bastille.1m (2010 09)

bastille(1M) bastille(1M)
NAME
bastille - system lockdown tool
SYNOPSIS
Path: /usr/sbin (Linux)
Path: /opt/sec_mgmt/bastille/bin (HP-UX)
bastille [ -b | -c | -x ] [ -f alternate_config_file ] [ --os [ version ]]
bastille [ -l | -r | --assess | --assessnobrowser ]
DESCRIPTION
Bastille is a system-hardening/lockdown program that enhances the security of a Unix host. It configures
daemons, system settings and firewalls to be more secure. It can shut off unneeded services and r-tools
like rcp and rlogin, and helps create "chroot jails" that help limit the vulnerability of common Internet
services, like Web servers and DNS. This tool currently hardens Red Hat 6.0-8.0, Mandrake 6.0-8.1,
HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3. It is currently being tested on Debian, SuSE, and
Turbo Linux.
The utility includes a policy/configuration-selection interface, a configuration engine and a reporting
module. The primary profile-building interface is an X interface via Perl/Tk. There is also a text-based
Perl/Curses interface for Linux. The tool can be used interactively and non-interactively (when the
policy-application engine is used directly). Used interactively, to build system-security configurations,
Bastille has been designed to explain security issues to system administrators, then let them decide how
to let the tool handle them. This both secures the system and educates the administrator. When the
configuration engine is used directly, the utility is useful for duplicating a security configuration on
multiple machines.
When used interactively (bastille, bastille -x, or bastille -c), the user interface guides you through a
series of questions. Each step contains a description of a security decision involved in hardening a Unix
system. Each question describes the cost/benefit of each decision. The Tk interface gives you the option
to skip to another question module and return to the current module later. The X interface provides
"Completed Indicators" to show you which question modules are complete. After you have answered all of
the questions, the interface then provides automated support in performing lockdown steps. After
performing the steps Bastille can perform automatically, the utility produces a "to-do" list that describes
the remaining actions you must perform manually to ensure the system is secure.
Security hardening can also be performed directly through the configuration engine (bastille -b) using
the default or an alternate configuration (bastille -b -f file) (see the config file in the FILES section
below for the default location). This method is useful for duplicating a particular security configuration
on multiple machines. Before using the configuration engine directly, a configuration file must be created
by using Bastille interactively. After the configuration file is created, copy it to the other systems, install
Bastille Unix on those systems, then run the configuration engine on those systems.
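The replication procedure above, as an added example that is not part of the manual: a small POSIX sh helper that picks the bastille binary by operating system (the two paths from the SYNOPSIS), copies an interactively built configuration to each target host, and applies it with the batch-mode engine. It assumes ssh/scp access to each host with Bastille already installed there; the host names, the remote path /tmp/bastille-config and the DRY_RUN switch are constructed for this example.

```shell
#!/bin/sh
# Added example, not Bastille's own code. Replicates a configuration file
# built with the interactive interface to several hosts and applies it with
# "bastille -b -f file". Assumes ssh/scp reach each host and Bastille is
# installed there. Host list entries are written as name:OS (constructed).

# Path of the bastille binary for a given OS, as listed in the SYNOPSIS.
bastille_bin() {
    case "$1" in
        Linux) echo /usr/sbin/bastille ;;
        HP-UX) echo /opt/sec_mgmt/bastille/bin/bastille ;;
        *)     echo "unsupported OS: $1" >&2; return 1 ;;
    esac
}

# Batch-mode command to run on a remote host against a copied config file.
batch_cmd() {
    os=$1; cfg=$2
    bin=$(bastille_bin "$os") || return 1
    echo "$bin -b -f $cfg"
}

# Copy the local config to every host and run the engine there.
# Set DRY_RUN=1 to print the steps instead of executing them.
deploy_config() {
    cfg=$1; shift
    [ -r "$cfg" ] || { echo "config $cfg not readable" >&2; return 1; }
    for entry in "$@"; do
        name=${entry%%:*}; os=${entry#*:}          # split name:OS
        cmd=$(batch_cmd "$os" /tmp/bastille-config) || return 1
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "scp $cfg $name:/tmp/bastille-config; ssh $name '$cmd'"
        else
            scp "$cfg" "$name:/tmp/bastille-config" && ssh "$name" "$cmd" || return 1
        fi
    done
}
```

Run the interactive interface once on a reference host, then call `deploy_config /path/to/config web1:Linux db1:HP-UX` from that host.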
Bastille draws from many major reputable sources on Unix security. The initial development integrated
Jay Beale's existing O/S hardening experience for Solaris and Linux with most major points from the
SANS Securing Linux Step by Step and Kurt Seifried's Linux Administrator's Security Guide. Later
versions incorporated suggestions from the HP-UX Bastion Host White-paper, Center for Internet Security,
and other sources.
To ensure that Bastille is used as safely as possible, please:
1) Let the developers know about any impacts you discover which aren’t mentioned in the question text
for possible inclusion in future revisions of the questions text.
2) Test Bastille configurations in a non-production environment first, with the application stack fully
functionally tested after lockdown before deployment in a production environment. The
characterization of consequences is known to be incomplete, especially for general purpose systems.
Options
bastille recognizes the following options:
-b Run in batch mode. This option takes the answers that were created interactively and applies them
to the machine.
HP-UX 11i Version 3: September 2010 1 Hewlett-Packard Company 1
