HP-UX 11i v3 Installation and Update Guide, March 2009 (Update 4 Release)
[1] Security settings listed here also apply to Sec20MngDMZ and Sec30DMZ
[2] Manual action may be required to complete configuration. Refer to /etc/opt/sec_mgmt/bastille/TODO.txt for more information, after install or update.
[3] The following ndd changes will be made:
    ip_forward_directed_broadcasts=0
    ip_forward_src_routed=0
    ip_forwarding=0
    ip_ire_gw_probe=0
    ip_pmtu_strategy=1
    ip_respond_to_echo_broadcast=0
    ip_send_redirects=0
    ip_send_source_quench=0
    tcp_conn_request_max=4096
    tcp_syn_rcvd_max=1000
    arp_cleanup_interval=60000
    ip_respond_to_timestamp=0
    ip_respond_to_timestamp_broadcast=0
    tcp_isn_passphrase=<set>
[4] Settings applied only if software is installed
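After an install or update it is worth confirming that the ndd tunables listed in footnote 3 actually took effect on the running system, since a post-install check catches a setting that was reverted by a later rc script or manual change. The script below is an added example, not part of the HP-UX guide or of the Bastille tooling it describes. It assumes that HP-UX `ndd -get <device> <tunable>` prints the current value on one line and that tunables are read from /dev/ip, /dev/tcp or /dev/arp according to their name prefix; tcp_isn_passphrase is deliberately left out because the guide only records that it is set, not a value to compare against.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): audit the running ndd values
# against the hardening list in footnote 3 of Table 3-3.
#
# Assumptions: `ndd -get <device> <tunable>` prints the value on one line,
# and ip_*, tcp_* and arp_* tunables live on /dev/ip, /dev/tcp and /dev/arp.
# tcp_isn_passphrase is not audited: the guide only says it is set.

# Expected values, copied from the guide. Format: "<tunable> <expected>"
EXPECTED_NDD='
ip_forward_directed_broadcasts 0
ip_forward_src_routed 0
ip_forwarding 0
ip_ire_gw_probe 0
ip_pmtu_strategy 1
ip_respond_to_echo_broadcast 0
ip_send_redirects 0
ip_send_source_quench 0
tcp_conn_request_max 4096
tcp_syn_rcvd_max 1000
arp_cleanup_interval 60000
ip_respond_to_timestamp 0
ip_respond_to_timestamp_broadcast 0
'

# Map a tunable name to the ndd device node it is read from.
device_for() {
    case "$1" in
        ip_*)  echo /dev/ip ;;
        tcp_*) echo /dev/tcp ;;
        arp_*) echo /dev/arp ;;
        *)     echo "unknown device for tunable: $1" >&2; return 1 ;;
    esac
}

# Pure comparison: prints one PASS/FAIL line, returns 0 on match, 1 otherwise.
judge_setting() {
    name=$1; expected=$2; actual=$3
    if [ "$actual" = "$expected" ]; then
        echo "PASS $name=$actual"
        return 0
    fi
    echo "FAIL $name=$actual (expected $expected)"
    return 1
}

# Query every tunable and report; returns the number of mismatches (0 = clean).
# A here-document is used instead of a pipe so the counter survives the loop.
audit_ndd() {
    failures=0
    while read -r name expected; do
        [ -z "$name" ] && continue          # skip blank lines in the list
        dev=$(device_for "$name") || { failures=$((failures + 1)); continue; }
        # A tunable that ndd cannot read is reported as a failure, not skipped.
        actual=$(ndd -get "$dev" "$name" 2>/dev/null) || actual="<unreadable>"
        judge_setting "$name" "$expected" "$actual" || failures=$((failures + 1))
    done <<EOF
$EXPECTED_NDD
EOF
    return "$failures"
}

# When executed on a host that has ndd, run the audit; the script's exit
# status is then the mismatch count, so it can gate a post-install check.
if command -v ndd >/dev/null 2>&1; then
    audit_ndd
fi
```

Run it as root on the installed system; it only reads values and changes nothing. A non-zero exit status is the number of tunables that differ from the table, and the FAIL lines name them, which is what you want when the script is wired into an acceptance check rather than read by a person.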
Table 3-4 Additional Sec20MngDMZ Install-time Security Settings [1]

Category                    Actions
inetd Services              Includes all disabled inetd services in Table 3-3 and:
                            Deactivate ftp
                            Deactivate telnet
                            Restrict syslog daemon to local connections
IPFilter Configuration [2]  Block incoming DNS query connections
                            Block incoming HIDS administration connections [3,4]
                            Configure IPFilter to allow outbound traffic, block incoming traffic with IP options set, and block all other traffic except for HP-UX Secure Shell, HIDS agent, WBEM, web admin, web admin autostart [5] and ICMP echo
Other Settings              Disable printing

[1] Applies all security configuration settings in Table 3-3
[2] Additional IPFilter rules may be applied via a custom rules file located at /etc/opt/sec_mgmt/bastille/ipf.customrules
[3] HP-UX Host IDS is a selectable software bundle and only available for commercial servers
[4] Settings applied only if software is installed
[5] Manual action may be required to complete configuration. Refer to /var/opt/sec_mgmt/bastille/TODO.txt for more information, after install or update.
44 Choosing an Installation Method