HP-UX 11i v3 Installation and Update Guide, February 2007 (Initial Release)

Chapter 3: Choosing an Installation Method, Security Considerations (page 51)
Serviceguard Configuration (post-installation) to Enable Use with Security Levels
Configuring Sec20MngDMZ or Sec30DMZ for Use with Serviceguard
Serviceguard uses dynamic ports. To enable operation, the range of ports that Serviceguard may use must be opened. Opening this port range is not consistent with the security goals of Sec20MngDMZ (MANDMZ.config) and Sec30DMZ (DMZ.config), since multiple services (including other RPC-like applications) may also listen on the same port range. The firewall, however, still provides security benefits consistent with the Serviceguard security deployment model described in the Securing Serviceguard document at:
http://docs.hp.com/
Before you open the Serviceguard port range, review the required IPFilter-SG rules, which are documented in the HP-UX IPFilter (Version A.03.05.09 and later) Administrator's Guide at:
http://docs.hp.com/en/B9901-90021/B9901-90021.pdf
When the Serviceguard security patch of 2004 is installed, Serviceguard requires one additional service, identd. Enable it by following the steps below.
1. Edit the HP-UX Bastille configuration file /etc/opt/sec_mgmt/bastille/config by changing the answer to the question:
Should Bastille ensure inetd's ident service does not run on this system?
2. Change the answer from Y to N as follows:
SecureInetd.deactivate_ident="N"
3. Apply the configuration file changes. You can update your system configuration manually or use HP-UX Bastille to update it. Updating manually requires fewer steps on systems that have been manually configured after a user configured the system with the Bastille tool; using Bastille requires fewer steps on systems that have not been manually configured after a user configured the system with the Bastille tool.
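The steps above amount to changing one KEY="VALUE" answer in the Bastille configuration file and then verifying it. The following POSIX shell script is an added example, not part of the HP-UX guide or of Bastille itself: it sets a Bastille answer idempotently (rewriting the line if the key exists, appending it otherwise), keeps a backup of the previous file, and reads the value back so the change can be checked before Bastille is re-run. It assumes the answer file consists of KEY="VALUE" lines as shown in step 2; the sample configuration it builds is constructed for the demonstration, and the real path /etc/opt/sec_mgmt/bastille/config appears only in the usage comment.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide or from Bastille): idempotently set
# one Bastille answer in a file of KEY="VALUE" lines, keep a backup, and read
# the value back. The real file on HP-UX is /etc/opt/sec_mgmt/bastille/config;
# a constructed temporary copy is used here so the script runs anywhere.

set -u

# get_bastille_answer FILE KEY -> prints KEY's value without the quotes;
# exits non-zero when the key is absent.
get_bastille_answer() {
    awk -F'=' -v k="$2" '
        $1 == k { v = substr($0, length(k) + 2); gsub(/^"|"$/, "", v); print v; found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# set_bastille_answer FILE KEY VALUE -> rewrites KEY="VALUE" in place, or
# appends it when the key is not present. The previous file is kept as FILE.bak.
set_bastille_answer() {
    file=$1; key=$2; value=$3
    cp -p "$file" "$file.bak" || return 1
    awk -F'=' -v k="$key" -v v="$value" '
        $1 == k { print k "=\"" v "\""; done = 1; next }
        { print }
        END { if (!done) print k "=\"" v "\"" }
    ' "$file.bak" > "$file" || return 1
}

# enable_ident FILE -> applies the guide's change (answer N for
# SecureInetd.deactivate_ident) and verifies the result.
enable_ident() {
    set_bastille_answer "$1" SecureInetd.deactivate_ident N || return 1
    [ "$(get_bastille_answer "$1" SecureInetd.deactivate_ident)" = N ]
}

# make_sample_config -> prints the path of a constructed sample answer file
# (deliberately still answering Y, as a freshly hardened system would).
make_sample_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Constructed sample; not a real Bastille configuration
SecureInetd.deactivate_ident="Y"
SecureInetd.banners="Y"
EOF
    printf '%s\n' "$f"
}

# Usage on the real system (as root, after reviewing the guide), followed by
# step 3 of the procedure to apply the change:
#   set_bastille_answer /etc/opt/sec_mgmt/bastille/config SecureInetd.deactivate_ident N
#   get_bastille_answer /etc/opt/sec_mgmt/bastille/config SecureInetd.deactivate_ident
```

Because the rewrite matches on the exact key, other answers in the file are untouched, and running it twice leaves exactly one SecureInetd.deactivate_ident line; the .bak copy lets you diff the before and after states before choosing how to apply the change in step 3.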