HP-UX Bastille software manual: Configuring a system, Assessing a system

Page 13

Table 3-1 Question modules (continued)

Question module    Description
HP-UX              Configures security services that are unique to the HP-UX platform
IPFilter           Creates an IPFilter-based firewall

5. After you answer all the questions, the Save/Apply button appears. If you want to proceed to configuring the system, click the Save/Apply button to save and apply your configuration. HP-UX Bastille applies the changes as described in "Configuring a system" (page 13).

NOTE: You can use the menu bar to save or load a configuration file at any time during the process. However, a file saved that way can contain answers to additional questions that are not relevant to the target system; only a file saved with the Save/Apply button is tailored to the questions that apply. This button is at the end of the question list and becomes available only after all the questions are answered.

The Save/Apply mechanism always saves a copy in the default location /etc/opt/sec_mgmt/bastille/config. To save your configuration file in a location of your choice, use the File item on the menu bar.

3.2 Configuring a system

1. Depending on the mode you are using:

If you are running HP-UX Bastille in batch mode to make configuration changes:

If you are using the default configuration file path /etc/opt/sec_mgmt/bastille/config:

# bastille -b

Otherwise, specify the path to the configuration file explicitly with the -f option:

# bastille -b -f file

If you are continuing from an HP-UX Bastille GUI session that is creating or modifying the configuration file (see "Creating a security configuration profile" (page 11)), status messages from the configuration process appear in the GUI box.

2. Review the log files. To view a log in real time:

# tail -f <log file>

The action log contains the steps performed when the system was changed. It is created only if the changes are applied to the system. The action log is /var/opt/sec_mgmt/bastille/log/action-log.

The error log contains any errors encountered when the system was changed. It is created only if errors occur during execution. The error log is /var/opt/sec_mgmt/bastille/log/error-log.

3. Complete the items in the TODO.txt file. This list is located in /var/opt/sec_mgmt/bastille/TODO.txt.

NOTE: Changes must be applied to the system before the TODO.txt file is created.

The configuration is secure only after the items in the TODO.txt file are completed.
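The three steps above (choose the batch command, check the logs, then work through TODO.txt) are easy to get wrong in an automated build: an absent error log is good news, an absent action log means nothing was applied at all, and an absent TODO.txt after a successful apply is suspicious. The following POSIX sh wrapper is an added example, not part of the manual or of HP-UX Bastille itself. It uses only the paths and the -b and -f options documented above; BASTILLE_VARROOT is an assumption introduced so the checks can be run against a scratch directory instead of the real /var/opt/sec_mgmt/bastille tree, and the scratch tree built in demo() is constructed, not output from a real Bastille run.

```shell
#!/usr/bin/sh
# Added example: wrap the HP-UX Bastille batch-mode procedure and check its
# results. Paths follow the manual; BASTILLE_VARROOT is an assumption that
# lets the checks run against a scratch tree (default: the documented path).

BASTILLE_CONFIG_DEFAULT=/etc/opt/sec_mgmt/bastille/config
BASTILLE_VARROOT=${BASTILLE_VARROOT:-/var/opt/sec_mgmt/bastille}

# Print the batch-mode command line for a configuration file. Plain
# "bastille -b" reads the default file; any other path needs "-f".
bastille_batch_cmd() {
    cfg=${1:-$BASTILLE_CONFIG_DEFAULT}
    if [ "$cfg" = "$BASTILLE_CONFIG_DEFAULT" ]; then
        printf 'bastille -b\n'
    else
        printf 'bastille -b -f %s\n' "$cfg"
    fi
}

# Post-apply check, in the order a practitioner cares about. Exit codes:
#   0  changes applied, no error log, TODO.txt present
#   1  error-log exists: errors occurred during execution, read it first
#   2  no action-log: the changes were never applied to the system
#   3  applied without errors, but no TODO.txt to work through
bastille_post_apply_status() {
    root=${1:-$BASTILLE_VARROOT}
    [ -f "$root/log/action-log" ] || return 2
    [ -f "$root/log/error-log" ] && return 1
    [ -f "$root/TODO.txt" ] || return 3
    return 0
}

# Number of non-blank lines in TODO.txt; 0 when the file does not exist.
# Assumption: each outstanding item occupies at least one non-blank line.
bastille_todo_count() {
    root=${1:-$BASTILLE_VARROOT}
    if [ -f "$root/TODO.txt" ]; then
        grep -c '[^[:space:]]' "$root/TODO.txt" || :
    else
        printf '0\n'
    fi
}

# Demo against a constructed scratch tree (not a real Bastille run).
demo() {
    tmp=${TMPDIR:-/tmp}/bastille_demo.$$
    mkdir -p "$tmp/log"
    : > "$tmp/log/action-log"                       # pretend changes were applied
    printf 'Review the firewall rules.\n\nInstall pending patches.\n' > "$tmp/TODO.txt"
    bastille_batch_cmd                              # bastille -b
    bastille_batch_cmd /var/tmp/hardened.config     # bastille -b -f /var/tmp/hardened.config
    bastille_post_apply_status "$tmp"; echo "post-apply status: $?"   # 0
    echo "outstanding TODO items: $(bastille_todo_count "$tmp")"      # 2
    rm -rf "$tmp"
}

demo
```

The status function deliberately reports the error log before the missing TODO.txt: on a run that failed part-way, the action log and a partial TODO.txt may both exist, and the error log is what explains the state of the system.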

3.3 Assessing a system

HP-UX Bastille can assess the status of a system with the --assess or --assessnobrowser option. The --assess option displays the report in a local browser.

The --assessnobrowser option saves the report in the following file locations:

