Cisco Broadband Access Center Telco Wireless 3.7 Release Notes
Cisco BAC 3.7 Hardening Guidelines
## Checking for setuid/setgid programs.
Installing Solaris Security Toolkit 4.2.0 as <SUNWjass>
## Installing part 1 of 1.
[ verifying class <none> ]
Installation of <SUNWjass> was successful.
Disabling unused applications
1. Disable unused daemons and services, especially services that use network resources. The following is an
example of how to disable services:
# svcadm disable svc:/network/smtp:sendmail
# svcadm disable svc:/network/finger:default
2. Uninstall all unused applications.
Password Management
1. Apply the highest level of password protection to all network applications and services. Ensure that you
change the default passwords.
Using HTTPS
1. Use HTTPS to access the Cisco BAC administrator user interface and disable the HTTP access. The HTTP
access to the administrator user interface (using port 80) is enabled by default on the RDU. You cannot
disable the HTTP service using standard Cisco BAC administrative methods. However, you can disable the
HTTP access using the Tomcat server.xml file, which is located at BPR_HOME/rdu/tomcat/conf
(BPR_HOME is the Cisco BAC installation directory). To disable the HTTP access, do the following:
a. Comment out the HTTP/80 connector directive in the Tomcat server.xml file. For example:
<!--
<Connector port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
-->
b. Reload the Tomcat process to make your changes take effect:
# /etc/init.d/bprAgent restart tomcat
Process [tomcat] has been restarted.
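A way to confirm afterwards that step (a) really took effect, added here as an example and not part of the Cisco guide: a POSIX shell/awk audit that strips XML comments from server.xml (including multi-line ones) and reports whether an uncommented connector on port 80 remains. The function names and the sample server.xml are constructed for the demonstration.

```shell
# Added audit helper (not from the Cisco BAC guide). Strips <!-- ... --> comments
# from a Tomcat server.xml, then looks for a live <Connector ... port="N" ...> tag.
# Returns 0 (true) if an UNCOMMENTED <Connector> with port="$2" exists in file $1.
http_connector_active() {
  awk -v port="$2" '
    {
      line = $0
      while (length(line) > 0) {            # walk the line, toggling comment state
        if (incomment) {
          i = index(line, "-->")
          if (i == 0) { line = ""; break }   # whole remainder is still comment
          line = substr(line, i + 3); incomment = 0
        } else {
          i = index(line, "<!--")
          if (i == 0) { live = live line; line = "" }
          else { live = live substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1 }
        }
      }
      live = live "\n"
    }
    END {
      n = split(live, tags, "<Connector")   # each piece after <Connector is one tag body
      for (k = 2; k <= n; k++)
        if (tags[k] ~ ("[ \t\r\n]port=\"" port "\"")) found = 1
      exit (found ? 0 : 1)
    }' "$1"
}
# Constructed sample (not a real BAC file): HTTP/80 commented out as in step (a),
# an HTTPS/443 connector left active.
write_sample_server_xml() {
  cat > "$1" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
    -->
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" />
  </Service>
</Server>
EOF
}
# Audit verdict for one server.xml: non-zero exit if HTTP/80 is still live.
audit_server_xml() {
  if http_connector_active "$1" 80; then echo "FAIL: active HTTP/80 connector in $1"; return 1; fi
  echo "OK: no active HTTP/80 connector in $1"
}
```

Run it as `write_sample_server_xml /tmp/server.xml; audit_server_xml /tmp/server.xml`, or point audit_server_xml at BPR_HOME/rdu/tomcat/conf/server.xml on the RDU after the Tomcat restart.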
Shutting down BAC SNMP service
1. Shut down the SNMP service, if it is not used to manage the Cisco BAC components. The SNMP service is
enabled by default on the RDU and DPEs, and it uses UDP port 8001. You can disable this service on the
RDU or DPE by running the following command from BPR_HOME/snmp/bin:
# ./snmpAgentCfgUtil.sh stop
Process [snmpAgent] has stopped.
Note: Do not run snmpAgentCfgUtil.sh if you are using the SNMP service.
Cisco BAC supports the TACACS+ feature. User login was tested with a TACACS+ server and with local login.