Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Administering a System: Managing System Security
HP-UX Bastille
Chapter 8, page 816
For previous HP-UX 11.x and 11i releases, Bastille is also available from
the HP Software Depot, at http://www.software.hp.com/.
Additional Software
If you install from an Operating Environment medium, the default
Bastille installation automatically includes Bastille, Perl, Security Patch
Check, IPFilter, and Secure Shell.
If you downloaded Bastille from the HP Software Depot, you may need to
download the other four packages (Perl, Security Patch Check, IPFilter,
and Secure Shell) as well. Bastille requires Perl version 5.6.1.E or newer.
Security Considerations
CAUTION If the target system has been compromised (the root user account has
been broken into), Bastille cannot correct it. You must correct it first by
reinstalling HP-UX from a local disk or booting from read-only media
(such as a CD or DVD) and testing the system to find and fix
compromised files while running a trusted boot image.
IMPORTANT If you install Bastille while installing or updating the HP-UX operating
system, specifying a predefined Bastille security level (see “Predefined
Configuration Files” on page 817), you should disconnect your system
from all networks and perform the operation from local media.
IMPORTANT Bastille’s interactive configuration uses the X Window System’s
Graphical User Interface (GUI). The X protocol is clear-text and
unauthenticated, so X traffic that crosses a network is inherently
insecure. Therefore, the interactive configuration should not be used if
the system being locked down (target) is not trusted or the network
between the administrator’s system and the target system is not secure.
A trusted system is one that has not been compromised (see the Caution
above). A trusted network is one that has secure communications
between systems, as with Secure Shell.
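The two requirements above, Perl 5.6.1.E or newer and an X display that does not travel over plain TCP, can be checked before launching the interactive configuration. The following pre-flight script is an added example written for this page; it is not part of the HP-UX manual or of Bastille. It assumes the Perl version is supplied as the dotted string Perl reports (for example 5.8.8), and it treats a DISPLAY as acceptable only when the X server host is empty, unix, localhost or 127.0.0.1, which covers a console session and the localhost:N display that Secure Shell sets up when it forwards X11.

```sh
#!/bin/sh
# Added example, not from the HP-UX manual or from Bastille:
# pre-flight checks before starting Bastille's X11 interactive configuration.
#
#   perl_version_ok VERSION  - true if VERSION is 5.6.1 or newer
#   display_is_safe DISPLAY  - true if the X connection stays on this host
#                              (UNIX socket, or loopback TCP such as the
#                              "localhost:10.0" created by ssh X11 forwarding);
#                              false if DISPLAY names another host, which means
#                              X11 over plain TCP: clear-text and unauthenticated.

perl_version_ok() {
    # Split the dotted version on '.'; the fourth field (the "E" in 5.6.1.E)
    # and anything after it land in _rest and are ignored.
    IFS=. read -r maj min pat _rest <<EOF
$1
EOF
    maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
    [ "$maj" -gt 5 ] && return 0
    [ "$maj" -eq 5 ] && [ "$min" -gt 6 ] && return 0
    [ "$maj" -eq 5 ] && [ "$min" -eq 6 ] && [ "$pat" -ge 1 ] && return 0
    return 1
}

display_is_safe() {
    # Everything before the first ':' is the X server host; a DISPLAY with
    # no ':' at all is malformed and is refused.
    case "$1" in
        *:*) host=${1%%:*} ;;
        *)   return 1 ;;
    esac
    case "$host" in
        ""|unix|localhost|127.0.0.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on constructed inputs (not read from the running system).
for v in 5.8.8 5.6.1.E 5.6.0; do
    if perl_version_ok "$v"; then
        echo "perl $v: ok"
    else
        echo "perl $v: too old, Bastille needs 5.6.1.E or newer"
    fi
done
for d in "localhost:10.0" ":0.0" "adminws.example.net:0.0"; do
    if display_is_safe "$d"; then
        echo "DISPLAY=$d: local or ssh-forwarded, interactive mode acceptable"
    else
        echo "DISPLAY=$d: X11 over plain TCP, do not run the interactive configuration"
    fi
done
```

The DISPLAY test is a heuristic on the string, not proof of a tunnel: localhost:N is only safe when that listener belongs to sshd's X11 forwarding (the administrator connected with ssh -X from a workstation running X), and a UNIX-socket display means the administrator is at the console. It catches the common mistake of exporting DISPLAY=adminhost:0 and sending the whole session across the network in the clear.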