HP-UX Bastille (HPUXBastille) is included as recommended software on the Operating Environment media and can be installed and run with Ignite-UX or Update-UX (see “Predefined Security Levels”). HP-UX Bastille is a security hardening and lockdown tool that can be used to enhance security of the HP-UX operating system. It provides customized lockdown on a system-by-system basis by encoding functionality similar to Bastion Host and other hardening and lockdown checklists.

NOTE: For more information about HP-UX Bastille, refer to the HP-UX 11i v3 Release Notes and the HP-UX System Administrator’s Guide.
Predefined Security Levels

At cold-install or update time, you can choose one of the security levels listed in Table 3-2 “Predefined Security Configuration”, each one providing incrementally higher security.

Table 3-2 Predefined Security Configuration

| Security Level | Configuration File Name[1] | Description |
|---|---|---|
| Sec00Tools[2] | Not applicable | The install-time security infrastructure; no security changes. |
| Sec10Host[3] | HOST.config | Host-based lockdown: firewall pre-enablement; some common clear-text services turned off, excluding Telnet and FTP. |
| Sec20MngDMZ[3] | MANDMZ.config | Lockdown while allowing secure management: IPFilter firewall blocks incoming connections except common, relatively safe, management protocols. |
| Sec30DMZ[3] | DMZ.config | Network-DMZ lockdown: IPFilter blocks all incoming connections except HP-UX Secure Shell. |
NOTE: When you select either the Sec30DMZ or Sec20MngDMZ security level, IPFilter will restrict inbound network connections. For more information on how to add inbound ports to your /etc/opt/ipf.customerrules file, refer to the HP-UX IPFilter (Version A.03.05.09 and later) Administrator's Guide and the HP-UX System Administrator’s Guide.
Selecting Your Security Levels at Install Time

During installation, you can configure your security levels by navigating to either the System tab or the Software tab from the Ignite-UX Graphical User Interface Installation and Configuration dialog box. The System tab allows you to configure information unique to your system such as security levels, hostname, IP address, root password, and the time zone. For ease of use, HP recommends using the System tab to select the security level appropriate for your deployment, as described below.

1. Do one of the following:
   - If you are using the Ignite-UX GUI, navigate to the System tab (from the Ignite-UX Installation and Configuration dialog box) and select Security Choices.
   - If you are using the Ignite Install HP-UX Wizard, navigate to the Additional Software screen and select Security Choices.

   The four security levels appear. By default, Sec00Tools is selected.
2. Select the security level appropriate for your deployment. See “Predefined Security Levels” for more information.
3. Select OK.
Serviceguard Configuration (post-installation) to Enable Use with Security Levels

Configuring Sec20MngDMZ or Sec30DMZ for Use with Serviceguard

Serviceguard uses dynamic ports. To enable operation, the possible Serviceguard (SG) port range must be opened. Opening the port range is not consistent with the security goals of Sec20MngDMZ (MANDMZ.config) and Sec30DMZ (DMZ.config), since multiple services (including other rpc-like applications) may also listen on this same port range. The firewall, however, will still provide security benefits consistent with the Serviceguard security deployment model as described in the Securing Serviceguard document at: http://docs.hp.com/

Before you open the Serviceguard port range, make sure you review the required IPFilter-SG rules, which are documented in the HP-UX IPFilter (Version A.03.05.09 and later) Administrator's Guide at: http://docs.hp.com/en/B9901-90021/B9901-90021.pdf

When the Serviceguard security patch of 2004 is installed, Serviceguard requires one additional service, identd. Enable it by following the steps below.

1. Edit the HP-UX Bastille configuration file /etc/opt/sec_mgmt/bastille/config by changing the answer to the question “Should Bastille ensure inetd's ident service does not run on this system?” from Y to N, as follows:

   ```
   SecureInetd.deactivate_ident="N"
   ```

2. Apply the configuration file changes. You can update your system configuration manually or use HP-UX Bastille to update it. The manual update requires fewer steps on systems that were configured by hand after the Bastille tool was run; the Bastille update requires fewer steps on systems that were not configured by hand after the Bastille tool was run. Do one of the following:

   - Manually update the system configuration. Edit the /etc/inetd.conf file by uncommenting (removing the #) the following line:

     ```
     #auth stream tcp6 wait bin /usr/lbin/identd identd
     ```

     Then force inetd to reread the configuration by running the following command:

     ```
     # inetd -c
     ```

   - Use HP-UX Bastille to update the configuration. Revert to the previous HP-UX Bastille configuration, then apply the new HP-UX Bastille configuration:

     ```
     # bastille -r
     # bastille -b
     ```
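As an added illustration of the edit in step 1 and the manual path of step 2 (example code, not HP's), the following POSIX shell applies both changes to constructed copies of the two files and checks that only the identd line was enabled; the sample file contents and the temporary paths are assumptions.

```shell
# Constructed sample files standing in for the real HP-UX paths
# /etc/opt/sec_mgmt/bastille/config and /etc/inetd.conf (not the real files).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BASTILLE_CFG="$WORK/bastille.config"
INETD_CONF="$WORK/inetd.conf"

cat > "$BASTILLE_CFG" <<'EOF'
# Should Bastille ensure inetd's ident service does not run on this system?
SecureInetd.deactivate_ident="Y"
EOF

cat > "$INETD_CONF" <<'EOF'
#finger stream tcp6 nowait bin /usr/lbin/fingerd fingerd
#auth stream tcp6 wait bin /usr/lbin/identd identd
#tftp dgram udp6 wait root /usr/lbin/tftpd tftpd
EOF

# Step 1: answer the Bastille question with N so a later "bastille -b" keeps identd.
# Portable in-place edit: write a temp file and rename (HP-UX sed has no -i option).
set_bastille_ident_answer() {            # $1 = config file, $2 = Y or N
    sed "s/^SecureInetd\.deactivate_ident=.*/SecureInetd.deactivate_ident=\"$2\"/" "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 2 (manual path): uncomment only the auth/identd line; other lines stay disabled.
uncomment_identd() {                     # $1 = inetd.conf
    sed 's/^#\([[:space:]]*auth[[:space:]]\)/\1/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Exit 0 when an active (uncommented) auth line is present.
identd_enabled() {                       # $1 = inetd.conf
    grep -q '^[[:space:]]*auth[[:space:]]' "$1"
}

# Number of entries still enabled, to confirm the edit touched one line only.
active_inetd_services() {                # $1 = inetd.conf
    grep -c '^[[:space:]]*[^#[:space:]]' "$1"
}

set_bastille_ident_answer "$BASTILLE_CFG" N
uncomment_identd "$INETD_CONF"
if identd_enabled "$INETD_CONF"; then
    echo "identd enabled; $(active_inetd_services "$INETD_CONF") inetd entry now active"
fi
# On the real system, "inetd -c" would follow here so inetd rereads the file.
```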
Configuring HP-UX Bastille Sec10Host

To configure the HP-UX Bastille Sec10Host level, refer to the Securing Serviceguard document at: http://docs.hp.com/

Security Choice Dependencies
The Sec00Tools security level is installed by default on your system. Although Sec00Tools does not implement any security changes at cold-install or update time, it does ensure that the required software (Figure 3-1 “Install-time Security Software Dependencies”) is installed. The Sec00Tools security level contains the pre-built configuration files that you can use to apply a security level, or that you can use as a template to create a custom security configuration. It also ensures that the software needed by those security levels is present. Alternatively, you can lock down your system at cold-install or update time using one of the selectable security levels Sec10Host, Sec20MngDMZ, or Sec30DMZ; all three depend on Sec00Tools.

Secured Services and Protocols
Each security level provides incrementally higher security by locking down various protocols and services. HP-UX Bastille uses a series of questions to determine which services and protocols to secure. Using one of the security levels applies a default security profile, simplifying the lockdown process. The following tables detail the services and protocols affected by the security levels listed in Table 3-2 “Predefined Security Configuration”, if you choose to apply one at cold-install or update time.

Table 3-3 Host-based Sec10Host Install-time Security Settings[1]

| Category | Actions |
|---|---|
| Logins and Passwords | Deny login unless home directory exists; Deny non-root logins if /etc/nologin file exists; Set a default path for su command; Disable root logins from network tty; Hide encrypted passwords; Disallow ftpd system account logins; Disable remote X logins |
| File System, Network, and Kernel | Modify ndd settings[2],[3]; Restrict remote access to swlist; Set default umask; Enable kernel-based stack execute protection |
| Daemons | Disable ptydaemon; Disable pwgrd; Disable rbootd; Disable NFS client daemons; Disable NFS server; Disable NIS client programs; Disable NIS server programs; Disable SNMPD |
| inetd Services | Deactivate bootp; Deactivate inetd’s built-in services; Deactivate CDE helper services; Deactivate finger; Deactivate ident; Deactivate klogin and kshell; Deactivate ntalk; Deactivate login, shell, and exec services; Deactivate swat; Deactivate printer; Deactivate recserv; Deactivate tftp; Deactivate time; Deactivate uucp; Deactivate Event Monitoring Services (EMS) network communication; Enable logging for all inetd connections |
| sendmail | Run sendmail via cron to process queue; Stop sendmail from running in daemon mode; Disable vrfy and expn commands |
| Other Settings | Deactivate HP Apache 2.x Web Server[4]; Set up a cron job to run Security Patch Check[2] |

Table 3-4 Additional Sec20MngDMZ Install-time Security Settings[1]

| Category | Actions |
|---|---|
| inetd Services | Includes all disabled inetd services in Table 3-3 “Host-based Sec10Host Install-time Security Settings” and: Deactivate ftp; Deactivate telnet |
| IPFilter Configuration[2] | Block incoming DNS query connections; Block incoming HIDS administration connections[3],[4]; Configure IPFilter to allow outbound traffic, block incoming traffic with IP options set, and block all other incoming traffic except for HP-UX Secure Shell, HIDS agent, WBEM, web admin and web admin autostart[5], and ICMP echo |

Table 3-5 Additional Sec30DMZ Install-time Security Settings[1]

| Category | Actions |
|---|---|
| IPFilter Configuration[2] | Includes all IPFilter settings in Table 3-4 “Additional Sec20MngDMZ Install-time Security Settings” and: Block incoming HIDS agent connections[3],[4]; Block incoming WBEM connections[5]; Block incoming web admin connections; Block incoming web admin autostart connections; Block all traffic except HP-UX Secure Shell; Block ICMP echo |
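To check a system against the inetd rows of these tables after installation, the following added example (not HP's code) audits an inetd.conf against the services that Sec10Host and Sec20MngDMZ deactivate; the service-name list (taking the built-in services to be echo, discard, daytime and chargen, mapping the tables' "bootp" to bootps and "ident" to auth, and leaving out the CDE helper services) and the sample file are assumptions.

```shell
# Added audit helper, not HP's code: lists the inetd services that a given security
# level deactivates but that a system's inetd.conf still has enabled. Names are the
# inetd.conf service names; the list below is an assumption drawn from Tables 3-3
# and 3-4, with "bootp" taken as bootps and "ident" as auth.
SEC10_INETD="bootps echo discard daytime chargen finger auth klogin kshell ntalk login shell exec swat printer recserv tftp time uucp"
SEC20_INETD="$SEC10_INETD ftp telnet"   # Table 3-4 additionally deactivates ftp and telnet

# Print the service name of every active (uncommented) inetd.conf entry, one per line.
active_services() {                     # $1 = inetd.conf
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1"
}

# Print each listed service that is still active; exit 1 if any are, 0 if none.
audit_inetd() {                         # $1 = inetd.conf, $2 = space-separated list
    found=0
    for svc in $2; do
        if active_services "$1" | grep -qx "$svc"; then
            echo "still enabled: $svc"
            found=1
        fi
    done
    return $found
}

# Constructed sample inetd.conf (not a real system's file): ftp, telnet and tftp active.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
INETD_CONF="$WORK/inetd.conf"
cat > "$INETD_CONF" <<'EOF'
# constructed sample
ftp     stream tcp6 nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp6 nowait root /usr/lbin/telnetd telnetd
#finger stream tcp6 nowait bin  /usr/lbin/fingerd fingerd
#auth   stream tcp6 wait   bin  /usr/lbin/identd  identd
tftp    dgram  udp6 wait   root /usr/lbin/tftpd   tftpd
EOF

echo "Sec10Host check (ftp and telnet are allowed at this level):"
audit_inetd "$INETD_CONF" "$SEC10_INETD" || echo "-> not compliant with Sec10Host"
echo "Sec20MngDMZ check:"
audit_inetd "$INETD_CONF" "$SEC20_INETD" || echo "-> not compliant with Sec20MngDMZ"
```

Run against the sample, only tftp is reported at Sec10Host, while Sec20MngDMZ additionally reports ftp and telnet.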