HP-UX Reference (11i v2 07/12) - 1M System Administration Commands A-M (vol 3)

bastille(1M) bastille(1M)
-f alternate_config_file
Use an alternate config file versus the default location.
-l List applied configuration files. List the configuration files in the configuration file directory that
match the one last used.
-r Revert Bastille-modified system files to the state they were in before Bastille was run. Note that, if
any changes to the system configuration were made in the interim, those changes should be reviewed
again to make sure they (1) still work, and (2) have not broken the system or compromised its
security.
-x The default option. Run the Bastille X interface. It is implemented with the Perl/Tk module, which
must be installed separately if it did not come with your version of Perl.
--assess
Run Bastille in assessment-only mode so that it investigates the state of hardening, reports on it,
and generates a score. No changes are made to the system. It generates HTML and text reports and
a Bastille configuration file.
For each question, Bastille generates one of the following results:
Yes The associated Bastille lockdown has been applied to the product or service shipped with
HP-UX. Bastille may not always correctly detect the status of products or services that are not
shipped with the HP-UX OE. Also, Bastille may not detect all variations of the possible ways
to disable or enable a service or feature. It will detect if Bastille did so, and will likely detect
configuration made in accepted, standard ways.
No The question configuration has not been applied.
User Action Pending
Bastille has performed a partial configuration, leaving the user with some actions needed to
complete the configuration. These actions are listed in the TODO file listed below.
Inconsistent
Bastille cannot tell the status. Usually, this is due to the system being in an inconsistent state.
For example, Bastille would return this status for a service running in the process list, but
configured on disk to be off. Note that there are some cases where inconsistent states that Bastille
cannot detect could be created on the system, so if the administrator has made changes to the
system, and needs to rely on Bastille results, the system should be rebooted first to ensure the
configuration is consistent. This caveat does not apply to Bastille-initiated actions.
N/A: S/W Not Installed
This indicates that the relevant software is not installed, so there is no need to lock down the
given item, but care should be taken when the software is installed to lock it down at that
point.
Needed S/W Missing
This indicates that the item is not locked down since it needs software that is currently not
available on the system.
Set to value
This indicates a nonboolean setting.
Not Defined
This indicates a nonboolean setting that has not been set yet. Thus the system default settings
apply. In the case of later HP-UX versions, default account security settings are often found in
the /etc/security.dsc file.
See the FILES section for location. The HTML version of the report is shown in a browser if either a
graphical or text browser can be found.
--assessnobrowser
Same as --assess, except that the report is not displayed in a browser.
--os[ version ]
Explicitly set the operating system version while generating a configuration file. By setting the
operating system version, all questions valid for that operating system will be asked and configuration
files can be generated for any version Bastille recognizes. For a complete list of operating system
versions, type bastille -x --os.
HP-UX 11i Version 2: December 2007 Update 2 Hewlett-Packard Company 97