
IMPORTANT: Review these tables carefully. Some locked-down services and protocols might be used by other applications and have adverse effects on the behavior or functionality of these applications. You can change these security settings after installing or updating your system.

Table A-2 Host-based Sec10Host, Sec20MngDMZ, and Sec30DMZ security settings

Columns: Action, Category. Numbers in parentheses after an action are the table's footnote markers; the footnote text is on a later page of the guide.

Category: Logins and passwords
    Deny login unless home directory exists
    Deny non-root logins if /etc/nologin file exists
    Set a default path for su command
    Deny root logins from network tty
    Hide encrypted passwords
    Deny ftp system account logins
    Deny remote X logins

Category: File system, network, and kernel
    Modify ndd settings (1, 2)
    Restrict remote access to swlist
    Set default umask
    Enable kernel-based stack execute protection

Category: Daemons
    Disable ptydaemon
    Disable pwgrd
    Disable rbootd
    Disable NFS client daemons
    Disable NFS server
    Disable NIS client programs
    Disable NIS server programs
    Disable SNMPD

Category: inetd services
    Disable bootp
    Disable inetd built-in services
    Disable CDE helper services
    Disable finger
    Disable ident
    Disable klogin and kshell
    Disable ntalk
    Disable login, shell, and exec services
    Disable swat
    Disable printer
    Disable recserv
    Disable tftp
    Disable time
    Disable uucp
    Disable Event Monitoring Services (EMS) network communication
    Enable logging for all inetd connections

Category: sendmail
    Run sendmail via cron to process queue
    Stop sendmail from running in daemon mode
    Disable vrfy and expn commands

Category: Other settings
    Disable HP Apache 2.x Web Server (3)
    Set up cron job to run SWA (1)
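As an added example (editor's code, not from the HP-UX Bastille guide or the Bastille project), the following POSIX shell script audits copies of a host's /etc/inetd.conf and /etc/rc.config.d files against the inetd services, Daemons and sendmail rows of the table above. It goes beyond the table by checking each setting rather than listing it, and it is read-only, so it suits a before/after comparison around a lock-down, or confirming that a later application install has not quietly re-enabled a service (the situation the IMPORTANT note warns about). The inetd service names, the rc.config.d file and variable names (PTYDAEMON_START, PWGR, RBOOTD, NFS_CLIENT, NFS_SERVER, NIS_CLIENT, NIS_SERVER, SNMP_MASTER_START, SENDMAIL_SERVER) and the use of -l in INETD_ARGS for inetd connection logging are the editor's assumptions about the HP-UX equivalents of those rows; the sample files it audits are constructed inline.

```shell
#!/bin/sh
# Added audit script; not part of the HP-UX Bastille guide or the Bastille
# project. Reads copies of inetd.conf and rc.config.d files and reports which
# inetd, daemon and sendmail rows of Table A-2 are not applied.
# Assumed HP-UX formats: inetd.conf lines read
#   service type proto wait user server args   (disabled entries start with #)
# and rc.config.d files hold NAME=value lines; "-l" in INETD_ARGS turns on
# inetd connection logging. Every service and variable name below is the
# editor's assumption about the matching HP-UX entry, not text from the table.

# inetd services the table disables, under their assumed inetd.conf names:
# bootp -> bootps; "built-in services" -> echo discard chargen daytime;
# "CDE helper services" -> dtspc ttdbserver cmsd; ident may appear as auth.
LOCKED_DOWN_INETD="bootps echo discard chargen daytime dtspc ttdbserver cmsd
finger ident auth klogin kshell ntalk login shell exec swat printer recserv
tftp time uucp"

# Assumed rc.config.d FILE:VARIABLE pairs for the Daemons and sendmail rows;
# each variable should be 0 once the lock-down is applied.
RC_CHECKS="ptydaemon:PTYDAEMON_START pwgr:PWGR netdaemons:RBOOTD
nfsconf:NFS_CLIENT nfsconf:NFS_SERVER namesvrs:NIS_CLIENT namesvrs:NIS_SERVER
SnmpMaster:SNMP_MASTER_START mailservs:SENDMAIL_SERVER"

# Print each locked-down service that still has an active (uncommented)
# entry in the inetd.conf copy $1, one per line. Prints nothing when clean.
active_inetd_services() {
    for svc in $LOCKED_DOWN_INETD; do
        # an active entry has the service name as its whole first field
        if grep -E "^${svc}[[:space:]]" "$1" >/dev/null 2>&1; then
            echo "$svc"
        fi
    done
}

# Succeed when INETD_ARGS in the netdaemons copy $1 contains -l.
inetd_logging_enabled() {
    grep -E '^[[:space:]]*INETD_ARGS=.*-l' "$1" >/dev/null 2>&1
}

# Echo the value of variable $2 in rc.config.d copy $1 with quotes stripped,
# or "unset" when the variable is absent or empty.
rc_value() {
    val=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'")
    if [ -z "$val" ]; then echo unset; else echo "$val"; fi
}

# For each FILE:VARIABLE pair, read "$1/FILE" and echo "VARIABLE=value" for
# every variable that is not 0; a missing file counts as unset. $1 is a
# directory holding copies of the host's /etc/rc.config.d files.
daemons_not_disabled() {
    for pair in $RC_CHECKS; do
        f="$1/${pair%%:*}"
        v="${pair#*:}"
        if [ -f "$f" ]; then val=$(rc_value "$f" "$v"); else val=unset; fi
        [ "$val" = "0" ] || echo "$v=$val"
    done
}

# Print the full audit for the directory of copied files $1.
report() {
    echo "== inetd services still active (table says disable) =="
    active_inetd_services "$1/inetd.conf"
    echo "== daemons/sendmail not disabled in rc.config.d =="
    daemons_not_disabled "$1"
    if inetd_logging_enabled "$1/netdaemons"; then
        echo "inetd connection logging: enabled"
    else
        echo "inetd connection logging: NOT enabled"
    fi
}

# Build a scratch directory of constructed sample files (not taken from any
# real host) and echo its path. Four locked-down inetd services are left
# active and three rc variables are not 0, so the report has findings.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
#finger stream tcp nowait bin  /usr/lbin/fingerd fingerd
tftp    dgram  udp wait   root /usr/lbin/tftpd   tftpd
login   stream tcp nowait root /usr/lbin/rlogind rlogind
#shell  stream tcp nowait root /usr/lbin/remshd  remshd
ident   stream tcp wait   bin  /usr/lbin/identd  identd
echo    stream tcp nowait root internal
#discard stream tcp nowait root internal
EOF
    printf 'INETD_ARGS="-l"\nRBOOTD=0\n' > "$d/netdaemons"
    printf 'PTYDAEMON_START=0\n' > "$d/ptydaemon"
    printf 'PWGR=1\n' > "$d/pwgr"
    printf 'NFS_CLIENT=0\nNFS_SERVER=1\n' > "$d/nfsconf"
    printf 'NIS_CLIENT=0\nNIS_SERVER=0\n' > "$d/namesvrs"
    printf 'SENDMAIL_SERVER=0\n' > "$d/mailservs"
    echo "$d"
}

# Stand-alone run against the constructed sample; point report at a directory
# of real copies (inetd.conf plus the rc.config.d files) to audit a host.
sample=$(make_sample_dir)
report "$sample"
rm -rf "$sample"
```

The checks work on copies rather than the live files so the audit can run from a management host, and the script never edits anything; it only lists the rows that still need the corresponding Bastille action (or a manual fix) and whether inetd connection logging is on.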

28 Install-Time Security (ITS) using HP-UX Bastille

Source: HP-UX Bastille Version B.3.3 User Guide, HP Part Number 5900-0871, published June 2010, Edition 1.