HP-UX Bastille Version B.3.3.01 Release Notes

Abstract

This document provides information about new and changed features for HP-UX Bastille Version B.3.3.01. It is intended for anyone who installs and uses HP-UX Bastille, and it assumes that you have experience administering an HP-UX operating system.
© Copyright 2011 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents

1 About this product
1.1 Features and benefits
1.2 Support
2 New features in this release
2.
1 About this product

HP-UX Bastille is a system hardening and reporting program that enhances the security of the HP-UX operating system by consolidating essential hardening and lock-down checklists from industry and government security organizations and making them accessible to administrators in an easy-to-use package. The HP-UX Bastille GUI guides users through creating a custom security configuration profile.
• Integrates with HP Systems Insight Manager (SIM)
  ◦ Lock-down and reporting available from SIM menus
  ◦ SIM.config: a pretested configuration for locking down a SIM server
• Install-time Security (ITS) for Ignite-UX and Update-UX
  ◦ Applies a predefined HP-UX Bastille security configuration profile during the first system boot
  ◦ Enables out-of-the-box security by avoiding any vulnerability window after the initial install
1.
2 New features in this release

2.1 Support for HP-UX SRP version A.03.00

HP-UX SRP provides isolated operating environments (containers) within a single instance of the HP-UX 11i v3 operating system (the SRP host). HP-UX Bastille can be used to lock down the HP-UX SRP host operating system and the HP-UX SRP containers running under it, but only with a subset of its normal collection of security lock-down items.
• IPFilter.block_netrange
• IPFilter.block_ping
• IPFilter.block_SecureShell
• IPFilter.block_wbem
• IPFilter.block_webadmin
• IPFilter.configure_ipfilter
• IPFilter.install_ipfilter
• MiscellaneousDaemons.diagnostics_localonly
• MiscellaneousDaemons.syslog_localonly
• MiscellaneousDaemons.nfs_server
• Patches.spc_cron_run
• Patches.spc_cron_time
• Patches.spc_proxy_yn
• Patches.spc_run
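When building a profile for an SRP container, it helps to check a Bastille config against the list above before applying it. The script below is an added example, not HP's code: it assumes the listed items are the ones Bastille does not apply inside an SRP container, assumes the one-item-per-line Module.item="Y" config format shown in the constructed sample, and uses hypothetical function names.

```shell
# Added example (not part of the HP-UX Bastille release notes).
# Assumption: the items below are the lock-down items that are not
# applied inside an SRP container, and the config file uses lines of
# the form Module.item="Y" or Module.item="N" (constructed format).
SRP_UNSUPPORTED='IPFilter.block_netrange IPFilter.block_ping
IPFilter.block_SecureShell IPFilter.block_wbem IPFilter.block_webadmin
IPFilter.configure_ipfilter IPFilter.install_ipfilter
MiscellaneousDaemons.diagnostics_localonly
MiscellaneousDaemons.syslog_localonly MiscellaneousDaemons.nfs_server
Patches.spc_cron_run Patches.spc_cron_time Patches.spc_proxy_yn
Patches.spc_run'

# Write a constructed sample config to the path given in $1.
write_sample_config() {
  cat > "$1" <<'EOF'
# Bastille config (constructed sample, mixes host-only and container items)
IPFilter.block_ping="Y"
IPFilter.configure_ipfilter="Y"
SecureInetd.deactivate_finger="Y"
MiscellaneousDaemons.nfs_server="Y"
AccountSecurity.system_auditing="Y"
Patches.spc_run="N"
EOF
}

# Print the names of unsupported items that the config in $1 still enables.
# Run this before applying a profile to a container; empty output is clean.
unsupported_enabled() {
  awk -v list="$SRP_UNSUPPORTED" '
    BEGIN { n = split(list, a); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
    /^[A-Za-z0-9_]+\.[A-Za-z0-9_]+="Y"$/ {
      key = $0; sub(/=.*/, "", key)
      if (key in drop) print key
    }' "$1"
}

# Print the config in $1 with every unsupported item forced to "N",
# leaving comments and all other items untouched.
filter_srp_config() {
  awk -v list="$SRP_UNSUPPORTED" '
    BEGIN { n = split(list, a); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
    /^[A-Za-z0-9_]+\.[A-Za-z0-9_]+=/ {
      key = $0; sub(/=.*/, "", key)
      if (key in drop) { print key "=\"N\""; next }
    }
    { print }' "$1"
}
```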
3 Installing HP-UX Bastille

HP-UX Bastille is included as recommended software on the Operating Environment media and can be installed and run with Ignite-UX or Update-UX. HP-UX Bastille is installed by default, and a manual installation is only necessary to obtain the latest version from the web. For more information on installing HP-UX Bastille, see the HP-UX Bastille User Guide at http://www.hp.com/go/hpux-security-docs.
4 Known issues and workarounds

4.1 Changes made by HP-UX Bastille might cause other software to stop working

To revert the system to the state it was in before you ran HP-UX Bastille:

    # bastille -r

4.2 Cannot use X because $DISPLAY is not set

The user requested the X interface, but the $DISPLAY environment variable is not set. Set the environment variable to the desired display to correct the problem.
4.
4.10 Rerun HP-UX Bastille after installing new software or applying new patches

Installing new software or applying new patches might change the system state. On HP-UX, if vendor-specific fix scripts are run with swverify using either the -x fix=true option or the -F option, HP-UX Bastille should be rerun.
4.
5 Support and other resources

5.1 Contacting HP

5.1.1 Before you contact HP

Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Product serial number
• Product identification number
• Applicable error message
• Add-on boards or hardware
• Third-party hardware or software
• Operating system type and revision level
5.1.
HP-UX Bastille manpages:
• bastille(1M) in HP-UX 11i v3 Reference 1M System at: http://docs.hp.com/en/hpuxman_pages.html
• bastille_drift(1M) in HP-UX 11i v3 Reference 1M System at: http://docs.hp.com/en/hpuxman_pages.html

The HP-UX Security Forum is offered through the HP IT Resource Center (ITRC) at: ITRC Forums Security

Product specifications and download: http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA
WARNING: A warning calls attention to important information that, if not understood or followed, will result in personal injury or nonrecoverable system problems.

CAUTION: A caution calls attention to important information that, if not understood or followed, will result in data loss, data corruption, or damage to hardware or software.

IMPORTANT: This alert provides essential information to explain a concept or to complete a task.
A CIS mapping to HP-UX Bastille

CIS Level 1 benchmark for HP-UX 11i (v1.5.0) mapping to HP-UX Bastille

CIS ID | CIS benchmark section | HP-UX Bastille lock-down items
1.1 | Patches and Additional Software |
1.1.1 | Apply latest OS patches | Not Scorable
1.1.2 | Install and configure SSH | MiscellaneousDaemons.configure_ssh
1.1.3 | Install and Run Bastille | Not Scorable
1.2 | Minimize inetd network services |
1.2.1 | Disable Standard Services | SecureInetd.deactivate_builtin, SecureInetd.deactivate_finger, SecureInetd.deactivate_ident, SecureInetd.
1.3.7 | Disable other standard boot services | MiscellaneousDaemons.disable_rbootd, MiscellaneousDaemons.nfs_server, MiscellaneousDaemons.nfs_client, MiscellaneousDaemons.disable_ptydaemon, Apache.deactivate_hpws_apache, MiscellaneousDaemons.snmpd, MiscellaneousDaemons.nfs_core, MiscellaneousDaemons.other_boot_serv, MiscellaneousDaemons.disable_smbclient, MiscellaneousDaemons.disable_smbserver, MiscellaneousDaemons.disable_bind
1.3. | |
1.7.1 | Enable kernel-level auditing | AccountSecurity.system_auditing
1.7.2 | Enable logging from inetd | SecureInetd.log_inetd
1.7.3 | Turn on additional logging for FTP daemon | SecureInetd.ftp_logging
1.8 | |
1.8.1 | Block system accounts |
1.8.2 | Verify that there are no accounts with empty password fields | AccountSecurity.lock_account_nopasswd
1.8.3 | Set account expiration parameters on active accounts | AccountSecurity.