HP-UX Reference (11i v2 07/12) - 1M System Administration Commands A-M (vol 3)
bastille(1M) bastille(1M)
NAME
bastille - system lockdown tool
SYNOPSIS
Path (Linux): /usr/sbin
Path (HP-UX): /opt/sec_mgmt/bastille/bin
bastille [-b|-c|-x][-f alternate_config_file][--os [version]]
bastille [-l|-r|--assess|--assessnobrowser]
DESCRIPTION
Bastille is a system-hardening/lockdown program that enhances the security of a Unix host. It configures
daemons, system settings and firewalls to be more secure. It can shut off unneeded services and r-tools like
rcp and rlogin, and helps create "chroot jails" that help limit the vulnerability of common Internet services,
like Web servers and DNS. This tool currently hardens Red Hat 6.0-8.0, Mandrake 6.0-8.1, HP-UX
11i v1, HP-UX 11i v2, and HP-UX 11i v3. It is currently being tested on Debian, SuSE, and Turbo Linux.
The utility includes a policy/configuration-selection interface, a configuration engine and a reporting
module. The primary profile-building interface is an X interface via Perl/Tk. There is also a text-based
Perl/Curses interface for Linux. The tool can be used interactively and noninteractively (when the policy-
application engine is used directly). Used interactively, to build system-security configurations, Bastille has
been designed to explain security issues to system administrators, then let them decide how to let the tool
handle them. This both secures the system and educates the administrator. When the configuration
engine is used directly, the utility is useful for duplicating a security configuration on multiple machines.
When used interactively (bastille, bastille -x, or bastille -c), the user interface guides you through a
series of questions. Each step contains a description of a security decision involved in hardening a Unix
system. Each question describes the cost/benefit of each decision. The Tk interface gives you the option to
skip to another question module and return to the current module later. The X interface provides "Completed
Indicators" to show you which question modules are complete. After you have answered all of the
questions, the interface then provides automated support in performing lockdown steps. After performing
the steps Bastille can perform automatically, the utility produces a "to-do" list that describes remaining
actions you must perform manually to ensure the system is secure.
Security hardening can also be performed directly through the configuration engine (bastille -b) using the
default or an alternate configuration (bastille -b -f file) (see the config file in the FILES section below for
the default location). This method is useful for duplicating a particular security configuration on multiple
machines. Before using the configuration engine directly, a configuration file must be created by using
Bastille interactively. After the configuration file is created, copy it to the other systems, install Bastille Unix
on those systems, then run the configuration engine on those systems.
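The replication workflow above (build the answer file interactively once, copy it, replay it with bastille -b -f on each host) is easy to get wrong when a copy is truncated or a stray edit lands in the file, because batch mode applies whatever it is given. The script below is an added example, not part of this man page or of the Bastille project: it validates an answer file before it is replayed and then invokes the batch engine. The HP-UX binary path is taken from the SYNOPSIS; the Module.Question="Answer" line format, the staging path /var/tmp/bastille-config, and the sample answer lines are assumptions made for the example.

```sh
#!/bin/sh
# Added example: validate a Bastille answer file, then replay it with
# "bastille -b -f <file>" locally or on a list of remote hosts.
# Not from the man page or the Bastille project; see assumptions below.

# Path from the SYNOPSIS of bastille(1M) on HP-UX.
BASTILLE_BIN="/opt/sec_mgmt/bastille/bin/bastille"
# Assumed staging location for the copied answer file on remote hosts.
REMOTE_CFG="/var/tmp/bastille-config"

# check_config FILE
# Returns 0 when every non-blank, non-comment line has the form
#   Module.Question="Answer"
# (assumed format). A truncated scp copy or a pasted shell fragment fails
# the check, so batch mode never runs against a damaged file.
check_config() {
    cfg="$1"
    if [ ! -s "$cfg" ]; then
        echo "check_config: $cfg is missing or empty" >&2
        return 1
    fi
    # Drop comments/blank lines, then look for any line NOT matching the format.
    if grep -v -E '^[[:space:]]*(#|$)' "$cfg" \
        | grep -q -v -E '^[A-Za-z0-9_]+\.[A-Za-z0-9_]+="[^"]*"$'; then
        echo "check_config: $cfg contains lines that are not Module.Question=\"Answer\"" >&2
        return 1
    fi
    return 0
}

# run_batch FILE
# Replays a validated answer file on this host. Returns 1 on a bad file,
# 2 when bastille is not installed, otherwise bastille's own exit status.
run_batch() {
    cfg="$1"
    check_config "$cfg" || return 1
    if [ ! -x "$BASTILLE_BIN" ]; then
        echo "run_batch: $BASTILLE_BIN not found; install Bastille first" >&2
        return 2
    fi
    "$BASTILLE_BIN" -b -f "$cfg"
}

# push_and_apply FILE HOST...
# Copies a validated answer file to each host and replays it there with
# the configuration engine. Assumes ssh/scp access to the hosts.
push_and_apply() {
    cfg="$1"
    shift
    check_config "$cfg" || return 1
    for host in "$@"; do
        echo "==> $host"
        scp "$cfg" "$host:$REMOTE_CFG" || return 1
        ssh "$host" "$BASTILLE_BIN -b -f $REMOTE_CFG" || return 1
    done
}

# Usage (local replay):  run_batch /path/to/answer-file
# Usage (remote replay): push_and_apply /path/to/answer-file host1 host2
```

The validation is deliberately strict: a single malformed line rejects the whole file, which is the behaviour you want for a tool that reconfigures daemons and firewalls unattended.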
Bastille draws from many major reputable sources on Unix Security. The initial development integrated
Jay Beale’s existing O/S hardening experience for Solaris and Linux with most major points from the SANS’
Securing Linux Step by Step and Kurt Seifried’s Linux Administrator’s Security Guide. Later versions
incorporated suggestions from the HP-UX Bastion Host White-paper, Center for Internet Security, and
other sources.
To ensure that Bastille is used as safely as possible, please:
1) Let the developers know about any impacts you discover which aren't mentioned in the question text
for possible inclusion in future revisions of the question text.
2) Test Bastille configurations in a nonproduction environment first, with the application stack fully
functionally tested after lockdown before deployment in a production environment. The characterization
of consequences is known to be incomplete, especially for general purpose systems.
Options
bastille recognizes the following options:
-b Run in batch mode. This option takes the answers that were created interactively and applies them to
the machine.
-c Linux Only. Bring up the text interface of the interactive portion of Bastille. It is implemented with
the Perl/Curses module, which must be installed separately if it did not come with your version of
Perl.
96 Hewlett-Packard Company − 1 − HP-UX 11i Version 2: December 2007 Update