Managing Systems and Workgroups: A Guide for HP-UX System Administrators

ManualsBrandsHP ManualsSoftwareHP-UX 11i v1.6 Technical Computing (TCOE) LTU

971

972

973

974

975

976

977

978

979

980

Conﬁguring HP-UX Bastille: Interview

Bastille Conﬁguration Questions and Explanations for HP-UX

Appendix B980

Secure Inetd Q: Should Bastille tell you to disable unneeded inetd services in the

TODO list? [Y]

In addition to the previously mentioned services, one should

also disable other unneeded inetd services. The aim is to only leave

those services running that are critical to the operation of

this machine. This is an example of the frequent tradeoff

between security and functionality. The most secure

machine is usually not very useful. For the most secure, but useful

system, you will need to enable only those services which this system

needs to fulfill its intended purpose.

You can further restrict access using the inetd.sec file or a program

like tcpwrappers. If you answer "Y" to this question, Bastille will

also point you to information on how to configure these tools.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,

see TODO list for details)

Miscellaneous

Daemons

(Explanation Only)

To make the operating system more secure, we try to deactivate all

system daemons, especially those running at a high/unlimited level of

privilege. Each active system daemon serves as a potential point of

break-in, which might allow an attacker illegitimate access to your

system. An attacker can use these system daemons to gain access if they

are later found to have a bug or security vulnerability.

We practice a minimalist principle here: minimize the number of privileged

system daemons and you can decrease your chances of being a victim should

one of the standard daemons be found later to have a vulnerability. This

section will require careful attention, but if you have doubts, you should

be able to safely select the default value in most cases.

Miscellaneous

Daemons

Q: Would you like to deactivate the NFS server on this system? [Y] [Y]

An NFS (Network File System) server allows it's host machine to

export file systems onto other designated machines on a network. NFS has

a history of major security vulnerabilities, as well as being a clear-text

protocol and relying on the presented username for authentication. Any

data transferred by NFS can be monitored and may be tampered with by any

other network machine. Transferred data includes file handles, which can

then be used to modify files.

This service can be made safer if it is locked behind a firewall that will

block NFS packets from entering or leaving your network. It is best to

deactivate it until you can investigate whether or not you need NFS and

how to best secure it.