topic Re: Cross platform security scoring tool in Operating System - HP-UX

Cross platform security scoring tool

Jeff_Traigle — Thu, 01 Feb 2007 16:19:08 GMT

We've been wanting to standardize on a product for HP-UX and SUSE Linux for more than a year now, but haven't seen a route to take so far. The only tools available seem to be Bastille or the CIS scoring tool.

We've been using the CIS scoring tool on HP-UX, but, until December, they didn't have a version for Linux. After months of delays, they finally do, but it's implemented in Java and it ran like a snail on a trial run I did.

The Linux version of Bastille has the assessment feature available on the current release (3.0) that's supposed to provide a score of some sort. (Haven't tested this yet to see how it performs and what the assessment looks like.) I see that Bastille on software.hp.com is still the 2.0 version, which does not have the assessment feature. Anyone know what the status of getting this feature on HP-UX is?

Any other options you know of that I haven't managed to find?

Re: Cross platform security scoring tool

Jeff_Traigle — Thu, 01 Feb 2007 22:12:58 GMT

Just tested the Bastille assessment and the Linux CIS scoring tool on my temporary SLED 10 system at home. Both ran quickly (less than a minute). The performance issue I saw on SUSE Linux 10.1 system at work with the CIS scoring tool must be specific to that platform.

Anyway, one thing I like about the Bastille report is that it generates both HTML and text versions. The CIS scoring tool only generates an HTML report. With the current CIS scoring tool on HP-UX, we have a script that generates a somewhat parsed diff with the last report generated so our security group can see if a score changes for a system and pinpoint the configuration changes that caused it. I imagine this would be much messier to accomplish with HTML than with straight text.

So I'd still like to know if we can look forward to seeing the latest version of Bastille with the assessment feature in the near future for HP-UX... or other scoring tools that work well on both platforms that generate text reports.

Re: Cross platform security scoring tool

Robert Fritz — Fri, 02 Feb 2007 12:19:02 GMT

Hi Jeff,

The HP-UX version of Bastille 3.0 is completed. Actually, we added some additional GUI/usability/reporting granularity enhancements and a SIM integration as well. I think you'll be pleased.

The s/w will be delivered with HP-UX 11.31, and will be available for 11.23 / 11.11 on the web soon. I'm not sure how long posting the bits will take, but I'd check back in a couple weeks, and then if they're not up, a couple weeks after that.
Hope that helps, and I'd be interested in what you think (I'll monitor this thread for additional posts).

I'm glad you're excited about 3.0, me too :-).

Re: Cross platform security scoring tool

Jeff_Traigle — Wed, 07 Feb 2007 16:06:16 GMT

Hi, Robert. Looks like they got it up there in the past couple of days.

It has me a bit perplexed, however. When I run "bastille --assessnobrowser", I get the report files, but there is no score provided as the Linux version provides. Am I missing something or did the scoring not get implemented in the HP-UX version?

Re: Cross platform security scoring tool

Robert Fritz — Wed, 07 Feb 2007 16:29:32 GMT

Actually, it's in there, just add a scoring file, and the fields all re-appear. At first, we'd had the score appear just as it does on Linux by default, but in our usability feedback, folks were getting confused over the precise meaning of the resultant score.

CIS (and Bastille Linux) currently has a flat weighting, which is a bit odd considering that some configurations have much more security value than others.

Rather than have the default values in HP-UX Bastille display something we thought, frankly, didn't help users understand their security more than just listing the answers, and that our beta testers found confusing, we left that configurable. We have already heard of at least one case where an end-user site preferred their own weighting.

That said, we're gong to spend some time looking at what scoring file we could deliver that would add value.

Re: Cross platform security scoring tool

Steven E. Protter — Wed, 07 Feb 2007 17:27:20 GMT

Shalom,

I've used the Bastille tool on Linux to harden some systems and evaulate them after I tinkered.

I like it and the functionality is worth waiting for on HP-UX (not long).

SEP

Re: Cross platform security scoring tool

Jeff_Traigle — Fri, 15 Jun 2007 13:48:28 GMT

As we're rolling out some 11.23 Itanium systems now, it's time to revisit this and abandon our previous CIS scoring tool that we use on 11.11. (I've already included Bastille as we roll out some SLES systems.) Even though the scoring isn't of much "real" value, it at least gives a number that will appease auditors. Where is the scoring file located? Is there a template somewhere?