HP-UX 11i v3 Installation and Update Guide, September 2008 (Update 3 Release)
IMPORTANT: Review these tables carefully. Some of the locked down services and
protocols may be used by other applications, and may have adverse effects on the
behavior or functionality of these applications. For example, HP Systems Insight
Manager and Partition Manager rely on WBEM to communicate between hosts;
Sec30DMZ blocks all incoming WBEM connections via IPFilter, though local and
outbound communication is not blocked. In addition, some third-party installation
scripts may not correctly handle the more conservative umask value of 027 set by the
security levels.
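The umask caveat above, as an added example that is not part of the HP guide: a constructed installer that relies on the inherited umask, the same installer stating its modes explicitly, and a `find` check that lists what other local users cannot reach afterwards. The function names and file layout are hypothetical, and the example assumes the installed tool is meant to be usable by all local users.

```shell
#!/bin/sh
# Added example with constructed file names: what umask 027 does to an
# installer that never sets modes itself, and how to spot the result.

# Hypothetical third-party installer that relies on the inherited umask.
naive_install() {
    mkdir -p "$1/bin" "$1/etc"
    printf '#!/bin/sh\necho tool\n' > "$1/bin/tool"
    chmod +x "$1/bin/tool"        # no "who" given, so the umask still applies
    printf 'setting=1\n' > "$1/etc/tool.conf"
}

# Same payload, but the installer then states every mode explicitly.
explicit_install() {
    naive_install "$1"
    chmod 755 "$1" "$1/bin" "$1/etc" "$1/bin/tool"
    chmod 644 "$1/etc/tool.conf"
}

# List directories others cannot enter and files others cannot read.
not_world_accessible() {
    find "$1" \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \)
}

# Number of paths reported by the check above.
count_not_world_accessible() {
    echo $(( $(not_world_accessible "$1" | wc -l) ))
}

# Demo in a scratch directory (constructed paths, removed afterwards).
demo="${TMPDIR:-/tmp}/umask-demo.$$"
( umask 022; naive_install "$demo/umask022" )
( umask 027; naive_install "$demo/umask027" )
( umask 027; explicit_install "$demo/explicit" )
for d in umask022 umask027 explicit; do
    echo "$d: $(count_not_world_accessible "$demo/$d") path(s) closed to other users"
done
not_world_accessible "$demo/umask027"
rm -rf "$demo"
```

Running the same check against a real installation prefix after installing under a security level shows which paths need their modes set explicitly.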
You can change the security settings configured at cold-install or update time by
running HP-UX Bastille after installing or updating your system. For more information
about using HP-UX Bastille, refer to the HP-UX System Administrator’s Guide, or the
HP-UX Bastille User’s Guide located on your system:
/opt/sec_mgmt/bastille/docs/user_guide.txt
Table 3-3 Host-based Sec10Host Install-time Security Settings [1]

Category                          Actions
--------------------------------  ------------------------------------------------
Logins and Passwords              Deny login unless home directory exists
                                  Deny non-root logins if /etc/nologin file exists
                                  Set a default path for su command
                                  Disable root logins from network tty
                                  Hide encrypted passwords
                                  Disallow ftpd system account logins
                                  Disable remote X logins

File System, Network, and Kernel  Modify ndd settings [2,3]
                                  Restrict remote access to swlist
                                  Set default umask
                                  Enable kernel-based stack execute protection

Daemons                           Disable ptydaemon
                                  Disable pwgrd
                                  Disable rbootd
                                  Disable NFS client daemons
                                  Disable NFS server
                                  Disable NIS client programs
                                  Disable NIS server programs
                                  Disable SNMPD
42 Choosing an Installation Method