Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX 11i v3 Installation and Update Guide: HP Integrity Server Blades, HP Integrity Servers, and HP 9000 Servers > Chapter 3 Choosing an Installation Method

Security Considerations

» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Index

HP-UX Bastille (HPUXBastille) is included as recommended software on the Operating Environment media and can be installed and run with Ignite-UX or Update-UX, (see “Predefined Security Levels”).

HP-UX Bastille is a security hardening and lockdown tool that can be used to enhance security of the HP-UX operating system. It provides customized lockdown on a system-by-system basis by encoding functionality similar to Bastion Host and other hardening and lockdown checklists.

NOTE: For more information about HP-UX Bastille, refer to the HP-UX 11i v3 Release Notes and the HP-UX System Administrator’s Guide.

Predefined Security Levels

At cold-install or update-time, you can choose one of the security levels listed in Table 3-2, with each one providing incrementally higher security.

Table 3-2 Predefined Security Configuration

Security Level

Configuration File Name[1]

Description

Sec00Tools[2]

Not applicableThe install-time security infrastructure; no security changes.

Sec10Host[3]

HOST.config

Host-based lockdown: firewall pre-enablement; some common clear-text services turned off, excluding Telnet and FTP.

Sec20MngDMZ[3]

MANDMZ.config

Lockdown while allowing secure management: IPFilter firewall blocks incoming connections except common, relatively safe, management protocols.

Sec30DMZ[3]

DMZ.config

Network-DMZ Lockdown: IPFilter blocks all incoming connections except HP-UX Secure Shell.

[1] Configuration files are installed to /etc/opt/sec_mgmt/bastille/configs/defaults

[2] Sec00Tools is installed by default.

[3] Sec10Host, Sec20MngDMZ, and Sec30DMZ are selectable.

 

NOTE: When you select either the Sec30DMZ, or MngDMZ security level, IPFilter will restrict inbound network connections. For more information on how to add inbound ports to your /etc/opt/ipf.customerrules file, refer to the HP-UX IPFilter (Version A.03.05.09 and later) Administrator's Guide and the HP-UX System Administrator’s Guide.

Selecting Your Security Levels at Install Time

During installation, you can configure your security levels by navigating to the System tab from the Ignite-UX Graphical User Interface Installation and Configuration dialog box. The System tab allows you to configure information unique to your system such as security levels, hostname, IP address, root password, and the time zone.

For ease of use, HP recommends using the System tab to select the security level appropriate for your deployment as described below.

  1. Do one of the following:

    • If you are using the Ignite-UX GUI, navigate to the System tab (from the Ignite-UX Installation and Configuration dialog box) and select Security Choices.

    • If you are using the Ignite Install HP-UX Wizard, navigate to the Additional Software screen and select Security Choices.

    The four security levels appear. By default, Sec00Tools is selected.

  2. Select the security level appropriate for your deployment. See “Predefined Security Levels” for more information.

  3. Select OK.

Serviceguard Configuration (post-installation) to Enable Use with Security Levels

Configuring Sec20MngDMZ or Sec30DMZ for Use with Serviceguard

Serviceguard uses dynamic ports. To enable operation, the possible-SG port range must be opened. Opening the port range is not consistent with the security goals of Sec20MngDMZ (MANDMZ.config) and Sec30DMZ (DMZ.config) since multiple services (including other rpc-like applications), may also listen to this same port range. The firewall, however, will still provide security benefits consistent with the Serviceguard security deployment model as described in the Securing Serviceguard document at:

http://docs.hp.com/

Before you open the Serviceguard port range make sure you review the required IPFilter-SG rules, which are documented in the HP-UX IPFilter (Version A.03.05.09 and later) Administrator's Guide at:

http://docs.hp.com/en/B9901-90021/B9901-90021.pdf

When the Serviceguard security patch of 2004 is installed, Serviceguard requires one additional service, identd. Enable it by following the steps below.

  1. Edit the HP-UX Bastille /etc/opt/sec_mgmt/bastille/config configuration file by changing the answer to the question:

    Should Bastille ensure inetd's ident service does not run on this system?

  2. Change the answer from Y to N as follows:

    SecureInetd.deactivate_ident="N"

  3. Apply the configuration file changes. You can update your system configuration manually or use HP-UX Bastille to update your system configuration. The former will require fewer steps on systems that have been manually configured, after a user has configured the system using the Bastille tool, and the latter will require fewer steps on systems that had not been manually configured, after a user has configured the system using the Bastille tool.

  4. Do one of the following:

    • Manually update the system configuration: Edit the /etc/inetd.conf file by uncommenting (remove the #) the following line:

      #auth stream tcp6 wait bin /usr/lbin/identd identd

      Force inetd to reread the configuration by running the following command:

      # inetd -c

    • Use HP-UX Bastille to update the configuration: Revert to the previous HP-UX Bastille configuration; then apply the new HP-UX Bastille configuration.

      # bastille -r

      # bastille -b

Configuring HP-UX Bastille Sec10Host

To configure the HP-UX Bastille Sec10 Host, refer to the Securing Serviceguard document at:

http://docs.hp.com/

CAUTION: When reverting to the configuration prior to the use of HP-UX Bastille, note these precautions:
  • Security configuration changes will be undone temporarily.

  • Other manual configuration changes or additional software installed since HP-UX Bastille was initially run may result in HP-UX Bastille requiring a manual merge of configuration settings.

  • Refer to the Bastille question text in the HP-UX System Administrator’s Guide or in the Bastille GUI for detail on the precise interactions.

Security Choice Dependencies

The Sec00Tools security level is installed by default on your system. Although Sec00Tools does not implement any security changes at cold-install- or update-time, it does ensure that the required software (Figure 3-1) is installed. The Sec00Tools security level contains the pre-built configuration files that you can use to create a security level or you can use it as a template to create a custom security configuration. The Sec00Tools security level also ensures that the software needed by those security levels is present.

Alternately, you can lock down your system using one of the following selectable security levels at cold-install- or update-time:

  • Sec10Host

  • Sec20MngDMZ

  • Sec30DMZ

Sec10Host, Sec20MngDMZ, and Sec30DMZ are dependent on Sec00Tools.

Figure 3-1 Install-time Security Software Dependencies

Install-time Security Software Dependencies

Secured Services and Protocols

Each security level provides incrementally higher security by locking down various protocols and services. HP-UX Bastille uses a series of questions to determine which services and protocols to secure. Using one of the security levels applies a default security profile, simplifying the lockdown process.

The following tables detail the services and protocols affected by the security levels, listed in Table 3-2, if you choose to apply one at cold-install- or update-time:

  • Table 3-3 lists the security settings for Sec10Host. These settings also apply to Sec20MngDMZ and Sec30DMZ.

  • Table 3-4 lists the security settings applied with Sec20MngDMZ, in addition to the settings in Table 3-3.

  • Table 3-5 lists the security settings applied with Sec30DMZ, in addition to the settings in Table 3-3 and Table 3-4.

IMPORTANT: Review these tables carefully. Some of the locked down services and protocols may be used by other applications, and may have adverse effects on the behavior or functionality of these applications. For example, HP Systems Insight Manager and ParMgr rely on WBEM to communicate between hosts; Sec30DMZ blocks all incoming WBEM connections via IPFilter, though local and outbound communication is not blocked. In addition, some third-party installation scripts may not correctly handle the more conservative umask value of 027 set by the security levels.

You can change the security settings configured at cold-install- or update-time by running HP-UX Bastille after installing or updating your system. For more information about using HP-UX Bastille, refer to HP-UX System Administrator’s Guide, or the HP-UX Bastille User’s Guide located on your system at: /opt/sec_mgmt/bastille/docs/user_guide.txt

Table 3-3 Host-based Sec10Host Install-time Security Settings[1]

Category

Actions

Logins and Passwords

Deny login unless home directory exists
Deny non-root logins if /etc/nologin file exists
Set a default path for su command
Disable root logins from network tty
Hide encrypted passwords
Disallow ftpd system account logins
Disable remote X logins

File System, Network, and Kernel

Modify ndd settings [2],[3]
Restrict remote access to swlist
Set default umask
Enable kernel-based stack execute protection

Daemons

Disable ptydaemon
Disable pwgrd
Disable rbootd
Disable NFS client daemons
Disable NFS server
Disable NIS client programs
Disable NIS server programs
Disable SNMPD

inetd Services

Deactivate bootp
Deactivate inetd’s built-in services
Deactivate CDE helper services
Deactivate finger
Deactivate ident
Deactivate klogin and kshell
Deactivate ntalk
Deactivate login, shell, and exec services
Deactivate swat
Deactivate printer
Deactivate recserv
Deactivate tftp
Deactivate time
Deactivate uucp
Deactivates Event Monitoring Services (EMS) network communication
Enable logging for all inetd connections

sendmail

Run sendmail via cron to process queue
Stop sendmail from running in daemon mode
Disable vrfy and expn commands

Other Settings

Deactivate HP Apache 2.x Web Server[4]
Set up cron job to run Software Assistant[2]

[1] Security settings listed here also apply to Sec20MngDMZ and Sec30DMZ

[2] Manual action may be required to complete configuration. Refer to /etc/opt/sec_mgmt/bastille/TODO.txt for more information, after install or update.

[3] The following ndd changes will be made:

ip_forward_directed_broadcasts=0
ip_forward_src_routed=0
ip_forwarding=0
ip_ire_gw_probe=0
ip_pmtu_strategy=1
ip_send_source_quench=0
tcp_conn_request_max=4096
tcp_syn_rcvd_max=1000

[4] Settings applied only if software is installed

 

Table 3-4 Additional Sec20MngDMZ Install-time Security Settings[1]

Category

Actions

inetd Services

Includes all disabled inetdservices in Table 3-3 and:

Deactivate ftp
Deactivate telnet
Restrict syslog daemon to local connections

IPFilter Configuration[2]

Block incoming DNS query connections
Block incoming HIDS administration connections[3],[4]
Configure IPFilter to allow outbound traffic, block incoming traffic with IP options set, and all other traffic except for HP-UX Secure Shell, HIDS agent, WBEM, web admin and web admin autostart[5], ICMP echo.

[1] Applies all security configuration settings in Table 3-3

[2] Additional IPFilter rules may be applied via a custom rules file located at /etc/opt/sec_mgmt/bastille/ipf.customrules

[3] HP-UX Host IDS is a selectable software bundle and only available for commercial servers

[4] Settings applied only if software is installed

[5] Manual action may be required to complete configuration. Refer to /var/opt/sec_mgmt/bastille/TODO.txt for more information, after install or update.

 

Table 3-5 Additional Sec30DMZ Install-time Security Settings[1]

Category

Actions

IPFilter Configuration[2]

Includes all IPFilter settings in Table 3-4 and:

Block incoming HIDS agent connections[3],[4]
Block incoming WBEM connections[5]
Block incoming web admin connections
Block incoming web admin autostart connections
Block all traffic except HP-UX Secure Shell
Block ICMP echo

[1] Applies all security configuration settings in Table 3-3 and Table 3-4

[2] Additional IPFilter rules may be applied via a custom rules file located at /etc/opt/sec_mgmt/bastille/ipf.customrules

[3] Settings applied only if software is installed

[4] HP-UX Host IDS is a selectable software bundle and only available for commercial servers

[5] WBEM is required for several HP management applications including HP Systems Insight Manager and ParMgr

 

Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2000-2008 Hewlett-Packard Development Company, L.P.