Choosing a Migration Path
Install-time Security Considerations
Chapter 2 47
Other Settings
Deactivate HP Apache 2.x Web Server
d
Set up cron job to Security Patch Check
b
a. Security settings listed here also apply to Sec20MngDMZ and Sec30DMZ
b. Manual action may be required to complete configuration. See
/etc/opt/sec_mgmt/bastille/TODO for more information, after install or
update.
c. The following ndd changes will be made:
ip_forward_directed_broadcasts=0
ip_forward_src_routed=0
ip_forwarding=0
ip_ire_gw_probe=0
ip_pmtu_strategy=1
ip_send_source_quench=0
tcp_conn_request_max=4096
tcp_syn_rcvd_max=1000
d. Settings only applied if software is installed
Table 2-4 Additional Sec20MngDMZ Install-time Security Settings
a
Category Actions
inetd Services Includes all disabled inetd services in Table 2-3
and:
Deactivate ftp
Deactivate telnet
IPFilter
Configuration
b
Block incoming DNS query connections
Block incoming HIDS administration connections
c,d
Configure IPFilter to allow outbound traffic, block
incoming traffic with IP options set, and all other traffic
except for HP-UX Secure Shell, HIDS agent, WBEM,
web admin and web admin autostart.
e
a. Applies all security configuration settings in Table 2-3
b. IPFilter rules are applied via a custom rules file located at
/etc/opt/sec_mgmt/bastille/ipf.customrules
c. HP-UX Host IDS is a selectable software bundle and only available for commercial
servers
d. Settings only applied if software is installed
Table 2-3 Host-based Sec10Host Install-time Security Settings
a
(Continued)
Category Actions