HP UX Bastille Software manual Using HP-UX Bastille, Creating a security configuration profile

Page 11

3 Using HP-UX Bastille

HP-UX Bastille provides three main services:

Creating a security configuration profile for a system

An X Window GUI user interface presents a series of questions that explain a security issue and describe the resulting action needed to lock down the HP-UX system. Each question also describes the high-level cost and benefit of each decision. The user decides how HP-UX Bastille handles the issues during lock down. After answering all questions, HP-UX Bastille presents the option to save the security configuration profile information in a default configuration file, and use the configuration file to lock down the system. Alternatively, the user can choose to save the security configuration profile in a custom-named configuration file without continuing to lock down the system.

Configuring a system (hardening/lock down)

Reading from a configuration file, the HP-UX Bastille configuration-policy engine automatically completes each lock-down step and produces a list of the remaining actions that the user must manually perform to complete the lock-down process. Log files are produced to record all actions taken and any errors encountered during the configuration process. The configuration service is invoked either during the interactive session to create a configuration file (see above), or from the command line using the batch-mode option.

The command-line mode is useful for replicating a security configuration to multiple machines, or when using one of the predefined configuration files supplied with HP-UX Bastille. In these cases, an alternative configuration file is specified by using the -f option.

Assessing a system

HP-UX Bastille assesses the existing security configuration state of an HP-UX system by testing the system against each security issue. A reporting module creates files that contain an itemized summary of the current security status of the system configuration. Files are produced in HTML, text, and configuration formats. The percentage of weighted items that are secured properly is generated. This service can be used to audit a large number of machines that have the same operating system and applications installed. Scored assessment reports can be used to select only a subset of the security issues.
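To make the scored assessment concrete, here is an added Python illustration (not HP-UX Bastille's own code): it assumes a simplified weight-file layout ("Module.question weight" lines, where weight 0 excludes an item) and models each host's assessment as a name-to-boolean mapping; the sample hosts and weights are constructed here, while the question-module names are taken from this guide.

```python
# Added illustration of a weighted assessment score (not HP-UX Bastille's code).
# ASSUMPTIONS: results are modelled as module name -> bool (True = configured as
# the question recommends); weight lines are "Module.question weight", 0 = skip.
# Constructed results for two like hosts; module names are from the guide.
SAMPLE_FLEET = {
    "hpux-web01": {"AccountSecurity.umask": True, "AccountSecurity.MINPASSWORDLENGTH": False,
                   "SecureInetd.deactivatetftp": False, "HPUX.stackexecute": True,
                   "IPFilter.configureipfilter": False},
    "hpux-db01": {"AccountSecurity.umask": True, "AccountSecurity.MINPASSWORDLENGTH": True,
                  "SecureInetd.deactivatetftp": False, "HPUX.stackexecute": True,
                  "IPFilter.configureipfilter": True},
}
# Constructed weight file (layout assumed); weight 0 scores only a subset of issues.
SAMPLE_WEIGHTS = """\
# constructed weights: emphasise stack protection and password policy
AccountSecurity.umask 1
AccountSecurity.MINPASSWORDLENGTH 3
SecureInetd.deactivatetftp 2
HPUX.stackexecute 5
IPFilter.configureipfilter 0
"""

def parse_weights(text: str) -> dict[str, float]:
    """Parse 'name weight' lines, skipping blank lines and '#' comments."""
    weights = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split()
        if line:
            name, value = line
            weights[name] = float(value)
    return weights

def score(results: dict[str, bool], weights: dict[str, float]) -> tuple[float, list[str]]:
    """Return (percent of total weight secured, weighted items still unsecured)."""
    total = secured = 0.0
    todo = []
    for name, w in weights.items():
        if w == 0 or name not in results:  # excluded by weight, or not assessed here
            continue
        total += w
        if results[name]:
            secured += w
        else:
            todo.append(name)  # remaining action for the administrator
    pct = round(100.0 * secured / total, 1) if total else 0.0
    return pct, sorted(todo)

def fleet_scores(fleet: dict, weights: dict[str, float]) -> dict[str, float]:
    """Score every host with the same weights so like systems are comparable."""
    return {host: score(results, weights)[0] for host, results in fleet.items()}
```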

The most common use of HP-UX Bastille is on a single machine, using the GUI interface to create and apply a customized security configuration profile in the same session. Only the default configuration file is used. If modifications are required later, the HP-UX Bastille GUI interface is invoked again to make changes and apply them in the same session.

If multiple machines or configuration files must be managed, the creation and application of security configuration profiles are usually independent, scripted operations. In that case, the non-interactive command-line options may be more useful when configuring a system. For example, with a set of similar HP-UX servers, a single initial "golden" configuration file can be created on one machine with the GUI interface, then copied and applied to all the other machines with the batch-mode option. Similarly, if multiple configuration files are needed, scripts using the -f option are frequently used.

3.1 Creating a security configuration profile

1. Change to the root user.

2. If using a remote X server, ensure that it is running and that the local $DISPLAY variable is set correctly. Test using xterm or xclock.

3. Start HP-UX Bastille. When HP-UX Bastille is installed, the PATH environment variable is updated to include it. In this case, use:

# bastille

