Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Configuring HP-UX Bastille: Interview
Bastille Configuration Questions and Explanations for HP-UX
Appendix B
Answer YES if you are NOT running the HP-UX Host HIDS GUI on this host. Also
answer YES if you are running the HP-UX Host HIDS GUI on this host, and it
only manages one LOCAL HIDS agent running on this host (i.e., you are not
managing any HIDS agents on any remote hosts using this GUI).
Answer NO if you are running an HP-UX Host HIDS GUI on this host AND you
are managing some remote HIDS agents.
Note: You need to install and configure HIDS separately from
Bastille. See http://www.hp.com/security for more information.

IPFilter Q: Do you want to BLOCK incoming web admin connections w/
IPFilter? [Y]
Port 1188 is used by web-based tools that replace
areas of SAM.
The listener on this port is HP's release of Apache with a custom
configuration file that loads only a minimum set of modules. It is
also restricted to use https for all communication and can only be used
to run the system management tools. In general, this web server is
running only when in use. It exits after a period of inactivity.
Disabling this port will mean that some system administration functions
will only be available using the command line.

IPFilter Q: Do you want to BLOCK external webadmin tool autostarts w/
IPFilter? [N]
Port 1110 is used to autostart the web administration server
on port 1188. This port is not used unless configured with the 'waconf'
command.
The listener on this port is inetd. When a request is made on this port,
inetd runs a program that checks for a valid URL and then starts the web
administration server and redirects the requesting browser to port 1188.
Disabling this port will keep the autostart feature from working. Local
starting of the web administration server will continue to work.
Connections on this port are neither authenticated nor encrypted, but this
should be OK because of the limited functionality on this port. As with all
web pages, when using the autostart feature it is important to verify that
the auto-redirect URL says 'https://' and has the correct hostname (and a
valid certificate that matches the host).
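
The redirect check described above, as an added example (not from this guide or from Bastille): a Python function that vets the URL returned by the port 1110 autostart listener before a browser follows it. The function name and the host `hpux1.example.com` are assumptions made for illustration; certificate validation is left to the TLS client that opens the https connection.

```python
from urllib.parse import urlsplit

WEBADMIN_PORT = 1188  # web administration server port named in the text above


def check_autostart_redirect(location, expected_host, port=WEBADMIN_PORT):
    """Return a list of problems with a redirect target; empty means it passed.

    location      -- redirect URL received from the autostart listener
    expected_host -- hostname the administrator meant to reach (assumed known)
    """
    try:
        parts = urlsplit(location.strip())
        actual_port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        return ["unparseable URL: %s" % exc]

    problems = []
    if parts.scheme != "https":  # urlsplit lowercases the scheme
        problems.append("scheme is %r, not 'https'" % parts.scheme)
    # Text before '@' is userinfo, not the host: https://good@other/ goes to 'other'.
    if parts.username is not None or parts.password is not None:
        problems.append("URL embeds userinfo before the real host")
    # Compare hosts case-insensitively and ignore a trailing root dot.
    host = (parts.hostname or "").rstrip(".").lower()
    if host != expected_host.rstrip(".").lower():
        problems.append("host is %r, expected %r" % (host, expected_host))
    if actual_port != port:
        problems.append("port is %r, expected %d" % (actual_port, port))
    return problems


if __name__ == "__main__":
    # Constructed sample redirect targets, not captured from a real system.
    samples = [
        "https://hpux1.example.com:1188/",
        "http://hpux1.example.com:1188/",
        "https://hpux1.example.com@198.51.100.7:1188/",
        "https://hpux1.example.com/",
    ]
    for url in samples:
        result = check_autostart_redirect(url, "hpux1.example.com")
        print(url, "->", result or "OK")
```

A URL that passes this check still has to present a certificate that validates for the expected hostname.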

IPFilter Q: Do you want to BLOCK incoming DNS query connections with
IPFilter? [Y]