User's Manual
Default N
Description HP-UX Bastille can restrict root from logging in to a tty over the network. This
forces administrators to log in first as a non-root user, then su to become root.
Root logins are still permitted on the console and through services that do not
use ttys, such as HP-UX Secure Shell.
Actions
Create or replace the file /etc/securetty with the single entry console.
AccountSecurity.crontabs_file
Headline
Ensure the crontab files are only accessible by root.
Default Y
Description Because a variety of administrators, scripts, and users edit crontab files,
these files sometimes have incorrect permissions. HP-UX Bastille ensures
these files can only be read and changed by the root user. Perform this task
to ensure these files can only be read and written by root, with the crontab
command.
Actions Change ownership and permissions for all crontab files permitting access only
to root.
AccountSecurity.cronuser
Headline
Restrict the use of cron to administrative accounts.
Default N
Description
The cron function allows you to schedule jobs to run automatically at a certain
time, possibly recurring. Administrators can use cron to check the system
logs every night at midnight or confirm file integrity every hour. However,
executing jobs later or automatically represents a privilege that can be abused
and makes actions slightly harder to track.
Actions
Delete the file cron.deny
Create or replace the file cron.allow with a single entry for user root
Set permissions to 0400
Change ownership to root:sys
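The following audit is an added example, not part of the HP-UX Bastille manual or tool. It verifies the end state of the cronuser actions above and of the single-entry /etc/securetty file described earlier. The directory holding cron.allow and cron.deny is an assumption supplied by the caller, because the manual does not name it, and the function names are hypothetical.

```shell
#!/bin/sh
# Audit the end state of the cronuser and securetty actions (added example).
# Assumption: the caller passes the directory holding cron.allow/cron.deny;
# the manual does not name it. Owner and group default to root:sys.

# single_entry FILE WANT: true only if FILE's non-blank lines are exactly WANT.
single_entry() {
    [ -f "$1" ] || return 1
    got=$(sed -e 's/[[:space:]]*$//' -e '/^$/d' "$1")
    [ "$got" = "$2" ]
}

# audit_cron DIR [OWNER] [GROUP]: print findings; return the failure count.
audit_cron() {
    dir=$1; owner=${2:-root}; group=${3:-sys}; fails=0
    if [ -e "$dir/cron.deny" ]; then
        echo "FAIL: $dir/cron.deny still exists"; fails=$((fails + 1))
    fi
    if ! single_entry "$dir/cron.allow" root; then
        echo "FAIL: $dir/cron.allow is missing or is not the single entry root"
        fails=$((fails + 1))
    else
        # Parse ls -ld output; a stat command is not available on every system.
        set -- $(ls -ld "$dir/cron.allow")
        mode=$(printf '%s' "$1" | cut -c1-10)   # drop any ACL marker suffix
        if [ "$mode" != "-r--------" ]; then
            echo "FAIL: mode is $mode, want -r-------- (0400)"; fails=$((fails + 1))
        fi
        if [ "$3:$4" != "$owner:$group" ]; then
            echo "FAIL: owner is $3:$4, want $owner:$group"; fails=$((fails + 1))
        fi
    fi
    [ "$fails" -eq 0 ] && echo "OK: cron is restricted to root"
    return "$fails"
}

# audit_securetty FILE: the file must hold the single entry "console".
audit_securetty() {
    if single_entry "$1" console; then
        echo "OK: $1 permits root logins on the console only"
    else
        echo "FAIL: $1 is missing or is not the single entry console"; return 1
    fi
}
```

On a live system, call audit_securetty with /etc/securetty and audit_cron with the system's cron directory; a nonzero return from audit_cron is the number of deviations found.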
AccountSecurity.gui_login
Headline Disable the local graphical login.
Default Y
Description Most servers do not have a graphics console directly attached, and do not run
a graphics login. Disabling this feature reduces targets for hackers and saves
system resources for systems that do not have a graphics console.
Actions
In the /etc/rc.config.d/xfs file, set RUN_X_FONT_SERVER=0.
In the /etc/rc.config.d/audio file, set AUDIO_SERVER=0.
In the /etc/rc.config.d/slsd file, set SLSD_DAEMON=0.
In the /etc/rc.config.d/desktop file, set DESKTOP=0.
Terminate the following daemon processes if running: xfs, Aserver, SLSd,
dtlogin, dtrc.
AccountSecurity.hidepasswords
Headline Hide the encrypted passwords on this system.
Default N