HP UX Bastille, UX Bastille B.3.3 User Manual

HP-UX Bastille Version B.3.3 User Guide

HP Part Number: 5900-0871
Published: June 2010
Edition: 1

© Copyright 2010 Hewlett-Packard Development Company, L.P.

Confidential computersoftware. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial

Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under

vendor's standardcommercial license.The informationcontained hereinis subject to change without notice. The only warranties forHP products

and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as

constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. UNIX is a registered

trademark of The Open Group.

Trademark Acknowledgments

UNIX® is a registered trademark of The Open Group.

Intel® Itanium® is a trademark of Intel Corporation in the U.S. and other countries.

Table of Contents

1 About this product..........................................................................................................7

1.1 Features and benefits.........................................................................................................................7

1.2 Compatibility....................................................................................................................................8

1.3 Performance.......................................................................................................................................8

1.4 Support..............................................................................................................................................8

2 Installing HP-UX Bastille.................................................................................................9

2.1 Installation requirements..................................................................................................................9

2.2 Installation.........................................................................................................................................9

3 Using HP-UX Bastille....................................................................................................11

3.1 Creating a security configuration profile........................................................................................11

3.2 Configuring a system......................................................................................................................13

3.3 Assessing a system..........................................................................................................................13

3.3.1 Using scored reports ...............................................................................................................14

3.4 Reverting.........................................................................................................................................16

3.5 Monitoring drift...............................................................................................................................17

3.6 Locating files ...................................................................................................................................17

4 Removing HP-UX Bastille..............................................................................................19

5 Troubleshooting............................................................................................................21

5.1 Diagnostic tips.................................................................................................................................21

5.2 General use tips...............................................................................................................................21

5.3 Known issues and workarounds.....................................................................................................21

5.3.1 Changes made by HP-UX Bastille might cause other software to stop working...................21

5.3.2 Cannot use X because $DISPLAY is not set............................................................................22

5.3.3 System is in original state........................................................................................................22

5.3.4 HP-UX Bastille must be run as root........................................................................................22

5.3.5 Problems opening, copying, or reading files..........................................................................22

5.3.6 Errors related to individual configuration files......................................................................22

5.3.7 HP Secure Shell locks you out of your system immediately when passwords expire...........22

5.3.8 HP-UX Bastille configures a firewall using IPFilter................................................................22

5.3.9 Security Patch Check...............................................................................................................22

5.3.10 Rerun HP-UX Bastille after installing new software or applying new patches....................22

6 Support and other resources.......................................................................................23

6.1 Contacting HP.................................................................................................................................23

6.1.1 Before you contact HP.............................................................................................................23

6.1.2 HP contact information...........................................................................................................23

6.1.3 Subscription service.................................................................................................................23

6.1.4 Documentation feedback.........................................................................................................23

6.2 Related information.........................................................................................................................23

6.3 Typographic conventions................................................................................................................24

Table of Contents 3

A Install-Time Security (ITS) using HP-UX Bastille..........................................................27

A.1 Choosing security levels.................................................................................................................27

A.2 Choosing security dependencies....................................................................................................30

A.3 Selecting security levels during installation...................................................................................30

B Configuring HP-UX Bastille for use with Serviceguard.............................................31

B.1 Configuring Sec20MngDMZ or Sec30DMZ security levels............................................................31

B.2 Configuring Sec10Host level...........................................................................................................31

C Question modules........................................................................................................33

D Sample weight files......................................................................................................63

D.1 all.weight........................................................................................................................................63

D.2 CIS.weight......................................................................................................................................64

E CIS mapping to HP-UX Bastille...................................................................................67

Index.................................................................................................................................71

4 Table of Contents

List of Figures

3-1 HP-UX Bastille user interface........................................................................................................12

3-2 Standard assessment report..........................................................................................................14

3-3 Scored assessment report..............................................................................................................15

3-4 Assessment report score................................................................................................................16

A-1 Security software dependencies....................................................................................................30

5

List of Tables

3-1 Question modules.........................................................................................................................12

A-1 Security levels................................................................................................................................27

A-2 Host-based Sec10Host, Sec20MngDMZ, and Sec30DMZ security settings..................................28

A-3 Additional Sec20MngDMZ security settings................................................................................29

A-4 Additional Sec30DMZ security settings........................................................................................29

6 List of Tables

1 About this product

HP-UX Bastille is a system hardening and reporting program that enhances the security of the
HP-UX operating system by consolidating essential hardening and lock-down checklists from
industry and government security organizations, and making them accessible to administrators
in an easy to use package. The HP-UX Bastille GUI interface guides users through creating a
custom security configuration profile. The policy configuration engine hardens HP-UX to
specification by locking down each selected security item. Security items include:

• Configuring daemons, services, firewalls, and client software to use more secure settings

• Disabling unused or unneeded inetd services

• Creating chroot jails for commonly used server programs

• Assessing the current HP-UX system against all relevant lock-down items with the reporting

feature

• Applying saved configuration profiles to multiple similar machines with a command-line

batch mode

These HP-UX Bastille features ease compliance with regulatory requirements and
industry-consensus security benchmarks like the Center for Internet Security (CIS) benchmark.
HP-UX Bastille also facilitates internal and external security audits.

NOTE: HP-UX Bastille is built from the open-source, cross-platform software program Bastille.

HP made significant contributions to the open-source Bastille software over many years. The
original Linux version is now named Bastille-Linux to avoid confusion with other cross-platform
implementations, and is not covered by this document.

1.1 Features and benefits

HP-UX Bastille provides the following features and benefits:

• Locks down the system

— Increases security by configuring daemons and system settings
— Turns off unnecessary services such as pwgrd
— Assists with creation of chroot jails to partially limit the vulnerability of common

internet services such as web servers and DNS
— Configures automatic runs of Software Assistant (SWA) or Security Patch Check
— Configures an IPFilter-based firewall

• Provides an interactive, wizard-style GUI interface

— Guides users to optimize the trade off between security, usability, and functionality
— Explanatory text helps less experienced administrators make appropriate security

decisions

• Reports security configuration state

— Generates reports in HTML, text, and config file format
— Establishes a baseline for comparison to later configuration differences with the

bastille_drift command

• Returns the security configuration to the state before HP-UX Bastille was run with the revert

-r feature.
— Provides a safety net in case of unexpected incompatible changes when hardening

running systems

• Integrates with HP Systems Insight Manager (SIM)

— Locks down and reporting available from SIM menus
— SIM.config pretested configuration for SIM server lock down

1.1 Features and benefits 7

• Install-time Security (ITS) for Ignite-UX and Update-UX

— Applies predefined HP-UX Bastille security configuration profile during first system

boot

— Enables out-of-the-box security by avoiding any vulnerability window after initial install

1.2 Compatibility

There are no differences between the Intel Itanium-based and PA-RISC implementation. Some
products depend on services, system settings, or network ports that HP-UX Bastille secures. In
cases where products depend on out-of-the-box settings that HP-UX Bastille might change,
dependencies are documented.

HP-UX Bastille is available for the following operating systems:

• HP-UX 11i v1 (11.11)

• HP-UX 11i v2 (11.23)

• HP-UX 11i v3 (11.31)

NOTE: HP-UX Bastille for 11i v1 is still supported, but no longer being developed.

For more information about HP-UX Bastille compatibility with Serviceguard, see Appendix B

(page 31) and the Serviceguard documentation available at http://docs.hp.com/en/netsys.html.

1.3 Performance

Although HP-UX Bastille does not directly affect performance, IPFilter settings such as host-based
firewall can cause a slight decrease in network performance. Install Time Security (ITS) does not
affect performance, but if the DMZ or MngDMZ security levels are used, network performance
might slow IPFilter packet filtering.

1.4 Support

For customers with an HP-UX support agreement, technical support is available through the HP
World Wide Response Centers at www.hp.com/support. Support is also offered through the IT
Resource Center at www.itrc.hp.com.

For the HP-UX discussion forum, from the ITRC home page click Forums→HP-UX→Security.
Or, the direct link is ITRC Forums Security.

If you find a security vulnerability associated with HP-UX Bastille, report it at:

http://welcome.hp.com/country/us/en/sftware_security.html.

HP-UX Bastille makes changes that can potentially affect the functionality of other software. If
you experience problems after applying HP-UX Bastille changes to your system, be sure your
support contact knows that you run HP-UX Bastille on your system.

8 About this product

2 Installing HP-UX Bastille

2.1 Installation requirements

The following prerequisites are required to install HP-UX Bastille:

• Root access

• Perl dependencies:

— HP-compiled version of Perl D.5.8.0.D or later
— Perl/Tk version 8.00.23 or later

Perl is available for download at:

https://www.hp.com/go/perl

• For operating system compatibility, see “Compatibility” (page 8).

• 1 MB disk space

2.2 Installation

HP-UX Bastille is included as recommended software on the Operating Environment media and
can be installed and run with Ignite-UX or Update-UX. HP-UX Bastille is installed by default,
and a manual installation is only necessary to obtain the latest version from the web.

To download the latest version of HP-UX Bastille, see the following website:

http://www.hp.com/go/bastille

Installation command:

# swinstall -s <path to depot> HPUXBastille

2.1 Installation requirements 9

10

3 Using HP-UX Bastille

HP-UX Bastille provides three main services:

• Creating a security configuration profile for a system

An X Window GUI user interface presents a series of questions that explain a security issue
and describe the resulting action needed to lock down the HP-UX system. Each question
also describes the high-level cost and benefit of each decision. The user decides how HP-UX
Bastille handles the issues during lock down. After answering all questions, HP-UX Bastille
presents the option to save the security configuration profile information in a default
configuration file, and use the configuration file to lock down the system. Alternatively, the
user can choose to save the security configuration profile in a custom-named configuration
file without continuing to lock down the system.

• Configuring a system (hardening/lock down)

Reading from a configuration file, the HP-UX Bastille configuration-policy engine
automatically completes each lock-down step and produces a list of the remaining actions
that the user must manually perform to complete the lock-down process. Log files are
produced to record all actions taken and any errors encountered during the configuration
process. The configuration service is invoked either during the interactive session to create
a configuration file (see above), or from the command line using the batch-mode option.

The command-line mode is useful for replicating a security configuration to multiple
machines, or when using one of the predefined configuration files supplied with HP-UX
Bastille. In these cases, an alternative configuration file is specified by using the -f option.

• Assessing a system

HP-UX Bastille assesses the existing security configuration state of an HP-UX system by
testing the system against each security issue. A reporting module creates files that contain
an itemized summary of the current security status of the system configuration. Files are
produced in HTML, text, and configuration formats. The percentage of weight items secured
properly is generated. This service can be used to audit a large number machines that have
the same operating system and applications installed. Scored assessment reports can be used
to select only a subset of the security issues.

The most common use of HP-UX Bastille is on a single machine, using the GUI interface to
create and apply a customized security configuration profile in the same session. Only the
default configuration file is used. If modifications are required later, the HP-UX Bastille GUI
interface is invoked again to make changes and apply them in the same session.

If multiple machines or configuration files must be managed, the creation and application
of security configuration profiles are usually independent operations and scripted. In that
case, non-interactive command-line options may be more useful when configuring a system.
For example, with a set of similar HP-UX servers, a single initial "golden" configuration file
can be created on one machine with the GUI interface, then copied and applied to all the
other machines with the batch-mode option. Similarly, if multiple configuration files are
needed, then scripts using the -f option are frequently used.

3.1 Creating a security configuration profile

1. Change to root user.

2. If using a remote X server, ensure that it is running, and that the local $DISPLAY variable
is set correctly. Test using xterm or xclock.

3. Start HP-UX Bastille. If HP-UX Bastille is installed, the PATH environment variable has been
updated. In this case, use:

# bastille

3.1 Creating a security configuration profile 11

If the PATH environment variable has not been updated, use:

# /opt/sec_mgmt/bastille/bin/bastille

Figure 3-1 shows the main screen of the HP-UX Bastille user interface.

Figure 3-1 HP-UX Bastille user interface

4. Answer the questions that appear on screen. The questions are categorized by function.
Check marks are used as completion indicators to track your progress through the program.
Only questions that apply to your operating system and relate to installed tools appear.

Each question explains a security issue and describes the resulting action needed to lock
down the HP-UX system. Each question also describes the high-level cost and benefit of
each decision.

Use the Explain More/Explain Less button for more or less verbose explanations. Not all
questions have both long and short answers. For a complete list of questions with detailed
information about each item, see Appendix C (page 33).

Table 3-1 Question modules

DescriptionQuestion module

Installs and configures applications for security bulletin compliance checkingPatches

Performs SUID and other permission tuningFilePermissions

Configures login settings and access to cron

AcountSecurity

Disables unrequired inetd services

Secureinetd

Turns off services that are often unrequired or a security riskMiscellaneousDaemons

Disables or configures mail securitySendmail

Disables or configures DNS securityDNS

Configures Apache web server securityApache

Configures FTP securityFTP

12 Using HP-UX Bastille

Table 3-1 Question modules (continued)

DescriptionQuestion module

Configures security services that are unique to the HP-UX platformHP-UX

Creates an IPFilter-based firewallIPFilter

5. After you answer all the questions, the Save/Apply button appears. If you want to proceed
to configuring the system, click the Save/Apply button to save and apply your configuration.
HP-UX Bastille applies the changes as described in “Configuring a system” (page 13).

NOTE: You can use the menu bar to save or load a configuration file at any time during

the process. However, your configuration file contains additional questions that might be
irrelevant to the target system unless the file is saved with the Save/Apply button. This
button is at the end of the question list and only available after all the questions are complete.

The Save/Apply mechanism always saves a copy in the default location /etc/opt/
sec_mgmt/bastille/config. To save your configuration file in the location of your
choice, use the menu bar File item.

3.2 Configuring a system

1. Depending on the mode you are using:

• If you are running HP-UX Bastille in batch mode to make configuration changes:

— If you are using the default configuration file path /etc/opt/sec_mgmt/

bastille/config:

# bastille -b

— Otherwise, specify the path to the configuration file explicity with the -f option:

# bastille -b -f file

• If you are continuing from an HP-UX Bastille GUI session that is creating or modifying

the configuration file (see “Creating a security configuration profile” (page 11)), status
messages from the configuration process appear in the GUI box.

2. Review log files. To view the logs in real time:

# tail -f <log file>

The action log contains the steps performed when the system was changed. It is only created
if the changes are applied to the system. Action log files appear in /var/opt/sec_mgmt/
bastille/log/action-log.

The error log contains any errors encountered when the system was changed. It is only
created if errors occur during execution. Error log files appear in /var/opt/sec_mgmt/
bastille/log/error-log.

3. Complete the items in the TODO.txt file. This list is located in /var/opt/sec_mgmt/
bastille/TODO.txt.

NOTE: Changes must be applied to the system to create the TODO.txt file.

The configuration is secure after the items in the TODO.txt file are completed.

3.3 Assessing a system

HP-UX Bastille can assess the status of a system with the --assess or --assessnobrowser
options. The --assess option displays the report in a local browser.

The --assessnobrowser option saves the report in the following file locations:

3.2 Configuring a system 13

/var/opt/sec_mgmt/bastille/log/Assessment/assessment-report.html

/var/opt/sec_mgmt/bastille/log/Assessment/assessment-report.txt

/var/opt/sec_mgmt/bastille/log/Assessment/assessment-report-log.txt

Figure 3-2 Standard assessment report

For each question, the standard report lists one of the following results:
Yes The associated HP-UX Bastille lock down is applied to the

product or service shipped with HP-UX. The status of
products or services that are not shipped with the HP-UX OE
is not always detected. HP-UX Bastille might not detect all
variations of ways to disable or enable a service or feature.
Accepted standard configurations are detected.

No The configuration for the corresponding question is not

applied.

<Set to value> Displays the non-Boolean setting corresponding to the

question.

Not Defined A non-Boolean setting is defined, but is not set. The system

default settings apply.

N/A: S/W Not Installed The relevant software is not installed, so lock down for this

item is not necessary.

3.3.1 Using scored reports

HP-UX Bastille assessment reports can be scored to show the percentage of selected lock-down
items that are properly secured on the system. This provides a single indicator to judge the initial
security configuration state of a system, or to gauge the hardening progress when incrementally
aligning a system to a security configuration goal.

For example, a weights file can be prepared to select only HP-UX Bastille lock-down items that
match equivalent items in an industry-consensus security benchmark. By reviewing scored
reports using this file on all similar HP-UX servers in the datacenter, a systems manager can
evaluate the resources required to bring these servers into compliance with the benchmark.

14 Using HP-UX Bastille

Enable scored reports by creating the /etc/opt/sec_mgmt/bastille/HPWeights.txt file,
and populating it with an entry for each HP-UX Bastille lock-down item to be considered in the
final score. The HPWeights.txt file format is similar to an HP-UX Bastille configuration file,
except only entries for items to be scored are present, and the item value is always set to "1".

HP-UX Bastille detects the HPWeights.txt file when generating an assessment, and adds
Weight and Score columns to the report. The final score is a percentage calculated from the
number of the weighted items that have a result equal to "Yes".

Figure 3-3 Scored assessment report

The assessment report contains the following columns in addition to the columns contained in
the standard report:

Weight The weight column indicates the item was selected in the weights file.

Score The score column displays a 1.00 if the item was both weighted and secured properly.

3.3 Assessing a system 15

Figure 3-4 Assessment report score

The percentage of weight items secured properly is displayed at the end of the .txt report and
in the header row of the .html report. For example, see Figure 3-4

Sample weight files that match the default configuration files are provided in /etc/opt/

sec_mgmt/bastille/configs/defaults. This directory also includes the template file
all.weight which contains all possible HP-UX question items as selected. For sample files,

see Appendix D (page 63).

3.4 Reverting

If you want to revert the system files to the state they were in before HP-UX Bastille was run,
use the revert option:

# bastille -r

IMPORTANT: Before using the revert feature, read the revert-actions script to ensure

changes do not disrupt your system. This file appears in /var/opt/sec_mgmt/bastille/
revert/revert-actions.

If changes were made to the system after HP-UX Bastille was run, either manually or by other
programs, review those changes to verify they still work and have not broken the system or
compromised its security. Certain firewall options and reverting the system can make a system
less secure.

After running the revert option, look at the TOREVERT.txt file to ensure that the tasks needed
to finalize the revert process are complete. The file is located in /var/opt/sec_mgmt/
bastille/TOREVERT.txt.

16 Using HP-UX Bastille

IMPORTANT: When reverting to the configuration prior to the use of HP-UX Bastille, security

configuration changesare undone temporarily. Other manual configuration changes or additional
software installed after HP-UX Bastille was initially run might require a manual merge of
configuration settings.

3.5 Monitoring drift

The bastille_drift program creates HP-UX Bastille configuration baselines and compares
the current state of the system to a saved baseline. This enables the user to compare changes, if
any, against a saved baseline.

NOTE: When first run successfully, HP-UX Bastille automatically saves a baseline in the default

location /var/opt/sec_mgmt/bastille/baselines.

You can use HP-UX Bastille to monitor drift as follows:

• To save a baseline:

# bastille_drift --save_baseline baseline

• To compare the current state of the system to a saved baseline:

# bastille_drift --from_baseline baseline

Run the bastille_drift utility when new software or patches are installed to check for
changes in the system. The bastille_drift utility also identifies system changes when
swverify is run using -x fix=true or the -F option for vendor-specific fix scripts.

For more information, see bastille_drift(1M).

3.6 Locating files

This section describes the location of important files.

The configuration file contains the answers to the most recently saved session.

/etc/opt/sec_mgmt/bastille/config

The error log contains any errors HP-UX Bastille encountered while making changes to the
system.

/var/opt/sec_mgmt/bastille/log/error-log

The action log contains the specific steps that HP-UX Bastille performed when making changes
to the system.

/var/opt/sec_mgmt/bastille/log/action-log

The TODO.txt file list contains the tasks the must be completed to ensure the system is secure.

/var/opt/sec_mgmt/bastille/TODO.txt

The revert-actions script is part of the revert feature. It returns the changed files to the state
they were in before HP-UX Bastille was run.

/var/opt/sec_mgmt/bastille/revert/revert-actions

The TOREVERT.txt file contains the tasks that must be completed to finish reverting the machine
to the state it was in before HP-UX Bastille was run.

/var/opt/sec_mgmt/bastille/TOREVERT.txt

The assessment reports are available as HTML, text, and a configuration file.

/var/opt/sec_mgmt/bastille/log/Assessment/assessment-report.html

/var/opt/sec_mgmt/bastille/log/Assessment/assessment-report.txt

/var/opt/sec_mgmt/bastille/log/Assessment/assessment-report-log.txt

3.5 Monitoring drift 17

The Drift file contains information about any configuration drift experienced since the last
HP-UX Bastille run. This file is only created when an earlier HP-UX Bastille configuration was
applied to the system.

/var/opt/sec_mgmt/bastille/log/Assessment/Drift.txt

18 Using HP-UX Bastille

4 Removing HP-UX Bastille

Use the swremove command to remove HP-UX Bastille from an HP-UX machine. When HP-UX
Bastille is removed, the system does not revert to the state it was in before HP-UX Bastille was
installed. HP-UX Bastille removal leaves behind the revert-actions script. This script enables
the administrator to revert the configuration files that HP-UX Bastille modified without an HP-UX
Bastille installation. In most cases, HP-UX Bastille changes are recorded at the file level, so the
revert-actions script only reverts the modified files. Other changes can be reverted
programmatically, even if you made intervening changes in the same file. For example, the
permissions file can be reverted to its original form even if you modified the file.

To revert changes on a system where HP-UX Bastille is removed:

1. # cd /var/opt/sec_mgmt/bastille/revert/

2. # chmod 0500 revert-actions

3. # ./revert-actions

4. # mv revert-actions revert-actions.last

5. Check for a TOREVERT.txt file.

/var/opt/sec_mgmt/bastille/TOREVERT.txt

If the file exists, complete the actions listed.

19

20

5 Troubleshooting

5.1 Diagnostic tips

When troubleshooting issues with HP-UX, remember these tips:

• To revert changes:

# bastille -r

• To list the current config file:

# bastille -l

• Locate the list of all actions performed by HP-UX Bastille at /var/opt/sec_mgmt/

bastille/log/action-log

• Use the following files to help diagnose problems:

— /var/opt/sec_mgmt/bastille/log/action-log
— /var/opt/sec_mgmt/bastille/log/error-log
— /etc/opt/sec_mgmt/bastille/config

5.2 General use tips

• Changes made by HP-UX Bastille can potentially to cause other software to stop working.

HP recommendsmaking changes in a non-production environment. Fully test all production
applications after HP-UX Bastille is applied before putting the systems into production.

• On HP-UX systems, do not run HP-UX Bastille during a Software Distributor operation

such as swinstall and swremove because file-lock errors might occur.

• On HP-UX machines, do not run HP-UX Bastille during heavy use of the system, or when

running applications that modify the system configuration. During these times, HP-UX
Bastille might not be able to get exclusive access to some of the necessary files. If this happens,
run bastille -b when the machine is quiet to reapply the changes.

• Install the latest patches on your system to ensure that it is as secure. If current patches are

not applied, your system can be compromised even though you use this program. HP-UX
uses the Security Patch Check tool to help with this process. HP-UX Bastille will help with
the installation of the Security Patch Check tool.

NOTE: Because some patches and software can return settings to default values, rerun

HP-UX Bastille to maintain system security.

• Rerun HP-UX Bastille:

— When new software is installed
— When the OS is revised
— When patches are installed
— When system customizations are made that might affect security
— On HP-UX if swverify is used with the -x fix=true option or the -F option to run

vendor-specific fix scripts

5.3 Known issues and workarounds

5.3.1 Changes made by HP-UX Bastille might cause other software to stop working

To revert the system to the state it was in before you ran HP-UX Bastille:

# bastille -r

This command also confirms that the problem is eliminated.

5.1 Diagnostic tips 21

5.3.2 Cannot use X because $DISPLAY is not set

You request the X interface, but the $DISPLAY environment variable is not set. Set the environment
variable to the desired display to correct the problem.

5.3.3 System is in original state

You attempt to revert changes with the -r option, but there are no changes to revert.

5.3.4 HP-UX Bastille must be run as root

HP-UX Bastille must be run as the root user because the changes affect system files.

5.3.5 Problems opening, copying, or reading files

Error messages citing problems performing these operations are usually related to NFS file
systems that do not trust the root user on the local machine. Consult the options section in the
fstab(4) manpage for details.

5.3.6 Errors related to individual configuration files

Errors about individual configuration files indicate:

• That a system is too heavily modified for HP-UX Bastille to make effective changes.

• That the files, locations, or permissions of the HP-UX Bastille installation directories have

been changed.

5.3.7 HP Secure Shell locks you out of your system immediately when passwords
expire

You might need PAM patch: PHCO_24839 (HP-UX 11.11) available atthe HP IT Resource Center:

https://www2.itrc.hp.com/service/patch/mainPage.do

5.3.8 HP-UX Bastille configures a firewall using IPFilter

The most common conflicts are with firewalls. When a network service is not working, and it is
not turned off by HP-UX Bastille, verify the firewall rules pass the ports needed. For more
information, see ipfstat(8) and ipmon(8).

5.3.9 Security Patch Check

Security Patch Check is being deprecated in favor of SWA.

5.3.10 Rerun HP-UX Bastille after installing new software or applying new patches

Installing new software or applying new patches might change the system state. On HP-UX, if
vendor-specific fix scripts are run with swverify using either the -x fix=true option or the

-F option, then rerun HP-UX Bastille.

22 Troubleshooting