HP-UX 11i v2 Installation and Update Guide, December 2007
Choosing an Installation Method
Security Considerations
Secured Services and Protocols
Each security level provides incrementally higher security by locking
down various protocols and services. HP-UX Bastille uses a series of
questions to determine which services and protocols to secure. Using one
of the security levels applies a default security profile, simplifying the
lockdown process.
The following tables detail the services and protocols affected by each
security level (the levels themselves are listed in Table 3-3 on page 55)
if you choose to apply one at cold-install or update time:
• Table 3-4 on page 61 lists the security settings for Sec10Host. These
settings also apply to Sec20MngDMZ and Sec30DMZ.
• Table 3-5 on page 62 lists the security settings applied with
Sec20MngDMZ, in addition to the settings in Table 3-4.
• Table 3-6 on page 63 lists the security settings applied with
Sec30DMZ, in addition to the settings in Table 3-4 and Table 3-5.
IMPORTANT: Review these tables carefully. Some of the locked-down services
and protocols may be used by other applications, and locking them down may
have adverse effects on the behavior or functionality of those
applications. For example, HP Systems Insight Manager and ParMgr rely on
WBEM to communicate between hosts; Sec30DMZ blocks all incoming WBEM
connections via IPFilter, though local and outbound communication is
not blocked. In addition, some third-party installation scripts may not
correctly handle the more conservative umask value of 027 set by the
security levels.
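The umask point above is easy to verify before running a third-party installer on a hardened host. The following POSIX sh script is an added example, not part of the guide or of HP-UX Bastille: it computes the modes that result from umask 027 versus the usual 022, runs a constructed stand-in for an install script under each umask, and counts the files and directories left unreadable to other users (the `simulate_install` function and the `pkg` layout it creates are hypothetical).

```sh
#!/bin/sh
# Added example, not from the HP-UX guide: what the umask of 027 set by the
# Bastille security levels does to files an installer creates, and a check
# for entries left unreadable to other users afterwards.

# mode_after_umask BASE UMASK
# Prints the octal mode a new file or directory gets when the creating
# program requests BASE (666 for files, 777 for directories) and the
# process umask is UMASK.
mode_after_umask() {
    printf '%03o' $(( 0$1 & ~0$2 ))
}

# simulate_install UMASK DIR
# Hypothetical stand-in for a third-party install script, constructed for
# this example: creates DIR, a config file and a library directory under
# the given umask, exactly as such a script would on a hardened host.
simulate_install() {
    (
        umask "$1"
        mkdir -p "$2/pkg/lib" || exit 1
        : > "$2/pkg/pkg.conf"
    )
}

# unreadable_to_others DIR
# Prints how many entries under DIR (DIR itself included) lack the
# "other read" bit; these are what a script that assumes world-readable
# output trips over after running under umask 027.
unreadable_to_others() {
    find "$1" ! -perm -004 | wc -l | tr -d ' '
}

# Demonstration: compare the two umasks side by side in a scratch directory.
work=$(mktemp -d)
for um in 022 027; do
    simulate_install "$um" "$work/$um"
    echo "umask $um: file=$(mode_after_umask 666 "$um")" \
         "dir=$(mode_after_umask 777 "$um")" \
         "entries unreadable to others=$(unreadable_to_others "$work/$um")"
done
rm -rf "$work"
# prints:
#   umask 022: file=644 dir=755 entries unreadable to others=0
#   umask 027: file=640 dir=750 entries unreadable to others=4
```

Run the same `find` over an installer's real target directory to see which files need their group or other permissions corrected after the install.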
You can change the security settings configured at cold-install or
update time by running HP-UX Bastille after installing or updating your
system. For more information about using HP-UX Bastille, refer to
Managing Systems and Workgroups: A Guide for HP-UX System
Administrators, or the HP-UX Bastille User’s Guide located on your
system at: /opt/sec_mgmt/bastille/docs/user_guide.txt