Default
Y
Description
The bootpd daemon implements three functions: a DHCP server, an Internet Boot Protocol (BOOTP) server, and a DHCP/BOOTP relay agent. If this system is not a BOOTP/DHCP server or a DHCP/BOOTP relay agent, HP recommends disabling this service.
Actions
Comment out the entry for bootp in the /etc/inetd.conf file.
SecureInetd.deactivate_builtin
Headline
Ensure that the inetd built-in services do not run on this system.
Default
N
Description
The inetd built-in services include chargen, daytime, discard, and echo. These services are rarely used, and when they are, it is generally for testing. The UDP versions of these services can be used in a Denial of Service attack and therefore HP recommends disabling these services.
The daytime service sends the current date and time as a human-readable character string (RFC 867). The discard service throws away anything that is sent to it, similar to /dev/null (RFC 863). The chargen service, a character generator, sends a stream of some undefined data, preferably data in some recognizable pattern (RFC 862). The echo service returns the packets sent to it (RFC 862).
Actions
Comment out the entries for daytime, echo, discard, and chargen in the /etc/inetd.conf file.
SecureInetd.deactivate_dttools
Headline
Ensure the inetd CDE helper services do not run on this system.
Default
N
Description
The dtspcd, ttdbserver, and cmsd services are used by CDE. Each service has merits, but they are all rarely used and mostly deprecated.
Actions
In the /etc/inetd.conf file, comment out the entries for:
• dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
• rpc xti tcp swait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver
• srpc dgram udp wait root /usr/dt/bin/rpc.cmsd 100068 2-5 rpc.cmsd
SecureInetd.deactivate_finger
Headline
Ensure the inetd finger service does not run on this system.
Default
Y
Description
The server for the RFC 742 Name/Finger protocol is fingerd. It provides a network interface to finger, which gives a status report of the users currently logged in to the system or a detailed report about a specific user. For more information about the finger command, see finger(1). HP recommends disabling the service because fingerd provides local system user information to remote sources, and this can be useful to someone attempting to break into your system.
Actions
In the /etc/inetd.conf file, comment out the entry for finger.
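The "comment out the entry" actions for the built-in services and finger can be audited and applied with a short script. This is an added example, not part of the HP guide: the function names and the sample file are constructed for illustration, and it matches only entries whose first field is the service name, so it does not handle the rpc-style CDE entries listed above.

```shell
#!/bin/sh
# Added example, not from the HP guide. Assumed inetd.conf field order:
# service  socket-type  protocol  wait|nowait  user  server  args

# Print "service/protocol" for each uncommented entry naming a listed service.
active_inetd_services() {
    conf=$1; shift
    awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }
        ($1 in want) { print $1 "/" $3 }
    ' "$conf"
}

# Comment out those entries. The original is kept as FILE.bak, and the result
# is written with cat so the file keeps its owner and mode.
disable_inetd_services() {
    conf=$1; shift
    tmp="$conf.new.$$"
    awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        !/^[ \t]*#/ && NF > 0 && ($1 in want) { print "#" $0; next }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"; rc=$?
    rm -f "$tmp"; return $rc
}

# Constructed sample file, written to the path given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
ftp      stream tcp nowait root /usr/lbin/ftpd    ftpd -l
finger   stream tcp nowait bin  /usr/lbin/fingerd fingerd
daytime  stream tcp nowait root internal
daytime  dgram  udp nowait root internal
echo     dgram  udp nowait root internal
#discard dgram  udp nowait root internal
chargen  dgram  udp nowait root internal
EOF
}

SERVICES="daytime echo discard chargen finger"
sample=${TMPDIR:-/tmp}/inetd.conf.sample.$$
write_sample_conf "$sample"
active_inetd_services "$sample" $SERVICES    # before: lists the active entries
disable_inetd_services "$sample" $SERVICES
active_inetd_services "$sample" $SERVICES    # after: prints nothing
rm -f "$sample" "$sample.bak"
```

After the real /etc/inetd.conf is edited, inetd has to reread its configuration before the change takes effect (on HP-UX, inetd -c).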
SecureInetd.deactivate_ftp
Headline
Ensure that the inetd FTP service does not run on this system.
Default
N