
HP-UX Bastille or TCB Trusted mode?

 
Dacosta
Occasional Contributor

HP-UX Bastille or TCB Trusted mode?

In my environment, I need to secure my HP-UX. I have many options, but I found the HP-UX Bastille scripts, or I can "upgrade" my system to Trusted Mode. In both cases, I add security for passwords (/etc/passwd), add auditing and other security things.
The question is: can I use Bastille, or use Trusted Mode, or use Bastille in Trusted Mode? Are they mutually exclusive?
Mel Burslan
Honored Contributor
Solution

Re: HP-UX Bastille or TCB Trusted mode?

Bastille is a completely locked-down version of HPUX. The best use of Bastille servers is for servers at the edge of your corporate network, like mail relays or web servers which are directly facing the big, bad internet. Bastille servers are usually used in daemon-driven mode. Interactive access to Bastille servers is discouraged and usually not allowed, to prevent unauthorized accidental access from unwanted people.

Trusted computing, on the other hand, is a way of enabling more security features on your HPUX server, making it easier to audit. I am not sure if a trusted server is mutually exclusive from a bastion server. But if you are talking about securing a server that many people log in to and out of every day, a TCB (trusted computing) server is the way to go. If you are going to need a server to handle your company web site, facing the internet every day, but interactive access will be few and far between, use bastion servers.

Hope this helps
________________________________
UNIX because I majored in cryptology...
Bill Hassell
Honored Contributor

Re: HP-UX Bastille or TCB Trusted mode?

A Trusted system handles internal security only -- things like password rules, login rules, etc. Bastille is a system-wide lockdown which includes a few items for the internal machine but mostly deals with network access. Trusted gives you a single environment whereas Bastille allows you to pick and choose the elements you want to secure. It will recommend Trusted or shadowed mode, but you can choose to ignore any or all of the Bastille directives.

If you have to secure your system, download the security_patch_check script from software.hp.com. Run the program to get a listing of problems, fix them all, then convert to Trusted, and run Bastille. Now start testing to see if some application fails due to high security.


Bill Hassell, sysadmin
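
A pre-check that could be run before the Trusted conversion and Bastille steps discussed in this thread, added here as an example and not posted by any participant: it reports whether a root tree is in Trusted Mode, shadowed mode or neither, and names the accounts whose password hash still sits in /etc/passwd. The function names and the sample tree are constructed for illustration; /tcb/files/auth and /etc/shadow are the standard HP-UX locations for the protected password data.

```shell
#!/bin/sh
# Added example: classify the password-storage mode of an HP-UX root tree
# and list accounts whose hash is still readable in /etc/passwd.
# Passing a ROOT other than / lets the check run against a copy of a system.

# auth_mode ROOT -> prints: trusted | shadow | standard
auth_mode() {
    root=${1:-/}
    if [ -d "$root/tcb/files/auth" ]; then
        echo trusted      # Trusted Mode keeps hashes under /tcb/files/auth
    elif [ -f "$root/etc/shadow" ]; then
        echo shadow       # shadowed mode keeps hashes in /etc/shadow
    else
        echo standard     # hashes live in the world-readable /etc/passwd
    fi
}

# exposed_hashes ROOT -> prints login names whose passwd field holds a hash.
# "*..." (locked or moved to the TCB) and "x" (moved to shadow) are skipped;
# empty fields are a separate problem and are not reported here.
exposed_hashes() {
    root=${1:-/}
    awk -F: '$2 != "" && $2 != "x" && $2 !~ /^\*/ { print $1 }' \
        "$root/etc/passwd"
}

# Demo on a constructed tree (sample accounts and hash are made up).
demo() {
    d=${TMPDIR:-/tmp}/authmode.$$
    mkdir -p "$d/etc" || return 1
    {
        echo 'root:AbCdEfGhIjKlM:0:3::/:/sbin/sh'
        echo 'daemon:*:1:5::/:/sbin/sh'
        echo 'oper:x:101:20::/home/oper:/usr/bin/sh'
    } > "$d/etc/passwd"
    echo "mode: $(auth_mode "$d")"
    echo "hash still in passwd: $(exposed_hashes "$d")"
    rm -rf "$d"
}

demo
```

Run with no argument against a live system, `auth_mode` and `exposed_hashes` read `/`; an empty result from `exposed_hashes` after conversion confirms no hash was left behind in /etc/passwd.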
Steven E. Protter
Exalted Contributor

Re: HP-UX Bastille or TCB Trusted mode?

Shalom,

I recommend both approaches.

Note that Bastille makes your system more efficient because it stops vulnerable and little used daemons from running.

Bastille is not required to bring a system to trusted mode.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Robert Fritz
Regular Advisor

Re: HP-UX Bastille or TCB Trusted mode?

Hi there,

I'm on the HP-UX Bastille team, and I'd like to add a couple clarifications, if I may. Bastille is a security-configuration engine. It allows you to either use the GUI to interactively and selectively configure your system to be more secure. Alternatively, HP ships some "canned" security profiles with 11.23, that you can select at installation time (see HP-UX Install and Update Guide for reference). One of the many things Bastille can do is enable Trusted Mode, which gives you access to some better account-security policy settings on 11.11 and early 11.23 releases. In later 11.23 OEUR's and in upcoming 11.31 (see 11.31 press release), most of the settings that required Trusted Mode... no longer do... and since Trusted Mode does have some (minor) PAM support issues, I'd recommend only using Trusted Mode on 11.11 and pre OEUR 0505 11.23.

All that said, if you use Bastille... it will just figure out your best settings / conversion options based on the policies you set :-).

Also note that security is not just for servers on the edge of your network. There are a growing number of studies that show the threat is on the inside as well, so lock-down is important throughout your enterprise. See interesting stats from McAfee as quoted from Bruce Schneier:
* One in five workers (21%) let family and friends use company laptops and PCs to access the Internet.
* More than half (51%) connect their own devices or gadgets to their work PC.
* A quarter of these do so every day.
* Around 60% admit to storing personal content on their work PC.
* One in ten confessed to downloading content at work they shouldn't.
* Two thirds (62%) admitted they have a very limited knowledge of IT Security.
* More than half (51%) had no idea how to update the anti-virus protection on their company PC.
* Five percent say they have accessed areas of their IT system they shouldn't have.
http://www.schneier.com/blog/archives/2005/12/insider_threat.html
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin