User's Manual
Description The simple network management protocol (SNMP) aids in the management
of machines over the network. This can be a powerful method of monitoring
and administering a set of networked machines. If you use network
management software to maintain the computers on your network, you should
audit the way in which SNMP is used by that software.
• Use SNMPv3 wherever possible.
• Set restrictive access control lists.
• Block SNMP traffic at your firewall.
• Disable the SNMP daemons.
The average home user or standalone server has no reason to run these
daemons. Depending on their default configuration, these daemons could be
a major security risk. However, if configured correctly and used in conjunction
with management software, these daemons can dramatically improve
accessibility and response time to problems when they occur. If SNMP is disabled,
network management software that relies on it, such as HP OpenView,
does not work.
Actions
If the snmpdm process is running, stop it.
Set SNMP_HPUNIX_START=0 in /etc/rc.config.d/Hpunix.
Set SNMP_MASTER_START=0 in /etc/rc.config.d/Master.
Set SNMP_MIB2_START=0 in /etc/rc.config.d/Master.
Set SNMP_TRAPDEST_START=0 in /etc/rc.config.d/TrpDst.
MiscellaneousDaemons.syslog_localonly
Headline Restrict the system logging daemon to local connections.
Default N
Description
The system logging daemon syslogd listens on network ports to support
remote logging facilities. Remote logging can be helpful for security reasons
because if an attacker gains access to a single machine, he can probably modify
or delete the logs on that machine. Storing the logs on another machine can
help with forensics and incident response, even if the logs have been tampered
with on the local machine.
Actions
Add the -N flag to the SYSLOGD_OPTS= parameter line in /etc/rc.config.d/syslogd.
MiscellaneousDaemons.xaccess
Headline Disallow remote X logins.
Default N
Description XDMCP is an unencrypted protocol that allows remote connections to an X
server. This protocol is commonly used by dumb graphics terminals and
PC-based X-emulation software to bring up a remote login and desktop.
Actions
If the /etc/dt/config/Xconfig file does not exist, create it from /usr/dt/config/Xconfig.
Append the Dtlogin.requestPort:0 line to the /etc/dt/config/Xconfig file.
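The following audit script is an added example, not part of the Bastille manual or its tooling: it checks the three settings above (the four SNMP start variables, the -N flag in SYSLOGD_OPTS, and the Dtlogin.requestPort:0 line) and reports which still need action. The file and variable names are taken from the manual; the sample configuration files it creates in a temporary directory are constructed so that it runs offline, and the directory argument is an assumption added so the checks can be pointed at a copy of the real files.

```shell
#!/bin/sh
# Added audit helper, not part of the Bastille manual: checks the three
# settings described above. File and variable names come from the manual;
# the sample files at the bottom are constructed so the script runs offline.
# Print the value of the last uncommented VAR=value line ($1 file, $2 var).
rc_var_value() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | tail -1 | tr -d '"'
}

# Return 0 when all four SNMP start variables are 0; report each one.
# $1 = rc.config.d directory (default /etc/rc.config.d).
check_snmp_disabled() {
    dir=${1:-/etc/rc.config.d}; fail=0
    for pair in Hpunix:SNMP_HPUNIX_START Master:SNMP_MASTER_START \
                Master:SNMP_MIB2_START TrpDst:SNMP_TRAPDEST_START; do
        f=${pair%%:*}; v=${pair#*:}; val=$(rc_var_value "$dir/$f" "$v")
        case "$val" in
            0)  echo "ok    $v=0 ($f)" ;;
            "") echo "FAIL  $v unset in $f, cannot confirm daemon is off"; fail=1 ;;
            *)  echo "FAIL  $v=$val ($f), daemon still starts at boot"; fail=1 ;;
        esac
    done
    return $fail
}

# Return 0 when SYSLOGD_OPTS in file $1 carries -N (local connections only).
check_syslog_localonly() {
    opts=$(sed -n 's/^[[:space:]]*SYSLOGD_OPTS=//p' "$1" | tail -1 | tr -d '"')
    case " $opts " in *" -N "*) return 0 ;; *) return 1 ;; esac
}

# Return 0 when Xconfig ($1) has an uncommented "Dtlogin.requestPort: 0" line
# (whitespace after the colon is optional; "!" lines are X resource comments).
check_xdmcp_disabled() {
    grep -E '^[[:space:]]*Dtlogin\.requestPort:[[:space:]]*0[[:space:]]*$' "$1" >/dev/null
}

# Constructed sample files standing in for the real HP-UX configuration.
tmp=$(mktemp -d)
printf 'SNMP_HPUNIX_START=1\n' > "$tmp/Hpunix"
printf '# SNMP_MASTER_START=1\nSNMP_MASTER_START=0\nSNMP_MIB2_START=0\n' > "$tmp/Master"
printf 'SNMP_TRAPDEST_START=0\n' > "$tmp/TrpDst"
printf 'SYSLOGD_OPTS="-D -N"\n' > "$tmp/syslogd"
printf '! Dtlogin.requestPort: 177\nDtlogin.requestPort: 0\n' > "$tmp/Xconfig"

if check_snmp_disabled "$tmp"; then echo "snmp: disabled"; else echo "snmp: needs action"; fi
check_syslog_localonly "$tmp/syslogd" && echo "syslogd: local only"
check_xdmcp_disabled "$tmp/Xconfig" && echo "xdmcp: disabled"
```

Run against a copy of /etc/rc.config.d and /etc/dt/config to see which of the manual's actions remain undone; a commented-out assignment is ignored, so only the effective last value counts.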
other_boot_serv
Headline Deactivate uncommon legacy boot services.
Default Y
Description
The services mrouted, rwhod, ddfs, rarpd, rdpd, and snaplus2 are not
usually used on standalone or specific-purpose servers. These services are