HPE Community
Operating System - HP-UX
1830234 Members
2392 Online
109999 Solutions
New Discussion

HPUX Bastion Host Hardening Script

 
James Beamish-White
Trusted Contributor

‎10-11-2001 05:43 AM

‎10-11-2001 05:43 AM

HPUX Bastion Host Hardening Script

Hi all,

I am working on writing a script to relatively automate the process for hardening an HP box as suggested by the Bastion Host document. Then I thought that maybe someone has already done it.... anybody?

If not, would anyone like to a) help out in writing the script (I recognise I am only *so* good at scripting), or b) receive a copy of this script once it's completed?

James
GARDENOFEDEN> create light
0 Kudos
Reply
10 REPLIES 10
harry d brown jr
Honored Contributor

‎10-11-2001 05:51 AM

‎10-11-2001 05:51 AM

Re: HPUX Bastion Host Hardening Script

That's a rather hefty task, because hardening, making it a bastian host, usually requires you to NOT install NFS and some other network type components at the point of cold-installation. I've built over a dozen of these bastian servers (we converted all of our virtual vaults to bastian hosts), and what we did, was to build one, and then do a make recovery on the rest (most of our Virtual Vaults were mostly identical). None of our bastian servers have inetd running, and they are surrounded by cisco pix's and Raptor firewalls, as well as port filtering routers.
Live Free or Die
0 Kudos
Reply
James Beamish-White
Trusted Contributor

‎10-11-2001 05:58 AM

‎10-11-2001 05:58 AM

Re: HPUX Bastion Host Hardening Script

To explain myself further, I was planning on making this script from after the point of installing security patches. A question/answer script to check if the system requires inetd or just removal of services.

I have moved to several companies where I need to do hardening inistally before starting to make make_recovery. I would prefer not to do it all manually all the time ;-)

James
GARDENOFEDEN> create light
0 Kudos
Reply
linuxfan
Honored Contributor

‎10-11-2001 06:01 AM

‎10-11-2001 06:01 AM

Re: HPUX Bastion Host Hardening Script

Hi,


At the present time, there are no scripts that i am aware of, that does this completely. THere are couple of good articles which lead you through it.

In fact HP is coordinating this with (Jay Beale's bastille linux ( http://www.bastille-linux.org ) to come up with something similar for HP) but there is nothing out there right now.

Here are couple of links though

http://www.hp.com/products1/unix/operating/hpux11i/alwayssecure.html

http://people.hp.se/stevesk/bastion11.html

-HTH
Ramesh
They think they know but don't. At least I know I don't know - Socrates
0 Kudos
Reply
linuxfan
Honored Contributor

‎10-11-2001 06:03 AM

‎10-11-2001 06:03 AM

Re: HPUX Bastion Host Hardening Script

Hi,

This is what i was talking about.


http://www.bastille-linux.org/press-release-1.2.html

-Regards
Ramesh
They think they know but don't. At least I know I don't know - Socrates
0 Kudos
Reply
Curtis Larson_1
Valued Contributor

‎10-11-2001 06:46 AM

‎10-11-2001 06:46 AM

Re: HPUX Bastion Host Hardening Script

I found the armor tool to have some interesting feature that you might be able to make use of

http://forums.itrc.hp.com/cm/QuestionAnswer/1,11866,0xd5dcf841489fd4118fef0090279cd0f9,00.html
0 Kudos
Reply
Bernie Vande Griend
Respected Contributor

‎10-11-2001 07:09 AM

‎10-11-2001 07:09 AM

Re: HPUX Bastion Host Hardening Script

Writing an all purpose bastion script may be difficult as same things depend on an individual's server's purpose. However, I think that a lot of items that are done after the OS install can be scripted. If you do not want to wait for the above to happen, I would gladly help in this effort as it is on my "to-do list" anyway. Let me know.
Ye who thinks he has a lot to say, probably shouldn't.
0 Kudos
Reply
James Beamish-White
Trusted Contributor

‎10-12-2001 12:39 AM

‎10-12-2001 12:39 AM

Re: HPUX Bastion Host Hardening Script

Attached is my first cut of the script. The next things I plan to do:

* Try and remember how to add user choice to options.
* Script removal of services in /etc/inetd.conf, and restart of inetd
* Do a check to ensure an admin type user is set up so they can still access the box if they use ssh or telnet.

Note that I haven't even run this script yet, so it might not work ;-)

James
GARDENOFEDEN> create light
0 Kudos
Reply
harry d brown jr
Honored Contributor

‎10-12-2001 05:36 AM

‎10-12-2001 05:36 AM

Re: HPUX Bastion Host Hardening Script

James,

If I get some time next week, I'll help you out on this, as I now see you have an excellent foundation to build upon. One of the important things, in my opinion (all two cents worth), is that products like nfs, if not being used, should have all the binaries deleted from the system. Thus making a hackers job just that more difficult.

I can be reached at hbrown@paychex.com

thanks,

hdb
Live Free or Die
0 Kudos
Reply
David Lodge
Trusted Contributor

‎10-15-2001 08:39 AM

‎10-15-2001 08:39 AM

Re: HPUX Bastion Host Hardening Script

Feel free to give me a shout if you need some help with the scripting side... I started to do something similar for building a HP-UX 11.00 to our building standards. (fenrir@ntlworld.com)

A point for things like inetd - it is easier to provide a file rather than to try and edit it on the fly...

dave
0 Kudos
Reply
Keith Buck
Respected Contributor

‎12-06-2001 02:38 PM

‎12-06-2001 02:38 PM

Re: HPUX Bastion Host Hardening Script

Hi.

I thought you'd like to know that development of Bastille for HP-UX is underway and the current code is all available using the instructions at:

http://sourceforge.net/cvs/?group_id=403

Also, you can subscribe to the developer's list at

http://lists.sourceforge.net/lists/listinfo/bastille-linux-discuss

I would love to hear your comments about the current status and directions you'd like to see us take. Also, anyone interested in contributing code, check out what you think still needs to be added!

-Keith
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.