HP UX Bastille Software manual

Page 49

configured. HP-UX Bastille cannot detect whether the rule-set is appropriate for your needs. HP-UX Bastille can create a very basic firewall configuration.

WARNING! Firewalls are designed to keep people out of your machine. Therefore, the features in this section have the ability to keep you out too.

Blocked communication can include traffic from management applications such as Serviceguard, System Insight Manager, OpenView, System Management Homepage, and others. To allow communication for any application that is not explicitly permitted by one of the follow-up questions, consult that application's firewall or HP-UX Bastille interaction documentation for the ports to accept, and add them to the ipf.customrules file described below. The HP-UX Networking Ports Reference Guide is also helpful. The most problematic communications are externally initiated, UDP, or RPC-based (externally initiated traffic is not covered by the tracking of outgoing connections described below, and RPC services use dynamically assigned ports). Be careful when answering these questions. Before logging out, verify that you can still log in to your machine remotely (and have physical access available just in case).

WARNING! IPFilter can only block traffic that is processed by the kernel. Some network cards take the processing of this traffic out of the kernel for performance reasons; this is referred to as a TOE, or TCP offload engine. If you are using such a card (they are used, for example, for iSCSI and 10Gb Ethernet), an IPFilter-based firewall will have no effect on traffic processed by that card. Local traffic is also not processed by IPFilter.

WARNING! This overwrites any existing firewall rules. If you already have sufficiently secure firewall rules in place, answer no to this question.

Answering yes to this question creates and applies firewall rules that:

Block incoming traffic with IP options set. These options (source routing, for example) are used frequently by attackers and infrequently for any other purpose.

Apply a custom rule-set from /etc/opt/sec_mgmt/bastille/ipf.customrules. The file as delivered with HP-UX Bastille allows all outgoing connections and keeps track of them (stateful filtering), so that traffic belonging to those connections is allowed back in. This custom rule-set also contains rules that do not log NetBIOS name service, NetBIOS datagram, and RPC portmap traffic, all of which can fill up your logs rather quickly on a large network.

This basic configuration allows most local applications to operate properly without letting attackers in through ports you do not use. You can add custom rules that better fit the specific needs of your environment. If you modify the custom file, rerun the HP-UX Bastille back end (bastille -b) to apply the new rule-set.

IMPORTANT: Changing this file can either increase or decrease the security of your system. After applying this custom configuration, verify both the active rule-set and the ipf.conf file to make sure the result is what you intended.
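The following rule set is an added illustration of the behaviour described above, written in IPFilter syntax. It is not the ipf.customrules file shipped with HP-UX Bastille and not HP-UX Bastille's own code; the inbound ssh allow rule, the port numbers, the separate TCP/UDP/ICMP outbound rules and the final logging block are assumptions made here to show how the pieces fit together and in what order they must appear.

```ipfilter
# Added illustration of an HP-UX Bastille style IPFilter rule set.
# NOT the delivered ipf.customrules file: it reconstructs the behaviour
# the manual describes. IPFilter evaluates rules top to bottom and
# "quick" stops evaluation at the first match, so order matters.
# The ssh rule, port numbers and final logging block are assumptions.

# 1. Drop and log any inbound packet carrying IP options (source routing,
#    record route, ...) before anything else is considered.
block in log quick all with ipopts

# 2. Allow all outbound connections and remember them in the state table,
#    so replies belonging to those connections are let back in without a
#    separate "pass in" rule. "flags S" creates the TCP state entry only
#    on the initial SYN, not on stray ACK/RST packets.
pass out quick proto tcp  from any to any flags S keep state
pass out quick proto udp  from any to any keep state
pass out quick proto icmp from any to any keep state

# 3. Site-specific allows go here. Inbound ssh is assumed so that the
#    remote session used to run HP-UX Bastille survives the rule load
#    (see the lock-out warning). Add the ports your management
#    applications need in the same way; externally initiated and
#    RPC-based traffic will not work without explicit rules here.
pass in quick proto tcp from any to any port = 22 flags S keep state

# 4. Chatty broadcast and RPC traffic is dropped WITHOUT "log" so it does
#    not fill the IPFilter log on a large network: NetBIOS name service
#    (137/udp), NetBIOS datagram (138/udp) and RPC portmap (111/tcp+udp).
#    These must come before the logging catch-all in step 5.
block in quick proto udp     from any to any port = 137
block in quick proto udp     from any to any port = 138
block in quick proto tcp/udp from any to any port = 111

# 5. Everything else that arrives unsolicited is blocked and logged.
block in log all
```

After HP-UX Bastille has applied the rule set (bastille -b), compare the running rules with the file rather than trusting the file alone: ipfstat -io lists the active inbound and outbound rules, and ipfstat -hio adds per-rule hit counts, which quickly shows whether your new allow rule is actually being matched or whether traffic is falling through to the final block rule.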

WARNING! If IPFilter is not enabled on your system, HP-UX Bastille enables it. This can bring down the network stack for about 10-15 seconds. All connections should be restored at that point, but all connections will suspend and some may be lost (including HP-UX Bastille's own UI session).

If your HP-UX Bastille connection is lost, check the results by running bastille -l to see whether HP-UX Bastille correctly applied your configuration, or consult the action log for more detail. You can also save the HP-UX Bastille configuration file and run bastille -b on a console to watch HP-UX Bastille's full output in real time.
