You can use HP-UX Bastille interactively or noninteractively
to do the following:
To lock down your system (create a security-configuration file or
apply an existing one), enter:
To duplicate a security-configuration file on multiple machines or to
generate reports on the configuration status of the system, enter:
Create HP-UX Bastille configuration baselines and compare the current
state of the system to a saved baseline. To save a baseline, enter:
# bastille_drift --save_baseline baseline
To compare the current system state to the saved baseline, enter:
# bastille_drift --from_baseline baseline
See bastille(1M) and bastille_drift(1M) for more information.
|NOTE: Rerun the bastille_drift utility whenever new software or patches
are installed, to check whether those patches or software changed the system
state. The bastille_drift utility also helps identify system-state changes
when swverify is run with either the -x fix=true option or the -F option to
run vendor-specific fix scripts.|
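The baseline-and-compare routine above, wrapped so that every drift check after a patch round leaves a dated report behind. This is an added example, not a script from the HP-UX Bastille guide; the report directory path and the BASTILLE_DRIFT variable (a seam so the wrapper can be exercised with a stand-in where bastille_drift is not installed) are assumptions, while the bastille_drift options are the ones the guide shows.

```shell
#!/bin/sh
# Added example (not from the HP-UX Bastille guide): keep a dated record of
# bastille_drift runs so that state changes after a patch round are not lost.
# Assumed, not from the guide: DRIFT_REPORT_DIR and the BASTILLE_DRIFT seam.
BASTILLE_DRIFT="${BASTILLE_DRIFT:-bastille_drift}"
DRIFT_REPORT_DIR="${DRIFT_REPORT_DIR:-/var/opt/sec_mgmt/bastille/drift-reports}"

# save_baseline NAME: record the current system state under NAME
# (the guide's "bastille_drift --save_baseline baseline").
save_baseline() {
    "$BASTILLE_DRIFT" --save_baseline "$1"
}

# check_drift NAME LABEL: compare the live system against baseline NAME
# (the guide's "bastille_drift --from_baseline baseline") and write the
# output to a report file tagged with LABEL (for example the patch bundle
# just installed) and a timestamp. Prints the report path.
check_drift() {
    name="$1"; label="$2"
    mkdir -p "$DRIFT_REPORT_DIR"
    report="$DRIFT_REPORT_DIR/$(date +%Y%m%d-%H%M%S)-$label.txt"
    "$BASTILLE_DRIFT" --from_baseline "$name" > "$report" 2>&1
    echo "$report"
}

# Typical sequence: baseline once after the lockdown, then re-check after
# every swinstall or swverify -x fix=true run, as the guide's note advises.
# Only runs when bastille_drift is actually available on this host.
if command -v "$BASTILLE_DRIFT" >/dev/null 2>&1; then
    check_drift baseline post-patch
fi
```

Run `save_baseline baseline` once after the lockdown is complete, then `check_drift baseline <label>` after each software or patch installation; the reports accumulate under DRIFT_REPORT_DIR so earlier comparisons remain available for review.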
Using HP-UX Bastille Interactively
HP-UX Bastille runs interactively using the X interface implemented
through Perl/Tk. The interface requires an X server and offers the following:
Random access between question modules.
Completed indicators to show the user's progress.
Tunneling of the X11 traffic over an encrypted channel
by using the following option:
See ssh(1) for more information.
Figure 3-1 shows the main screen of the HP-UX Bastille user interface.
Figure 3-1 HP-UX Bastille User Interface
The user interface educates users by guiding them through a
series of questions grouped by module (see Table 3-1). Each question
explains a security issue and describes the resulting action needed
to lock down the HP-UX system. Each question also describes, at a high level,
the cost and benefit of each decision, and the user decides how to
let the tool handle the issue. Once all of the questions have been answered,
HP-UX Bastille provides automated support in performing each lock-down step.
It performs the actions it can perform automatically, then produces a to-do
list of the remaining manual actions the user must perform. The to-do actions
must be performed to complete the HP-UX Bastille lock-down process.
Table 3-1 HP-UX Bastille Question Modules
|Module||Description|
|Patches Applications||Installs and configures to help with security-bulletin-compliance checking.|
|File Permissions||Performs SUID and other permission tuning.|
|Account Security||Configures login settings and access to cron.|
|Secure inetd||Turns off unneeded inetd services.|
|Miscellaneous Daemons||Turns off services that are often unneeded or are a security risk.|
| ||to be more secure, or allows the user to disable it.|
|DNS||Turns off or configures DNS to be more|
|Apache||Configures Apache Web servers to be more secure.|
|FTP||Configures FTP servers to be more secure.|
|HP-UX||Performs security configuration actions that are unique to the HP-UX platform.|
|IPFilter||Creates an IPFilter-based|
Using HP-UX Bastille Noninteractively
Security hardening can be performed directly through the configuration
engine. This method is useful for duplicating a security configuration
onto multiple machines that have the same operating system and applications
installed. The configuration engine uses a predefined configuration
file: either the file created in the default location by an interactive
session, or an alternative file specified with the -f option, as follows:
Configuring a System
To configure a system, or to create a configuration file that
can be reused later on a different system, follow these steps:
1. Change to the root user, since HP-UX Bastille needs to change system
configuration and settings. If HP-UX Bastille is not running locally, you can
tunnel the X11 traffic over Secure Shell (ssh) or IPSec to limit network
exposure, or use a more complete desktop-sharing solution that addresses
attacks from local users as well as remote ones.
2. If you are making system changes, decide whether to use HP-UX Bastille
interactively or noninteractively. First-time users must run HP-UX Bastille
interactively to create a configuration profile, unless your distribution
shipped with prebuilt configuration files such as DMZ.config. Allow yourself
an hour to read and answer all of the questions. See Section for more
information on the interactive and noninteractive use of HP-UX Bastille.
3. Follow the appropriate procedure (interactive or noninteractive)
based on your decision in Step 2.
Start HP-UX Bastille
First-time users must run HP-UX Bastille interactively to create a configuration profile.
The tool updates the PATH environment variable when installed, so if you have
logged out and logged back in after installing HP-UX Bastille, enter the
following to start the tool:
If your PATH has not been updated, enter the following to start HP-UX Bastille:
Only the categories of questions relevant to the current configuration
are displayed.
Answer the questions
The questions are categorized by function, and check marks are used as
completed indicators to note whether a category has been finished. This allows
you to track your progress through the program.
When answering questions, use the Explanation-Detail menu to toggle between
more and less verbose explanations. Not all questions have both long and
short answers.
Save your configuration and apply changes
You can use the menu bar at any time to save or load a configuration
file. Using the Save As option generates a bigger configuration file, since
the tool assumes that you are not necessarily done or might change the
configuration at a later time. Using the Save/Apply option tells the tool
that you are done and more filtering can be applied. Although the generated
configuration files can differ in size, the functionality of HP-UX Bastille
remains the same in both cases. The Save/Apply option always saves the
configuration file in the current location listed in the HP-UX Bastille
title bar.
To view the logs in real time, enter:
The action log file, /var/opt/sec_mgmt/bastille/log/action-log, contains the
specific steps HP-UX Bastille performed when making changes to the system. It
is only created if you apply the changes to the system.
The error log file, /var/opt/sec_mgmt/bastille/log/error-log, contains any
errors encountered by HP-UX Bastille while making changes to the system. It is
only created if errors occur during execution.
Complete the items listed in the to-do list
After performing the actions it can do automatically, the tool produces a
to-do list, /var/opt/sec_mgmt/bastille/TODO.txt, which describes the remaining
actions the user must manually perform. This includes reboots if any of the
changes require a reboot.
The actions in the to-do list must be completed to ensure a
|NOTE: The to-do list is only created when the changes are applied
to the system.|
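A post-apply check built on the three artifacts named above: the action log (only written when changes are applied), the error log (only written when something failed) and TODO.txt (only written when changes are applied, and listing the manual steps still outstanding). This is an added example and not part of the HP-UX Bastille guide; the file paths are the guide's, while BASTILLE_DIR is an assumed variable so the check can be pointed at a copy of the directory.

```shell
#!/bin/sh
# Added example (not from the HP-UX Bastille guide): read-only check of the
# lockdown outcome using the action-log, error-log and TODO.txt files.
# Assumed, not from the guide: the BASTILLE_DIR variable (default is the
# directory the guide names); nothing below modifies the system.
BASTILLE_DIR="${BASTILLE_DIR:-/var/opt/sec_mgmt/bastille}"

# bastille_apply_status DIR
# Return codes: 0 = changes applied and no error-log was written;
#               1 = error-log present (Bastille only creates it on error);
#               2 = no action-log, so the changes were never applied.
bastille_apply_status() {
    dir="$1"
    if [ ! -f "$dir/log/action-log" ]; then
        echo "no action-log under $dir: changes not applied yet" >&2
        return 2
    fi
    if [ -f "$dir/log/error-log" ]; then
        echo "error-log present, review it before trusting the lockdown:" >&2
        cat "$dir/log/error-log" >&2
        return 1
    fi
    echo "lockdown applied, $(wc -l < "$dir/log/action-log") action-log lines, no errors"
    return 0
}

# bastille_todo_pending DIR: succeeds (0) if TODO.txt exists, meaning manual
# steps, possibly including a reboot, still need to be completed.
bastille_todo_pending() {
    [ -f "$1/TODO.txt" ]
}

# Stand-alone run against the real directory, skipped where it is absent.
if [ -d "$BASTILLE_DIR" ]; then
    bastille_apply_status "$BASTILLE_DIR"
    if bastille_todo_pending "$BASTILLE_DIR"; then
        echo "manual actions remain; see $BASTILLE_DIR/TODO.txt"
        grep -i reboot "$BASTILLE_DIR/TODO.txt" && echo "a reboot is required"
    fi
fi
```

The return codes are chosen so the check can gate a provisioning pipeline: a missing action-log means Save/Apply was never run, an error-log means the run should be inspected before the host is considered hardened, and a present TODO.txt means the lockdown is not finished until its items are done.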