HP UX Bastille User Manual

Version B.3.3
HP-UX Bastille Version B.3.3 User Guide
HP Part Number: 5900-0871
Published: June 2010
Edition: 1


Summary of Contents for HP UX Bastille

  • Page 1 HP-UX Bastille Version B.3.3 User Guide HP Part Number: 5900-0871 Published: June 2010 Edition: 1...
  • Page 2 Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. UNIX is a registered trademark of The Open Group.
  • Page 3: Table Of Contents

    5.1 Diagnostic tips, page 21
    5.2 General use tips, page 21
    5.3 Known issues and workarounds, page 21
    5.3.1 Changes made by HP-UX Bastille might cause other software to stop working, page 21
    5.3.2 Cannot use X because $DISPLAY is not set, page 22
    5.3.3 System is in original state, page 22
    5.3.4 HP-UX Bastille must be run as root, page 22
    ...
  • Page 4
    A Install-Time Security (ITS) using HP-UX Bastille, page 27
    A.1 Choosing security levels, page 27
    A.2 Choosing security dependencies, page 30
    A.3 Selecting security levels during installation, page 30
    B Configuring HP-UX Bastille for use with Serviceguard, page 31
    B.1 Configuring Sec20MngDMZ or Sec30DMZ security levels, page 31
    B.2 Configuring Sec10Host level, page 31
    C Question modules, page 33
    D Sample weight files, page 63
    ...
  • Page 5
    List of Figures
    HP-UX Bastille user interface, page 12
    Standard assessment report, page 14
    Scored assessment report, page 15
    Assessment report score, page 16
    Security software dependencies, page 30
    ...
  • Page 6
    List of Tables
    Question modules, page 12
    Security levels, page 27
    Host-based Sec10Host, Sec20MngDMZ, and Sec30DMZ security settings, page 28
    Additional Sec20MngDMZ security settings, page 29
    Additional Sec30DMZ security settings, page 29
    ...
  • Page 7: About This Product

    HP-UX operating system by consolidating essential hardening and lock-down checklists from industry and government security organizations, and making them accessible to administrators in an easy to use package. The HP-UX Bastille GUI interface guides users through creating a custom security configuration profile. The policy configuration engine hardens HP-UX to specification by locking down each selected security item.
  • Page 8: Compatibility

    1.2 Compatibility There are no differences between the Intel Itanium-based and PA-RISC implementation. Some products depend on services, system settings, or network ports that HP-UX Bastille secures. In cases where products depend on out-of-the-box settings that HP-UX Bastille might change, dependencies are documented.
  • Page 9: Installing Hp-Ux Bastille

    HP-UX Bastille is included as recommended software on the Operating Environment media and can be installed and run with Ignite-UX or Update-UX. HP-UX Bastille is installed by default, and a manual installation is only necessary to obtain the latest version from the web.
  • Page 11: Using Hp-Ux Bastille

    The most common use of HP-UX Bastille is on a single machine, using the GUI interface to create and apply a customized security configuration profile in the same session. Only the default configuration file is used.
  • Page 12: Hp-Ux Bastille User Interface

    Only questions that apply to your operating system and relate to installed tools appear. Each question explains a security issue and describes the resulting action needed to lock down the HP-UX system. Each question also describes the high-level cost and benefit of each decision.
  • Page 13: Configuring A System

    — Otherwise, specify the path to the configuration file explicitly with the -f option:
    # bastille -b -f file
    • If you are continuing from an HP-UX Bastille GUI session that is creating or modifying the configuration file (see "Creating a security configuration profile" (page 11)), status messages from the configuration process appear in the GUI box.
  • Page 14: Using Scored Reports

    For example, a weights file can be prepared to select only HP-UX Bastille lock-down items that match equivalent items in an industry-consensus security benchmark. By reviewing scored reports using this file on all similar HP-UX servers in the datacenter, a systems manager can evaluate the resources required to bring these servers into compliance with the benchmark.
  • Page 15: Scored Assessment Report

    Enable scored reports by creating the /etc/opt/sec_mgmt/bastille/HPWeights.txt file, and populating it with an entry for each HP-UX Bastille lock-down item to be considered in the final score. The HPWeights.txt file format is similar to an HP-UX Bastille configuration file, except only entries for items to be scored are present, and the item value is always set to "1".
  • Page 16: Reverting

    HP-UX question items as selected. For sample files, see Appendix D (page 63).
    3.4 Reverting
    If you want to revert the system files to the state they were in before HP-UX Bastille was run, use the revert option:
    # bastille -r
    IMPORTANT: Before using the revert feature, read the revert-actions script to ensure changes do not disrupt your system.
  • Page 17: Monitoring Drift

    When reverting to the configuration prior to the use of HP-UX Bastille, security configuration changes are undone temporarily. Other manual configuration changes or additional software installed after HP-UX Bastille was initially run might require a manual merge of configuration settings.
  • Page 18
    The Drift file contains information about any configuration drift experienced since the last HP-UX Bastille run. This file is only created when an earlier HP-UX Bastille configuration was applied to the system:
    /var/opt/sec_mgmt/bastille/log/Assessment/Drift.txt
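
Scoring an assessment against a weights file (pages 14 and 15 above) and detecting drift (pages 17 and 18) are both comparisons of Module.item values, so one added example covers both. This is illustrative code written for this page, not HP-UX Bastille's own scorer or drift checker. Its assumptions: assessment output, configuration file and weights file all use Module.item=value lines (values optionally double-quoted), a weights file lists Module.item=1 for each scored item, and the score is the percentage of weighted items found at "Y". The sample files are constructed.

```python
"""Added example, not code from the HP-UX Bastille guide: score an assessment
against a weights file and report configuration drift between two assessments.

Assumptions (the guide's exact file formats and score formula are not on this
page): assessment output, configuration file and weights file all use
Module.item=value lines (values optionally double-quoted), a weights file lists
Module.item=1 for every scored item, and the score is the percentage of weighted
items present in the assessment whose value is "Y"."""
import re
from typing import Dict, List, Set, Tuple

ITEM_RE = re.compile(r'^\s*([A-Za-z0-9_]+\.[A-Za-z0-9_]+)\s*=\s*"?([^"#]*?)"?\s*$')

# Constructed samples. BASELINE is what was applied; CURRENT_ASSESSMENT is what
# a later assessment found after someone re-enabled telnet by hand.
BASELINE = """\
# constructed, not a real assessment
AccountSecurity.umask="Y"
AccountSecurity.create_securetty="Y"
SecureInetd.deactivate_telnet="Y"
SecureInetd.deactivate_ident="N"
MiscellaneousDaemons.snmpd="Y"
"""
CURRENT_ASSESSMENT = BASELINE.replace(
    'SecureInetd.deactivate_telnet="Y"', 'SecureInetd.deactivate_telnet="N"')
WEIGHTS = """\
AccountSecurity.umask=1
SecureInetd.deactivate_telnet=1
MiscellaneousDaemons.snmpd=1
HP_UX.stack_execute=1
"""


def parse_items(text: str) -> Dict[str, str]:
    """Parse Module.item=value lines; blank lines and '#' comments are skipped."""
    items: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = ITEM_RE.match(line)
        if not match:
            raise ValueError(f"malformed line: {line!r}")
        items[match.group(1)] = match.group(2)
    return items


def parse_weights(text: str) -> Set[str]:
    """Weighted items are those set to 1; anything else is ignored."""
    return {k for k, v in parse_items(text).items() if v == "1"}


def score(assessment: Dict[str, str], weights: Set[str]) -> Tuple[float, List[str], List[str]]:
    """Return (percent locked down, weighted items not at "Y", weighted items absent).

    Absent items (software not installed, so the question never applied) are
    left out of the denominator rather than counted as failures.
    """
    scored = [k for k in sorted(weights) if k in assessment]
    missing = [k for k in sorted(weights) if k not in assessment]
    failing = [k for k in scored if assessment[k].upper() != "Y"]
    percent = 100.0 * (len(scored) - len(failing)) / len(scored) if scored else 0.0
    return percent, failing, missing


def drift(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Items whose value changed, appeared or disappeared since the baseline."""
    changed = {}
    for key in sorted(set(baseline) | set(current)):
        before, after = baseline.get(key), current.get(key)
        if before != after:
            changed[key] = (before, after)
    return changed


if __name__ == "__main__":
    current = parse_items(CURRENT_ASSESSMENT)
    pct, failing, missing = score(current, parse_weights(WEIGHTS))
    print(f"score: {pct:.1f}%  failing: {failing}  not applicable: {missing}")
    for key, (before, after) in drift(parse_items(BASELINE), current).items():
        print(f"drift: {key} {before!r} -> {after!r}")
```

Run it against a saved configuration file and a fresh assessment to get the same two answers the guide's reports give: how far the host is from the benchmark the weights file encodes, and which items a hand edit or later software installation has moved since the lock-down was applied.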
  • Page 19: Removing Hp-Ux Bastille

    Use the swremove command to remove HP-UX Bastille from an HP-UX machine. When HP-UX Bastille is removed, the system does not revert to the state it was in before HP-UX Bastille was installed. HP-UX Bastille removal leaves behind the revert-actions script. This script enables the administrator to revert the configuration files that HP-UX Bastille modified without an HP-UX Bastille installation.
  • Page 21: Troubleshooting

    — When patches are installed
    — When system customizations are made that might affect security
    — On HP-UX if swverify is used with the -x fix=true option or the -F option to run vendor-specific fix scripts
    5.3 Known issues and workarounds
    5.3.1 Changes made by HP-UX Bastille might cause other software to stop working...
  • Page 22: Cannot Use X Because $DISPLAY Is Not Set

    5.3.8 HP-UX Bastille configures a firewall using IPFilter
    The most common conflicts are with firewalls. When a network service is not working, and it is not turned off by HP-UX Bastille, verify the firewall rules pass the ports needed. For more information, see ipfstat(8) and ipmon(8).
  • Page 23: Support And Other Resources

    For HP technical support: • In the United States, for contact options see the Contact HP United States webpage (http:// welcome.hp.com/country/us/en/contact_us.html). To contact HP by phone: — Call 1-800-HP-INVENT (1-800-474-6836). This service is available 24 hours a day, 7 days a week.
  • Page 24: Typographic Conventions

    • bastille_drift(1M) in HP-UX 11i v3 Reference 1M System at: http://docs.hp.com/en/hpuxman_pages.html The HP-UX Security Forum is offered through the HP IT Resource Center (ITRC) at: ITRC Forums Security Product specifications and download: http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA. For more information about HP-UX Bastille compatibility with Serviceguard, see the Serviceguard documentation available at: http://www.hp.com/go/hpux-serviceguard-docs.
  • Page 25
    CAUTION: A caution calls attention to important information that if not understood or followed will result in data loss, data corruption, or damage to hardware or software.
    IMPORTANT: This alert provides essential information to explain a concept or to complete a task.
    NOTE: A note contains additional information to emphasize or supplement important points of the main text.
  • Page 27: A Install-Time Security (Its) Using Hp-Ux Bastille

    Install-Time Security (ITS) adds a security step to the installation or update process. This additional step allows the HP-UX Bastille security lock-down engine to run during system installation with one of four configurations ranging from default security to DMZ. ITS includes the following bundles: •...
  • Page 28: Host-Based Sec10Host, Sec20Mngdmz, And Sec30Dmz Security Settings

    sendmail: Run sendmail via cron to process queue
    sendmail: Stop sendmail from running in daemon mode
    sendmail: Disable vrfy and expn commands
    Disable HP Apache 2.x Web Server
    Other settings: Set up cron job to run SWA
  • Page 29: Additional Sec20Mngdmz Security Settings

    Settings applied only if software is installed. HP-UX Host IDS is a selectable software bundle and only available for commercial servers. WBEM is required for several HP management applications including HP Systems Insight Manager (SIM) and ParMgr. A.1 Choosing security levels...
  • Page 30: Choosing Security Dependencies

    A.2 Choosing security dependencies The Sec00Tools security level is installed by default but does not implement any security changes when you install or update HP-UX Bastille. The Sec00Tools security level has the following benefits: • Ensures that the required software is installed.
  • Page 31: B Configuring Hp-Ux Bastille For Use With Serviceguard

    SecureInetd.deactivate_ident=N
    Apply the configuration file changes.
    • If you have not made any configuration changes to the system since the last time HP-UX Bastille was used, use HP-UX Bastille to apply the changes. Revert to the previous HP-UX Bastille configuration:...
  • Page 33: C Question Modules

    However, executing jobs later or automatically represents a privilege that can be abused and makes actions slightly harder to track. Many sites choose to restrict the at command to administrative accounts. HP suggests restricting permission to new administrators until they understand how it can be abused and which users need access.
  • Page 34 Default Description HP-UX Bastille can restrict root from logging into a tty over the network. This forces administrators to log in first as a non-root user, then su to become root. Root logins are still permitted on the console and through services that do not use tty's like HP-UX Secure Shell.
  • Page 35 Description HP-UX stores the encrypted password string for each user in the /etc/passwd file. These encrypted strings are viewable by anyone with access to the /etc/ file system, typically all users. Using the encrypted string, an attacker can find valid passwords for your system.
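
The exposure described above is easy to check for before deciding on the conversion the guide refers to (shadowing, or trusted mode on older releases). The following is an added example written for this page, not code from the HP-UX Bastille guide: it classifies each record of an /etc/passwd-style file by what its password field reveals. The sample file is constructed, and the field conventions assumed are the usual ones ("x" when the hash lives in /etc/shadow, a leading "*" or "!" for a locked account, empty when no password is required, anything else an exposed crypt hash).

```python
"""Added example (not from the HP-UX Bastille guide): audit /etc/passwd-style
records for password hashes that every local user can read.

Assumed conventions for the password field: "x" means the hash has been moved to
/etc/shadow, a leading "*" or "!" means the account is locked, an empty field
means no password is required, and anything else is an exposed crypt hash."""
from typing import Dict, List

# Constructed sample, not a real system's file. The "+" line is a NIS marker and
# "broken:line" exercises the malformed-record path.
SAMPLE_PASSWD = """\
root:abcDEFghiJKLm:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
alice:x:101:20::/home/alice:/usr/bin/sh
bob:9hH2k.xZqQs8w:102:20::/home/bob:/usr/bin/sh
guest::103:20::/home/guest:/usr/bin/sh
+::::::
broken:line
"""


def audit_passwd(text: str) -> Dict[str, List[str]]:
    """Classify each account by what its password field exposes.

    NIS/NIS+ marker entries ("+" and "-" lines) are skipped because their
    password field is not a local credential.
    """
    findings: Dict[str, List[str]] = {
        "hash_exposed": [], "empty_password": [], "shadowed": [], "locked": [], "malformed": [],
    }
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line[0] in "+-":
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings["malformed"].append(f"line {lineno}")
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings["empty_password"].append(user)
        elif pw == "x":
            findings["shadowed"].append(user)
        elif pw.startswith(("*", "!")):
            findings["locked"].append(user)
        else:
            findings["hash_exposed"].append(user)
    return findings


def needs_conversion(findings: Dict[str, List[str]]) -> bool:
    """True when any hash, or any passwordless account, is readable from /etc/passwd."""
    return bool(findings["hash_exposed"] or findings["empty_password"])


if __name__ == "__main__":
    result = audit_passwd(SAMPLE_PASSWD)
    for category, users in result.items():
        print(f"{category:15s} {', '.join(users) or '-'}")
    print("conversion needed:", needs_conversion(result))
```

Point it at a copy of the real file and the "hash_exposed" and "empty_password" lists are the accounts an unprivileged user could feed to an offline cracker today; a malformed record is worth a look as well, since login(1) and the conversion tools will not treat it the way the administrator expects.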
  • Page 36 Description This parameter controls the default maximum number of days that passwords are valid. For systems running HP-UX 11.11 and HP-UX 11.0, setting this value requires conversion to trusted mode. For HP-UX 11.22 and later, shadowed password conversion is required. This parameter applies only to local non-root users.
  • Page 37 This parameter controls the default number of days before password expiration that a user is warned that the password must be changed. For systems running HP-UX 11.11 and HP-UX 11.0, setting this value requires conversion to trusted mode. For HP-UX 11.22 and later, shadowed password conversion is required.
  • Page 38 This may be more problematic when an authorized administrator can't remember the password. Note: For HP-UX 11.22 and prior, this requires conversion to trusted mode. HP-UX Bastille will automatically do the conversion if you select this option. Trusted mode is incompatible with LDAP-UX client services prior to version 3.0 and can cause...
  • Page 39 HP-UX 11.22 and later have an option in the /etc/default/security file to set the default system umask. This parameter controls umask(2) of all sessions initiated with pam_unix(5) which can then be overridden by the shell. NOTE: If your system is converted to trusted mode, this parameter will be overridden by the trusted system default umask, which is 077.
  • Page 40 Default Description If you do not plan to use this system as a web server, HP recommends that you deactivate your Apache web server. Programs that require an Apache server installation but do not bind to port 80 can still start their own instances of the web server.
  • Page 41 Only a root process can break out of a chroot jail. HP-UX Bastille ensures that "named" is not running as root. A successful attack on "named" in a chroot jail running as a non-privileged user allows the attacker to modify only files owned or writeable by that non-privileged user and protects the rest of the system.
  • Page 42 Description The HP-UX Bastille development team would like to know how you use HP-UX Bastille. Based on how you answer these questions, HP can meet your needs better. You can help by sending your configuration and TODO.txt files back to HP. Answering yes to this question does that automatically. If you feel that your hostname or your security configuration is confidential, answer no.
  • Page 43
    Otherwise, an item is created in the TODO.txt file for you to manually integrate the parameter changes.
    HP_UX.other_tools
    Headline: Provide information about other security tools that HP has to offer.
    Description: Although HP-UX Bastille helps to configure most of the security-relevant features of your operating system, it is not a substitute for a complete security solution.
  • Page 44
    If the swagentd daemon is running, use swacl to remove remote read access:
    swacl -l host -D any_other
    swacl -l root -D any_other
    Otherwise, an item is created in the TODO.txt file to remind you to run HP-UX Bastille again when the daemon is up.
    HP_UX.scan_ports
    Headline: Provide instructions in your TODO.txt file on how to run a port scan.
  • Page 45 The HP-UX kernel is able to disallow execution of commands from the stack. This contains many of these types of attacks, making them ineffective.
  • Page 46 If you are not running the HP-UX Host HIDS GUI on this host, answer yes. If you are running the HP-UX Host HIDS GUI on this host, and it only manages one LOCAL HIDS agent running on this host (i.e., you are not managing any HIDS agents on any remote hosts using this GUI), answer yes.
  • Page 47
    Default: 192.168.1.0/255.255.255.0 10.10.10.10
    Description: The basic IPFilter rules set up by HP-UX Bastille only allow network traffic for services associated with software that HP-UX Bastille recognizes as installed on the system. All other incoming traffic is blocked by default. To allow additional incoming traffic based on the IP address of the sending host, enter specific IP addresses here with an optional netmask.
  • Page 48 Port 1188 is used by web-based tools that are replacements for areas of SAM. The listener on this port is the HP release of Apache with a custom configuration file that loads only a minimum set of modules. It is also restricted to use https for all communication and can only be used to run the system management tools.
  • Page 49 If your HP-UX Bastille connection is lost, check the results by running bastille -l to see if HP-UX Bastille correctly applied your configuration, or the action log for more detail. You can also save the HP-UX Bastille configuration file and run bastille -b on a console to check for HP-UX...
  • Page 50 Block anything you are not asked about explicitly, including all incoming traffic. If this is the first time you are using HP-UX Bastille to configure your firewall, you will be asked about several service specific options if the applicable software appears to be installed. If you have already configured a firewall using HP-UX Bastille, you will only be asked about protocols which are currently allowed by the HP-UX Bastille configuration.
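
The address list from the page 47 question and the default-deny policy described on page 50 translate into a small ipf.conf fragment, and the answer deserves validation before it is applied: a non-contiguous netmask is a typo, and an entry that widens to 0.0.0.0/0 quietly cancels the default block. The following is an added example written for this page, not HP-UX Bastille's own rule generator; the rule wording is standard ipf.conf syntax, but the exact rules Bastille writes, and the tcp/22 service pass used here, are assumptions.

```python
"""Added example, not HP-UX Bastille's own rule generator: validate the address
list given in answer to the IPFilter question ("192.168.1.0/255.255.255.0
10.10.10.10" by default) and turn it into ipf.conf rules that pass those
sources while keeping the default-deny policy. The rule text is standard
ipf.conf syntax; the rules Bastille itself writes are assumed, not copied."""
import ipaddress
from typing import List, Tuple


def parse_host_list(answer: str) -> List[ipaddress.IPv4Network]:
    """Accept whitespace-separated 'addr', 'addr/prefix' or 'addr/dotted-mask' tokens.

    Rejects an entry that would pass traffic from every source, and
    non-contiguous masks (ipaddress refuses those itself).
    """
    nets = []
    for tok in answer.split():
        try:
            net = ipaddress.IPv4Network(tok, strict=False)  # host bits set are tolerated
        except ValueError as exc:
            raise ValueError(f"bad firewall entry {tok!r}: {exc}") from None
        if net.prefixlen == 0:
            raise ValueError(f"entry {tok!r} would pass traffic from any source")
        nets.append(net)
    return nets


def ipf_rules(nets: List[ipaddress.IPv4Network], ports: List[Tuple[str, int]]) -> str:
    """Build an ipf.conf fragment: explicit passes first, catch-all block last.

    'quick' makes the first matching rule final, so the trailing block applies
    only to inbound traffic nothing above has passed.
    """
    lines = ["# added example: generated fragment, not Bastille's own file"]
    for proto, port in ports:
        lines.append(f"pass in quick proto {proto} from any to any port = {port} keep state")
    for net in nets:
        lines.append(f"pass in quick from {net.with_prefixlen} to any")
    for proto in ("tcp", "udp", "icmp"):
        lines.append(f"pass out quick proto {proto} from any to any keep state")
    lines.append("block in log all")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    allowed = parse_host_list("192.168.1.0/255.255.255.0 10.10.10.10")
    print(ipf_rules(allowed, [("tcp", 22)]), end="")
```

The generated fragment keeps the shape the guide describes: a short list of explicit passes, then a logged block of everything else inbound. When a service stops working after the lock-down, the troubleshooting advice on page 22 applies unchanged: compare the port it needs against the pass rules (ipfstat) and watch the logged blocks (ipmon).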
  • Page 51 The rbootd daemon is used for the RMP protocol, which is a predecessor to the "bootp" protocol (itself the predecessor of DHCP). Unless you are using this machine to serve dynamic IP addresses to very old HP-UX systems (prior to 10.0, or older than s712), you have no reason to run this.
  • Page 52 RPC. RPC has had security issues in the past and by default does not support a strong authentication mechanism. If you disable the core NFS infrastructure, HP-UX Bastille disables NIS, NIS+ and NFS. Actions Stop and disable NIS/NIS+ Server and Client.
  • Page 53 However, if configured correctly and used in conjunction with management software, these daemons can dramatically improve accessibility and response time to problems when they occur. If this is disabled, network management software such as HP OpenView which relies on SNMP does not work. Actions: If running, stop process snmpdm.
  • Page 54 Staying up-to-date on security bulletins issued by Hewlett-Packard is critical. These tools are the easiest way to make sure this system is compliant with the steps required in HP security bulletins. A subscription to the HP security bulletin mailing list provides the latest security fixes from HP.
  • Page 55 You can create "Authorized Use Only" messages for your site. These can be helpful in prosecuting system crackers you catch trying to break into your system. HP-UX Bastille makes default messages that you can edit. This is like an "anti-welcome mat" for your system.
  • Page 56 Description The bootpd daemon implements three functions: a DHCP server, an Internet Boot Protocol (BOOTP) server, and a DHCP/BOOTP relay agent. If this system is not a BOOTP/DHCP server or a DHCP/BOOTP relay agent, HP recommends disabling this service. Actions: Comment out the entry for bootp in the /etc/inetd.conf file.
  • Page 57 This service can be used to determine user information on a given machine in preparation for a brute-force password attack like a dictionary attack. HP recommends disabling this service unless compelled by application specific needs.
  • Page 58 Samba administrator. Clear-text passwords are passed through the network if a connection is initiated from an outside source. This form of authentication is easily defeated and HP recommends not running the swat service on this machine.
  • Page 59 Hunt or Ettercap. The standard practice among security-conscious sites is to migrate as rapidly as practical from Telnet to Secure Shell (command: ssh). HP recommends making this move as soon as possible. Secure Shell implementations are available from openssh.org and ssh.com. Most operating system vendors also distribute a version of Secure Shell.
  • Page 60 You can further restrict access using the inetd.sec file or a program like tcpwrappers. If you answer Y to this question, HP-UX Bastille also points you to information on how to configure these tools.
  • Page 61 Daemon mode means that sendmail is constantly listening on a network connection waiting to receive mail. If you disable daemon mode, HP-UX Bastille asks if you would like to run sendmail every few minutes to process the queue of outgoing mail. Most programs send mail immediately, and processing the queue takes care of transient errors.
  • Page 63: D Sample Weight Files

    D Sample weight files
    D.1 all.weight
    The weight file below is located in /etc/opt/sec_mgmt/bastille/configs/defaults. This template file contains all possible HP-UX question items as selected.
    AccountSecurity.ABORT_LOGIN_ON_MISSING_HOMEDIR=1
    AccountSecurity.AUTH_MAXTRIES=1
    AccountSecurity.MIN_PASSWORD_LENGTH=1
    AccountSecurity.NOLOGIN=1
    AccountSecurity.NUMBER_OF_LOGINS_ALLOWED=1
    AccountSecurity.PASSWORD_HISTORY_DEPTH=1
    AccountSecurity.PASSWORD_MAXDAYS=1
    AccountSecurity.PASSWORD_MINDAYS=1
    AccountSecurity.PASSWORD_WARNDAYS=1
    AccountSecurity.SU_DEFAULT_PATH=1
    AccountSecurity.atuser=1
    AccountSecurity.block_system_accounts=1
    AccountSecurity.create_securetty=1
    AccountSecurity.crontabs_file=1
    AccountSecurity.cronuser=1
    AccountSecurity.gui_login=1
    ...
  • Page 64: Cis.weight

    MiscellaneousDaemons.disable_bind=1
    MiscellaneousDaemons.disable_ptydaemon=1
    MiscellaneousDaemons.disable_pwgrd=1
    MiscellaneousDaemons.disable_rbootd=1
    MiscellaneousDaemons.disable_smbclient=1
    MiscellaneousDaemons.disable_smbserver=1
    MiscellaneousDaemons.nfs_client=1
    MiscellaneousDaemons.nfs_core=1
    MiscellaneousDaemons.nfs_server=1
    MiscellaneousDaemons.nis_client=1
    MiscellaneousDaemons.nis_server=1
    MiscellaneousDaemons.nisplus_client=1
    MiscellaneousDaemons.nisplus_server=1
    MiscellaneousDaemons.nobody_secure_rpc=1
    MiscellaneousDaemons.other_boot_serv=1
    MiscellaneousDaemons.snmpd=1
    MiscellaneousDaemons.syslog_localonly=1
    MiscellaneousDaemons.xaccess=1
    Patches.spc_cron_run=1
    Patches.spc_run=1
    Printing.printing=1
    SecureInetd.banners=1
    SecureInetd.deactivate_bootp=1
    SecureInetd.deactivate_builtin=1
    SecureInetd.deactivate_dttools=1
    SecureInetd.deactivate_finger=1
    SecureInetd.deactivate_ftp=1
    SecureInetd.deactivate_ident=1
    SecureInetd.deactivate_ktools=1
    SecureInetd.deactivate_ntalk=1
    SecureInetd.deactivate_printer=1
    SecureInetd.deactivate_recserv=1
    SecureInetd.deactivate_rquotad=1
    SecureInetd.deactivate_rtools=1
    SecureInetd.deactivate_swat=1
    SecureInetd.deactivate_telnet=1
    SecureInetd.deactivate_tftp=1
    SecureInetd.deactivate_time=1
    SecureInetd.deactivate_uucp=1
    SecureInetd.ftp_logging=1
    SecureInetd.log_inetd=1
    SecureInetd.owner=1
    Sendmail.sendmailcron=1
    ...
  • Page 65
    AccountSecurity.restrict_home=1
    AccountSecurity.root_path=1
    AccountSecurity.serial_port_login=1
    AccountSecurity.system_auditing=1
    AccountSecurity.umask=1
    AccountSecurity.unowned_files=1
    AccountSecurity.user_dot_files=1
    AccountSecurity.user_rc_files=1
    Apache.deactivate_hpws_apache=1
    FTP.ftpbanner=1
    FTP.ftpusers=1
    HP_UX.gui_banner=1
    HP_UX.ndd=1
    HP_UX.screensaver_timeout=1
    HP_UX.stack_execute=1
    HP_UX.tcp_isn=1
    MiscellaneousDaemons.configure_ssh=1
    MiscellaneousDaemons.disable_bind=1
    MiscellaneousDaemons.disable_ptydaemon=1
    MiscellaneousDaemons.disable_rbootd=1
    MiscellaneousDaemons.disable_smbclient=1
    MiscellaneousDaemons.disable_smbserver=1
    MiscellaneousDaemons.nfs_client=1
    MiscellaneousDaemons.nfs_core=1
    MiscellaneousDaemons.nfs_server=1
    MiscellaneousDaemons.nis_client=1
    MiscellaneousDaemons.nis_server=1
    MiscellaneousDaemons.nisplus_client=1
    MiscellaneousDaemons.nisplus_server=1
    MiscellaneousDaemons.nobody_secure_rpc=1
    MiscellaneousDaemons.other_boot_serv=1
    MiscellaneousDaemons.snmpd=1
    MiscellaneousDaemons.syslog_localonly=1
    MiscellaneousDaemons.xaccess=1
    Printing.printing=1
    SecureInetd.banners=1
    SecureInetd.deactivate_bootp=1
    SecureInetd.deactivate_builtin=1
    SecureInetd.deactivate_dttools=1
    SecureInetd.deactivate_finger=1
    SecureInetd.deactivate_ftp=1
    SecureInetd.deactivate_ident=1
    SecureInetd.deactivate_ktools=1
    ...
  • Page 67: E Cis Mapping To Hp-Ux Bastille

    E CIS mapping to HP-UX Bastille
    Level 1 benchmark for HP-UX 11i (v1.5.0) mapping to HP-UX Bastille (CIS ID, CIS benchmark section: HP-UX Bastille lock-down items)
    Patches and Additional Software
    1.1.1 Apply latest OS patches: Not Scorable
    1.1.2 Install and configure SSH: MiscellaneousDaemons.configure_ssh
    ...
  • Page 68
    1.3.7 Disable other standard boot services: MiscellaneousDaemons.disable_rbootd, MiscellaneousDaemons.nfs_server, MiscellaneousDaemons.nfs_client, MiscellaneousDaemons.disable_ptydaemon, Apache.deactivate_hpws_apache, MiscellaneousDaemons.snmpd, MiscellaneousDaemons.nfs_core, MiscellaneousDaemons.other_boot_serv, MiscellaneousDaemons.disable_smbclient, MiscellaneousDaemons.disable_smbserver, MiscellaneousDaemons.disable_bind
    1.3.8 Only enable Windows-compatibility server processes: Not Applicable
    1.3.9 Only enable Windows-compatibility client processes: Not Applicable
    1.3.10 ...
  • Page 69
    1.7.1 Enable kernel-level auditing: AccountSecurity.system_auditing
    1.7.2 Enable logging from inetd: SecureInetd.log_inetd
    1.7.3 Turn on additional logging for FTP daemon: SecureInetd.ftp_logging
    User Accounts and Environment
    1.8.1 Block system accounts: AccountSecurity.block_system_accounts
    ...
  • Page 71: Index

    Index
    assessing, 11
    weight files, samples, 63
    workarounds, 21
    compatibility, 8
    configuration, batch mode, 13
    configuration, creating, 11
    configuration, replicating, 11
    configuration, Serviceguard, 31
    drift, 17
    features, 7
    file locations, 17
    installation requirements, 9
    installing, 9
    ITS, 27
    known issues, 21
    performance, 8
    question modules, 33
    related information, 23
    removing, 19
    ...
