HP UX Bastille User Manual page 45

Version b.3.3
Default
Y
Description
A common way to gain privileged access is to supply some type of
out-of-bounds input that a program does not check. Such input can overflow
the stack in a way that leaves cleverly written instructions in a location the
program will later execute. The HP-UX kernel is able to disallow execution of
instructions from the stack, which contains many attacks of this type and
makes them ineffective. Because the protection is applied at the kernel level,
it is independent of any application that may have a vulnerability of this
kind. It will break some applications that are designed to execute code from
the stack, for example Java 1.2 programs using JDK/JRE 1.2.2 versions older
than 1.2.2.06. However, you can run chatr +es <executable file> to override
the setting for individual broken programs.
Actions
Invokes kctune -K executable_stack=0 to disable stack execution.
HP_UX.tcp_isn
Headline
Make TCP ISN RFC 1948 compliant.
Default
N
Description
Random sequence numbers make TCP traffic difficult to spoof from off the
network. By setting the TCP stack to use RFC 1948-compliant sequence
numbers, you raise the difficulty of a successful off-network attack. This
setting does not prevent a "man in the middle" style attack, in which the
attacker has access to a network along the routing path between the two
communicating nodes. TCP does not offer protection for that case without
additional layers such as IPSec.
Actions
Make TCP ISN RFC 1948 compliant.
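The RFC 1948 scheme this setting enables, written out as an added illustration (not code from this manual or from the HP-UX TCP stack). It assumes MD5 as the keyed hash and a 4-microsecond clock, both of which are the examples the RFC gives; the manual does not say what HP-UX uses internally.

```python
import hashlib
import ipaddress
import os
import struct

MASK32 = 0xFFFFFFFF


def rfc1948_isn(local_ip, local_port, remote_ip, remote_port, secret, clock_us):
    """RFC 1948 initial sequence number for one connection 4-tuple:

        ISN = M + F(localhost, localport, remotehost, remoteport, secret)

    M is a counter that ticks once every 4 microseconds, so ISNs for a given
    4-tuple still advance monotonically over time (this preserves TCP's
    protection against old duplicate segments).  F is a keyed hash over the
    4-tuple; MD5 is used here only because it is the RFC's example
    (assumption: the manual does not name the hash HP-UX uses).  Because F
    depends on a secret the attacker cannot see, an off-path sender cannot
    derive the ISN of one connection from ISNs observed on others.
    """
    m = (clock_us // 4) & MASK32
    four_tuple = (
        ipaddress.ip_address(local_ip).packed
        + struct.pack("!H", local_port)
        + ipaddress.ip_address(remote_ip).packed
        + struct.pack("!H", remote_port)
    )
    digest = hashlib.md5(four_tuple + secret).digest()
    f = struct.unpack("!I", digest[:4])[0]
    return (m + f) & MASK32


def global_counter_isn(clock_us):
    """Pre-RFC 1948 style ISN, shown for contrast: one clock shared by every
    connection, so any peer that sees one ISN knows roughly what the next
    connection will get.  This is the weakness the setting above removes."""
    return (clock_us // 4) & MASK32


if __name__ == "__main__":
    # Constructed secret; a real stack draws it from a random source at boot.
    secret = os.urandom(16)
    t0 = 1_000_000
    a = rfc1948_isn("10.0.0.1", 40000, "10.0.0.2", 22, secret, t0)
    b = rfc1948_isn("10.0.0.1", 40001, "10.0.0.2", 22, secret, t0)
    print(f"RFC 1948, adjacent local ports at the same instant: {a:#010x} vs {b:#010x}")
    print(f"shared global counter would give {global_counter_isn(t0):#010x} for both")
```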
IPFilter.block_cfservd
Headline
BLOCK incoming cfrun requests with IPFilter.
Default
Y
Description
The cfengine utility provides policy-based configuration management for
groups of systems and Serviceguard clusters. A central "policy host" acts as a
repository for the configuration policy files and reference files that are
distributed to managed clients. Typically, managed clients perform
synchronization runs at administrator-defined intervals, for example from a
cron job on the managed client. The cfrun utility can also be used by the
administrator on the policy host to contact each managed client and request
an immediate, or "on-demand", synchronization run. If this system should
allow on-demand synchronization requests, answer no to this question.
Otherwise, answer yes.
Actions
Enable incoming network traffic for this service by adding the following lines
to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX
Bastille:
# do allow cfservd incoming connections
pass in quick proto tcp from any to any port = 5308 flags S keep state keep frags
IPFilter.block_DNSquery
Headline
BLOCK incoming DNS query connections with IPFilter.
Default
Y
Description
DNS query connections should only be allowed on DNS servers. If this machine
is a DNS server for other machines, you should answer "No" to this question.
Otherwise, you should block DNS queries by answering "Yes".