Managing Systems and Workgroups: A Guide for HP-UX System Administrators

ManualsBrandsHP ManualsSoftwareHP-UX 11i v1.6 Technical Computing (TCOE) LTU

981

982

983

984

985

986

987

988

989

990

Conﬁguring HP-UX Bastille: Interview

Bastille Conﬁguration Questions and Explanations for HP-UX

Appendix B 983

access control lists, and (3) block SNMP traffic at your firewall. Otherwise

it makes sense to disable the SNMP daemons.

The average home user has no reason to run these daemons and

depending on their default configuration, they could be a major

security risk. Alternatively if configured correctly, and used

in conjunction with management software these daemons could be

used to dramatically improve accessibility and response time to

problems when they occur.

Things known to not work if this is disabled:

Network management software, such as HP Openview, which relies

on SNMP

Miscellaneous

Daemons

Q: Would you like to disable both the ptydaemon and vtdaemon? [Y]

The ptydaemon is used by the shell layers (shl) software.

shl is a historical alternative to job control. If no one on your system

is going to use shl, you should be able to safely turn the ptydaemon off.

If you disable and remove ptydaemon, Bastille will also disable

vtdaemon since it depends on ptydaemon to operate.

These are both used for very old protocols. If you don't know what uucp

is, you probably don't need these. If you want a history lesson, you

can look at the man pages for "vt", "vtdaemon", "uucp" and "shl".

The security benefit of turning these off is based on the principle of

minimalism. These daemons do run as root and accept input from a normal

user. There is probably a low security risk associated with leaving these

daemons running, but there is little reason to expose yourself to that

risk unnecessarily.

Miscellaneous

Daemons

Q: Would you like to disable pwgrd? [Y]

pwgrd is the Password and Group Hashing and Caching daemon.

pwgrd provides accelerated lookup of password and group information

for libc routines like getpwuid and getgrname. However, on systems

with normal sized (less than 50 entries) password files, pwgrd will

probably slow down lookups, due to the overhead presented by pwgrd's

use of Unix domain sockets.

The security benefit of turning this service off is also based on the principle

of minimalism. This daemon does run as root and accepts input from

non-privileged users.

Miscellaneous

Daemons

Q: Should Bastille deactivate rbootd? [Y]