HP-UX 11i Version 2 June 2007 Release Notes
Security
Chapter 8
HP-UX Bastille
HP-UX Bastille is a security hardening/lockdown tool that can be used to enhance the
security of the HP-UX operating system. It provides customized lockdown on a
system-by-system basis by encoding functionality similar to the Bastion Host and other
hardening/lockdown checklists.
Bastille was originally developed by the open source community for use on Linux
systems. HP added HP-UX-specific content to create HP-UX Bastille, and also
contributed significant quality improvements and functional content to the community
at large.
This tool, along with Install-Time Security (ITS) and Security Patch Check (SPC),
introduces new, out-of-the-box security functionality.
Summary of Change
HP-UX Bastille, version 3.0.x, includes the following enhancements:
• New enhancements:
A new feature, bastille_drift analysis (Bastille 3.0), reports when a system's
hardening/lockdown configuration no longer matches its policy (the Bastille
configuration that was applied). New Bastille questions (hardening features) have also
been added.
• New capabilities:
— Easily tell whether any system's hardening configuration remains consistent
with what was applied, without risking changes to the system. Previously, you would
have had to re-run the Bastille configuration and risk breaking the system if the
change had been intentional (impractical on production systems).
— Detect whether an unintentional side effect of system configuration activities
(for example, installing new software or patches) has loosened the hardening
configuration.
— Bastille provides HTML and text reports that document the security state of a
system with respect to the configuration that Bastille performs. These reports
can be used to facilitate security-compliance-audit reporting.
• New Features and Benefits:
— Drift report: Visibility into undone hardening, to allow a planned response without
risking unexpected system breakage. Assists with regulatory/SOX compliance.
— Tested Systems Insight Manager CMS Policy: Pre-built hardened configuration for
an HP Systems Insight Manager (SIM) Central Management Server (CMS).
— Acceptance of ICMP echo (ping) requests in Sec20MngDMZ level, which allows for
greater compatibility with management frameworks discovery / monitoring.
In addition, the bundle name has changed from B6849AA to HPUXBastille.
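To illustrate the drift-analysis idea described above (compare the applied policy against the live system and report mismatches without re-applying anything), here is a small, self-contained checker written for these notes. It is not HP's bastille_drift tool; the config keys, the policy file and the observed-state snapshot are constructed samples in Bastille's Module.question="answer" config syntax.

```python
"""Simplified Bastille-style drift check (added example, not HP's bastille_drift)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of a Bastille config as saved when hardening was applied.
POLICY_CONFIG = """\
# Bastille config applied at hardening time (constructed sample)
AccountSecurity.umask="Y"
AccountSecurity.umaskyn="077"
SecureInetd.deactivate_telnet="Y"
SecureInetd.deactivate_ftp="Y"
"""

# One policy line: Module.question="answer"
CONFIG_LINE = re.compile(r'^\s*([A-Za-z0-9_]+\.[A-Za-z0-9_]+)\s*=\s*"([^"]*)"\s*$')

def parse_bastille_config(text: str) -> Dict[str, str]:
    """Parse policy lines into {item: expected_answer}; blanks and comments are skipped."""
    policy: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CONFIG_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable config line: {line!r}")
        policy[m.group(1)] = m.group(2)
    return policy

def drift_report(policy: Dict[str, str], observed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (item, expected, actual) for each policy item the live system no longer
    satisfies. Read-only: nothing is re-applied, which is the point of drift analysis."""
    drifted = []
    for item, expected in sorted(policy.items()):
        actual = observed.get(item, "<unknown>")   # missing data is reported, not ignored
        if actual != expected:
            drifted.append((item, expected, actual))
    return drifted

def format_text_report(drifted: List[Tuple[str, str, str]]) -> str:
    """Render the drift list as the kind of text report an auditor would file."""
    if not drifted:
        return "No drift: system configuration matches the applied Bastille policy.\n"
    lines = [f"{len(drifted)} item(s) drifted from policy:"]
    lines += [f"  {i}: expected {e!r}, found {a!r}" for i, e, a in drifted]
    return "\n".join(lines) + "\n"

# Constructed snapshot of the live system as a collector would gather it: a later
# software install has re-enabled telnet and loosened the umask.
OBSERVED_STATE = {"AccountSecurity.umask": "Y", "AccountSecurity.umaskyn": "022",
                  "SecureInetd.deactivate_telnet": "N", "SecureInetd.deactivate_ftp": "Y"}

if __name__ == "__main__":
    print(format_text_report(drift_report(parse_bastille_config(POLICY_CONFIG), OBSERVED_STATE)))
```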