Contact Us Contact Us

HP-UX Bastille

  Software Depot
Electronic download
Frequently asked questions
Product details & specifications
Installation
  1. Download Bastille. The tool is free but you must register to download the depot.
  2. The HP-packaged Perl must be installed before Bastille can be run. Use the command swlist -l product perl to verify the correct version of Perl is installed. For Bastille version 3.0 or later, Perl version D.5.8.0.D or later is required. If you need to install Perl, it is available from Software Depot here.
  3. Login as root.
  4. Start an interactive installation session:
    swinstall -s <path_to_depot>
    -or-
    Install from the command line:
    swinstall -s <path_to_depot> HPUXBastille (Bastille v3.1.01)

    Note: replace <path_to_depot> with the path name of the location of the downloaded file.

Installing Bastille does not cause the tool to make changes to the system. See "using the tool" for information on how to run Bastille.

configuration

  • No manual configuration is needed.

using the tool

  • using the tool to lock-down a system
    • Step 1: Change to root user since Bastille needs to change system configuration and settings. If not running Bastille locally, you may elect to tunnel the traffic over SSH or IPSec to limit network exposure, or use a more complete desktop-sharing solution that addresses attacks from local users as well as remote.
    • Step 2: First time users must run Bastille interactively to create a configuration profile. The tool updates the PATH environment variable when installed, so if you have logged out then back in after installing, type bastille to start the tool. If your PATH has not been updated, type /opt/sec_mgmt/bastille/bin/bastille to start the tool.
    • Step 3: Answer the questions. The questions are categorized by function, and you will only be asked the ones that apply to your operating system that relate to tools that are installed, and are not yet configured securely.
    • Step 4: After answering all the questions, you may go to the "End-Screen" module and select Save/Apply to apply the configuration, or save your work with the File:Save dialog. To apply the changes to the system, Bastille applies the changes it can do automatically then it creates a "to do" list of actions the user must manually apply to the system.
    • Step 5: Review the log files.
      • Read /var/opt/sec_mgmt/bastille/log/error-log to see whether any errors were encountered during execution
      • (optional) Read /var/opt/sec_mgmt/bastille/log/action-log for the specific actions Bastille performed when making changes to the system
    • Step 6: Perform the items listed in the "to do" list located in /var/opt/sec_mgmt/bastille/TODO.txt. These actions must be performed to complete Bastille's lock down process.
    • Step 7: (Optional step) Use the "revert" option (bastille -r) to return the security configuration to the state before Bastille was run. The revert process will create /var/opt/sec_mgmt/bastille/TOREVERT.txt if there are any manual actions that must be performed by the user to return the system to the pre-Bastille state. It is important to perform the actions listed in the file to complete the revert process.

  • using the tool to determine security-configuration state of a system
    • Run "bastille --assess" to report on the status of the system, or run "bastille_drift" to determine the system configuration drift since the last saved baseline was created.
Installation Overview
Select