HP-UX 11i Version 2 Installation and Update Guide: HP Integrity Servers and HP Workstations > Chapter 2 Choosing a Migration Path

Install-time Security Considerations


Beginning with HP-UX 11i v2, HP-UX Bastille (B6849AA) is included as default-installed software on the Operating Environment media and can be installed with Ignite-UX or Update-UX.

HP-UX Bastille is a security hardening/lockdown tool that can be used to enhance security of the HP-UX operating system. It provides customized lockdown on a system-by-system basis by encoding functionality similar to Bastion Host and other hardening/lockdown checklists.

NOTE: For more information about HP-UX Bastille, see the HP-UX 11i Version 2 Release Notes and Managing Systems and Workgroups.

At install- or update-time, you can choose one of the following security configuration bundles with each bundle providing incrementally higher security:

Table 2-2 Predefined Security Configuration Bundles

Bundle Name     Configuration File Name[1]  Description
Sec00Tools[2]   -                           The install-time security infrastructure; no security changes
Sec10Host[3]    HOST.config                 Host-based lockdown: no firewall; some common clear-text services turned off, excluding Telnet and FTP
Sec20MngDMZ[3]  MANDMZ.config               Lockdown: IPFilter firewall blocks incoming connections except common, secured, management protocols
Sec30DMZ[3]     DMZ.config                  Full lockdown: IPFilter blocks all incoming connections except HP-UX Secure Shell

[1] Configuration files are installed to /etc/opt/sec_mgmt/bastille.

[2] This is a default-installed bundle.

[3] This is a selectable bundle.


Security Choice Dependencies

The Sec00Tools security infrastructure bundle is default-installed on your system. While this bundle does not implement any security changes at install- or update-time, it does ensure that the required software (see Figure 2-1 “Install-time Security Software Dependencies”) is installed. By installing Sec00Tools, you can opt to run HP-UX Bastille at a later time to lock down your system.

Alternatively, you can lock down your system using one of the following selectable security configuration bundles at install- or update-time:

  • Sec10Host

  • Sec20MngDMZ

  • Sec30DMZ

These bundles are dependent on the Sec00Tools bundle.

Figure 2-1 Install-time Security Software Dependencies

Secured Services and Protocols

Each security configuration bundle provides incrementally higher security by locking down various protocols and services. HP-UX Bastille uses a series of questions to determine which services and protocols to secure. Using one of the Install-time Security Configuration bundles applies a default security profile, simplifying the lockdown process.

The following tables detail the services and protocols affected by each security bundle listed in Table 2-2 “Predefined Security Configuration Bundles” if you choose to apply one at install- or update-time.

  • Table 2-3 lists the security settings for Sec10Host. These settings also apply to Sec20MngDMZ and Sec30DMZ.

  • Table 2-4 lists the security settings applied with Sec20MngDMZ, in addition to the settings in Table 2-3.

  • Table 2-5 lists the security settings applied with Sec30DMZ. These settings are in addition to the settings applied in Table 2-3 and Table 2-4.

IMPORTANT: Review these tables carefully. Some of the locked-down services and protocols may be used by other applications, and locking them down may have adverse effects on the behavior or functionality of those applications. For example, ServiceControl Manager and ParMgr rely on WBEM for part of their functionality; Sec30DMZ blocks all incoming WBEM connections via IPFilter.

You can change the security settings configured at install-time by running HP-UX Bastille after installing or updating your system. For more information about using HP-UX Bastille, see the Managing Systems and Workgroups manual, or the HP-UX Bastille User’s Guide, located on your system at /opt/sec_mgmt/bastille/docs/user_guide.txt.

Table 2-3 Host-based Sec10Host Install-time Security Settings[1]

Category

Actions

Logins and Passwords

Deny login unless home directory exists
Deny non-root logins if /etc/nologin file exists
Set a default path for su command
Disable root logins from network tty
Hide encrypted passwords
Disallow ftpd system account logins
Disable remote X logins

File System, Network, and Kernel

Modify ndd settings [2],[3]
Restrict remote access to swlist
Set default umask
Enable kernel-based stack execute protection

Daemons

Disable ptydaemon
Disable pwgrd
Disable rbootd
Disable NFS client daemons
Disable NFS server
Disable NIS client programs
Disable NIS server programs
Disable SNMPD

inetd Services

Deactivate bootp
Deactivate inetd’s built-in services
Deactivate CDE helper services
Deactivate finger
Deactivate ident
Deactivate klogin and kshell
Deactivate ntalk
Deactivate login, shell, and exec services
Deactivate swat
Deactivate printer
Deactivate recserv
Deactivate tftp
Deactivate time
Deactivate uucp
Enable logging for all inetd connections

sendmail

Run sendmail via cron to process queue
Stop sendmail from running in daemon mode
Disable vrfy and expn commands

Other Settings

Deactivate HP Apache 2.x Web Server[4]
Set up cron job to run Security Patch Check[2]

[1] Security settings listed here also apply to Sec20MngDMZ and Sec30DMZ

[2] Manual action may be required to complete configuration. See /etc/opt/sec_mgmt/bastille/TODO for more information, after install or update.

[3] The following ndd changes will be made:

ip_forward_directed_broadcasts=0
ip_forward_src_routed=0
ip_forwarding=0
ip_ire_gw_probe=0
ip_pmtu_strategy=1
ip_send_source_quench=0
tcp_conn_request_max=4096
tcp_syn_rcvd_max=1000

[4] Settings only applied if software is installed
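As an added example (not from the HP guide or from HP-UX Bastille), the following POSIX shell audit compares a system's current ndd tunables with the values listed in note [3] and reports any drift. The ndd_get wrapper, the check_ndd_drift function, and the placement of ip_* tunables under /dev/ip and tcp_* tunables under /dev/tcp are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the HP guide: audit a running HP-UX system's ndd
# tunables against the values the Sec10Host profile (Table 2-3, note [3]) sets
# and report any drift.  Assumes the HP-UX "ndd -get <device> <param>" syntax
# and that ip_* tunables live under /dev/ip and tcp_* under /dev/tcp.

# Expected values, one "device:param:value" entry per tunable from the guide.
BASTILLE_NDD="
/dev/ip:ip_forward_directed_broadcasts:0
/dev/ip:ip_forward_src_routed:0
/dev/ip:ip_forwarding:0
/dev/ip:ip_ire_gw_probe:0
/dev/ip:ip_pmtu_strategy:1
/dev/ip:ip_send_source_quench:0
/dev/tcp:tcp_conn_request_max:4096
/dev/tcp:tcp_syn_rcvd_max:1000
"

# ndd_get DEVICE PARAM: print the kernel's current value.  Kept as a wrapper so
# the audit can be exercised with a stand-in on a non-HP-UX host.
ndd_get() {
    ndd -get "$1" "$2"
}

# check_ndd_drift: print one "param current=X expected=Y" line per tunable that
# differs from the profile; the return code is the number of mismatches
# (0 means the kernel matches the Sec10Host settings).
check_ndd_drift() {
    drift=0
    for entry in $BASTILLE_NDD; do
        dev=${entry%%:*}
        rest=${entry#*:}
        param=${rest%%:*}
        expected=${rest#*:}
        current=$(ndd_get "$dev" "$param" 2>/dev/null) || current="unreadable"
        if [ "$current" != "$expected" ]; then
            echo "$param current=$current expected=$expected"
            drift=$((drift + 1))
        fi
    done
    return "$drift"
}

# Usage: run the audit and summarise the result.
if check_ndd_drift; then
    echo "kernel matches the Sec10Host ndd profile"
else
    echo "ndd tunables differing from the Sec10Host profile: $?"
fi
```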


Table 2-4 Additional Sec20MngDMZ Install-time Security Settings[1]

Category

Actions

inetd Services

Includes all disabled inetd services in Table 2-3 and:

Deactivate ftp
Deactivate telnet

IPFilter Configuration[2]

Block incoming DNS query connections
Block incoming HIDS administration connections[3],[4]
Configure IPFilter to allow outbound traffic, block incoming traffic with IP options set, and block all other incoming traffic except HP-UX Secure Shell, HIDS agent, WBEM, web admin, and web admin autostart.[5]

[1] Applies all security configuration settings in Table 2-3

[2] IPFilter rules are applied via a custom rules file located at /etc/opt/sec_mgmt/bastille/ipf.customrules

[3] HP-UX Host IDS is a selectable software bundle and only available for commercial servers

[4] Settings only applied if software is installed

[5] Manual action may be required to complete configuration. See /var/opt/sec_mgmt/bastille/TODO.txt for more information, after install or update.


Table 2-5 Additional Sec30DMZ Install-time Security Settings[1]

Category

Actions

IPFilter Configuration[2]

Includes all IPFilter settings in Table 2-4 and:

Block incoming HIDS agent connections[3],[4]
Block incoming WBEM connections[5]
Block incoming web admin connections
Block incoming web admin autostart connections
Block all traffic except HP-UX Secure Shell

[1] Applies all security configuration settings in Table 2-3 and Table 2-4

[2] IPFilter rules are applied via a custom rules file located at /etc/opt/sec_mgmt/bastille/ipf.customrules

[3] Settings only applied if software is installed

[4] HP-UX Host IDS is a selectable software bundle and only available for commercial servers

[5] WBEM is required for several HP management applications including ServiceControl Manager and ParMgr

© 1983-2003 Hewlett-Packard Development Company, L.P.