HP-UX 11i v3 Installation and Update Guide, February 2007 (Initial Release)

Choosing an Installation Method

Security Considerations

Chapter 356

sendmail

Run sendmail via cron to process queue

Stop sendmail from running in daemon mode

Disable vrfy and expn commands

Other Settings

Deactivate HP Apache 2.x Web Server

Set up cron job to Security Patch Check

1. Security settings listed here also apply to Sec20MngDMZ and Sec30DMZ

2. Manual action may be required to complete configuration. Refer to

/etc/opt/sec_mgmt/bastille/TODO.txt for more information, after install or

update.

3. The following ndd changes will be made:

ip_forward_directed_broadcasts=0

ip_forward_src_routed=0

ip_forwarding=0

ip_ire_gw_probe=0

ip_pmtu_strategy=1

ip_send_source_quench=0

tcp_conn_request_max=4096

tcp_syn_rcvd_max=1000

4. Settings applied only if software is installed

Table 3-4 Additional Sec20MngDMZ Install-time Security Settings

Category Actions

inetd Services Includes all disabled inetd services in Table 3-3 and:

Deactivate ftp

Deactivate telnet

IPFilter

Configuration

Block incoming DNS query connections

Block incoming HIDS administration connections

3,4

Configure IPFilter to allow outbound traffic, block

incoming traffic with IP options set, and all other traffic

except for HP-UX Secure Shell, HIDS agent, WBEM,

web admin and web admin autostart

, ICMP echo.

1. Applies all security configuration settings in Table 3-3

2. IPFilter rules are applied via a custom rules file located at

/etc/opt/sec_mgmt/bastille/ipf.customrules

3. HP-UX Host IDS is a selectable software bundle and only available for commercial

servers

Table 3-3 Host-based Sec10Host Install-time Security Settings

(Continued)

Category Actions