About This Product; Features And Benefits - HP UX Bastille User Manual

Version b.3.3

1 About this product

HP-UX Bastille is a system hardening and reporting program that enhances the security of the
HP-UX operating system by consolidating essential hardening and lock-down checklists from
industry and government security organizations, and making them accessible to administrators
in an easy-to-use package. The HP-UX Bastille GUI guides users through creating a
custom security configuration profile. The policy configuration engine hardens HP-UX to
specification by locking down each selected security item. Security items include:
• Configuring daemons, services, firewalls, and client software to use more secure settings
• Disabling unused or unneeded inetd services
• Creating chroot jails for commonly used server programs
• Assessing the current HP-UX system against all relevant lock-down items with the reporting
  feature
• Applying saved configuration profiles to multiple similar machines with a command-line
  batch mode
These HP-UX Bastille features ease compliance with regulatory requirements and
industry-consensus security benchmarks like the Center for Internet Security (CIS) benchmark.
HP-UX Bastille also facilitates internal and external security audits.
NOTE: HP-UX Bastille is built from the open-source, cross-platform software program Bastille.
HP made significant contributions to the open-source Bastille software over many years. The
original Linux version is now named Bastille-Linux to avoid confusion with other cross-platform
implementations, and is not covered by this document.

1.1 Features and benefits

HP-UX Bastille provides the following features and benefits:
• Locks down the system
  — Increases security by configuring daemons and system settings
  — Turns off unnecessary services such as pwgrd
  — Assists with creation of chroot jails to partially limit the vulnerability of common
    internet services such as web servers and DNS
  — Configures automatic runs of Software Assistant (SWA) or Security Patch Check
  — Configures an IPFilter-based firewall
• Provides an interactive, wizard-style GUI
  — Guides users to optimize the trade-off between security, usability, and functionality
  — Explanatory text helps less experienced administrators make appropriate security
    decisions
• Reports security configuration state
  — Generates reports in HTML, text, and config file format
  — Establishes a baseline for comparison to later configuration differences with the
    bastille_drift command
• Returns the security configuration to the state before HP-UX Bastille was run with the revert
  -r feature
  — Provides a safety net in case of unexpected incompatible changes when hardening
    running systems
• Integrates with HP Systems Insight Manager (SIM)
  — Lockdown and reporting available from SIM menus
  — SIM.config pretested configuration for SIM server lock down