12-06-2007 02:02 PM
Bastille and Protected System Web Server?
We're going to set up a web server running 11v3 IA64. This is going to host our mid-tier app that accesses a backend db server.
This box is going to be accessed on our intranet as well as the internet.
Can someone tell me what the differences are between Bastille and Protected System Web Server? I came across these in the sw download section.
We're going to need to harden our system but I am not familiar with these or what is required for initial OS install.
12-06-2007 03:39 PM
Re: Bastille and Protected System Web Server?
Bastille is a tool for generic system hardening at a basic-to-intermediate level.
Protected System Web Server (PS-Webserver) is a specific package for advanced-level hardening of a web server running Apache, Tomcat, CGI programs and/or Web proxies. To successfully use it, you should become familiar with the Security Containment and RBAC features of the operating system (optional in 11i v2, included in 11i v3 and mandatory with PS-Webserver).
If you're intending to use PS-Webserver, read the documentation and prepare to spend significant time in planning your setup. To get the most out of the compartmentalization scheme, you must understand in detail how the requests flow from one component of your web application to another, so that you can define the appropriate compartments and access rules for each component.
PS-Webserver is *not* a magic wand that makes your system secure: it is a kit of professional power tools that allows you to build a very secure web server... or to shoot yourself in the foot with a high-caliber slug.
If you don't understand _and plan for_ the requirements of the PS-Webserver, you may end up doing the equivalent of "chmod 777" to make the application work. Of course, this negates all the additional protection a properly configured PS-Webserver might offer.
You'll want your application designed so that the requests coming from the client-side compartments are as well-defined and restricted as possible. The idea of the compartmentalization is to severely limit the things the intruder can do *when* one compartment is compromised.
For example, the static content of your webpages (images, stylesheets etc.) should be placed so that the primary Apache compartment has no write access to it.
If an intruder gains access to the Apache compartment (by some new Apache exploit, for example), he/she still has no way to deface your web site, even if he/she uses further exploits to gain root access within the compartment... and the presence of root-level processes in the Apache compartment is a good condition for triggering an automatic intrusion alarm.
Disclaimer: I have not used the PS-Webserver, but a quick look through the administration manual in docs.hp.com suggests it has many of the features of the VirtualVault HP-UX 11.04, a special high-security version of 11.00. I maintained some VirtualVault servers for several years, through two major software upgrades.
MK
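The "no write access to static content" rule from the reply above can be checked on any Unix docroot. This is an added example, not part of the original posts and not HP's tooling; it looks only at the classic owner/group/other mode bits (not HP-UX compartment rules or ACLs), and the function name and the web user/group arguments are assumptions.

```shell
#!/bin/sh
# Added example: list everything under a document root that the web server
# identity could modify according to the owner/group/other mode bits.
# Usage: audit_docroot DOCROOT WEB_USER WEB_GROUP
# WEB_USER and WEB_GROUP are names or numeric ids (assumed values, e.g. "www").
# Returns 0 when nothing is writable, 1 when findings were printed, 2 on bad input.
audit_docroot() {
    root=$1 web_user=$2 web_group=$3
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # A writable directory counts as a finding: it lets the web identity
    # create, delete or replace the files inside it.
    # Symbolic links always show mode 0777, so they are skipped; their
    # targets are judged by their own mode bits when they live in the tree.
    findings=$(find "$root" ! -type l \( \
            \( -user  "$web_user"  -perm -0200 \) -o \
            \( -group "$web_group" -perm -0020 \) -o \
            -perm -0002 \) -print | sort)

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

An empty result with exit status 0 means a compromise of the web server identity alone cannot alter the served files through ordinary file permissions.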
12-17-2007 08:43 AM
Re: Bastille and Protected System Web Server?
Bastille is a general-purpose hardening tool with a GUI question/answer format that walks you through the hardening process, including tradeoffs. You should be able to safely (i.e. no application breakages) use Bastille just by erring on the conservative side and answering "No" to not make the system more secure.
If I remember correctly, PS-Webserver uses the Bastille backend to do many of the required hardening steps specific to a webserver, and adds some layers on top of that.
Hope that helps.
-Keith