PCI-DSS Compliance for an HP-UX Host

Requirement 12: Maintain a policy that addresses information security for all personnel
This requirement is not in the purview of this document.
Appendix A
HP-UX IPFilter
HP-UX IPFilter can be used to explicitly permit or deny a packet from passing through a system based on the
following characteristics:
- IP address or a range of IP addresses
- IP protocol (ICMP/ICMPv6/TCP/UDP)
- IP fragments or IP options
- IP security classes
- TCP/UDP port number
- ICMP message type
- Network interface (NIC) the packet arrives on or leaves by
HP-UX IPFilter also supports Network Address Translation (NAT), which enables an intermediate HP-UX system to map or
translate IP addresses and TCP or UDP ports.
HP-UX IPFilter uses the following two files for configuration.
1) HP-UX IPFilter Rules
The HP-UX IPFilter rules file is named /etc/opt/ipf/ipf.conf.
HP-UX IPFilter provides example configuration files. These can be found in the /opt/ipf/examples directory. These
example files contain useful rules that can be copied into the /etc/opt/ipf/ipf.conf file.
By configuring these rules properly, you can restrict inbound and outbound traffic to that which is necessary for the
cardholder data environment.
HP-UX IPFilter allows only the root user to modify or edit the rules file.
2) HP-UX IPFilter Configuration File
The ipfconf file determines HP-UX IPFilter’s startup configuration and the location of the rules file.
These rule configurations must be reviewed on a regular basis (at least once in 6 months). This can be achieved
using HP-UX Bastille.
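To make the rules file and the periodic review concrete, the following is an added example; it is not part of HP's paper and not HP's IPFilter or Bastille tooling. It contains a small default-deny ruleset of the kind that belongs in /etc/opt/ipf/ipf.conf on a cardholder-data host, and a POSIX shell check a reviewer can run at each review. The interface name lan0, the administrative subnet 192.0.2.0/24 and the application port 8443 are assumptions, as is the optional expected-owner argument, which exists only so the check can be tried as a non-root user on a copy of the file.

```shell
#!/bin/sh
# Added example; not part of the HP paper and not HP's tooling.
#   sample_cde_rules  - a minimal default-deny ruleset for /etc/opt/ipf/ipf.conf
#   review_ipf_rules  - a check to run at each periodic rules review
# Assumptions (not from the paper): NIC is lan0, admin subnet is 192.0.2.0/24,
# the only application port is 8443. The second argument of review_ipf_rules
# (expected owner, default root) lets the check run as a non-root user on a copy.

sample_cde_rules() {
    cat <<'EOF'
# Default deny in both directions; dropped packets are logged for ipmon.
# IPFilter applies the LAST matching rule unless a rule says "quick", so the
# catch-all blocks come first and every allow below is marked quick.
block in log all
block out log all
# Loopback is unrestricted
pass in quick on lo0 all
pass out quick on lo0 all
# Packets carrying IP options or short fragments are dropped outright
block in quick on lan0 all with ipopts
block in quick on lan0 all with short
# Administrative SSH only from the admin subnet, stateful
pass in quick on lan0 proto tcp from 192.0.2.0/24 to any port = 22 flags S keep state
# The single application port the CDE needs
pass in quick on lan0 proto tcp from any to any port = 8443 flags S keep state
# Outbound: connections this host initiates, plus DNS, tracked by state
pass out quick on lan0 proto tcp from any to any flags S keep state
pass out quick on lan0 proto udp from any to any port = 53 keep state
EOF
}

# review_ipf_rules [rules-file] [expected-owner]
# Exit status: 0 no findings, 1..n number of findings, 100 file missing.
review_ipf_rules() {
    f="${1:-/etc/opt/ipf/ipf.conf}"
    want_owner="${2:-root}"
    findings=0

    if [ ! -f "$f" ]; then
        echo "FAIL: rules file $f not found"
        return 100
    fi

    # 1. Only root may edit the rules: check owner and the group/world write bits.
    #    ls -l is used because HP-UX has no GNU stat.
    perms=$(ls -l "$f" | awk '{print $1}')
    owner=$(ls -l "$f" | awk '{print $3}')
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $f is owned by $owner, expected $want_owner"
        findings=$((findings + 1))
    fi
    case "$perms" in
        ?????w*|????????w*)
            echo "FAIL: $f is group- or world-writable ($perms)"
            findings=$((findings + 1)) ;;
    esac

    # 2. A default-deny rule must exist for each direction.
    for dir in in out; do
        if ! grep -Eq "^[[:space:]]*block[[:space:]]+$dir([[:space:]]+log)?[[:space:]]+all" "$f"; then
            echo "FAIL: no default 'block $dir all' rule in $f"
            findings=$((findings + 1))
        fi
    done

    # 3. Every inbound allow is listed so the reviewer re-justifies it for the CDE.
    echo "Inbound pass rules in $f to re-justify:"
    grep -E '^[[:space:]]*pass[[:space:]]+in' "$f" | sed 's/^/    /'

    return "$findings"
}

# Usage: sh review.sh [rules-file] [expected-owner]
# With no arguments the script only defines the functions.
if [ $# -gt 0 ]; then
    review_ipf_rules "$@"
fi
```

The check needs no IPFilter binaries, so it can run from cron or on a copied file; on the live host the reviewer should also compare the file against the rules actually loaded (standard IPFilter reports them with `ipfstat -io`, and `ipf -Fa -f /etc/opt/ipf/ipf.conf` flushes and reloads the file). The ordering in the sample matters: because IPFilter honours the last matching rule unless `quick` is present, an allow added at the end of the file without `quick` silently overrides nothing, while a block added at the end overrides every earlier allow.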
HP-UX provides a system hardening tool called “Bastille” to automate common system lockdown procedures.
HP-UX Bastille hardens a system by changing common security parameters to more secure values and removing
unnecessary services and protocols. It ships by default with the HP-UX operating system with a set of modules,
including one for IPFilter.
This tool can be used to configure the IPFilter firewall rules, for example to remove insecure protocols or block traffic
from a particular subnet or IP address. For a list of questions and answers that can be configured as a starting point for
IPFilter, see the HP-UX IPFilter User Guide. The list might not be complete for all environments, and the reader might need to
answer additional questions relating to their environment's requirements.
For more information about HP-UX IPFilter, see HP-UX IPFilter User Guide.
HP-UX Bastille
The following table contains a list of questions posed by HP-UX Bastille to the user and their recommended
answers.
Module          | Label        | Question                                                                          | Y/N/ANS
AccountSecurity | Protectrhost | Should Bastille disable clear-text r-protocols that use IP-based authentication?  | YES
AccountSecurity | Passwdage    | Would you like to enforce password aging?                                         |
AccountSecurity | Cronuser     | Would you like to restrict the use of cron to administrative accounts?            | YES