HP-UX Bastille (B6849AA) is included as default-installed software on the Operating Environment media and can be installed and run with Ignite-UX or Update-UX (see "Predefined Security Levels"). HP-UX Bastille is a security hardening and lockdown tool that can be used to enhance the security of the HP-UX operating system. It provides customized lockdown on a system-by-system basis by encoding functionality similar to Bastion Host and other hardening and lockdown checklists.

NOTE: For more information about HP-UX Bastille, refer to the HP-UX 11i Version 2 Release Notes and Managing Systems and Workgroups: A Guide for HP-UX System Administrators.
Predefined Security Levels

At cold-install or update time, you can choose one of the security levels listed in Table 3-3 "Predefined Security Configuration", with each one providing incrementally higher security.

Table 3-3 Predefined Security Configuration

| Security Level | Configuration File Name[1] | Description |
|---|---|---|
| Sec00Tools[2] | Not applicable | The install-time security infrastructure; no security changes. |
| Sec10Host[3] | HOST.config | Host-based lockdown: no firewall; some common clear-text services turned off, excluding Telnet and FTP. |
| Sec20MngDMZ[3] | MANDMZ.config | Lockdown while allowing secure management: IPFilter firewall blocks incoming connections except common, secured management protocols. |
| Sec30DMZ[3] | DMZ.config | Network-DMZ lockdown: IPFilter blocks all incoming connections except HP-UX Secure Shell. |

NOTE: When you select the Sec10Host security level, you may have conflicts with other products. For more information on the Bastille Sec10Host security level, refer to the HP-UX IPFilter Version A.03.05.09 Administrator's Guide and Managing Systems and Workgroups: A Guide for System Administrators.
Selecting Your Security Levels at Install Time

During installation, you can configure your security levels by navigating to either the System tab or the Software tab from the Ignite-UX Graphical User Interface Installation and Configuration dialog box. The System tab allows you to configure information unique to your system such as security levels, hostname, IP address, root password, and the time zone. HP recommends using the System tab to select the security level appropriate for your deployment as described below.

1. Do one of the following:
   - If you are using the Ignite-UX UI, navigate to the System tab (from the Ignite-UX Installation and Configuration dialog box) and select Security Choices.
   - If you are using the Ignite Install HP-UX Wizard, navigate to the Additional Software screen and select Security Choices.
2. The four security levels appear. By default, Sec00Tools is selected. Select the security level appropriate for your deployment. See "Predefined Security Levels" for more information.
3. Select OK.
Configuring Sec20MngDMZ or Sec30DMZ for Use with Serviceguard

Serviceguard uses dynamic ports. To enable operation, the possible Serviceguard port range must be opened. Opening the port range is not consistent with the security goals of Sec20MngDMZ (MANDMZ.config) and Sec30DMZ (DMZ.config), since multiple services (including other RPC-like applications) may also listen on this same port range. The firewall, however, will still provide security benefits consistent with the Serviceguard security deployment model as described in the Securing Serviceguard document at: http://docs.hp.com/en/5874/securingserviceguard.pdf

Before you open the Serviceguard port range, make sure you review the required IPFilter-Serviceguard rules, which are documented in the HP-UX IPFilter Version A.03.05.09 Administrator's Guide at: http://docs.hp.com/en/B9901-90021/B9901-90021.pdf
Configuring HP-UX Bastille Sec10Host

When the Serviceguard security patch of 2004 is installed, Serviceguard is not compatible with the Sec10Host security deployment assumptions. Specifically, the Sec10Host configuration disables the identd daemon, but Serviceguard with the security patch requires the identd daemon to be running for authentication purposes, consistent with the Serviceguard security deployment model described above. To configure HP-UX Bastille Sec10Host, follow the steps below:

1. Edit the HP-UX Bastille configuration file /etc/opt/sec_mgmt/bastille/config by changing the answer to the question "Should Bastille ensure inetd's ident service does not run on this system?" from Y to N as follows:

       SecureInetd.deactivate_ident="N"

2. Apply the configuration file changes. You can update your system configuration manually or use HP-UX Bastille to update your system configuration. The former will require fewer steps on systems that have been manually configured post-Bastille, and the latter will require fewer steps on systems that have not been manually configured post-Bastille. Do one of the following:
   - Manually update the system configuration: edit the /etc/inetd.conf file by uncommenting (removing the #) the following line:

         #auth stream tcp6 wait bin /usr/lbin/identd identd

     Then force inetd to reread the configuration by running the following command:

         # inetd -c

   - Use HP-UX Bastille to update the configuration: revert to the previous HP-UX Bastille configuration, then apply the new HP-UX Bastille configuration:

         # bastille -r
         # bastille -b
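The Sec10Host identd procedure above, written as shell functions (an added example, not code from the HP-UX documentation or from Bastille itself). The functions default to the file paths the text names and accept an alternate path as their first argument, so the edit can be rehearsed on a copy before the real files are touched; running `inetd -c` afterwards is left to the administrator.

```shell
#!/bin/sh
# Added example, not part of the HP-UX documentation: re-enable identd
# under a Sec10Host lockdown so Serviceguard (with the 2004 security
# patch) can authenticate. Each function edits the file given as $1,
# defaulting to the real configuration file.
set -e

# Step 1: change the answer to "Should Bastille ensure inetd's ident
# service does not run on this system?" from Y to N. If the key is
# missing from the config it is appended rather than silently skipped.
bastille_allow_ident() {
    f="${1:-/etc/opt/sec_mgmt/bastille/config}"
    if grep -q '^SecureInetd\.deactivate_ident=' "$f"; then
        sed 's/^SecureInetd\.deactivate_ident=.*/SecureInetd.deactivate_ident="N"/' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf 'SecureInetd.deactivate_ident="N"\n' >> "$f"
    fi
}

# Step 2, manual route: uncomment the identd entry in inetd.conf, i.e.
#   #auth stream tcp6 wait bin /usr/lbin/identd identd
# becomes an active "auth" service line. Run "inetd -c" as root afterwards
# so inetd rereads the file; that is deliberately not done here.
inetd_enable_ident() {
    f="${1:-/etc/inetd.conf}"
    sed 's/^#[[:space:]]*\(auth[[:space:]]\)/\1/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Check helper: returns 0 when an uncommented auth (identd) entry exists,
# which is what Serviceguard needs and what Sec10Host normally removes.
inetd_ident_enabled() {
    f="${1:-/etc/inetd.conf}"
    grep -q '^[[:space:]]*auth[[:space:]]' "$f"
}
```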
Security Choice Dependencies

The Sec00Tools security level is installed by default on your system. Although Sec00Tools does not implement any security changes at cold-install or update time, it does ensure that the required software (Figure 3-1 "Install-time Security Software Dependencies") is installed. The Sec00Tools security level contains the pre-built configuration files that you can use to create a security level, or you can use them as a template to create a custom security configuration. The Sec00Tools security level also ensures that the software needed by those security levels is present. Alternately, you can lock down your system using one of the following selectable security levels at cold-install or update time: Sec10Host, Sec20MngDMZ, or Sec30DMZ. All three are dependent on Sec00Tools.

Secured Services and Protocols
Each security level provides incrementally higher security by locking down various protocols and services. HP-UX Bastille uses a series of questions to determine which services and protocols to secure. Using one of the security levels applies a default security profile, simplifying the lockdown process. The following tables detail the services and protocols affected by the security levels listed in Table 3-3 "Predefined Security Configuration", if you choose to apply one at cold-install or update time.

Table 3-4 Host-based Sec10Host Install-time Security Settings[1]

| Category | Actions |
|---|---|
| Logins and Passwords | Deny login unless home directory exists |
| | Deny non-root logins if /etc/nologin file exists |
| | Set a default path for su command |
| | Disable root logins from network tty |
| | Hide encrypted passwords |
| | Disallow ftpd system account logins |
| | Disable remote X logins |
| File System, Network, and Kernel | Modify ndd settings[2],[3] |
| | Restrict remote access to swlist |
| | Set default umask |
| | Enable kernel-based stack execute protection |
| Daemons | Disable ptydaemon |
| | Disable pwgrd |
| | Disable rbootd |
| | Disable NFS client daemons |
| | Disable NFS server |
| | Disable NIS client programs |
| | Disable NIS server programs |
| | Disable SNMPD |
| inetd Services | Deactivate bootp |
| | Deactivate inetd's built-in services |
| | Deactivate CDE helper services |
| | Deactivate finger |
| | Deactivate ident |
| | Deactivate klogin and kshell |
| | Deactivate ntalk |
| | Deactivate login, shell, and exec services |
| | Deactivate swat |
| | Deactivate printer |
| | Deactivate recserv |
| | Deactivate tftp |
| | Deactivate time |
| | Deactivate uucp |
| | Enable logging for all inetd connections |
| sendmail | Run sendmail via cron to process queue |
| | Stop sendmail from running in daemon mode |
| | Disable vrfy and expn commands |
| Other Settings | Deactivate HP Apache 2.x Web Server[4] |
| | Set up cron job to run Security Patch Check[2] |

Table 3-5 Additional Sec20MngDMZ Install-time Security Settings[1]

| Category | Actions |
|---|---|
| inetd Services | Includes all disabled inetd services in Table 3-4 "Host-based Sec10Host Install-time Security Settings" and: |
| | Deactivate ftp |
| | Deactivate telnet |
| IPFilter Configuration[2] | Block incoming DNS query connections |
| | Block incoming HIDS administration connections[3],[4] |
| | Configure IPFilter to allow outbound traffic, block incoming traffic with IP options set, and block all other traffic except for HP-UX Secure Shell, HIDS agent, WBEM, web admin and web admin autostart[5] |

Table 3-6 Additional Sec30DMZ Install-time Security Settings[1]

| Category | Actions |
|---|---|
| IPFilter Configuration[2] | Includes all IPFilter settings in Table 3-5 "Additional Sec20MngDMZ Install-time Security Settings" and: |
| | Block incoming HIDS agent connections[3],[4] |
| | Block incoming WBEM connections[5] |
| | Block incoming web admin connections |
| | Block incoming web admin autostart connections |
| | Block all traffic except HP-UX Secure Shell |