HP-UX 11i v2 Installation and Update Guide, December 2005

Choosing an Installation Method
Security Considerations
Chapter 3, page 62
Table 3-4 Host-based Sec10Host Install-time Security Settings [1] (Continued)

Category          Actions
Other Settings    Deactivate HP Apache 2.x Web Server [4]
                  Set up cron job to Security Patch Check [2]

1. Security settings listed here also apply to Sec20MngDMZ and Sec30DMZ
2. Manual action may be required to complete configuration. Refer to
   /etc/opt/sec_mgmt/bastille/TODO.txt for more information, after install or
   update.
3. The following ndd changes will be made:
   ip_forward_directed_broadcasts=0
   ip_forward_src_routed=0
   ip_forwarding=0
   ip_ire_gw_probe=0
   ip_pmtu_strategy=1
   ip_send_source_quench=0
   tcp_conn_request_max=4096
   tcp_syn_rcvd_max=1000
4. Settings applied only if software is installed

Table 3-5 Additional Sec20MngDMZ Install-time Security Settings [1]

Category                      Actions
inetd Services                Includes all disabled inetd services in Table 3-4 and:
                              Deactivate ftp
                              Deactivate telnet
IPFilter Configuration [2]    Block incoming DNS query connections
                              Block incoming HIDS administration connections [3,4]
                              Configure IPFilter to allow outbound traffic, block
                              incoming traffic with IP options set, and all other
                              traffic except for HP-UX Secure Shell, HIDS agent,
                              WBEM, web admin and web admin autostart. [5]

1. Applies all security configuration settings in Table 3-4
2. IPFilter rules are applied via a custom rules file located at
   /etc/opt/sec_mgmt/bastille/ipf.customrules
3. HP-UX Host IDS is a selectable software bundle and only available for commercial
   servers
4. Settings applied only if software is installed
5. Manual action may be required to complete configuration. Refer to
   /var/opt/sec_mgmt/bastille/TODO.txt for more information, after install or
   update.
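
A drift check for the ndd values listed in footnote 3 of Table 3-4, written here as an added example (it is not part of the HP guide or of Bastille). It assumes the ndd -get query form, with ip_* tunables read from /dev/ip and tcp_* tunables from /dev/tcp; the names audit_ndd, ndd_live and sample_reader and the sample values are constructed for illustration.

```shell
# Baseline copied from footnote 3 of Table 3-4 (added example).
NDD_BASELINE="
ip_forward_directed_broadcasts=0
ip_forward_src_routed=0
ip_forwarding=0
ip_ire_gw_probe=0
ip_pmtu_strategy=1
ip_send_source_quench=0
tcp_conn_request_max=4096
tcp_syn_rcvd_max=1000
"

# Default reader: ask the running kernel. ip_* tunables are read from
# /dev/ip and tcp_* tunables from /dev/tcp (assumed device mapping).
ndd_live() {
    ndd -get "/dev/${1%%_*}" "$1"
}

# audit_ndd [reader]: print one line per tunable; return 0 only if all match.
# "reader" (hypothetical hook) prints the current value of the tunable in $1.
audit_ndd() {
    reader=${1:-ndd_live}
    rc=0
    for entry in $NDD_BASELINE; do
        name=${entry%%=*}
        want=${entry#*=}
        # A reader that fails (tunable missing, ndd absent) counts as drift.
        got=$("$reader" "$name" 2>/dev/null) || got=unreadable
        if [ "$got" = "$want" ]; then
            echo "OK    $name=$got"
        else
            echo "DRIFT $name=$got (expected $want)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a host where two values no longer match the baseline.
sample_reader() {
    case $1 in
        ip_forwarding)        echo 1 ;;
        tcp_syn_rcvd_max)     echo 500 ;;
        ip_pmtu_strategy)     echo 1 ;;
        tcp_conn_request_max) echo 4096 ;;
        ip_*)                 echo 0 ;;
        *)                    return 1 ;;
    esac
}
audit_ndd sample_reader || echo "baseline drift detected"
```

On an HP-UX host, calling audit_ndd with no argument queries the running kernel instead of the sample reader.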