
Technology (Confidential)

Source

Control ID

Section or Category

Control Statement

4/10/2012

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

Control IDs for the four rows below: AIX: 1921 SUSE: 1281 Solaris: 2389; AIX: 1938 SUSE: 1288 Solaris: 2400; AIX: 1939 SUSE: 1290 Solaris: 2395; AIX: 1920 SUSE: 1276 Solaris: 2381

Auditing, Logging and Monitoring

Files should not be writeable by users other than their owner (i.e., world writeable) unless such permission is required for system functionality.

yes

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

File System Access and Management

Permission to modify environmental control files in user home directories should be restricted to the owner of the file.

yes

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

File System Access and Management

Unless required for specific operational reasons NFS file systems should be exported using the "read only" parameter.

yes

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

Auditing, Logging and Monitoring

File system activities, such as the creation of exported file systems and remote file system mounting, should be audited and reviewed.

no

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1932 SUSE: 1284 Solaris: 2394

Auditing, Logging and Monitoring

Set user ID (setUID) and set group ID (setGID) files should only exist if they are needed for the proper functioning of the system, and they should only be writeable by the owner of the file.

no

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1942 SUSE: 1285 Solaris: 2393

File System Access and Management

All users should have a "umask" value, which defines the permissions to newly created files, of 022 or 027.

no

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1968 SUSE: 1342 Solaris: 2412

System Configuration

The account lockout feature, disabling an account after a number of failed log in attempts, should be enabled and the related parameters should be set in accordance with corporate security standards and guidelines.

yes (5 attempts locked out)

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1986 SUSE: 1313 Solaris: 2442

User Accounts

Any account that has not logged into the system for an extended period of time should be disabled.

no

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1927 SUSE: 1279

Auditing, Logging and Monitoring

All su (switch user) commands, which allow a user to gain access to the root account, should be monitored and reviewed in accordance with corporate standards. All successful and unsuccessful su attempts must be logged. Regular reviews must be conducted on

no

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

SUSE: 1315 Solaris: 2438

User Management

Each account should have a unique user ID (UID).

yes

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1952 SUSE: 1343

Password Management

Complex passwords should be enforced through the system configuration and password policy.

yes

AIX / Solaris / HP-UX

Brabeion

AIX: 1975 SUSE: 1293 Solaris: 2419

System Configuration

Network File Systems (NFS) should not be exported with the "root=" option.

not using root= option

Common Technical Controls

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1966 SUSE: 1336

System Configuration

Anonymous FTP should be disabled. If anonymous FTP is required, the host should be restricted to anonymous FTP traffic and should not host other services.

disabled

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1941 Solaris: 2399

File System Access and Management

NFS mounts should specify the "nosuid" option.

no

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1918 SUSE: 1273 Solaris: 2380

Auditing, Logging and Monitoring

Available disk or file system capacity should be monitored.

yes

SUSE Linux / Solaris / HP-UX

Brabeion

SUSE: 1322 Solaris: 2437

System Configuration

The automount daemon should not be running unless there is a documented operational or business need.

yes

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1928 Solaris: 2421

Auditing, Logging and Monitoring

The Berkeley r-services (e.g., rexec, rlogin, rsh) should be disabled unless there is a documented business or operational need for their use.

yes

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1978 Solaris: 2418

System Configuration

The "rexd" daemon should be disabled.

yes

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1974 Solaris: 2425

System Configuration

The "rstatd" service should be disabled.

yes

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1979 SUSE: 1309 Solaris: 2426

System Configuration

The "netstat" service should be disabled.

yes

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1981 Solaris: 2415

System Configuration

The "tftp" service should be disabled.

yes

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1982 SUSE: 1310 Solaris: 2428

System Configuration

The "finger" service should be disabled.

yes

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1984 SUSE: 1318 Solaris: 2434

System Configuration

The "telnet" service should be disabled.

yes

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1962 Solaris: 2420

System Configuration

The "rwall" service should be disabled.

disabled

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1963 Solaris: 2430

System Configuration

The "rusers" service should be disabled.

disabled

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1965 SUSE: 1307 Solaris: 2424

System Configuration

The "systat" service should be disabled.

disabled

AIX / Solaris / HP-UX

Brabeion

AIX: 1969 Solaris: 2427

System Configuration

The "uucp" service should be disabled.

disabled

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

AIX: 1970 SUSE: 1297 Solaris: 2433

System Configuration

If Sendmail is not necessary for business purposes it should be disabled. If it is necessary, the latest version should be installed and it should be configured with the minimum amount of functionality.

disabled

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

1977

System Configuration

If required, Network File Systems (NFS) should be exported to specific, authorized hosts.

AIX / SUSE Linux / Solaris / HP-UX

Brabeion

SUSE: 1331

System Configuration

The SNMP server should be disabled if it is not being used for remote management. If SNMP is used, the default PUBLIC community name should be changed.

AIX / SUSE Linux / Solaris / HP-UX

Brabeion / IBM / Novell / TRMIS

AIX: 1940

File System Access and Management

The standard job scheduling programs "cron" and "at" should be available only to specifically authorized users.

yes

AIX / SUSE Linux / Solaris / HP-UX

Brabeion / TRMIS

AIX: 1944

File System Access and Management

All SUID and SGID programs should be inventoried and unauthorized programs removed.

no

AIX / SUSE Linux / Solaris / HP-UX

CIS/NSA

Auditing, Logging and Monitoring

"cron" logging should be enabled.

AIX / SUSE Linux / Solaris / HP-UX

CIS/NSA

System Configuration

Disable multicasting and routing discovery.

AIX / SUSE Linux / Solaris / HP-UX

CIS/NSA

System Configuration

Enable stack protection.

AIX / SUSE Linux / Solaris / HP-UX

CIS/NSA

System Configuration

In order to make remote session hijacking attacks more difficult, a better TCP sequence number should be used.

AIX / Solaris / HP-UX

IBM

Password Management

Passwords should not include standard UNIX words.

password complexity checking enabled
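The following checks are an added example written for this page, not part of the baseline document or of the Brabeion, TRMIS or CIS/NSA sources it cites. They cover the file-permission controls above: world-writable files, the inventory of setUID/setGID programs, setUID/setGID files that are writable by anyone other than their owner, and the umask requirement of 022 or 027. The directory tree is constructed in a temporary directory so the script runs anywhere with POSIX find; the file names in it are placeholders.

```shell
#!/bin/sh
# Added example, not part of the baseline document: file-permission checks for
# the controls on world-writable files, setUID/setGID files (inventory, and
# writeable only by their owner) and the 022/027 umask requirement.
# Uses POSIX find with octal -perm tests; the sample tree is constructed here.

# Regular files under DIR that are writable by "other" (world-writable).
world_writable_files() { find "$1" -type f -perm -0002 | sort; }

# Inventory of setUID/setGID files under DIR, to reconcile against the
# authorized list.
setid_files() { find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort; }

# setUID/setGID files that are also group- or world-writable.
setid_not_owner_only() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) \( -perm -0020 -o -perm -0002 \) | sort
}

# umask_compliant VALUE -> exit 0 if VALUE (as printed by `umask`) is 022 or
# 027, the two values the control names; anything else, including stricter
# masks, is reported for review rather than silently accepted.
umask_compliant() {
  v=$1
  while [ "${#v}" -gt 3 ] && [ "${v#0}" != "$v" ]; do v=${v#0}; done
  case "$v" in
    022|027) return 0 ;;
    *) return 1 ;;
  esac
}

# Builds a constructed directory tree with known permissions; prints its path.
make_sample_tree() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/bin" "$d/tmp"
  : >"$d/bin/normal";      chmod 0755 "$d/bin/normal"
  : >"$d/bin/suid_ok";     chmod 4755 "$d/bin/suid_ok"       # setUID, owner-writable only
  : >"$d/bin/suid_groupw"; chmod 4775 "$d/bin/suid_groupw"   # setUID and group-writable
  : >"$d/bin/sgid_worldw"; chmod 2777 "$d/bin/sgid_worldw"   # setGID and world-writable
  : >"$d/tmp/scratch";     chmod 0666 "$d/tmp/scratch"       # world-writable data file
  printf '%s\n' "$d"
}

count_lines() { awk 'END { print NR }'; }

d=$(make_sample_tree)
echo "world-writable files: $(world_writable_files "$d" | count_lines)"
echo "setuid/setgid files: $(setid_files "$d" | count_lines)"
echo "setuid/setgid files not owner-only: $(setid_not_owner_only "$d" | count_lines)"
umask_compliant "$(umask)" && echo "umask ok" || echo "umask $(umask) needs review"
rm -rf "$d"
```

On a real host the three find functions would be pointed at / (with -xdev or an exclusion list for network mounts), and the setUID/setGID inventory would be diffed against the approved list rather than only counted.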

AIX / SUSE Linux / Solaris / HP-UX

IBM / CIS / NSA

System Configuration

The "exec" service should be disabled.

no

AIX / SUSE Linux / Solaris / HP-UX

IBM / CIS / NSA

System Configuration

The "talk" / "ntalk" service should be disabled.

no

AIX / SUSE Linux / Solaris / HP-UX

IBM / CIS / NSA

System Configuration

The "daytime" service should be disabled.

no

AIX / SUSE Linux / Solaris / HP-UX

IBM / CIS / NSA

System Configuration

The "chargen" service should be disabled.

yes

AIX / SUSE Linux / Solaris / HP-UX (technology for this row and the rows that follow)

IBM / CIS / NSA

System Configuration

The "echo" service should be disabled.

yes
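As an added example (not from the baseline document or its sources), the script below reads an inetd.conf and reports which of the legacy services that the rows above say should be disabled are still active. The default service list is taken from those rows; extra names can be appended for platform-specific controls such as the AIX "ftp" or "comsat" rows. The sample configuration, its paths and the rpc-style "rstatd/1-3" entry are constructed.

```shell
#!/bin/sh
# Added example, not part of the baseline document: reports the legacy inetd
# services from this baseline that are still enabled (uncommented) in an
# inetd.conf. Services registered through rpc appear as "name/versions", so
# the version suffix is stripped before matching. Sample config is constructed.

# enabled_legacy_services INETD_CONF [EXTRA_NAMES] -> "service protocol" lines
enabled_legacy_services() {
  awk -v extra="$2" '
    BEGIN {
      list = "finger telnet rwall rusers systat uucp tftp exec talk ntalk daytime chargen echo rexd rstatd netstat " extra
      n = split(list, b, " ")
      for (i = 1; i <= n; i++) banned[b[i]] = 1
    }
    /^[ \t]*(#|$)/ { next }              # commented-out or blank: disabled entry
    NF >= 3 {
      name = $1; sub(/\/.*/, "", name)   # "rstatd/1-3" -> "rstatd"
      if (name in banned) print name, $3
    }' "$1"
}

# Constructed sample /etc/inetd.conf (daemon paths are placeholders).
sample_inetd_conf() {
  cat <<'EOF'
# inetd.conf (constructed sample)
#telnet    stream tcp     nowait root   /usr/sbin/telnetd     telnetd -a
ftp        stream tcp     nowait root   /usr/sbin/ftpd        ftpd
finger     stream tcp     nowait nobody /usr/sbin/fingerd     fingerd
#echo      stream tcp     nowait root   internal
echo       dgram  udp     wait   root   internal
chargen    stream tcp     nowait root   internal
daytime    stream tcp     nowait root   internal
#tftp      dgram  udp     wait   nobody /usr/sbin/tftpd       tftpd -n
rstatd/1-3 dgram  rpc/udp wait   root   /usr/sbin/rpc.rstatd  rstatd
EOF
}

# sample_enabled_legacy [EXTRA_NAMES] -> runs the check on the sample config
sample_enabled_legacy() {
  f=$(mktemp) || return 1
  sample_inetd_conf >"$f"
  enabled_legacy_services "$f" "$1"
  rm -f "$f"
}

sample_enabled_legacy
```

Against a real system the first argument would be /etc/inetd.conf; on platforms that have moved services out of inetd (Solaris SMF, xinetd drop-ins) the same name list applies but the enabled/disabled state has to be read from that framework instead.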

IBM / CIS / NSA

System Configuration

Desktop software, such as CDE, GNOME, or KDE, should not be installed on servers.

IBM/TRMIS

User Accounts

UNIX System Administrators must switch user (su) to root under his/her user ID when super user privileges are required.

IBM/TRMIS

Password Management

Anonymous root login must be allowed only from the system console for emergency purposes.

SUSE: 1299

Password Management

The maximum password age should be set in accordance with corporate security standards and guidelines.

Values as extracted for the four rows above: not running; yes; yes (28 days)

IBM/TRMIS

SUSE: 1333

The minimum password age should be set in accordance with corporate standards.

yes

TRMIS

File System Access and Management

Ensure all files in the /dev or /devices directory are special files.

yes

TRMIS

File System Access and Management

Ensure that there are no unexpected special files outside /dev or /devices.

yes

AIX / SUSE Linux / Solaris / HP-UX

TRMIS

Password Management; File System Access and Management

Remove, or restrict to read-only access, the root account's .exrc and/or .vimrc file.

yes

AIX / SUSE Linux / Solaris / HP-UX

TRMIS

Remove user .netrc, .rhosts and .forward files.

yes

AIX / SUSE Linux / Solaris / HP-UX

TRMIS

User Accounts

An authorized use message must be displayed at login. All non essential system information, such as O/S and / or patch level must not be displayed pre-login.

yes

AIX / SUSE Linux / Solaris / HP-UX

TRMIS

User Accounts

Remove unnecessary default user accounts such as guest.

yes (guest account is locked)

AIX / SUSE Linux / Solaris / HP-UX

TRMIS

Password Management

Only one account with super-user privilege is permitted per TDBFG system. No other UID 0 accounts may exist other than root.

yes

AIX / SUSE Linux / Solaris / HP-UX

TRMIS

Control IDs as extracted for the rows that follow: SUSE: 1303 Solaris: 2409; AIX: 1922 SUSE: 1280 Solaris: 2386; AIX: 1926 SUSE: 1279 Solaris: 2383; AIX: 1919 SUSE: 1275 Solaris: 2384; AIX: 1923 Solaris: 2387; AIX: 1995 SUSE: 1325 Solaris: 2443; AIX: 1956 SUSE: 1302 Solaris: 1408; AIX: 1991 SUSE: 1312 Solaris: 2439; AIX: 1976 SUSE: 1296 Solaris: 2429; AIX: 1950 SUSE: 1304 Solaris: 2410; AIX: 1929 SUSE: 1283 Solaris: 2391; AIX: 1951 SUSE: 1320 Solaris: 2411; AIX: 1931 SUSE: 1274

Additional Applications and Services (this row); Password Management (shadow password file row below)

Install eTrust Access Control for UNIX agent and enable the agent service.

no

Technology for the rows that follow, as extracted in order: SUSE Linux / Solaris / HP-UX; AIX / SUSE Linux / Solaris / HP-UX (×11); SUSE Linux / Solaris / HP-UX; AIX / SUSE Linux / Solaris / HP-UX

Brabeion

Password hashes should be stored in a "shadow" password file.

yes
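The script below is an added example, not part of the baseline document or its sources. It audits passwd/shadow data against four of the account controls on this page (each account has a unique UID; root is the only UID 0 account; password hashes live in the shadow file; every account has a password) and also flags legacy DES hashes, the hashing control in the SUSE section further down. It assumes the Linux/Solaris colon-separated /etc/passwd and /etc/shadow layout (AIX keeps hashes in /etc/security/passwd, so the shadow part would need a different reader there). All accounts and hash strings are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the baseline document: checks passwd/shadow data
# against the account controls (unique UIDs, root as the only UID 0 account,
# hashes kept in the shadow file, every account has a password) and flags
# legacy DES hashes (13-character crypt(3) output with no "$id$" prefix).
# Assumed layout: Linux/Solaris-style /etc/passwd and /etc/shadow.
# All account data below is constructed test data.

# audit_accounts PASSWD_FILE SHADOW_FILE -> one finding per line, sorted.
audit_accounts() {
  awk -F: '
    NR == FNR {                             # first file: passwd
      if (NF < 7) next
      user = $1; uid = $3
      # "x" (Linux/Solaris) or "!" (AIX) means the hash is in the shadow file.
      if ($2 != "x" && $2 != "!" && $2 != "*" && $2 != "")
        print "passwd-hash " user
      if (uid == 0 && user != "root") print "extra-uid0 " user
      if (uid in seen) print "dup-uid " seen[uid] "," user " uid=" uid
      else seen[uid] = user
      next
    }
    {                                       # second file: shadow
      if (NF < 2) next
      h = $2
      if (h == "") print "empty-password " $1
      else if (h ~ /^[*!]/) next            # locked or no-login account
      else if (length(h) == 13 && h !~ /^\$/) print "des-hash " $1
    }' "$1" "$2" | sort
}

# Constructed sample files (placeholder hashes, not real credentials).
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:0:legacy backup:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1002:1003:Carol:/home/carol:/bin/bash
oper:$1$saltsalt$PLACEHOLDERHASHxxxxxxx:1003:1003:Operator:/home/oper:/bin/sh
EOF
}

sample_shadow() {
  cat <<'EOF'
root:$6$saltsalt$PLACEHOLDERSHA512HASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19000:0:90:7:::
daemon:*:19000:0:99999:7:::
backup:$1$saltsalt$PLACEHOLDERMD5HASHxxxx:19000:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERSHA512HASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19000:0:90:7:::
bob::19000:0:90:7:::
carol:abcdefghijklm:19000:0:90:7:::
EOF
}

# Runs the audit on the sample data; on a real host pass /etc/passwd /etc/shadow.
sample_audit() {
  p=$(mktemp) && s=$(mktemp) || return 1
  sample_passwd >"$p"
  sample_shadow >"$s"
  audit_accounts "$p" "$s"
  rm -f "$p" "$s"
}

sample_audit
```

Each finding names the control it violates: "dup-uid" and "extra-uid0" for the UID rules, "passwd-hash" for a hash left in the world-readable passwd file, "empty-password" for an account without one, and "des-hash" for a hash that predates the salted MD5/Blowfish/SHA schemes.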

Brabeion

Auditing, Logging and Monitoring

All audit files should be archived and purged in accordance with corporate standards.

yes

Brabeion

Auditing, Logging and Monitoring

Trust relationships should be evaluated regularly. Any relationships that do not serve a business or operational purpose should be removed.

yes

Brabeion

Auditing, Logging and Monitoring

The server should only run software that supports documented business or operational needs.

Brabeion

Auditing, Logging and Monitoring

An audit data reduction tool should be used to facilitate log review.

Brabeion

User Management

Only users who require domain-wide access should be listed in the NIS/NIS+ password file.

Values as extracted for the three rows above: no; no; -

Brabeion

Password Management

Default passwords supplied with software packages should be changed upon installation. In addition, these passwords should be complex and conform to corporate security standards and guidelines.

Brabeion

User Accounts

User accounts should not be shared among multiple users.

Brabeion

System Configuration

If it is necessary to run NIS as opposed to NIS+, NIS clients should be configured to use the server-list mode.

Brabeion

Password Management

The root user should not be included in the NIS or NIS+ password file.

Values as extracted for the four rows above: don't allow; disabled (No NIS on AIX); not include

Brabeion

Auditing, Logging and Monitoring

System activities should be adequately logged and reviewed in accordance with corporate standards.

no

Brabeion

Password Management

The password for the root account maintained on each server should be unique and changed in accordance with corporate standards.

yes

Brabeion

Password Management

The password file should not be distributed using NIS unless there is a documented operational or business need.

yes

Brabeion

Auditing, Logging and Monitoring

User access to data and executables should be audited in accordance with corporate policy.

yes

Technology for the rows that follow, as extracted in order: AIX / SUSE Linux / Solaris / HP-UX (×10); SUSE Linux / Solaris / HP-UX; AIX / SUSE Linux / Solaris / HP-UX (×8)

Brabeion

AIX: 1943

File System Access and Management

Write access to terminals should be restricted.

yes

Brabeion / TRMIS / Novell

AIX: 1973 Solaris: 2416

System Configuration

The latest security patches and any recommended maintenance must be applied according to corporate standards. Patches and maintenance must be verified and tested before being applied.

yes

TRMIS

Additional Applications and Services

Symantec Enterprise Security Manager (ESM) should be installed. The ESM agent service should be enabled on all PROD servers.

User Accounts

To ensure a controlled environment with auditing and managing capabilities for the creation, modification and deletion of UNIX system logon IDs, UNIX access requests must be submitted by the Divisional Signature Authority (DIVSIG1) using the UNIX Access Request Form.

To ensure each group can be uniquely identified, GIDs must be requested through security operations. This unique GID is to be used on all required UNIX servers.

The NIS domain name should not be easily guessable.

TRMIS

yes

TRMIS

Control IDs as extracted: AIX: 1955 SUSE: 1300 Solaris: 2406; AIX: 1925 SUSE: 1278 Solaris: 2382; AIX: 1994

User Accounts; Password Management

yes

Brabeion

yes

Brabeion

Auditing, Logging and Monitoring

Repeated login failures (= 5) over 15 minutes must generate an alert in real time to the 7/24 Operations monitoring team for action or page-out to the Technology Response Management team. Regular reviews of the logs must be conducted to monitor abnormal.

no

Brabeion

User Accounts

Unnecessary default groups should be disabled or removed.

no
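The following script is an added example, not from the baseline document or its sources, showing detection logic for the two monitoring controls on this page: the earlier requirement that every successful and unsuccessful su attempt be logged and reviewed, and the requirement above that repeated login failures (5 within 15 minutes) raise a real-time alert. It runs over constructed syslog-style lines; the "Failed password for" and "BAD SU" wording is the common Linux sshd/su format, and other platforms (AIX, Solaris, HP-UX) log these events with different text that would need their own patterns. Hostnames, users and addresses in the sample are placeholders.

```shell
#!/bin/sh
# Added example, not part of the baseline document: lists every su attempt for
# review and alerts when an account accumulates THRESHOLD failed logins within
# WINDOW seconds (defaults 5 and 900, matching the control). Timestamps are
# compared as seconds since midnight, so the window is evaluated within one
# day; message formats assumed are the Linux sshd/su wording.

# Constructed sample log (hosts, users and addresses are placeholders).
sample_log() {
  cat <<'EOF'
Apr 10 09:00:05 host1 sshd[2101]: Failed password for bob from 10.0.0.5 port 51022 ssh2
Apr 10 09:01:10 host1 sshd[2102]: Failed password for bob from 10.0.0.5 port 51023 ssh2
Apr 10 09:03:44 host1 su: BAD SU alice to root on /dev/pts/1
Apr 10 09:04:02 host1 sshd[2103]: Failed password for bob from 10.0.0.5 port 51024 ssh2
Apr 10 09:05:30 host1 su: (to root) alice on /dev/pts/1
Apr 10 09:07:15 host1 sshd[2104]: Failed password for invalid user admin from 10.0.0.9 port 40001 ssh2
Apr 10 09:07:15 host1 sshd[2105]: Failed password for bob from 10.0.0.5 port 51025 ssh2
Apr 10 09:09:59 host1 sshd[2106]: Failed password for bob from 10.0.0.5 port 51026 ssh2
Apr 10 09:30:00 host1 sshd[2107]: Failed password for carol from 10.0.0.7 port 51030 ssh2
Apr 10 09:50:00 host1 sshd[2108]: Failed password for carol from 10.0.0.7 port 51031 ssh2
EOF
}

# su_events < log -> "FAILED|OK <time> <message>" for every su record
su_events() {
  awk '$5 == "su:" {
    status = ($0 ~ /BAD SU/) ? "FAILED" : "OK"
    msg = $0; sub(/^.*su: /, "", msg)
    print status, $3, msg
  }'
}

# failed_login_alerts [THRESHOLD] [WINDOW_SECONDS] < log
# Emits one ALERT line per account the first time the threshold is reached.
failed_login_alerts() {
  awk -v thr="${1:-5}" -v win="${2:-900}" '
    /Failed password for/ {
      split($3, t, ":"); ts = t[1] * 3600 + t[2] * 60 + t[3]
      user = ""
      for (i = 6; i <= NF; i++) if ($i == "for") { user = $(i + 1); break }
      if (user == "invalid") user = $(i + 3)      # "for invalid user NAME"
      n[user]++; stamp[user, n[user]] = ts
      c = 0
      for (j = 1; j <= n[user]; j++) if (ts - stamp[user, j] <= win) c++
      if (c >= thr && !fired[user]) {
        fired[user] = 1
        print "ALERT " user ": " c " failed logins within " win "s (last at " $3 ")"
      }
    }'
}

sample_su_events()           { sample_log | su_events; }
sample_failed_login_alerts() { sample_log | failed_login_alerts 5 900; }

sample_su_events
sample_failed_login_alerts
```

In the sample, bob's five failures fall inside a ten-minute span and trigger the alert, while carol's two failures twenty minutes apart do not; the su listing shows alice's failed attempt followed by her successful switch to root, which is the pair a reviewer would want to see together.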

Brabeion

Control IDs as extracted for the rows that follow: AIX: 1992; AIX: 1967 SUSE: 1294 Solaris: 2417; SUSE: 1317 Solaris: 2444; AIX: 1924 SUSE: 1272 Solaris: 2388; AIX: 1935 SUSE: 1287 Solaris: 2396; AIX: 1937 SUSE: 1271 Solaris: 2397; AIX: 1945 SUSE: 1291 Solaris: 2401; AIX: 1972 SUSE: 1311 Solaris: 2431; AIX: 1954 Solaris: 2404; AIX: 1917 SUSE: 1282 Solaris: 2390; AIX: 1980 SUSE: 1339 Solaris: 2413; AIX: 1959 SUSE: 1321 Solaris: 2405; AIX: 1971 Solaris: 2414; AIX: 1936 SUSE: 1289 Solaris: 2398

User Accounts

Automatic logoff should be enabled for all user accounts.

no

Brabeion (×5, sources for the rows that follow)

System Configuration

File systems should only be exported to fully qualified hostnames.

User Management

Vendor accounts should be disabled after each specific instance of service.

Values as extracted: yes; no; no; yes; yes *

Auditing, Logging and Monitoring

Security configuration file changes should be monitored in accordance with corporate standards. Unauthorized changes to security configuration files should be investigated.

File System Access and Management

Public directories, such as /tmp/, should have restrictions to protect files located within them from deletion by users other than their owners.

File System Access and Management

Access to application data and programs should be restricted based on the user's business requirements. Role-based access control should be used, granting access based on the principle of least privilege.

File System Access and Management

Sensitive operating system files and directories should be secured against unauthorized access.

System Configuration

A legal notice and warning should be implemented in order to provide adequate protection and awareness of legal issues.

Password Management

All user accounts should have passwords.

Brabeion

yes *

Brabeion

Values as extracted: yes only if ssh key auth is not used; yes *; yes (when FTP enabled); yes (No NIS in AIX); yes *

Brabeion

Brabeion

Auditing, Logging and Monitoring

Authorized password "cracking" programs should be periodically run to validate adherence to corporate password policy.

System Configuration

Access to the File Transfer Protocol (FTP) server should be restricted by user.

Brabeion

AIX / SUSE Linux / Solaris / HP-UX (×3, technology for the three rows that follow)

Brabeion

Password Management

NIS+ servers should operate at a level 2 security mode (as opposed to running in NIS compatibility mode).

Brabeion

System Configuration

If the UNIX system is being used as a DNS server, only a recent version of the DNS software (BIND) should be used. UNIX DNS servers should be single-purpose, and should have other services disabled.

Brabeion

File System Access and Management

File systems should not be exported outside the administrative scope of the system.

yes
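The script below is an added example, not part of the baseline document or its sources. It checks an NFS exports file against the export controls scattered through this section (exports read-only; no "root=" option; exported only to specific authorized hosts; hosts named by fully qualified hostnames; nothing exported outside the administrative scope) and checks client mount entries for the "nosuid" option. It assumes the AIX /etc/exports syntax ("/dir -opt,opt=host:host"), which is where the "root=" and "access=" options come from, and fstab-style mount lines for the client side; Solaris (share/dfstab) and Linux (per-host options in /etc/exports) use different syntax. The administrative domain ".corp.example" and all hosts and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the baseline document: audits NFS exports for the
# read-only, root=, access-list, FQDN and administrative-scope controls, and
# NFS client mounts for the nosuid option. Assumed formats: AIX-style
# /etc/exports and fstab-style mount lines. All input below is constructed.

# audit_exports ADMIN_DOMAIN_SUFFIX < exports-file -> one finding per line
audit_exports() {
  awk -v dom="$1" '
    /^[ \t]*(#|$)/ { next }
    {
      dir = $1; opts = ""
      if (NF >= 2 && substr($2, 1, 1) == "-") opts = substr($2, 2)
      n = split(opts, o, ",")
      ro = 0; access = ""; rootopt = ""
      for (i = 1; i <= n; i++) {
        if (o[i] ~ /^ro(=|$)/) ro = 1
        else if (o[i] ~ /^access=/) access = substr(o[i], 8)
        else if (o[i] ~ /^root=/) rootopt = substr(o[i], 6)
      }
      if (!ro) print dir ": exported read-write"
      if (rootopt != "") print dir ": root= option grants root access to " rootopt
      if (access == "") { print dir ": no access= list, exported to every host"; next }
      m = split(access, h, ":")
      for (j = 1; j <= m; j++) {
        if (h[j] !~ /\./)
          print dir ": host " h[j] " is not a fully qualified name"
        else if (dom != "" && substr(h[j], length(h[j]) - length(dom) + 1) != dom)
          print dir ": host " h[j] " is outside the administrative domain " dom
      }
    }'
}

# audit_nfs_mounts < fstab-style-file -> NFS mounts that lack nosuid
audit_nfs_mounts() {
  awk '
    /^[ \t]*(#|$)/ { next }
    $3 ~ /^nfs/ {
      n = split($4, o, ","); has = 0
      for (i = 1; i <= n; i++) if (o[i] == "nosuid") has = 1
      if (!has) print $2 ": NFS mount of " $1 " lacks nosuid"
    }'
}

# Constructed sample exports file (AIX-style syntax, hypothetical hosts).
sample_exports() {
  cat <<'EOF'
# /etc/exports (constructed)
/export/app   -ro,access=app1.corp.example:app2.corp.example
/export/home  -rw,access=ws1:ws2.corp.example,root=ws1
/export/pub   -ro
/export/share -ro,access=build.lab.example
EOF
}

# Constructed sample mount table (fstab-style, hypothetical hosts).
sample_mounts() {
  cat <<'EOF'
fs1.corp.example:/export/app   /mnt/app      nfs  ro,nosuid,hard  0 0
fs1.corp.example:/export/home  /home/remote  nfs  rw,hard         0 0
/dev/sda1                      /             ext3 defaults        1 1
EOF
}

sample_export_findings() { sample_exports | audit_exports ".corp.example"; }
sample_mount_findings()  { sample_mounts | audit_nfs_mounts; }

sample_export_findings
sample_mount_findings
```

Only /export/app passes every export check; /export/home collects three findings (read-write, root=, an unqualified host), /export/pub is open to every host, and /export/share names a host outside the administrative domain. The client side flags the one NFS mount without nosuid.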


Technology (Confidential)

Source

Control ID

Section or Category

Control Statement

Base Build

Reason for control not in baseline build

Semi Harden

Fully Harden

Base Build (4/10/2012)

Reasons as extracted from the header area: We have not looked at this option; On hardening, the NFS function is disabled, but there is no

AIX

Brabeion

1934

Auditing, Logging and Monitoring

If the system administrator relies exclusively on the auditing functionality of AIX, then the /etc/security/audit/config file should contain a list of users that are being audited as well as the level of auditing associated with each user.

Base Build: no; Semi Harden: no; Fully Harden: no

AIX

Brabeion

1949

NFS Security

NFS v4 may be enabled for AIX 5.3 systems to increase NFS security.

Base Build: using v3; Semi Harden: NFS not enabled; Fully Harden: NFS not enabled; Base Build (4/10/2012): NFS not enabled

AIX

Brabeion

1960

Security Configuration Controls

Enable the sedmgr in AIX 5.3 to prevent execution of code on the stack.

Base Build: not enabled; Semi Harden: not enabled; Fully Harden: not enabled; Base Build (4/10/2012): not enabled

AIX

Brabeion

1961

System Configuration

Telnet banners should not reveal system information.

Base Build: system information revealed; Reason: telnet to port 22 shows ssh information; Semi Harden: system information revealed; Fully Harden: system information revealed; Base Build (4/10/2012): system information revealed

AIX

Brabeion

1987

User Accounts

Temporary accounts should be disabled if not in use.

Base Build: no; Reason: we don't use temp accounts; Semi Harden: no; Fully Harden: no; Base Build (4/10/2012): no

AIX

Brabeion / TRMIS

1988

User Accounts

To ensure each end user can be uniquely identified, assign each end user the same UID consistently on all required UNIX servers. Refer to the Access Request Portal for the Unix Access Request Form (UARF).

Base Build: yes; Semi Harden: yes; Fully Harden: yes

AIX

IBM

System Configuration

New installations should be backed up and stored in a secure location.

Base Build: tsm or nim backed up; Semi Harden: tsm or nim backed up; Fully Harden: tsm or nim backed up

AIX

IBM

System Configuration

The "discard" service should be disabled.

Base Build: yes; Semi Harden: yes; Fully Harden: yes

AIX

IBM

System Configuration

The "dtspc" service should be disabled.

Base Build: yes; Semi Harden: yes; Fully Harden: yes

AIX

IBM

System Configuration

The "bootps" service should be disabled.

Base Build: no; Semi Harden: yes; Fully Harden: yes

AIX

IBM

System Configuration

The "comsat" service should be disabled.

Base Build: yes; Semi Harden: yes; Fully Harden: yes

AIX

IBM

System Configuration

The "ftp" service should be disabled.

Base Build: yes; Semi Harden: yes; Fully Harden: yes

AIX

IBM

System Configuration

The "i4ls" service should be disabled for production machines only.

Base Build: yes; Semi Harden: yes; Fully Harden: yes

AIX

IBM

System Configuration

The "uprintfd" service should be disabled.

Base Build: no; Semi Harden: no; Fully Harden: no

AIX

IBM

System Configuration

The "writesrv" service should be disabled.

Base Build: yes; Semi Harden: yes; Fully Harden: yes

AIX

IBM

System Configuration

Use an alias for the "ls" command to show hidden files and characters in a file name.

Base Build: no; Semi Harden: no; Fully Harden: no

AIX

IBM

System Configuration

Use an alias for the "rm" command to avoid accidentally deleting files from the system.

Base Build: no; Semi Harden: no; Fully Harden: no

AIX

IBM/TRMIS

Network Security

"bcastping" should be disabled.

Base Build: yes; Semi Harden: yes; Fully Harden: yes

AIX

IBM/TRMIS

Network Security

"clean_partial_conns" should be enabled.

Base Build: no; Semi Harden: no; Fully Harden: no

AIX

IBM/TRMIS

Network Security

"directed_broadcast" should be disabled.

Base Build: yes; Semi Harden: yes; Fully Harden: yes

AIX

IBM/TRMIS

Network Security

"icmpaddressmask" should be disabled.

Base Build: yes; Semi Harden: yes; Fully Harden: yes

AIX

IBM/TRMIS

Network Security

"ipforwarding" should be disabled.

Base Build: yes; Semi Harden: yes; Fully Harden: yes

AIX

IBM/TRMIS

Network Security

"ipignoreredirects" should be enabled.

Base Build: no; Semi Harden: no; Fully Harden: no

AIX

IBM/TRMIS

Network Security

"ipsendredirects" should be disabled.

Base Build: no; Semi Harden: no; Fully Harden: no

AIX

IBM/TRMIS

Network Security

"ip6srcrouteforward" should be disabled.

Base Build: no; Semi Harden: no; Fully Harden: no

Base Build (4/10/2012) column values as extracted for this group, in order: yes; tsm or nim backed up; yes; yes; yes; yes; yes; yes; no; no; yes; yes; yes; no; no; no

AIX

IBM/TRMIS

Network Security

"ipsrcrouteforward" should be disabled.

Base Build: no; Semi Harden: no; Fully Harden: no; Base Build (4/10/2012): no

AIX

IBM/TRMIS

Network Security

"ipsrcrouterecv" should be disabled.

Base Build: yes; Semi Harden: yes; Fully Harden: yes; Base Build (4/10/2012): yes

AIX

IBM/TRMIS

Network Security

"ipsrcroutesend" should be disabled.

Base Build: no; Semi Harden: no; Fully Harden: no; Base Build (4/10/2012): no

AIX

IBM/TRMIS

Network Security

"nonlocsroute" should be disabled.

Base Build: yes; Semi Harden: yes; Fully Harden: yes; Base Build (4/10/2012): yes

AIX

IBM/TRMIS

Network Security

"tcp_pmtu_discover" should be disabled.

Base Build: no; Semi Harden: no; Fully Harden: no; Base Build (4/10/2012): no

AIX

IBM/TRMIS

Network Security

"udp_pmtu_discover" should be disabled.

Base Build: no; Semi Harden: no; Fully Harden: no; Base Build (4/10/2012): no

AIX Specific Controls

Technology (Confidential)

Source

Control ID

Section or Category

Control Statement

Base Build

Reason for control not in baseline build

Semi Harden

Fully Harden

Base Build (4/10/2012)

SUSE Linux

Brabeion

1341

File System Access and Management

Anonymous and unauthenticated access should not be enabled for Samba file shares.

Base Build: no; Semi Harden: no; Fully Harden: no; Base Build (4/10/2012): no

SUSE Linux

Brabeion

1344

Password and Account Management

LDAP should be configured to utilize encryption to protect system authentication information from unauthorized access.

Base Build: no; Semi Harden: no; Fully Harden: no; Base Build (4/10/2012): no

SUSE Linux

Brabeion

1345

Password and Account Management

The LDAP bind passwords should be protected from unauthorized access.

Base Build: yes; Reason: currently we are not using LDAP; Semi Harden: yes; Fully Harden: yes

SUSE Linux

Brabeion

1334

Server Configuration

The DES encryption algorithm should not be used for system password hashing.

Base Build: yes; Reason: MD5 and/or blowfish; Semi Harden: yes; Fully Harden: yes

Additional value extracted for the two rows above: yes

SUSE Linux

Brabeion

1340

Server Configuration

Credentials (usernames and passwords) to Windows file shares should not be stored in /etc/fstab for automounting Samba/Windows shares.

Base Build: yes; Semi Harden: yes; Fully Harden: yes; Base Build (4/10/2012): yes

SUSE Linux

Brabeion

1323

System Configuration

X-Windows servers should not be running on SuSE servers unless there is a documented business or operational need. If graphical user interfaces are required, X-Windows should be tunnelled through SSH.

Base Build: yes; Reason: Unless there is a business requirement; Semi Harden: yes; Fully Harden: yes; Base Build (4/10/2012): yes

SUSE Linux

Brabeion

1337

User Management

The sudo command should be utilized to restrict access to root privileges.

Base Build: yes; Semi Harden: yes; Fully Harden: yes; Base Build (4/10/2012): yes

SUSE Linux

Brabeion

1338

User Management

The ability to su to root should be limited to users that are authorized to have root access.

Base Build: yes; Semi Harden: yes; Fully Harden: yes; Base Build (4/10/2012): yes

SUSE Linux

Novell

System Configuration

The "IMAP" service should be disabled.

Base Build: yes; Semi Harden: yes; Fully Harden: yes; Base Build (4/10/2012): yes

SUSE Linux

Novell

System Configuration

The "POP" service should be disabled.

Base Build: yes; Semi Harden: yes; Fully Harden: yes; Base Build (4/10/2012): yes

SUSE Linux

Novell

System Configuration

GUI login should be disabled. Users should log in via SSH or a normal text-based console.

Base Build: yes; Semi Harden: yes; Fully Harden: yes; Base Build (4/10/2012): yes

SUSE Linux

Novell

System Configuration

NFS server and client processes should be disabled.

Base Build: yes; Reason: unless there is a business requirement; Semi Harden: yes; Fully Harden: yes; Base Build (4/10/2012): yes

SUSE Linux

Novell

System Configuration

NIS server and client processes should be disabled.

Base Build: yes; Reason: unless there is a business requirement; Semi Harden: yes; Fully Harden: yes; Base Build (4/10/2012): yes

SUSE Specific Controls

Technology

Source

Control ID Section or Category

Solaris

Brabeion

2423

System Configuration

Solaris

Brabeion

2432

System Configuration

Solaris

CIS/NSA

Auditing, Logging and Monitoring File System Access and Management File System Access and Management System Configuration System Configuration

Solaris

CIS/NSA

Solaris

CIS/NSA

Solaris Solaris

CIS/NSA CIS/NSA

Solaris

CIS/NSA

System Configuration

Solaris Solaris

NSA Brabeion 2436

System Configuration System Configuration

Current State Control Statement Base Build Reason for control not in Semi Harden Fully Harden baseline build Sending this password poses no no a huge operational risk sendmail daemon is not yes yes allowed It is a huge performance no no and log mgmt issue are we using Solaris as a no no desktop

An EEPROM password should be used on the server. The verify and expn commands within sendmail should be disabled. System accounting should be enabled

no

Yes

no

A default locking screensaver timeout should be set. Disable "nobody" access for secure RPC. Restrict NFS client requests to privileged ports Set EEPROM security-mode and log failed access. The "printer" service should be disabled.

no Brian needs to investigate yes ?

yes What is this could be a business requirement for printer services

yes

yes

yes

no

The "rquotad" service should be disabled. OpenWindows servers should not be running unless there is a documented business or operational need.

yes yes

yes no

yes no

Future State Base Build Reason for control not in baseline build Fully Harden

yes sendmail daemon is not allowed

yes

yes

yes

no

no

N/A

N/A

yes

yes

yes

yes

yes

no

yes no

yes no

Technology (Confidential)

Source

Control ID

Section or Category

Control Statement

Base Build

Reason for control not in baseline build

Semi Harden

Fully Harden

Base Build (4/10/2012)

HP-UX (technology for all rows in this section)

CIS/NSA

System Configuration

The "printer" service should be disabled.

Base Build: yes; Reason: could be a business requirement for printer services; Semi Harden: yes; Fully Harden: no; Base Build (4/10/2012): yes

IBM

Password Management

Passwords should not include standard UNIX words.

IBM / CIS / NSA

System Configuration

Desktop software, such as CDE, GNOME, or KDE, should not be installed on servers.

IBM/TRMIS

SUSE: 1333

Password Management

The minimum password age should be set in accordance with corporate standards.

Values as extracted for the three rows above: yes; yes; yes; yes

NSA

System Configuration

The "rquotad" service should be disabled.

The "auth" service should be disabled.

The "shell" service should be disabled.

The "ncpmd" service should be disabled.

The "hipd" service should be disabled.

The "dtspcd" service should be disabled.

Enable inetd logging by adding "export INETD_ARGS=-l" to /etc/rc.config.d/netdaemons.

Disable syslogd from listening on the network by modifying /etc/rc.config.d/syslogd.

Remove or lock unneeded pseudo accounts (nuucp, mysql, uucp, hpdb, lp, www, daemon).

Tighten global privileges on chown.

Configure nsswitch.conf to not be DNS resolver (chmod 444 /etc/nsswitch.conf).

Disable rpcbind daemon.

Disable pwgrd (password and group caching daemon).

The "bootps" service should be disabled.

HP-UX Specific Controls