Choosing security levels | HP UX Bastille Software specification

A Install-Time Security (ITS) using HP-UX Bastille

Install-Time Security (ITS) adds a security step to the installation or update process. This additional step allows the HP-UX Bastille security lock-down engine to run during system installation with one of four configurations ranging from default security to DMZ. ITS includes the following bundles:

•Sec00Tools (recommended software bundle)

•Sec10Host (optional software bundle)

•Sec20MngDMZ (optional software bundle)

•Sec30DMZ (optional software bundle)

A.1 Choosing security levels

At cold install or update time, you can choose one of the security levels listed in Table A-1. Each level provides incrementally higher security.

Table A-1 Security levels

Security level	Configuration file name1
Sec00Tools2	Not applicable
Sec10Host3	HOST.config
Sec20MngDMZ3	MANDMZ.config
Sec30DMZ3	DMZ.config

Description

The Install Time Security infrastructure. No security changes.

Host-based lock down with firewall pre-enablement. Some common clear-text services are turned off, excluding Telnet and FTP.

Lock down that allows secure management. IPFilter firewall blocks incoming connections except common, relatively safe, management protocols.

Network-DMZ lock down. IPFilter blocks all incoming connections except HP-UX Secure Shell.

1Configuration files are installed in /etc/opt/sec_mgmt/bastille/configs/defaults.

2 Sec00Tools is installed by default.

3 Sec10Host, Sec20MngDMZ, and Sec30DMZ are selectable.

NOTE: When you select either the Sec20MngDMZ or Sec30DMZ security level, IPFilter restricts inbound network connections. For more information on how to add inbound ports to your /etc/ opt/ipf.customerrules file, see the HP-UX IPFilter (Version A.03.05.09 and later)

Administrator's Guide and the HP-UX System Administrator's Guide.

Using one of these security levels applies a default security profile, simplifying the lock-down process. The following tables list the services and protocols affected by each security level.

A.1 Choosing security levels

27

Image 27

HP UX Bastille Software manual Install-Time Security ITS using HP-UX Bastille, Choosing security levels

Contents

HP-UX Bastille Version B.3.3 User Guide Trademark Acknowledgments Table of Contents Index HP-UX Bastille user interface Standard assessment report List of Figures Question modules Security levels List of Tables About this product Features and benefits Compatibility PerformanceSupport Installing HP-UX Bastille Installation requirementsInstallation Page Creating a security configuration profile Using HP-UX Bastille 1shows the main screen of the HP-UX Bastille user interface If the Path environment variable has not been updated, use Assessing a system Configuring a system Is not always detected. HP-UX Bastille might not detect all Using scored reportsAccepted standard configurations are detected Configuration for the corresponding question is not Scored assessment report # bastille -r Reverting Monitoring drift Locating filesFor more information, see bastilledrift1M Var/opt/secmgmt/bastille/log/Assessment/Drift.txt Removing HP-UX Bastille Check for a TOREVERT.txt fileIf the file exists, complete the actions listed Page General use tips TroubleshootingDiagnostic tips Known issues and workarounds Cannot use X because $DISPLAY is not set Problems opening, copying, or reading filesErrors related to individual configuration files HP-UX Bastille configures a firewall using IPFilter Support and other resources Contacting HPRelated information Typographic conventions Or damage to hardware or software To complete a taskSupplement important points of the main text Page Choosing security levels Install-Time Security ITS using HP-UX Bastille Enable kernel-based stack execute protection Table A-3 Additional Sec20MngDMZ security settings1 Choosing security dependencies Selecting security levels during installation Configuring HP-UX Bastille for use with Serviceguard Configuring Sec20MngDMZ or Sec30DMZ security levelsConfiguring Sec10Host level Page Question modules AccountSecurity.cronuser AccountSecurity.guiloginAccountSecurity.hidepasswords AccountSecurity.crontabsfile AccountSecurity.lockaccountnopasswd AccountSecurity.MINPASSWORDLENGTHAccountSecurity.NOLOGIN AccountSecurity.NUMBEROFLOGINSALLOWED AccountSecurity.PASSWORDMAXDAYS AccountSecurity.NUMBEROFLOGINSALLOWEDynAccountSecurity.PASSWORDHISTORYDEPTH AccountSecurity.PASSWORDHISTORYDEPTHyn AccountSecurity.restricthome AccountSecurity.passwordpoliciesAccountSecurity.serialportlogin AccountSecurity.singleuserpassword AccountSecurity.umask AccountSecurity.SUDEFAULTPATHAccountSecurity.SUDEFAULTPATHyn AccountSecurity.systemauditing AccountSecurity.userrcfiles AccountSecurity.umaskynAccountSecurity.unownedfiles AccountSecurity.userdotfiles Apache.chrootapache Apache.deactivatehpwsapacheDNS.chrootbind FTP.ftpusers FilePermissions.worldwriteable HPUX.mailconfig HPUX.guibannerHPUX.ndd HPUX.othertools HPUX.stackexecute HPUX.screensavertimeoutHPUX.restrictswacls HPUX.scanports HPUX.tcpisn IPFilter.blockcfservdIPFilter.blockDNSquery Hids does not IPFilter.blockhpidsadminIPFilter.blockhpidsagent You are managing some remote Hids agents, answer no IPFilter.blockSecureShell Default 192.168.1.0/255.255.255.0 DescriptionIPFilter.blocknetrange IPFilter.blockping Otherwise, answer no to this question IPFilter.blockwebadminIPFilter.configureipfilter IPFilter.blockwbemPage IPFilter.installipfilter MiscellaneousDaemons.configuresshMiscellaneousDaemons.diagnosticslocalonly MiscellaneousDaemons.disablerbootd MiscellaneousDaemons.disablebindMiscellaneousDaemons.disableptydaemon MiscellaneousDaemons.disablepwgrd MiscellaneousDaemons.nobodysecurerpc MiscellaneousDaemons.disablesmbclientMiscellaneousDaemons.disablesmbserver MiscellaneousDaemons.nfscore MiscellaneousDaemons.xaccess OtherbootservMiscellaneousDaemons.sysloglocalonly Patches.spcrun Patches.spccronrunPatches.spccrontime Patches.spcproxyyn SecureInetd.deactivatebootp Printing.printingSecureInetd.banners SecureInetd.deactivateftp SecureInetd.deactivatebuiltinSecureInetd.deactivatedttools SecureInetd.deactivatefinger SecureInetd.deactivateprinter SecureInetd.deactivateidentSecureInetd.deactivatektools SecureInetd.deactivatentalk SecureInetd.deactivateswat SecureInetd.deactivaterecservSecureInetd.deactivaterquotad SecureInetd.deactivatertools SecureInetd.ftplogging SecureInetd.deactivatetftpSecureInetd.deactivatetime SecureInetd.deactivateuucp Sendmail.sendmailcron SecureInetd.loginetdSecureInetd.inetdgeneral SecureInetd.owner Sendmail.vrfyexpn Sendmail.sendmaildaemonPage All.weight Sample weight files Sample weight file below aligns with the CIS standard CIS.weight CIS.weight Page CIS ID CIS mapping to HP-UX Bastille Apache.deactivatehpwsapache AccountSecurity.lockaccountnopasswd Page Index