Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Configuring HP-UX Bastille: Interview
Bastille Configuration Questions and Explanations for HP-UX
Appendix B
HP SharedX Receiver Service is used to receive shared windows from
another machine in X without explicitly performing any xhost command. This service
is required for MPower remote windows; if you use MPower, leave this service running
on your system. The SharedX Receiver Service is an automated wrapper around the
xhost command; see xhost(1). This service should be disabled unless viewing shared
windows is something that is often done on this machine. xhost is generally the more
secure solution, as it makes all sharing of windows explicit.
Secure Inetd Q: Should Bastille ensure that inetd's swat service does not run on this
system? [Y]
The swat service allows a Samba administrator to configure Samba via
a Web browser. It lets administrators view the configuration, change it, and put
the change into effect, all via the Web. The drawback from a security standpoint
comes from the authentication method used for the Samba administrator. That is,
clear-text passwords are passed through the network if a connection is initiated
from an outside source. This form of authentication is easily defeated, so it is
recommended that this machine not run the swat service.
Secure Inetd Q: Should Bastille ensure that inetd's printer service does not run on
this system? [Y]
The printer service is a line printer daemon that accepts remote
spool requests. It uses the rlpdaemon to process remote print requests, display
the queue, and remove jobs from the queue upon request. If this machine is not
used as a remote print spooler, then this service should be disabled.
Secure Inetd Q: Would you like to display "Authorized Use" messages at log-in
time? [Y]
At this point you can create "Authorized Use Only" messages for
your site. These may be very helpful in prosecuting system crackers you
may catch trying to break into your system. Bastille can make default
messages which you may then later edit. This is sort of like an
"anti-welcome mat" for your computer.
Secure Inetd Q: Who is responsible for granting authorization to use this machine?
[its owner]
Bastille will start to make the banner more specific by
telling the user who is responsible for this machine. This will state
explicitly from whom the user needs to obtain authorization to use this
machine. Please type in the name of the company, person, or other
organization who owns or is responsible for this machine.
Secure Inetd Q: Should Bastille enable logging for all inetd connections? [Y]
It is a good idea to log connection attempts to inetd services.
The only reason not to do this is that frequent logging from inetd will
fill logs more quickly, particularly if inetd services are heavily used on
this machine.
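
An audit for the three inetd answers above (swat off, printer off, connection logging on), written as an added example and not taken from the HP-UX guide or from Bastille itself. It assumes service entries live in an /etc/inetd.conf-style file and that logging is switched on with -l in INETD_ARGS in /etc/rc.config.d/netdaemons; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not Bastille's own code): audit the inetd settings above.

# Print each named service that still has an active (uncommented) entry.
# usage: enabled_inetd_services FILE SERVICE...
enabled_inetd_services() {
    conf=$1; shift
    awk -v wanted="$*" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        ($1 in want) && !seen[$1]++ { print $1 }   # report tcp+udp pairs once
    ' "$conf"
}

# Succeed if the last INETD_ARGS assignment in FILE carries the -l flag.
# Assumption: connection logging is enabled by passing "-l" to inetd through
# INETD_ARGS in /etc/rc.config.d/netdaemons.
inetd_logging_enabled() {
    awk '
        /^[ \t]*INETD_ARGS=/ {
            v = $0; sub(/^[^=]*=/, "", v); sub(/#.*/, "", v); gsub(/"/, "", v)
            last = v                           # a later assignment overrides
        }
        END {
            n = split(last, a, " ")
            for (i = 1; i <= n; i++) if (a[i] == "-l") ok = 1
            exit !ok
        }
    ' "$1"
}

# Constructed sample files standing in for /etc/inetd.conf and netdaemons.
tmp=${TMPDIR:-/tmp}/inetd-audit.$$
mkdir -m 700 "$tmp" || exit 2
cat > "$tmp/inetd.conf" <<'EOF'
# constructed sample, not copied from a real system
telnet   stream tcp nowait root /usr/lbin/telnetd   telnetd
#swat    stream tcp nowait root /opt/samba/bin/swat swat
printer  stream tcp nowait root /usr/sbin/rlpdaemon rlpdaemon -i
EOF
printf 'INETD_ARGS=""\n' > "$tmp/netdaemons"

for svc in $(enabled_inetd_services "$tmp/inetd.conf" swat printer); do
    echo "FAIL: $svc is still enabled in inetd.conf"
done
inetd_logging_enabled "$tmp/netdaemons" || echo "FAIL: inetd connection logging is off"
rm -rf "$tmp"
```

On the constructed sample this reports the printer entry and the missing logging flag; point the two functions at the real files to audit a host.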