User's Manual
which analyze the software installed on the system. HP-UX Bastille runs SWA
version C.01.01 or later. Otherwise, SPC is used to create a security-compliance
report. The security compliance report lists:
• Installed patches that have warnings (recalls) issued by HP.
• Security patches announced by HP that will fix installed software but
have not been applied.
• Currently installed patches not properly configured.
• Software that needs to be removed or updated to comply with a bulletin.
• Manual actions necessary to bring the server to bulletin compliance.
SWA and SPC can work through a proxy-type firewall to download current
catalogs from HP with security and patch-warning information. Bulletin
compliance requires vigilance. New vulnerabilities are found and fixed on a
regular basis. HP recommends running one of these tools frequently, such as
in a nightly cron job. (A separate question will cover this.) HP recommends
that you subscribe to the HP Security Bulletin mailing list.
NOTE: SPC uses the clear-text protocols FTP or HTTP if a link cannot be
established with HTTPS. The output of this tool is appended to the HP-UX
Bastille generated TODO.txt file so that you can apply the necessary patches.
IMPORTANT: Manual action required to complete this configuration. See
TODO.txt file for details.
Actions HP-UX Bastille runs SWA or SPC.
Printing.printing
Headline Disable printing.
Default N
Description If this machine does not print, stop the print scheduler and disable the
associated print daemon utilities. On Linux, this includes the restriction of the
daemon file permissions. On HP-UX, this includes the disablement of the
xprintserver and pd client services where applicable.
Actions
If running, stop the lpsched and pdclientd processes.
Set XPRINTSERVERS= in /etc/rc.config.d/tps.
Set LP=0 in /etc/rc.config.d/lp.
Set PD_CLIENT=0 in /etc/rc.config.d/pd.
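The three file settings in the Actions list above can be verified after the fact. The following is an added example, not part of the HP manual or of HP-UX Bastille: it reads each file and reports any value that differs from the one listed. The function names, the optional ROOT prefix, and the choice to treat a missing file as "not installed" are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the rc.config.d settings listed under Printing.printing.

# rc_value FILE VAR: print the value of the last assignment of VAR in FILE.
# These files are sourced as shell, so the last assignment wins.
# Returns 1 when FILE has no assignment of VAR.
rc_value() {
    line=$(grep -E "^[[:space:]]*(export[[:space:]]+)?$2=" "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    val=${line#*=}
    val=${val%%#*}    # drop a trailing comment
    printf '%s\n' "$val" |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# check_printing_disabled [ROOT]: ROOT is a hypothetical prefix for auditing a
# copied tree; empty means the live system. Returns 1 on any FAIL.
check_printing_disabled() {
    root=${1:-}
    rc=0
    # file:variable:expected, taken from the Actions list above
    for spec in "tps:XPRINTSERVERS:" "lp:LP:0" "pd:PD_CLIENT:0"; do
        file="$root/etc/rc.config.d/${spec%%:*}"
        rest=${spec#*:}
        var=${rest%%:*}
        want=${rest#*:}
        if [ ! -f "$file" ]; then
            # Assumption: a missing file means the subsystem is not installed.
            echo "SKIP $file: not present"
        elif ! got=$(rc_value "$file" "$var"); then
            echo "FAIL $file: $var is never assigned"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "FAIL $file: $var='$got', expected '$want'"
            rc=1
        else
            echo "OK   $file: $var='$got'"
        fi
    done
    return $rc
}
```

Source the file and call check_printing_disabled with no argument to audit the running system, or with a directory to audit a copy of /etc taken from another host.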
SecureInetd.banners
Headline Display "Authorized Use" messages at login time.
Default N
Description You can create "Authorized Use Only" messages for your site. These can be
helpful in prosecuting system crackers you catch trying to break into your
system. HP-UX Bastille makes default messages that you can edit. This is like
an "anti-welcome mat" for your system.
Actions
Create default login banner messages in the /etc/motd and /etc/issue
files.
Modify the entries for rlogind and telnetd in the /etc/inetd.conf file
to use /etc/issue banner.
SecureInetd.deactivate_bootp
Headline
Ensure that the inetd bootp service does not run on this system.