HP UX Bastille User Manual page 55

Version b.3.3

which analyze the software installed on the system. HP-UX Bastille runs SWA
version C.01.01 or later. Otherwise, SPC is used to create a security-compliance
report. The security compliance report lists:
• Installed patches that have warnings (recalls) issued by HP.
• Security patches announced by HP that will fix installed software but
  have not been applied.
• Currently installed patches not properly configured.
• Software that needs to be removed or updated to comply with a bulletin.
• Manual actions necessary to bring the server to bulletin compliance.
SWA and SPC can work through a proxy-type firewall to download current
catalogs from HP with security and patch-warning information. Bulletin
compliance requires vigilance. New vulnerabilities are found and fixed on a
regular basis. HP recommends running one of these tools frequently, such as
in a nightly cron job. (A separate question will cover this.) HP recommends
that you subscribe to the HP Security Bulletin mailing list.
NOTE: SPC uses clear-text protocols FTP or HTTP if a link cannot be
established with https. The output of this tool is appended to the HP-UX
Bastille generated TODO.txt file so that you can apply the necessary patches.
IMPORTANT: Manual action required to complete this configuration. See
TODO.txt file for details.
Actions
HP-UX Bastille runs SWA or SPC.

Printing.printing
Headline
Disable printing.
Default
N
Description
If this machine does not print, stop the print scheduler and disable the
associated print daemon utilities. On Linux, this includes the restriction of the
daemon file permissions. On HP-UX, this includes the disablement of the
xprintserver and pd client services where applicable.
Actions
If running, stop the lpsched and pdclientd processes.
Set XPRINTSERVERS= in /etc/rc.config.d/tps.
Set LP=0 in /etc/rc.config.d/lp.
Set PD_CLIENT=0 in /etc/rc.config.d/pd.

SecureInetd.banners
Headline
Display "Authorized Use" messages at login time.
Default
N
Description
You can create "Authorized Use Only" messages for your site. These can be
helpful in prosecuting system crackers you catch trying to break into your
system. HP-UX Bastille makes default messages that you can edit. This is like
an "anti-welcome mat" for your system.
Actions
Create default login banner messages in the /etc/motd and /etc/issue files.
Modify the entries for rlogind and telnetd in the /etc/inetd.conf file to use
the /etc/issue banner.

SecureInetd.deactivate_bootp
Headline
Ensure that the inetd bootp service does not run on this system.
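Added example, not part of the HP manual or of Bastille itself: a POSIX shell audit that checks the file changes listed under Printing.printing and SecureInetd.banners above. The ROOT prefix argument and the function names are assumptions made for the example; it inspects files only and does not look at running processes.

```shell
#!/bin/sh
# Added example (not Bastille code): check that the file changes listed under
# Printing.printing and SecureInetd.banners are in place.
# ROOT is a hypothetical prefix for auditing a copy of /etc; empty = live system.

# rc_is VAR EXPECTED FILE: true if the last assignment of VAR in FILE is EXPECTED.
rc_is() {
    line=$(grep "^[[:space:]]*$1=" "$3" 2>/dev/null | tail -n 1)
    [ -n "$line" ] || return 1          # missing file or variable never set
    val=$(printf '%s\n' "$line" | sed -e 's/^[^=]*=//' -e 's/[[:space:]]*#.*$//' \
        -e "s/[\"']//g" -e 's/[[:space:]]*$//')
    [ "$val" = "$2" ]
}

# audit_printing [ROOT]: the three rc.config.d settings from Printing.printing.
audit_printing() {
    d="${1:-}/etc/rc.config.d"; rc=0
    rc_is XPRINTSERVERS "" "$d/tps" || { echo "FAIL: XPRINTSERVERS= not set in $d/tps"; rc=1; }
    rc_is LP 0 "$d/lp"              || { echo "FAIL: LP=0 not set in $d/lp"; rc=1; }
    rc_is PD_CLIENT 0 "$d/pd"       || { echo "FAIL: PD_CLIENT=0 not set in $d/pd"; rc=1; }
    return "$rc"
}

# audit_banners [ROOT]: banner files exist and are non-empty, and every active
# rlogind/telnetd line in inetd.conf names /etc/issue. No such lines = pass.
audit_banners() {
    e="${1:-}/etc"; rc=0
    for f in motd issue; do
        [ -s "$e/$f" ] || { echo "FAIL: $e/$f missing or empty"; rc=1; }
    done
    [ -r "$e/inetd.conf" ] || { echo "FAIL: cannot read $e/inetd.conf"; return 1; }
    bad=$(awk '!/^[ \t]*#/ && /rlogind|telnetd/ && !/\/etc\/issue/' "$e/inetd.conf")
    if [ -n "$bad" ]; then
        echo "FAIL: no /etc/issue banner on:"; echo "$bad"; rc=1
    fi
    return "$rc"
}

# Audit the live system only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_printing; p=$?
    audit_banners && [ "$p" -eq 0 ]
fi
```

Because the last assignment in an rc.config.d file wins, the check reads the final uncommented value rather than the first match.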
