
Cross platform security scoring tool

 
Jeff_Traigle
Honored Contributor

We've been wanting to standardize on a product for HP-UX and SUSE Linux for more than a year now, but haven't seen a route to take so far. The only tools available seem to be Bastille or the CIS scoring tool.

We've been using the CIS scoring tool on HP-UX, but, until December, they didn't have a version for Linux. After months of delays, they finally do, but it's implemented in Java and it ran like a snail on a trial run I did.

The Linux version of Bastille has the assessment feature available on the current release (3.0) that's supposed to provide a score of some sort. (Haven't tested this yet to see how it performs and what the assessment looks like.) I see that Bastille on software.hp.com is still the 2.0 version, which does not have the assessment feature. Anyone know what the status of getting this feature on HP-UX is?

Any other options you know of that I haven't managed to find?
--
Jeff Traigle
6 REPLIES
Jeff_Traigle
Honored Contributor

Re: Cross platform security scoring tool

Just tested the Bastille assessment and the Linux CIS scoring tool on my temporary SLED 10 system at home. Both ran quickly (less than a minute). The performance issue I saw on the SUSE Linux 10.1 system at work with the CIS scoring tool must be specific to that platform.

Anyway, one thing I like about the Bastille report is that it generates both HTML and text versions. The CIS scoring tool only generates an HTML report. With the current CIS scoring tool on HP-UX, we have a script that generates a somewhat parsed diff with the last report generated so our security group can see if a score changes for a system and pinpoint the configuration changes that caused it. I imagine this would be much messier to accomplish with HTML than with straight text.

So I'd still like to know if we can look forward to seeing the latest version of Bastille with the assessment feature in the near future for HP-UX... or other scoring tools that work well on both platforms that generate text reports.
--
Jeff Traigle
Robert Fritz
Regular Advisor

Re: Cross platform security scoring tool

Hi Jeff,

The HP-UX version of Bastille 3.0 is completed. Actually, we added some additional GUI/usability/reporting granularity enhancements and a SIM integration as well. I think you'll be pleased.

The s/w will be delivered with HP-UX 11.31, and will be available for 11.23 / 11.11 on the web soon. I'm not sure how long posting the bits will take, but I'd check back in a couple weeks, and then if they're not up, a couple weeks after that.
Hope that helps, and I'd be interested in what you think (I'll monitor this thread for additional posts).

I'm glad you're excited about 3.0, me too :-).
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
Jeff_Traigle
Honored Contributor

Re: Cross platform security scoring tool

Hi, Robert. Looks like they got it up there in the past couple of days.

It has me a bit perplexed, however. When I run "bastille --assessnobrowser", I get the report files, but there is no score provided as the Linux version provides. Am I missing something or did the scoring not get implemented in the HP-UX version?
--
Jeff Traigle
Robert Fritz
Regular Advisor

Re: Cross platform security scoring tool

Actually, it's in there, just add a scoring file, and the fields all re-appear. At first, we'd had the score appear just as it does on Linux by default, but in our usability feedback, folks were getting confused over the precise meaning of the resultant score.

CIS (and Bastille Linux) currently has a flat weighting, which is a bit odd considering that some configurations have much more security value than others.

Rather than have the default values in HP-UX Bastille display something we thought, frankly, didn't help users understand their security more than just listing the answers, and that our beta testers found confusing, we left that configurable. We have already heard of at least one case where an end-user site preferred their own weighting.

That said, we're going to spend some time looking at what scoring file we could deliver that would add value.

"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
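The flat-versus-weighted point in the reply above, combined with the report-to-report diff Jeff describes earlier, as an added example that is not part of the thread and is not Bastille or CIS code. The `item=yes|no` report layout, the item names and the weights are all constructed for illustration; they are not the format of either tool's report or scoring file.

```python
# Constructed sample reports. The "item=yes|no" layout and the item names are
# assumptions for this example, not the Bastille or CIS report format.
PREVIOUS = """\
telnet_disabled=yes
ftp_disabled=yes
login_banner_set=no
motd_set=no
"""
CURRENT = """\
telnet_disabled=no
ftp_disabled=yes
login_banner_set=yes
motd_set=yes
"""
# Hypothetical site-chosen weights; items not listed default to weight 1.
WEIGHTS = {"telnet_disabled": 10, "ftp_disabled": 5}


def parse_report(text):
    """Return {item: passed} from 'item=yes|no' lines; skip blanks, comments, junk."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        item, _, answer = line.partition("=")
        results[item.strip()] = answer.strip().lower() == "yes"
    return results


def score(results, weights=None):
    """Percentage of achievable weight earned; weights=None gives flat scoring."""
    weights = weights or {}
    total = sum(weights.get(item, 1) for item in results)
    earned = sum(weights.get(item, 1) for item, ok in results.items() if ok)
    return round(100.0 * earned / total, 1) if total else 0.0


def changed_items(old, new):
    """List (item, old_state, new_state) for items that differ; None = item absent."""
    return [(item, old.get(item), new.get(item))
            for item in sorted(old.keys() | new.keys())
            if old.get(item) != new.get(item)]


if __name__ == "__main__":
    old, new = parse_report(PREVIOUS), parse_report(CURRENT)
    print("flat", score(old), "->", score(new),
          "| weighted", score(old, WEIGHTS), "->", score(new, WEIGHTS))
    print(changed_items(old, new))
```

On this sample the flat score rises between runs while the weighted score drops sharply, because the one heavily weighted item regressed; the item-level diff is what pinpoints it.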
Steven E. Protter
Exalted Contributor

Re: Cross platform security scoring tool

Shalom,

I've used the Bastille tool on Linux to harden some systems and evaluate them after I tinkered.

I like it and the functionality is worth waiting for on HP-UX (not long).

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Jeff_Traigle
Honored Contributor

Re: Cross platform security scoring tool

As we're rolling out some 11.23 Itanium systems now, it's time to revisit this and abandon our previous CIS scoring tool that we use on 11.11. (I've already included Bastille as we roll out some SLES systems.) Even though the scoring isn't of much "real" value, it at least gives a number that will appease auditors. Where is the scoring file located? Is there a template somewhere?
--
Jeff Traigle