https://community.hpe.com/t5/operating-system-hp-ux/patching-hp-security-bulletin-175-dtspcd/m-p/3762407#M740765 Shalom Joe,<BR /><BR />You should not harden the 10.20 system, you should look into replacing it with a hardened system.<BR /><BR />The OS out of support some three years this July and the tools to harden newer releases are much more extensive.<BR /><BR />I'd have to see the data from the scanners and no what tool they are using to further assist. they could be wrong.<BR /><BR />You can close the vulnerability by not using the daemon at all. Bastille commonly offers to disable this on newer OS's.<BR /><BR />SEP Thu, 30 Mar 2006 13:16:52 GMT Steven E. Protter 2006-03-30T13:16:52Z https://community.hpe.com/t5/operating-system-hp-ux/patching-hp-security-bulletin-175-dtspcd/m-p/3762405#M740763 Hello,<BR /><BR />I'm trying to harden an HP-UX 10.20 system to withstand security scans. The network security folks tell me that I need to patch the CDE Subprocess Control daemon, and this vulnerability corresponds to HP Security Bulletin 175. <BR /><BR />So I use the HP software patch website and download the "recommended patch", PHSS_29201 (s700_800 10.20 CDE Runtime Patch), which is described as an updated version of the patch listed in the bulletin. It also has two dependencies which I added to the software depot. I used swinstall to put the depot on the system. The system said that all 8 packages were installed correctly.<BR /><BR />My only problem is that even though I believe the system is patched, the security people say their scanner still finds the vulnerability. At this point I'm stumped, because I've already tried removing and reinstalling the patches and the scan result remains the same. Anyone have any pointers on this?<BR /><BR />Joe Thu, 30 Mar 2006 12:29:09 GMT https://community.hpe.com/t5/operating-system-hp-ux/patching-hp-security-bulletin-175-dtspcd/m-p/3762405#M740763 joeone 2006-03-30T12:29:09Z https://community.hpe.com/t5/operating-system-hp-ux/patching-hp-security-bulletin-175-dtspcd/m-p/3762406#M740764 Do you need dtspcd? If you don't need it, then comment it out in /etc/inetd.conf and then stop and restart inetd.<BR /><BR />This should definitely fix the problem. Thu, 30 Mar 2006 12:33:14 GMT https://community.hpe.com/t5/operating-system-hp-ux/patching-hp-security-bulletin-175-dtspcd/m-p/3762406#M740764 Patrick Wallek 2006-03-30T12:33:14Z https://community.hpe.com/t5/operating-system-hp-ux/patching-hp-security-bulletin-175-dtspcd/m-p/3762407#M740765 Shalom Joe,<BR /><BR />You should not harden the 10.20 system, you should look into replacing it with a hardened system.<BR /><BR />The OS out of support some three years this July and the tools to harden newer releases are much more extensive.<BR /><BR />I'd have to see the data from the scanners and no what tool they are using to further assist. they could be wrong.<BR /><BR />You can close the vulnerability by not using the daemon at all. Bastille commonly offers to disable this on newer OS's.<BR /><BR />SEP Thu, 30 Mar 2006 13:16:52 GMT https://community.hpe.com/t5/operating-system-hp-ux/patching-hp-security-bulletin-175-dtspcd/m-p/3762407#M740765 Steven E. Protter 2006-03-30T13:16:52Z https://community.hpe.com/t5/operating-system-hp-ux/patching-hp-security-bulletin-175-dtspcd/m-p/3762408#M740766 Thanks for the tip... for some reason, the security bulletin didn't explicitly say to stop the service. But I think that stopping it solves the problem better than installing the patch... <BR /> Fri, 07 Apr 2006 16:38:46 GMT https://community.hpe.com/t5/operating-system-hp-ux/patching-hp-security-bulletin-175-dtspcd/m-p/3762408#M740766 joeone 2006-04-07T16:38:46Z