User's Manual

Actions
Adds a summary description of HP security and services to the TODO.txt
file for user reference.
HP_UX.restrict_swacls
Headline
Restrict remote access to swlist.
Default N
Description
The swagentd daemon allows remote access to list and install software on
your system. This feature is convenient for remote administration, and Security
Patch Check can use it to query remote machines. It can also be a security
risk, because patch and other critical system information is available to anyone
inside that system's firewall. HP recommends that you disallow the default
remote read access that swagentd provides.
Actions
If the swagentd daemon is running, use swacl to remove remote read access:
swacl -l host -D any_other
swacl -l root -D any_other
Otherwise, an item is created in the TODO.txt file to remind you to run HP-UX
Bastille again when the daemon is up.
HP_UX.scan_ports
Headline
Provide instructions in your TODO.txt file on how to run a port scan.
Default N
Description
One of the final steps in a lockdown is to verify that only the services you need
are still running. Several tools do this, including netstat, which is included
with HP-UX, and lsof (List Open Files), which is a free downloadable tool.
The lsof tool provides information about all the processes running on your
system. If there are processes running that you don't recognize, take this
opportunity to do some research and learn about them.
IMPORTANT: Manual action required to complete this configuration. See
the TODO.txt file for details.
Actions
Provide instructions in your TODO.txt file on how to run a port scan.
HP_UX.screensaver_timeout
Headline
Set the GUI screen-saver timeout to 10 minutes.
Default N
Description
The GUI login screen-saver timeout varies from 10 to 30 minutes depending
on the HP-UX version. This item ensures the value is set at a consistent 10
minutes. Setting a short timeout ensures that extended absences don't leave
a console unnecessarily open.
Actions
For all sys.resources files in /usr/dt/config/* directories, modify the
matching /etc/dt/config/*/sys.resources file by adding the following
lines:
dtsession*saverTimeout: 10
dtsession*lockTimeout: 10
Create the matching /etc/dt/config/*/sys.resources files if not
present.
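One way to carry out the action above by hand, as an added example that is not HP-UX Bastille's own code: it replaces any existing values instead of appending duplicates and creates missing /etc/dt/config/*/sys.resources files. The function names and the root-prefix argument are assumptions introduced for illustration; pass an empty string to act on the live filesystem.

```sh
#!/bin/sh
# Added example, not part of HP-UX Bastille. The two resource names and the
# value 10 come from the manual text; everything else is illustrative.
TIMEOUT_MIN=10

# set_resource FILE KEY VALUE
# Drop any line that already starts with "KEY:" and append "KEY: VALUE",
# so repeated runs leave exactly one line per resource.
set_resource() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key:" 'index($0, k) != 1 { print }' "$file" > "$tmp" || return 1
    printf '%s: %s\n' "$key" "$value" >> "$tmp"
    # Write back through the original file to keep its owner and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# apply_saver_timeout ROOT
# For every ROOT/usr/dt/config/*/sys.resources, update (or create) the
# matching ROOT/etc/dt/config/*/sys.resources. Prints the number of files set.
apply_saver_timeout() {
    root=$1
    changed=0
    for src in "$root"/usr/dt/config/*/sys.resources; do
        [ -f "$src" ] || continue          # glob matched nothing
        locale=$(basename "$(dirname "$src")")
        dst_dir="$root/etc/dt/config/$locale"
        dst="$dst_dir/sys.resources"
        mkdir -p "$dst_dir" || return 1
        [ -f "$dst" ] || : > "$dst" || return 1
        set_resource "$dst" 'dtsession*saverTimeout' "$TIMEOUT_MIN" || return 1
        set_resource "$dst" 'dtsession*lockTimeout' "$TIMEOUT_MIN" || return 1
        changed=$((changed + 1))
    done
    echo "$changed"
}
```

Calling apply_saver_timeout "" as root applies the settings system-wide; other lines already present in the /etc/dt/config files are left untouched.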
HP_UX.stack_execute
Headline
Enable kernel-based stack-execute protection.