HP-UX 11i v3 Installation and Update Guide, March 2009 (Update 4 Release)
IMPORTANT: Review these tables carefully. Some of the locked down services and
protocols may be used by other applications, and may have adverse effects on the
behavior or functionality of these applications. For example, HP Systems Insight
Manager and Partition Manager rely on WBEM to communicate between hosts;
Sec30DMZ blocks all incoming WBEM connections via IPFilter, though local and
outbound communication is not blocked. In addition, some third-party installation
scripts may not correctly handle the more conservative umask value of 027 set by the
security levels.
You can change the security settings configured at cold-install- or update-time by
running HP-UX Bastille after installing or updating your system. For more information
about using HP-UX Bastille, refer to HP-UX System Administrator’s Guide or the HP-UX
Bastille User’s Guide located on your system:
/opt/sec_mgmt/bastille/docs/user_guide.txt
Table 3-3 Host-based Sec10Host Install-time Security Settings ¹

Category                    Actions
--------------------------  ---------------------------------------------------------------
Logins and Passwords        Deny login unless home directory exists
                            Deny non-root logins if /etc/nologin file exists
                            Set a default path for su command
                            Disable root logins from network tty
                            Hide encrypted passwords
                            Disallow ftpd system account logins
                            Disable remote X logins
                            Restrict the use of at to administrative accounts
                            Disable login access to the system accounts
                            Lock the local accounts with no password
                            Restrict the home directory permissions
                            Remove the dot from the root path
                            Remove world-write permission from local user account dot files
                            Delete .shosts, .rhosts, and .netrc from the local user accounts
                            Set mesg n for all users
                            Disable the local graphical login

File System, Network, and   Modify ndd settings ²,³
Kernel                      Restrict remote access to swlist
                            Set default umask
                            Enable kernel-based stack execute protection
                            Disable all serial ports besides the console
                            Assign unowned files to the bin user
                            Make TCP ISN RFC 1948 compliant
                            Disable the “nobody” user in the ONC Secure RPC
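
The following read-only shell functions are an added example, not part of this guide or of HP-UX Bastille. They check four of the Table 3-3 items (dot in the root path, default umask, trust files, world-writable dot files). The function names and the constructed sample directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only checks for a few Sec10Host items from Table 3-3.
# Function names and the sample directory are constructed for illustration.

# "Remove the dot from the root path": succeed if PATH string $1 contains "."
# or an empty element, both of which mean the current directory.
path_has_dot() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# "Set default umask": succeed if umask $1 (octal) masks at least the 027 bits.
umask_covers_027() {
    [ $(( 0$1 & 027 )) -eq $(( 027 )) ]
}

# "Delete .shosts, .rhosts, and .netrc": print any that exist in home dir $1.
list_trust_files() {
    for f in .shosts .rhosts .netrc; do
        if [ -e "$1/$f" ] || [ -h "$1/$f" ]; then printf '%s\n' "$1/$f"; fi
    done
}

# "Remove world-write permission from ... dot files": print regular dot files
# in home dir $1 whose mode has the other-write bit set. Symbolic links are
# skipped because ls reports the link's own mode, not the target's.
list_world_writable_dotfiles() {
    for f in "$1"/.[!.]*; do
        [ -f "$f" ] && [ ! -h "$f" ] || continue
        case $(ls -ld "$f") in
            ????????w*) printf '%s\n' "$f" ;;
        esac
    done
}

# Demo on a constructed home directory (not a real account).
demo=${TMPDIR:-/tmp}/sec10demo.$$
mkdir -m 700 "$demo"
: > "$demo/.profile"; chmod 666 "$demo/.profile"
: > "$demo/.rhosts";  chmod 600 "$demo/.rhosts"
path_has_dot "/usr/sbin:.:/usr/bin" && echo "sample root PATH contains dot"
umask_covers_027 "$(umask)" || echo "current umask $(umask) is weaker than 027"
list_trust_files "$demo"
list_world_writable_dotfiles "$demo"
rm -rf "$demo"
```
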
42 Choosing an Installation Method