HP-UX Bastille Version B.3.3 User Guide
HP Part Number: 5900-0871
Published: June 2010
Edition: 1...
Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. UNIX is a registered trademark of The Open Group.
5.1 Diagnostic tips 21
5.2 General use tips 21
5.3 Known issues and workarounds 21
5.3.1 Changes made by HP-UX Bastille might cause other software to stop working 21
5.3.2 Cannot use X because $DISPLAY is not set 22
5.3.3 System is in original state 22
5.3.4 HP-UX Bastille must be run as root 22...
A Install-Time Security (ITS) using HP-UX Bastille 27
A.1 Choosing security levels 27
A.2 Choosing security dependencies 30
A.3 Selecting security levels during installation 30
B Configuring HP-UX Bastille for use with Serviceguard 31
B.1 Configuring Sec20MngDMZ or Sec30DMZ security levels 31
B.2 Configuring Sec10Host level 31
C Question modules 33
D Sample weight files 63...
List of Figures
HP-UX Bastille user interface 12
Standard assessment report 14
Scored assessment report 15
Assessment report score 16
Security software dependencies 30...
List of Tables
Question modules 12
Security levels 27
Host-based Sec10Host, Sec20MngDMZ, and Sec30DMZ security settings 28
Additional Sec20MngDMZ security settings 29
Additional Sec30DMZ security settings 29...
HP-UX operating system by consolidating essential hardening and lock-down checklists from industry and government security organizations, and making them accessible to administrators in an easy-to-use package. The HP-UX Bastille GUI interface guides users through creating a custom security configuration profile. The policy configuration engine hardens HP-UX to specification by locking down each selected security item.
1.2 Compatibility
There are no differences between the Intel Itanium-based and PA-RISC implementations. Some products depend on services, system settings, or network ports that HP-UX Bastille secures. Where a product depends on out-of-the-box settings that HP-UX Bastille might change, the dependency is documented.
HP-UX Bastille is included as recommended software on the Operating Environment media and can be installed and run with Ignite-UX or Update-UX. HP-UX Bastille is installed by default, and a manual installation is only necessary to obtain the latest version from the web.
The most common use of HP-UX Bastille is on a single machine, using the GUI interface to create and apply a customized security configuration profile in the same session. Only the default configuration file is used.
Only questions that apply to your operating system and relate to installed tools appear. Each question explains a security issue and describes the resulting action needed to lock down the HP-UX system. Each question also describes the high-level cost and benefit of each decision.
— Otherwise, specify the path to the configuration file explicitly with the -f option:
# bastille -b -f file
• If you are continuing from an HP-UX Bastille GUI session that is creating or modifying the configuration file (see “Creating a security configuration profile” (page 11)), status messages from the configuration process appear in the GUI box.
For example, a weights file can be prepared to select only HP-UX Bastille lock-down items that match equivalent items in an industry-consensus security benchmark. By reviewing scored reports using this file on all similar HP-UX servers in the datacenter, a systems manager can evaluate the resources required to bring these servers into compliance with the benchmark.
Enable scored reports by creating the /etc/opt/sec_mgmt/bastille/HPWeights.txt file, and populating it with an entry for each HP-UX Bastille lock-down item to be considered in the final score. The HPWeights.txt file format is similar to an HP-UX Bastille configuration file, except only entries for items to be scored are present, and the item value is always set to "1".
HP-UX question items as selected. For sample files, see Appendix D (page 63).
3.4 Reverting
If you want to revert the system files to the state they were in before HP-UX Bastille was run, use the revert option:
# bastille -r
IMPORTANT: Before using the revert feature, read the revert-actions script to ensure the changes do not disrupt your system.
When reverting to the configuration prior to the use of HP-UX Bastille, security configuration changes are undone temporarily. Other manual configuration changes or additional software installed after HP-UX Bastille was initially run might require a manual merge of configuration settings.
The Drift file contains information about any configuration drift experienced since the last HP-UX Bastille run. This file is only created when an earlier HP-UX Bastille configuration was applied to the system.
/var/opt/sec_mgmt/bastille/log/Assessment/Drift.txt
Use the swremove command to remove HP-UX Bastille from an HP-UX machine. When HP-UX Bastille is removed, the system does not revert to the state it was in before HP-UX Bastille was installed. HP-UX Bastille removal leaves behind the revert-actions script. This script enables the administrator to revert the configuration files that HP-UX Bastille modified without an HP-UX Bastille installation.
— When patches are installed
— When system customizations are made that might affect security
— On HP-UX, if swverify is used with the -x fix=true option or the -F option to run vendor-specific fix scripts
5.3 Known issues and workarounds
5.3.1 Changes made by HP-UX Bastille might cause other software to stop working...
5.3.8 HP-UX Bastille configures a firewall using IPFilter
The most common conflicts are with firewalls. When a network service is not working and HP-UX Bastille did not turn it off, verify that the firewall rules pass the ports the service needs. For more information, see ipfstat(8) and ipmon(8).
For HP technical support:
• In the United States, for contact options see the Contact HP United States webpage (http://welcome.hp.com/country/us/en/contact_us.html). To contact HP by phone:
— Call 1-800-HP-INVENT (1-800-474-6836). This service is available 24 hours a day, 7 days a week.
• bastille_drift(1M) in HP-UX 11i v3 Reference 1M System at: http://docs.hp.com/en/hpuxman_pages.html
The HP-UX Security Forum is offered through the HP IT Resource Center (ITRC) at: ITRC Forums Security
Product specifications and download: http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA
For more information about HP-UX Bastille compatibility with Serviceguard, see the Serviceguard documentation available at: http://www.hp.com/go/hpux-serviceguard-docs.
CAUTION: A caution calls attention to important information that, if not understood or followed, will result in data loss, data corruption, or damage to hardware or software.
IMPORTANT: This alert provides essential information to explain a concept or to complete a task.
NOTE: A note contains additional information to emphasize or supplement important points of the main text.
Install-Time Security (ITS) adds a security step to the installation or update process. This additional step allows the HP-UX Bastille security lock-down engine to run during system installation with one of four configurations ranging from default security to DMZ. ITS includes the following bundles: •...
sendmail
  Run sendmail via cron to process queue
  Stop sendmail from running in daemon mode
  Disable vrfy and expn commands
Disable HP Apache 2.x Web Server
Other settings
  Set up cron job to run SWA
Settings applied only if software is installed. HP-UX Host IDS is a selectable software bundle and only available for commercial servers. WBEM is required for several HP management applications including HP Systems Insight Manager (SIM) and ParMgr.
A.1 Choosing security levels...
A.2 Choosing security dependencies
The Sec00Tools security level is installed by default but does not implement any security changes when you install or update HP-UX Bastille. The Sec00Tools security level has the following benefits:
• Ensures that the required software is installed.
SecureInetd.deactivate_ident=N
Apply the configuration file changes.
• If you have not made any configuration changes to the system since the last time HP-UX Bastille was used, use HP-UX Bastille to apply the changes.
Revert to the previous HP-UX Bastille configuration:...
However, executing jobs later or automatically represents a privilege that can be abused and makes actions slightly harder to track. Many sites choose to restrict the at command to administrative accounts. HP suggests restricting permission to new administrators until they understand how it can be abused and which users need access.
Default
Description
HP-UX Bastille can restrict root from logging into a tty over the network. This forces administrators to log in first as a non-root user, then su to become root. Root logins are still permitted on the console and through services that do not use ttys, such as HP-UX Secure Shell.
Description
HP-UX stores the encrypted password string for each user in the /etc/passwd file. These encrypted strings are viewable by anyone with access to the /etc/ file system, typically all users. Using the encrypted string, an attacker can find valid passwords for your system.
Description
This parameter controls the default maximum number of days that passwords are valid. For systems running HP-UX 11.11 and HP-UX 11.0, setting this value requires conversion to trusted mode. For HP-UX 11.22 and later, shadowed password conversion is required. This parameter applies only to local non-root users.
This parameter controls the default number of days before password expiration that a user is warned that the password must be changed. For systems running HP-UX 11.11 and HP-UX 11.0, setting this value requires conversion to trusted mode. For HP-UX 11.22 and later, shadowed password conversion is required.
This may be more problematic when an authorized administrator can't remember the password. Note: For HP-UX 11.22 and prior, this requires conversion to trusted mode. HP-UX Bastille will automatically do the conversion if you select this option. Trusted mode is incompatible with LDAP-UX client services prior to version 3.0 and can cause...
HP-UX 11.22 and later have an option in the /etc/default/security file to set the default system umask. This parameter controls the umask(2) of all sessions initiated with pam_unix(5), which can then be overridden by the shell.
NOTE: If your system is converted to trusted mode, this parameter will be overridden by the trusted system default umask, which is 077.
Default
Description
If you do not plan to use this system as a web server, HP recommends that you deactivate your Apache web server. Programs that require an Apache server installation but do not bind to port 80 can still start their own instances of the web server.
Only a root process can break out of a chroot jail. HP-UX Bastille ensures that "named" is not running as root. A successful attack on "named" in a chroot jail running as a non-privileged user allows the attacker to modify only files owned or writeable by that non-privileged user and protects the rest of the system.
Description
The HP-UX Bastille development team would like to know how you use HP-UX Bastille. Based on how you answer these questions, HP can meet your needs better. You can help by sending your configuration and TODO.txt files back to HP. Answering yes to this question does that automatically. If you feel that your hostname or your security configuration is confidential, answer no.
Otherwise, an item is created in the TODO.txt file for you to manually integrate the parameter changes.
HP_UX.other_tools
Headline
Provide information about other security tools that HP has to offer.
Default
Description
Although HP-UX Bastille helps to configure most of the security-relevant features of your operating system, it is not a substitute for a complete security solution.
If the swagentd daemon is running, use swacl to remove remote read access:
swacl -l host -D any_other
swacl -l root -D any_other
Otherwise, an item is created in the TODO.txt file to remind you to run HP-UX Bastille again when the daemon is up.
HP_UX.scan_ports
Headline
Provide instructions in your TODO.txt file on how to run a port scan.
The HP-UX kernel is able to disallow execution of commands from the stack. This contains many of these types of attacks, making them ineffective.
If you are not running the HP-UX Host HIDS GUI on this host, answer yes. If you are running the HP-UX Host HIDS GUI on this host, and it only manages one LOCAL HIDS agent running on this host (i.e., you are not managing any HIDS agents on any remote hosts using this GUI), answer yes.
Default
192.168.1.0/255.255.255.0 10.10.10.10
Description
The basic IPFilter rules set up by HP-UX Bastille only allow network traffic for services associated with software that HP-UX Bastille recognizes as installed on the system. All other incoming traffic is blocked by default. To allow additional incoming traffic based on the IP address of the sending host, enter the specific IP addresses here, each with an optional netmask.
Port 1188 is used by web-based tools that are replacements for areas of SAM. The listener on this port is the HP release of Apache with a custom configuration file that loads only a minimum set of modules. It is also restricted to use https for all communication and can only be used to run the system management tools.
If your HP-UX Bastille connection is lost, check the results by running bastille -l to see if HP-UX Bastille correctly applied your configuration, or the action log for more detail. You can also save the HP-UX Bastille configuration file and run bastille -b on a console to check for HP-UX...
Block anything you are not asked about explicitly, including all incoming traffic. If this is the first time you are using HP-UX Bastille to configure your firewall, you will be asked about several service specific options if the applicable software appears to be installed. If you have already configured a firewall using HP-UX Bastille, you will only be asked about protocols which are currently allowed by the HP-UX Bastille configuration.
The rbootd daemon is used for the RMP protocol, which is a predecessor to the "bootp" protocol which serves DHCP. Unless you are using this machine to serve dynamic IP addresses to very old HP-UX systems (prior to 10.0, or older than s712), you have no reason to run this.
RPC. RPC has had security issues in the past and by default does not support a strong authentication mechanism. If you disable the core NFS infrastructure, HP-UX Bastille disables NIS, NIS+ and NFS.
Actions
Stop and disable NIS/NIS+ Server and Client.
However, if configured correctly and used in conjunction with management software, these daemons can dramatically improve accessibility and response time to problems when they occur. If this is disabled, network management software such as HP Openview, which relies on SNMP, does not work.
Actions
If running, stop process snmpdm.
Staying up-to-date on security bulletins issued by Hewlett-Packard is critical. These tools are the easiest way to make sure this system is compliant with the steps required in HP security bulletins. A subscription to the HP security bulletin mailing list provides the latest security fixes from HP.
You can create "Authorized Use Only" messages for your site. These can be helpful in prosecuting system crackers you catch trying to break into your system. HP-UX Bastille makes default messages that you can edit. This is like an "anti-welcome mat" for your system.
Description
The bootpd daemon implements three functions: a DHCP server, an Internet Boot Protocol (BOOTP) server, and a DHCP/BOOTP relay agent. If this system is not a BOOTP/DHCP server or a DHCP/BOOTP relay agent, HP recommends disabling this service.
Actions
Comment out the entry for bootp in the /etc/inetd.conf file.
This service can be used to determine user information on a given machine in preparation for a brute-force password attack like a dictionary attack. HP recommends disabling this service unless compelled by application specific needs.
Samba administrator. Clear-text passwords are passed through the network if a connection is initiated from an outside source. This form of authentication is easily defeated and HP recommends not running the swat service on this machine.
Hunt or Ettercap. The standard practice among security-conscious sites is to migrate as rapidly as practical from Telnet to Secure Shell (command: ssh). HP recommends making this move as soon as possible. Secure Shell implementations are available from openssh.org and ssh.com. Most operating system vendors also distribute a version of Secure Shell.
You can further restrict access using the inetd.sec file or a program like tcpwrappers. If you answer Y to this question, HP-UX Bastille also points you to information on how to configure these tools.
Daemon mode means that sendmail is constantly listening on a network connection waiting to receive mail. If you disable daemon mode, HP-UX Bastille asks if you would like to run sendmail every few minutes to process the queue of outgoing mail. Most programs send mail immediately, and processing the queue takes care of transient errors.
D Sample weight files
D.1 all.weight
The weight file below is located in /etc/opt/sec_mgmt/bastille/configs/defaults. This template file contains all possible HP-UX question items as selected.
AccountSecurity.ABORT_LOGIN_ON_MISSING_HOMEDIR=1
AccountSecurity.AUTH_MAXTRIES=1
AccountSecurity.MIN_PASSWORD_LENGTH=1
AccountSecurity.NOLOGIN=1
AccountSecurity.NUMBER_OF_LOGINS_ALLOWED=1
AccountSecurity.PASSWORD_HISTORY_DEPTH=1
AccountSecurity.PASSWORD_MAXDAYS=1
AccountSecurity.PASSWORD_MINDAYS=1
AccountSecurity.PASSWORD_WARNDAYS=1
AccountSecurity.SU_DEFAULT_PATH=1
AccountSecurity.atuser=1
AccountSecurity.block_system_accounts=1
AccountSecurity.create_securetty=1
AccountSecurity.crontabs_file=1
AccountSecurity.cronuser=1
AccountSecurity.gui_login=1...
E CIS mapping to HP-UX Bastille
Level 1 benchmark for HP-UX 11i (v1.5.0) Mapping to HP-UX Bastille
CIS ID / CIS benchmark section / HP-UX Bastille lock-down items
Patches and Additional Software
1.1.1 Apply latest OS patches: Not Scorable
1.1.2 Install and configure SSH: MiscellaneousDaemons.configure_ssh...
1.3.7 Disable other standard boot services:
  MiscellaneousDaemons.disable_rbootd
  MiscellaneousDaemons.nfs_server
  MiscellaneousDaemons.nfs_client
  MiscellaneousDaemons.disable_ptydaemon
  Apache.deactivate_hpws_apache
  MiscellaneousDaemons.snmpd
  MiscellaneousDaemons.nfs_core
  MiscellaneousDaemons.other_boot_serv
  MiscellaneousDaemons.disable_smbclient
  MiscellaneousDaemons.disable_smbserver
  MiscellaneousDaemons.disable_bind
1.3.8 Only enable Windows-compatibility server processes: Not Applicable
1.3.9 Only enable Windows-compatibility client processes: Not Applicable
1.3.10...
1.7.1 Enable kernel-level auditing: AccountSecurity.system_auditing
1.7.2 Enable logging from inetd: SecureInetd.log_inetd
1.7.3 Turn on additional logging for FTP daemon: SecureInetd.ftp_logging
User Accounts and Environment
1.8.1 Block system accounts: AccountSecurity.block_system_accounts...
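The scored-report workflow in Section 3 (prepare an HPWeights.txt that selects only the lock-down items matching a benchmark, then score servers against it) and the Appendix E mapping above, worked through in one added example that is not part of the guide and not HP-UX Bastille's own code. It builds a weights file from a few Appendix E rows and scores a constructed Bastille configuration against it. Assumptions: the configuration uses Module.item=Y/N lines like the one in Appendix B, an item counts as locked down when it is present with any value other than N, and the functions build_weights, score and unmet_cis are names of this example.

```python
"""Build an HPWeights.txt from part of the Appendix E mapping and score a Bastille
configuration file against it (added example, not HP-UX Bastille's own code)."""
import re

# Rows taken from Appendix E (CIS HP-UX 11i Level 1 v1.5.0 -> Bastille lock-down items).
CIS_TO_BASTILLE = {
    "1.1.2": ["MiscellaneousDaemons.configure_ssh"],
    "1.3.7": ["MiscellaneousDaemons.disable_rbootd", "MiscellaneousDaemons.nfs_server",
              "MiscellaneousDaemons.disable_bind"],
    "1.7.1": ["AccountSecurity.system_auditing"],
    "1.7.2": ["SecureInetd.log_inetd"],
    "1.8.1": ["AccountSecurity.block_system_accounts"],
}

# Constructed sample of a Bastille configuration file (Module.item=Y/N); not from a real host.
SAMPLE_CONFIG = """\
MiscellaneousDaemons.configure_ssh=Y
MiscellaneousDaemons.disable_rbootd=Y
MiscellaneousDaemons.nfs_server=N
MiscellaneousDaemons.disable_bind=Y
AccountSecurity.system_auditing=N
SecureInetd.log_inetd=Y
SecureInetd.deactivate_ident=N
"""

ITEM_RE = re.compile(r"^([A-Za-z_]+\.[A-Za-z0-9_]+)=(.*)$")

def parse_items(text):
    """Parse Module.item=value lines (config or weights file); blanks and # comments skipped."""
    items = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a Module.item=value entry: {raw!r}")
        items[m.group(1)] = m.group(2).strip()
    return items

def build_weights(mapping):
    """HPWeights.txt content: one entry per benchmark-relevant item, value always 1."""
    names = sorted({item for items in mapping.values() for item in items})
    return "".join(f"{name}=1\n" for name in names)

def score(config_text, weights_text):
    """Return (percent, unmet items). Assumption: an item counts as locked down when it
    is present in the config with any value other than N (Y, or a list/number value)."""
    weights = parse_items(weights_text)
    bad = [k for k, v in weights.items() if v != "1"]
    if bad:
        raise ValueError(f"weights file entries must be =1: {bad}")
    config = parse_items(config_text)
    unmet = sorted(k for k in weights if not config.get(k) or config[k].upper() == "N")
    return 100.0 * (len(weights) - len(unmet)) / len(weights), unmet

def unmet_cis(unmet_items, mapping):
    """CIS IDs with at least one unmet Bastille item: the work left to reach compliance."""
    return sorted(cid for cid, items in mapping.items() if any(i in unmet_items for i in items))
```

Running the same weights file against the configuration of every similar server gives the per-host score and the list of benchmark sections still open, which is the resource estimate Section 3 describes.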