HP-UX Bastille Version B.3.
© Copyright 2010 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
1 About this product (page 7)
1.1 Features and benefits (page 7)
1.2 Compatibility (page 8)
1.3 Performance
A Install-Time Security (ITS) using HP-UX Bastille (page 27)
A.1 Choosing security levels (page 27)
A.2 Choosing security dependencies (page 30)
A.3 Selecting security levels during installation

List of Figures
3-1 HP-UX Bastille user interface (page 12)
3-2 Standard assessment report (page 14)
3-3 Scored assessment report (page 15)
3-4 Assessment report score
A-1

List of Tables
3-1 Question modules (page 12)
A-1 Security levels (page 27)
A-2 Host-based Sec10Host, Sec20MngDMZ, and Sec30DMZ security settings (page 28)
A-3 Additional Sec20MngDMZ security settings
A-4
1 About this product

HP-UX Bastille is a system hardening and reporting program that enhances the security of the HP-UX operating system by consolidating essential hardening and lock-down checklists from industry and government security organizations and making them accessible to administrators in an easy-to-use package. The HP-UX Bastille GUI guides users through creating a custom security configuration profile.
• Install-time Security (ITS) for Ignite-UX and Update-UX
  — Applies a predefined HP-UX Bastille security configuration profile during first system boot
  — Enables out-of-the-box security by avoiding any vulnerability window after the initial install

1.2 Compatibility

There are no differences between the Intel Itanium-based and PA-RISC implementations. Some products depend on services, system settings, or network ports that HP-UX Bastille secures.
2 Installing HP-UX Bastille

2.1 Installation requirements

The following prerequisites are required to install HP-UX Bastille:
• Root access
• Perl dependencies:
  — HP-compiled version of Perl D.5.8.0.D or later
  — Perl/Tk version 8.00.23 or later
  Perl is available for download at: https://www.hp.com/go/perl
• For operating system compatibility, see “Compatibility” (page 8).
• 1 MB disk space
2.
3 Using HP-UX Bastille

HP-UX Bastille provides three main services:
• Creating a security configuration profile for a system
  An X Window GUI presents a series of questions that explain a security issue and describe the action needed to lock down the HP-UX system. Each question also describes the high-level cost and benefit of the decision. The user decides how HP-UX Bastille handles each issue during lock down.
If the PATH environment variable has not been updated, use:
# /opt/sec_mgmt/bastille/bin/bastille
Figure 3-1 shows the main screen of the HP-UX Bastille user interface.
Figure 3-1 HP-UX Bastille user interface
4. Answer the questions that appear on screen. The questions are categorized by function. Check marks are used as completion indicators to track your progress through the program. Only questions that apply to your operating system and relate to installed tools appear.
Table 3-1 Question modules (continued)
Question module   Description
HP-UX             Configures security services that are unique to the HP-UX platform
IPFilter          Creates an IPFilter-based firewall
5. After you answer all the questions, the Save/Apply button appears. If you want to proceed to configuring the system, click the Save/Apply button to save and apply your configuration. HP-UX Bastille applies the changes as described in “Configuring a system” (page 13).
/var/opt/sec_mgmt/bastille/log/Assessment/assessment-report.html
/var/opt/sec_mgmt/bastille/log/Assessment/assessment-report.txt
/var/opt/sec_mgmt/bastille/log/Assessment/assessment-report-log.txt
Figure 3-2 Standard assessment report
For each question, the standard report lists one of the following results:
Yes   The associated HP-UX Bastille lock down is applied to the product or service shipped with HP-UX. The status of products or services that are not shipped with the HP-UX OE is not always detected.
Enable scored reports by creating the /etc/opt/sec_mgmt/bastille/HPWeights.txt file and populating it with an entry for each HP-UX Bastille lock-down item to be considered in the final score. The HPWeights.txt file format is similar to an HP-UX Bastille configuration file, except that only entries for items to be scored are present and the item value is always set to "1". HP-UX Bastille detects the HPWeights.txt file when generating an assessment and adds Weight and Score columns to the report.
Figure 3-4 Assessment report score
The percentage of weighted items that are secured properly is displayed at the end of the .txt report and in the header row of the .html report; for an example, see Figure 3-4. Sample weight files that match the default configuration files are provided in /etc/opt/sec_mgmt/bastille/configs/defaults. This directory also includes the template file all.weight, which contains all possible HP-UX question items as selected. For sample files, see Appendix D (page 63).
3.
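The scoring described above, worked through as an added example (this is not HP-UX Bastille's own code). It parses a weight file in the Module.item=1 form shown in Appendix D and scores it against per-item assessment results; the results are a constructed mapping of item name to the status word the standard report prints, because the exact layout of assessment-report.txt is not reproduced in this guide, and the "Unknown" handling for weighted items the assessment did not cover is an assumption.

```python
"""Score HP-UX Bastille assessment results against an HPWeights.txt-style file.

Added example, not part of the HP-UX Bastille product. Only weighted items
count toward the score; an item earns its weight only when the assessment
reports "Yes". Weighted items missing from the assessment are listed
separately and count as not secured (assumption: safest for a score).
"""

# Constructed sample weight file: only items to be scored appear, value is 1.
SAMPLE_WEIGHTS = """\
# items considered in the final score
AccountSecurity.ABORT_LOGIN_ON_MISSING_HOMEDIR=1
AccountSecurity.PASSWORD_HISTORY_DEPTH=1
HP_UX.stack_execute=1
HP_UX.ndd=1
SecureInetd.deactivate_builtin=1
FTP.ftpusers=1
"""

# Constructed assessment results: item name -> status word from the report.
SAMPLE_RESULTS = {
    "AccountSecurity.ABORT_LOGIN_ON_MISSING_HOMEDIR": "Yes",
    "AccountSecurity.PASSWORD_HISTORY_DEPTH": "No",
    "HP_UX.stack_execute": "Yes",
    "HP_UX.ndd": "Yes",
    "SecureInetd.deactivate_builtin": "No",
    "SecureInetd.ftp_logging": "Yes",  # not weighted: must not affect the score
    # FTP.ftpusers is deliberately absent: weighted but not assessed
}


def parse_weights(text):
    """Return {item: weight} from weight-file text; blank and '#' lines are skipped.
    Bastille weight files always use 1, but any positive integer is accepted so a
    site-local weighting can be scored with the same code."""
    weights = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        item, sep, value = line.partition("=")
        item, value = item.strip(), value.strip()
        if not sep or not item or not value.isdigit() or int(value) < 1:
            raise ValueError(f"line {lineno}: expected item=positive-integer, got {line!r}")
        if item in weights:
            raise ValueError(f"line {lineno}: duplicate entry for {item}")
        weights[item] = int(value)
    return weights


def score(weights, results):
    """Return (secured_weight, total_weight, percent, missing_items)."""
    secured = total = 0
    missing = []
    for item, weight in weights.items():
        total += weight
        status = results.get(item)
        if status is None:
            missing.append(item)
        elif status == "Yes":
            secured += weight
    percent = round(100.0 * secured / total, 1) if total else 0.0
    return secured, total, percent, missing


def report(weights, results):
    """Render a scored table with Weight and Score columns plus the percentage line."""
    secured, total, percent, missing = score(weights, results)
    lines = [f"{'Item':48} {'Result':8} {'Weight':>6} {'Score':>5}"]
    for item, weight in weights.items():
        status = results.get(item, "Unknown")
        earned = weight if status == "Yes" else 0
        lines.append(f"{item:48} {status:8} {weight:6d} {earned:5d}")
    lines.append(f"{secured}/{total} weighted items secured ({percent}%)")
    if missing:
        lines.append("Weighted items not found in the assessment: " + ", ".join(missing))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_weights(SAMPLE_WEIGHTS), SAMPLE_RESULTS))
```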
IMPORTANT: When reverting to the configuration that existed before HP-UX Bastille was used, security configuration changes are undone temporarily. Other manual configuration changes, or additional software installed after HP-UX Bastille was initially run, might require a manual merge of configuration settings.

3.5 Monitoring drift

The bastille_drift program creates HP-UX Bastille configuration baselines and compares the current state of the system to a saved baseline.
The Drift file contains information about any configuration drift experienced since the last HP-UX Bastille run. This file is only created when an earlier HP-UX Bastille configuration was applied to the system.
/var/opt/sec_mgmt/bastille/log/Assessment/Drift
4 Removing HP-UX Bastille

Use the swremove command to remove HP-UX Bastille from an HP-UX machine. When HP-UX Bastille is removed, the system does not revert to the state it was in before HP-UX Bastille was installed. HP-UX Bastille removal leaves behind the revert-actions script. This script enables the administrator to revert the configuration files that HP-UX Bastille modified without an HP-UX Bastille installation.
5 Troubleshooting

5.1 Diagnostic tips

When troubleshooting issues with HP-UX Bastille, remember these tips:
• To revert changes:
  # bastille -r
• To list the current config file:
  # bastille -l
• Locate the list of all actions performed by HP-UX Bastille at /var/opt/sec_mgmt/bastille/log/action-log
• Use the following files to help diagnose problems:
  — /var/opt/sec_mgmt/bastille/log/action-log
  — /var/opt/sec_mgmt/bastille/log/error-log
  — /etc/opt/sec_mgmt/bastille/config
5.
5.3.2 Cannot use X because $DISPLAY is not set
You requested the X interface, but the $DISPLAY environment variable is not set. Set the environment variable to the desired display to correct the problem.
5.3.3 System is in original state
You attempted to revert changes with the -r option, but there are no changes to revert.
5.3.4 HP-UX Bastille must be run as root
HP-UX Bastille must be run as the root user because the changes affect system files.
5.3.
6 Support and other resources

6.1 Contacting HP

6.1.1 Before you contact HP

Be sure to have the following information available before you contact HP:
• Technical support registration number (if applicable)
• Product serial number
• Product identification number
• Applicable error message
• Add-on boards or hardware
• Third-party hardware or software
• Operating system type and revision level
6.1.
• bastille_drift(1M) in HP-UX 11i v3 Reference 1M System at: http://docs.hp.com/en/hpuxman_pages.html
The HP-UX Security Forum is offered through the HP IT Resource Center (ITRC) at: ITRC Forums Security
Product specifications and download: http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA
For more information about HP-UX Bastille compatibility with Serviceguard, see the Serviceguard documentation available at: http://www.hp.com/go/hpux-serviceguard-docs
CAUTION   A caution calls attention to important information that, if not understood or followed, will result in data loss, data corruption, or damage to hardware or software.
IMPORTANT   This alert provides essential information to explain a concept or to complete a task.
NOTE   A note contains additional information to emphasize or supplement important points of the main text.
6.
A Install-Time Security (ITS) using HP-UX Bastille

Install-Time Security (ITS) adds a security step to the installation or update process. This additional step allows the HP-UX Bastille security lock-down engine to run during system installation with one of four configurations, ranging from default security to DMZ.
IMPORTANT: Review these tables carefully. Some locked-down services and protocols might be used by other applications, and locking them down can have adverse effects on the behavior or functionality of those applications. You can change these security settings after installing or updating your system.
1 Manual action may be required to complete configuration. For more information, see /etc/opt/sec_mgmt/bastille/TODO.txt after update or installation.
2 The following ndd changes are made:
  ip_forward_directed_broadcasts=0
  ip_forward_src_routed=0
  ip_forwarding=0
  ip_ire_gw_probe=0
  ip_pmtu_strategy=1
  ip_send_source_quench=0
  tcp_conn_request_max=4096
  tcp_syn_rcvd_max=1000
3 Settings applied only if the software is installed.
A.2 Choosing security dependencies

The Sec00Tools security level is installed by default but does not implement any security changes when you install or update HP-UX Bastille. The Sec00Tools security level has the following benefits:
• Ensures that the required software is installed.
• Contains the prebuilt configuration files that are used to create a security level.
• Can be used as a template to create a custom security configuration.
B Configuring HP-UX Bastille for use with Serviceguard

B.1 Configuring Sec20MngDMZ or Sec30DMZ security levels

Serviceguard uses dynamic ports. To enable operation, the possible Serviceguard port range must be opened. Opening the port range is not consistent with the security goals of Sec20MngDMZ (MANDMZ.config) and Sec30DMZ (DMZ.config), because multiple services (including applications similar to rcp) might also listen on this same port range.
C Question modules

AccountSecurity.ABORT_LOGIN_ON_MISSING_HOMEDIR
Headline: Do not allow logins unless the home directory exists.
Default: N
Description: The ABORT_LOGIN_ON_MISSING_HOMEDIR parameter controls login behavior if a user's home directory does not exist.
Actions: Set ABORT_LOGIN_ON_MISSING_HOMEDIR=1 in /etc/security.

AccountSecurity.atuser
Headline: Restrict the use of at to administrative accounts.
Default: N
Description: HP-UX Bastille can restrict root from logging into a tty over the network. This forces administrators to log in first as a non-root user and then su to become root. Root logins are still permitted on the console and through services that do not use ttys, such as HP-UX Secure Shell.
Actions: Create or replace the file /etc/securetty with the single entry console.

AccountSecurity.crontabs_file
Headline: Ensure the crontab files are only accessible by root.
Description: HP-UX stores the encrypted password string for each user in the /etc/passwd file. These encrypted strings are viewable by anyone with access to the /etc/ file system, typically all users. Using the encrypted string, an attacker can find valid passwords for your system.
Actions: Convert the system to trusted mode or use shadowed passwords (dependent on OS version).

AccountSecurity.lock_account_nopasswd
Headline: Lock the local accounts with no password.
AccountSecurity.NUMBER_OF_LOGINS_ALLOWEDyn
Headline: Set a maximum number of logins per user.
Default: N
Description: Sets the NUMBER_OF_LOGINS_ALLOWEDyn parameter.
Actions: None.

AccountSecurity.PASSWORD_HISTORY_DEPTH
Headline: Set the password history depth.
Default: 3
Description: The PASSWORD_HISTORY_DEPTH parameter controls the password history depth. A new password is checked against the number of most recently used passwords stored in the password history for a particular user.
Description: This parameter controls the default number of days before password expiration that a user is warned that the password must be changed. For systems running HP-UX 11.11 and HP-UX 11.0, setting this value requires conversion to trusted mode. For HP-UX 11.22 and later, shadowed password conversion is required. This parameter applies only to local non-root users.
Actions: Sets the parameter PASSWORD_WARNDAYS in the /etc/default/security file.
AccountSecurity.
…has physical access to the machine and enough time, there is very little you can do to prevent unauthorized access. This may be more problematic when an authorized administrator cannot remember the password. Note: For HP-UX 11.22 and prior, this requires conversion to trusted mode. HP-UX Bastille will automatically do the conversion if you select this option. Trusted mode is incompatible with LDAP-UX client services prior to version 3.
…configuring a umask for all of the user shells, HP-UX 11.22 and later have an option in the /etc/default/security file to set the default system umask. This parameter controls the umask(2) of all sessions initiated with pam_unix(5), which can then be overridden by the shell.
NOTE: If your system is converted to trusted mode, this parameter will be overridden by the trusted system default umask, which is 077.
Actions: Set the selected umask in all known shell startup scripts.
AccountSecurity.
Apache.chrootapache
Headline: Applies chroot to your HP Web Services Apache Server.
Default: N
Description: The HP Web Services version of the Apache web server for HP-UX is available free for download at www.hp.com/go/softwaredepot. A chroot script is built into the distribution. This script makes a copy of Apache and related binaries and libraries and places them inside a chroot jail. This allows Apache to run with limited file system access.
…is listening to untrusted data as much as possible. This is especially true of network daemons such as bind. If a vulnerability is found in the daemon, a chroot jail contains any intrusion. Only a root process can break out of a chroot jail. HP-UX Bastille ensures that "named" is not running as root.
Default: N
Description: The ftpusers file allows the administrator to specify accounts that are not allowed to log in through ftpd. Default system users should not be allowed access to the system through ftpd, because it sends the username and password in clear text over the network.
Actions: HP-UX Bastille disallows ftp logins to a WU-FTPD server from the following users: root, daemon, bin, sys, adm, uucp, lp, nuucp, hpdb, and guest.
• arp_cleanup_interval=60000
• ip_forward_directed_broadcasts=0
• ip_forward_src_routed=0
• ip_forwarding=0
• ip_ire_gw_probe=0
• ip_pmtu_strategy=1
• ip_respond_to_echo_broadcast=0
• ip_respond_to_timestamp=0
• ip_respond_to_timestamp_broadcast=0
• ip_send_redirects=0
• ip_send_source_quench=0
• tcp_conn_request_max=4096
• tcp_syn_rcvd_max=4096
For more information on each of these parameters, run ndd -h.
NOTE: If you already have some non-default, non-HP-UX Bastille settings in effect, you must merge the s
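The merge that the NOTE above calls for, worked through as an added example (this is not HP-UX Bastille's own code). The hardened values are the ones listed for HP_UX.ndd; it is assumed that the site's existing settings are kept in the TRANSPORT_NAME[n]/NDD_NAME[n]/NDD_VALUE[n] form used by /etc/rc.config.d/nddconf, and that a site value differing from the Bastille value is a conflict to be reviewed by the administrator rather than overwritten silently.

```python
"""Merge the HP_UX.ndd lock-down values with a site's existing ndd settings.

Added example, not part of HP-UX Bastille. Assumptions: nddconf-style input
(TRANSPORT_NAME[n], NDD_NAME[n], NDD_VALUE[n]); parameters map to the
/dev/ip, /dev/tcp and /dev/arp transports by their name prefix; the Bastille
value wins in the merged output, and every differing site value is reported.
"""
import re

# The ndd settings HP-UX Bastille applies (values as listed for HP_UX.ndd).
BASTILLE_NDD = {
    "arp_cleanup_interval": 60000,
    "ip_forward_directed_broadcasts": 0,
    "ip_forward_src_routed": 0,
    "ip_forwarding": 0,
    "ip_ire_gw_probe": 0,
    "ip_pmtu_strategy": 1,
    "ip_respond_to_echo_broadcast": 0,
    "ip_respond_to_timestamp": 0,
    "ip_respond_to_timestamp_broadcast": 0,
    "ip_send_redirects": 0,
    "ip_send_source_quench": 0,
    "tcp_conn_request_max": 4096,
    "tcp_syn_rcvd_max": 4096,
}

# Constructed sample of existing site settings: one conflict (forwarding on)
# and one site-only tuning that must survive the merge untouched.
SAMPLE_NDDCONF = """\
# site ndd settings (constructed sample)
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_forwarding
NDD_VALUE[0]=1
TRANSPORT_NAME[1]=tcp
NDD_NAME[1]=tcp_keepalive_interval
NDD_VALUE[1]=600000
"""

_ENTRY = re.compile(r"^(TRANSPORT_NAME|NDD_NAME|NDD_VALUE)\[(\d+)\]=(\S+)$")


def transport_for(param):
    """Map a parameter to its ndd transport (ip, tcp or arp) by its name prefix."""
    prefix = param.split("_", 1)[0]
    if prefix not in ("ip", "tcp", "arp"):
        raise ValueError(f"cannot infer transport for {param!r}")
    return prefix


def parse_nddconf(text):
    """Return {param: (transport, value)} from nddconf-style text, rejecting
    unrecognised lines and entries with a missing field."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ENTRY.match(line)
        if not match:
            raise ValueError(f"unrecognised nddconf line: {line!r}")
        key, index, value = match.groups()
        entries.setdefault(index, {})[key] = value
    result = {}
    for index, fields in sorted(entries.items(), key=lambda kv: int(kv[0])):
        missing = {"TRANSPORT_NAME", "NDD_NAME", "NDD_VALUE"} - fields.keys()
        if missing:
            raise ValueError(f"entry {index} is missing {sorted(missing)}")
        result[fields["NDD_NAME"]] = (fields["TRANSPORT_NAME"], int(fields["NDD_VALUE"]))
    return result


def merge(existing, hardened=BASTILLE_NDD):
    """Return (merged, conflicts). Site-only parameters pass through; every
    Bastille parameter takes the Bastille value; a site value that differs is
    recorded as (param, site_value, bastille_value) for review."""
    merged = dict(existing)
    conflicts = []
    for param, value in hardened.items():
        if param in existing and existing[param][1] != value:
            conflicts.append((param, existing[param][1], value))
        merged[param] = (transport_for(param), value)
    return merged, conflicts


def render_nddconf(merged):
    """Emit the merged settings in nddconf form, renumbered from 0."""
    lines = []
    for n, (param, (transport, value)) in enumerate(sorted(merged.items())):
        lines += [f"TRANSPORT_NAME[{n}]={transport}",
                  f"NDD_NAME[{n}]={param}", f"NDD_VALUE[{n}]={value}"]
    return "\n".join(lines) + "\n"
```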
Actions: Adds a summary description of HP security and services to the TODO.txt file for user reference.

HP_UX.restrict_swacls
Headline: Restrict remote access to swlist.
Default: N
Description: The swagentd daemon allows remote access to list and install software on your system. This feature is convenient for remote administration. Security Patch Check can use this to query remote machines.
Default: Y
Description: A common way to gain privileged access is to provide some type of out-of-bounds input that is not checked by a program. This input can be used to overflow the stack in a way that leaves cleverly written instructions stored in a place where the program will execute them. The HP-UX kernel is able to disallow execution of instructions from the stack. This contains many of these types of attacks, making them ineffective.
Actions: Enable incoming network traffic for this service by adding the following lines to the /etc/opt/ipf/ipf.conf file when it is actively managed by HP-UX Bastille:
# do allow DNSquery incoming connections
pass in quick proto udp from any to any port = domain keep state

IPFilter.block_hpidsadmin
Headline: BLOCK incoming connections to the HIDS GUI with IPFilter.
…can result in attacks that go undetected and reports of many false alerts. HIDS will work, but your system may still be vulnerable.
• Prevent the onset of attacks. If your system is vulnerable to attacks, those vulnerabilities will remain even after HIDS is installed.
• Find static security flaws on a system. For example, if the password file contained an illegitimate account before HIDS was installed, that illegitimate account remains a vulnerability even after HIDS is installed and operational.
…is the best way to do it. You should only block Secure Shell access if you have an alternate, secure method to manage your machine (such as physical access to the console or a secure terminal server) or if you do not use Secure Shell. Otherwise, answer no to this question.
Actions: Enable incoming network traffic for this service by adding the following lines to the /etc/opt/ipf/ipf.
…configured. HP-UX Bastille cannot detect whether the rule-set is appropriate for your needs. HP-UX Bastille can create a very basic firewall configuration.
WARNING! Firewalls are designed to keep people out of your machine. Therefore, the features in this section can keep you out too. Blocked communication can include traffic from management applications such as Serviceguard, System Insight Manager, OpenView, System Management Homepage, and others.
Block anything you are not asked about explicitly, including all incoming traffic. If this is the first time you are using HP-UX Bastille to configure your firewall, you will be asked about several service-specific options if the applicable software appears to be installed. If you have already configured a firewall using HP-UX Bastille, you will only be asked about protocols that are currently allowed by the HP-UX Bastille configuration.
IMPORTANT: Manual action is required to complete this configuration.
Description: The HP-UX diagnostics daemon can listen on a network port. The diagnostics GUI can be run remotely by administrators and support personnel to find and fix hardware problems. Later versions of this daemon have the option to listen only on local UNIX domain sockets. This way, the GUI can still be run locally to diagnose hardware problems, but a network attacker cannot take advantage of any vulnerabilities that might be found in the future.
Actions: Stop the diagnostics daemon.
Actions: If running, stop process rbootd. Set START_RBOOTD=0 in /etc/rc.config.d/netdaemons.

MiscellaneousDaemons.disable_smbclient
Headline: Disable the HP-UX CIFS client.
Default: Y
Description: CIFS can be used to share files and other resources between computers. The CIFS product suite integrates HP-UX with Microsoft Windows environments by providing remote file sharing, printer access, and authentication services between HP-UX and Windows systems.
Actions: If running, stop process cifsclient.
Description: The Simple Network Management Protocol (SNMP) aids in the management of machines over the network. This can be a powerful method of monitoring and administering a set of networked machines. If you use network management software to maintain the computers on your network, you should audit the way in which SNMP is used by that software.
• Use SNMPv3 wherever possible.
• Set restrictive access control lists.
• Block SNMP traffic at your firewall.
• Disable the SNMP daemons.
…sometimes configured to provide network services to other systems. Disable these services unless you know of a specific reason to leave them enabled.
Actions: Kill processes: mrouted, rwhod, rarpd, rdpd, snapdaemon
Set MROUTED=0 in /etc/rc.config.d/netdaemons
Set RWHOD=0 in /etc/rc.config.d/netdaemons
Set RARPD=0 in /etc/rc.config.d/netconf
Set RDPD=0 in /etc/rc.config.d/netconf
Set START_SNAPLUS=0 in /etc/rc.config.d/snaplus2
Patches.
…which analyze the software installed on the system. HP-UX Bastille runs SWA version C.01.01 or later; otherwise, SPC is used to create a security-compliance report. The security compliance report lists:
• Installed patches that have warnings (recalls) issued by HP.
• Security patches announced by HP that would fix installed software but have not been applied.
• Currently installed patches that are not properly configured.
• Software that needs to be removed or updated to comply with a bulletin.
Default: Y
Description: The bootpd daemon implements three functions: a DHCP server, an Internet Boot Protocol (BOOTP) server, and a DHCP/BOOTP relay agent. If this system is not a BOOTP/DHCP server or a DHCP/BOOTP relay agent, HP recommends disabling this service.
Actions: Comment out the entry for bootp in the /etc/inetd.conf file.

SecureInetd.deactivate_builtin
Headline: Ensure that the inetd built-in services do not run on this system.
Description: FTP is a legacy protocol. It is a clear-text protocol, like Telnet, and allows an attacker to eavesdrop on sessions and steal passwords. It also allows an attacker to take over an FTP session using a clear-text session-takeover tool such as Hunt or Ettercap. It can make effective firewalling difficult because of the way FTP requires many ports to stay open. Every major FTP daemon has had a long history of security vulnerabilities.
SecureInetd.deactivate_recserv
Headline: Ensure the inetd recserv service does not run on this system.
Default: N
Description: The HP SharedX Receiver Service receives shared windows from another machine in X without explicitly performing any xhost command. This service is required for MPower remote windows. If you use MPower, leave this service running on your system. The SharedX Receiver Service is an automated wrapper around the xhost command.
…protocol. Any data transferred, including passwords, can be monitored by anyone else on your network, even if you use a switching router. Switches were designed for performance, not security, and can be made to broadcast. Other networks can monitor this information too if the Telnet session crosses multiple LANs. There are also other, more active attacks. For example, anyone who can eavesdrop can usually take over your Telnet session using a tool such as Hunt or Ettercap.
Description: Logging FTP connection and command activity is recommended. The only reason not to do this is that frequent logging from FTP fills logs more quickly, particularly if FTP services are heavily used on this machine.
Actions: In the /etc/inetd.conf file, add the -l flag to the entry for ftpd.

SecureInetd.inetd_general
Headline: Reminder to disable unneeded inetd services in the TODO.txt file.
Default: N
Description: Disable unneeded inetd services.
NOTE: While processing the mail queue, sendmail does not accept inbound connections.
NOTE: The 15-minute interval can be changed later. See crontab(1).
Actions: Set a cron job to run /usr/sbin/sendmail -q every 15 minutes.

Sendmail.sendmaildaemon
Headline: Stop sendmail from running in daemon mode.
Default: Y
Description: To send and receive mail, sendmail does not need to be running in daemon mode. Unless you have a constant network connection, you cannot run sendmail in daemon mode.
D Sample weight files

D.1 all.weight

The weight file below is located in /etc/opt/sec_mgmt/bastille/configs/defaults. This template file contains all possible HP-UX question items as selected.
AccountSecurity.ABORT_LOGIN_ON_MISSING_HOMEDIR=1
AccountSecurity.AUTH_MAXTRIES=1
AccountSecurity.MIN_PASSWORD_LENGTH=1
AccountSecurity.NOLOGIN=1
AccountSecurity.NUMBER_OF_LOGINS_ALLOWED=1
AccountSecurity.PASSWORD_HISTORY_DEPTH=1
AccountSecurity.PASSWORD_MAXDAYS=1
AccountSecurity.PASSWORD_MINDAYS=1
AccountSecurity.
MiscellaneousDaemons.disable_bind=1
MiscellaneousDaemons.disable_ptydaemon=1
MiscellaneousDaemons.disable_pwgrd=1
MiscellaneousDaemons.disable_rbootd=1
MiscellaneousDaemons.disable_smbclient=1
MiscellaneousDaemons.disable_smbserver=1
MiscellaneousDaemons.nfs_client=1
MiscellaneousDaemons.nfs_core=1
MiscellaneousDaemons.nfs_server=1
MiscellaneousDaemons.nis_client=1
MiscellaneousDaemons.nis_server=1
MiscellaneousDaemons.nisplus_client=1
MiscellaneousDaemons.nisplus_server=1
MiscellaneousDaemons.
AccountSecurity.restrict_home=1
AccountSecurity.root_path=1
AccountSecurity.serial_port_login=1
AccountSecurity.system_auditing=1
AccountSecurity.umask=1
AccountSecurity.unowned_files=1
AccountSecurity.user_dot_files=1
AccountSecurity.user_rc_files=1
Apache.deactivate_hpws_apache=1
FTP.ftpbanner=1
FTP.ftpusers=1
HP_UX.gui_banner=1
HP_UX.ndd=1
HP_UX.screensaver_timeout=1
HP_UX.stack_execute=1
HP_UX.tcp_isn=1
MiscellaneousDaemons.configure_ssh=1
MiscellaneousDaemons.disable_bind=1
MiscellaneousDaemons.
E CIS mapping to HP-UX Bastille

CIS Level 1 benchmark for HP-UX 11i (v1.5.0): mapping to HP-UX Bastille

CIS ID   CIS benchmark section                                HP-UX Bastille lock down items
1.1      Patches and Additional Software
1.1.1    Apply latest OS patches                              Not Scorable
1.1.2    Install and configure SSH                            MiscellaneousDaemons.configure_ssh
1.1.3    Install and Run Bastille                             Not Scorable
1.2      Minimize inetd network services
1.2.1    Disable Standard Services                            SecureInetd.deactivate_builtin, SecureInetd.deactivate_finger, SecureInetd.
1.3.7    Disable other standard boot services                 MiscellaneousDaemons.disable_rbootd, MiscellaneousDaemons.nfs_server, MiscellaneousDaemons.nfs_client, MiscellaneousDaemons.disable_ptydaemon, Apache.deactivate_hpws_apache, MiscellaneousDaemons.snmpd, MiscellaneousDaemons.nfs_core, MiscellaneousDaemons.other_boot_serv, MiscellaneousDaemons.disable_smbclient, MiscellaneousDaemons.disable_smbserver, MiscellaneousDaemons.disable_bind
1.3.
1.7.1    Enable kernel-level auditing                         AccountSecurity.system_auditing
1.7.2    Enable logging from inetd                            SecureInetd.log_inetd
1.7.3    Turn on additional logging for FTP daemon            SecureInetd.ftp_logging
1.8      User Accounts and Environment
1.8.1    Block system accounts
1.8.2    Verify that there are no accounts with empty password fields   AccountSecurity.lock_account_nopasswd
1.8.
Index

A
assessing, 11
C
compatibility, 8
configuration
  batch mode, 13
  creating, 11
  replicating, 11
  Serviceguard, 31
D
drift, 17
F
features, 7
file locations, 17
I
installation requirements, 9
installing, 9
ITS, 27
K
known issues, 21
P
performance, 8
Q
question modules, 33
R
related information, 23
removing, 19
reporting, 13
reverting, 16
S
scored assessment report, 14
security
  dependencies, 30
  levels, 27, 30
support, 8, 23
T
tips
  diagnostic, 21
  general
W
weight files
  samples, 63
workarounds, 21