HP-UX Bastille is a security hardening/lockdown tool that can be used to enhance the security of the HP-UX operating system. It provides customized lockdown on a system-by-system basis by encoding functionality similar to the Center for Internet Security (CIS) Level 1 Benchmark for HP-UX and other hardening/lockdown checklists. The Bastille technology is available in HP-UX 11i v1 and later versions of HP-UX. This section describes how to make sure Ignite-UX requirements are enabled on your Bastille system. For more information on HP-UX Bastille, see bastille(1M), bastille_drift(1M), the HP-UX System Administrator's Guide: Security Management if you are running HP-UX 11i v3, and Managing Systems and Workgroups: A Guide for HP-UX System Administrators for systems running HP-UX 11i v2 and earlier.

CAUTION: The configuration processes in this section change the security properties of your system. When enabling services, protocols, and ports, careful consideration should be given to the impact on your network and system security.
Enabling Ignite-UX Server Requirements

To make sure Ignite-UX requirements are enabled on the server, you must first discover your current lockdown state and then modify that state, if necessary, to allow selected daemons and services to run. You must also allow access to certain ports used by an Ignite-UX server.

1. Discover your current lockdown state.

   If you are using Bastille 3.0 or later, create a configuration report. The report is created in /var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config.

       # bastille --assessnobrowser

   If you are using a version of Bastille earlier than 3.0, get the latest configuration file used by Bastille.

   NOTE: If you get the message "NOTE: The system is in its pre-bastilled state.", there is no need to proceed with this configuration, as daemons, services, and ports required by Ignite-UX are not locked down in the pre-bastille state.

2. Copy the last configuration file used or the assessment report to a place of your choice.

3. Bring up the latest configuration in the Bastille GUI.

       # bastille --os [HP-UX11.00 | HP-UX11.11 | HPUX11.23 | HPUX11.31] -f filename

4. Make sure the settings in your configuration file for the following daemons and services are set to No. Note that if you have to change a setting from Yes to No, you will likely be required to enable that daemon or service on your system in order to use it. After you have made changes, save the configuration file to a place of your choice.

       Would you like to deactivate the NFS server on this system?
       Would you like to deactivate NIS client programs?
       Should Bastille ensure inetd's bootp service does not run on this system?
       Should Bastille ensure inetd's TFTP service does not run on this system?

5. To update your firewall or have Bastille create a new one:

   a. Back up your /etc/opt/ipf/ipf.conf file to a place of your choice.

   b. Update the port information for the Bastille-enabled HP-UX IPFilter firewall by editing the file /etc/opt/sec_mgmt/bastille/ipf.customrules and making the following changes:

      - Add the words keep frags to the end of the udp outgoing rule line so it looks like:

            pass out quick proto udp all keep state keep frags

      - Remove or comment out the following line:

            block in quick proto udp from any to any port = portmap

      - Add the following lines after the End allow outgoing rules section:

            # ports required for Ignite-UX
            ############################################################
            pass in log quick proto udp from any to any port = 69 keep state
            pass in log quick proto udp from any port = 68 to any port = 67 keep state
            pass in log quick proto udp from any port = 1068 to any port = 1067 keep state
            pass in log quick proto tcp/udp from any to any port = 2049 keep frags
            pass in log quick proto tcp/udp from any to any port = 2121
            pass in log quick proto tcp/udp from any to any port 49152 >< 65535
            pass in log quick proto tcp from any to any port = 20
            pass in log quick proto tcp from any to any port = 21
            pass in log quick proto tcp from any to any port = 22
            pass in log quick proto tcp from any to any port = 514
            pass in log quick proto icmp from any to any icmp-type 8 keep state
            pass in log quick proto tcp from any port = 514 to any keep state

   c. In the IPFilter Module of Bastille, change the following line to Yes if it is not already:

            Should Bastille setup basic firewall rules with these properties?

6. Run Bastille.

       # bastille -b -f your_configuration_file

7. If a Bastille baseline has been created for the system, update that baseline.

       # bastille_drift --save_baseline baseline
Enabling Ignite-UX Client Requirements

To make sure Ignite-UX requirements are enabled on the client, you must first discover your current lockdown state and then modify that state, if necessary, to allow the NFS daemon and rtools services to run. You must also allow access to certain ports used by an Ignite-UX client.

1. Discover your current lockdown state.

   If you are using Bastille 3.0 or later, create a configuration report. The report is created in /var/opt/sec_mgmt/bastille/log/Assessment/assessment-log.config.

       # bastille --assessnobrowser

   If you are using a version of Bastille earlier than 3.0, get the latest configuration file used by Bastille.

   NOTE: If you get the message "NOTE: The system is in its pre-bastilled state.", there is no need to proceed with this configuration, as daemons, services, and ports required by Ignite-UX are not locked down in the pre-bastille state.

2. Copy the last configuration file used or the assessment report to a place of your choice.

3. Bring up the latest configuration in the Bastille GUI.

       # bastille --os [HP-UX11.00 | HP-UX11.11 | HPUX11.23 | HPUX11.31] -f filename

4. Make sure the settings in your configuration file for the NFS daemon and rtools service are set to No. Note that if you have to change a setting from Yes to No, you will likely be required to enable that daemon or service on your system in order to use it. After you have made changes, save the configuration file to a place of your choice.

       Would you like to deactivate the NFS client daemons?
       Should Bastille ensure that the login, shell, and exec services do not run on this system?

5. To update your firewall or have Bastille create a new one:

   a. Back up your /etc/opt/ipf/ipf.conf file to a place of your choice.

   b. Update the port information for the Bastille-enabled HP-UX IPFilter firewall by editing the file /etc/opt/sec_mgmt/bastille/ipf.customrules and making the following changes:

      - Add the words keep frags to the end of the udp outgoing rule line so it looks like:

            pass out quick proto udp all keep state keep frags

      - Add the following lines after the End allow outgoing rules section:

            # ports required for Ignite-UX
            ############################################################
            pass in log quick proto icmp from any to any icmp-type 8 keep state
            pass in log quick proto tcp from any to any port = 512
            pass in log quick proto tcp from any to any port = 514
            pass in log quick proto tcp/udp from any port = 2049 to any keep frags
            pass in log quick proto tcp/udp from any to any port 49152 >< 65535

   c. In the IPFilter Module of Bastille, change the following line to Yes if it is not already:

            Should Bastille setup basic firewall rules with these properties?

6. Run Bastille.

       # bastille -b -f your_configuration_file

7. If a Bastille baseline has been created for the system, update that baseline.

       # bastille_drift --save_baseline baseline
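The ipf.customrules edits in the server and client procedures above are easy to get subtly wrong by hand (a rule block pasted twice, keep frags appended twice, the portmap block left in place on a server). The following script is an added example, not part of the Ignite-UX documentation and not Bastille's own code: it applies both sets of edits to a copy of the file, selected by the argument server or client, and skips the rule block if it is already present. It assumes the outgoing udp rule and the portmap block line read exactly as quoted in the text, that the End allow outgoing rules section ends with a comment line containing that phrase, and it uses a constructed sample of ipf.customrules rather than the real file, whose full layout is not shown on this page.

```shell
#!/bin/sh
# Added example (not from the Ignite-UX documentation or from Bastille).
# Applies the ipf.customrules edits for an Ignite-UX server or client to a
# COPY of the file. Assumptions: the udp outgoing rule and the portmap block
# line are exactly as quoted in the procedure, and the "End allow outgoing
# rules" section ends with a comment line containing that phrase.

# Rule block for an Ignite-UX server (copied from the server procedure).
SERVER_RULES='# ports required for Ignite-UX
############################################################
pass in log quick proto udp from any to any port = 69 keep state
pass in log quick proto udp from any port = 68 to any port = 67 keep state
pass in log quick proto udp from any port = 1068 to any port = 1067 keep state
pass in log quick proto tcp/udp from any to any port = 2049 keep frags
pass in log quick proto tcp/udp from any to any port = 2121
pass in log quick proto tcp/udp from any to any port 49152 >< 65535
pass in log quick proto tcp from any to any port = 20
pass in log quick proto tcp from any to any port = 21
pass in log quick proto tcp from any to any port = 22
pass in log quick proto tcp from any to any port = 514
pass in log quick proto icmp from any to any icmp-type 8 keep state
pass in log quick proto tcp from any port = 514 to any keep state'

# Rule block for an Ignite-UX client (copied from the client procedure).
CLIENT_RULES='# ports required for Ignite-UX
############################################################
pass in log quick proto icmp from any to any icmp-type 8 keep state
pass in log quick proto tcp from any to any port = 512
pass in log quick proto tcp from any to any port = 514
pass in log quick proto tcp/udp from any port = 2049 to any keep frags
pass in log quick proto tcp/udp from any to any port 49152 >< 65535'

# Constructed sample of ipf.customrules (NOT the real file), used for the demo.
write_sample_rules() {
    cat > "$1" <<'EOF'
# Bastille ipf.customrules (constructed sample, not the real file)
pass out quick proto tcp all keep state
pass out quick proto udp all keep state
block in quick proto udp from any to any port = portmap
# End allow outgoing rules
block in log quick all
EOF
}

# apply_ignite_rules server|client INFILE OUTFILE
# Writes the edited rules to OUTFILE; INFILE is never modified in place.
apply_ignite_rules() {
    mode=$1 infile=$2 outfile=$3
    case $mode in
        server) rules=$SERVER_RULES ;;
        client) rules=$CLIENT_RULES ;;
        *) echo "usage: apply_ignite_rules server|client infile outfile" >&2; return 2 ;;
    esac
    # Idempotence: if the Ignite-UX block is already present, do not add it again.
    if grep -q '^# ports required for Ignite-UX' "$infile"; then have_block=1; else have_block=0; fi
    while IFS= read -r line; do
        case $line in
            'pass out quick proto udp all keep state')
                # Append "keep frags" to the outgoing udp rule (no-op if already done).
                printf '%s keep frags\n' "$line" ;;
            'block in quick proto udp from any to any port = portmap')
                # Server only: comment out the portmap block line.
                if [ "$mode" = server ]; then printf '# %s\n' "$line"; else printf '%s\n' "$line"; fi ;;
            *'End allow outgoing rules'*)
                # Insert the Ignite-UX rule block right after the section marker.
                printf '%s\n' "$line"
                if [ "$have_block" -eq 0 ]; then printf '%s\n' "$rules"; fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$infile" > "$outfile"
}

# Number of lines in FILE exactly equal to the fixed string; prints 0 if none.
count_line() { grep -cxF -- "$1" "$2" || true; }

# Stand-alone demonstration on the constructed sample.
tmp=$(mktemp -d)
write_sample_rules "$tmp/ipf.customrules"
apply_ignite_rules server "$tmp/ipf.customrules" "$tmp/ipf.customrules.server"
apply_ignite_rules client "$tmp/ipf.customrules" "$tmp/ipf.customrules.client"
echo "== server =="; cat "$tmp/ipf.customrules.server"
echo "== client =="; cat "$tmp/ipf.customrules.client"
rm -rf "$tmp"
```

Run it once to see the server and client results on the sample; to use it on a real system, point INFILE at a backup copy of /etc/opt/sec_mgmt/bastille/ipf.customrules, review OUTFILE, and only then copy it into place and continue with the IPFilter Module and bastille -b steps above.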