HP-UX Reference (11i v3 07/02) - 1M System Administration Commands A-M (vol 3)
bastille(1M) bastille(1M)
NAME
bastille - system lockdown tool
SYNOPSIS
Path: /usr/sbin (Linux)
Path: /opt/sec_mgmt/bastille/bin (HP-UX)
bastille [ -b | -c | -x ][-f alternate_config_file ]
[ --os [ version ]]
bastille [ -l | -r | --assess | --assessnobrowser ]
DESCRIPTION
Bastille is a system-hardening/lockdown program that enhances the security of a Unix host. It configures
daemons, system settings and firewalls to be more secure. It can shut off unneeded services and r-tools like
rcp and rlogin, and helps create "chroot jails" that help limit the vulnerability of common Internet services, like Web servers and DNS. This tool currently hardens Red Hat 6.0-8.0, Mandrake 6.0-8.1, HP-UX
11i v1, HP-UX 11i v2, and HP-UX 11i v3. It is currently being tested on Debian, SuSE, and Turbo Linux.
The utility includes a policy/configuration-selection interface, a configuration engine and a reporting
module. The primary profile-building interface is an X interface via Perl/Tk. There is also a text-based
Perl/Curses interface for Linux. The tool can be used interactively and non-interactively (when the
policy-application engine is used directly). Used interactively to build system-security configurations, Bastille has been designed to explain security issues to system administrators, then let them decide how
the tool should handle them. This both secures the system and educates the administrator. When the
configuration engine is used directly, the utility is useful for duplicating a security configuration on multiple
machines.
When used interactively (bastille, bastille -x, or bastille -c), the user interface guides you through a
series of questions. Each step contains a description of a security decision involved in hardening a Unix
system. Each question describes the cost/benefit of each decision. The Tk interface gives you the option to
skip to another question module and return to the current module later. The X interface provides "Completed
Indicators" to show you which question modules are complete. After you have answered all of the
questions, the interface then provides automated support in performing lockdown steps. After performing
the steps Bastille can perform automatically, the utility produces a "to-do" list that describes remaining
actions you must perform manually to ensure your system is secure.
Security hardening can also be performed directly through the configuration engine (bastille -b) using the
default or an alternate configuration (bastille -b -f file) (see the config file in the FILES section below for
the default location). This method is useful for duplicating a particular security configuration on multiple
machines. Before using the configuration engine directly, a configuration file must be created by using Bastille
interactively. After the configuration file is created, copy it to the other systems, install Bastille Unix
on those systems, then run the configuration engine on those systems.
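The following POSIX shell script is an added example of the replication procedure just described and of the -b batch option; it is not part of this man page or of the Bastille distribution. It assumes three things the page does not state: that Bastille's configuration file consists of lines of the form Module.question="value", that /etc/opt/sec_mgmt/bastille/config is the default HP-UX config path, and that copies go over ssh/scp (rcp and rlogin are exactly what Bastille switches off). The sample configuration it writes is constructed for illustration; the question names in it are not taken from the page.

```sh
#!/bin/sh
# Added example: validate a Bastille config built interactively on one host,
# then push it to other hosts and apply it with the batch engine
# (bastille -b -f file). Not from the HP-UX man page or the Bastille project.

# HP-UX path from the SYNOPSIS; default config location is an assumption.
BASTILLE=/opt/sec_mgmt/bastille/bin/bastille
REMOTE_CFG=/etc/opt/sec_mgmt/bastille/config

# write_sample_config FILE
# Constructed sample in the assumed Module.question="value" format.
write_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample, question names are illustrative only
MiscellaneousDaemons.nfs_server="N"
SecureInetd.deactivate_rtools="Y"
IPFilter.configure_ipfilter="N"
EOF
}

# check_config FILE
# Reject a config before applying it: every non-blank, non-comment line must
# look like Module.question="value". Returns 0 if clean, 1 if any line is
# malformed (each offending line is reported on stderr).
check_config() {
    _rc=0
    _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        case "$_line" in
            ''|'#'*) continue ;;
        esac
        if ! printf '%s\n' "$_line" |
             grep -Eq '^[A-Za-z0-9_]+\.[A-Za-z0-9_]+="[^"]*"$'; then
            printf 'line %d: malformed entry: %s\n' "$_n" "$_line" >&2
            _rc=1
        fi
    done < "$1"
    return $_rc
}

# config_value FILE KEY
# Print the answer recorded for KEY (last occurrence wins), or nothing.
config_value() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | tail -n 1
}

# deploy_config FILE HOST...
# Copy a validated config to each host and run the batch engine there.
# Stops at the first host that fails so a bad run is noticed immediately.
deploy_config() {
    _cfg=$1
    shift
    check_config "$_cfg" || {
        echo "refusing to deploy a malformed config" >&2
        return 1
    }
    for _h in "$@"; do
        scp -q "$_cfg" "root@$_h:$REMOTE_CFG" &&
            ssh "root@$_h" "$BASTILLE -b -f $REMOTE_CFG" || {
            echo "deployment failed on $_h" >&2
            return 1
        }
    done
}

# Offline demonstration: build the constructed sample and validate it.
sample=$(mktemp)
write_sample_config "$sample"
if check_config "$sample"; then
    echo "sample config is well-formed; rtools answer: $(config_value "$sample" SecureInetd.deactivate_rtools)"
fi
rm -f "$sample"
```

To use it for real, run deploy_config with the config file produced by an interactive session and the target host names; the validation step deliberately runs before any copy, so a truncated or hand-edited file never reaches bastille -b. The to-do list Bastille leaves behind on each host still has to be worked through by hand.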
Bastille draws from many major reputable sources on Unix Security. The initial development integrated
Jay Beale’s existing O/S hardening experience for Solaris and Linux with most major points from the SANS’
Securing Linux Step by Step and Kurt Seifried’s Linux Administrator’s Security Guide. Later versions
incorporated suggestions from the HP-UX Bastion Host White-paper, Center for Internet Security, and
other sources.
To ensure that Bastille is used as safely as possible, please:
1) Let the developers know about any impacts you discover which aren’t mentioned in the question text
for possible inclusion in future revisions of the questions text.
2) Test Bastille configurations in a non-production environment first, with the application stack fully
functionally tested after lockdown before deployment in a production environment. The characterization
of consequences is known to be incomplete, especially for general purpose systems.
Options
bastille recognizes the following options:
-b Run in batch mode. This option takes the answers that were created interactively and applies them to
the machine.
-c Linux Only. Bring up the text interface of the interactive portion of Bastille. It is implemented with
the Perl/Curses module, which must be installed separately if it did not come with your version of
HP-UX 11i Version 3: February 2007 − 1 − Hewlett-Packard Company 73