1 About this product

HP-UX Bastille is a system hardening and reporting program that enhances the security of the HP-UX operating system by consolidating essential hardening and lock-down checklists from industry and government security organizations, and making them accessible to administrators in an easy-to-use package. The HP-UX Bastille GUI guides users through creating a custom security configuration profile. The policy configuration engine hardens HP-UX to specification by locking down each selected security item. Security items include:

Configuring daemons, services, firewalls, and client software to use more secure settings

Disabling unused or unneeded inetd services

Creating chroot jails for commonly used server programs

Assessing the current HP-UX system against all relevant lock-down items with the reporting feature

Applying saved configuration profiles to multiple similar machines with a command-line batch mode

These HP-UX Bastille features ease compliance with regulatory requirements and industry-consensus security benchmarks like the Center for Internet Security (CIS) benchmark. HP-UX Bastille also facilitates internal and external security audits.

NOTE: HP-UX Bastille is built from the open-source, cross-platform software program Bastille. HP made significant contributions to the open-source Bastille software over many years. The original Linux version is now named Bastille-Linux to avoid confusion with other cross-platform implementations, and is not covered by this document.

1.1 Features and benefits

HP-UX Bastille provides the following features and benefits:

Locks down the system

Increases security by configuring daemons and system settings

Turns off unnecessary services such as pwgrd

Assists with creation of chroot jails to partially limit the vulnerability of common internet services such as web servers and DNS

Configures automatic runs of Software Assistant (SWA) or Security Patch Check

Configures an IPFilter-based firewall

Provides an interactive, wizard-style GUI interface

Guides users to optimize the trade-off between security, usability, and functionality

Explanatory text helps less experienced administrators make appropriate security decisions

Reports security configuration state

Generates reports in HTML, text, and config file format

Establishes a baseline for comparison to later configuration differences with the bastille_drift command

Returns the security configuration to the state before HP-UX Bastille was run with the revert -r feature

Provides a safety net in case of unexpected incompatible changes when hardening running systems

Integrates with HP Systems Insight Manager (SIM)

Lock-down and reporting available from SIM menus

SIM.config pretested configuration for SIM server lock down
