HP-UX 11i Version 2 Installation and Update Guide, May 2005
Choosing an Installation Method
Security Considerations
• Table 3-7 on page 66 lists the security settings applied with
Sec30DMZ, in addition to the settings in Table 3-5 and Table 3-6.
IMPORTANT Review these tables carefully. Some of the locked-down services
and protocols may be used by other applications, and locking them down
may adversely affect the behavior or functionality of those applications.
For example, Servicecontrol Manager and ParMgr rely on WBEM for part of
their functionality; Sec30DMZ blocks all incoming WBEM connections via
IPFilter. In addition, some third-party installation scripts may not
correctly handle the more conservative umask value of 027 set by the
security levels.
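The following sketch illustrates the umask point in the note above. It is an added example, not part of the HP guide; the function names and the scratch path are hypothetical. It runs the same two installers under a 022 and a 027 umask and reports the modes each one leaves behind.

```shell
#!/bin/sh
# Added example (constructed): how a 027 umask changes what an installer creates.
# Function names and the scratch path are hypothetical.

# Print the 10-character mode string of a path, e.g. -rw-r----- (uses only ls/cut).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Installer that inherits whatever umask the caller has (the pattern that breaks).
install_naive() {
    mkdir -p "$1/etc" &&
    echo "setting=1" > "$1/etc/app.conf"
}

# Installer that sets the modes it needs explicitly, whatever the caller's umask.
install_explicit() {
    mkdir -p "$1/etc" &&
    chmod 755 "$1" "$1/etc" &&
    echo "setting=1" > "$1/etc/app.conf" &&
    chmod 644 "$1/etc/app.conf"
}

# usage: run_under_umask MASK INSTALLER
# Runs INSTALLER in a subshell with MASK and prints "<dir mode> <file mode>".
run_under_umask() {
    (
        umask "$1"
        root="${TMPDIR:-/tmp}/umask_demo.$$.$1.$2"
        mkdir "$root" || exit 1          # fails if the path already exists
        if "$2" "$root"; then
            echo "$(mode_of "$root/etc") $(mode_of "$root/etc/app.conf")"
        fi
        rm -rf "$root"
    )
}

for mask in 022 027; do
    for installer in install_naive install_explicit; do
        echo "umask $mask $installer: $(run_under_umask "$mask" "$installer")"
    done
done
```

Under 027 the naive installer leaves the directory at drwxr-x--- and the file at -rw-r-----, so an account outside the owning group cannot read the configuration; the explicit installer produces the same modes under either umask.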
You can change the security settings configured at cold-install- or
update-time by running HP-UX Bastille after installing or updating your
system. For more information about using HP-UX Bastille, refer to
Managing Systems and Workgroups: A Guide for HP-UX System
Administrators, or the HP-UX Bastille User’s Guide located on your
system at: /opt/sec_mgmt/bastille/docs/user_guide.txt
Table 3-5 Host-based Sec10Host Install-time Security Settings (footnote 1)
Category                  Actions
Logins and Passwords      Deny login unless home directory exists
                          Deny non-root logins if /etc/nologin file exists
                          Set a default path for su command
                          Disable root logins from network tty
                          Hide encrypted passwords
                          Disallow ftpd system account logins
                          Disable remote X logins
File System, Network,     Modify ndd settings (footnotes 2, 3)
and Kernel                Restrict remote access to swlist
                          Set default umask
                          Enable kernel-based stack execute protection