Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Configuring HP-UX Bastille: Interview
Bastille Configuration Questions and Explanations for HP-UX
Appendix B, page 966
If this machine is behind a proxy-type
firewall, Security Patch Check needs to be configured to traverse
that firewall. For example, the proxy might be specified as
"http://myproxy.mynet.com:8088". If this machine can ftp directly to
the Internet without a proxy, answer no to this question.
Patches Q: Please enter the URL for the web proxy. []
To use the auto-download feature of Security Patch Check
from behind a proxy-type firewall, Security Patch Check needs to be
configured to traverse that firewall.
The URL for the proxy must be in the form
<protocol of firewall>://address:port
For example:
http://myproxy.mynet.com:8088
A web proxy generally uses the http protocol. This answer should
correspond closely to settings one would make in a web browser
to point to a proxy server, but use the above syntax.
If you asked Bastille to run Security Patch Check itself and/or in cron,
it will use this proxy value.
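The interview accepts whatever string you type, so it is worth checking the answer against the required shape before entering it. The shell function below is an added example and is not part of Bastille or Security Patch Check; it only checks the syntax <protocol>://address:port described above. Its stricter rules (scheme made of letters only, no user:password@ part, no path or trailing slash after the port) are this example's own assumptions about what a usable answer looks like, not documented Bastille behaviour.

```sh
#!/bin/sh
# Added example, not Bastille or Security Patch Check code: syntax check for
# the proxy URL answer, which must look like <protocol>://address:port
# (for example http://myproxy.mynet.com:8088).  The extra rules below are
# assumptions made for this example.

# validate_proxy_url URL: return 0 if URL has the form <protocol>://address:port
validate_proxy_url() {
    url=$1
    case "$url" in
        *://*:*) ;;                   # needs a scheme separator and a port colon
        *) return 1 ;;
    esac
    proto=${url%%://*}                # text before the first ://
    rest=${url#*://}                  # address:port
    host=${rest%:*}                   # everything before the last colon
    port=${rest##*:}                  # everything after the last colon
    case "$proto" in
        ''|*[!A-Za-z]*) return 1 ;;   # e.g. http or ftp; no digits or symbols
    esac
    case "$host" in
        ''|*/*|*@*|*:*) return 1 ;;   # no path, no credentials, no extra colons
    esac
    case "$port" in
        ''|*[!0-9]*) return 1 ;;      # digits only: a trailing / or path fails here
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Constructed sample answers: the page's own example plus common mistakes
# (browser-style URL with a trailing slash, missing scheme, missing port,
# embedded credentials).
for u in "http://myproxy.mynet.com:8088" \
         "http://myproxy.mynet.com:8088/" \
         "myproxy.mynet.com:8088" \
         "http://myproxy.mynet.com" \
         "http://user:secret@myproxy.mynet.com:8088"; do
    if validate_proxy_url "$u"; then
        echo "ok       $u"
    else
        echo "rejected $u"
    fi
done
```

Only the first of the sample answers is accepted; the rest are the forms a browser would tolerate but that do not match the syntax the interview asks for. Run the check on the value you intend to type, and enter it exactly as accepted.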
File Permissions Q: Should Bastille scan for world-writable directories? [N]
Bastille can scan your system for world-writable directories,
including those in the base OS, third-party applications, and user directories.
Bastille will then create a script which you can edit to suit your needs
and then run to tighten these permissions.
Changing the permissions of directories in this way has the potential to
break compatibility with some applications and requires testing in
your environment.
Note: The changes made by this script are NOT supported by HP. They have
a low likelihood of breaking things in a single purpose environment, but
are known to break some applications in very subtle ways in a general purpose
environment. Here are some examples of known issues:
- /tmp and /var/tmp sticky bit: applications which rely on unique
process IDs in /tmp when run by different users may break when the process
IDs are recycled, because with the sticky bit set a stale file left by
another user under the same PID can no longer be removed or replaced
(cleaning tmp directories regularly may alleviate this problem)
- Log directories (most of which are named with the word "log" in them):
Programs which are run by different users but create and/or write logs in
a common directory may fail to log actions. This includes GUI error logs
in some versions of HP-UX diagnostic tools.
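The script Bastille generates is meant to be read and edited before it is run. The shell code below is an added example, not Bastille's own scan or the script it writes; it shows the same review-first approach with the two caveats above built in. It assumes that tmp directories should stay world-writable but gain the sticky bit, and that any directory whose path contains "log" should be written out as a commented-out line for manual review rather than changed, since shared log directories are the known breakage case. Nothing is modified until you run the generated output yourself.

```sh
#!/bin/sh
# Added example (not Bastille's scan script): find world-writable directories
# under ROOT and emit a remediation script for review.  Assumptions made for
# this example: directories named "tmp" keep world-write but get the sticky
# bit; directories whose relative path contains "log" are only flagged.

# classify_dir ROOT DIR: print one of tmp, log, other for DIR
classify_dir() {
    rel=${2#"$1"}                        # path relative to the scan root
    case "$(basename "$2")" in
        tmp) echo tmp; return ;;         # /tmp, /var/tmp and similar
    esac
    case "$rel" in
        *log*) echo log ;;               # likely a shared log directory
        *)     echo other ;;
    esac
}

# list_world_writable ROOT: world-writable directories under ROOT, one per line
list_world_writable() {
    find "$1" -type d -perm -002 -print 2>/dev/null | sort
}

# generate_fix_script ROOT: print a shell script that tightens permissions.
# The output is meant to be saved, read, edited and only then executed.
generate_fix_script() {
    root=$1
    echo '#!/bin/sh'
    echo "# World-writable directories under $root -- review before running"
    list_world_writable "$root" | while read -r d; do
        case "$(classify_dir "$root" "$d")" in
            tmp)
                if [ -k "$d" ]; then
                    echo "# $d: world-writable with sticky bit set, left alone"
                else
                    echo "chmod 1777 $d"        # keep shared, add sticky bit
                fi
                ;;
            log)
                # Commented out on purpose: programs run by different users
                # that write to a common log directory may stop logging.
                echo "# REVIEW: chmod o-w $d   # shared log directory"
                ;;
            other)
                echo "chmod o-w $d"             # remove world write
                ;;
        esac
    done
}

# Usage: generate_fix_script / > /var/tmp/tighten-dirs.sh
#        then inspect /var/tmp/tighten-dirs.sh and run it with sh
```

Keep the generated file for your records along with a note of which REVIEW lines you uncommented and why; the same changes are what you will need to undo if an application starts failing to write its logs after the script has run.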