
Bastille and sendmail.cf

 
Berlene Herren
Honored Contributor


Document ID Title
--------------- -----------
HPSBUX0302-245 SSRT3450 HP-UX Bastille sendmail.cf problem
HPSBUX0302-244 HP-UX Bastille Announcement

Title: SSRT3450 HP-UX Bastille sendmail.cf problem
HPSBUX0203-245

PROBLEM: HP has discovered a functional defect in Bastille B.02.00.00 which caused the sendmail privacy options not to be configured correctly if that option were chosen.

IMPACT: Not applying the recommended patch may result in unintended availability of usernames and aliases if the sendmail daemon is still running. This is the same as the behavior if you did not choose to restrict the vrfy and expn commands with Bastille.

PLATFORM: HP-UX 11.00 and HP-UX 11.11

SOLUTION: Install HP-UX Bastille B.02.00.05 or later or install PHSS_28558 on systems with HP-UX Bastille B.02.00.00 installed. Either solution completely addresses this problem.

MANUAL ACTIONS: No.

AVAILABILITY: Both the patch and Bastille B.02.00.05 are available now.

A. Background
Bastille is a security hardening/lockdown tool which can be used to enhance the security of the HP-UX operating system. It provides customized lockdown on a system by system basis by encoding functionality similar to the Bastion Host whitepaper and other hardening/lockdown checklists.

Bastille was originally developed by the open source community for use on Linux systems. HP is contributing by providing Bastille on HP-UX and helping to improve Bastille on both platforms.

The functional defect in Bastille B.02.00.00 which caused sendmail to be improperly configured does not affect Bastille Linux. If a sendmail daemon is running, the improper configuration may allow network users to verify the existence of system users as well as expand sendmail aliases if any are defined.

Specifically, HP-UX Bastille B.02.00.00 incorrectly configured the novrfy and noexpn options in sendmail.cf. PHSS_28558 will fix the problem.

PHSS_28558 has two effects. First, Bastille is modified to handle the novrfy and noexpn options correctly. Second, if the novrfy and noexpn options in sendmail.cf had been configured incorrectly, PHSS_28558 will modify sendmail.cf and cause sendmail to read the corrected configuration.

B. Recommended solution

If B.02.00.00 has been installed either download and install HP-UX Bastille B.02.00.05 (or later) or apply PHSS_28558.

Bastille B.02.00.05
===================
Download and install HP-UX Bastille B.02.00.05 or later from
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

("Receive for free" link at the bottom of the page)

Bastille B.02.00.00 and PHSS_28558
==================================

If you have already used Bastille 2.0.0 to configure your system, only applying PHSS_28558 is necessary. Applying this patch will fix the sendmail configuration (if applicable to your system) and the defect in Bastille for future runs.

Network carefully,
Berlene

http://www.mindspring.com/~bkherren/dobes/index.htm
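To confirm on a given host that the novrfy and noexpn options the bulletin above describes are actually present in sendmail.cf, the following check can be used. It is an added example, not part of the bulletin or of Bastille; the function names are hypothetical, the sample file is constructed, and treating `goaway` as covering both flags follows sendmail's documented privacy flags.

```shell
#!/bin/sh
# Added example (not from the bulletin): check a sendmail.cf for novrfy/noexpn.

# Print every flag from the PrivacyOptions lines of file $1 as ",a,b,c,".
# Matches the long form "O PrivacyOptions=..." and the short form "Op...".
# Commented-out lines (leading '#') are skipped because the match is anchored.
# Assumption: flags spread over several option lines are cumulative.
privacy_flags() {
    printf ','
    sed -n -e 's/^O[[:space:]][[:space:]]*PrivacyOptions[[:space:]]*=//p' \
           -e 's/^Op//p' "$1" |
        tr '[:upper:]' '[:lower:]' | tr -s ' \t\n' ',,,'
}

# Succeed if flag $2 is in list $1, or if "goaway" (which implies it) is.
has_flag() {
    case "$1" in
        *",$2,"* | *",goaway,"*) return 0 ;;
    esac
    return 1
}

# Report on file $1; return 0 only when both novrfy and noexpn are set.
check_privacy_options() {
    flags=$(privacy_flags "$1")
    missing=""
    for f in novrfy noexpn; do
        has_flag "$flags" "$f" || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        echo "$1: not set:$missing"
        return 1
    fi
    echo "$1: novrfy and noexpn are set"
    return 0
}

# Demo on a constructed sample: one commented-out line, one incomplete line.
sample=$(mktemp)
printf '%s\n' '# constructed sample, not a real configuration' \
    '#O PrivacyOptions=novrfy,noexpn' \
    'O PrivacyOptions=authwarnings,novrfy' > "$sample"
check_privacy_options "$sample" || true
rm -f "$sample"
```

Call `check_privacy_options` with the path to the host's sendmail.cf. The check reads only the file, so a running daemon still has to re-read the configuration before the flags take effect.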
Steven E. Protter
Exalted Contributor

Re: Bastille and sendmail.cf

Bastille
https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B6849AA&date=

The patch
http://www2.itrc.hp.com/service/patch/patchDetail.do?patchid=PHSS_28558&context=hpux:800:11:00

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com