|
» |
|
|
|
HP-UX Bastille (HPUXBastille) is included as recommended software on the
Operating Environment media and can be installed and run with Ignite-UX
or Update-UX, (see “Predefined Security Levels”). HP-UX Bastille is a security hardening and lockdown tool that
can be used to enhance security of the HP-UX operating system. It
provides customized lockdown on a system-by-system basis by encoding
functionality similar to Bastion Host and other hardening and lockdown
checklists. | | | | | NOTE: For more information about HP-UX Bastille, refer to the HP-UX 11i v3 Release Notes and the HP-UX System Administrator’s
Guide. | | | | |
Predefined Security Levels | |
At cold-install or update-time, you can choose one of the security
levels listed in Table 3-2, with
each one providing incrementally higher security. Table 3-2 Predefined Security Configuration Security Level | Configuration File Name[1] | Description |
---|
Sec00Tools[2] | Not applicable | The install-time security infrastructure; no security
changes. | Sec10Host[3] | HOST.config | Host-based lockdown: firewall
pre-enablement; some common clear-text services turned off, excluding
Telnet and FTP. | Sec20MngDMZ[3] | MANDMZ.config | Lockdown while allowing secure management: IPFilter
firewall blocks incoming connections except common, relatively safe,
management protocols. | Sec30DMZ[3] | DMZ.config | Network-DMZ Lockdown: IPFilter blocks all incoming connections
except HP-UX Secure Shell. |
| | | | | NOTE: When you select either the Sec30DMZ, or MngDMZ security level, IPFilter will restrict inbound
network connections. For more information on how to add inbound ports
to your /etc/opt/ipf.customerrules file, refer
to the HP-UX IPFilter (Version A.03.05.09 and later) Administrator's
Guide and the HP-UX System Administrator’s
Guide. | | | | |
Selecting Your Security Levels at Install TimeDuring installation, you can configure
your security levels by navigating to the System tab
from the Ignite-UX Graphical User Interface Installation and Configuration
dialog box. The System tab allows you to configure information unique
to your system such as security levels, hostname, IP address, root
password, and the time zone. For ease of use, HP recommends using the System tab to select the security level appropriate for your deployment
as described below. Do one of the following: If you are using the Ignite-UX GUI, navigate to the System tab (from the Ignite-UX Installation
and Configuration dialog box) and select Security
Choices. If you are using the Ignite Install HP-UX
Wizard, navigate to the Additional Software screen and select Security Choices.
The four security levels appear. By default, Sec00Tools is selected. Select the security level appropriate for your deployment.
See “Predefined Security Levels” for
more information. Select OK.
Serviceguard Configuration (post-installation) to Enable Use
with Security Levels | |
Configuring Sec20MngDMZ or Sec30DMZ for Use with ServiceguardServiceguard uses dynamic ports. To enable operation, the possible-SG
port range must be opened. Opening the port range is not consistent
with the security goals of Sec20MngDMZ (MANDMZ.config) and Sec30DMZ (DMZ.config) since multiple services (including other rpc-like
applications), may also listen to this same port range. The firewall,
however, will still provide security benefits consistent with the
Serviceguard security deployment model as described in the Securing Serviceguard document at: http://docs.hp.com/ Before you open the Serviceguard port range make sure you review
the required IPFilter-SG rules, which are documented in the HP-UX IPFilter (Version A.03.05.09 and later) Administrator's Guide at: http://docs.hp.com/en/B9901-90021/B9901-90021.pdf When the Serviceguard security patch of 2004 is installed, Serviceguard
requires one additional service, identd. Enable
it by following the steps below. Edit the HP-UX Bastille /etc/opt/sec_mgmt/bastille/config configuration file by changing the answer to the question: Should Bastille ensure inetd's ident service
does not run on this system? Change the answer from Y to N as follows: SecureInetd.deactivate_ident="N" Apply the configuration file changes. You can update
your system configuration manually or use HP-UX Bastille to update
your system configuration. The former will require fewer steps on
systems that have been manually configured, after a user has configured
the system using the Bastille tool, and the latter will require fewer
steps on systems that had not been manually configured, after a user
has configured the system using the Bastille tool. Do one of the following: Manually update the system configuration: Edit the /etc/inetd.conf file by uncommenting (remove the #) the
following line: #auth stream tcp6 wait bin /usr/lbin/identd
identd Force inetd to reread the configuration
by running the following command: # inetd -c Use HP-UX Bastille to update the configuration: Revert
to the previous HP-UX Bastille configuration; then apply the new HP-UX
Bastille configuration. # bastille -r # bastille -b
Configuring HP-UX Bastille Sec10HostTo configure the HP-UX Bastille Sec10 Host, refer to the Securing Serviceguard document at: http://docs.hp.com/ Security Choice Dependencies | |
The Sec00Tools security level is
installed by default on your system. Although Sec00Tools does not implement any security changes at cold-install- or update-time,
it does ensure that the required software (Figure 3-1) is installed. The Sec00Tools security level contains the pre-built configuration files that you
can use to create a security level or you can use it as a template
to create a custom security configuration. The Sec00Tools security level also ensures that the software needed by those security
levels is present. Alternately, you can lock down your system using one of the
following selectable security levels at cold-install- or update-time: Sec10Host, Sec20MngDMZ, and Sec30DMZ are dependent on Sec00Tools. Secured Services and Protocols | |
Each security level provides incrementally higher security
by locking down various protocols and services. HP-UX Bastille uses
a series of questions to determine which services and protocols to
secure. Using one of the security levels applies a default security
profile, simplifying the lockdown process. The following tables detail the services and protocols affected
by the security levels, listed in Table 3-2, if you choose to apply one at cold-install-
or update-time: Table 3-3 lists the security settings for Sec10Host.
These settings also apply to Sec20MngDMZ and Sec30DMZ. Table 3-4 lists the security settings applied with Sec20MngDMZ, in addition to the settings in Table 3-3. Table 3-5 lists the security settings applied with Sec30DMZ, in addition to the settings in Table 3-3 and Table 3-4.
Table 3-3 Host-based Sec10Host Install-time Security
Settings[1] Category | Actions |
---|
Logins and Passwords | Deny login unless home directory exists | Deny non-root logins if /etc/nologin file exists | Set a default path for su command | Disable root logins from network tty | Hide encrypted passwords | Disallow ftpd system account logins | Disable remote X logins |
| File System, Network, and Kernel | Modify ndd settings [2],[3] | Restrict remote access to swlist | Set default umask | Enable kernel-based stack execute protection |
| Daemons | Disable ptydaemon | Disable pwgrd | Disable rbootd | Disable NFS client daemons | Disable NFS server | Disable NIS client programs | Disable NIS server programs | Disable SNMPD |
| inetd Services | Deactivate bootp | Deactivate inetd’s built-in
services | Deactivate CDE helper services | Deactivate finger | Deactivate ident | Deactivate klogin and kshell | Deactivate ntalk | Deactivate login, shell, and exec services | Deactivate swat | Deactivate printer | Deactivate recserv | Deactivate tftp | Deactivate time | Deactivate uucp | Deactivates Event Monitoring Services (EMS) network communication | Enable logging for all inetd connections |
| sendmail | Run sendmail via cron to process queue | Stop sendmail from running in daemon mode | Disable vrfy and expn commands |
| Other Settings | Deactivate HP Apache 2.x Web Server[4] | Set up cron job to run Software Assistant[2] |
|
Table 3-4 Additional Sec20MngDMZ Install-time Security Settings[1] Category | Actions |
---|
inetd Services | Includes all disabled inetdservices in Table 3-3 and: Deactivate ftp | Deactivate telnet | Restrict syslog daemon to local connections |
| IPFilter Configuration[2] | Block incoming DNS query connections | Block incoming HIDS administration connections[3],[4] | Configure IPFilter to allow outbound traffic, block incoming
traffic with IP options set, and all other traffic except for HP-UX
Secure Shell, HIDS agent, WBEM, web admin and web admin autostart[5], ICMP echo. |
|
Table 3-5 Additional Sec30DMZ Install-time Security Settings[1] Category | Actions |
---|
IPFilter Configuration[2] | Includes all IPFilter
settings in Table 3-4 and: Block incoming HIDS agent connections[3],[4] | Block incoming WBEM connections[5] | Block incoming web admin connections | Block incoming web admin autostart connections | Block all traffic except HP-UX Secure Shell | Block ICMP echo |
|
|