Operating System - HP-UX

Re: HP-UX Bastille 2.1 released!

SOLVED
Keith Buck
Respected Contributor

HP-UX Bastille 2.1 released!

The latest release of HP-UX Bastille includes the following:

- Nearly twice the number of HP-UX questions from version 2.0, including explanations of all default inetd services, password policy configuration, and ipfilter firewall setup.

- Basic ipfilter setup allows outgoing connections and their responses, and helps configure certain types of incoming connections. Rules can be added or modified using
/etc/opt/sec_mgmt/bastille/ipf.customrules
Thanks Craig Rantz for his helpful discussion and examples as we started designing this! The Bastille ipfilter configuration is designed to be fairly simple and give a basic working configuration, but flexible enough to tweak for yourself. Let us know how well this fits your needs.

- Automatically reads in answers from your previous run of Bastille for questions that didn't change.

- Reworked Trusted systems section to allow more flexibility on password policies, expired accounts, etc. Will only set password policies if you request it. (Gino Castaldi asked for this here on the itrc forums. Thanks!) Bastille also determines based on your OS and answers whether conversion to trusted mode is necessary.

- Significant compatibility testing with other HP products and improved explanations of compatibility consequences. Please continue to let us know if you find any compatibility issues that are missed in the documentation.

- Tests for relevance before asking a question--will only ask questions for which Bastille can make your system more secure. (GUI is essentially a 'preview mode', explaining in English the actions it would take if you answered yes to the given question and applied the config to the system. Let us know how well this fits your needs!) This also makes it significantly faster to further secure a partially locked-down system, since there are fewer questions to answer.

- --os option to ask ALL questions relevant to a given operating system version. (skips the relevance tests and asks everything.) This allows you to create a standard config on one system, and move it to any other system of the correct OS and apply it without needing a GUI on the locked-down machine. You can also use this to see what questions would be asked by Bastille Linux for a given distribution, if you want to :)

- Bastille Linux Curses interface is unavailable on HP-UX, sorry.

- -l option to list which configs were last applied to the system

Hope you like it!
Ramkumar Devanathan
Honored Contributor
Solution

Re: HP-UX Bastille 2.1 released!

luv it... wherefrom to download this depot? any HP internal sites???

- ramd.
HPE Software Rocks!
Keith Buck
Respected Contributor

Re: HP-UX Bastille 2.1 released!

Patrick Wallek
Honored Contributor

Re: HP-UX Bastille 2.1 released!

I have checked here:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

But it says it is version B.2.01. I don't see version 2.1 yet. Where do we get it from? When will it be on the web site?
Keith Buck
Respected Contributor

Re: HP-UX Bastille 2.1 released!

Bastille 2.1 has version string B.02.01.00. Sorry for the confusion. It's available now!
Patrick Wallek
Honored Contributor

Re: HP-UX Bastille 2.1 released!

Thanks Keith! Got it downloaded and look forward to playing with it.

(No points here please)
Jim Hendrick
Advisor

Re: HP-UX Bastille 2.1 released!

Nice tool.....

Too bad it won't install on HP-UX 11i without ridiculous gyrations.

- dependencies before it will install at all. What would be so hard to write this as a shell script, so a default install of the OS would allow it to work? Oh, excuse me, it wouldn't be able to have a pretty GUI then, now would it?

I actually saw one of the bastille developers post in another forum something to the effect of "why would you want a paper that told you what bastille was doing instead of just being able to click 'go'"

boy, talk about without a clue...

This utility has:

- unclear documentation of *what* those dependencies are (install Perl "Tk" module... there are about 50 of them...)
- no way to run it without t

Not to complain too much here, but I seriously think it would be much better to offer a white paper *along with* the tool that explains what the tool is looking for. (I really have a problem with "click here to make your system secure" from a vendor that ships it insecure to begin with...)

hopefully someone will actually think about these comments...

not that that is likely

(but I feel better :-)

Jim


Steven E. Protter
Exalted Contributor

Re: HP-UX Bastille 2.1 released!

I've installed and run this on several systems without incident.

If by gyrations you mean pre-requisites need to be installed, welcome to Systems Administration. That's the way it goes with many installations.

I think it's a fine product. A belated thanks for letting us know about it.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Mark Greene_1
Honored Contributor

Re: HP-UX Bastille 2.1 released!

I'll be installing this on an rp5410 next week or the week after (depending on when it arrives). I'll report back here how it goes.

mark
the future will be a lot like now, only later
George_Dodds
Honored Contributor

Re: HP-UX Bastille 2.1 released!

Just installed Bastille for the first time on my L2000 11i test box without any hassle.

I had to upgrade the version of Perl but that was straight forward as well.

From first impressions it looks good, simple to use and explains what it's doing.

Cheers

George
Keith Buck
Respected Contributor

Re: HP-UX Bastille 2.1 released!

Jim,

Looks like I should have included the direct dependency link in my post:

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL

We'll look into how to make the dependency info more clear. Anyway, if you install that, you should be fine. This version of Perl is also included on recent 11i media.

We're going to make some printable documentation available too. My question here was meant to ask what *kind* of documentation is most useful, and the responses I got were very helpful.

In the meantime, you may find it helpful to look at this file:
/etc/opt/sec_mgmt/bastille/Questions.txt

It contains all the Bastille GUI text, in a format that is fairly readable using "more" or 'vi'. It also contains Linux questions and I should warn you that it's quite lengthy (but informative, I hope)

If you have any more enhancement requests, please let us know (in order of your priority). We take these kinds of request seriously and prioritize them carefully.

Thanks everyone for your input!

-Keith
John Diamant
Occasional Advisor

Re: HP-UX Bastille 2.1 released!

Jim,

Sorry to hear about your frustrating experience with Bastille pre-requisites. Hopefully other responses have addressed these concerns.

Regarding your comment: '(I really have a problem with "click here to make your system secure" from a vendor that ships it insecure to begin with...)'

I understand your concern if that's how you view HP-UX defaults.

I think we're addressing your concern with functionality we've announced recently and are releasing with 11i v2 called Install-Time Security. This allows administrators to select at install-time whether they want the system installed with services turned off, IPFilter firewall blocking everything but ssh, etc (basically applying most Bastille lockdowns), or install with services enabled as they are now or somewhere in between. We give customers this choice because we've heard from different customers that they want services on by default (e.g. work out-of-the-box) and others like you that want the system security-optimized by default. So, you can install a system with aggressive lockdown applied at install-time and open up only what you want using this new install-time mechanism.

Also, even at the granularity of individual Bastille lockdown questions, we share your concern. Our philosophy with HP-UX is that Bastille only addresses security/functionality/usability *tradeoffs*. Where no tradeoff exists, and there's no good reason for something to be enabled (e.g. less secure configuration with no justifiable tradeoff), instead of adding the question/configuration to Bastille, we treat it as a defect in the default configuration and work to get the default configuration changed. You can see the nature of each tradeoff in the Questions.txt file Keith referenced or by running Bastille interactively.

The problem with turning everything off by default is that while it optimizes security, it does so at the expense of other characteristics, and different customers favor different combinations.
W.C. Epperson
Trusted Contributor

Re: HP-UX Bastille 2.1 released!

John,

Thank YOU for a well reasoned response to the customer's issues. It's good to know that the Bastille folks at HP feed back to the default configurators and try to get gratuitously promiscuous stuff changed.

And of course, "click here to secure your system coming from [those] who ship it insecure" is a canard, anyway. If HP shipped it totally locked down, the same folks who couldn't install and configure Bastille effectively would be unable to get anything to work to start with....

I'm the Chief of Systems Engineering here, have been an HP server customer for 20 years, since the early 3000s, and I've done my share of HP-baiting. But I've been pleased with the Bastille port.

Best regards.
"I have great faith in fools; self-confidence, my friends call it." --Poe
Tim D Fulford
Honored Contributor

Re: HP-UX Bastille 2.1 released!

Hi

Great news. I hope to play with this soon...

I'm really replying to get this thread into my profile so I can refer to it later.

Cheers

Tim
-
Steven Sim Kok Leong
Honored Contributor

Re: HP-UX Bastille 2.1 released!

Hi,

Wonderful! Will this be in tune with CIS benchmarks for HP-UX?

Thanks. Regards.

Steven Sim Kok Leong
Keith Buck
Respected Contributor

Re: HP-UX Bastille 2.1 released!

Steven,

There is substantial overlap between the CIS benchmark and Bastille, and there are several key differences.

Overlap:
- Most of the hardening content/advice in Bastille is also in CIS, and vice versa.
- The CIS HP-UX benchmark in some cases tells you how to use Bastille to perform the given hardening step (i.e. conversion to trusted mode)
- Both will run security_patch_check to find missing patches, both do inetd service audits, both disable several network daemons, etc.

Differences:
- The CIS benchmark has a testing tool, while Bastille is a hardening tool. The CIS testing tool is not designed to distribute configurations to multiple systems, while Bastille is not designed to give you a report of your current status.
- Bastille is supported by HP; with an HP-UX support contract you can call the response center for help. HP has done extensive interoperability testing to ensure that HP-UX components work appropriately or the tradeoff is mentioned in the Bastille question. The CIS benchmark is not supported, and includes some configuration items which are not supported by HP. Thus, if you decide to make any of these configuration changes, keep track of them carefully so they can be reverted if something breaks.
- Bastille configures a host-based firewall (ipfilter), while CIS calls this a 'level 2 benchmark'
- We determined that some of the items in the CIS benchmark did not have significant enough security benefit to include them in Bastille (compared to other content options, such as tcpwrappers/inetd.sec when we had a full host-based firewall). Some of the items were very complex to get right (i.e. secure ntp configuration) and we have those on our 'futures' list.
- The CIS tool gives you a simplified numeric "score". This may be misinterpreted to imply something about how secure your system is. It is actually a measure of the percentage of actions that CIS recommends that you have taken (not weighted by the security risks associated with a given action). So, it's quite possible to have a gaping security hole and still score a 10 on the CIS benchmark. Bastille explains each tradeoff individually and makes no attempt at a scalar representation of your choices. (therefore you can't give your managers a simple score)
- The CIS benchmark is primarily a document (with cut-and-pasteable shell code) while Bastille is primarily a tool (with lots of documentation in a GUI that walks you through choices step-by-step to create your text-based config file)

Maybe that's a little more detail than you wanted, but I hope it's helpful.

-Keith
Steven Sim Kok Leong
Honored Contributor

Re: HP-UX Bastille 2.1 released!

Hi Keith,

That's very valuable insight. I wish I could give you 50 points.

Thanks! Regards.

Steven Sim Kok Leong
Keith Buck
Respected Contributor

Re: HP-UX Bastille 2.1 released!

Steven,

Glad it helped. Maybe if you ask your question in a different post I can paste in my answer and you can give me points. Just kidding :)

On the subject of points, I've been pretty generous in this thread...I didn't actually ask a question so I figure any response is a good answer. The reason I didn't give you 10 on your first is because I misclicked...and I figured 5 for a second response was plenty.

hmmm, 50 points would get me a hat :)

Thanks!

-Keith
Donny Jekels
Respected Contributor

Re: HP-UX Bastille 2.1 released!

Thank you Keith!

Downloaded it and look forward to playing with it. will keep you posted.
"Vision, is the art of seeing the invisible"
Brian Markus
Valued Contributor

Re: HP-UX Bastille 2.1 released!

Great post! I've used the older version in the past; I can't wait to see what the new version can do. I have a box I was planning to lock down tomorrow, this is amazing timing.

-Brian.
When a sys-admin says maybe, they don't mean 'yes'!
Michael Tully
Honored Contributor

Re: HP-UX Bastille 2.1 released!

Hi Keith,

Some large improvements over the last version. Thanks very much for including the ideas from ITRC members.

Cheers
Michael
Anyone for a Mutiny ?
Keith Buck
Respected Contributor

Re: HP-UX Bastille 2.1 released!

Brian,

We actually released this version in April (and that's the date of the original post). Thanks go to Jim for bumping the thread back up to the top! Seems many people missed it the first time around.

Michael,

Glad to see you like the new features. Based on initial downloads, it looked like either everyone was satisfied with the first version, or no one noticed the new release. We were thinking 2x hardening content was significant :)

-Keith
Ravi_8
Honored Contributor

Re: HP-UX Bastille 2.1 released!

Hi,

it's a nice tool, running without any hassle on my servers
never give up
Steven E. Protter
Exalted Contributor

Re: HP-UX Bastille 2.1 released!

I've run through Bastille a few times.

I like the basic ipfilter config, but it would be nice if there were questions that would let you leave port 80 open.

It's also not intuitive how to leave X-Windows connections working after going through the survey.

I also think it's better to put ftp and dns in a chroot jail and have dns started by a secondary user manually, but that's just an opinion.

I do recommend doing the questionnaire with no distractions and plenty of time. Reading the questions carefully and thinking about them helps you come out with a secure system that works the way you expect it to.

This release is a good incremental improvement and as noted earlier, I highly recommend it.

SEP
Keith Buck
Respected Contributor

Re: HP-UX Bastille 2.1 released!

Steven,

We've got ipfilter (optionally) allowing port 80 on our long list of futures, and will add your input to its priority. Hopefully in the meantime it was straightforward to add that rule to your /etc/opt/sec_mgmt/bastille/ipf.customrules file.

As for X traffic, I highly recommend using secure shell tunneling. This way, all of your X traffic goes through port 22 and is automatically authenticated and encrypted (and optionally compressed for fast CPU and low bandwidth networks). This should work out-of-the-box with the most recent version of HP-UX Secure Shell and a secure shell client with X forwarding turned on (and an X server, of course)

As for the Bastille setup of ipfilter, outbound connections and stateful returns are allowed by default (without customizing the rules). So, outgoing X is allowed, and incoming X is allowed only if it's part of a stateful outgoing connection...which is just what a secure shell tunnel will do.

Hope that helps.

-Keith
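As an added illustration of the two ipfilter points raised in this thread (the default "outbound plus stateful returns" policy from the release notes, and the port 80 custom rule discussed just above), the fragment below shows what such rules look like in IPFilter syntax. It is not Bastille's generated ruleset and not code from HP; the interface name lan0 and the presence of an ssh pass rule are assumptions.

```ipf
# Constructed example, not the rules Bastille writes.
# IPFilter evaluates rules in order; "quick" stops at the first match, so
# the pass rules must precede the catch-all block for them to take effect.

# Equivalent of the default policy described in the thread: new outbound
# connections are allowed and their replies are matched from the state table.
pass out quick proto tcp from any to any flags S keep state
pass out quick proto udp from any to any keep state
pass out quick proto icmp from any to any keep state

# Assumed already permitted: inbound ssh (port 22). X forwarding rides inside
# this connection, so no separate X11 (6000+) inbound rule is needed.
pass in quick on lan0 proto tcp from any to any port = 22 flags S keep state

# The custom addition for /etc/opt/sec_mgmt/bastille/ipf.customrules:
# accept new HTTP connections to this host and track them statefully.
pass in quick on lan0 proto tcp from any to any port = 80 flags S keep state

# Everything else inbound is dropped and logged (review these logs after
# opening a service to confirm only the intended port is reachable).
block in log all
```

Once the rules are loaded, `ipfstat -io` lists the active inbound and outbound rules in evaluation order, and `ipfstat -s` shows state-table counters, which is a quick way to confirm that the port 80 rule is in place before the catch-all block and that returning traffic is being matched by state rather than by an overly broad inbound pass.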