3 Using HP-UX Bastille
HP-UX Bastille provides three main services:
•Creating a security configuration profile for a system
An X Window GUI user interface presents a series of questions that explain a security issue and describe the resulting action needed to lock down the HP-UX system. Each question also describes the high-level cost and benefit of each decision. The user decides how HP-UX Bastille handles the issues during lock down. After answering all questions, HP-UX Bastille presents the option to save the security configuration profile information in a default configuration file, and use the configuration file to lock down the system. Alternatively, the user can choose to save the security configuration profile in a custom-named configuration file without continuing to lock down the system.
•Configuring a system (hardening/lock down)
Reading from a configuration file, the HP-UX Bastille configuration-policy engine automatically completes each lock-down step and produces a list of the remaining actions that the user must manually perform to complete the lock-down process. Log files are produced to record all actions taken and any errors encountered during the configuration process. The configuration service is invoked either during the interactive session to create a configuration file (see above), or from the command line using the batch-mode option.
The command-line mode is useful for replicating a security configuration to multiple machines, or when using one of the predefined configuration files supplied with HP-UX Bastille. In these cases, an alternative configuration file is specified by using the -foption.
•Assessing a system
HP-UX Bastille assesses the existing security configuration state of an HP-UX system by testing the system against each security issue. A reporting module creates files that contain an itemized summary of the current security status of the system configuration. Files are produced in HTML, text, and configuration formats. The percentage of weight items secured properly is generated. This service can be used to audit a large number machines that have the same operating system and applications installed. Scored assessment reports can be used to select only a subset of the security issues.
The most common use of HP-UX Bastille is on a single machine, using the GUI interface to create and apply a customized security configuration profile in the same session. Only the default configuration file is used. If modifications are required later, the HP-UX Bastille GUI interface is invoked again to make changes and apply them in the same session.
If multiple machines or configuration files must be managed, the creation and application of security configuration profiles are usually independent operations and scripted. In that case, non-interactive command-line options may be more useful when configuring a system. For example, with a set of similar HP-UX servers, a single initial "golden" configuration file can be created on one machine with the GUI interface, then copied and applied to all the other machines with the batch-mode option. Similarly, if multiple configuration files are needed, then scripts using the -foption are frequently used.
3.1Creating a security configuration profile
1.Change to root user.
2.If using a remote X server, ensure that it is running, and that the local $DISPLAY variable is set correctly. Test using xterm or xclock.
3.Start HP-UX Bastille. If HP-UX Bastille is installed, the PATH environment variable has been updated. In this case, use:
# bastille