HP-UX 11i v3 Installation and Update Guide, March 2009 (Update 4 Release)
The four security levels appear. By default, Sec00Tools is selected.
2. Select the security level appropriate for your deployment. See “Predefined Security
Levels” (page 38) for more information.
3. Select OK.
Serviceguard Configuration (Post-Installation) to Enable Use with Security Levels
NOTE: For the most complete information on configuring Bastille with Serviceguard,
see the appropriate version of the HP Serviceguard Release Notes at
http://www.docs.hp.com/en/ha.html#Serviceguard.
Configuring Sec20MngDMZ or Sec30DMZ for Use with Serviceguard
Serviceguard uses dynamic ports. To enable operation, the port range that Serviceguard
may use must be opened. Opening the port range is not consistent with the security goals of
Sec20MngDMZ (MANDMZ.config) and Sec30DMZ (DMZ.config), since multiple
services (including other RPC-like applications) may also listen on this same port range.
The firewall, however, will still provide security benefits consistent with the
Serviceguard security deployment model as described in the Securing Serviceguard
document at
http://docs.hp.com/
Before you open the Serviceguard port range, make sure you review the required
IPFilter-SG rules, which are documented in the HP-UX IPFilter (Version A.03.05.09 and
later) Administrator's Guide at
http://docs.hp.com/en/B9901-90031
Serviceguard requires one additional service, identd. Enable it by following the steps
below.
1. Edit the HP-UX Bastille /etc/opt/sec_mgmt/bastille/config configuration
file by changing the answer to the question:
Should Bastille ensure inetd's ident service does not run on
this system?
2. Change the answer from Y to N as follows:
SecureInetd.deactivate_ident="N"
3. Apply the configuration file changes. You can update your system configuration
manually or use HP-UX Bastille to update your system configuration. The former
will require fewer steps on systems that have been manually configured, after a
user has configured the system using the Bastille tool, and the latter will require