User's Manual
SecureInetd.deactivate_recserv
Headline
Ensure the inetd recserv service does not run on this system.
Default N
Description
HP SharedX Receiver Service receives shared windows from another machine
in X without explicitly performing any xhost command. This service is
required for MPower remote windows. If you use MPower, leave this service
running on your system. The SharedX Receiver Service is an automated
wrapper around the xhost command. For more information about the xhost
command, see xhost(1). This service should be disabled unless shared windows
are viewed often on this machine. The xhost command is generally the more
secure solution because it makes all sharing of windows explicit.
Actions
In the /etc/inetd.conf file, comment out the entry for recserv.
SecureInetd.deactivate_rquotad
Headline
Ensure the inetd rquotad service does not run on this system.
Default Y
Description
The rquotad server is an RPC server that returns quotas for a user of a local
file system mounted remotely through NFS. This service should be disabled
if not using quotas with NFS.
Actions
In the /etc/inetd.conf file, comment out the entry for rpc.rquotad.
SecureInetd.deactivate_rtools
Headline
Ensure that the login, shell, and exec services do not run on this system.
Default N
Description
The login, shell, and exec services use the r-tools: rlogind, remshd, and
rexecd respectively, which use IP-based authentication. This form of
authentication can be easily defeated by forging packets that suggest the
connecting machine is a trusted host when in fact it may be an arbitrary
machine on the network. Administrators in the past have found these services
useful, but many are unaware of the security ramifications of leaving these
services enabled.
Actions
In the /etc/inetd.conf file, comment out the entries for login, shell,
and exec.
SecureInetd.deactivate_swat
Headline
Ensure the inetd swat service does not run on this system.
Default N
Description
The swat service allows a Samba administrator to configure Samba through
a web browser. The swat service allows administrators to view, change, and
effect the change through the web. The drawback from a security standpoint
comes from the authentication method used for the Samba administrator.
Clear-text passwords are passed through the network if a connection is initiated
from an outside source. This form of authentication is easily defeated and HP
recommends not running the swat service on this machine.
Actions
In the /etc/inetd.conf file, comment out the entry for swat.
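The Actions above all make the same edit to /etc/inetd.conf. The following script is an added example, not part of the manual or of the HP tool it describes: it lists which of those entries are still active and prints the file with them commented out. The function names, the sample file and its paths are constructed, and the RPC entry layout (service name rpc, server program in field 6) is an assumption.

```shell
#!/bin/sh
# Added example. Service names are the ones named in the Actions above.
SERVICES="recserv rpc.rquotad login shell exec swat"

# scan FILE MODE
#   MODE=list  print the matched name of every active (uncommented) entry
#   MODE=fix   print FILE with those entries commented out
# An entry matches on its service name (field 1) or, for RPC entries whose
# field 1 is just "rpc", on the basename of the server program (field 6).
scan() {
    awk -v list="$SERVICES" -v mode="$2" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { if (mode == "fix") print; next }
        {
            prog = $6; sub(/.*\//, "", prog)
            name = ($1 in want) ? $1 : ((prog in want) ? prog : "")
            if (mode == "list") { if (name != "") print name; next }
            pre = (name != "") ? "#" : ""
            print pre $0
        }' "$1"
}

# Constructed sample input; not taken from a real system.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
login   stream tcp nowait root /usr/lbin/rlogind rlogind
shell   stream tcp nowait root /usr/lbin/remshd  remshd
exec    stream tcp nowait root /usr/lbin/rexecd  rexecd
recserv stream tcp nowait root /usr/lbin/recserv recserv -display :0
rpc     dgram  udp wait   root /usr/sbin/rpc.rquotad 100011 1 rpc.rquotad
swat    stream tcp nowait root /usr/sbin/swat    swat
#telnet stream tcp nowait root /usr/lbin/telnetd telnetd
EOF
}

# Demo: audit the sample, then show the hardened version.
tmp=${TMPDIR:-/tmp}/inetd.conf.sample.$$
write_sample "$tmp"
echo "active entries to disable:"; scan "$tmp" list
echo "hardened file:";             scan "$tmp" fix
rm -f "$tmp"
```

Run it against a copy of the real file and review the output before replacing /etc/inetd.conf. On HP-UX, inetd rereads its configuration after inetd -c.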
SecureInetd.deactivate_telnet
Headline
Ensure that the telnet service does not run on this system.
Default N
Description
Telnet is not secure. Telnet is shipped on most operating systems for backward
compatibility. Do not use it in an untrusted network. Telnet is a clear-text