HP-UX Bastille Version B.3.3 User Guide

can result in attacks that go undetected and reports of many false alerts.
HIDS will work but your system may still be vulnerable.
Prevent the onset of attacks. If your system is vulnerable to attacks, those
vulnerabilities will remain even after HIDS is installed.
Find static security flaws on a system. For example, if the password file
contained an illegitimate account before HIDS was installed, that
illegitimate account remains a vulnerability even after HIDS is installed
and operational. Furthermore, HIDS cannot authenticate users of a valid
account. For example, if users share password information, HIDS cannot
ascertain the identity of an unauthorized user gaining access to a system
via a legitimate account login.
Actions Enable incoming network traffic for this service by adding the following lines
to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX
Bastille:
# do allow hpidsagent incoming connections
pass in quick proto tcp from any to any port = hpidsagent flags S keep state keep frags
IPFilter.block_netrange
Headline Allow additional incoming network traffic from a select list of IP addresses.
Default 192.168.1.0/255.255.255.0 10.10.10.10
Description The basic IPFilter rules set up by HP-UX Bastille only allow network traffic for
services associated with software that HP-UX Bastille recognizes as installed
on the system. All other incoming traffic is blocked by default. To allow
additional incoming traffic based on the IP address of the sending host, enter
specific IP addresses here with an optional netmask. Otherwise, answer 'N'.
Actions Enable incoming network traffic for select hosts by adding the following lines
to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX
Bastille:
# Allow incoming connections from the following select IP addresses:
pass in quick from <ip>/<netmask> to any
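The rule template above is filled in once per entry of the block_netrange answer. The following Python script, added here as an illustration and not part of HP-UX Bastille, parses an answer in the guide's format (space-separated entries of <ip> or <ip>/<netmask>), renders the ipf.conf lines, and lets an administrator check which source hosts the resulting rules would pass; the strict rejection of entries with host bits set under the mask is this example's choice, not documented Bastille behaviour.

```python
"""Added example (not HP-UX Bastille code): expand an IPFilter.block_netrange
answer into ipf.conf 'pass in quick' rules and check which hosts they cover."""
import ipaddress


def parse_netrange(answer: str) -> list[ipaddress.IPv4Network]:
    """Parse the space-separated answer of '<ip>' or '<ip>/<netmask>' entries.

    A bare address becomes a /32 host; dotted (255.255.255.0) and prefix
    (/24) netmasks are both accepted. An entry whose host bits are set under
    its mask is rejected so the admin fixes the entry instead of relying on
    how ipf normalises it (assumption: this strictness is the example's own).
    """
    networks = []
    for entry in answer.split():
        try:
            networks.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"bad block_netrange entry {entry!r}: {exc}") from exc
    return networks


def render_rules(answer: str) -> list[str]:
    """Emit one rule per entry in the '<ip>/<netmask>' form the guide shows."""
    lines = ["# Allow incoming connections from the following select IP addresses:"]
    for net in parse_netrange(answer):
        lines.append(f"pass in quick from {net.network_address}/{net.netmask} to any")
    return lines


def is_allowed(answer: str, src: str) -> bool:
    """True if a packet from src matches one of the generated rules.

    'quick' makes the first matching rule final, so any match is a pass;
    a source matching none of them falls through to the remaining ruleset.
    """
    host = ipaddress.IPv4Address(src)
    return any(host in net for net in parse_netrange(answer))


if __name__ == "__main__":
    DEFAULT = "192.168.1.0/255.255.255.0 10.10.10.10"  # the guide's default answer
    print("\n".join(render_rules(DEFAULT)))
    for probe in ("192.168.1.77", "10.10.10.10", "10.10.10.11"):
        verdict = "passed" if is_allowed(DEFAULT, probe) else "not matched by these rules"
        print(f"{probe}: {verdict}")
```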
IPFilter.block_ping
Headline BLOCK incoming ICMP echo requests with IPFilter.
Default Y
Description
ICMP echo or ping is used for device discovery for a number of applications,
including System Insight Manager, and OpenView Network node manager.
Though this is commonly used by hackers to discover hosts, the information
returned to them is minimal. Past vulnerabilities of ping are patched. For this
reason, you should block incoming icmp-echo requests if you do not need
management applications to discover the device.
Actions Enable incoming network traffic for this service by adding the following lines
to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX
Bastille:
# do allow ping incoming connections
pass in quick proto icmp from any to any icmp-type
IPFilter.block_SecureShell
Headline BLOCK incoming Secure Shell connections with IPFilter.
Default N
Description Secure Shell is the best replacement for Telnet, remote shell, and FTP. It is
authenticated and encrypted. If you want remote access to your machine, this
47