Re: HP-UX Bastille - lockdown/hardening tool

Keith Buck
Respected Contributor

HP-UX Bastille - lockdown/hardening tool

I have seen several messages on the security forum asking how to properly secure an HP-UX box. Well, HP-UX Bastille is a tool that will walk you through that process.

Most of the actions are completely automated and all actions are optional (so you don't over-secure your box to the point that it's unusable). It will even help you configure Security Patch Check. The tool is the same codebase as the popular Linux tool, but has a lot of added HP-UX-specific functionality (and without Linux-specific functionality).

A Beta version of this tool is available *right now* and the HP-UX Bastille Development team is very interested in your feedback before our release.

We're currently coordinating with the Linux Bastille team, and I'll post a stable URL when we have one. In the meantime, if you'd like to take it for a spin, just send email to

bastille-feedback@fc.hp.com

with "send me bastille" in the subject line.

We want to know:

1. is this tool useful (somewhat, very, not at all)
2. what does it do well?
3. what is it missing?
- critical functionality
- would be nice to see in the future
4. what do you think about HP participating in the open source process? Would you be willing to help?

You can either send feedback to the email address above or post it here. (I can only assign points if you post it here, of course)

Thanks!

the HP-UX Bastille Development team
Victor_5
Trusted Contributor

Re: HP-UX Bastille - lockdown/hardening tool

It is definitely good news. Actually, I have been looking for this kind of tool for a couple of weeks. I prefer HP's, although there are some third-party ones available. I have sent the message to the email address you mentioned and am waiting for your feedback. I will give you further info once I get a chance to do an evaluation on my box. Thanks!
Mark Greene_1
Honored Contributor

Re: HP-UX Bastille - lockdown/hardening tool

The timing on this is great. We have an L2000 going live in 2 weeks, so I just requested a copy. Will post feedback after I've played with it a bit.

mark
the future will be a lot like now, only later
Keith Buck
Respected Contributor

Re: HP-UX Bastille - lockdown/hardening tool

Victor,

Which 3rd party tools have you looked at? How does Bastille compare for your needs?

Thanks

Mark Greene_1
Honored Contributor

Re: HP-UX Bastille - lockdown/hardening tool

How large is the download supposed to be? The saved file got to 100%, and then kept downloading. I canceled after it got over 8 MB. I was doing the download to my Win98 PC over a T1 connection to the net.

mark
the future will be a lot like now, only later
Keith Buck
Respected Contributor

Re: HP-UX Bastille - lockdown/hardening tool

The gzip'ed version is about 5MB, while the unzipped version is about 9MB. Some browsers unzip for you before they save, so I'm not sure which value your progress indicator is referring to.
Pete Randall
Outstanding Contributor

Re: HP-UX Bastille - lockdown/hardening tool

Keith,

Timely - thanks. I'll be cruising it around soon and let you know what I find.

Pete

Pete
Craig Rants
Honored Contributor
Solution

Re: HP-UX Bastille - lockdown/hardening tool

1. is this tool useful (somewhat, very, not at all) Yes, this is a very useful tool. I have been heavy into Unix security for a while and this covers a lot of items.
2. what does it do well? It explains the reason for the changes and the effects that the changes make to your system very well.
3. what is it missing? The TODO list should include more information such as using IPF_9000, IDS, Trusted Computing Base info...
- critical functionality?
- would be nice to see in the future? Installation options for other security tools
4. what do you think about HP participating in the open source process? Would you be willing to help? I think it is very important that HP participates in the open source process. I would be willing to help, although I don't do a whole lot of programming so...

Great Start!

Craig
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Keith Buck
Respected Contributor

Re: HP-UX Bastille - lockdown/hardening tool

Craig said:

I think it is very important that HP participates in the open source process. I would be willing to help, although I don't do a whole lot of programming so...

Actually, the most important part is writing relevant, useful questions which explain the tradeoffs of each action. From there, the basic steps to implement that action are required, and then implementation and testing.

If you're really interested, you can help even if you're not a programmer.
John Payne_2
Honored Contributor

Re: HP-UX Bastille - lockdown/hardening tool

I think this tool will be very nice. The only thing that I do not like about it is that I had perl v 5.05 installed, and it did not like it. I had to upgrade to a newer version. (Just a pain. Not a problem.) Also, it told me that I was downloading the .gz version of the file, but when I got it to my system, the file was not compressed. I had to drop the .gz extension and just install.

This tool is useful. It had several suggestions for hardening that I had not thought of when I hardened our image.

It doesn't seem to be missing much. I really like how everything you enter in and everything it does is logged. It is really nice to have the output if you need it.

I think HP should participate in the open source process. This will help HPUX pick up things it needs faster. We would be willing to help.

We are a University. (Education.)

Hope it helps

John
Spoon!!!!
Pete Randall
Outstanding Contributor

Re: HP-UX Bastille - lockdown/hardening tool

1. is this tool useful (somewhat, very, not at all)
I found it very useful.
2. what does it do well?
It explains the reasoning behind each of the hardening suggestions quite well.
3. what is it missing?
- critical functionality
none that I'm aware of
- would be nice to see in the future
none that I'm aware of
4. what do you think about HP participating in the open source process?
Great
Would you be willing to help?
If I could

Pete
Keith Buck
Respected Contributor

Re: HP-UX Bastille - lockdown/hardening tool

FYI - the reason for the dependency on Perl 5.6.1 is because that is what Perl/Tk requires.
Pete Randall
Outstanding Contributor

Re: HP-UX Bastille - lockdown/hardening tool

Keith,

As John noted, the .gz version of the file appears not to be zipped. At least gunzip certainly didn't think it was. However, swinstall was perfectly happy to install it with the .gz extension. Just minor nit-picking - not with the product but with the install instructions.

Thanks again,
Pete

Pete
John Payne_2
Honored Contributor

Re: HP-UX Bastille - lockdown/hardening tool

Bastille tries to talk you into shutting down pretty much every service in /etc/inetd.conf. Whether or not you agree to shut services down (or after you refuse to shut them off), it should also make a suggestion to restrict these services via the /var/adm/inetd.sec file. You wouldn't necessarily have to figure out how to get Bastille to edit the file, just explain how inetd.conf works and ask if the user wants to set it in the TODO file. That way, newbie systems guys (or gals) understand how that works and can still get some level of restriction if they leave the services open, and not assume things...

Also, it would be nice if one decides to keep things like ftp open, that it asks if you want to set an ftp umask (i.e. ftp -l -u 002 for the entry for ftp.) That way, if they leave ftp open, the files are protected by whatever umask the user wants, just like you recommend for the regular umask.

Hope it helps

John
Spoon!!!!
dirk dierickx
Honored Contributor

Re: HP-UX Bastille - lockdown/hardening tool

1. is this tool useful (somewhat, very, not at all)

bastille was one of those tools i missed most on hpux. (with regard to security)
no need to say i find it very useful.

4. what do you think about HP participating in the open source process? Would you be willing to help?

i think hp is doing great open source work. bastille is not the only project they are working on. but i see there is still lot of room for improvement on some other projects.
i would certainly like to help, isn't that what 'being open' is all about?

> We're currently coordinating with the Linux Bastille team, and I'll post a stable URL when we have one. In the meantime, if you'd like to take it for a spin, just send email to bastille-feedback@fc.hp.com

bastille linux 2.0-beta with HPUX support is available from the bastille site already:
http://www.bastille-linux.org/
Keith Buck
Respected Contributor

Re: HP-UX Bastille - lockdown/hardening tool

As Dirk mentioned, you can now download HP-UX Bastille 2.0 (Beta) from the Bastille Linux website. http://www.bastille-linux.org
Deshpande Prashant
Honored Contributor

Re: HP-UX Bastille - lockdown/hardening tool

Hi
I'm hoping this will be a really useful tool.

I'm trying to install it and got an error while installing it, for Perl_TK.
I do have Perl 5.6.1 installed on the system.
How do I overcome this?

Thanks.
Prashant.
Take it as it comes.
Bill McNAMARA_1
Honored Contributor

Re: HP-UX Bastille - lockdown/hardening tool

Keith, are you going to put your money on it?!

give us a URL to break into!

Later,
Bill
It works for me (tm)
Keith Buck
Respected Contributor

Re: HP-UX Bastille - lockdown/hardening tool

In response to John Payne's comments:

I have added information about inetd.sec/tcpwrappers (not yet in the Beta version) in the TODO list if the user wants the reminder about securing inetd services.

ftpd has a default umask of 027. This results in reasonably secure permissions to begin with. It's likely that if we added the option to change this, people might actually change it to be less secure.

Thanks for the input!
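As an added example (not from this thread and not part of Bastille), here is a small POSIX shell audit that does what John suggests and what Keith's reply discusses: it lists the services enabled in an inetd.conf, reports the enabled ones that have no entry at all in inetd.sec, and reads the ftpd `-u` umask flag from the ftp line, falling back to the 027 default Keith mentions. The two file layouts below are constructed samples written to a temporary directory; the real HP-UX paths /etc/inetd.conf and /var/adm/inetd.sec come from the thread, and the service lines, hosts and paths in the samples are assumptions for illustration.

```shell
#!/bin/sh
# inetd audit helper (added example, not Bastille code).
# Assumes HP-UX layouts: inetd.conf is "service type proto wait user server args"
# and inetd.sec is "service allow|deny hostlist". Only the presence of an
# inetd.sec entry is checked; allow/deny semantics are left to the reader.

# Print the service name of every enabled (uncommented, non-empty) line.
active_services() {
    awk '$0 !~ /^[ \t]*(#|$)/ { print $1 }' "$1"
}

# Print enabled services from inetd.conf ($1) that have no line in inetd.sec ($2).
unrestricted_services() {
    awk -v sec="$2" '
        FILENAME == sec { if ($0 !~ /^[ \t]*(#|$)/) seen[$1] = 1; next }
        $0 !~ /^[ \t]*(#|$)/ && !($1 in seen) { print $1 }
    ' "$2" "$1"
}

# Print the umask given to ftpd with -u on the enabled ftp line, the 027
# default stated in the thread when no -u is present, or a note if ftp is off.
ftpd_umask() {
    awk '$0 !~ /^[ \t]*(#|$)/ && $1 == "ftp" {
            found = 1
            # server arguments start at field 7 (argv[0] of the server)
            for (i = 7; i <= NF; i++)
                if ($i == "-u" && i < NF) { print $(i + 1); exit }
            print "027 (ftpd default)"; exit
         }
         END { if (!found) print "ftp not enabled" }' "$1"
}

# Write constructed sample files into directory $1 (not real system files).
write_samples() {
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample in /etc/inetd.conf layout
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l -u 002
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
#finger stream tcp nowait bin  /usr/lbin/fingerd fingerd
EOF
    cat > "$1/inetd.sec" <<'EOF'
# constructed sample in /var/adm/inetd.sec layout; 192.0.2.0/24 is documentation space
ftp allow 192.0.2.*
EOF
}

# Human-readable summary for the files in directory $1.
report() {
    echo "Enabled inetd services:"
    active_services "$1/inetd.conf" | sed 's/^/  /'
    echo "Enabled but without any inetd.sec entry (unrestricted):"
    unrestricted_services "$1/inetd.conf" "$1/inetd.sec" | sed 's/^/  /'
    echo "ftpd umask: $(ftpd_umask "$1/inetd.conf")"
}

sample_dir=$(mktemp -d) || exit 1
write_samples "$sample_dir"
report "$sample_dir"
rm -rf "$sample_dir"
```

On a real system you would point the three functions at /etc/inetd.conf and /var/adm/inetd.sec instead of the samples; the "unrestricted" list is exactly the set of services John's suggested TODO reminder would be about, and the umask line shows whether the ftp entry already carries the `-u` flag he describes.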

Steven Sim Kok Leong
Honored Contributor

Re: HP-UX Bastille - lockdown/hardening tool

Hi,

I have found the CIS Security benchmark for HP-UX a very decent and detailed resource for manual hardening of HP-UX (up to HP-UX 11i, i.e. it talks about disabling the executable stack, etc.).

http://www.cisecurity.org/bench_HPUX.html

It could serve as one source of reference for additional hardenings that may be worth automating in HP-UX Bastille.

Hope this helps. Regards.

Steven Sim Kok Leong
Santosh Nair_1
Honored Contributor

Re: HP-UX Bastille - lockdown/hardening tool

I had been looking for HP-UX Bastille to come out for quite some time... it's great to hear that it will be released soon. Feedback will be coming on Tuesday when I get a chance to load it. Thanks for the heads up.

-Santosh
Life is what's happening while you're busy making other plans
Michael Tully
Honored Contributor

Re: HP-UX Bastille - lockdown/hardening tool

Prashant,

You *need* to install the B.5.6.1.C version of perl from http://www.software.hp.com
The existing version 5.6.1 on its own will not work. The version from the porting centre will not work either. The link to the perl depot software is in Keith's email, which you would have received. I had the same problem and this is how it was solved.

Cheers
~Michael~
Anyone for a Mutiny ?
Keith Buck
Respected Contributor

Re: HP-UX Bastille - lockdown/hardening tool

In response to Craig's (and Bill's!) comments, I have added another question and TODO text which explains that Bastille is only part of an overall security solution and gives pointers to other tools available from HP (IDS/9000, AAA server, etc.). I also beefed up the IPFilter section to remind people to make sure that it is configured.

In response to Steven's comments: Yes, we have looked at the CIS benchmark for candidates for inclusion into Bastille. Using Bastille can raise your CIS score substantially. (try it and let us know what you find!) Hopefully we will be including more of these items in the future. Any indications as to which of those items would be most important to you would be helpful.

When deciding upon the most important things to do first, we looked at the HP-UX Bastion Host whitepaper, Bastille Linux, and several customers' hardening scripts/procedures. If any of you have a step in your hardening procedure that is still missing, let us know.
If you'd like to see it go into Bastille sooner, you can provide us with a well-written explanation of the trade-offs (like Bastille questions today) and/or a step-by-step procedure to automate it (run this command, append a line to this file, etc.) That way it will be ready to include in Bastille quickly and you will be helping HP to serve your needs better through the open source process.
Wodisch
Honored Contributor

Re: HP-UX Bastille - lockdown/hardening tool

Hello Keith,

first, thanks for your work on this!
Then, since I was not able to install it on a local system here (back from Qatar at 6:30am, 1 hour travel from the airport, first meeting at 10:00am = have had no time, yet), a few questions:
- do you have (and maintain) a list of "least privileges" for directories/devices/files?
- do you describe only the basic operating system, or even some (all?) of the OpenView tools (other HP products)?
- does it include all the details usually given by Bill Hassell on this topic?
- does it use "ssh" and "scp" (or "rsync" over "ssh") instead of "telnet" and "ftp"?
- will this be "recommended" or even be "supported" by HP?

Regards,
Wodisch
Gino Castoldi_2
Honored Contributor

Re: HP-UX Bastille - lockdown/hardening tool

Hi Keith,

Since locking down a server is a time consuming process, something like this can only help. Sounds like the same thing they have for Sun Solaris (YASSP, etc).

Hopefully since this is a HP product it will be able to "handle" the full suite (or most of them anyway) of OpenView products.

HTH, Gino.