IMPORTANT:
Review these tables carefully. Some locked-down services and protocols might
be used by other applications, and locking them down can adversely affect the behavior or
functionality of those applications. You can change these security settings after installing or
updating your system.
Table A-2 Host-based Sec10Host, Sec20MngDMZ, and Sec30DMZ security settings
Category                          Action
--------------------------------  ------------------------------------------------------------
Logins and passwords              Deny login unless home directory exists
                                  Deny non-root logins if /etc/nologin file exists
                                  Set a default path for su command
                                  Deny root logins from network tty
                                  Hide encrypted passwords
                                  Deny ftp system account logins
                                  Deny remote X logins

File system, network, and kernel  Modify ndd settings [1], [2]
                                  Restrict remote access to swlist
                                  Set default umask
                                  Enable kernel-based stack execute protection

Daemons                           Disable ptydaemon
                                  Disable pwgrd
                                  Disable rbootd
                                  Disable NFS client daemons
                                  Disable NFS server
                                  Disable NIS client programs
                                  Disable NIS server programs
                                  Disable SNMPD

inetd services                    Disable bootp
                                  Disable inetd built-in services
                                  Disable CDE helper services
                                  Disable finger
                                  Disable ident
                                  Disable klogin and kshell
                                  Disable ntalk
                                  Disable login, shell, and exec services
                                  Disable swat
                                  Disable printer
                                  Disable recserv
                                  Disable tftp
                                  Disable time
                                  Disable uucp
                                  Disable Event Monitoring Services (EMS) network communication
                                  Enable logging for all inetd connections

sendmail                          Run sendmail via cron to process queue
                                  Stop sendmail from running in daemon mode
                                  Disable vrfy and expn commands

Other settings                    Disable HP Apache 2.x Web Server [3]
                                  Set up cron job to run SWA [1]
Install-Time Security (ITS) using HP-UX Bastille