Samba on NonStop User Manual
Set revalidate = true to force revalidation for each service accessed.
Include the /E and, if appropriate for your usage, /G directories in the do not descend list.
Administration:
Restrict administrator access to those who need it.
Do not provide an admin users list, as their file access is not restricted by file permissions.
Do not configure SWAT to run in demo/disable authentication (-a) mode.
Configure SWAT to use HP SSL. For more information, see “Securing SWAT” (page 24).
Auditing:
Because NS-Samba does not support syslog, Samba events are not captured in EMS. Security
administrators must monitor Samba’s logs separately. Set log level or debuglevel = 1, at a minimum.
You may need to set them to 2, depending on which audit you wish to capture. Security
administrators need to become familiar with Samba log management, and must decide whether
to specify separate log files for individual services or users. NS-Samba does have basic support
for log rollover, but it is not as comprehensive as what Safeguard provides.
Connection management:
Configure a non-zero value for dead time (minutes of inactivity before NS-Samba terminates a
connection).
Set status = yes (default) so the smbstatus program can show active connections.
If NS-Samba is launched as a daemon rather than from inetd, you can limit concurrent connections
by specifying a value for max smbd processes. If it is launched from inetd, the -R rate option
can be used to limit the number of service connections per minute. It defaults to 40.
22 Security Considerations