Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Administering a System: Managing System Security
HP-UX Bastille
Chapter 8 817
Predefined Configuration Files
Beginning with HP-UX 11i v2, Bastille includes three predefined configuration files (see Table 8-5) that provide increasing levels of lockdown. The files are delivered in /etc/opt/sec_mgmt/bastille.
Table 8-5 Predefined Configuration Files

Configuration File Name | Install-Time Module | Description
HOST.config   | Sec10Host   | Host lockdown: no firewall; networking runs normally, including Telnet and FTP. See Table 8-6 on page 817.
MANDMZ.config | Sec20MngDMZ | Managed DMZ lockdown: IPFilter firewall blocks incoming connections except common, secured, management protocols. See Table 8-7 on page 820.
DMZ.config    | Sec30DMZ    | DMZ lockdown: IPFilter blocks all incoming connections except Secure Shell. See Table 8-8 on page 821.
Table 8-6 HOST.config: Host-Based Security Settings

Category: Logins and Passwords
Actions:
  • Deny login unless home directory exists
  • Deny nonroot logins if /etc/nologin file exists
  • Set a default path for su command
  • Disable root logins from network tty
  • Hide encrypted passwords
  • Disallow ftpd system account logins
  • Disable remote X (XDMCP) logins

Category: File System, Network, and Kernel
Actions:
  • Modify ndd settings (footnotes a, b)
  • Restrict remote access to swlist
  • Set default umask
  • Enable kernel-based stack execute protection
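Several of the HOST.config actions above (deny login without a home directory, honour /etc/nologin, set the su default path, set the default umask) are applied through parameters that HP-UX reads from /etc/default/security, documented in security(4). The following POSIX sh script is an added example, not code from this manual or from Bastille: it audits such a file against a baseline for those four parameters. The parameter names are the documented ones; the expected values and the sample file are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the HP-UX manual or from Bastille: audit an
# HP-UX /etc/default/security file against the HOST.config rows that map to
# security(4) parameters (deny login without home directory, honour
# /etc/nologin, su default path, default umask). The parameter names are the
# documented ones; the expected values in BASELINE are assumptions.
BASELINE='ABORT_LOGIN_ON_MISSING_HOMEDIR=1
NOLOGIN=1
SU_DEFAULT_PATH=/usr/bin
UMASK=027'

# sec_get FILE KEY: print the effective value of KEY (last uncommented
# assignment wins; a commented-out "#KEY=..." line does not count).
sec_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# audit_security_defaults FILE: print one line per parameter that is absent
# or differs from BASELINE; print nothing when the file already matches.
audit_security_defaults() {
    for entry in $BASELINE; do
        key=${entry%%=*}
        want=${entry#*=}
        have=$(sec_get "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (expected $want)"
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key=$have (expected $want)"
        fi
    done
}

# make_sample: write a constructed, not-yet-hardened sample file (not from a
# real host) and print its path. NOLOGIN is commented out, two values fall
# short of the baseline, SU_DEFAULT_PATH already matches.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# /etc/default/security -- constructed sample
ABORT_LOGIN_ON_MISSING_HOMEDIR=0
#NOLOGIN=1
UMASK=022
SU_DEFAULT_PATH=/usr/bin
EOF
    echo "$f"
}
SAMPLE=$(make_sample)
audit_security_defaults "$SAMPLE"   # reports three findings for the sample
rm -f "$SAMPLE"
```

On a real system, point audit_security_defaults at /etc/default/security; the ndd, swlist and stack-execute rows of Table 8-6 are not covered by this file and need separate checks.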