Manuals / Brands / Computer Equipment / Software / HP / Computer Equipment / Software

HP UX Bastille Software 3.5 Monitoring drift, 3.6 Locating files

1 72

Download 72 pages, 1.59 Mb

IMPORTANT: When reverting to the configuration prior to the use of HP-UX Bastille, security configuration changes are undone temporarily. Other manual configuration changes or additional software installed after HP-UX Bastille was initially run might require a manual merge of configuration settings.

3.5 Monitoring drift

The bastille_drift program creates HP-UX Bastille configuration baselines and compares the current state of the system to a saved baseline. This enables the user to compare changes, if any, against a saved baseline.

NOTE: When first run successfully, HP-UX Bastille automatically saves a baseline in the default location /var/opt/sec_mgmt/bastille/baselines.

You can use HP-UX Bastille to monitor drift as follows:

•To save a baseline:

#bastille_drift --save_baseline baseline

•To compare the current state of the system to a saved baseline:

#bastille_drift --from_baseline baseline

Run the bastille_drift utility when new software or patches are installed to check for changes in the system. The bastille_drift utility also identifies system changes when swverify is run using -x fix=true or the -Foption for vendor-specific fix scripts.

For more information, see bastille_drift(1M).

3.6 Locating files

This section describes the location of important files.

The configuration file contains the answers to the most recently saved session.

/etc/opt/sec_mgmt/bastille/config

The error log contains any errors HP-UX Bastille encountered while making changes to the system.

/var/opt/sec_mgmt/bastille/log/error-log

The action log contains the specific steps that HP-UX Bastille performed when making changes to the system.

/var/opt/sec_mgmt/bastille/log/action-log

The TODO.txt file list contains the tasks the must be completed to ensure the system is secure.

/var/opt/sec_mgmt/bastille/TODO.txt

The revert-actionsscript is part of the revert feature. It returns the changed files to the state they were in before HP-UX Bastille was run.

/var/opt/sec_mgmt/bastille/revert/revert-actions

The TOREVERT.txt file contains the tasks that must be completed to finish reverting the machine to the state it was in before HP-UX Bastille was run.

/var/opt/sec_mgmt/bastille/TOREVERT.txt

The assessment reports are available as HTML, text, and a configuration file.

/var/opt/sec_mgmt/bastille/log/Assessment/assessment-report.html

/var/opt/sec_mgmt/bastille/log/Assessment/assessment-report.txt

/var/opt/sec_mgmt/bastille/log/Assessment/assessment-report-log.txt

3.5 Monitoring drift

17

Contents

Page Page Table of Contents Install-Time Security (ITS) using C Question modules D Sample weight files E CIS mapping to List of Figures List of Tables 1 About this product 1.1 Features and benefits 1.2Compatibility 1.3 Performance 1.4 Support 2 Installing HP-UXBastille 2.1 Installation requirements 2.2Installation Page 3 Using HP-UXBastille 3.1Creating a security configuration profile Page 3.2Configuring a system 3.3 Assessing a system 3.3.1 Using scored reports Page 3.4 Reverting 3.5 Monitoring drift 3.6 Locating files Page 4 Removing HP-UXBastille Page 5 Troubleshooting 5.1 Diagnostic tips 5.2General use tips 5.3Known issues and workarounds 5.3.2 Cannot use X because $DISPLAY is not set 5.3.3 System is in original state 5.3.4 HP-UXBastille must be run as root 5.3.5 Problems opening, copying, or reading files 5.3.6 Errors related to individual configuration files 6 Support and other resources 6.1 Contacting HP 6.2 Related information 6.3 Typographic conventions Page Page A Install-TimeSecurity (ITS) using HP-UXBastille A.1 Choosing security levels Page Page A.2 Choosing security dependencies A.3 Selecting security levels during installation B Configuring HP-UXBastille for use with Serviceguard B.1 Configuring Sec20MngDMZ or Sec30DMZ security levels B.2 Configuring Sec10Host level Page C Question modules AccountSecurity.crontabs_file AccountSecurity.cronuser AccountSecurity.gui_login AccountSecurity.hidepasswords AccountSecurity.lock_account_nopasswd AccountSecurity.mesgn AccountSecurity.MIN_PASSWORD_LENGTH AccountSecurity.NOLOGIN AccountSecurity.NUMBER_OF_LOGINS_ALLOWED AccountSecurity.NUMBER_OF_LOGINS_ALLOWEDyn AccountSecurity.PASSWORD_HISTORY_DEPTH AccountSecurity.PASSWORD_HISTORY_DEPTHyn AccountSecurity.PASSWORD_MAXDAYS AccountSecurity.PASSWORD_MINDAYS AccountSecurity.passwordpolicies AccountSecurity.restrict_home AccountSecurity.root_path AccountSecurity.serial_port_login AccountSecurity.single_user_password AccountSecurity.SU_DEFAULT_PATH AccountSecurity.SU_DEFAULT_PATHyn AccountSecurity.system_auditing AccountSecurity.umask AccountSecurity.umaskyn AccountSecurity.unowned_files AccountSecurity.user_dot_files AccountSecurity.user_rc_files Apache.chrootapache Apache.deactivate_hpws_apache DNS.chrootbind FilePermissions.world_writeable FTP.ftpbanner FTP.ftpusers HP_UX.gui_banner HP_UX.mail_config HP_UX.ndd HP_UX.other_tools HP_UX.restrict_swacls HP_UX.scan_ports HP_UX.screensaver_timeout HP_UX.stack_execute HP_UX.tcp_isn IPFilter.block_cfservd IPFilter.block_DNSquery IPFilter.block_hpidsadmin IPFilter.block_hpidsagent IPFilter.block_netrange IPFilter.block_ping IPFilter.block_SecureShell IPFilter.block_wbem IPFilter.block_webadmin IPFilter.configure_ipfilter Page IPFilter.install_ipfilter MiscellaneousDaemons.configure_ssh MiscellaneousDaemons.diagnostics_localonly MiscellaneousDaemons.disable_bind MiscellaneousDaemons.disable_ptydaemon MiscellaneousDaemons.disable_pwgrd MiscellaneousDaemons.disable_rbootd MiscellaneousDaemons.disable_smbclient MiscellaneousDaemons.disable_smbserver MiscellaneousDaemons.nfs_core MiscellaneousDaemons.nobody_secure_rpc MiscellaneousDaemons.snmpd MiscellaneousDaemons.syslog_localonly MiscellaneousDaemons.xaccess other_boot_serv Patches.spc_cron_run Patches.spc_cron_time Patches.spc_proxy_yn Patches.spc_run Printing.printing SecureInetd.banners SecureInetd.deactivate_bootp SecureInetd.deactivate_builtin SecureInetd.deactivate_dttools SecureInetd.deactivate_finger SecureInetd.deactivate_ftp SecureInetd.deactivate_ident SecureInetd.deactivate_ktools SecureInetd.deactivate_ntalk SecureInetd.deactivate_printer SecureInetd.deactivate_recserv SecureInetd.deactivate_rquotad SecureInetd.deactivate_rtools SecureInetd.deactivate_swat SecureInetd.deactivate_telnet SecureInetd.deactivate_tftp SecureInetd.deactivate_time SecureInetd.deactivate_uucp SecureInetd.ftp_logging SecureInetd.inetd_general SecureInetd.log_inetd SecureInetd.owner Sendmail.sendmailcron Sendmail.sendmaildaemon Sendmail.vrfyexpn Page D Sample weight files D.1 all.weight D.2 CIS.weight Page Page E CIS mapping to HP-UXBastille Page Page Page Index