/remsh/rcp	Not Applicable

1.2.5	Only enable TFTP	Not Applicable

1.2.6	Only enable printer service	Not Applicable

1.2.7	Only enable rquotad	Not Applicable

1.2.8	Only enable CDE-related daemons	Not Applicable

1.2.9	Only enable Kerberos-related daemons	Not Applicable

1.2.10	Only enable BOOTP/DHCP daemon	Not Applicable

1.3Minimize boot services

1.3.1 Disable login: prompts on serial ports		AccountSecurity.serial_port_login
1.3.2 Disable NIS/NIS+ related processes		MiscellaneousDaemons.nis_client
		MiscellaneousDaemons.nis_server
		MiscellaneousDaemons.nisplus_server
		MiscellaneousDaemons.nisplus_client

1.3.3	Disable printer daemons	Printing.printing

1.3.4	Disable GUI login	AccountSecurity.gui_login

1.3.5	Disable email server	Sendmail.sendmaildaemon
		Sendmail.sendmailcron

1.3.6 Disable SNMP and OpenVIew		MiscellaneousDaemons.snmpd

67

Contents

Page Page Table of Contents Install-Time Security (ITS) using C Question modules D Sample weight files E CIS mapping to List of Figures List of Tables 1 About this product 1.1 Features and benefits 1.2Compatibility 1.3 Performance 1.4 Support 2 Installing HP-UXBastille 2.1 Installation requirements 2.2Installation Page 3 Using HP-UXBastille 3.1Creating a security configuration profile Page 3.2Configuring a system 3.3 Assessing a system 3.3.1 Using scored reports Page 3.4 Reverting 3.5 Monitoring drift 3.6 Locating files Page 4 Removing HP-UXBastille Page 5 Troubleshooting 5.1 Diagnostic tips 5.2General use tips 5.3Known issues and workarounds 5.3.2 Cannot use X because $DISPLAY is not set 5.3.3 System is in original state 5.3.4 HP-UXBastille must be run as root 5.3.5 Problems opening, copying, or reading files 5.3.6 Errors related to individual configuration files 6 Support and other resources 6.1 Contacting HP 6.2 Related information 6.3 Typographic conventions Page Page A Install-TimeSecurity (ITS) using HP-UXBastille A.1 Choosing security levels Page Page A.2 Choosing security dependencies A.3 Selecting security levels during installation B Configuring HP-UXBastille for use with Serviceguard B.1 Configuring Sec20MngDMZ or Sec30DMZ security levels B.2 Configuring Sec10Host level Page C Question modules AccountSecurity.crontabs_file AccountSecurity.cronuser AccountSecurity.gui_login AccountSecurity.hidepasswords AccountSecurity.lock_account_nopasswd AccountSecurity.mesgn AccountSecurity.MIN_PASSWORD_LENGTH AccountSecurity.NOLOGIN AccountSecurity.NUMBER_OF_LOGINS_ALLOWED AccountSecurity.NUMBER_OF_LOGINS_ALLOWEDyn AccountSecurity.PASSWORD_HISTORY_DEPTH AccountSecurity.PASSWORD_HISTORY_DEPTHyn AccountSecurity.PASSWORD_MAXDAYS AccountSecurity.PASSWORD_MINDAYS AccountSecurity.passwordpolicies AccountSecurity.restrict_home AccountSecurity.root_path AccountSecurity.serial_port_login AccountSecurity.single_user_password AccountSecurity.SU_DEFAULT_PATH AccountSecurity.SU_DEFAULT_PATHyn AccountSecurity.system_auditing AccountSecurity.umask AccountSecurity.umaskyn AccountSecurity.unowned_files AccountSecurity.user_dot_files AccountSecurity.user_rc_files Apache.chrootapache Apache.deactivate_hpws_apache DNS.chrootbind FilePermissions.world_writeable FTP.ftpbanner FTP.ftpusers HP_UX.gui_banner HP_UX.mail_config HP_UX.ndd HP_UX.other_tools HP_UX.restrict_swacls HP_UX.scan_ports HP_UX.screensaver_timeout HP_UX.stack_execute HP_UX.tcp_isn IPFilter.block_cfservd IPFilter.block_DNSquery IPFilter.block_hpidsadmin IPFilter.block_hpidsagent IPFilter.block_netrange IPFilter.block_ping IPFilter.block_SecureShell IPFilter.block_wbem IPFilter.block_webadmin IPFilter.configure_ipfilter Page IPFilter.install_ipfilter MiscellaneousDaemons.configure_ssh MiscellaneousDaemons.diagnostics_localonly MiscellaneousDaemons.disable_bind MiscellaneousDaemons.disable_ptydaemon MiscellaneousDaemons.disable_pwgrd MiscellaneousDaemons.disable_rbootd MiscellaneousDaemons.disable_smbclient MiscellaneousDaemons.disable_smbserver MiscellaneousDaemons.nfs_core MiscellaneousDaemons.nobody_secure_rpc MiscellaneousDaemons.snmpd MiscellaneousDaemons.syslog_localonly MiscellaneousDaemons.xaccess other_boot_serv Patches.spc_cron_run Patches.spc_cron_time Patches.spc_proxy_yn Patches.spc_run Printing.printing SecureInetd.banners SecureInetd.deactivate_bootp SecureInetd.deactivate_builtin SecureInetd.deactivate_dttools SecureInetd.deactivate_finger SecureInetd.deactivate_ftp SecureInetd.deactivate_ident SecureInetd.deactivate_ktools SecureInetd.deactivate_ntalk SecureInetd.deactivate_printer SecureInetd.deactivate_recserv SecureInetd.deactivate_rquotad SecureInetd.deactivate_rtools SecureInetd.deactivate_swat SecureInetd.deactivate_telnet SecureInetd.deactivate_tftp SecureInetd.deactivate_time SecureInetd.deactivate_uucp SecureInetd.ftp_logging SecureInetd.inetd_general SecureInetd.log_inetd SecureInetd.owner Sendmail.sendmailcron Sendmail.sendmaildaemon Sendmail.vrfyexpn Page D Sample weight files D.1 all.weight D.2 CIS.weight Page Page E CIS mapping to HP-UXBastille Page Page Page Index