
Bastille Setup

SOLVED
MikeL_4
Super Advisor

Bastille Setup

I have installed Bastille on our web servers within our DMZ. This is preventing me from opening the required X Window session to my workstation to run the configuration.

Is there any way to do this via the command line?

# perl D.5.8.0.B Perl Programming Language
perl.Perl5 D.5.8.0.B Perl for HP-UX
# Bastille B.02.01.01 HP-UX Security Hardening Tool
Bastille.BASTILLE B.02.01.01 HP-UX Security Hardening Tool

Steven E. Protter
Exalted Contributor

Re: Bastille Setup

No, you need X Windows access to run Bastille.

It says so in the documentation.

I would suggest you configure a laptop with X emulation and plug it into the DMZ. If the HP-9000 server has a graphics card and monitor, you can run CDE at the console and do it right on the server.

Alternatively, you can have the necessary ports opened on the firewall only to and from the IP address you normally run your X emulation software on.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Solution

Re: Bastille Setup

Or, you configure Bastille on another (similar) system and do the batch-mode (-b option) configuration in the DMZ zone.

Simple and secure,
Gratien
Simon Hargrave
Honored Contributor

Re: Bastille Setup

Presumably your web servers have ssh installed, and you can ssh to them from your private LAN?

If so, then you can configure ssh to tunnel the X Window traffic back to your local X workstation.

Assuming your web server is not running an X server, the following procedure will work.

From the X workstation:

xhost +
ssh webserver1 -R 6000:localhost:6000
(authenticate yourself)
export DISPLAY=localhost:0
bastille

This will setup a tunnel, via your ssh connection, that will redirect all port 6000 traffic on the webserver to port 6000 on your workstation. Therefore DISPLAY=localhost:0 indirectly sends the X traffic to your workstation.

If the web server already uses port 6000 for an X Window head, you can use a different port, e.g.:

ssh webserver1 -R 6001:localhost:6000
(authenticate)
export DISPLAY=localhost:1

etc.
Keith Buck
Respected Contributor

Re: Bastille Setup

There are other options too:

1. X11Forwarding is recommended if you want to run the GUI on a remote server.

ssh -X root@server

2. The --os option may be used to create a "full" config for a given OS. This lessens the need to have a "similar" non-DMZ server, and you can copy the config out there and apply it with bastille -b. Although the Linux package is not supported by HP, this option can even be used on Linux to create an HP-UX config that can then be copied over to your server.

3. It is possible to tweak the config manually using an editor. However, I highly recommend creating your first config with the GUI. The explanations of the question are intended to be educational and help you understand the tradeoffs that you are making.

Check out
/opt/sec_mgmt/bastille/docs/user_guide.txt
for some more details.

Hope that helps.

-Keith
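The batch-mode route that Gratien and Keith describe (build the config on a non-DMZ host, carry it into the DMZ, run bastille -b) is the one that keeps X11 out of the DMZ entirely. The script below is an added example written for this thread, not code from the thread or from the Bastille package: it sanity-checks a staged Bastille config before applying it, since a typo in a hand-copied or hand-edited Module.question="Y" line is easy to make and batch mode gives you no interactive prompt to catch it. The config path /etc/opt/sec_mgmt/bastille/config, the bastille -x GUI flag, and the assumption that bastille -b reads that default path are taken from memory of HP-UX Bastille and should be confirmed against /opt/sec_mgmt/bastille/docs/user_guide.txt; the sample settings in the comments are constructed.

```shell
#!/bin/sh
# Added example for this thread (not Bastille's own tooling).
# Workflow it supports:
#   staging host (non-DMZ, same OS release):  bastille -x   -> answer the questions in the GUI
#   staging host:  scp /etc/opt/sec_mgmt/bastille/config root@webserver1:/tmp/bastille.config
#   DMZ host:      sh this_script.sh --apply /tmp/bastille.config
# Assumption: HP-UX Bastille keeps its config at the path below and reads it in batch mode.
BASTILLE_CONFIG="${BASTILLE_CONFIG:-/etc/opt/sec_mgmt/bastille/config}"

# Every non-comment, non-blank line of a Bastille config has the shape
#   Module.question="value"        e.g.  AccountSecurity.block_system_accounts="Y"
# Returns 0 if the whole file is well-formed, 1 otherwise (bad lines go to stderr).
check_bastille_config() {
    file="$1"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if ! printf '%s\n' "$line" | grep -Eq '^[A-Za-z0-9_]+\.[A-Za-z0-9_]+="[^"]*"$'; then
            printf 'malformed: %s\n' "$line" >&2
            bad=1
        fi
    done < "$file"
    return $bad
}

# Print the value of one setting ("Y", "N", a path, ...), or nothing if it is absent.
# Use it to confirm the settings you care about survived the copy, e.g.
#   bastille_setting /tmp/bastille.config SecureInetd.deactivate_ftp
bastille_setting() {
    file="$1"
    key="$2"
    # escape the dots in the key so sed treats them literally
    pattern=$(printf '%s' "$key" | sed 's/[.]/\\./g')
    sed -n "s/^$pattern=\"\(.*\)\"$/\1/p" "$file"
}

# Number of questions answered "Y": a quick check that the file carries a real
# policy rather than an empty template.
count_enabled() {
    grep -c '="Y"$' "$1" || true
}

# On the DMZ host: refuse malformed input, keep a dated backup of the current
# config, install the staged one, and run batch mode. Review the log Bastille
# writes afterwards (its location is in user_guide.txt) before trusting the result.
apply_bastille_batch() {
    staged="$1"
    if ! check_bastille_config "$staged"; then
        echo "refusing to apply malformed config: $staged" >&2
        return 1
    fi
    echo "$(count_enabled "$staged") settings enabled in $staged"
    if [ -f "$BASTILLE_CONFIG" ]; then
        cp -p "$BASTILLE_CONFIG" "$BASTILLE_CONFIG.$(date +%Y%m%d%H%M%S)"
    fi
    cp "$staged" "$BASTILLE_CONFIG"
    bastille -b
}

# Only touch the system when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    apply_bastille_batch "$2"
fi
```

The check is deliberately strict about the line shape and silent about the question names: Bastille's own question set differs between releases, so the script validates syntax and lets you spot-check the specific answers with bastille_setting rather than hard-coding a list that would go stale.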
MikeL_4
Super Advisor

Re: Bastille Setup

Thanks