A Install-Time Security (ITS) using HP-UX Bastille
Install-Time Security (ITS) adds a security step to the installation or update process. This additional step allows the HP-UX Bastille security lock-down engine to run during system installation with one of four configurations ranging from default security to DMZ. ITS includes the following bundles:
• Sec00Tools (recommended software bundle)
• Sec10Host (optional software bundle)
• Sec20MngDMZ (optional software bundle)
• Sec30DMZ (optional software bundle)
A.1 Choosing security levels
At cold install or update time, you can choose one of the security levels listed in Table A-1. Each level provides incrementally higher security.
Table A-1 Security levels

Security level  | Description                                                                                                                | Configuration file name [1]
Sec00Tools [2]  | The Install Time Security infrastructure. No security changes.                                                             | Not applicable
Sec10Host [3]   | Host-based lock down with firewall pre-enablement. Some common clear-text services are turned off, excluding Telnet and FTP. | HOST.config
Sec20MngDMZ [3] | Lock down that allows secure management. IPFilter firewall blocks incoming connections except common, relatively safe, management protocols. | MANDMZ.config
Sec30DMZ [3]    | Network-DMZ lock down. IPFilter blocks all incoming connections except HP-UX Secure Shell.                                 | DMZ.config

[1] Configuration files are installed in /etc/opt/sec_mgmt/bastille/configs/defaults.
[2] Sec00Tools is installed by default.
[3] Sec10Host, Sec20MngDMZ, and Sec30DMZ are selectable.
NOTE: When you select either the Sec20MngDMZ or Sec30DMZ security level, IPFilter restricts inbound network connections. For more information on how to add inbound ports to your /etc/opt/ipf.customerrules file, see the HP-UX IPFilter (Version A.03.05.09 and later) Administrator's Guide and the HP-UX System Administrator's Guide.
Using one of these security levels applies a default security profile, simplifying the lock-down
process. The following tables list the services and protocols affected by each security level.
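The NOTE above points to /etc/opt/ipf.customerrules as the place to re-open inbound ports that the Sec20MngDMZ and Sec30DMZ levels block. The following added example (not from this manual or the HP-UX Bastille product) generates stateful IPFilter "pass in" rules for such a port and appends them to a customer-rules file without duplicating existing lines. It assumes the file is consumed as ordinary IPFilter rule syntax; the file path is a parameter so the functions can be exercised against a scratch file before touching the real one.

```shell
#!/bin/sh
# Added example: build and record IPFilter rules that re-open an inbound port
# on a host locked down with Sec20MngDMZ or Sec30DMZ. Assumption: the target
# file (normally /etc/opt/ipf.customerrules) is loaded as standard IPFilter rules.

# its_pass_rule PROTO PORT [SOURCE]
# Prints one IPFilter rule allowing inbound PROTO traffic to PORT from SOURCE
# (default: any). Prints nothing and returns 1 for invalid input.
its_pass_rule() {
    proto=$1; port=$2; src=${3:-any}
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    if [ "$proto" = tcp ]; then
        # "flags S keep state" admits only new connections (SYN) and tracks them,
        # so replies are allowed without a separate "pass out" rule.
        printf 'pass in quick proto tcp from %s to any port = %s flags S keep state\n' "$src" "$port"
    else
        printf 'pass in quick proto udp from %s to any port = %s keep state\n' "$src" "$port"
    fi
}

# its_add_inbound FILE PROTO PORT [SOURCE]
# Appends the generated rule to FILE unless an identical line already exists.
# Returns 0 if added, 2 if the rule was already present, 1 on invalid input.
its_add_inbound() {
    file=$1; shift
    rule=$(its_pass_rule "$@") || return 1
    if [ -f "$file" ] && grep -Fxq "$rule" "$file"; then
        return 2
    fi
    printf '%s\n' "$rule" >> "$file"
}

# Typical use on a Sec30DMZ host that must also serve HTTPS (constructed example):
#   its_add_inbound /etc/opt/ipf.customerrules tcp 443 any
# Review the file and reload IPFilter as described in the HP-UX IPFilter
# Administrator's Guide for your version before relying on the new rule.
```

Restricting SOURCE to a management network (for example a CIDR block) keeps the opened port from widening the DMZ exposure more than necessary.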