HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 3 HP-UX Bastille

Using HP-UX Bastille

You can use HP-UX Bastille interactively or noninteractively to do the following:

  • To lock down your system (create a security-configuration file or apply an existing one), enter:

    # bastille -x

  • To duplicate a security-configuration file on multiple machines, enter:

    # bastille -b -f file

  • To generate reports on the configuration status of the system, enter:

    # bastille --assess

  • To create HP-UX Bastille configuration baselines and compare the current state of the system to a saved baseline, use bastille_drift. To save a baseline, enter:

    # bastille_drift --save_baseline baseline

    To compare the system state to the specified baseline, enter:

    # bastille_drift --from_baseline baseline

See bastille(1M) and bastille_drift(1M) for more information.

NOTE: Rerun the bastille_drift utility whenever new software or patches are installed, to check whether the new software or patches changed the system state. The bastille_drift utility also helps identify system state changes when swverify is run with either the -x fix=true option or the -F option to run vendor-specific fix scripts.

Using HP-UX Bastille Interactively

HP-UX Bastille runs interactively using the X interface implemented through Perl/Tk. The interface requires an X server and offers the following:

  • Random access between question modules.

  • Completed indicators to show the user's progress.

  • Tunneling of the X11 traffic over an encrypted channel by using the following option:

    # ssh -X

    See ssh(1) for more information.

Figure 3-1 shows the main screen of the HP-UX Bastille user interface.

Figure 3-1 HP-UX Bastille User Interface


The user interface educates users by guiding them through a series of questions grouped by module (see Table 3-1). Each question explains a security issue and describes the action needed to lock down the HP-UX system. Each question also describes, at a high level, the cost and benefit of each decision, and the user decides how to let the tool handle the issue.

After all of the questions are answered, HP-UX Bastille carries out each lock-down step it can perform automatically, then produces a to-do list of the remaining actions the user must perform manually. The to-do actions must be performed to complete the HP-UX Bastille lock-down process.

Table 3-1 HP-UX Bastille Question Modules

Module Name           Description
Patches               Installs and configures applications to help with security-bulletin-compliance checking.
File Permissions      Performs SUID and other permission tuning.
Account Security      Configures login settings and access to cron.
Secure inetd          Turns off unneeded inetd services.
Miscellaneous Daemons Turns off services that are often unneeded or are a security risk.
sendmail              Configures mail to be more secure, or allows the user to disable it.
DNS                   Turns off or configures DNS to be more secure.
Apache                Configures Apache Web servers to be more secure.
FTP                   Configures FTP servers to be more secure.
HP-UX                 Performs security configuration actions that are unique to the HP-UX platform.
IPFilter              Creates an IPFilter-based firewall.


Using HP-UX Bastille Noninteractively

Security hardening can be performed directly through the configuration engine. This method is useful for duplicating a security configuration onto multiple machines that have the same operating system and applications installed. The configuration engine uses a pre-defined configuration file: either the file that an interactive session created in the default location, or an alternative file specified with the -f option, as follows:

# bastille -b -f file

Configuring a System

To configure a system or to create a configuration file that can be re-used later on a different system, follow these steps:

  1. Become the root user, since HP-UX Bastille needs to change system configuration and settings. If HP-UX Bastille is not running locally, you may elect to tunnel the X11 traffic over Secure Shell (ssh) or IPSec to limit network exposure, or use a more complete desktop-sharing solution that addresses attacks from local users as well as from remote users.

  2. If you are making system changes, decide whether to use HP-UX Bastille interactively or noninteractively. First-time users must run HP-UX Bastille interactively to create a configuration profile, unless your distribution shipped with prebuilt configuration files such as DMZ.config. Allow yourself an hour to read and answer all of the questions.

    See Section  for more information on the interactive and noninteractive use of HP-UX Bastille.

  3. Follow the appropriate procedure (interactive or noninteractive) based on your decision in Step 2.

    Interactive Procedure

    1. Start HP-UX Bastille

      First-time users must run HP-UX Bastille interactively to create a configuration profile. The tool updates the PATH environment variable when installed, so if you have logged out and logged back in after installing HP-UX Bastille, enter the following to start the tool:

      # bastille

      If your PATH has not been updated, enter the following to start HP-UX Bastille:

      # /opt/sec_mgmt/bastille/bin/bastille

      Only the categories of questions relevant to the current configuration will be displayed.

    2. Answer the questions

      The questions are categorized by function, and check marks are used as completed indicators to note whether a category has been finished. This allows you to track your progress through the program.

      When answering questions, use the Explanation-Detail menu to toggle between more and less verbose explanations. Not all questions have both long and short explanations.

    3. Save your configuration and apply changes

      You can use the menu bar at any time to save or load a configuration file. Using the Save As option generates a bigger configuration file, since the tool assumes that you are not necessarily done or might change the configuration at a later time. Using the Save/Apply option tells the tool that you are done, so more filtering can be applied. Although the generated configuration files can differ in size, the functionality of HP-UX Bastille remains the same in both cases. The Save/Apply option always saves the configuration file in the current location listed in the HP-UX Bastille title bar.

    Noninteractive Procedure

    1. Run HP-UX Bastille interactively to create a configuration file if one does not already exist

      A default configuration file is not provided for all distributions. In such cases, you must initially run HP-UX Bastille interactively to create a configuration file. See “Interactive Procedure” for more information.

    2. Copy the configuration file to each machine you want to replicate

      Copy the configuration file, /etc/opt/sec_mgmt/bastille/config, from its location on the first machine to the same location on the other machines. If you place the copy somewhere else, point the engine at it with the -f option:

      # bastille -b -f file

      NOTE: Because some of the questions are specific to the operating system or to the installed security software, the machines to be duplicated must run the same operating system and have the same software installed as the machine where the configuration file was created.
    3. Install HP-UX Bastille on each of the machines to be replicated

      This can be done en masse, and the action and error logs can be collected for later review. Enter:

      # bastille -b

  4. Review the log files

    To view the logs in real time, enter:

    # tail -f log_file

    The action log file, /var/opt/sec_mgmt/bastille/log/action-log, contains the specific steps HP-UX Bastille performed when making changes to the system. It is only created if you apply the changes to the system.

    The error log file, /var/opt/sec_mgmt/bastille/log/error-log, contains any errors encountered by HP-UX Bastille while making changes to the system. It is only created if errors occur during execution.

  5. Perform the items listed in the to-do list.

    After performing the actions it can do automatically, the tool produces a to-do list, /var/opt/sec_mgmt/bastille/TODO.txt, which describes the remaining actions the user must manually perform. This includes reboots if any of the changes require a reboot.

    The actions in the to-do list must be completed to ensure a secure configuration.

    NOTE: The to-do list is only created when the changes are applied to the system.
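The noninteractive procedure above, as an added shell example that is not from the HP-UX manual: it copies the saved configuration to a list of hosts, runs bastille -b on each, pulls back the action log, error log and to-do list, and classifies each run from which of those files exist. The hosts.txt input, passwordless root ssh/scp to each host, and the hostnames are assumptions; the file paths are the ones documented above.

```shell
# Added example, not from the HP-UX manual: replicate a saved HP-UX Bastille
# configuration to a list of hosts, run the noninteractive engine on each,
# collect the logs and to-do list, and classify each run. Assumes passwordless
# ssh/scp as root to every host, with HP-UX Bastille already installed there.

BASTILLE_CONFIG=/etc/opt/sec_mgmt/bastille/config
BASTILLE_LOGDIR=/var/opt/sec_mgmt/bastille/log
BASTILLE_TODO=/var/opt/sec_mgmt/bastille/TODO.txt

# Classify one collected run from the files it left behind, using the
# manual's rules: action-log and TODO.txt exist only when changes were
# applied, error-log only when errors occurred. Prints a verdict and
# returns 0 (applied cleanly), 1 (errors logged) or 2 (nothing applied).
classify_run() {
    dir=$1
    if [ ! -f "$dir/action-log" ]; then
        echo "not-applied"; return 2
    fi
    if [ -f "$dir/error-log" ]; then
        echo "errors"; return 1
    fi
    if [ -f "$dir/TODO.txt" ]; then
        echo "applied-with-todo"   # manual steps remain in TODO.txt
    else
        echo "applied"
    fi
    return 0
}

# Copy the config to one host, run bastille -b there, and collect its
# output into $2/<host>/. Only this function touches the network.
replicate_to_host() {
    host=$1; outdir=$2/$1
    mkdir -p "$outdir"
    scp "$BASTILLE_CONFIG" "root@$host:$BASTILLE_CONFIG"
    ssh "root@$host" "bastille -b"
    # Each file is optional, so a missing one must not abort the batch.
    for f in "$BASTILLE_LOGDIR/action-log" "$BASTILLE_LOGDIR/error-log" "$BASTILLE_TODO"; do
        scp "root@$host:$f" "$outdir/" 2>/dev/null || true
    done
    classify_run "$outdir"
}

# Usage: replicate_all hosts.txt ./bastille-runs   (one hostname per line)
replicate_all() {
    while IFS= read -r h; do
        [ -n "$h" ] && printf '%s: %s\n' "$h" "$(replicate_to_host "$h" "$2")"
    done < "$1"
}
```

A host reported as "errors" should have its collected error-log read before any of its TODO.txt items are performed.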
© 2008 Hewlett-Packard Development Company, L.P.