User's Manual
Default Y
Description
The bootpd daemon implements three functions: a DHCP server, an Internet
Boot Protocol (BOOTP) server, and a DHCP/BOOTP relay agent. If this system
is not a BOOTP/DHCP server or a DHCP/BOOTP relay agent, HP recommends
disabling this service.
Actions
Comment out the entry for bootp in the /etc/inetd.conf file.
SecureInetd.deactivate_builtin
Headline
Ensure that the inetd built-in services do not run on this system.
Default N
Description
The inetd built-in services include chargen, daytime, discard, and echo.
These services are rarely used, and when they are, it is generally for testing.
The UDP versions of these services can be used in a Denial of Service attack,
and therefore HP recommends disabling these services.
The daytime service sends the current date and time as a human-readable
character string (RFC 867). The discard service throws away anything that
is sent to it, similar to /dev/null (RFC 863). The chargen (character
generator) service sends a stream of some undefined data, preferably data in
some recognizable pattern (RFC 862). The echo service returns the packets sent
to it (RFC 862).
Actions
Comment out the entries for daytime, echo, discard, and chargen in the
/etc/inetd.conf file.
SecureInetd.deactivate_dttools
Headline
Ensure the inetd CDE helper services do not run on this system.
Default N
Description
The dtspcd, ttdbserver, and cmsd services are used by CDE. Each service
has merits, but they are all rarely used and mostly deprecated.
Actions
In the /etc/inetd.conf file, comment out the entries for:
• dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
• rpc xti tcp swait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver
• srpc dgram udp wait root /usr/dt/bin/rpc.cmsd 100068 2-5 rpc.cmsd
SecureInetd.deactivate_finger
Headline
Ensure the inetd finger service does not run on this system.
Default Y
Description
The server for the RFC 742 Name/Finger protocol is fingerd. It provides a
network interface to finger, which gives a status report of users currently
logged in to the system or a detailed report about a specific user. For more
information about the finger command, see finger(1). HP recommends disabling
the service because fingerd provides local system user information to remote
sources, and this can be useful to someone attempting to break into your system.
Actions
In the /etc/inetd.conf file, comment out the entry for finger.
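As an added example (not part of the HP manual or of Bastille itself), the shell function below checks an inetd.conf-format file for entries that are still active for the services named in the Actions above. The function names audit_inetd and make_sample and the sample file are constructed for illustration; the check matches the built-in services by service name and the others by server program name.

```shell
#!/bin/sh
# Added example: report inetd.conf entries that are still active (not
# commented out) for the services this page says to disable.

# audit_inetd FILE: print "service/protocol server-program" per active entry.
audit_inetd() {
    awk '
        $1 ~ /^#/ || NF < 6 { next }            # comments, blanks, short lines
        {
            n = split($6, part, "/")            # field 6 is the server path
            prog = part[n]                      # keep only its basename
            # Built-ins share the server "internal", so match them by name;
            # RPC entries share a service name, so match them by program.
            if ($1 ~ /^(daytime|echo|discard|chargen|dtspc|finger)$/ ||
                prog ~ /^(bootpd|dtspcd|rpc\.ttdbserver|rpc\.cmsd|fingerd)$/)
                print $1 "/" $3, prog
        }
    ' "$1"
}

# make_sample FILE: write a constructed inetd.conf (not from a real system;
# the bootpd, fingerd and telnetd paths are illustrative).
make_sample() {
    cat > "$1" <<'EOF'
#bootps  dgram  udp wait   root /usr/lbin/bootpd bootpd
daytime  stream tcp nowait root internal
#daytime dgram  udp wait   root internal
echo     dgram  udp wait   root internal
#finger  stream tcp nowait bin  /usr/lbin/fingerd fingerd
dtspc    stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
rpc      xti    tcp swait  root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver
telnet   stream tcp nowait root /usr/lbin/telnetd telnetd
EOF
}

sample="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
make_sample "$sample"
audit_inetd "$sample"     # lists the four entries still to be commented out
rm -f "$sample"
```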
SecureInetd.deactivate_ftp
Headline
Ensure that the inetd FTP service does not run on this system.
Default N
56 Question modules