HP-UX 11i v3 Installation and Update Guide, September 2008 (Update 3 Release)

The four security levels appear. By default, Sec00Tools is selected.
2. Select the security level appropriate for your deployment. See “Predefined Security
Levels” (page 38) for more information.
3. Select OK.
Serviceguard Configuration (Post-Installation) to Enable Use with Security Levels
Configuring Sec20MngDMZ or Sec30DMZ for Use with Serviceguard
Serviceguard uses dynamic ports, so the whole range of ports that Serviceguard may use must
be opened in the firewall before Serviceguard can operate. Opening that range is not consistent
with the security goals of Sec20MngDMZ (MANDMZ.config) and Sec30DMZ (DMZ.config), because
other services (including other RPC-like applications) may also listen on ports in the same
range, and the opened range admits traffic to them as well. The firewall, however, still
provides security benefits consistent with the Serviceguard security deployment model
described in the Securing Serviceguard document at
http://docs.hp.com/
Before you open the Serviceguard port range, review the required IPFilter-SG rules, which
are documented in the HP-UX IPFilter (Version A.03.05.09 and later) Administrator's Guide at
http://docs.hp.com/en/B9901-90031
When the Serviceguard security patch of 2004 is installed, Serviceguard requires one
additional service, identd. Enable it by following the steps below.
1. Edit the HP-UX Bastille configuration file /etc/opt/sec_mgmt/bastille/config and
locate the answer to the question:
Should Bastille ensure inetd's ident service does not run on
this system?
2. Change the answer from Y to N so that the line reads:
SecureInetd.deactivate_ident="N"
3. Apply the configuration file changes, either by updating the system configuration
manually or by rerunning HP-UX Bastille with the changed configuration file. Updating
manually takes fewer steps on a system whose configuration has been changed by hand
since Bastille was last run, because rerunning Bastille reapplies the whole configuration
file and those hand changes would have to be redone; rerunning Bastille takes fewer steps
on a system that has not been changed by hand since Bastille was last run.
4. Do one of the following:
Manually update the system configuration: Edit the /etc/inetd.conf file
by uncommenting (remove the #) the following line:
#auth stream tcp6 wait bin /usr/lbin/identd identd
Force inetd to reread the configuration by running the following command:
Security Considerations 39
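The manual route of the identd procedure above comes down to two file edits plus a check that both took effect. The following POSIX sh script is an added example, not code from the HP-UX guide or from HP-UX Bastille: it makes the Bastille answer edit (step 2) and the inetd.conf edit (step 4) as idempotent functions that take the file paths as parameters, so they can be tried on copies before being run as root against /etc/opt/sec_mgmt/bastille/config and /etc/inetd.conf. The sample files it creates are constructed for the demonstration and are not real HP-UX files; the function names are the script's own.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide: scripts the two hand edits of the
# identd procedure (Bastille answer + inetd.conf line) and checks the result.
# File paths are parameters so it can be tried on copies first; the real
# files are /etc/opt/sec_mgmt/bastille/config and /etc/inetd.conf.
# Written for a POSIX sh; avoids sed -i and GNU-only options.

# Set SecureInetd.deactivate_ident="N" in a Bastille config file.
# Rewrites an existing answer in place, appends it if absent; safe to rerun.
set_bastille_ident() {
    cfg=$1
    tmp=$cfg.tmp.$$
    if grep '^SecureInetd\.deactivate_ident=' "$cfg" >/dev/null 2>&1; then
        sed 's/^SecureInetd\.deactivate_ident=.*/SecureInetd.deactivate_ident="N"/' \
            "$cfg" > "$tmp"
    else
        cat "$cfg" > "$tmp"
        echo 'SecureInetd.deactivate_ident="N"' >> "$tmp"
    fi
    cp "$tmp" "$cfg" && rm -f "$tmp"   # cp keeps the target's owner and mode
}

# Uncomment the identd entry in an inetd.conf. Only a commented line whose
# service is "auth" and whose server is identd is touched; other commented
# services (echo, chargen, ...) stay disabled, which is the Bastille intent.
enable_inetd_ident() {
    conf=$1
    tmp=$conf.tmp.$$
    sed '/^#[[:space:]]*auth[[:space:]].*identd/s/^#[[:space:]]*//' "$conf" > "$tmp"
    cp "$tmp" "$conf" && rm -f "$tmp"
}

# Exit 0 only when both edits are in place: the Bastille answer is "N" and
# the auth/identd line in inetd.conf is active (not commented out).
ident_enabled() {
    grep '^SecureInetd\.deactivate_ident="N"$' "$1" >/dev/null 2>&1 &&
    grep '^auth[[:space:]].*identd' "$2" >/dev/null 2>&1
}

# Demo on constructed sample files (not real HP-UX files), so it runs
# anywhere without root. Prints the directory it used and returns the
# ident_enabled status.
demo_identd() {
    dir=${TMPDIR:-/tmp}/identd-demo.$$
    mkdir -p "$dir"
    cat > "$dir/config" <<'EOF'
# constructed Bastille answers
SecureInetd.deactivate_ident="Y"
SecureInetd.deactivate_echo="Y"
EOF
    cat > "$dir/inetd.conf" <<'EOF'
# constructed inetd.conf fragment
ftp     stream tcp6 nowait root /usr/lbin/ftpd    ftpd -l
#auth   stream tcp6 wait   bin  /usr/lbin/identd  identd
#echo   stream tcp6 nowait root internal
EOF
    set_bastille_ident "$dir/config"
    enable_inetd_ident "$dir/inetd.conf"
    echo "edited copies in $dir"
    ident_enabled "$dir/config" "$dir/inetd.conf"
}

demo_identd
```

On the real files, run the two functions as root and then make inetd reread its configuration as the procedure's final step describes; keeping the Bastille answer at "N" matters even on the manual route, because otherwise the next Bastille run would comment the auth line out again.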