Overview

Bastille is a security hardening, lockdown tool that can be used to enhance the security of the HP-UX operating system. It provides customized lockdown on a system-by-system basis by encoding functionality similar to the Bastion Host (see “Documentation”) and other hardening/lockdown checklists. Bastille was originally developed by the open source community for use on Linux systems. HP is contributing by providing Bastille on HP-UX.

Bastille does the following:

- Configures daemons, system settings, and client software, such as sendmail, to be more secure
- Turns off unneeded services, such as pwgrd and printing
- Helps create chroot “jails” that help limit the vulnerability of common Internet services such as web servers and Domain Name Service (DNS)
- Has an educational administrator interface
- Removes security settings with a revert feature that returns the security configuration to the state it was in before Bastille was run
- Configures conversion to Trusted Systems or Shadowed Passwords, as appropriate
- Configures Security Patch Check to run automatically
- Configures the IPFilter firewall
Installing Bastille

Beginning with HP-UX 11i v2, Bastille is included as default-installed software on the Operating Environments media and can be installed with Ignite-UX or Update-UX. See the HP-UX 11i Version 2 Installation and Update Guide for details. For previous HP-UX 11.x and 11i releases, Bastille is also available from the HP Software Depot, at http://www.software.hp.com/.

If you install from an Operating Environment medium, the default Bastille installation automatically includes Bastille, Perl, Security Patch Check, IPFilter, and Secure Shell. If you downloaded from the HP Software Depot, you may need to download the other four packages as well. Bastille requires Perl version 5.6.1.E or newer.

Predefined Configuration Files
Beginning with HP-UX 11i v2, Bastille includes three predefined configuration files (see Table 8-5 “Predefined Configuration Files”) that provide an increasing level of lockdown. The files are delivered in /etc/opt/sec_mgmt/bastille.

Table 8-5 Predefined Configuration Files

| File | Contents |
|---|---|
| HOST.config | Host-based security settings (Table 8-6 “HOST.config: Host-Based Security Settings”) |
| MANDMZ.config | All HOST.config settings plus additional security settings (Table 8-7 “MANDMZ.config: Additional Security Settings”) |
| DMZ.config | Additional security settings (Table 8-8 “DMZ.config: Additional Security Settings”) |

Table 8-6 HOST.config: Host-Based Security Settings

| Category | Actions |
|---|---|
| Logins and Passwords | Deny login unless home directory exists; Deny nonroot logins if /etc/nologin file exists; Set a default path for su command; Disable root logins from network tty; Disallow ftpd system account logins; Disable remote X (XDMCP) logins |
| File System, Network, and Kernel | Modify ndd settings [1] [2]; Restrict remote access to swlist; Enable kernel-based stack execute protection |
| Daemons | Disable NFS client daemons; Disable NIS client programs; Disable NIS server programs |
| IPFilter | |
| Sendmail | Run sendmail via cron to process queue; Stop sendmail from running in daemon mode; Disable vrfy and expn commands |
| Other settings | Deactivate HP Apache 2.x Web Server [3]; Set up cron job to run Security Patch Check [1] |
| Inetd Services | Deactivate inetd’s built-in services; Deactivate CDE helper services; Deactivate klogin and kshell; Deactivate login, shell, and exec services; Enable logging for all inetd connections |

Table 8-7 MANDMZ.config: Additional Security Settings

Includes all security settings from HOST.config (Table 8-6 “HOST.config: Host-Based Security Settings”).

| Category | Actions |
|---|---|
| inetd Services | Additions: |
| IPFilter [1] | Additions: Block incoming DNS query connections; Block incoming HIDS administration connections [2]; Block incoming traffic with IP options set; Block all other traffic except: [3] |

Table 8-8 DMZ.config: Additional Security Settings

Configuring Bastille
Once you have installed Bastille, you may configure it to lock down your system in one of the following ways:

- If you chose one of the predefined install-time modules (Table 8-5 “Predefined Configuration Files”) during installation with Ignite-UX or Update-UX, it was installed and applied during the system reboot. Go to “Applying Bastille” to review the log files and perform any necessary manual operations.
- In the /etc/opt/sec_mgmt/bastille directory, you can copy one of the predefined configuration files (see “Predefined Configuration Files”) to the config file. Go to “Applying Bastille” to install it.
- In the /etc/opt/sec_mgmt/bastille directory, you can copy a custom configuration to the config file (perhaps one you made with the interactive interface). Go to “Applying Bastille” to install it. Typically, you would create a special configuration on one system and then copy that configuration to other systems that you wish to protect identically. You should also copy your modified TODO.txt file in order to complete the process as described in “Applying Bastille”. Each system must be running the same version of the operating system with the same Bastille-affected components installed for the configuration to be noninteractive. If different software is installed that causes Bastille to need more information, Bastille will quit with an error indicating that it needs more information. If you then run Bastille interactively, you will see the missing check marks for the needed information.
- You can use the interactive interface (see “Interactive Configuration”) to create a new configuration or to modify a previous, predefined, or customized configuration file. To modify a configuration, copy the old configuration into the /etc/opt/sec_mgmt/bastille/config file.
Interactive Configuration

CAUTION: Since the interactive configuration uses an insecure GUI, it is important that you review “Security Considerations” before proceeding.
Bastille uses a series of questions, extracted from the file /etc/opt/sec_mgmt/bastille/Questions.txt, to prepare the configuration file, /etc/opt/sec_mgmt/bastille/config. The questions and explanations relevant to HP-UX are displayed in .

When you start Bastille, it displays the following messages:

```
# bastille
NOTE: Valid display found; defaulting to Tk (X) interface.
NOTE: Using Tk user interface module.
NOTE: Only displaying questions relevant to the current configuration.
```

If this is the first time, it displays the terms of use and asks you to accept them.

```
...
You must accept the terms of this disclaimer to use Bastille.
Type "accept" (without quotes) within 5 minutes to accept the terms of the above disclaimer
>
```

Then, Bastille analyzes your system to determine the current lockdown state and the questions that will result in increased lockdown.

```
NOTE: Bastille is scanning the system configuration...
```

If there is no configuration file, it prepares the questions with default answers.

```
NOTE: Could not open config file /etc/opt/sec_mgmt/bastille/config, defaults used.
```

If the configuration file exists, Bastille uses those answers as the initial answers to the questions.

```
NOTE: Existing config file found. Populating answers...
```

At this point, it displays the title screen (Figure 8-2 “Bastille Title Screen”) of the graphical interface. After the Title Screen, Bastille always displays the Security Patch Check screen (Figure 8-3 “Bastille Security Patch Check (long)”). This allows you to reconfigure this important software.

Navigation

You can return to a previous question by selecting the Back button. You move to the next question with the OK button. Most questions take Yes or No as an answer; click the appropriate button. Some questions require a typed response in the Answer window. You can reset to the default answer by clicking the Restore Defaults button.

Long and Short Explanations

Many of the question screens have both short and long explanations. You can toggle between them with the Explain Less/Explain More buttons. Figure 8-3 “Bastille Security Patch Check (long)” shows the long version; Figure 8-4 “Bastille Security Patch Check (short)” shows the corresponding short version.

Progress Checkmarks

As you complete a section of the questions, Bastille places a check mark in the Modules list, as shown in Figure 8-5 “Bastille Check Boxes”. All of the modules must be checked (except End Screen) before the configuration is valid. You can move among the modules by clicking a name in the Modules list.

When you reach (or select) the End Screen, you can go back and make further modifications (by choosing Back or No) or you can complete your session (by choosing Yes and OK). On the Save Changes screen (Figure 8-7 “Bastille Save Changes”), you can go back and make further modifications, exit without saving the current configuration, or save the current configuration in /etc/opt/sec_mgmt/bastille/config and go on. If you save your changes, the Finishing Up screen (Figure 8-8 “Bastille Finishing Up”) gives you one more chance to change the configuration, or you can exit without applying the new configuration, or you can have the new configuration applied immediately.

When you exit from the interactive configuration by selecting “Apply Configuration to System” from the Finishing Up screen (Figure 8-8 “Bastille Finishing Up”), Bastille automatically executes bastille -b. Go to “Applying Bastille” for details and to review the log files and perform any necessary manual operations.

Applying Bastille
After you have prepared your configuration file (see “Configuring Bastille”), you must apply the configuration. There are two steps: run Bastille, and execute any recommendations from the TODO.txt file.

Run Bastille with the command bastille -b. Bastille applies the changes it can do automatically and creates a TODO.txt list of actions you must manually apply to the system. This command is executed automatically if you installed Bastille with a security option using Ignite-UX or Update-UX or if you chose “Apply the configuration to the system” at the end of interactive configuration. For example:

```
NOTE: Entering Critical Code Execution.
Bastille has disabled keyboard interrupts.
NOTE: Bastille is scanning the system configuration...
Bastille is now locking down your system in accordance with your answers in the "config" file. Please be patient as some modules may take a number of minutes, depending on the speed of your machine.
Executing File Permissions Specific Configuration
Executing Account Security Specific Configuration
Executing Inetd Specific Configuration
Executing Daemon Specific Configuration
Executing Sendmail Specific Configuration
Executing Apache Specific Configuration
Executing FTP Specific Configuration
Executing HP-UX's Security Patch Check Configuration
Executing IPFilter Configuration
Executing HP-UX Specific Configuration
```

If there are problems, Bastille reports warnings and errors.

```
...
Executing Account Security Specific Configuration
WARNING: Failed to Execute Command: /usr/lbin/tsconvert
Command Output: Creating secure password database...
Directories created.
...
Moving passwords...
Can't write protected database; password file unchanged.
ERROR: Trusted system conversion was unsuccessful for an unknown reason. You may try using SAM to do the conversion instead of Bastille.
Executing Inetd Specific Configuration
...
Executing HP-UX Specific Configuration
Please check /var/opt/sec_mgmt/bastille/TODO.txt for further instructions on how to secure your system.
########################################################
Errors have occurred in the configuration. Please view the following file for more details:
/var/opt/sec_mgmt/bastille/log/error-log
########################################################
```

The TODO.txt file has instructions that you may need to follow to complete the lockdown. The error-log file explains what went wrong in more detail. If there are errors, Bastille has locked down your system as much as possible. When you correct the problems, you can run bastille -b to apply the rest of the lockdown. If you prefer, you can return the system to its unlocked state with the revert command, bastille -r, and then make any corrections that you need.

Review the log files.

- /var/opt/sec_mgmt/bastille/log/action-log
  Records the specific actions that Bastille performed.
- /var/opt/sec_mgmt/bastille/log/error-log
  Records any errors that were encountered.
- /var/opt/sec_mgmt/bastille/log/level-application-actions
  Records additional actions if Bastille was configured and applied with the Install-Time Security feature of Ignite-UX/Update-UX.
- /var/opt/sec_mgmt/bastille/log/level-application-errors
  Records additional errors if Bastille was configured and applied with the Install-Time Security feature of Ignite-UX/Update-UX.

Perform the actions listed in the file /var/opt/sec_mgmt/bastille/TODO.txt. You may wish to edit some of the commands since you may have special circumstances. Many of those circumstances are described in the explanations associated with questions in the interactive configuration process. We suggest that you delete or comment-out entries in the TODO.txt list as you complete them.
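The copy-then-apply procedure from “Configuring Bastille” and the log review from “Applying Bastille”, as an added shell example that is not part of HP's documentation or of the Bastille tool: it copies one of the three predefined files over the live config, runs bastille -b, and reports whether error-log gained entries or TODO.txt lists manual actions. BASTILLE_ETC, BASTILLE_VAR and BASTILLE_BIN are assumed override variables (their defaults are the paths this chapter documents) so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not HP's code: drive the documented Bastille workflow
# (copy a predefined config into place, run bastille -b, review results).
# BASTILLE_ETC, BASTILLE_VAR and BASTILLE_BIN are assumed override knobs;
# their defaults are the paths documented in this chapter.
BASTILLE_ETC=${BASTILLE_ETC:-/etc/opt/sec_mgmt/bastille}
BASTILLE_VAR=${BASTILLE_VAR:-/var/opt/sec_mgmt/bastille}
BASTILLE_BIN=${BASTILLE_BIN:-bastille}

# Copy HOST.config, MANDMZ.config or DMZ.config over the live config file,
# keeping a timestamped backup of the previous config so it can be restored.
# Returns 1 for an unknown level or a missing predefined file.
select_predefined() {
    level=$1
    case "$level" in
        HOST|MANDMZ|DMZ) ;;
        *) echo "unknown level: $level (expected HOST, MANDMZ or DMZ)" >&2; return 1 ;;
    esac
    src="$BASTILLE_ETC/$level.config"
    dst="$BASTILLE_ETC/config"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    if [ -f "$dst" ]; then
        cp "$dst" "$dst.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cp "$src" "$dst"
}

# Byte size of a file, or 0 if it does not exist. Bastille appends to
# existing logs, so only growth during this run counts as a new error.
log_size() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# Run the lockdown and classify the outcome for the operator:
#   0  applied cleanly and TODO.txt lists no manual actions
#   2  applied, but TODO.txt lists manual actions still to perform
#   3  new entries in error-log: only a partial lockdown; fix, then rerun
apply_and_check() {
    errlog="$BASTILLE_VAR/log/error-log"
    todo="$BASTILLE_VAR/TODO.txt"
    before=$(log_size "$errlog")
    "$BASTILLE_BIN" -b || echo "bastille -b exited with status $?" >&2
    after=$(log_size "$errlog")
    if [ "$after" -gt "$before" ]; then
        echo "new errors in $errlog; correct them and rerun bastille -b" >&2
        return 3
    fi
    if [ -s "$todo" ]; then
        echo "manual actions remain in $todo" >&2
        return 2
    fi
    return 0
}
```

Because Bastille appends to existing log files on later runs (see “Rerunning Bastille”), the check compares error-log sizes before and after the run rather than testing whether the file exists.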
Rerunning Bastille
You should rerun Bastille whenever new software or patches are installed or if swverify is run with either the -x fix=true or -F option to run vendor-specific fix scripts. It should also be rerun whenever customizations are made that might loosen security. If the log files exist, any new actions or errors are appended to the existing files.

Reverting Bastille
To revert the security configuration to the state before Bastille was run, execute the command:

```
# bastille -r
```

If there are any manual actions that need to be performed to restore the pre-Bastille state, this process creates a file, /var/opt/sec_mgmt/bastille/TOREVERT.txt. It is important that you perform the listed actions.

Uninstalling Bastille
When Bastille is uninstalled from a system with swremove, it does not revert the system to its pre-Bastille state. Instead, it leaves behind a revert-actions script, which allows you to “unapply” Bastille’s changes yourself. Execute the script:

```
# /var/opt/sec_mgmt/bastille/revert/revert-actions
```

Check for a /var/opt/sec_mgmt/bastille/TOREVERT.txt file. It is only created if there are manual actions required. It is important that you perform the listed actions.

(Alternatively, you could execute bastille -r before you uninstall it; see “Reverting Bastille”, above.)

Interactions with Other Software
Since Bastille shuts off services and configures supported HP-UX parameters, some tools that rely on other settings, or services that Bastille turns off, may not be fully functional or may cease to function.

Security Patch Check

Bastille can configure Security Patch Check to run as a daily cron job.

IPFilter

Bastille can configure the IPFilter firewall software to constrain incoming network traffic. TCP/IP Stack performance is slightly slower with a Bastille configuration that utilizes IPFilter.

HP-UX HIDS

If you are also running HP-UX Host Intrusion Detection System, you may need to modify the IPFilter firewall rules. See HP-UX Host Intrusion Detection System Administrator’s Guide for details.

MC/ServiceGuard

MC/ServiceGuard’s use of dynamic ports does not work if the MANDMZ.config or DMZ.config predefined configuration of IPFilter is installed.
Documentation

More information can be found in the following documents:

HP References

- bastille(1M) manpage (in /opt/sec_mgmt/share/man/)
- Bastille User’s Guide, delivered in /opt/sec_mgmt/bastille/docs/user_guide.txt
- HP-UX 11i Version 2 Installation and Update Guide, online at http://docs.hp.com
- HP-UX Host Intrusion Detection System Administrator’s Guide, online at http://docs.hp.com
- Installing and Administering HP-UX IPFilter, online at http://docs.hp.com
- HP-UX Secure Shell A.03.10.X Release Notes, online at http://docs.hp.com

Other References

Command Execution
The bastille command performs the following operations.

- bastille
  Starts an interactive session to create a configuration file for HP-UX in the configuration file, /etc/opt/sec_mgmt/bastille/config.
- bastille -b
  Executes the instructions in the configuration file, automatically making some changes to your system and creating a TODO.txt list of commands for you to edit and execute. You can create the configuration file interactively, as above, or copy a predefined file into the configuration file. This is useful whether you want to use one of the files described in Table 8-5 “Predefined Configuration Files” or to distribute a standard file of your own making to several systems.
- bastille -l
  Lists the configuration files in /etc/opt/sec_mgmt/bastille that correspond to the last run of bastille.
- bastille -r
  Returns your system to its fully “unlockeddown” state, automatically undoing some changes and providing a TODO.txt list of commands for you to edit and execute.
- bastille --os
  Displays the names of operating systems that are supported by Bastille.
- bastille --os osname
  Starts an interactive session to create a configuration file for the osname operating system.
Configuration and Log Files
Bastille uses and/or creates the following configuration and log files:

- /etc/opt/sec_mgmt/bastille/config
  Current configuration file that will be processed by the command bastille -b.
- /etc/opt/sec_mgmt/bastille/DMZ.config
  Predefined configuration file. See “Predefined Configuration Files”.
- /etc/opt/sec_mgmt/bastille/HOST.config
  Predefined configuration file. See “Predefined Configuration Files”.
- /etc/opt/sec_mgmt/bastille/MANDMZ.config
  Predefined configuration file. See “Predefined Configuration Files”.
- /var/opt/sec_mgmt/bastille/log/action-log
  Automatic actions that Bastille performed when applying the current configuration.
- /var/opt/sec_mgmt/bastille/log/error-log
  Errors that Bastille encountered when applying the current configuration.
- /var/opt/sec_mgmt/bastille/log/level-application-actions
  Additional automatic actions that were performed if Bastille was configured and applied with the Install-Time Security feature of Ignite-UX/Update-UX.
- /var/opt/sec_mgmt/bastille/log/level-application-errors
  Additional errors that occurred if Bastille was configured and applied with the Install-Time Security feature of Ignite-UX/Update-UX.
- /var/opt/sec_mgmt/bastille/revert/revert-actions
  Automatic actions that Bastille performed to reverse its lockdown actions.
- /var/opt/sec_mgmt/bastille/security_catalog
  Catalog used by Security Patch Check when configured by Bastille.
- /var/opt/sec_mgmt/bastille/TODO.txt
  Manual actions that need to be performed to complete the process after Bastille applied the current configuration.
- /var/opt/sec_mgmt/bastille/TOREVERT.txt
  Manual actions that need to be performed to complete the process after Bastille reversed its lockdown actions.