Manualshelf

HP-UX 11i v3 Installation and Update Guide, September 2007 (Update 1 Release)

ManualsBrandsHP ManualsSoftwareHP-UX 11i v3 Foundation OE
41424344454647484950
Secured Services and Protocols
Each security level provides incrementally higher security by locking down various
protocols and services. HP-UX Bastille uses a series of questions to determine which
services and protocols to secure. Using one of the security levels applies a default
security profile, simplifying the lockdown process.
The following tables detail the services and protocols affected by the security levels,
listed in Table 3-2 (page 41), if you choose to apply one at cold-install- or update-time:
Table 3-3 (page 46) lists the security settings for Sec10Host. These settings also
apply to Sec20MngDMZ and Sec30DMZ.
Table 3-4 (page 48) lists the security settings applied with Sec20MngDMZ, in addition
to the settings in Table 3-3.
Table 3-5 (page 48) lists the security settings applied with Sec30DMZ, in addition
to the settings in Table 3-3 and Table 3-4.
IMPORTANT: Review these tables carefully. Some of the locked down services and
protocols may be used by other applications, and may have adverse effects on the
behavior or functionality of these applications. For example, HP Systems Insight
Manager and ParMgr rely on WBEM to communicate between hosts; Sec30DMZ blocks
all incoming WBEM connections via IPFilter, though local and outbound communication
is not blocked. In addition, some third-party installation scripts may not correctly
handle the more conservative umask value of 027 set by the security levels.
You can change the security settings configured at cold-install- or update-time by
running HP-UX Bastille after installing or updating your system. For more information
about using HP-UX Bastille, refer to HP-UX System Administrator's Guide, or the HP-UX
Bastille User's Guide located on your system at: /opt/sec_mgmt/bastille/docs/
user_guide.txt
Table 3-3 Host-based Sec10Host Install-time Security Settings
1
ActionsCategory
Deny login unless home directory exists
Deny non-root logins if /etc/nologin file exists
Set a default path for su command
Disable root logins from network tty
Hide encrypted passwords
Disallow ftpd system account logins
Disable remote X logins
Logins and Passwords
Modify ndd settings
2,3
Restrict remote access to swlist
Set default umask
Enable kernel-based stack execute protection
File System, Network, and
Kernel
46 Choosing an Installation Method