Using Hp-Ux Bastille; Creating A Security Configuration Profile - HP UX Bastille User Manual

Version b.3.3
3 Using HP-UX Bastille

HP-UX Bastille provides three main services:
Creating a security configuration profile for a system
An X Window GUI user interface presents a series of questions that explain a security issue
and describe the resulting action needed to lock down the HP-UX system. Each question
also describes the high-level cost and benefit of each decision. The user decides how HP-UX
Bastille handles the issues during lock down. After answering all questions, HP-UX Bastille
presents the option to save the security configuration profile information in a default
configuration file, and use the configuration file to lock down the system. Alternatively, the
user can choose to save the security configuration profile in a custom-named configuration
file without continuing to lock down the system.
Configuring a system (hardening/lock down)
Reading from a configuration file, the HP-UX Bastille configuration-policy engine
automatically completes each lock-down step and produces a list of the remaining actions
that the user must manually perform to complete the lock-down process. Log files are
produced to record all actions taken and any errors encountered during the configuration
process. The configuration service is invoked either during the interactive session to create
a configuration file (see above), or from the command line using the batch-mode option.
The command-line mode is useful for replicating a security configuration to multiple
machines, or when using one of the predefined configuration files supplied with HP-UX
Bastille. In these cases, an alternative configuration file is specified by using the -f option.
Assessing a system
HP-UX Bastille assesses the existing security configuration state of an HP-UX system by
testing the system against each security issue. A reporting module creates files that contain
an itemized summary of the current security status of the system configuration. Files are
produced in HTML, text, and configuration formats. The percentage of weighted items secured
properly is generated. This service can be used to audit a large number of machines that have
the same operating system and applications installed. Scored assessment reports can be used
to select only a subset of the security issues.
The most common use of HP-UX Bastille is on a single machine, using the GUI interface to
create and apply a customized security configuration profile in the same session. Only the
default configuration file is used. If modifications are required later, the HP-UX Bastille GUI
interface is invoked again to make changes and apply them in the same session.
If multiple machines or configuration files must be managed, the creation and application
of security configuration profiles are usually independent, scripted operations. In that
case, the non-interactive command-line options are more useful when configuring a system.
For example, with a set of similar HP-UX servers, a single initial "golden" configuration file
can be created on one machine with the GUI interface, then copied and applied to all the
other machines with the batch-mode option. Similarly, if multiple configuration files are
needed, then scripts using the -f option are frequently used.
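A scripted rollout of a golden profile as just described, as an added example that is not part of this manual. It assumes batch mode is invoked with -b (the page names only the batch-mode option and -f), that the default profile is /etc/opt/sec_mgmt/bastille/config, that a profile consists of Module.Question="answer" lines, and that the target hosts accept root ssh/scp; hosts.txt is a constructed input.

```shell
#!/bin/sh
# Added example: copy one "golden" HP-UX Bastille profile to many hosts and apply
# it there in batch mode. Assumed (not stated on this page): batch mode is
# "bastille -b", the default profile lives at /etc/opt/sec_mgmt/bastille/config,
# profile lines look like Module.Question="answer", and root ssh/scp works.

GOLDEN=${GOLDEN:-/etc/opt/sec_mgmt/bastille/config}
HOSTS_FILE=${HOSTS_FILE:-./hosts.txt}      # constructed input: one hostname per line
REMOTE_CFG=/var/tmp/bastille-golden.config
LOG=${LOG:-./bastille-rollout.log}

# Non-interactive apply command run on the remote host (-f is the manual's
# alternative-configuration-file option; -b for batch mode is assumed).
remote_apply_cmd() {
    printf 'bastille -b -f %s' "$1"
}

# Accept only a regular, readable file that contains at least one
# Module.Question= line, so an empty or wrong file is never rolled out.
validate_profile() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    grep -q '^[A-Za-z][A-Za-z0-9_]*\.[A-Za-z0-9_]*=' "$1"
}

# POSIX cksum CRC, available on HP-UX, used to confirm the copy is intact.
file_crc() {
    cksum "$1" | awk '{print $1}'
}

rollout() {
    validate_profile "$GOLDEN" || { echo "refusing: $GOLDEN is not a profile" >&2; return 1; }
    want=$(file_crc "$GOLDEN")
    while read -r host; do
        case $host in ''|\#*) continue ;; esac     # skip blanks and comments
        echo "== $host" >>"$LOG"
        scp -q "$GOLDEN" "root@$host:$REMOTE_CFG" \
            || { echo "$host: copy failed, skipping" >>"$LOG"; continue; }
        got=$(ssh "root@$host" "cksum $REMOTE_CFG" | awk '{print $1}')
        if [ "$got" != "$want" ]; then
            echo "$host: checksum mismatch ($got vs $want), skipping" >>"$LOG"
            continue
        fi
        # Bastille's own action log and list of remaining manual steps stay on the host.
        ssh "root@$host" "$(remote_apply_cmd "$REMOTE_CFG")" >>"$LOG" 2>&1 \
            || echo "$host: bastille exited non-zero, check its log" >>"$LOG"
    done <"$HOSTS_FILE"
}

# Run only when explicitly asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then rollout; fi
```

Review the rollout log afterwards: a host that was skipped for a copy failure or checksum mismatch has not been hardened at all, and one where bastille exited non-zero still needs its own log inspected.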

3.1 Creating a security configuration profile

1. Change to root user.
2. If using a remote X server, ensure that it is running, and that the local $DISPLAY variable
   is set correctly. Test using xterm or xclock.
3. Start HP-UX Bastille. If HP-UX Bastille is installed, the PATH environment variable has been
   updated. In this case, use:
   # bastille