HP UX Bastille Software 69

CIS	Level 1 benchmark for HP-UX 11i (v1.5.0)	Mapping to HP-UX Bastille
1.7.1	Enable kernel-level auditing	AccountSecurity.system_auditing

1.7.2	Enable logging from inetd	SecureInetd.log_inetd

1.7.3	Turn on additional logging for FTP daemon	SecureInetd.ftp_logging

1.8User Accounts and Environment

1.8.1	Block system accounts	AccountSecurity.block_system_accounts
1.8.2	Verify that there are no accounts with empty password fields	AccountSecurity.lock_account_nopasswd

1.8.3	Set account expiration parameters on active accounts	AccountSecurity.PASSWORD_MAXDAYS
		AccountSecurity.PASSWORD_MINDAYS
		AccountSecurity.PASSWORD_WARNDAYS

1.8.4	Set strong password enforcement policies	AccountSecurity.PASSWORD_HISTORY_DEPTH
		AccountSecurity.MIN_PASSWORD_LENGTH

1.8.5	Verify no legacy '+' entries exist in passwd and group files	MiscellaneousDaemons.nis_client

1.8.6	No '.' or group/world-writable directory in root $PATH	AccountSecurity.root_path

	User home directories should be mode 750 or more
1.8.7	restrictive	AccountSecurity.restrict_home

1.8.8	No user dot-files should be group/world writable	AccountSecurity.user_dot_files

1.8.9	Remove user .netrc, .rhosts and .shosts files	AccountSecurity.user_rc_files

1.8.10	Set default umask for users	AccountSecurity.umask

1.8.11	Set "mesg n" as default for all users	AccountSecurity.mesgn

1.9Warning Banners

1.9.1 Create warning banners for terminal-session logins		SecureInetd.banners
1.9.2	Create warning banners for GUI logins	HP_UX.gui_banner

1.9.3	Create warning banners for FTP daemon	FTP.ftpbanner

69

Contents

Page Page Table of Contents Install-Time Security (ITS) using C Question modules D Sample weight files E CIS mapping to List of Figures List of Tables 1 About this product 1.1 Features and benefits 1.2Compatibility 1.3 Performance 1.4 Support 2 Installing HP-UXBastille 2.1 Installation requirements 2.2Installation Page 3 Using HP-UXBastille 3.1Creating a security configuration profile Page 3.2Configuring a system 3.3 Assessing a system 3.3.1 Using scored reports Page 3.4 Reverting 3.5 Monitoring drift 3.6 Locating files Page 4 Removing HP-UXBastille Page 5 Troubleshooting 5.1 Diagnostic tips 5.2General use tips 5.3Known issues and workarounds 5.3.2 Cannot use X because $DISPLAY is not set 5.3.3 System is in original state 5.3.4 HP-UXBastille must be run as root 5.3.5 Problems opening, copying, or reading files 5.3.6 Errors related to individual configuration files 6 Support and other resources 6.1 Contacting HP 6.2 Related information 6.3 Typographic conventions Page Page A Install-TimeSecurity (ITS) using HP-UXBastille A.1 Choosing security levels Page Page A.2 Choosing security dependencies A.3 Selecting security levels during installation B Configuring HP-UXBastille for use with Serviceguard B.1 Configuring Sec20MngDMZ or Sec30DMZ security levels B.2 Configuring Sec10Host level Page C Question modules AccountSecurity.crontabs_file AccountSecurity.cronuser AccountSecurity.gui_login AccountSecurity.hidepasswords AccountSecurity.lock_account_nopasswd AccountSecurity.mesgn AccountSecurity.MIN_PASSWORD_LENGTH AccountSecurity.NOLOGIN AccountSecurity.NUMBER_OF_LOGINS_ALLOWED AccountSecurity.NUMBER_OF_LOGINS_ALLOWEDyn AccountSecurity.PASSWORD_HISTORY_DEPTH AccountSecurity.PASSWORD_HISTORY_DEPTHyn AccountSecurity.PASSWORD_MAXDAYS AccountSecurity.PASSWORD_MINDAYS AccountSecurity.passwordpolicies AccountSecurity.restrict_home AccountSecurity.root_path AccountSecurity.serial_port_login AccountSecurity.single_user_password AccountSecurity.SU_DEFAULT_PATH AccountSecurity.SU_DEFAULT_PATHyn AccountSecurity.system_auditing AccountSecurity.umask AccountSecurity.umaskyn AccountSecurity.unowned_files AccountSecurity.user_dot_files AccountSecurity.user_rc_files Apache.chrootapache Apache.deactivate_hpws_apache DNS.chrootbind FilePermissions.world_writeable FTP.ftpbanner FTP.ftpusers HP_UX.gui_banner HP_UX.mail_config HP_UX.ndd HP_UX.other_tools HP_UX.restrict_swacls HP_UX.scan_ports HP_UX.screensaver_timeout HP_UX.stack_execute HP_UX.tcp_isn IPFilter.block_cfservd IPFilter.block_DNSquery IPFilter.block_hpidsadmin IPFilter.block_hpidsagent IPFilter.block_netrange IPFilter.block_ping IPFilter.block_SecureShell IPFilter.block_wbem IPFilter.block_webadmin IPFilter.configure_ipfilter Page IPFilter.install_ipfilter MiscellaneousDaemons.configure_ssh MiscellaneousDaemons.diagnostics_localonly MiscellaneousDaemons.disable_bind MiscellaneousDaemons.disable_ptydaemon MiscellaneousDaemons.disable_pwgrd MiscellaneousDaemons.disable_rbootd MiscellaneousDaemons.disable_smbclient MiscellaneousDaemons.disable_smbserver MiscellaneousDaemons.nfs_core MiscellaneousDaemons.nobody_secure_rpc MiscellaneousDaemons.snmpd MiscellaneousDaemons.syslog_localonly MiscellaneousDaemons.xaccess other_boot_serv Patches.spc_cron_run Patches.spc_cron_time Patches.spc_proxy_yn Patches.spc_run Printing.printing SecureInetd.banners SecureInetd.deactivate_bootp SecureInetd.deactivate_builtin SecureInetd.deactivate_dttools SecureInetd.deactivate_finger SecureInetd.deactivate_ftp SecureInetd.deactivate_ident SecureInetd.deactivate_ktools SecureInetd.deactivate_ntalk SecureInetd.deactivate_printer SecureInetd.deactivate_recserv SecureInetd.deactivate_rquotad SecureInetd.deactivate_rtools SecureInetd.deactivate_swat SecureInetd.deactivate_telnet SecureInetd.deactivate_tftp SecureInetd.deactivate_time SecureInetd.deactivate_uucp SecureInetd.ftp_logging SecureInetd.inetd_general SecureInetd.log_inetd SecureInetd.owner Sendmail.sendmailcron Sendmail.sendmaildaemon Sendmail.vrfyexpn Page D Sample weight files D.1 all.weight D.2 CIS.weight Page Page E CIS mapping to HP-UXBastille Page Page Page Index