topic Re: Bastille Setup in Operating System - HP-UX

Bastille Setup

MikeL_4 — Fri, 29 Oct 2004 07:59:53 GMT

I have installed Bastille on our WEB servers within our DMZ. This is preventing me from doing the required Xwindow session to my workstation to run the configuration.

Is there any way to do this via command line ?

# perl D.5.8.0.B Perl Programming Language
perl.Perl5 D.5.8.0.B Perl for HP-UX
# Bastille B.02.01.01 HP-UX Security Hardening Tool
Bastille.BASTILLE B.02.01.01 HP-UX Security Hardening Tool

Re: Bastille Setup

Steven E. Protter — Fri, 29 Oct 2004 08:06:07 GMT

No, you need X windows access to run Bastille.

It says so in the documentation.

I would suggest you configure a laptop with X emulation and plug it into the DMZ. If the HP-9000 server has a graphics card and monitor, you can run cde at the console and do it right on the server.

Alternatively, you can have the necessary ports openned on the firewall only to and from the IP address you normally run your X emmulation software on.

SEP

Re: Bastille Setup

Gratien D'haese_2 — Fri, 29 Oct 2004 08:16:33 GMT

or, you configure bastille on another (similar) system and do the batch mode (-b option) configuration in the DMZ zone.

Simple and secure,
Gratien

Re: Bastille Setup

Simon Hargrave — Fri, 29 Oct 2004 08:41:13 GMT

Presumably your web servers have ssh installed, and you can ssh to them from your private LAN?

If so then you can configure ssh to tunnel the X-windows traffic back to your local X workstation.

Assuming your web server is not running an X server, the following procedure will work.

From the X Workstation: -

xhost +
ssh webserver1 -R 6000:localhost:6000
(authenticate yourself)
export DISPLAY=localhost:0
bastille

This will setup a tunnel, via your ssh connection, that will redirect all port 6000 traffic on the webserver to port 6000 on your workstation. Therefore DISPLAY=localhost:0 indirectly sends the X traffic to your workstation.

If the web server already uses port 6000 for an XWindows head, you can use a different port, eg: -

ssh webserver1 -R 6001:localhost:6000
(authenticate)
export DISPLAY=localhost:1

etc.

Re: Bastille Setup

Keith Buck — Mon, 01 Nov 2004 13:12:17 GMT

There are other options too:

1. X11Forwarding is recommended if you want to run the GUI on a remote server.

ssh -X root@server

2. The --os option may be used to create a "full" config for a given OS. This lessens the need to have a "similar" non-DMZ server, and you can copy the config out there and apply it with bastille -b. Although the Linux package is not supported by HP, this option can even be used on Linux to create an HP-UX config that can then be
copied over to your server.

3. It is possible to tweak the config manually using an editor. However, I highly recommend creating your first config with the GUI. The explanations of the question are intended to be educational and help you understand the tradeoffs that you are making.

Check out
/opt/sec_mgmt/bastille/docs/user_guide.txt
for some more details.

Hope that helps.

-Keith

Re: Bastille Setup

MikeL_4 — Tue, 02 Nov 2004 10:42:10 GMT

Thanks