Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Administering a System: Managing System Security
HP-UX Bastille
Chapter 8 821
Configuring Bastille
Once you have installed Bastille you may configure it to lock down your system in one of the following ways:

• If you chose one of the predefined install-time modules (Table 8-5 on page 817) during installation with Ignite-UX or Update-UX, it was installed and applied during the system reboot. Go to “Applying Bastille” on page 828 to review the log files and perform any necessary manual operations.

• In the /etc/opt/sec_mgmt/bastille directory, you can copy one of the predefined configuration files (see “Predefined Configuration Files” on page 817) to the config file. Go to “Applying Bastille” on page 828 to install it.
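The second option, staging a predefined configuration file as the active config file, as an added shell example (not from the HP-UX manual or from Bastille itself). It assumes the directory and file names given on this page; the BASTILLE_DIR override, the backup naming and the return codes are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the HP-UX manual: stage one of Bastille's
# predefined configuration files as the active "config" file, keeping a
# timestamped copy of any config already in place. BASTILLE_DIR may be
# overridden (assumed convenience for testing); the default is the
# directory named in the manual.
BASTILLE_DIR="${BASTILLE_DIR:-/etc/opt/sec_mgmt/bastille}"

# Accept only the predefined file names the manual lists.
is_predefined_config() {
    case "$1" in
        HOST.config|MANDMZ.config|DMZ.config) return 0 ;;
        *) return 1 ;;
    esac
}

# stage_bastille_config NAME: copy $BASTILLE_DIR/NAME to $BASTILLE_DIR/config.
# Returns 0 on success, 1 for an unknown name, 2 if the source file is
# missing, 3 if a copy fails.
stage_bastille_config() {
    name="$1"
    is_predefined_config "$name" || return 1
    src="$BASTILLE_DIR/$name"
    dst="$BASTILLE_DIR/config"
    [ -f "$src" ] || return 2
    # Preserve the existing config before overwriting it, so the previous
    # lockdown profile can be restored if the new one proves too strict.
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.bak.$(date +%Y%m%d%H%M%S)" || return 3
    fi
    cp -p "$src" "$dst" || return 3
    # Only the configuration is staged here; applying it is the separate
    # step described under "Applying Bastille".
    return 0
}
```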
Table 8-8 DMZ.config: Additional Security Settings

Includes all security settings from HOST.config (Table 8-6) and MANDMZ.config (Table 8-7).

Category       Actions
IPFilter [a]   Additions: Block all traffic except Secure Shell, adding blocking for:
               - incoming HIDS agent connections [b] [c]
               - incoming WBEM connections [d]
               - incoming web admin connections
               - incoming web admin autostart connections

a. IPFilter rules are applied via a custom rules file located at /etc/opt/sec_mgmt/bastille/ipf.customrules
b. Settings only applied if software is installed
c. HIDS is a selectable software bundle
d. WBEM is required for several HP management applications, including ServiceControl Manager and Partition Manager