suggestion needed

Crystal_1
Frequent Advisor

suggestion needed

Hi,

I just got a big project which requires me to review the security of all our Unix servers, more than a couple of hundred, including HP-UX machines...

I am thinking that I could use an automated tool to handle all the review. I know HP-UX Bastille and other benchmarks mentioned in the forum might be helpful. However, because of the business environment, I could not just simply run this tool and re-harden boxes without the sign-off from clients...

What I am thinking is that there might be a complete shell script that I can run to generate a security assessment report. The script can check all the security vulnerabilities... In fact this is similar to other products, such as benchmarks...

I haven't used any product to do similar work. I don't have enough confidence about it...

Please feel free to talk about your ideas...

Tx, Crystal
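The kind of read-only assessment script asked about above, added here as an example and not a script from anyone in this thread. Every check only reads the file or directory it is given and prints findings; the passwd, inetd.conf and directory contents are constructed samples, not real system files.

```shell
#!/bin/sh
# Added example: a report-only security assessment helper. It never changes
# anything on the host; it reads the paths it is given and prints findings.
# The sample data below is constructed so the script runs on any system.

# Report accounts whose password field is empty (passwd or shadow format).
check_empty_passwords() {
    while IFS=: read -r user pw rest; do
        if [ -z "$pw" ]; then echo "EMPTY-PASSWORD $user"; fi
    done < "$1"
}

# Report every UID-0 account other than root (extra superusers).
check_extra_uid0() {
    while IFS=: read -r user pw uid rest; do
        if [ "$uid" = 0 ] && [ "$user" != root ]; then echo "EXTRA-UID0 $user"; fi
    done < "$1"
}

# Report services still enabled (not commented out) in an inetd.conf.
check_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print "INETD-ENABLED " $1 }'
}

# Report world-writable regular files under a directory (find only reads).
check_world_writable() {
    find "$1" -type f -perm -0002 | sed 's/^/WORLD-WRITABLE /'
}

# Build a constructed sample environment in a temp dir and print the report.
run_sample_report() {
    d=$(mktemp -d)
    printf 'root:x:0:0::/:/sbin/sh\nguest::200:20::/home/guest:/sbin/sh\nbackup:x:0:1::/:/sbin/sh\n' > "$d/passwd"
    printf '# ftp stream tcp nowait root /usr/lbin/ftpd ftpd\ntelnet stream tcp nowait root /usr/lbin/telnetd telnetd\n' > "$d/inetd.conf"
    : > "$d/notes.txt"; chmod 666 "$d/notes.txt"   # constructed world-writable file
    check_empty_passwords "$d/passwd"
    check_extra_uid0 "$d/passwd"
    check_inetd_services "$d/inetd.conf"
    check_world_writable "$d"
    rm -rf "$d"
}

run_sample_report
```

Pointing the check functions at real files (for example /etc/passwd and /etc/inetd.conf) produces the same style of report for a live host without modifying it.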
Craig Rants
Honored Contributor

Re: suggestion needed

If you want, I'll send you a shell script that I wrote to check the security of our boxes. It is pretty complete, not fancy like Bastille, but...

I must add that not one tool will give you a complete security solution. Experience and vigilance are your best friend in the security world.

Also, if I had one tool and only one tool, it would be IPF/9000. It is product B9901AA on App CD 1. 11x only.

Let me know,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Pete Randall
Outstanding Contributor

Re: suggestion needed

Crystal,

That's exactly what Bastille does. You don't have to change anything and it writes out a report of recommendations. It's perfect for your needs.

Pete

Pete
Crystal_1
Frequent Advisor

Re: suggestion needed

Craig,

Sure, please email me at crystal.mo@intria.com
Thanks...

As to Bastille, I did install it on one machine. I have a couple of concerns here:

1. After I answer all the questions, it asks me if I want to implement it now by clicking 'yes' or 'no'. I don't want to apply it and choose no. I can't get out of the window or get any report... Maybe I am not familiar with the usage...

2. Bastille is still being developed and it requires Perl to be installed. I can ensure the program code doesn't have bugs or bring other security issues in...

Crystal
Keith Buck
Respected Contributor

Re: suggestion needed

Crystal,

The Bastille user interface will tell you about a lot of security issues and what to do about them. Applying the changes you request will then make changes to the system.

Bastille is not designed as a vulnerability assessment tool, which would detect and report potential security problems. It happens to do some of that as a result of recommending hardening steps that might be applicable, but errs on the side of suggesting the security change if you might need it, rather than verifying that a vulnerability does indeed exist.

Some options are:
Craig's script (which I have seen as well)
CIS scanner (does a fairly nice report and does not make any changes)
Tiger (can contain a lot of noise about things you don't need to worry about, and is a little out-of-date, but still fairly easy to use)
There are several commercial scanners available, depending on your budget.


Now, once you have a report and have permission to make some of the changes, Bastille can certainly help. Using it, you can ensure that changes are made consistently across all machines as well as understand better the tradeoffs of each action.

As far as bugs in Bastille, we have not had any bug reports since we started the Beta. All of the feedback we have received has been suggestions for content improvement (which is, of course, what we hoped for)

Bastille does not do any communication with other processes, and can only be run by root. Anything which can be done with Bastille can be done manually without it. In the field of security, there are no guarantees, but the risk of Bastille adding any security issues to your system is quite low.

Hope that clarifies things. Thanks for your feedback!

-Keith
Nick Wickens
Respected Contributor

Re: suggestion needed

Our external auditors used a rather extensive script to produce masses of problems (sorry... challenges!) for me in a large security report. I do have a copy on file but it's probably copyright to them (although it's just standard scripting).

Check their site at http://www.sekchek.com - The download of the script seems to be free.
Hats ? We don't need no stinkin' hats !!
Crystal_1
Frequent Advisor

Re: suggestion needed

Craig,

I have been waiting for your response so long. Could you please give me a shout and email me the script you wrote as a reference?

Tx, Crystal
Pete Randall
Outstanding Contributor

Re: suggestion needed

Crystal,

One more suggestion:

Refer to the following thread:
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x96b70bce6f33d6118fff0090279cd0f9,00.html

It may not seem to apply at first, but keep reading, I'm sure you'll discover its pertinence.

Enjoy the forums,
Pete

Pete
Roberto Severo
Advisor

Re: suggestion needed

Hi Crystal,

You should try Saint. It's a vulnerability assessment tool.
It's pretty cool...

http://www.wwdsi.com/saint/
Steven Sim Kok Leong
Honored Contributor
Solution

Re: suggestion needed

Hi,

Nessus is the ultimate open source scanner if you want to audit your systems across the network with the latest vulnerability checks.

http://www.nessus.org

Because it is open source and has a huge pool of volunteers writing vulnerability checks for it (the scripting language for writing vulnerability checks is pretty easy to use), checks always become available extremely quickly once a vulnerability is known, unlike much other similar software.

Hope this helps. Regards.

Steven Sim Kok Leong
Billy_9
New Member

Re: suggestion needed

Hi Crystal

In my browsing for a similar tool that will help with security reporting I found an awesome team that could help you out. I don't think they charge, as yet.

Send a mail to info@AzureIQ.com
V. V. Ravi Kumar_1
Respected Contributor

Re: suggestion needed

Hi,
Visit the website of the Center for Internet Security:
www.cisecurity.org.
There you can download tools to assess your system security and generate some reports. Download the HP-UX benchmark document from there.

Regards
Never Say No
harry d brown jr
Honored Contributor

Re: suggestion needed

Crystal,

There is a feature in your profile that allows you to find previous Questions you have posted, which makes it easier to take care of this:

This member has assigned points to 55 of 122 responses to his/her questions.

http://forums.itrc.hp.com/cm/TopSolutions/1,,CA749589!1!questions,00.html

live free or die
harry


Live Free or Die