HP-UX Bastille (HPUXBastille) is included as recommended software on the Operating Environment media and can be installed and run with Ignite-UX or Update-UX (see “Predefined Security Levels”). HP-UX Bastille is a security hardening and lockdown tool that can be used to enhance the security of the HP-UX operating system. It provides customized lockdown on a system-by-system basis by encoding functionality similar to Bastion Host and other hardening and lockdown checklists.

NOTE: For more information about HP-UX Bastille, refer to the HP-UX 11i v3 Release Notes and the HP-UX System Administrator’s Guide.
Predefined Security Levels
At cold-install or update time, you can choose one of the security levels listed in Table 3-2; each one provides incrementally higher security.

Table 3-2 Predefined Security Configuration

| Security Level | Configuration File Name[1] | Description |
|---|---|---|
| Sec00Tools[2] | Not applicable | The install-time security infrastructure; no security changes. |
| Sec10Host[3] | HOST.config | Host-based lockdown: firewall pre-enablement; some common clear-text services turned off, excluding Telnet and FTP. |
| Sec20MngDMZ[3] | MANDMZ.config | Lockdown while allowing secure management: IPFilter firewall blocks incoming connections except common, relatively safe, management protocols. |
| Sec30DMZ[3] | DMZ.config | Network-DMZ lockdown: IPFilter blocks all incoming connections except HP-UX Secure Shell. |
NOTE: When you select either the Sec20MngDMZ or Sec30DMZ security level, IPFilter restricts inbound network connections. For more information on how to add inbound ports to your /etc/opt/ipf.customerrules file, refer to the HP-UX IPFilter (Version A.03.05.09 and later) Administrator's Guide and the HP-UX System Administrator’s Guide.
Selecting Your Security Levels at Install Time

During installation, you can configure your security levels by navigating to the System tab from the Ignite-UX Graphical User Interface Installation and Configuration dialog box. The System tab allows you to configure information unique to your system such as security levels, hostname, IP address, root password, and the time zone. For ease of use, HP recommends using the System tab to select the security level appropriate for your deployment, as described below.

1. Do one of the following:
   - If you are using the Ignite-UX GUI, navigate to the System tab (from the Ignite-UX Installation and Configuration dialog box) and select Security Choices.
   - If you are using the Ignite Install HP-UX Wizard, navigate to the Additional Software screen and select Security Choices.
   The four security levels appear. By default, Sec00Tools is selected.
2. Select the security level appropriate for your deployment. See “Predefined Security Levels” for more information.
3. Select OK.
Serviceguard Configuration (post-installation) to Enable Use with Security Levels
Configuring Sec20MngDMZ or Sec30DMZ for Use with Serviceguard

Serviceguard uses dynamic ports. To enable operation, the possible Serviceguard port range must be opened. Opening the port range is not consistent with the security goals of Sec20MngDMZ (MANDMZ.config) and Sec30DMZ (DMZ.config), since multiple services (including other rpc-like applications) may also listen on this same port range. The firewall, however, will still provide security benefits consistent with the Serviceguard security deployment model as described in the Securing Serviceguard document at: http://docs.hp.com/

Before you open the Serviceguard port range, make sure you review the required IPFilter-SG rules, which are documented in the HP-UX IPFilter (Version A.03.05.09 and later) Administrator's Guide at: http://docs.hp.com/en/B9901-90021/B9901-90021.pdf

When the Serviceguard security patch of 2004 is installed, Serviceguard requires one additional service, identd. Enable it by following the steps below.

1. Edit the HP-UX Bastille configuration file, /etc/opt/sec_mgmt/bastille/config, and change the answer to the question “Should Bastille ensure inetd's ident service does not run on this system?” from Y to N:

       SecureInetd.deactivate_ident="N"

2. Apply the configuration file change. You can update your system configuration manually or use HP-UX Bastille to update it. The manual update requires fewer steps on systems that were changed by hand after Bastille was last run; the Bastille update requires fewer steps on systems that have not been changed by hand since Bastille was last run. Do one of the following:

   - Manually update the system configuration:
     a. Edit the /etc/inetd.conf file and uncomment (remove the #) the following line:

            #auth stream tcp6 wait bin /usr/lbin/identd identd

     b. Force inetd to reread the configuration by running the following command:

            # inetd -c

   - Use HP-UX Bastille to update the configuration. Revert to the previous HP-UX Bastille configuration, then apply the new HP-UX Bastille configuration:

            # bastille -r
            # bastille -b
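The identd re-enablement above, as an added shell example that is not from the HP-UX guide: the functions take file paths as arguments so the two edits can be exercised on constructed copies of the Bastille config and inetd.conf (the sample file contents below are made up, not copied from a real system); the live paths, `inetd -c`, and the `APPLY_LIVE` guard are the only parts meant for a real host. Edits are written to a temporary file and moved into place rather than using `sed -i`, which HP-UX sed does not provide. The block also lists which inetd services remain active afterwards, a check worth running to confirm that re-enabling auth has not reactivated anything else the lockdown disabled.

```shell
#!/bin/sh
# Added example, not part of the HP-UX guide: re-enable inetd's ident
# service after a Sec20MngDMZ/Sec30DMZ lockdown (needed by Serviceguard)
# and report which inetd services are active afterwards.
# Real paths on HP-UX are /etc/opt/sec_mgmt/bastille/config and
# /etc/inetd.conf; the functions take paths so they can run on copies.

# Record the Bastille answer "do not deactivate ident" in config file $1,
# so a later `bastille -b` does not comment the auth line out again.
set_bastille_ident_answer() {
    cfg="$1"
    if grep -q '^SecureInetd.deactivate_ident=' "$cfg"; then
        sed 's/^SecureInetd.deactivate_ident=.*/SecureInetd.deactivate_ident="N"/' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        echo 'SecureInetd.deactivate_ident="N"' >> "$cfg"
    fi
}

# Uncomment the auth/identd entry in inetd.conf $1. Only a commented line
# that starts the auth service and runs identd is touched; other comments
# stay as they are, and running it twice changes nothing.
enable_inetd_auth() {
    conf="$1"
    sed '/^#[[:space:]]*auth[[:space:]].*identd/s/^#[[:space:]]*//' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the service names inetd would start from $1: first field of every
# non-blank, non-comment line, sorted.
active_inetd_services() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$1" | awk '{print $1}' | sort
}

# Print the current value of the ident answer in Bastille config $1.
bastille_ident_answer() {
    sed -n 's/^SecureInetd.deactivate_ident="\(.*\)"$/\1/p' "$1"
}

# --- constructed sample files (made up for this demo) -------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BASTILLE_CFG="$WORK/config"
INETD_CONF="$WORK/inetd.conf"

cat > "$BASTILLE_CFG" <<'EOF'
# Q: Should Bastille ensure inetd's ident service does not run on this system?
SecureInetd.deactivate_ident="Y"
SecureInetd.deactivate_finger="Y"
EOF

cat > "$INETD_CONF" <<'EOF'
# constructed inetd.conf: everything commented out by the lockdown
#ftp     stream tcp6 nowait root /usr/lbin/ftpd    ftpd -l
#telnet  stream tcp6 nowait root /usr/lbin/telnetd telnetd
#auth    stream tcp6 wait   bin  /usr/lbin/identd  identd
#finger  stream tcp6 nowait bin  /usr/lbin/fingerd fingerd
EOF

set_bastille_ident_answer "$BASTILLE_CFG"
enable_inetd_auth "$INETD_CONF"

echo "Bastille ident answer: $(bastille_ident_answer "$BASTILLE_CFG")"
echo "Active inetd services: $(active_inetd_services "$INETD_CONF" | tr '\n' ' ')"

# On a real HP-UX host (as root), apply the same edits to the live files
# and make inetd reread its configuration. Not run during the demo.
if [ "${APPLY_LIVE:-0}" = 1 ]; then
    set_bastille_ident_answer /etc/opt/sec_mgmt/bastille/config
    enable_inetd_auth /etc/inetd.conf
    inetd -c
fi
```

Run it as-is to see the edits on the sample files; run it as root with `APPLY_LIVE=1` on an HP-UX host to apply them for real. After a live run, `active_inetd_services /etc/inetd.conf` should list auth plus only the services you already expected the chosen security level to leave enabled.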
Configuring HP-UX Bastille Sec10Host

To configure HP-UX Bastille Sec10Host, refer to the Securing Serviceguard document at: http://docs.hp.com/

Security Choice Dependencies
The Sec00Tools security level is installed by default on your system. Although Sec00Tools does not implement any security changes at cold-install or update time, it does ensure that the required software (Figure 3-1) is installed. The Sec00Tools security level contains the pre-built configuration files that you can use to apply a security level, or that you can use as templates to create a custom security configuration. It also ensures that the software needed by those security levels is present.

Alternately, you can lock down your system using one of the following selectable security levels at cold-install or update time: Sec10Host, Sec20MngDMZ, and Sec30DMZ. All three depend on Sec00Tools.

Secured Services and Protocols
Each security level provides incrementally higher security by locking down various protocols and services. HP-UX Bastille uses a series of questions to determine which services and protocols to secure. Using one of the security levels applies a default security profile, simplifying the lockdown process.

The following tables detail the services and protocols affected by the security levels listed in Table 3-2, if you choose to apply one at cold-install or update time:

- Table 3-3 lists the security settings for Sec10Host. These settings also apply to Sec20MngDMZ and Sec30DMZ.
- Table 3-4 lists the security settings applied with Sec20MngDMZ, in addition to the settings in Table 3-3.
- Table 3-5 lists the security settings applied with Sec30DMZ, in addition to the settings in Table 3-3 and Table 3-4.
Table 3-3 Host-based Sec10Host Install-time Security Settings[1]

| Category | Actions |
|---|---|
| Logins and Passwords | Deny login unless home directory exists |
| | Deny non-root logins if /etc/nologin file exists |
| | Set a default path for su command |
| | Disable root logins from network tty |
| | Hide encrypted passwords |
| | Disallow ftpd system account logins |
| | Disable remote X logins |
| File System, Network, and Kernel | Modify ndd settings[2],[3] |
| | Restrict remote access to swlist |
| | Set default umask |
| | Enable kernel-based stack execute protection |
| Daemons | Disable ptydaemon |
| | Disable pwgrd |
| | Disable rbootd |
| | Disable NFS client daemons |
| | Disable NFS server |
| | Disable NIS client programs |
| | Disable NIS server programs |
| | Disable SNMPD |
| inetd Services | Deactivate bootp |
| | Deactivate inetd’s built-in services |
| | Deactivate CDE helper services |
| | Deactivate finger |
| | Deactivate ident |
| | Deactivate klogin and kshell |
| | Deactivate ntalk |
| | Deactivate login, shell, and exec services |
| | Deactivate swat |
| | Deactivate printer |
| | Deactivate recserv |
| | Deactivate tftp |
| | Deactivate time |
| | Deactivate uucp |
| | Deactivate Event Monitoring Services (EMS) network communication |
| | Enable logging for all inetd connections |
| sendmail | Run sendmail via cron to process queue |
| | Stop sendmail from running in daemon mode |
| | Disable vrfy and expn commands |
| Other Settings | Deactivate HP Apache 2.x Web Server[4] |
| | Set up cron job to run Software Assistant[2] |
Table 3-4 Additional Sec20MngDMZ Install-time Security Settings[1]

| Category | Actions |
|---|---|
| inetd Services | Includes all inetd services disabled in Table 3-3, and: |
| | Deactivate ftp |
| | Deactivate telnet |
| | Restrict syslog daemon to local connections |
| IPFilter Configuration[2] | Block incoming DNS query connections |
| | Block incoming HIDS administration connections[3],[4] |
| | Configure IPFilter to allow outbound traffic, block incoming traffic with IP options set, and block all other incoming traffic except HP-UX Secure Shell, HIDS agent, WBEM, web admin and web admin autostart[5], and ICMP echo |
Table 3-5 Additional Sec30DMZ Install-time Security Settings[1]

| Category | Actions |
|---|---|
| IPFilter Configuration[2] | Includes all IPFilter settings in Table 3-4, and: |
| | Block incoming HIDS agent connections[3],[4] |
| | Block incoming WBEM connections[5] |
| | Block incoming web admin connections |
| | Block incoming web admin autostart connections |
| | Block all traffic except HP-UX Secure Shell |
| | Block ICMP echo |