Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Configuring HP-UX Bastille: Interview
Bastille Configuration Questions and Explanations for HP-UX
Appendix B
Some questions have two levels of explanatory text, which you
can adjust with the Explain Less/More button.
Current support information for HP-UX Bastille is provided on the
HP-UX Bastille product page at http://software.hp.com
HP-UX Bastille has the potential to make changes which will affect
the functionality of other software. If you experience problems after
applying Bastille changes to your machine, be sure to inform anyone
you ask for help that you have run Bastille on this machine.
Helpful diagnostic tips:
- ‘bastille -r’ will revert your system to a pre-Bastille state,
so you can better track down the cause of the problem.
- A list of all actions Bastille has taken is located in
/var/opt/sec_mgmt/bastille/log/action-log
- If you suspect Bastille, the following files will be
helpful to others in diagnosing your problem:
/var/opt/sec_mgmt/bastille/log/action-log
/var/opt/sec_mgmt/bastille/log/error-log
/etc/opt/sec_mgmt/bastille/config
Available resources include:
- the itrc hp-ux security forum at http://www.itrc.hp.com
- the Bastille discussion group at
bastille-linux-discuss@lists.sourceforge.net.
Patches
Q: Should Bastille run Security Patch Check for you? [Y]
Patching known security vulnerabilities is one of the most
important steps in securing a system. Security Patch Check is
a tool which will analyze the software installed on this system. When
Security Patch Check runs, it will report several types of
problems. It will (1) report any patches which are installed on the system
but have had warnings (recalls) issued by HP, (2) report any security patches
that have been announced by Hewlett Packard that will fix installed software on
the system but have not been applied, and (3) report if any currently
installed patches are not in the proper, "configured" state. Security
Patch Check can download an up-to-date catalog from HP with security and
patch-warning information. It can also work through a proxy-type
firewall. This tool will only report patches; it will not indicate
manual actions described in HP Security Bulletins/Advisories.
Also, security patches require vigilance, since new vulnerabilities are
found and fixed on a regular basis. It is recommended that this tool be
run frequently, such as in a nightly cron job (a separate question
covers this). It is also recommended that you subscribe to the HP
Security Bulletin mailing list.
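The three report categories described above, worked through as an added example. The script below is not HP-UX Bastille or Security Patch Check code and does not invoke either; it re-implements the three comparisons in portable shell over constructed sample data. The patch ids (PHSS_00001 and so on), the two-column inventory and catalog formats, and the function names are all assumptions made for this illustration; on a real system the inventory would come from swlist and the catalog from HP's download, neither of which is used here.

```shell
#!/bin/sh
# Added example: a portable-shell sketch of the three checks the text
# attributes to Security Patch Check, run over constructed sample data.
# This is NOT HP's tool or its output; the patch ids and catalog entries
# below are made up for illustration.

# Constructed stand-in for the installed-patch inventory, one
# "PATCH_ID STATE" pair per line (a real run would use swlist output).
installed_patches() {
    cat <<'EOF'
PHSS_00001 configured
PHSS_00002 installed
PHKL_00003 configured
PHNE_00004 configured
EOF
}

# Constructed stand-in for the downloaded catalog, one "PATCH_ID CLASS"
# pair per line: "security" = announced security patch,
# "recalled" = HP issued a warning against the patch.
patch_catalog() {
    cat <<'EOF'
PHSS_00001 security
PHNE_00004 recalled
PHSS_00005 security
PHKL_00006 security
EOF
}

# Check (1): installed patches that the catalog has recalled.
# The catalog is streamed first (tagged "C") so awk has the recalled set
# in hand before it sees the installed lines (tagged "I").
report_recalled() {
    { patch_catalog | sed 's/^/C /'; installed_patches | sed 's/^/I /'; } |
    awk '$1 == "C" && $3 == "recalled" { recalled[$2] = 1 }
         $1 == "I" && ($2 in recalled) { print $2 }'
}

# Check (2): announced security patches that are not installed at all.
# Here the installed set must be read first, so the stream order is reversed.
report_missing_security() {
    { installed_patches | sed 's/^/I /'; patch_catalog | sed 's/^/C /'; } |
    awk '$1 == "I" { installed[$2] = 1 }
         $1 == "C" && $3 == "security" && !($2 in installed) { print $2 }'
}

# Check (3): installed patches that are not in the "configured" state.
report_unconfigured() {
    installed_patches | awk '$2 != "configured" { print $1 " (" $2 ")" }'
}

# Human-readable summary of the three checks.
run_report() {
    printf 'Recalled patches installed:\n'
    report_recalled | sed 's/^/  /'
    printf 'Security patches announced but not installed:\n'
    report_missing_security | sed 's/^/  /'
    printf 'Installed patches not in configured state:\n'
    report_unconfigured | sed 's/^/  /'
}

run_report
```

The two set-membership checks depend on stream order: awk is a single pass, so whichever side defines the lookup set (the catalog's recalled entries for check 1, the installed inventory for check 2) has to arrive first. With the constructed data the report names PHNE_00004 as recalled, PHSS_00005 and PHKL_00006 as missing security patches, and PHSS_00002 as not configured.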
The output of running this tool will be appended to Bastille's generated