PCI-DSS Compliance for an HP-UX Host

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Sub Req#   Requirement                                    Products
2.1        Changing vendor-supplied defaults              Change passwords of default UIDs of HP-UX and other products.
2.2        Configuration standards                        Configure HP-UX Bastille
2.3        Encrypt non-console administrative access      Use “HP-UX Secure Shell”, disable insecure protocols
2.4        Shared hosting providers to protect hosting    Not in scope
           environment and cardholder data
2.1 Change vendor supplied defaults
Most devices ship with some kind of default login and password. It is good practice to change those default
account passwords, or to remove the default accounts entirely, so that they cannot be used as backdoors by
malicious users.
HP-UX ships with a default root account. In a fresh HP-UX installation the root login may have no password at all;
one must be assigned before the system is connected to the network.
Some products on HP-UX, such as AAA, ship with default user accounts and passwords. HP recommends that such
accounts be identified and deleted. Where complete removal of an account is not possible, its password must be
changed.
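The following audit script is an added example for this requirement, not part of the original HP document. It checks a passwd(4)-format file for the three things 2.1 is concerned with: accounts with an empty password field, extra UID 0 accounts besides root, and accounts from a list of known product default logins. The sample file and the default-login list are constructed for illustration. It assumes the classic non-shadowed /etc/passwd layout; on an HP-UX system converted to shadow passwords or running as a trusted system the password field holds "x" or "*" and the empty-password check must be run against /etc/shadow or the /tcb database instead.

```shell
#!/bin/sh
# Audit a passwd(4)-format file for PCI-DSS 2.1 findings:
#   EMPTY_PASSWORD  - password field is empty (login without a password)
#   EXTRA_UID0      - a UID 0 account other than root
#   VENDOR_DEFAULT  - a known product default login still present
# Assumption: non-shadowed /etc/passwd; for shadow or trusted-system
# hosts the empty-password check belongs on /etc/shadow or /tcb.

# Constructed sample file; not copied from any real system.
SAMPLE=${TMPDIR:-/tmp}/passwd.sample.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root::0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
adm:*:4:4::/var/adm:/sbin/sh
www:*:30:1::/:
hpdb:*:27:1:ALLBASE:/:/sbin/sh
operator:5Kj0wPq..:0:3::/:/sbin/sh
appdef:Hn1sdf..:205:20:Product default:/home/appdef:/sbin/sh
ops:xyzabc:206:20::/home/ops:/sbin/sh
EOF

# Hypothetical list of default logins for products installed on this host.
# Replace with the defaults documented for your own products.
DEFAULT_LOGINS="appdef hpdb"

# Print "EMPTY_PASSWORD <user>" for every account with an empty password field.
find_empty_passwords() {
    awk -F: '$2 == "" { print "EMPTY_PASSWORD", $1 }' "$1"
    return 0
}

# Print "EXTRA_UID0 <user>" for every UID 0 account that is not root.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print "EXTRA_UID0", $1 }' "$1"
    return 0
}

# Print "VENDOR_DEFAULT <user>" for each listed default login that still exists.
# Usage: find_vendor_defaults <passwd-file> <login> [<login> ...]
find_vendor_defaults() {
    file=$1; shift
    for u in "$@"; do
        awk -F: -v u="$u" '$1 == u { print "VENDOR_DEFAULT", $1 }' "$file"
    done
    return 0
}

# Run all three checks; one finding per line.
audit_passwd() {
    find_empty_passwords "$1"
    find_extra_uid0 "$1"
    find_vendor_defaults "$1" $DEFAULT_LOGINS
    return 0
}

audit_passwd "$SAMPLE"
```

Every finding needs a decision rather than an automatic fix: set a password (passwd root) for the accounts that must stay, and remove (userdel) or lock the product defaults that are not needed; check passwd(1) on your HP-UX release for the lock option it supports. Keep the list of product default logins under configuration control so the audit can be re-run after each product installation.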
2.2 Develop configuration standards for all system components
System configurations vary greatly across installations and environments, so any configuration standard that
addresses system security must be tailored to the needs of that particular environment. This requirement mandates
that anyone seeking PCI-DSS compliance draw up such a standard and implement it across their environment. This
section gives a few rules of thumb that can help.
2.2.1 One primary function per server
The PCI-DSS standard advocates that each machine, virtual machine, or container have only one primary function.
For example, if a machine is designated as an authentication gateway, it must not be assigned any other major
role in the network. This keeps functions with different security needs off the same host, isolates faults, and
makes problems easier to resolve.
2.2.2 Enable only necessary and secure services, protocols and daemons
UNIX platforms commonly run a variety of insecure services such as telnet, rlogin, and ftp, which carry logins,
passwords, and data across the network in cleartext. Newer protocols and services such as ssh and secure file
transfer (sftp, scp) are designed to be more secure and must be preferred over the insecure ones.
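As an added example of the service review this section calls for (not code from the HP document), the script below reads an inetd.conf-format file, lists which services are still enabled, flags the cleartext ones, and writes a copy with those entries commented out. The sample inetd.conf and the list of service names treated as insecure are constructed for illustration from the protocols named above (telnet, the rlogin/remsh family, ftp and tftp); extend the list to match your own standard.

```shell
#!/bin/sh
# Review an inetd.conf-format file for PCI-DSS 2.2.2:
#   enabled_services   - names of all uncommented entries
#   insecure_enabled   - the subset on the INSECURE list
#   harden_inetd_conf  - copy of the file with insecure entries commented out
# The sample below is constructed, not taken from a real host.

SAMPLE=${TMPDIR:-/tmp}/inetd.conf.sample.$$
trap 'rm -f "$SAMPLE" "$SAMPLE.hardened"' EXIT
cat > "$SAMPLE" <<'EOF'
## Constructed example in HP-UX /etc/inetd.conf layout
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
login   stream tcp nowait root /usr/lbin/rlogind rlogind
shell   stream tcp nowait root /usr/lbin/remshd  remshd
#exec   stream tcp nowait root /usr/lbin/rexecd  rexecd
#tftp   dgram  udp wait   root /usr/lbin/tftpd   tftpd
ntalk   dgram  udp wait   root /usr/lbin/ntalkd  ntalkd
EOF

# Service names considered insecure here (assumption: cleartext or legacy
# remote-access protocols). Adjust to your configuration standard.
INSECURE="ftp telnet login shell exec tftp finger uucp"

# Print the service name of every enabled (uncommented, non-blank) entry.
enabled_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
    return 0
}

# Print the enabled services that appear on the INSECURE list.
insecure_enabled() {
    for s in $(enabled_services "$1"); do
        for i in $INSECURE; do
            [ "$s" = "$i" ] && echo "$s"
        done
    done
    return 0
}

# Write a copy of <in> to <out> with INSECURE entries commented out.
# Usage: harden_inetd_conf <in> <out>
harden_inetd_conf() {
    awk -v list="$INSECURE" '
        BEGIN { n = split(list, a, " "); for (k = 1; k <= n; k++) bad[a[k]] = 1 }
        !/^[ \t]*#/ && NF > 0 && ($1 in bad) { print "#" $0; next }
        { print }
    ' "$1" > "$2"
    return 0
}

echo "Enabled services:";  enabled_services "$SAMPLE"
echo "Insecure services:"; insecure_enabled "$SAMPLE"
harden_inetd_conf "$SAMPLE" "$SAMPLE.hardened"
echo "Still enabled after hardening:"; enabled_services "$SAMPLE.hardened"
```

Review the hardened copy before installing it as /etc/inetd.conf, then make inetd reread its configuration (inetd -c on HP-UX) and confirm with netstat that the ports are no longer listening. The replacements are the HP-UX Secure Shell tools: ssh in place of telnet and rlogin, sftp or scp in place of ftp.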
HP-UX provides a system hardening tool called “Bastille” to automate common system lockdown procedures.
HP-UX Bastille hardens a system by changing common security parameters to more secure values, configuring
security services, and removing unnecessary or insecure services and protocols.
For a list of Bastille questions and answers that can be used as a starting point, see Appendix A. That list may
not be complete for every environment; the reader must answer the additional questions that their own environment
requires.
For more information about HP-UX Bastille Support Manuals, see Appendix A.