HP UX Bastille User Manual page 58

Version b.3.3

Question modules

SecureInetd.deactivate_recserv
Headline: Ensure the inetd recserv service does not run on this system.
Default: N
Description: HP SharedX Receiver Service receives shared windows from another machine
in X without explicitly performing any xhost command. This service is
required for MPower remote windows. If you use MPower, leave this service
running on your system. The SharedX Receiver Service is an automated
wrapper around the xhost command. For more information about the xhost
command, see xhost(1). This service should be disabled unless shared windows
are viewed often on this machine. The xhost command is generally the more
secure solution because it makes all sharing of windows explicit.
Actions: In the /etc/inetd.conf file, comment out the entry for recserv.

SecureInetd.deactivate_rquotad
Headline: Ensure the inetd rquotad service does not run on this system.
Default: Y
Description: The rquotad server is an RPC server that returns quotas for a user of a local
file system mounted remotely through NFS. This service should be disabled
if not using quotas with NFS.
Actions: In the /etc/inetd.conf file, comment out the entry for rpc.rquotad.

SecureInetd.deactivate_rtools
Headline: Ensure that the login, shell, and exec services do not run on this system.
Default: N
Description: The login, shell, and exec services use the r-tools: rlogind, remshd, and
rexecd respectively, which use IP-based authentication. This form of
authentication can be easily defeated by forging packets that suggest the
connecting machine is a trusted host when in fact it may be an arbitrary
machine on the network. Administrators in the past have found these services
useful, but many are unaware of the security ramifications of leaving these
services enabled.
Actions: In the /etc/inetd.conf file, comment out the entries for login, shell,
and exec.

SecureInetd.deactivate_swat
Headline: Ensure the inetd swat service does not run on this system.
Default: N
Description: The swat service allows a Samba administrator to configure Samba through
a web browser. The swat service allows administrators to view, change, and
affect the change through the web. The drawback from a security standpoint
comes from the authentication method used for the Samba administrator.
Clear-text passwords are passed through the network if a connection is initiated
from an outside source. This form of authentication is easily defeated and HP
recommends not running the swat service on this machine.
Actions: In the /etc/inetd.conf file, comment out the entry for swat.

SecureInetd.deactivate_telnet
Headline: Ensure that the telnet service does not run on this system.
Default: N
Description: Telnet is not secure. Telnet is shipped on most operating systems for backward
compatibility. Do not use it in an untrusted network. Telnet is a clear-text
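
Each Actions entry on this page amounts to commenting out a line in /etc/inetd.conf, so the result can be checked by listing which of those entries are still active. The script below is an added example, not part of the HP manual or of Bastille; the sample file contents, the field layout assumed for RPC entries, and the function names are assumptions.

```sh
#!/bin/sh
# Added example: list inetd.conf entries that the Bastille items on this page
# expect to be commented out but that are still active.

# Names from the Actions text on this page, plus telnet from its headline.
BASTILLE_SERVICES="recserv login shell exec swat telnet"

# active_inetd_services [FILE]   (reads stdin when FILE is omitted)
# Prints one name per active entry. Status: 0 none active, 1 some, 2 unreadable.
active_inetd_services() {
    conf=${1:--}
    [ "$conf" = - ] || [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk -v names="$BASTILLE_SERVICES" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }            # commented out or blank
        $1 in want { print $1; found = 1; next }
        {   # Assumption: an RPC entry names its daemon in a later field
            # (such as /usr/sbin/rpc.rquotad) rather than in field 1.
            for (i = 1; i <= NF; i++)
                if ($i ~ /(^|\/)rpc\.rquotad$/) { print "rpc.rquotad"; found = 1; break }
        }
        END { exit found ? 1 : 0 }
    ' "$conf"
}

# Constructed sample (paths and arguments are illustrative, not from the manual).
sample_inetd_conf() {
    cat <<'EOF'
recserv stream tcp nowait root /usr/lbin/recserv recserv
rpc dgram udp wait root /usr/sbin/rpc.rquotad 100011 1 rpc.rquotad
login stream tcp nowait root /usr/lbin/rlogind rlogind
#shell stream tcp nowait root /usr/lbin/remshd remshd
  # exec stream tcp nowait root /usr/lbin/rexecd rexecd
#swat stream tcp nowait root /opt/samba/bin/swat swat
telnet stream tcp nowait root /usr/lbin/telnetd telnetd
ftp stream tcp nowait root /usr/lbin/ftpd ftpd
EOF
}

# With a path argument audit that file; otherwise run on the constructed sample.
if [ $# -gt 0 ]; then
    active_inetd_services "$1"
else
    sample_inetd_conf | active_inetd_services || :
fi
```

After editing the file, inetd must reread its configuration before the change takes effect; a non-zero exit status from the function makes it usable in a periodic compliance check.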
