HP-UX 11i v3 Installation and Update Guide, February 2007 (Initial Release)

Choosing an Installation Method
Security Considerations
Chapter 3, page 54
Secured Services and Protocols
Each security level provides incrementally higher security by locking
down various protocols and services. HP-UX Bastille uses a series of
questions to determine which services and protocols to secure. Using one
of the security levels applies a default security profile, simplifying the
lockdown process.
The following tables detail the services and protocols affected by the
security levels, listed in Table 3-2 on page 49, if you choose to apply one
at cold-install- or update-time:
• Table 3-3 on page 55 lists the security settings for Sec10Host. These
  settings also apply to Sec20MngDMZ and Sec30DMZ.
• Table 3-4 on page 56 lists the security settings applied with
  Sec20MngDMZ, in addition to the settings in Table 3-3.
• Table 3-5 on page 57 lists the security settings applied with
  Sec30DMZ, in addition to the settings in Table 3-3 and Table 3-4.
IMPORTANT: Review these tables carefully. Some of the locked-down services and
protocols may be used by other applications, and may have adverse
effects on the behavior or functionality of these applications. For
example, HP Systems Insight Manager and ParMgr rely on WBEM to
communicate between hosts; Sec30DMZ blocks all incoming WBEM
connections via IPFilter, though local and outbound communication is
not blocked. In addition, some third-party installation scripts may not
correctly handle the more conservative umask value of 027 set by the
security levels.
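The umask caveat above can be checked after any third-party install. The following is an added example, not part of the HP guide: naive_install, explicit_install, audit_other_access and count_blocked are hypothetical names, and the package layout is constructed. It shows how an installer that never sets modes leaves its tree unusable to accounts outside the owner and group under umask 027, and how to list the affected entries.

```sh
#!/bin/sh
# Added illustration; function names and the package layout are hypothetical.

# Installer that never sets modes: results depend on the caller's umask.
naive_install() {
    dest=$1
    mkdir -p "$dest/bin" "$dest/etc"
    printf '#!/bin/sh\necho ok\n' > "$dest/bin/tool"
    chmod +x "$dest/bin/tool"          # "+x" with no "who" is filtered by umask
    printf 'setting=1\n' > "$dest/etc/tool.conf"
}

# Installer that states the modes the package intends, independent of umask.
explicit_install() {
    dest=$1
    mkdir -p "$dest/bin" "$dest/etc"
    chmod 755 "$dest" "$dest/bin" "$dest/etc"
    printf '#!/bin/sh\necho ok\n' > "$dest/bin/tool"
    chmod 755 "$dest/bin/tool"
    printf 'setting=1\n' > "$dest/etc/tool.conf"
    chmod 644 "$dest/etc/tool.conf"
}

# List entries that accounts outside the owner and group cannot use:
# directories missing o+rx and regular files missing o+r.
audit_other_access() {
    find "$1" \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \) | sort
}

# Count of such entries, for scripted checks.
count_blocked() {
    audit_other_access "$1" | wc -l | tr -d ' '
}

# Demo in a scratch directory (constructed data), run under umask 027.
demo=${TMPDIR:-/tmp}/umask_demo.$$
mkdir "$demo"
( umask 027; naive_install "$demo/naive"; explicit_install "$demo/explicit" )
echo "naive installer, blocked entries: $(count_blocked "$demo/naive")"
audit_other_access "$demo/naive"
echo "explicit installer, blocked entries: $(count_blocked "$demo/explicit")"
rm -rf "$demo"
```

Run audit_other_access against a real install prefix to see which entries need an explicit chmod; whether a given file should be readable outside its group remains a per-package decision.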
You can change the security settings configured at cold-install- or
update-time by running HP-UX Bastille after installing or updating your
system. For more information about using HP-UX Bastille, refer to the
HP-UX System Administrator’s Guide, or the HP-UX Bastille User’s
Guide, located on your system at:
/opt/sec_mgmt/bastille/docs/user_guide.txt