HP-UX Bastille (HPUXBastille) is included as recommended software on the
Operating Environment media and can be installed and run with Ignite-UX
or Update-UX (see “Predefined Security Levels”).
HP-UX Bastille is a security hardening and lockdown tool that
can be used to enhance security of the HP-UX operating system. It
provides customized lockdown on a system-by-system basis by encoding
functionality similar to Bastion Host and other hardening and lockdown
NOTE: For more information about HP-UX Bastille, refer to the HP-UX 11i v3 Release Notes and the HP-UX System Administrator’s
Predefined Security Levels
At cold-install or update-time, you can choose one of the security
levels listed in Table 3-2, with
each one providing incrementally higher security.
Table 3-2 Predefined Security Configuration

Sec00Tools (configuration file: not applicable): The install-time security infrastructure; no security
Sec10Host (configuration file: not given on this page): Host-based lockdown: firewall pre-enablement; some common clear-text services turned off, excluding Telnet and FTP.
Sec20MngDMZ (configuration file: MANDMZ.config): Lockdown while allowing secure management: IPFilter firewall blocks incoming connections except common, relatively safe,
Sec30DMZ (configuration file: DMZ.config): Network-DMZ Lockdown: IPFilter blocks all incoming connections except HP-UX Secure Shell.
NOTE: When you select either the Sec20MngDMZ or the Sec30DMZ security level, IPFilter restricts inbound
network connections. For more information on how to add inbound ports
to your /etc/opt/ipf.customerrules file, refer
to the HP-UX IPFilter (Version A.03.05.09 and later) Administrator's
Guide and the HP-UX System Administrator’s
Selecting Your Security Levels at Install Time
During installation, you can configure
your security levels by navigating to the System tab
from the Ignite-UX Graphical User Interface Installation and Configuration
dialog box. The System tab allows you to configure information unique
to your system such as security levels, hostname, IP address, root
password, and the time zone.
For ease of use, HP recommends using the System tab to select the security level appropriate for your deployment
as described below.
Do one of the following:
If you are using the Ignite-UX GUI, navigate to the System tab (from the Ignite-UX Installation
and Configuration dialog box) and select Security
If you are using the Ignite Install HP-UX
Wizard, navigate to the Additional Software screen and select Security Choices.
The four security levels appear. By default, Sec00Tools is selected.
Select the security level appropriate for your deployment.
See “Predefined Security Levels” for
Serviceguard Configuration (post-installation) to Enable Use
with Security Levels
Configuring Sec20MngDMZ or Sec30DMZ for Use with Serviceguard
Serviceguard uses dynamic ports, so the range of ports Serviceguard
may use must be opened for it to operate. Opening that port range is not consistent
with the security goals of Sec20MngDMZ (MANDMZ.config) and Sec30DMZ (DMZ.config), because multiple services (including other RPC-like
applications) may also listen in this same port range. The firewall,
however, still provides security benefits consistent with the
Serviceguard security deployment model described in the Securing Serviceguard document at:
Before you open the Serviceguard port range make sure you review
the required IPFilter-SG rules, which are documented in the HP-UX IPFilter (Version A.03.05.09 and later) Administrator's Guide at:
When the Serviceguard security patch of 2004 is installed, Serviceguard
requires one additional service, identd. Enable
it by following the steps below.
Edit the HP-UX Bastille /etc/opt/sec_mgmt/bastille/config configuration file by changing the answer to the question:
Should Bastille ensure inetd's ident service
does not run on this system?
Change the answer from Y to N as follows:
Apply the configuration file change. You can update
the system configuration manually or let HP-UX Bastille apply it. Editing manually requires fewer steps on a system whose
configuration has been changed by hand since Bastille was last run; re-running Bastille requires fewer steps on a system
that has not been changed by hand since Bastille was last run.
Do one of the following:
Manually update the system configuration: edit the /etc/inetd.conf file and uncomment (remove the leading #) the identd entry:
    #auth stream tcp6 wait bin /usr/lbin/identd
Then force inetd to reread its configuration by running the following command:
    # inetd -c
Use HP-UX Bastille to update the configuration: revert
to the previous HP-UX Bastille configuration; then apply the new HP-UX
    # bastille -r
    # bastille -b
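The manual identd step above, as an added shell example that is not from the HP-UX guide: it removes the leading # from the inetd.conf auth entry only when the entry is still commented out, keeps a backup, and verifies that exactly one active entry results, so it is safe to re-run. The function takes the file path as an argument so it can be exercised on a copy; the trailing identd program argument in the sample entry and the .bak backup name are assumptions, and inetd -c still has to be run afterwards.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): make the manual identd step
# re-runnable. Uncomments inetd's auth entry only if it is still commented
# out, keeps a backup, and verifies that exactly one active entry results.
# Assumes the HP-UX-style inetd.conf entry shown in the text, here with a
# trailing program argument, which is an assumption:
#   #auth stream tcp6 wait bin /usr/lbin/identd identd

# Print the active (uncommented) ident entries in the given inetd.conf.
ident_entries() {
    awk '$1 == "auth" && $6 ~ /identd/ { print }' "$1"
}

# Remove the leading '#' from the identd entry. Returns 0 if an active
# entry exists afterwards (whether or not this call had to change anything).
enable_ident_service() {
    conf="$1"
    if [ -n "$(ident_entries "$conf")" ]; then
        return 0                      # already active: nothing to edit
    fi
    cp "$conf" "$conf.bak"            # keep the pre-change file (name assumed)
    # Only the commented auth/identd line loses its '#'; other comments stay.
    sed 's/^#[[:space:]]*\(auth[[:space:]].*identd\)/\1/' "$conf" > "$conf.new" \
        && mv "$conf.new" "$conf"
    [ -n "$(ident_entries "$conf")" ]
}

# Typed as root on the target:  sh enable_ident.sh /etc/inetd.conf
if [ -n "$1" ]; then
    if enable_ident_service "$1"; then
        echo "identd entry active in $1; run 'inetd -c' so inetd rereads it"
    else
        echo "no identd entry found in $1" >&2
        exit 1
    fi
fi
```

On Sec20MngDMZ or Sec30DMZ the IPFilter ruleset also has to admit the inbound ident connections (TCP port 113) that identd answers; otherwise the service is enabled but unreachable. See the IPFilter Administrator's Guide referenced above for adding inbound ports.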
Configuring HP-UX Bastille Sec10Host
To configure HP-UX Bastille Sec10Host for use with Serviceguard, refer to the Securing Serviceguard document at:
Security Choice Dependencies
The Sec00Tools security level is
installed by default on your system. Although Sec00Tools does not make any security changes at cold-install or update time,
it does ensure that the required software (Figure 3-1) is installed. Sec00Tools contains the pre-built configuration files used by the
other security levels, which you can also use as templates for a custom security configuration.
Alternately, you can lock down your system using one of the
following selectable security levels at cold-install or update time:
Sec10Host, Sec20MngDMZ, and Sec30DMZ. All three depend on Sec00Tools.
Figure 3-1 Install-time Security Software Dependencies
Secured Services and Protocols
Each security level provides incrementally higher security
by locking down various protocols and services. HP-UX Bastille uses
a series of questions to determine which services and protocols to
secure. Using one of the security levels applies a default security
profile, simplifying the lockdown process.
The following tables detail the services and protocols affected
by the security levels, listed in Table 3-2, if you choose to apply one at cold-install-
Table 3-3 lists the security settings for Sec10Host.
These settings also apply to Sec20MngDMZ and Sec30DMZ.
Table 3-4 lists the security settings applied with Sec20MngDMZ, in addition to the settings in Table 3-3.
Table 3-5 lists the security settings applied with Sec30DMZ, in addition to the settings in Table 3-3 and Table 3-4.
Table 3-3 Host-based Sec10Host Install-time Security

Logins and Passwords
    Deny login unless home directory exists
    Deny non-root logins if /etc/nologin file exists
    Set a default path for su command
    Disable root logins from network tty
    Hide encrypted passwords
    Disallow ftpd system account logins
    Disable remote X logins

File System, Network, and Kernel
    Modify ndd settings
    Restrict remote access to swlist
    Set default umask
    Enable kernel-based stack execute protection
    Disable NFS client daemons
    Disable NFS server
    Disable NIS client programs
    Disable NIS server programs

    Deactivate inetd’s built-in
    Deactivate CDE helper services
    Deactivate klogin and kshell
    Deactivate login, shell, and exec services
    Deactivate Event Monitoring Services (EMS) network communication
    Enable logging for all inetd connections

    Run sendmail via cron to process queue
    Stop sendmail from running in daemon mode
    Disable vrfy and expn commands

    Deactivate HP Apache 2.x Web Server
    Set up cron job to run Software Assistant
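An added post-install check, not part of the HP-UX guide, for the inetd-related rows of Table 3-3: it reports which of the inetd services Sec10Host deactivates are still active in an inetd.conf, and whether inetd connection logging is turned on. The service names come from the table; the assumption that HP-UX keeps the inetd startup flags in /etc/rc.config.d/netdaemons as INETD_ARGS, with -l enabling logging of all connections, is mine, as is running the checks on file copies given as arguments.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): check an inetd.conf against the
# inetd services that Table 3-3 says Sec10Host deactivates, and check that
# inetd connection logging is on. File paths are parameters so the checks
# can run on copies or constructed samples.

# inetd services deactivated by Sec10Host (Table 3-3).
SEC10HOST_DISABLED_SERVICES="login shell exec klogin kshell"

# Print each listed service that is still active (uncommented) in the
# given inetd.conf. Returns 0 only when none of them is active.
audit_sec10host_inetd() {
    conf="$1"
    active=0
    for svc in $SEC10HOST_DISABLED_SERVICES; do
        # Field 1 of an inetd.conf entry is the service name; commented
        # entries start with '#' and therefore never equal the bare name.
        if awk -v s="$svc" '$1 == s { hit = 1 } END { exit !hit }' "$conf"; then
            echo "$svc"
            active=$((active + 1))
        fi
    done
    [ "$active" -eq 0 ]
}

# Assumption: HP-UX starts inetd with the flags in INETD_ARGS from
# /etc/rc.config.d/netdaemons, and -l turns on logging of all connections.
inetd_logging_enabled() {
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?INETD_ARGS=.*-l' "$1"
}

# Typed as root on the target:
#   sh audit_sec10host.sh /etc/inetd.conf /etc/rc.config.d/netdaemons
if [ -n "$1" ]; then
    if audit_sec10host_inetd "$1"; then
        echo "no Sec10Host-deactivated inetd service is active in $1"
    else
        echo "the services listed above are still active in $1" >&2
    fi
    if [ -n "$2" ] && ! inetd_logging_enabled "$2"; then
        echo "inetd connection logging is not enabled in $2" >&2
    fi
fi
```

Services the table leaves alone at this level (Telnet and FTP, for instance) are deliberately not in the list, so an active telnet entry is not reported; extend SEC10HOST_DISABLED_SERVICES if your own lockdown goes further.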
Table 3-4 Additional Sec20MngDMZ Install-time Security Settings

Includes all disabled inetd services in Table 3-3 and:
    Restrict syslog daemon to local connections
    Block incoming DNS query connections
    Block incoming HIDS administration connections
    Configure IPFilter to allow outbound traffic, block incoming traffic with IP options set, and block all other incoming traffic except HP-UX Secure Shell, HIDS agent, WBEM, web admin, web admin autostart, and ICMP echo
Table 3-5 Additional Sec30DMZ Install-time Security Settings

Includes all IPFilter settings in Table 3-4 and:
    Block incoming HIDS agent connections
    Block incoming WBEM connections
    Block incoming web admin connections
    Block incoming web admin autostart connections
    Block all traffic except HP-UX Secure Shell
    Block ICMP echo