HP-UX 11i Version 2 Installation and Update Guide, May 2005

Choosing an Installation Method
Security Considerations
Configuring HP-UX Bastille Sec10Host

Serviceguard's use of dynamic ports does not work if the predefined
Bastille Sec20MngDMZ (MANDMZ.config) or Sec30DMZ (DMZ.config)
configurations are installed. These configurations use different IPFilter
rules to define firewall protection than the rules Serviceguard uses. The
required IPFilter-SG rules are documented in the HP-UX IPFilter
Version A.03.05.09 Administrator's Guide at
http://docs.hp.com/en/B9901-90021/B9901-90021.pdf

When the Serviceguard security patch of 2004 is installed, Serviceguard
is not compatible with the default settings for the HP-UX Bastille
Sec10Host configuration. The Sec10Host configuration disables the
identd daemon, but Serviceguard with the security patch requires the
identd daemon to be running for authentication purposes.

To configure HP-UX Bastille Sec10Host, follow the steps below:

1. Edit the HP-UX Bastille /etc/opt/sec_mgmt/bastille/config
   configuration file by changing the answer to the question:

       Should Bastille ensure inetd's ident service does not run
       on this system?

2. Change the answer from Y to N as follows:

       SecureInetd.deactivate_ident="N"

3. Apply the configuration file changes. You can update your system
   configuration manually or use HP-UX Bastille to update your system
   configuration. Do one of the following:

   • Manually update the system configuration: Edit the
     /etc/inetd.conf file by uncommenting (remove the #) the
     following line:

         #auth stream tcp6 wait bin /usr/lbin/identd identd

     Force inetd to reread the configuration by running the following
     command:

         # inetd -c

   • Use HP-UX Bastille to update the configuration: Revert to the
     previous HP-UX Bastille configuration; then apply the new
     HP-UX Bastille configuration.
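
One way to confirm that steps 1 through 3 took effect is to check both files together, since a Bastille answer of Y or a still-commented auth line each leaves identd disabled. The script below is an added example, not part of the HP guide; its function names are hypothetical, the default paths are the ones named above, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example: verify the ident settings from steps 1-3 (names hypothetical).
BASTILLE_CFG=${BASTILLE_CFG:-/etc/opt/sec_mgmt/bastille/config}
INETD_CONF=${INETD_CONF:-/etc/inetd.conf}

# Print the last answer recorded for SecureInetd.deactivate_ident: Y, N or "unset".
bastille_ident_answer() {
    [ -r "$1" ] || { echo unset; return; }
    awk -F= '$1 == "SecureInetd.deactivate_ident" { gsub(/[" \t]/, "", $2); a = toupper($2) }
             END { print (a == "" ? "unset" : a) }' "$1"
}

# Print "enabled" if an uncommented auth entry runs identd, "commented" if only
# a commented-out entry exists, "missing" otherwise.
inetd_auth_state() {
    [ -r "$1" ] || { echo missing; return; }
    awk '/^[ \t]*auth[ \t].*identd/        { on = 1 }
         /^[ \t]*#[ \t]*auth[ \t].*identd/ { off = 1 }
         END { print (on ? "enabled" : (off ? "commented" : "missing")) }' "$1"
}

# Return 0 only when both files leave identd enabled; otherwise report each
# finding and return 1.
check_ident_for_serviceguard() {
    cfg=${1:-$BASTILLE_CFG}; inetd=${2:-$INETD_CONF}; rc=0
    ans=$(bastille_ident_answer "$cfg")
    state=$(inetd_auth_state "$inetd")
    if [ "$ans" != "N" ]; then
        echo "FAIL: $cfg: SecureInetd.deactivate_ident is $ans (need N)"
        rc=1
    fi
    if [ "$state" != "enabled" ]; then
        echo "FAIL: $inetd: auth/identd entry is $state; uncomment it and run inetd -c"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: ident stays enabled in both files"; fi
    return "$rc"
}

# Constructed sample files (not from a real system) showing the Sec10Host
# default state, for trying the check away from a live host.
write_sample() {   # $1 = existing directory
    printf '%s\n' 'SecureInetd.deactivate_ident="Y"' > "$1/config"
    printf '%s\n' '#auth stream tcp6 wait bin /usr/lbin/identd identd' > "$1/inetd.conf"
}

# Run against the live files only when asked: sh script.sh --check
if [ "${1:-}" = "--check" ]; then check_ident_for_serviceguard; exit $?; fi
```

The check reads the files only; it does not confirm that inetd has reread its configuration, so run it after the inetd -c command in step 3.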