bastille(1M)							  bastille(1M)

NAME
       bastille - system lockdown tool

       Path: /usr/sbin (Linux)

       Path: /opt/sec_mgmt/bastille/bin (HP-UX)

SYNOPSIS
       bastille [ -b | -c | -x ] [ -f alternate_config_file ] [ --os [ version ] ]

       bastille [ -l | -r | --assess | --assessnobrowser ]

DESCRIPTION
       Bastille is a system-hardening/lockdown program that enhances the
       security of a Unix host.  It configures daemons, system settings and
       firewalls to be more secure.  It can shut off unneeded services and
       r-tools like rcp and rlogin, and helps create "chroot jails" that help
       limit the vulnerability of common Internet services, like Web servers
       and DNS.  This tool currently hardens Red Hat 6.0-8.0, Mandrake
       6.0-8.1, HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3.  It is
       currently being tested on Debian, SuSE, and Turbo Linux.

       The utility includes a policy/configuration-selection interface, a
       configuration engine and a reporting module.  The primary
       profile-building interface is an X interface via Perl/Tk.  There is
       also a text-based Perl/Curses interface for Linux.  The tool can be
       used interactively and non-interactively (when the policy-application
       engine is used directly).  Used interactively, to build
       system-security configurations, Bastille has been designed to explain
       security issues to system administrators, then let them decide how to
       let the tool handle them.  This both secures the system and educates
       the administrator.  When the configuration engine is used directly,
       the utility is useful for duplicating a security configuration on
       multiple machines.

       When used interactively (bastille, bastille -x, or bastille -c), the
       user interface guides you through a series of questions.  Each step
       contains a description of a security decision involved in hardening a
       Unix system.  Each question describes the cost/benefit of each
       decision.  The Tk interface gives you the option to skip to another
       question module and return to the current module later.  The X
       interface provides "Completed Indicators" to show you which question
       modules are complete.  After you have answered all of the questions,
       the interface then provides automated support in performing lockdown
       steps.  After performing the steps Bastille can perform automatically,
       the utility produces a "to-do" list that describes remaining actions
       you must perform manually to ensure the system is secure.

       Security hardening can also be performed directly through the
       configuration engine (bastille -b) using the default or an alternate
       configuration (bastille -b -f file) (see the config file in the FILES
       section below for the default location).  This method is useful for
       duplicating a particular security configuration on multiple machines.
       Before using the configuration engine directly, a configuration file
       must be created by using Bastille interactively.  After the
       configuration file is created, copy it to the other systems, install
       Bastille Unix on those systems, then run the configuration engine on
       those systems.

       Bastille draws from many major reputable sources on Unix Security.  The
       initial development integrated Jay Beale's existing O/S hardening
       experience for Solaris and Linux with most major points from the SANS'
       Securing Linux Step by Step and Kurt Seifried's Linux Administrator's
       Security Guide.  Later versions incorporated suggestions from the HP-UX
       Bastion Host White-paper, Center for Internet Security, and other

       To ensure that Bastille is used as safely as possible, please:

         1) Let the developers know about any impacts you discover which
            aren't mentioned in the question text for possible inclusion in
            future revisions of the question text.

         2) Test Bastille configurations in a non-production environment
            first, with the application stack fully functionally tested after
            lockdown before deployment in a production environment.  The
            characterization of consequences is known to be incomplete,
            especially for general purpose systems.

OPTIONS
       bastille recognizes the following options:

       -b     Run in batch mode.  This option takes the answers that were cre‐
	      ated interactively and applies them to the machine.

       -c     Linux Only.  Bring up the text interface of the interactive
              portion of Bastille.  It is implemented with the Perl/Curses
              module, which must be installed separately if it did not come
              with your version of Perl.

       -f alternate_config_file
	      Use an alternate config file versus the default location.

       -l     List applied configuration files.  List the configuration files
              in the configuration file directory that matches the one last

       -r     Revert Bastille-modified system files to the state they were in
              before Bastille was run.  Note that, if any changes to the
              system configuration were made in the interim, those changes
              should be reviewed again to make sure they (1) still work, and
              (2) have not broken the system or compromised its security.

       -x     The default option.  Run the Bastille X interface.  It is
              implemented with the Perl/Tk module, which must be installed
              separately if it did not come with your version of Perl.

       --assess
              Run Bastille in assessment-only mode so that it investigates the
              state of hardening, reports on such and generates a score.  No
              changes are made to the system.  It generates HTML and text
              reports and a Bastille configuration file.

              For each question, Bastille generates one of the following

              Yes    The associated Bastille lockdown has been applied to the
                     product or service shipped with HP-UX.  Bastille may not
                     always correctly detect the status of products or
                     services that are not shipped with the HP-UX OE.  Also,
                     Bastille may not detect all variations of the possible
                     ways to disable or enable a service or feature.  It will
                     detect if Bastille did so, and will likely detect
                     configuration made in accepted, standard ways.

	      No     The question configuration has not been applied.

              User Action Pending
                     Bastille has performed a partial configuration, leaving
                     the user with some actions needed to complete the
                     configuration.  These actions are listed in the TODO file
                     listed below.

                     Bastille cannot tell the status.  Usually, this is due to
                     the system being in an inconsistent state.  For example,
                     Bastille would return this status for a service running
                     in the process list, but configured on disk to be off.
                     Note, there are some cases where inconsistent states that
                     Bastille cannot detect could be created on the system,
                     so if the administrator has made changes to the system,
                     and needs to rely on Bastille results, the system should
                     be rebooted first to ensure the configuration is
                     consistent.  This caveat does not apply to Bastille initiated

              N/A: S/W Not Installed
                     This indicates that the relevant software is not
                     installed, so there is no need to lock down the given
                     item, but care should be taken when the software is
                     installed to lock it down at that point.

              Needed S/W Missing
                     This indicates that the item is not locked down since it
                     needs software that is currently not available on the

	      Set to value
		     This indicates a non-boolean setting.

              Not Defined
                     This indicates a non-boolean setting that has not been
                     set yet.  Thus the system default settings apply.  In the
                     case of later HP-UX versions, default account security
                     settings are often found in the /etc/security.dsc file.

              See the FILES section for location.  The HTML version of the
              report is shown in a browser if either a graphical or text
              browser can be found.

       --assessnobrowser
              Same as --assess, except that the report is not displayed in a

       --os [ version ]
              Explicitly set the operating system version while generating a
              configuration file.  By setting the operating system version,
              all questions valid for that operating system will be asked and
              configuration files can be generated for any version Bastille
              recognizes.  For a complete list of operating system versions
              type bastille -x --os.

DIAGNOSTICS
       $DISPLAY not set, cannot use X interface...
              You explicitly asked for the X interface using the -x option,
              but the DISPLAY environment variable was not set.  Set the
              environment variable to the desired display to correct the
              problem.

       System is in original state...
              You attempted to revert the files that Bastille changes with the
              -r option, but there were no changes to revert.

       Must run Bastille as root
              Bastille must run as the root user, since the changes it makes
              configure the machine.

       Error messages that cite problems with opening, copying, or reading
       files usually relate to NFS file systems that do not trust the root
       user on the local machine.  Please see the options parameter in the
       fstab(4) manpage for details.  Errors that complain about individual
       configuration files indicate that a system has been too heavily
       modified for Bastille to make effective changes, or that the files,
       locations, or permissions of the Bastille installation directories
       have been changed.

       If Bastille is unable to complete a lockdown, you should receive errors
       or warnings.  Analyze the errors or warnings to determine if your
       lockdown was successfully applied.  You may use the --assess option to
       aid in this diagnostic.  Once the system state that caused the abort
       is fixed, run bastille again to complete the lockdown.  This helps
       avoid cases where an incomplete lockdown can contribute to an
       inconsistent system configuration.
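       The batch-mode procedure described above (build the configuration
       interactively once, copy it to each target host, run the engine
       there) and the advice to analyze errors after an aborted lockdown,
       as an added shell script that is not part of this manual page or of
       Bastille itself.  It assumes the Linux default paths from the FILES
       section; BASTILLE_LOG and BASTILLE_CMD are hypothetical overrides
       introduced here, not Bastille settings.

```shell
#!/bin/sh
# Added example, not from the Bastille man page: apply a saved Bastille
# configuration on a host in batch mode (bastille -b -f file), then judge
# the run from the log files named in the FILES section.  Defaults are
# the Linux paths from that section; BASTILLE_LOG and BASTILLE_CMD are
# hypothetical overrides so the checks can be exercised without Bastille.
BASTILLE_LOG=${BASTILLE_LOG:-/var/log/Bastille}
BASTILLE_CMD=${BASTILLE_CMD:-/usr/sbin/bastille}

# Pre-flight checks drawn from the DIAGNOSTICS section: Bastille must run
# as root, and the config file copied from the reference host must exist.
preflight() {
    [ "$(id -u)" -eq 0 ] || { echo "Must run Bastille as root" >&2; return 1; }
    [ -r "$1" ] || { echo "config file '$1' is not readable" >&2; return 1; }
    return 0
}

# Decide whether a batch run completed.  Any line in error-log means the
# lockdown aborted or was only partially applied, so the caller should fix
# the reported condition and re-run bastille -b.  A non-empty TODO file is
# not a failure, but lists steps that still need a human.
# Returns 0 on a clean run, 1 when error-log has content.
verify_lockdown() {
    logdir=$1
    errlog="$logdir/error-log"
    if [ -s "$errlog" ]; then
        echo "lockdown incomplete: $(wc -l < "$errlog") line(s) in $errlog" >&2
        return 1
    fi
    if [ -s "$logdir/TODO" ]; then
        echo "manual actions remain; review $logdir/TODO"
    fi
    return 0
}

# Apply the configuration and check the outcome.
apply_config() {
    preflight "$1" || return 1
    "$BASTILLE_CMD" -b -f "$1" || return 1
    verify_lockdown "$BASTILLE_LOG"
}

# Usage: sh harden-batch.sh /etc/Bastille/config
if [ $# -eq 1 ]; then
    apply_config "$1"
fi
```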

EXAMPLES
   Example 1
       Run the Bastille X interface.  This will create a configuration file
       which can be run either immediately by Bastille after you have answered
       all of the questions, or saved for later use in a config file.  See the
       FILES section below.

              bastille -x

   Example 2
       Run  Bastille in batch mode.  This will take the answers that were cre‐
       ated interactively and apply them to the machine.

	      bastille -b

   Example 3
       Perform an audit of the system to determine the state of the security
       settings on it, and place it in the audit log locations (specified

	      bastille --assessnobrowser

DEPENDENCIES
         ·  Perl version 5.8.0 or greater, but recommend 5.8.8 or greater for
            best performance

         ·  Perl/Tk version 8.00.23 or greater

         ·  Perl/Curses version 1.06 or greater (on Linux only)

FILES
       /etc/Bastille/config  (Linux)

       /etc/opt/sec_mgmt/bastille/config  (HP-UX)

                 The config file contains the answers to the most recently
                 saved session.

       /var/log/Bastille/error-log  (Linux)

       /var/opt/sec_mgmt/bastille/log/error-log  (HP-UX)

                 The error log contains any errors that Bastille encountered
                 while making changes to the system.

       /var/log/Bastille/action-log  (Linux)

       /var/opt/sec_mgmt/bastille/log/action-log  (HP-UX)

		 The action log contains the specific steps that Bastille took
		 when making changes to the system.

       /var/log/Bastille/TODO  (Linux)

       /var/opt/sec_mgmt/bastille/TODO.txt  (HP-UX)

		 The to-do list contains the actions that remain for you to do
		 to ensure the machine is secure.

       /var/log/Bastille/Assessment/assessment-report.html  (Linux)

       /var/log/Bastille/Assessment/assessment-report.txt  (Linux)

       /var/log/Bastille/Assessment/assessment-report-log.txt  (Linux)

       ment-report.html	 (HP-UX)

       ment-report.txt	(HP-UX)

       ment-report-log.txt  (HP-UX)

		 These are the assessment report locations.  They are  format‐
		 ted HTML, text, and a Bastille "config-file" respectively.

       /var/log/Bastille/Assessment/Assessment/Drift.txt  (Linux)

       /var/opt/sec_mgmt/bastille/log/Assessment/Drift.txt  (HP-UX)

                 This contains information about any configuration drift the
                 system had experienced since the last Bastille run.  This
                 file will only be created when there has been an earlier
                 Bastille configuration applied to the system.

SEE ALSO
       perl(1), bastille_drift(1M), fstab(4)

       Here are some other references used during Bastille's development.
       Note that the websites and content are maintained by their domain
       owners.  The domain owners are solely responsible for their own site
       and
       The Linux Security HOWTO
	      Available	 at
	      One of the best references regarding general Linux Security.

       Security Quick-Start HOWTO for Linux
	      Available	    at‐
	      rity-Quickstart-HOWTO/.  This is also a very good starting point
	      for novice users (both to Linux and security).

       The Linux Security Administrator's Guide
	      Available at

       Securing and Optimizing Linux: RedHat Edition
	      Available	 at‐

       Securing Debian Manual
	      Available	      at‐
	      ing-debian-howto.	 It is provided for offline reading in several
	      formats  (Text, HTML and PDF) by installing the harden-doc pack‐
	      age in Debian systems.

			 $Date: 2007/10/19 17:03:41 $		  bastille(1M)

