A Install-Time Security (ITS) using HP-UX Bastille
Install-Time Security (ITS) adds a security step to the installation or update process. This additional
step allows the HP-UX Bastille security lock-down engine to run during system installation with
one of four configurations ranging from default security to DMZ. ITS includes the following
bundles:
• Sec00Tools (recommended software bundle)
• Sec10Host (optional software bundle)
• Sec20MngDMZ (optional software bundle)
• Sec30DMZ (optional software bundle)
A.1 Choosing security levels
At cold install or update time, you can choose one of the security levels listed in Table A-1. Each
level provides incrementally higher security.

Table A-1 Security levels

Security level    Configuration file name (1)   Description
Sec00Tools (2)    Not applicable                The Install Time Security infrastructure. No security changes.
Sec10Host (3)     HOST.config                   Host-based lock down with firewall pre-enablement. Some common clear-text services are turned off, excluding Telnet and FTP.
Sec20MngDMZ (3)   MANDMZ.config                 Lock down that allows secure management. IPFilter firewall blocks incoming connections except common, relatively safe, management protocols.
Sec30DMZ (3)      DMZ.config                    Network-DMZ lock down. IPFilter blocks all incoming connections except HP-UX Secure Shell.

(1) Configuration files are installed in /etc/opt/sec_mgmt/bastille/configs/defaults.
(2) Sec00Tools is installed by default.
(3) Sec10Host, Sec20MngDMZ, and Sec30DMZ are selectable.

NOTE:
When you select either the Sec20MngDMZ or Sec30DMZ security level, IPFilter restricts
inbound network connections. For more information on how to add inbound ports to your
/etc/opt/ipf.customerrules file, see the HP-UX IPFilter (Version A.03.05.09 and later)
Administrator's Guide and the HP-UX System Administrator's Guide.

Using one of these security levels applies a default security profile, simplifying the lock-down
process. The following tables list the services and protocols affected by each security level.