Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Configuring HP-UX Bastille: Interview
Bastille Configuration Questions and Explanations for HP-UX
DNS query connections should only be allowed on DNS
servers. If this machine is a DNS server for other machines, then you
should answer "No" to this question. Otherwise, you should block
DNS queries by answering "Yes".
IPFilter Q: Do you want to BLOCK incoming DNS zone transfers with IPFilter? [Y]
DNS zone transfer connections should only be allowed on master DNS
servers. If this machine is a DNS server for other machines and has slave
DNS servers which need to be able to do zone transfers, you should
answer "No" to this question. Otherwise, you should answer "Yes".
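The two DNS questions above correspond to IPFilter rules along the following lines. This ruleset is an added illustration, not the rules Bastille itself writes; it assumes ordinary queries arrive on UDP port 53 and zone transfers on TCP port 53, and 192.0.2.53 is a constructed address for a slave DNS server.

```conf
# Added example, not Bastille's generated ruleset.
# Assumptions: queries use UDP/53, zone transfers use TCP/53,
# 192.0.2.53 is a constructed address for a slave DNS server.

# --- Host that is not a DNS server (answer "Yes" to both) ---
# The host's own lookups still work: they leave as outbound
# traffic and the replies are matched by the state entries.
pass  out quick proto udp from any to any port = 53 keep state
pass  out quick proto tcp from any to any port = 53 flags S keep state
block in  quick proto udp from any to any port = 53
block in  quick proto tcp from any to any port = 53

# --- Master DNS server with one slave (answer "No" to both) ---
# Use these three rules in place of the two "block in" rules above.
# Queries are accepted from anyone; TCP/53 is accepted only from
# the slave, so no other host can open a zone transfer connection.
# TCP/53 also carries queries that are retried over TCP, so such
# retries from other clients are refused by the last rule as well.
# pass  in quick proto udp from any to any port = 53 keep state
# pass  in quick proto tcp from 192.0.2.53/32 to any port = 53 flags S keep state
# block in quick proto tcp from any to any port = 53
```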
IPFilter Q: Would you like information on how to get a copy of IPFilter? [Y]
Firewalls generally make up the first line of defense in any
network security architecture. IPFilter is a free host-based firewall
which is supported and available for HP-UX. Using IPFilter, you can
write rules which allow only approved inbound and outbound network traffic
to pass through your firewall. This can dramatically improve your system's
overall resistance to network attacks by limiting the number of ways your
system could be attacked in the first place. Note that it can take a significant
amount of work and expertise to properly configure and maintain firewall rules, and the
installation process loads a kernel module and requires a reboot.
If you re-run Bastille after installing IPFilter, Bastille will assist
you with your IPFilter configuration.
(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)
End Screen Are you finished making changes to your Bastille configuration? []
Completing the configuration portion of Bastille will not apply
changes to your system. You will be asked if you would like to save
the configuration changes you have made, which will not affect your system in any
way except to write out the Bastille config file.
You will then be asked if you would like to apply the configuration to
your system. At no point will you be forced to make the configuration
apply to your system.
If you should choose to apply the configuration to your system then
Bastille will make changes to your system and create a TODO list in
/var/opt/sec_mgmt/bastille/TODO.txt of remaining steps which you should do to
secure your system, based on your answers to the questions.
After you have run the Bastille backend, you should review the list
and make the necessary changes to your system. You should also
look at the Error log created in /var/opt/sec_mgmt/bastille/log/error-log
to make sure that Bastille did not fail unexpectedly in any of its tasks.
Answer NO if you want to go back and make changes to the configuration!