--- bastille-3.0.9.orig/bastille-firewall +++ bastille-3.0.9/bastille-firewall @@ -46,25 +46,29 @@ # ipchains compatibility module if you're using a 2.4 kernel REALSCRIPT=/sbin/bastille-ipchains PATH=/sbin:/bin:/usr/sbin:/usr/bin +LOCKDIR=/var/lock/bastille +# If using subsys: +# LOCKDIR=/var/lock/subsys +LOCKFILE=${LOCKDIR}/bastille-firewall # exit function to be called in place of regular Bourne exit clean_exit() { - rmdir /var/lock/bastille-firewall 2>/dev/null + rmdir ${LOCKDIR} 2>/dev/null exit $1 } [ ! -d /var/lock ] && mkdir -m 0755 /var/lock -mkdir -m 0700 /var/lock/bastille-firewall 2>/dev/null +mkdir -m 0700 ${LOCKDIR} 2>/dev/null if [ $? -ne 0 ]; then if [ -n "${BASTILLE_FWALL_QUIET_FAIL}" ]; then exit 0; fi echo "ERROR: bastille-firewall currently being reset or lock is stuck." - echo "To un-stick, remove the directory /var/lock/bastille-firewall" + echo "To un-stick, remove the directory ${LOCKDIR}" exit 1 fi -if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then +if [ -n "$(uname -r | awk -F. ' $1$2 > 22 {print}')" ]; then # We are using Linux 2.3 or newer; use the netfilter script if available if [ -x /sbin/bastille-netfilter ]; then REALSCRIPT=/sbin/bastille-netfilter @@ -82,10 +86,10 @@ # Use "subsys" locks to indicate our status case "$1" in start|restart|reload) - if [ $bretval -eq 0 ]; then touch /var/lock/subsys/bastille-firewall; fi + if [ $bretval -eq 0 ]; then touch ${LOCKFILE}; fi ;; stop) - rm -f /var/lock/subsys/bastille-firewall + rm -f ${LOCKFILE} ;; esac --- bastille-3.0.9.orig/bastille-tmpdir-defense.sh +++ bastille-3.0.9/bastille-tmpdir-defense.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # bastille-tmpdir-defense.sh # --- bastille-3.0.9.orig/README +++ bastille-3.0.9/README 
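Review bot: `LOCKFILE=${LOCKDIR}/bastille-firewall` puts the subsys lock file inside the directory used as the mutex, so after a successful `start` (second hunk, @@ -82,10 +86,10 @@, `touch ${LOCKFILE}`) the `rmdir ${LOCKDIR}` in clean_exit fails silently on a non-empty directory and every later run, including `stop`, takes the "lock is stuck" branch and exits 1 — assuming clean_exit runs after the case statement, which is outside the hunk. The original kept the two apart (/var/lock/bastille-firewall vs /var/lock/subsys/bastille-firewall); keep that separation, e.g. `LOCKFILE=/var/lock/bastille-firewall`, or any path that is not under ${LOCKDIR}. The commented alternative `LOCKDIR=/var/lock/subsys` cannot serve as the mutex either, because that directory normally already exists, so `mkdir -m 0700 ${LOCKDIR}` would always report a stuck lock and clean_exit would then try to `rmdir` a system directory. Separately, `$1$2 > 22` concatenates the two fields into a string and awk then compares as strings, which happens to order every released major.minor correctly but is less exact than the original `$1 == 2 && $2 > 2`; `$1 > 2 || ($1 == 2 && $2 > 2)` keeps the numeric comparison while still admitting 3.x and later.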
@@ -24,7 +24,7 @@ Red Hat, Mandrake and SuSE, this involves installing the RPM. On Debian, you should use apt-get or download the deb package. On Gentoo, please use emerge. Finally, on HP-UX, please use your vendor supplied package. See -www.bastille-linux.org for more information. +www.bastille-unix.org for more information. To run: --- bastille-3.0.9.orig/RevertBastille +++ bastille-3.0.9/RevertBastille @@ -114,6 +114,22 @@ &B_log("ERROR","Failed to run revert script.\n"); } else { + if(&GetDistro =~ "^DB" && -x "/usr/sbin/dpkg-statoverride" ){ + # We have to revert the overrides, if any + open (REV, "<$revert_script") || die "Could not open $revert_script: +!"; + while ( $line = ) { + chomp $line; + if ( $line =~ /\/bin\/(chmod|chown)\s+(\d+)\s+(.*)$/ ) { + my $file = $3; + @override = ("/usr/sbin/dpkg-statoverride", "--remove", "$file"); + if ( system(@override) != 0 ) { + print "ERROR removing override! Tried: ".join(" ", @override)."\n"; + } + } + } + } + # move script to ensure we don't run it again unless(rename("$revert_script", "${revert_script}.last")){ &B_log("WARNING","Failed to move revert script out of the way.\n"); --- bastille-3.0.9.orig/README.1st +++ bastille-3.0.9/README.1st @@ -1,7 +1,7 @@ This is the source tarball-specific README. This tarball should really be used only by developers trying to hack or create a new build rpm/deb/pkg/foo. Please use your distribution-specific method otherwise, as described at -www.bastille-linux.org. +www.bastille-unix.org. The Install.pl script is there to move stuff to the right locations, as the rpm build script already does. @@ -9,6 +9,6 @@ To get involved in Bastille Linux development, e-mail me at - jay@bastille-linux.org + jay@bastille-unix.org - jjb --- bastille-3.0.9.orig/Credits +++ bastille-3.0.9/Credits 
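Review bot: The override-removal loop opens the bareword handle `REV` and never closes it, and `$line` and `@override` are assigned without `my`, which will not compile under `use strict` if this file enables it (the enclosing block and the file preamble are outside the hunk). `&GetDistro =~ "^DB"` calls the sub in the `&name` form, which hands it the caller's current `@_`, and matches against a plain string where `/^DB/` is meant; the `(\d+)` capture also only admits numeric arguments, so a recorded `/bin/chown user:group path` line — if the revert script ever writes one — would be skipped and its override left in place, and since the capture only serves to reach the path, `\S+` is the safer form. The failure is reported with `print` while the neighbouring code uses `&B_log`, so an override that could not be removed never reaches the log. `while ( $line = ) {` and the `+!` in the die message look like the `<REV>` readline and `$!` lost to extraction rather than committed code, so I have not counted them. Rewritten loop:
```perl
if (&GetDistro() =~ /^DB/ && -x "/usr/sbin/dpkg-statoverride") {
    # Undo the dpkg-statoverride entries for every file the revert script touched.
    open(my $rev_fh, '<', $revert_script)
        or die "Could not open $revert_script: $!";
    while (my $line = <$rev_fh>) {
        chomp $line;
        next unless $line =~ m{/bin/(?:chmod|chown)\s+\S+\s+(.+?)\s*$};
        my $file = $1;
        my @override = ("/usr/sbin/dpkg-statoverride", "--remove", $file);
        if (system(@override) != 0) {
            &B_log("ERROR", "Failed to remove override, tried: " . join(" ", @override) . "\n");
        }
    }
    close($rev_fh) or warn "close $revert_script: $!";
}
# … unchanged: rename of the revert script …
```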
@@ -12,7 +12,7 @@ and many other contributors whose names can be found at: - www.bastille-linux.org/credits.html + www.bastille-unix.org/credits.html We are indebted to the following for support and help: --- bastille-3.0.9.orig/bastille-tmpdir.sh +++ bastille-3.0.9/bastille-tmpdir.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # bastille-tmpdir.sh # --- bastille-3.0.9.orig/bastille-firewall-reset +++ bastille-3.0.9/bastille-firewall-reset @@ -22,7 +22,7 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA PATH=/sbin:/bin:/usr/sbin:/usr/bin -INITBASEDIR=/etc/rc.d/init.d +INITBASEDIR=/etc/init.d # find our runlevel number RUNLEVEL=`runlevel | sed 's:[^0-9]::g'` --- bastille-3.0.9.orig/bastille-ipchains +++ bastille-3.0.9/bastille-ipchains @@ -126,9 +126,13 @@ # looks like an IP address, use it as-is ntp_server_addrs="${ntp_server_addrs} ${ip}" else - # use 'host' t resolve address - ip=`host ${n} 2>/dev/null| awk '/ has address / { print $4 }' | head -1` - ntp_server_addrs="${ntp_server_addrs} ${ip}" + # use 'host' (bind9 or host) to resolve address + ip=`host ${n} 2>/dev/null| awk '{ print $NF }' | egrep '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1` + if [ -n "${ip}" ] ; then + echo "Unable to resolve host ${n} please use IP addresses instead of names for NTP_SERVERS" + else + ntp_server_addrs="${ntp_server_addrs} ${ip}" + fi fi done --- bastille-3.0.9.orig/Questions.txt +++ bastille-3.0.9/Questions.txt 
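Review bot: The new test is inverted: `if [ -n "${ip}" ]` prints "Unable to resolve host" exactly when `host` did return an address, and when the lookup failed the empty `${ip}` is appended to ntp_server_addrs, so every named NTP server is either rejected or added as an empty entry; it should read `if [ -z "${ip}" ] ; then`. Since ntp_server_addrs presumably feeds the generated filter rules, an empty entry from a failed lookup deserves a skip rather than an append, which the corrected test gives for free. `${n}` appears to come from the NTP_SERVERS setting and is passed to `host` unquoted; `host "${n}"` keeps a stray value from being split into extra arguments. The enclosing `for` loop starts outside the hunk.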
@@ -175,7 +175,10 @@ executable by users other than root. These utilities (which include linuxconf, fsck, ifconfig, runlevel and portmap) are ones that most users should never have a need to access. This option will increase your system security, but -there's a chance it will inconvenience your users." +there's a chance it will inconvenience your users. + +Note: This might unexpectly break some software, for example the Amanda +backup system is known to break due to this changes." QUESTION: "Would you like to set more restrictive permissions on the administration utilities? [N]" REQUIRE_DISTRO: RH MN DB SE TB @@ -333,7 +336,7 @@ If you answer \"Yes\" and then realize later that you do need SUID permissions on a specific program, you can always turn it back on later with chmod u+s ." QUESTION: -REQUIRE_DISTRO: LINUX DB SE TB OSX +REQUIRE_DISTRO: LINUX SE TB OSX YN_TOGGLE: 0 YES_EXP: NO_EXP: @@ -348,7 +351,7 @@ still allow anyone with the root password to mount and unmount drives." REQUIRE_IS_SUID: mount umount smbmnt QUESTION: "Would you like to disable SUID status for mount/umount?" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB YN_TOGGLE: 1 DEFAULT_ANSWER: Y REG_EXP: "^Y$|^N$" @@ -366,7 +369,7 @@ for networking the host, who normally has root access, we recommend disabling SUID status for it." QUESTION: "Would you like to disable SUID status for ping? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB OSX +REQUIRE_DISTRO: LINUX SE TB OSX REQUIRE_IS_SUID: ping ping6 DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -385,7 +388,7 @@ access granted by the administrator. It's extremely unlikely that there will be any problems with disabling SUID for dump and restore." QUESTION: "Would you like to disable SUID status for dump and restore? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB OSX +REQUIRE_DISTRO: LINUX SE TB OSX REQUIRE_IS_SUID: dump restore DEFAULT_ANSWER: Y YN_TOGGLE: 1 
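Review bot: The added note has two wording slips in lines shown to every user of this question: `unexpectly` should be `unexpectedly` and `due to this changes` should be `due to these changes`; the same sentence is added again in the resource-limits question (hunk @@ -2084,9 +2087,12 @@). Suggested text for both: `Note: This might unexpectedly break some software; for example, the Amanda backup system is known to break because of these changes.`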
@@ -404,7 +407,7 @@ notebook computer, then you probably don't have any PCMCIA devices, and you should definitely disable this." QUESTION: "Would you like to disable SUID status for cardctl? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_IS_SUID: cardctl DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -422,7 +425,7 @@ can be found in cron (and removing cron is not practical) so there is no need to retain privileged access for \"at\"." QUESTION: "Would you like to disable SUID status for at? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB OSX +REQUIRE_DISTRO: LINUX SE TB OSX REQUIRE_IS_SUID: at DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -439,7 +442,7 @@ area of security problems. We recommend that only root have access to this type of application, unless your users have a pressing need for it." QUESTION: "Would you like to disable SUID status for DOSEMU? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_IS_SUID: dos DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -455,7 +458,7 @@ server. For this reason, we'd like to disable SUID status for the INN news server tools inndstart and startinnfeed." QUESTION: "Would you like to disable SUID status for news server tools? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_IS_SUID: inndstart startinnfeed DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -474,7 +477,7 @@ we'll ask about disabling printing entirely including stopping the print scheduler." QUESTION: "Would you like to disable SUID status for printing utilities? [N]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_IS_SUID: lpr lpq lprm DEFAULT_ANSWER: N YN_TOGGLE: 1 @@ -529,7 +532,7 @@ them when needed. This will disable the \"client\" side of these tools, so that people cannot use them to connect to other machines." QUESTION: "Would you like to disable the r-tools? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB OSX +REQUIRE_DISTRO: LINUX SE TB OSX REQUIRE_IS_SUID: rcp rlogin rsh rdist rexec DEFAULT_ANSWER: Y YN_TOGGLE: 1 
@@ -545,7 +548,7 @@ network interfaces. In general, there's no reason for anyone other than the system administrator to control network interfaces." QUESTION: "Would you like to disable SUID status for usernetctl? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_IS_SUID: usernetctl DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -563,7 +566,7 @@ debug network connections, you can leave the SUID bit on traceroute. Otherwise, you should disable it." QUESTION: "Would you like to disable SUID status for traceroute? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB OSX +REQUIRE_DISTRO: LINUX SE TB OSX REQUIRE_IS_SUID: traceroute traceroute6 DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -647,7 +650,7 @@ crackers access to the machine. This option will disable the use of those r-tools both from your machine and as a means of logging into your machine." QUESTION: "Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB OSX +REQUIRE_DISTRO: LINUX SE TB OSX REQUIRE_FILE_EXISTS: rsh DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -674,7 +677,7 @@ 180 days, if the password has not been changed, the account will be temporarily disabled. We would make this change in /etc/login.defs." QUESTION: "Would you like to enforce password aging? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB DEFAULT_ANSWER: Y YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -704,7 +707,7 @@ allowed to use cron." QUESTION: "Would you like to restrict the use of cron to administrative accounts? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB OSX +REQUIRE_DISTRO: LINUX SE TB OSX DEFAULT_ANSWER: Y YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -724,7 +727,7 @@ is if you are sure that you have already set one." QUESTION: "Do you want to set the default umask? [Y]" DEFAULT_ANSWER: 077 -REQUIRE_DISTRO: LINUX HP-UX DB SE TB OSX +REQUIRE_DISTRO: LINUX HP-UX SE TB OSX DEFAULT_ANSWER: Y YN_TOGGLE: 1 YES_EXP: 
@@ -769,7 +772,7 @@ will be overridden by the trusted system default umask, which is 077." QUESTION: "What umask would you like to set for users on the system? [077]" DEFAULT_ANSWER: 077 -REQUIRE_DISTRO: LINUX HP-UX DB SE TB OSX +REQUIRE_DISTRO: LINUX HP-UX SE TB OSX YN_TOGGLE: 0 YES_EXP: NO_EXP: @@ -1282,7 +1285,7 @@ from logging in directly. He has to steal a second account's password to make use of the root password via the ttys." QUESTION: "Should we disallow root login on tty's 1-6? [N]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB DEFAULT_ANSWER: N YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -1356,7 +1359,7 @@ Otherwise, this is strongly recommended for general use workstations and servers which are not locked away in their own room." QUESTION: "Would you like to password-protect the GRUB prompt? [N]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: grub.conf DEFAULT_ANSWER: N YN_TOGGLE: 1 @@ -1375,7 +1378,7 @@ WARNING: Please do not make this the root password for this computer, as the GRUB password will be stored unencrypted on the machine." QUESTION: "Enter GRUB password, please. []" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: grub.conf DEFAULT_ANSWER: YN_TOGGLE: 0 @@ -1399,7 +1402,7 @@ Otherwise, this is strongly recommended for general use workstations and servers which are not locked away in their own room." QUESTION: "Would you like to password-protect the LILO prompt? [N]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: lilo.conf DEFAULT_ANSWER: N YN_TOGGLE: 1 @@ -1418,7 +1421,7 @@ WARNING: Please do not make this the root password for this computer, as the LILO password will be stored unencrypted on the machine." QUESTION: "Enter LILO password, please. []" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: lilo.conf DEFAULT_ANSWER: YN_TOGGLE: 0 
@@ -1434,7 +1437,7 @@ machines will allow an attacker to place keystrokes into the keyboard buffer before he or she reaches the LILO prompt." QUESTION: "Would you like to reduce the LILO delay time to zero? [N]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: lilo.conf DEFAULT_ANSWER: N YN_TOGGLE: 1 @@ -1451,7 +1454,7 @@ Do you boot from your hard drive? That is, is LILO installed on your hard drive?" QUESTION: "Do you ever boot Linux from the hard drive? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: lilo.conf DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -1465,7 +1468,7 @@ LABEL: lilosub_floppy SHORT_EXP: "If you have a Linux boot floppy, either for normal booting or for emergency use, you should also write these LILO changes to that floppy. If you do not already have a customized Linux boot floppy, or if you did not choose to make any changes to your LILO configuration, you should answer \"no\" here." QUESTION: "Would you like to write the LILO changes to a boot floppy? [N]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: lilo.conf DEFAULT_ANSWER: N YN_TOGGLE: 1 @@ -1486,7 +1489,7 @@ fd1 floppy drive " QUESTION: "Floppy drive device name: [fd0]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: lilo.conf DEFAULT_ANSWER: fd0 YN_TOGGLE: 0 @@ -1520,7 +1523,7 @@ here, since having to repair/ignore the damage and wait for file system checks may slow the attacker down." QUESTION: "Would you like to disable CTRL-ALT-DELETE rebooting? [N]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB DEFAULT_ANSWER: N YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -1545,7 +1548,7 @@ We HIGHLY recommend that you password protect single user mode." QUESTION: "Would you like to password protect single-user mode? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB OSX +REQUIRE_DISTRO: LINUX SE TB OSX DEFAULT_ANSWER: Y YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" 
@@ -1616,7 +1619,7 @@ /etc/hosts.allow. All other wrappers-based programs, like sshd, will obey the default-deny." QUESTION: "Would you like to set a default-deny on TCP Wrappers and xinetd? [N]" -REQUIRE_DISTRO: LINUX DB SE TB OSX +REQUIRE_DISTRO: LINUX SE TB OSX DEFAULT_ANSWER: N YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -1652,7 +1655,7 @@ NOTE: Deactivating the telnetd service will not affect your telnet client." QUESTION: "Should Bastille ensure the telnet service does not run on this system? [y]" -REQUIRE_DISTRO: LINUX HP-UX DB SE TB +REQUIRE_DISTRO: LINUX HP-UX SE TB DEFAULT_ANSWER: Y YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -1678,7 +1681,7 @@ NOTE: Answering \"yes\" to this question will also prevent the use of this machine as an anonymous ftp server." QUESTION: "Should Bastille ensure inetd's FTP service does not run on this system? [y]" -REQUIRE_DISTRO: LINUX HP-UX DB SE TB +REQUIRE_DISTRO: LINUX HP-UX SE TB DEFAULT_ANSWER: Y YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -1944,7 +1947,7 @@ messages which you may then later edit. This is sort of like an \"anti-welcome mat\" for your computer." QUESTION: "Would you like to display \"Authorized Use\" messages at log-in time? [Y]" -REQUIRE_DISTRO: LINUX HP-UX DB SE TB OSX +REQUIRE_DISTRO: LINUX HP-UX SE TB OSX DEFAULT_ANSWER: Y YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -1975,7 +1978,7 @@ machine. Please type in the name of the company, person, or other organization who owns or is responsible for this machine." QUESTION: "Who is responsible for granting authorization to use this machine?" -REQUIRE_DISTRO: LINUX HP-UX DB SE TB OSX +REQUIRE_DISTRO: LINUX HP-UX SE TB OSX DEFAULT_ANSWER: "its owner" YN_TOGGLE: 0 YES_CHILD: log_inetd 
@@ -2039,7 +2042,7 @@ users by disabling the compiler. If you do chose to disable it, we'll do so by only allowing root access to the compiler." QUESTION: "Would you like to disable the gcc compiler? [N]" -REQUIRE_DISTRO: LINUX DB SE TB OSX +REQUIRE_DISTRO: LINUX SE TB OSX REQUIRE_FILE_EXISTS: gcc DEFAULT_ANSWER: N YN_TOGGLE: 1 @@ -2084,9 +2087,12 @@ be more than enough for normal system usage, and is not enough to bring down your machine. (Linux only) -All of these values can be edited later." +All of these values can be edited later. + +Note: This might unexpectly break some software, for example the Amanda +backup system is known to break due to this changes." QUESTION: "Would you like to put limits on system resource usage? [N]" -REQUIRE_DISTRO: LINUX DB SE TB OSX +REQUIRE_DISTRO: LINUX SE TB OSX DEFAULT_ANSWER: N YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -2103,7 +2109,7 @@ can disable this special access entirely, but a more flexible option is to restrict console access to a small group of trusted user accounts." QUESTION: "Should we restrict console access to a small group of user accounts? [N]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB DEFAULT_ANSWER: N YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -2118,7 +2124,7 @@ SHORT_EXP: "Please enter in the account names that should be able to login via the console, placing a space between each name." QUESTION: "Which accounts should be able to login at console? [root]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB DEFAULT_ANSWER: root YN_TOGGLE: 0 YES_CHILD: morelogging @@ -2137,7 +2143,7 @@ logging will not change the existing log files at all, so this is by no means a \"risky\" move." QUESTION: "Would you like to add additional logging? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB DEFAULT_ANSWER: Y YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" 
@@ -2160,7 +2166,7 @@ SHORT_EXP: "If you already have a remote logging host, we can set this machine to log to it." QUESTION: "Do you have a remote logging host? [N]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB DEFAULT_ANSWER: N YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -2180,7 +2186,7 @@ poisoning attacks on logging. You may use a hostname, but it should be added to your /etc/hosts file..." QUESTION: "What is the IP address of the machine you want to log to? [127.0.0.1]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB DEFAULT_ANSWER: 127.0.0.1 YN_TOGGLE: 0 YES_CHILD: pacct @@ -2198,7 +2204,7 @@ As this is rather disk and CPU intensive, please choose NO unless you have carefully considered this option." QUESTION: "Would you like to set up process accounting? [N]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: accton DEFAULT_ANSWER: N YN_TOGGLE: 1 @@ -2225,7 +2231,7 @@ section will require careful attention, but if you have doubts, you should be able to safely select the default value in most cases." QUESTION: -REQUIRE_DISTRO: LINUX HP-UX DB SE TB OSX +REQUIRE_DISTRO: LINUX HP-UX SE TB OSX YN_TOGGLE: 0 YES_EXP: NO_EXP: @@ -2237,7 +2243,7 @@ SHORT_EXP: "apmd is used to monitor battery power and is used almost exclusively by notebook/laptop computers." QUESTION: "Would you like to disable apmd? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: chkconfig_apmd DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -2265,7 +2271,7 @@ probably best to deactivate them until you can investigate whether or not you need them and how to best secure them." QUESTION: "Would you like to deactivate NFS and Samba? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: chkconfig_nfs DEFAULT_ANSWER: Y YN_TOGGLE: 1 
@@ -2349,7 +2355,7 @@ devices. If this machine has no PCMCIA ports, you should be able to disable PCMCIA services without any problems." QUESTION: "Would you like to disable PCMCIA services? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: chkconfig_pcmcia DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -2367,7 +2373,7 @@ should deactivate the DHCP daemon. Deactivating the daemon will not prevent you from running DHCP as a client." QUESTION: "Would you like to disable the DHCP daemon? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: chkconfig_dhcpd DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -2383,7 +2389,7 @@ text mode. If you will be using this machine in console mode and will want mouse support, leave GPM on." QUESTION: "Would you like to disable GPM? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: chkconfig_gpm DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -2403,7 +2409,7 @@ of disk space, processor power, bandwidth and maintenance. In all but the rarest of cases, you should disable the news server daemon." QUESTION: "Would you like to disable the news server daemon? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: chkconfig_innd DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -2427,7 +2433,7 @@ using routed, you should leave this on, then migrate to gated manually later. (Bastille will not enable gated for you.)" QUESTION: "Would you like to deactivate routed? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: chkconfig_routed DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -2446,7 +2452,7 @@ disable routing protocols. If this machine is acting as a router, then you should leave gated on." QUESTION: "Would you like to deactivate gated? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: chkconfig_gated DEFAULT_ANSWER: Y YN_TOGGLE: 1 
@@ -2479,7 +2485,7 @@ We recommend that you deactivate NIS server programs. Alternatives include NIS+, LDAP, and Kerberos." QUESTION: "Would you like to deactivate NIS server programs? [Y]" -REQUIRE_DISTRO: LINUX HP-UX DB SE TB +REQUIRE_DISTRO: LINUX HP-UX SE TB REQUIRE_FILE_EXISTS: ypserv DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -2518,7 +2524,7 @@ We recommend that you deactivate NIS client programs. Alternatives include NIS+, LDAP, and Kerberos" QUESTION: "Would you like to deactivate NIS client programs? [Y]" -REQUIRE_DISTRO: LINUX HP-UX DB SE TB +REQUIRE_DISTRO: LINUX HP-UX SE TB DEFAULT_ANSWER: Y YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -2549,7 +2555,7 @@ Network management software, such as HP Openview, which relies on SNMP" QUESTION: "Would you like to disable SNMPD? [Y]" -REQUIRE_DISTRO: LINUX HP-UX DB SE TB +REQUIRE_DISTRO: LINUX HP-UX SE TB DEFAULT_ANSWER: Y YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -2823,7 +2829,7 @@ POP/IMAP read functionality. The only reason to run sendmail in daemon mode is if you are running a mail server." QUESTION: "Do you want to stop sendmail from running in daemon mode? [Y]" -REQUIRE_DISTRO: LINUX HP-UX DB SE TB +REQUIRE_DISTRO: LINUX HP-UX SE TB REQUIRE_FILE_EXISTS: sysconfig_sendmail DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -2850,7 +2856,7 @@ NOTE: The 15 minute interval can be easily changed later, see crontab(1)." QUESTION: "Would you like to run sendmail via cron to process the queue? [N]" -REQUIRE_DISTRO: LINUX HP-UX DB SE TB +REQUIRE_DISTRO: LINUX HP-UX SE TB REQUIRE_FILE_EXISTS: sysconfig_sendmail DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -2874,7 +2880,7 @@ (2) you are using them to debug your own mail server, or (3) the very small chance that some software you use relies on this." QUESTION: "Would you like to disable the VRFY and EXPN sendmail commands? [Y]" -REQUIRE_DISTRO: LINUX HP-UX DB SE TB +REQUIRE_DISTRO: LINUX HP-UX SE TB REQUIRE_FILE_EXISTS: sendmail.cf DEFAULT_ANSWER: Y YN_TOGGLE: 1 
@@ -2975,7 +2981,10 @@ Even if you plan on setting up a name server on this machine, you should deactivate it for now until you get the configuration files setup. You -can reactivate it then by typing, as root: /sbin/chkconfig named on " +can reactivate it then by typing, as root: + +# /usr/sbin/update-rc.d bind start 55 3 . +" QUESTION: "Would you like to deactivate named, at least for now? [Y]" REQUIRE_DISTRO: LINUX REQUIRE_FILE_EXISTS: chkconfig_named @@ -3014,10 +3023,10 @@ need to run a web server, at least not right now, you should deactivate it. You can restart the web server later by typing: - /sbin/chkconfig httpd on +# /usr/sbin/update-rc.d apache start 91 3 . " QUESTION: "Would you like to deactivate the Apache web server? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: chkconfig_httpd DEFAULT_ANSWER: Y YN_TOGGLE: 1 @@ -3053,8 +3062,8 @@ it doesn't represent as great a risk if it isn't set to allow connections from the entire internet." QUESTION: "Would you like to bind the web server to listen only to the localhost? [N]" -REQUIRE_DISTRO: LINUX DB SE TB -REQUIRE_FILE_EXISTS: httpd +REQUIRE_DISTRO: LINUX SE TB +REQUIRE_FILE_EXISTS: apache DEFAULT_ANSWER: N YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -3072,8 +3081,8 @@ web server. This is highly recommended if you're building an internal-only web server." QUESTION: "Would you like to bind the web server to a particular interface? [N]" -REQUIRE_DISTRO: LINUX DB SE TB -REQUIRE_FILE_EXISTS: httpd +REQUIRE_DISTRO: LINUX SE TB +REQUIRE_FILE_EXISTS: apache DEFAULT_ANSWER: N YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -3092,8 +3101,8 @@ or 10.0.0.1:8080" QUESTION: "Address to bind the web server to? [127.0.0.1]" -REQUIRE_DISTRO: LINUX DB SE TB -REQUIRE_FILE_EXISTS: httpd +REQUIRE_DISTRO: LINUX SE TB +REQUIRE_FILE_EXISTS: apache YN_TOGGLE: 0 DEFAULT_ANSWER: 127.0.0.1 YES_CHILD: generalweb 
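Review bot: The restart hint is now `# /usr/sbin/update-rc.d bind start 55 3 .`, a Debian-only command, while this question still carries `REQUIRE_DISTRO: LINUX`, so users on whichever other distributions that token admits are pointed at a tool they do not have; the Apache hint in the next hunk (@@ -3014,10 +3023,10 @@) has the same problem with SE and TB still listed, as does the lpd hint (@@ -3295,9 +3304,7 @@). The init-script names `bind` and `apache` are also Debian package names, which is fine only if this text is shipped solely in the Debian package. If that is the intent, a comment in the patch header saying so would settle it; otherwise keep the wording distribution-neutral, e.g. `can reactivate it then by re-enabling the service with your distribution's init tool (update-rc.d on Debian).`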
@@ -3114,8 +3123,8 @@ under which any user on the system can instruct the server to execute arbitrary code for anyone who comes to the site, via CGI scripts." QUESTION: -REQUIRE_DISTRO: LINUX DB SE TB -REQUIRE_FILE_EXISTS: httpd +REQUIRE_DISTRO: LINUX SE TB +REQUIRE_FILE_EXISTS: apache YN_TOGGLE: 0 YES_EXP: NO_EXP: @@ -3137,8 +3146,8 @@ vulnerability in Apache could be exploited to alter world writeable files on the system." QUESTION: "Would you like to deactivate the following of symbolic links? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB -REQUIRE_FILE_EXISTS: httpd +REQUIRE_DISTRO: LINUX SE TB +REQUIRE_FILE_EXISTS: apache DEFAULT_ANSWER: Y YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -3155,8 +3164,8 @@ web pages, but they represent a security risk you may not want to take until you better understand the Apache web server." QUESTION: "Would you like to deactivate server-side includes? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB -REQUIRE_FILE_EXISTS: httpd +REQUIRE_DISTRO: LINUX SE TB +REQUIRE_FILE_EXISTS: apache DEFAULT_ANSWER: Y YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -3181,8 +3190,8 @@ dangerous, but they need to be very carefully controlled by people who understand the dangers." QUESTION: "Would you like to disable CGI scripts, at least for now? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB -REQUIRE_FILE_EXISTS: httpd +REQUIRE_DISTRO: LINUX SE TB +REQUIRE_FILE_EXISTS: apache DEFAULT_ANSWER: Y YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -3208,8 +3217,8 @@ breaking the most obvious rule of web site creation, \"don't put any sensitive files in a web directory with world readable permissions!\" " QUESTION: "Would you like to disable indexes? [N]" -REQUIRE_DISTRO: LINUX DB SE TB -REQUIRE_FILE_EXISTS: httpd +REQUIRE_DISTRO: LINUX SE TB +REQUIRE_FILE_EXISTS: apache DEFAULT_ANSWER: N YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" 
@@ -3247,7 +3256,7 @@ The apache server, httpd, is given access to several compilers and system libraries so that it can process cgi's, login attempts, etc... One way to lessen the risk presented by this special status is to lock the daemon -(httpd) into a \"chroot jail.\" In this case, the daemon has access to +(apache) into a \"chroot jail.\" In this case, the daemon has access to only a small segment of the file system, a directory created specifically for the purpose of giving the daemon access to only the files it needs. @@ -3295,9 +3304,7 @@ On Linux, you could revert this later by typing: - # /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm - - # /sbin/chkconfig lpd on +# /usr/sbin/update-rc.d lpd start 55 3 . This is only recommended if this machine will not be used for printing in the near future. If you deactivate this, you might want to write @@ -3406,7 +3413,7 @@ " REQUIRE_FILE_EXISTS: ftpaccess QUESTION: -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB YN_TOGGLE: 0 YES_EXP: NO_EXP: @@ -3443,7 +3450,7 @@ If this is a 3 account server, that kind of user education may be quite possible." QUESTION: "Would you like to disable user privileges on the FTP daemon? [N]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: ftpaccess DEFAULT_ANSWER: N YN_TOGGLE: 1 @@ -3461,7 +3468,7 @@ secure Apache web server. Any files that you want accessible to the world can be placed on an easy-to-configure web server." QUESTION: "Would you like to disable anonymous download? [N]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB REQUIRE_FILE_EXISTS: ftpaccess DEFAULT_ANSWER: N YN_TOGGLE: 1 @@ -4014,7 +4021,7 @@ This script supports both kernel 2.2 (ipchains) and 2.4 (iptables if available, otherwise ipchains)." QUESTION: "Would you like to run the packet filtering script? [N]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: End_Screen DEFAULT_ANSWER: N YN_TOGGLE: 1 
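Review bot: The lpd revert hint drops the `# /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm` line together with the chkconfig one, so if this question still clears the SUID bits on lpr/lprm (the surrounding text talks about deactivating printing, but the action itself is not visible here) the revert instructions are now incomplete — a user following them gets lpd back but lpr/lprm stay unusable for non-root accounts. Keep the chmod line in front of the new `# /usr/sbin/update-rc.d lpd start 55 3 .` line unless the SUID change has been moved elsewhere.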
@@ -4027,7 +4034,7 @@ LABEL: ip_detail_level_kludge QUESTION: -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_exp_type DEFAULT_ANSWER: Y YN_TOGGLE: 0 @@ -4056,7 +4063,7 @@ Unless you really understand networking, you should ask for more information on most of the options in this script." QUESTION: -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB YN_TOGGLE: 0 YES_EXP: NO_EXP: @@ -4073,7 +4080,7 @@ If this is a server that deals with multiple interfaces or provides IP Masquerading/NAT service, then you do need the advanced networking options." QUESTION: "Do you need the advanced networking options?" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_dns YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -4108,7 +4115,7 @@ What you answer is important if you use kernel 2.2/ipchains, but makes no difference if you use kernel 2.4 and iptables." QUESTION: "DNS servers: [0.0.0.0/0]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_trustiface DEFAULT_ANSWER: 0.0.0.0/0 CONFIRM_TEXT: " \nY" @@ -4132,7 +4139,7 @@ List the interface names of all interfaces you want to have unrestricted access to this machine. You should at least trust \"lo\", the \"loopback\" interface." QUESTION: "Trusted interface names: [lo]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_publiciface DEFAULT_ANSWER: lo CONFIRM_TEXT: " \nY" @@ -4154,7 +4161,7 @@ Using the \"+\" suffix allows you to configure more interfaces (for instance, more PPP dialup entries) without having to modify the firewall script. " QUESTION: "Public interfaces: [eth+ ppp+ slip+]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_internaliface DEFAULT_ANSWER: eth+ ppp+ slip+ YN_TOGGLE: 0 
@@ -4178,7 +4185,7 @@ Normal workstations should leave this as the empty default. " QUESTION: "Internal interfaces: [ ]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_tcpaudit DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" @@ -4202,7 +4209,7 @@ attempts to several services, although you may not have them installed or enabled. " QUESTION: "TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_udpaudit DEFAULT_ANSWER: telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh CONFIRM_TEXT: " \nY" @@ -4226,7 +4233,7 @@ While attackers probing for Back Orifice may not pose a threat to your Linux system, logging their attempts helps identify the \"bad guys\" " QUESTION: "UDP services to audit: [31337]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_icmpaudit DEFAULT_ANSWER: 31337 CONFIRM_TEXT: " \nY" @@ -4243,7 +4250,7 @@ as types, not numbers. One example is \"echo-request\" which is used by Microsoft ping and tracert [sic] clients." QUESTION: "ICMP services to audit: [ ]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_publictcp DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" @@ -4276,7 +4283,7 @@ Not doing so means you will be able to access the service locally, but \"public\" hosts will not." QUESTION: "TCP service names or port numbers to allow on public interfaces:[ ]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_publicudp DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" @@ -4293,7 +4300,7 @@ services available, but if you're running caching or real DNS servers, you will need to enable domain (port 53)." QUESTION: "UDP service names or port numbers to allow on public interfaces:[ ]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_internaltcp DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" 
@@ -4322,7 +4329,7 @@ case you would set this value to \"smtp imap\". This does not affect IP Masquerading's ability to let masq'ed users access any services on outside/Internet hosts. " QUESTION: "TCP service names or port numbers to allow on private interfaces: [ ]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_internaludp DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" @@ -4344,7 +4351,7 @@ As with internal TCP. You do not need to enable domain service if the internal clients are using IP Masq to query outside DNS servers. " QUESTION: "UDP service names or port numbers to allow on private interfaces: [ ]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_passiveftp DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" @@ -4379,7 +4386,7 @@ What you answer is important if you use kernel 2.2/ipchains, but makes no difference if you use kernel 2.4 and iptables." QUESTION: "Force passive mode? [N]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB DEFAULT_ANSWER: N CONFIRM_TEXT: " \nY" YN_TOGGLE: 1 @@ -4409,7 +4416,7 @@ What you answer is important if you use kernel 2.2/ipchains, but makes no difference if you use kernel 2.4 and iptables." QUESTION: "TCP services to block: [2049 2065:2090 6000:6020 7100]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_udpblock DEFAULT_ANSWER: 2049 2065:2090 6000:6020 7100 CONFIRM_TEXT: " \nY" @@ -4430,7 +4437,7 @@ What you answer is important if you use kernel 2.2/ipchains, but makes no difference if you use kernel 2.4 and iptables." QUESTION: "UDP services to block: [2049 6770]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_icmpallowed DEFAULT_ANSWER: 2049 6770 CONFIRM_TEXT: " \nY" 
@@ -4443,11 +4450,13 @@ LABEL: ip_s_icmpallowed SHORT_EXP: "Specify the ICMP allowed types. The default suggestion allows you to -probe other hosts with ping and traceroute. Minimally you will need to allow +probe other hosts with ping and traceroute but will not allow other hosts +to probe you using ping. Minimally you will need to allow \"destination-unreachable\"." LONG_EXP: "Specify the ICMP allowed types. The default suggestion allows you to probe other hosts with ping and traceroute. Minimally you will need to allow -\"destination-unreachable\". +\"destination-unreachable\". If you also want to be probed, you will also need +to allow \"echo-request\". \"destination-unreachable\" lets other machines' servers tell your system when things aren't right; don't disable this unless you really know what you're @@ -4455,7 +4464,7 @@ able to use ping and traceroute to debug issues on the \"public\" networks. " QUESTION: "ICMP allowed types: [destination-unreachable echo-reply time-exceeded]" SKIP_CHILD: ip_s_srcaddr -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB DEFAULT_ANSWER: destination-unreachable echo-reply time-exceeded CONFIRM_TEXT: " \nY" YN_TOGGLE: 0 @@ -4475,7 +4484,7 @@ This is a standard, and highly recommended, precaution. " QUESTION: "Enable source address verification? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB DEFAULT_ANSWER: Y CONFIRM_TEXT: " \nY" YN_TOGGLE: 1 @@ -4504,7 +4513,7 @@ Note this expects _network_ addresses (either with 0's on the end or with explicit netmasks), _not_ interface names. " QUESTION: "Masqueraded networks: [ ]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_kernelmasq DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" 
@@ -4522,7 +4531,7 @@ name should have the usual prefix, e.g. \"raudio\" will cause the script to load the \"ip_masq_raudio\" module." QUESTION: "Kernel modules to masquerade: [ftp raudio vdolive]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_rejectmethod DEFAULT_ANSWER: ftp raudio vdolive CONFIRM_TEXT: " \nY" @@ -4549,7 +4558,7 @@ There's no definite right answer here. With DENY, your machine will be less visible, especially if using kernel 2.4/iptables. " QUESTION: "Reject method: [DENY]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_dhcpiface DEFAULT_ANSWER: DENY CONFIRM_TEXT: " \nY" @@ -4570,7 +4579,7 @@ What you answer is important if you use kernel 2.2/ipchains, but makes no difference if you use kernel 2.4 and iptables." QUESTION: "Interfaces for DHCP queries: [ ]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_ntpsrv DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" @@ -4599,7 +4608,7 @@ What you answer is important if you use kernel 2.2/ipchains, but makes no difference if you use kernel 2.4 and iptables." QUESTION: "NTP servers to query: [ ]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_s_icmpout DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" @@ -4621,7 +4630,7 @@ \"destination-unreachable\" is (ab)used by the traceroute program to check routing to individual hosts. " QUESTION: "ICMP types to disallow outbound: [destination-unreachable time-exceeded]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_enable_firewall DEFAULT_ANSWER: destination-unreachable time-exceeded CONFIRM_TEXT: " \nY" @@ -4664,7 +4673,7 @@ What you answer is important if you use kernel 2.2/ipchains, but makes no difference if you use kernel 2.4 and iptables." QUESTION: "DNS Servers: [0.0.0.0/0]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_trustiface DEFAULT_ANSWER: 0.0.0.0/0 CONFIRM_TEXT: " \nY" 
@@ -4677,7 +4686,7 @@ LABEL: ip_b_trustiface DEFAULT_ANSWER: lo -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_publiciface CONFIRM_TEXT: " \nY" YN_TOGGLE: 0 @@ -4698,7 +4707,7 @@ Using the \"+\" suffix allows you to configure more interfaces (for instance, more PPP dialup entries) without having to modify the firewall script. " QUESTION: "Public interfaces: [eth+ ppp+ slip+]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_internaliface DEFAULT_ANSWER: eth+ ppp+ slip+ CONFIRM_TEXT: " \nY" @@ -4712,7 +4721,7 @@ LABEL: ip_b_internaliface DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_tcpaudit YN_TOGGLE: 0 YES_EXP: @@ -4734,7 +4743,7 @@ attempts to several services, although you may not have them installed or enabled. " QUESTION: "TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_udpaudit DEFAULT_ANSWER: telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh CONFIRM_TEXT: " \nY" @@ -4758,7 +4767,7 @@ While attackers probing for Back Orifice may not pose a threat to your Linux system, logging their attempts helps identify the \"bad guys\" " QUESTION: "UDP services to audit: [31337]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_icmpaudit DEFAULT_ANSWER: 31337 CONFIRM_TEXT: " \nY" @@ -4775,7 +4784,7 @@ as types, not numbers. One example is \"echo-request\" which is used by Microsoft ping and tracert [sic] clients." QUESTION: "ICMP services to audit: [ ]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_publictcp DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" 
@@ -4808,7 +4817,7 @@ Not doing so means you will be able to access the service locally, but \"public\" hosts will not." QUESTION: "TCP service names or port numbers to allow on public interfaces: [ ]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_publicudp DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" @@ -4825,7 +4834,7 @@ services available, but if you're running caching or real DNS servers, you will need to enable domain (port 53)." QUESTION: "UDP service names or port numbers to allow on public interfaces: [ ]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_passiveftp DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" @@ -4839,7 +4848,7 @@ LABEL: ip_b_internaltcp DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_internaludp YN_TOGGLE: 0 YES_EXP: @@ -4851,7 +4860,7 @@ LABEL: ip_b_internaludp DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_passiveftp YN_TOGGLE: 0 YES_EXP: @@ -4887,7 +4896,7 @@ What you answer is important if you use kernel 2.2/ipchains, but makes no difference if you use kernel 2.4 and iptables." QUESTION: "Force passive mode? [N]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB DEFAULT_ANSWER: N CONFIRM_TEXT: " \nY" YN_TOGGLE: 1 @@ -4921,7 +4930,7 @@ difference if you use kernel 2.4 and iptables." QUESTION: "TCP services to block: [2049 2065:2090 6000:6020 7100]" DEFAULT_ANSWER: 2049 2065:2090 6000:6020 7100 -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_udpblock CONFIRM_TEXT: " \nY" YN_TOGGLE: 0 @@ -4941,7 +4950,7 @@ What you answer is important if you use kernel 2.2/ipchains, but makes no difference if you use kernel 2.4 and iptables." QUESTION: "UDP services to block: [2049 6770]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_icmpallowed DEFAULT_ANSWER: 2049 6770 CONFIRM_TEXT: " \nY" 
@@ -4954,18 +4963,23 @@ LABEL: ip_b_icmpallowed SHORT_EXP: "Specify the ICMP allowed types. The default suggestion allows you to -probe other hosts with ping and traceroute. Minimally you will need to allow -\"destination-unreachable\"." +probe other hosts with ping and traceroute but will not allow other hosts +to probe you using ping. Minimally you will need to allow +\"destination-unreachable\"." If you also want to be probed, you will also need +to allow \"echo-request\". LONG_EXP: "Specify the ICMP allowed types. The default suggestion allows you to -probe other hosts with ping and traceroute. Minimally you will need to allow -\"destination-unreachable\". +probe other hosts with ping and traceroute but will not allow other hosts +to probe you using ping. Minimally you will need to allow +\"destination-unreachable\". If you also want to be probed, you will also need +to allow \"echo-request\". + \"destination-unreachable\" lets other machines' servers tell your system when things aren't right; don't disable this unless you really know what you're getting into. If you don't allow \"echo-reply\" and \"time-exceeded\", you won't be able to use ping and traceroute to debug issues on the \"public\" networks. " QUESTION: "ICMP allowed types: [destination-unreachable echo-reply time-exceeded]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_srcaddr DEFAULT_ANSWER: destination-unreachable echo-reply time-exceeded CONFIRM_TEXT: " \nY" @@ -4986,7 +5000,7 @@ This is a standard, and highly recommended, precaution. " QUESTION: "Enable source address verification? [Y]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB DEFAULT_ANSWER: Y CONFIRM_TEXT: " \nY" YN_TOGGLE: 1 @@ -4999,7 +5013,7 @@ LABEL: ip_b_ipmasq DEFAULT_ANSWER: -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_kernelmasq CONFIRM_TEXT: " \nY" YN_TOGGLE: 0 
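Review bot: In the SHORT_EXP of ip_b_icmpallowed the added sentence falls outside the quoted string: the `"` that follows `\"destination-unreachable\".` still terminates SHORT_EXP, so `If you also want to be probed, you will also need to allow \"echo-request\".` is left as stray text between SHORT_EXP and `LONG_EXP:`, which the question parser will not attach to either field. Move the closing quote to the end of the new sentence, `to allow \"echo-request\"."`, as the LONG_EXP edit in the same hunk and both edits to ip_s_icmpallowed (L20) already do.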
@@ -5011,7 +5025,7 @@ LABEL: ip_b_kernelmasq DEFAULT_ANSWER: ftp raudio vdolive -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_rejectmethod CONFIRM_TEXT: " \nY" YN_TOGGLE: 0 @@ -5037,7 +5051,7 @@ _completely_ invisible, even if you choose \"DENY\", but with \"DENY\" and _no_ public services, you will not be visible to casual probes. " QUESTION: "Reject method: [DENY]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_dhcpiface DEFAULT_ANSWER: DENY CONFIRM_TEXT: " \nY" @@ -5058,7 +5072,7 @@ What you answer is important if you use kernel 2.2/ipchains, but makes no difference if you use kernel 2.4 and iptables." QUESTION: "Interfaces for DHCP queries: [ ]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_ntpsrv DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" @@ -5087,7 +5101,7 @@ What you answer is important if you use kernel 2.2/ipchains, but makes no difference if you use kernel 2.4 and iptables." QUESTION: "NTP servers to query: [ ]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_b_icmpout DEFAULT_ANSWER: CONFIRM_TEXT: " \nY" @@ -5109,7 +5123,7 @@ \"destination-unreachable\" is (ab)used by the traceroute program to check routing to individual hosts. " QUESTION: "ICMP types to disallow outbound: [destination-unreachable time-exceeded]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB SKIP_CHILD: ip_enable_firewall DEFAULT_ANSWER: destination-unreachable time-exceeded CONFIRM_TEXT: " \nY" 
@@ -5121,17 +5135,19 @@ PROPER_PARENT: ip_b_ntpsrv LABEL: ip_enable_firewall -SHORT_EXP: "The firewall is controlled by /etc/rc.d/init.d/bastille-firewall. The +SHORT_EXP: "The firewall is controlled by /etc/init.d/bastille-firewall. The configuration file is /etc/Bastille/bastille-firewall.cfg, which you may modify. After it has been installed, you can then test the firewall by using - /etc/rc.d/init.d/bastille-firewall start + /etc/init.d/bastille-firewall start and (to remove all firewall rules) - /etc/rc.d/init.d/bastille-firewall stop + /etc/init.d/bastille-firewall stop Once you have a configuration that will work on your system, you can make it run at every normal boot-up by typing - /sbin/chkconfig --add bastille-firewall - /sbin/chkconfig bastille-firewall reset + +# /usr/sbin/update-rc.d bastille-firewall start 40 S . stop 89 0 6 . + +# /etc/init.d/bastille-firewall start If you are confident of your selections, Bastille can start the firewall and configure it to run at boot time for you. @@ -5139,7 +5155,7 @@ ** It is strongly recommended that you answer N if you are not logged in to the system's console, as your network access my be blocked by the firewall. **" QUESTION: "Should Bastille run the firewall and enable it at boot time? [N]" -REQUIRE_DISTRO: LINUX DB SE TB +REQUIRE_DISTRO: LINUX SE TB YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" YES_EXP: 
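Review bot: The replacement boot-enable instructions in ip_enable_firewall's SHORT_EXP are Debian-specific (`# /usr/sbin/update-rc.d bastille-firewall start 40 S . stop 89 0 6 .`), yet the REQUIRE_DISTRO line in the next hunk drops DB, so the text is now shown only on distributions that use chkconfig and never on the one the commands apply to. Either keep the chkconfig lines for the remaining distributions or present both forms with the distribution each belongs to; the `#` prompt prefix on the new lines also reads as a comment marker in this file. The psad question at L27 has the same mismatch (`# /usr/sbin/update-rc.d psad defaults` under `REQUIRE_DISTRO: LINUX`).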
@@ -5404,15 +5420,21 @@ LABEL: psad_enable_at_boot SHORT_EXP: "The Port Scan Attack Detector is controlled by a standard Sys V style -init script, /etc/rc.d/init.d/psad. To start the psad daemons, simply execute - /etc/rc.d/init.d/psad start +init script, /etc/init.d/psad. To start the psad daemons, simply execute + + /etc/init.d/psad start + and to stop psad, execute - /etc/rc.d/init.d/psad stop + + /etc/init.d/psad stop Bastille can configure your system to start psad at boot time by executing - chkconfig psad on." + +# /usr/sbin/update-rc.d psad defaults +" QUESTION: "Should Bastille enable psad at boot time? [N]" REQUIRE_DISTRO: LINUX +REQUIRE_FILE_EXISTS: psad YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" YES_EXP: --- bastille-3.0.9.orig/bastille-netfilter +++ bastille-3.0.9/bastille-netfilter @@ -68,6 +68,12 @@ exit 1 fi +# Check if the kernel is module-based +MODULES_DEP=/lib/modules/`uname -r`/modules.dep +MODULAR_KERNEL="no" +if [ -e "$MODULES_DEP" ] ; then + MODULAR_KERNEL="yes" +fi # # Computed values @@ -152,6 +158,7 @@ # Function to load/unload NAT kernel modules do_masq_mods() { + [ "$MODULAR_KERNEL" = "no" ] && return # args: $1 = "load" or "unload" # # find the currently loaded modules @@ -185,7 +192,7 @@ fi done if [ $MOD_LOADED = "N" ]; then - insmod "ip_nat_${normal_mod}" || echo "Error loading ip_nat_${normal_mod} module" + modprobe "ip_nat_${normal_mod}" || echo "Error loading ip_nat_${normal_mod} module" fi # try to load any _conntrack variants modprobe "ip_nat_${normal_mod}_conntrack" 2>/dev/null @@ -206,7 +213,7 @@ ipchains -F ${c} 2>/dev/null done ipchains -X 2>/dev/null - rmmod ipchains 2>/dev/null + [ "$MODULAR_KERNEL" = "yes" ] && rmmod ipchains 2>/dev/null # # For Red Hat users, let's ensure that its firewalls are disabled rhtest_ipchains=`chkconfig --list ipchains 2>/dev/null | grep :on` 
@@ -222,7 +229,7 @@ fi # # Make sure the iptables/netfilter kernel module is loaded - modprobe ip_tables + [ "$MODULAR_KERNEL" = "yes" ] && modprobe ip_tables # # Clean up the default chains # @@ -269,9 +276,9 @@ include_supplemental early # enable stateful rules - modprobe ip_conntrack - modprobe ip_conntrack_ftp - modprobe ipt_LOG + [ "$MODULAR_KERNEL" = "yes" ] && modprobe ip_conntrack + [ "$MODULAR_KERNEL" = "yes" ] && modprobe ip_conntrack_ftp + [ "$MODULAR_KERNEL" = "yes" ] && modprobe ipt_LOG # from the ipchains HOWTO if [ "${ENABLE_SRC_ADDR_VERIFY}" = "Y" ]; then @@ -358,9 +365,11 @@ #do_masq_mods unload # if [ -n "${IP_MASQ_NETWORK}" ]; then - echo -n "Loading NAT modules..." - modprobe iptable_nat - echo " done." + if [ "$MODULAR_KERNEL" = "yes" ] ; then + echo -n "Loading NAT modules..." + modprobe iptable_nat + echo " done." + fi echo -n "Setting up masquerading rules..." # since we've set the default forwarding policy to # reject, we can enable forwarding now --- bastille-3.0.9.orig/InteractiveBastille +++ bastille-3.0.9/InteractiveBastille @@ -379,7 +379,10 @@ &B_log("ERROR","Could not load the '${interface_module}.pm' interface module." . "This may be due to an invalid \$DISPLAY setting,". "or the module not being visible to Perl.\n\n"); + "Please refer to the usage message for other ways to". + "run Bastille.\n\n"; print '\n'; + &showUsage(); exit 1; } } @@ -433,7 +436,7 @@ } else { - $SUPPORT_INFO = " Please address bug reports and suggestions to jay\@bastille-linux.org\n" . + $SUPPORT_INFO = " Please address bug reports and suggestions to jay\@bastille-unix.org\n" . " Bugs in the Tk user interface are the fault of allenp\@nwlink.com.\n"; } 
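Review bot: `[ "$MODULAR_KERNEL" = "yes" ] && modprobe ip_tables` leaves the statement with a non-zero exit status whenever the kernel is not modular; harmless as written, but it aborts the script if it ever runs under `set -e` (the preamble is outside this hunk), and the same pattern is repeated for ip_conntrack, ip_conntrack_ftp and ipt_LOG in the next hunk. An `if` form states the intent and exits cleanly: `if [ "$MODULAR_KERNEL" = "yes" ]; then modprobe ip_tables; fi`. The detection in the earlier hunk (L27) deserves a comment that a present modules.dep only shows a modules directory is installed for this kernel, not that netfilter was built as modules.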
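Review bot: The two added string lines are not part of the `&B_log(...)` call: that call already closes with `);` on the preceding line, so `"Please refer to the usage message for other ways to" . "run Bastille.\n\n";` is a stand-alone expression in void context that is never logged (Perl warns "Useless use of a constant"). Move the `);` to after the new text and add the missing space, `"Please refer to the usage message for other ways to " .`, otherwise the words run together as "torun". The pre-existing `print '\n';` prints a literal backslash-n; `print "\n";` if a blank line is intended before `&showUsage()`.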
@@ -501,7 +504,7 @@ " Within each of the three major areas, use the arrow keys to scroll\n" . " text or switch buttons.\n" . "\n" . - " Please address bug reports and suggestions to jay\@bastille-linux.org\n" . + " Please address bug reports and suggestions to jay\@bastille-unix.org\n" . "\n"; $InterfaceEndScreenDescription = "We will now implement the choices you have made here.\n\n" . --- bastille-3.0.9.orig/Bastille/API.pm +++ bastille-3.0.9/Bastille/API.pm @@ -148,6 +148,7 @@ use Cwd; use Bastille::HP_API; use Bastille::OSX_API; +use Bastille::Debian_API; use Bastille::LogAPI; use File::Path; use File::Basename; @@ -177,7 +178,7 @@ B_load_ipf_rules B_deactivate_inetd_service getSupportedOSHash B_set_rc B_get_rc B_chrootHPapache B_userdel B_groupdel B_removeuserfromgroup - $GLOBAL_OS + $GLOBAL_OS $WARN_OS $GLOBAL_LOGONLY $GLOBAL_VERBOSE $GLOBAL_DEBUG $GLOBAL_AUDITONLY $GLOBAL_AUDIT_NO_BROWSER $errorFlag %GLOBAL_BIN %GLOBAL_DIR %GLOBAL_FILE %GLOBAL_BDIR %GLOBAL_BFILE @@ -295,7 +296,7 @@ sub PrepareToRun { # Make sure we're root! - if ( $> != 0 ) { + if ( $EUID != 0 ) { &B_log("ERROR","Bastille Back-End must run as root!\n"); exit(1); } @@ -358,7 +359,8 @@ $distro="MN$1"; } else { - print STDERR "$err Couldn't determine Mandrake/Mandriva version! Setting to 10.1!\n"; + print STDERR "$err Couldn't determine Mandrake/Mandriva version! Setting to 10.1!\n" if ! defined $WARN_OS; + $WARN_OS = "yes"; $distro="MN10.1"; } @@ -368,7 +370,8 @@ open(IMMUNIX_RELEASE,"/etc/immunix-release"); $release=; unless ($release =~ /^Immunix Linux release (\d+\.\d+\w*)/) { - print STDERR "$err Couldn't determine Immunix version! Setting to 6.2!\n"; + print STDERR "$err Couldn't determine Immunix version! Setting to 6.2!\n" if ! defined $WARN_OS; + $WARN_OS = "yes"; $distro="RH6.2"; } else { 
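Review bot: `$EUID` is only defined when `use English;` is in effect; if API.pm does not import it (the module preamble is outside this hunk), the root check in PrepareToRun reads an undefined variable — a compile error under `use strict`, or, without strict, `undef != 0` is false and a non-root run passes the check. Either keep `$>` or add `use English qw(-no_match_vars);` to the module's imports, and add a comment on the check such as `# $EUID is $> (effective uid) via English`.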
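Review bot: The pair `print STDERR ... if ! defined $WARN_OS; $WARN_OS = "yes";` is pasted into every distribution branch of this routine (here and in the hunks through L31); a small helper such as `sub _warn_os_once { print STDERR $_[0] unless defined $WARN_OS; $WARN_OS = "yes"; }` keeps the once-only logic in one place and lets the existing `# JJB/HP - Should this be B_log?` question be settled once. Since `$WARN_OS` is now exported, document next to it that it is set once the first OS-detection warning has been printed.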
@@ -384,7 +387,8 @@ $distro = "RHFC$1"; } else { - print STDERR "$err Could not determine Fedora version! Setting to Fedora Core 5\n"; + print STDERR "$err Could not determine Fedora version! Setting to Fedora Core 5\n" if ! defined $WARN_OS; + $WARN_OS = "yes"; $distro='RHFC5'; } } @@ -409,24 +413,27 @@ $distro='RHEL3AS'; } else { - print STDERR "$err Could not determine CentOS version! Setting to Red Hat Enterprise 4 AS.\n"; + print STDERR "$err Could not determine CentOS version! Setting to Red Hat Enterprise 4 AS.\n" if ! defined $WARN_OS; + $WARN_OS = "yes"; $distro='RHEL4AS'; } } else { # JJB/HP - Should this be B_log? - print STDERR "$err Couldn't determine Red Hat version! Setting to 9!\n"; + print STDERR "$err Couldn't determine Red Hat version! Setting to 9!\n" if ! defined $WARN_OS; + $WARN_OS = "yes"; $distro="RH9"; } close(REDHAT_RELEASE); } elsif ( -e "/etc/debian_version" ) { - $stable="3.0"; #Change this when Debian stable changes + $stable="5.0"; #Change this when Debian stable changes open(*DEBIAN_RELEASE,"/etc/debian_version"); $release=; unless ($release =~ /^(\d+\.\d+\w*)/) { - print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n"; + print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n" if ! defined $WARN_OS; + $WARN_OS = "yes"; $distro="DB$stable"; } else { @@ -444,7 +451,8 @@ $distro="SESLES$1"; } else { - print STDERR "$err Couldn't determine SuSE version! Setting to 7.2!\n"; + print STDERR "$err Couldn't determine SuSE version! Setting to 7.2!\n" if ! defined $WARN_OS; + $WARN_OS = "yes"; $distro="SE7.2"; } close(SUSE_RELEASE); 
@@ -453,7 +461,8 @@ open(*TURBOLINUX_RELEASE,"/etc/turbolinux-release"); $release=; unless ($release =~ /^Turbolinux Workstation (\d+\.\d+\w*)/) { - print STDERR "$err Couldn't determine TurboLinux version! Setting to 7.0!\n"; + print STDERR "$err Couldn't determine TurboLinux version! Setting to 7.0!\n" if ! defined $WARN_OS; + $WARN_OS = "yes"; $distro="TB7.0"; } else { @@ -468,7 +477,8 @@ $release=`/usr/bin/uname -sr`; } else { - print STDERR "$err Could not determine operating system version!\n"; + print STDERR "$err Could not determine operating system version!\n" if ! defined $WARN_OS; + $WARN_OS = "yes"; $distro="unknown"; } @@ -552,7 +562,7 @@ sub getSupportedOSHash () { my %osHash = ("LINUX" => [ - "DB2.2", "DB3.0", + "DB2.2", "DB3.0", "DB3.1", "DB4.0", "DB4.1", "DB5.0", "RH6.0","RH6.1","RH6.2","RH7.0", "RH7.1","RH7.2","RH7.3","RH8.0", "RH9", @@ -2420,6 +2430,12 @@ if(&GetDistro =~ "^HP-UX"){ &B_swmodify($file); } + if(&GetDistro =~ "^DB"){ + # If the distribution is Debian, use dpkg-statoverride + # to add the changes to the override list so + # that dpkg preserves the mode change on package upgrades + B_statoverride($file); + } # making changes revert-able &B_revert_log(&getGlobal('BIN', "chmod") . " $old_perm $file\n"); } @@ -2487,6 +2503,12 @@ if(&GetDistro =~ "^HP-UX"){ &B_swmodify($file); } + if(&GetDistro =~ "^DB"){ + # If the distribution is Debian, use dpkg-statoverride + # to add the changes to the override list so + # that dpkg preserves the mode change on package upgrades + B_statoverride($file); + } # making ownership change revert-able &B_revert_log(&getGlobal('BIN', "chown") . " $oldown $file\n"); } 
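Review bot: The `if(&GetDistro =~ "^DB")` wrapper around `B_statoverride($file)` duplicates the check B_statoverride performs on entry, and the same four-line comment block is pasted into B_chown (next hunk), B_chgrp (L32) and the API.pm.sweth copies (L38, L39); a single `&B_statoverride($file);` — with the ampersand the neighbouring `&B_swmodify` call uses — plus the explanation on the subroutine itself would suffice. Worth documenting at the call site: the override is registered before `&B_revert_log`, so the revert script records the mode change, but nothing records a previous override for the same path, which `--force --add` replaces.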
@@ -2554,6 +2576,12 @@ if(&GetDistro =~ "^HP-UX"){ &B_swmodify($file); } + if(&GetDistro =~ "^DB"){ + # If the distribution is Debian, use dpkg-statoverride + # to add the changes to the override list so + # that dpkg preserves the mode change on package upgrades + B_statoverride($file); + } &B_revert_log(&getGlobal('BIN', "chgrp") . " $oldgown $file\n"); } } @@ -2643,17 +2671,35 @@ &B_log("ACTION","# chkconfig_on enabling $startup_script\n"); - # In Debian system there is no chkconfig script, run levels are checked - # one by one (jfs) + # In Debian system there is no chkconfig script, runlevels are checked + # one by one. + # TODO: this code is not correct since the start/stop order is hardcoded + # it might be reasonable to try to retrieve chkconfig information and, + # if not available, use sensible defaults. Notice, however, that + # both Psad and bastille-firewall are pre-set in Debian (the init.d + # script and rc links are there already) so we will not call this code + # from Bastille/Firewall.pm or Bastille/PSAD.pm + # (jfs) if (&GetDistro =~/^DB.*/) { $filetolink = &getGlobal('DIR', "initd") . "/$startup_script"; if (-x $filetolink) { - foreach my $level ("0","1","2","3","4","5","6" ) { + foreach my $level ( "0","1","6" ) { my $link = ''; - $link = &getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/K50" . "$startup_script"; + while ( $link = glob(&getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/*" . "$startup_script") ) { + unlink ($link); + } + $link = &getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/K$stop_order" . "$startup_script"; $retval=symlink($filetolink,$link); } + foreach my $level ( "2","3","4","5" ) { + my $link = ''; + while ( $link = glob(&getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/*" . "$startup_script") ) { + unlink ($link); + } + $link = &getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/S$start_order" . "$startup_script"; + $retval=symlink($filetolink,$link); + } } return $retval; } 
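Review bot: The glob `rc$level.d/*$startup_script` matches any link whose name merely ends with the script name, so enabling `foo` would also unlink `S20barfoo` belonging to another service; anchoring on the standard prefix, `".d/[SK][0-9][0-9]" . "$startup_script"`, limits removal to this script's links. The new K/S names are built from `$stop_order`/`$start_order`, which the TODO above admits are not derivable on Debian; when either is undefined the name degenerates to `Sbastille-firewall` with no ordering, so log an error and return before the symlink loop unless both are defined. None of the unlink/symlink calls go through `&B_revert_log`, unlike the chmod/chown changes elsewhere in this file, so RevertBastille cannot restore the previous rc links; the same two points apply to the S-link removal loop in B_chkconfig_off (L33).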
@@ -2818,18 +2864,21 @@ # Three ways to do this in Debian: # 1.- have the initd script set to 600 mode # 2.- Remove the links in rcd (re-installing the package - # will break it) + # will break it if we remove all of them) # 3.- Use update-rc.d --remove (same as 2.) # (jfs) &B_chmod(0600,$filetolink); $retval=6; - # The second option - #foreach my $level ("0","1","2","3","4","5","6" ) { - #my $link = ''; - #$link = &getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/K50" . "$startup_script"; - #unlink($link); - #} + # The second option, we only remove the S links, + # Debian will not recreate them if there are still K + # links around. + foreach my $level ( "S", "0","1","2","3","4","5","6" ) { + my $link = ''; + while ( $link = glob(&getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/S*" . "$startup_script") ) { + unlink($link); + } + } } } @@ -3307,11 +3356,12 @@ alarm 0; # turn off alarm immediately after getting line # there is a response + $response =~ s/^\s+//; # Strip off initial whitespace if( lc( $response ) eq "accept" ) { my $touch = &getGlobal('BIN', "touch"); my $retVal = system("$touch $nodisclaim_file"); if( $retVal != 0 ) { - &ErrorLog ( &getGlobal('ERROR','disclaimer')); + &B_log("ERROR",'disclaimer'); } # if else { print("This disclaimer will not appear again on this machine.\n" . --- bastille-3.0.9.orig/Bastille/TMPDIR.pm +++ bastille-3.0.9/Bastille/TMPDIR.pm 
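Review bot: `&B_log("ERROR",'disclaimer')` now logs the literal word `disclaimer` instead of the message the old `&getGlobal('ERROR','disclaimer')` lookup produced; keep the lookup inside the new call: `&B_log("ERROR", &getGlobal('ERROR','disclaimer'));`. The added `s/^\s+//` strips leading blanks but nothing strips trailing ones, so `accept ` still fails the `eq "accept"` test; `$response =~ s/^\s+|\s+$//g;` covers both ends. The pre-existing `system("$touch $nodisclaim_file")` on the next line goes through the shell; the list form `system($touch, $nodisclaim_file)` does not.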
@@ -37,13 +37,17 @@ if (&getGlobalConfig("TMPDIR","tmpdir") eq 'Y' ) { # Bourne/BASH unless ( -e $final_bash_script ) { - &B_place($virgin_bash_script,$final_bash_script); - &B_chmod(0755,$final_bash_script); + if ( -d "/etc/profile.d/" ) { + &B_place($virgin_bash_script,$final_bash_script); + &B_chmod(0755,$final_bash_script); + } } # CSH/TCSH ... unless ( -e $final_csh_script ) { - &B_place($virgin_csh_script,$final_csh_script); - &B_chmod(0755,$final_csh_script); + if ( -d "/etc/profile.d/" ) { + &B_place($virgin_csh_script,$final_csh_script); + &B_chmod(0755,$final_csh_script); + } } # 'tmpwatch' defense unless ( -e $final_defense_script ) { --- bastille-3.0.9.orig/Bastille/Debian_API.pm +++ bastille-3.0.9/Bastille/Debian_API.pm 
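Review bot: When `/etc/profile.d/` is absent the two profile scripts are now skipped silently, so the TMPDIR setting is never applied to login shells and nothing in the log says so; add an `else` branch such as `&B_log("WARNING","/etc/profile.d/ not found; skipping $final_bash_script\n");`. The directory test is repeated verbatim for the csh case; evaluating it once, `my $have_profile_d = -d "/etc/profile.d/";`, and reusing it keeps both branches in step. The enclosing `if` continues past this hunk.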
@@ -0,0 +1,62 @@ +# Copyright 2006 Javier Fernandez-Sanguino +# This file contains all of the Debian-unique subroutines +# $Id: $ + +#################################################################### +# +# This module makes up the Debian specific API routines. +# +#################################################################### +# +# Subroutine Listing: +# +# &B_statoverride($): Takes a file name and adds it current +# permissions to the dpkg-statoverride list +# +##################################################################### + + +################################################################### +# &B_statoverride($file); +# This subroutine is called after a file is modified (user, group +# or permission ownership changes. It will add the current permissions and +# owner to the dpkg-statoverride lists so that the changes are preserved on +# package upgrades. +# +# Returns: 0 if statoverride was succesfully called (or was not called) +# 1 if the called of dpkg-statoverride returned an error +# +################################################################## +sub B_statoverride ($) { + my $file = $_[0]; + + # If the distribution is not Debian or there is no binary do nothing + return 0 if &GetDistro !~ "^DB" || ! -e "/usr/sbin/dpkg-statoverride" ; + + # If the file does not exist return + return 0 if ! -e $file ; + # If the file is a symlink return + # TODO - to cater for the alternatives' subsystem we would need to + # dereference the file it points to and apply dpkg-statoverride there + return 0 if -l $file ; + + # Get the current stats of the file + my $uid= (stat($file))[4]; + my $gid= (stat($file))[5]; + my $perm = (stat($file))[2]; + my $perm_formatted = sprintf("%05lo", $perm); + $perm_formatted =~ s/^1//; + + + my @override = ("/usr/sbin/dpkg-statoverride", "--force", "--add", "#$uid", "#$gid", "$perm_formatted", "$file"); + &B_log("ACTION","Setting permissions with dpkg-statoverride:". 
+ join(" ", @override)."\n"); + if ( system (@override) != 0 ) { + &B_log("ERROR","Couldn't set a dpkg-statoverride for $file: $?\n"); + return 1; + } + return 0; +} + + +1; --- bastille-3.0.9.orig/Bastille/SecureInetd.pm +++ bastille-3.0.9/Bastille/SecureInetd.pm @@ -122,6 +122,8 @@ in.fingerd : ALL : DENY # Allow ssh -- the administrator should consider tightening this down sshd : ALL : ALLOW +# prevent issues with local services +ALL: LOCAL, 127.0.0.1 # but everything else is denied & reported with safe_finger ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port Denial noted %d-%h" root) & : DENY '; @@ -228,6 +230,10 @@ # Bastille modifications made below... +# Allow local communication to make local services (like FAM or +# printer services) work +ALL: LOCAL, 127.0.0.1 + # Let everyone ssh here. sshd: $ssh_allowed_hosts : ALLOW --- bastille-3.0.9.orig/Bastille/Firewall.pm +++ bastille-3.0.9/Bastille/Firewall.pm @@ -390,9 +390,12 @@ if ( $? ne 0 ) { &B_log("ERROR","# Firewall.pm: error $? invoking \"$firewall_init_script\"\n"); } else { - # since it started OK, lets' enable it at boot time - &B_log("ACTION","# Firewall.pm: enabling firewall with B_chkconfig_on\n"); - &B_chkconfig_on("bastille-firewall"); + if ( $distro !~ /^DB/ ) { + # since it started OK, lets' enable it at boot time + # since it started OK, lets' enable it at boot time + &B_log("ACTION","# Firewall.pm: enabling firewall with B_chkconfig_on\n"); + &B_chkconfig_on("bastille-firewall"); + } } } # firewall is executable # } else { --- bastille-3.0.9.orig/Bastille/IOLoader.pm +++ bastille-3.0.9/Bastille/IOLoader.pm @@ -247,7 +247,7 @@ $data =~ s/\bMN\b/$supported_versions/; } if ($data =~ /\bDB\b/) { - my $supported_versions = 'DB2.2 DB3.0'; + my $supported_versions = 'DB2.2 DB3.0 DB3.1 DB4.0 DB4.1 DB5.0'; $data =~ s/\bDB\b/$supported_versions/; } if ($data =~ /\bSE\b/) { --- bastille-3.0.9.orig/Bastille/API.pm.sweth +++ bastille-3.0.9/Bastille/API.pm.sweth 
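Review bot: Debian_API.pm has no `package` statement, so B_statoverride is compiled into `main::` while API.pm calls it unqualified from package Bastille::API (L31); unless that name is aliased elsewhere, the call dies with an undefined-subroutine error at run time — add `package Bastille::API;` after the header, as the other *_API modules presumably do (not visible here). The mode formatting only handles regular files: `sprintf("%05lo", $perm)` includes the file-type bits and `s/^1//` strips them only for the `01xxxxx` type, so a directory yields `40755`, which dpkg-statoverride rejects; mask instead and take all three fields from one stat: `my ($perm, $uid, $gid) = (stat($file))[2, 4, 5]; my $perm_formatted = sprintf("%04o", $perm & 07777);`. State in the header comment that `--force --add` silently replaces an existing override, so an administrator's prior override for the same path is lost and a later `--remove` will not bring it back. The error log prints the raw wait status `$?`; `$? >> 8` is the exit status.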
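Review bot: `ALL: LOCAL, 127.0.0.1` grants every wrapped service to any peer matched by the `LOCAL` wildcard, which is name-based: libwrap treats a client whose resolved hostname contains no dot as LOCAL, so hosts with short reverse-DNS names in the same domain, or a peer whose DNS the attacker controls, also pass — not just loopback. If local services are the intent, `ALL: 127.0.0.1` (plus `[::1]` where the wrapper library supports IPv6) is the precise form; if LAN hosts are intended, list their addresses. Because hosts_access is first-match, the rule also precedes the `sshd: $ssh_allowed_hosts : ALLOW` line in the second hunk and the spawn/DENY catch-all in the first, so whatever it matches is no longer logged by the safe_finger rule. Both hunks in this file carry the same line.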
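Review bot: The comment `# since it started OK, lets' enable it at boot time` is duplicated inside the new `if ( $distro !~ /^DB/ )` block, and neither copy says why Debian is skipped; replace the pair with one comment giving the reason the API.pm hunk states (Debian ships the rc links with the package, so B_chkconfig_on must not rewrite them). Whether `$distro` is set in this scope is not visible in the hunk; the sibling hunks use `&GetDistro`, which would be the consistent choice: `if ( &GetDistro !~ /^DB/ ) {`.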
@@ -2,6 +2,17 @@ # Licensed under the GNU General Public License package Bastille::API; +# Libraries for the Backup_file routine: Cwd and File::Path +use Cwd; +use Bastille::HP_API; +use Bastille::OSX_API; +use Bastille::Debian_API; +# The old LogAPI is still needed for the calls to B_log used +# in some programs +use Bastille::LogAPI; +use File::Path; +use File::Basename; + ## TO DO: # @@ -157,6 +168,7 @@ B_append_line B_insert_line B_prepend_line B_replace_line B_hash_comment_line B_hash_uncomment_line B_delete_line B_create_file B_create_dir B_delete_file B_chmod B_chown B_chgrp B_chkconfig_off + B_chkconfig_on B_cp B_place B_mknod B_init_file $GLOBAL_PREFIX $GLOBAL_LOGONLY $GLOBAL_DISTRO %GLOBAL_BIN %GLOBAL_DIR %GLOBAL_FILE %GLOBAL_MISC @@ -359,6 +371,12 @@ 'file' => '/etc/slackware-version', 'regex' => '^(\d\w*(\.\d\w*)+)', 'default' => '7.0.0' + }, + { + 'distro' => 'DB', + 'file' => '/etc/debian_version', + 'regex' => '^(\d+\.\d+\w*)', + 'default' => '5.0' } ], 'SunOS' => [ 
@@ -469,6 +487,41 @@ "RH6.2" => { "accton" => '/sbin/accton' }, + "DB3.0" => { + "floppy" => "/floppy", + "httpd.conf" => "/etc/apache/httpd.conf", + "httpd_access.conf" => "/etc/apache/access.conf", + "initd" => "/etc/init.d", + "rcd" => "/etc/" + }, + "DB3.1" => { + "floppy" => "/floppy", + "httpd.conf" => "/etc/apache/httpd.conf", + "httpd_access.conf" => "/etc/apache/access.conf", + "initd" => "/etc/init.d", + "rcd" => "/etc/" + }, + "DB4.0" => { + "floppy" => "/floppy", + "httpd.conf" => "/etc/apache/httpd.conf", + "httpd_access.conf" => "/etc/apache/access.conf", + "initd" => "/etc/init.d", + "rcd" => "/etc/" + }, + "DB4.1" => { + "floppy" => "/floppy", + "httpd.conf" => "/etc/apache/httpd.conf", + "httpd_access.conf" => "/etc/apache/access.conf", + "initd" => "/etc/init.d", + "rcd" => "/etc/" + }, + "DB5.0" => { + "floppy" => "/floppy", + "httpd.conf" => "/etc/apache/httpd.conf", + "httpd_access.conf" => "/etc/apache/access.conf", + "initd" => "/etc/init.d", + "rcd" => "/etc/" + }, "SO2.6" => { }, "SO7" => { @@ -1702,6 +1755,12 @@ &ActionLog( "#ERROR: couldn't change ownership to $newown on file $original_file\n"); &ErrorLog("#ERROR: couldn't change ownership to $newown on file $original_file\n"); }; + if(&GetDistro =~ "^DB"){ +# If the distribution is Debian, use dpkg-statoverride +# to add the changes to the override list so +# that dpkg preserves the mode change on package upgrades + B_statoverride($file); + } } else { &ActionLog("#ERROR: chown: File $original_file doesn't exist!\n"); &ErrorLog("#ERROR: chown: File $original_file doesn't exist!\n"); 
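Review bot: The five DB entries are identical five-line hashes; building one `%debian_paths` and assigning it to each key (`map { $_ => { %debian_paths } } qw(DB3.0 DB3.1 DB4.0 DB4.1 DB5.0)`) keeps them from drifting apart. `"rcd" => "/etc/"` carries a trailing slash while `"initd" => "/etc/init.d"` does not, so the path built in B_chkconfig_on becomes `/etc//rc2.d`; drop the slash for consistency.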
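Review bot: The inserted `B_statoverride($file);` refers to `$file`, but the surrounding lines of this routine name the target `$original_file`; if `$file` is not declared in this scope the call passes undef (or fails to compile under `use strict`), and the override is never recorded. Pass the variable the routine actually uses, `&B_statoverride($original_file);`, here and in the chgrp hunk at L39, and indent the comment block to the enclosing level. The enclosing routine starts and ends outside this hunk.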
@@ -1754,6 +1813,12 @@ &ActionLog("#ERROR: couldn't change ownership to $newgown on file $original_file\n"); &ErrorLog("#ERROR: couldn't change ownership to $newgown on file $original_file\n"); }; + if(&GetDistro =~ "^DB"){ +# If the distribution is Debian, use dpkg-statoverride +# to add the changes to the override list so +# that dpkg preserves the mode change on package upgrades + B_statoverride($file); + } } else { &ActionLog( "#ERROR: chgrp: File $original_file doesn't exist!\n"); &ErrorLog("#ERROR: chgrp: File $original_file doesn't exist!\n"); @@ -1853,7 +1918,7 @@ ########################################################################### -# &B_chkconfig_off ($deamon_name) deletes the symbolic links that are +# &B_chkconfig_off ($daemon_name) deletes the symbolic links that are # named in the "# chkconfig: ___ _ _ " portion of the init.d files. We # need this utility, in place of the distro's chkconfig, because of both # our need to add undo functionality and our need to harden distros that @@ -1892,7 +1957,7 @@ unless ($return) { &ActionLog("Didn't chkconfig_off $startup_script because we couldn't open " . $GLOBAL_DIR{"initd"} . "/$startup_script\n"); } else { - + READ_LOOP: while (my $line=) { 
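Review bot: Here too `B_statoverride($file)` runs after the failure branch rather than inside the success branch, so a chgrp that could not be applied (the `#ERROR: couldn't change ownership to $newgown` case above it) still gets a dpkg-statoverride entry, and it receives `$file` while the messages refer to `$original_file`. The copied comment also talks about a 'mode change' although this is the group-ownership path; suggested text: `# On Debian, record the new group with dpkg-statoverride so that package upgrades do not undo it`. The beginning of B_chgrp is outside the hunk, so whether $GLOBAL_LOGONLY short-circuits before this point cannot be confirmed here.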
@@ -1908,13 +1973,19 @@ }; close CHKCONFIG; - # If we never found a chkconfig line, can we just run through all 5 - # rcX.d dirs from 1 to 5...? + # If we never found a chkconfig line, as will happen in Debian-derived + # distributions then just run can we just run through all 5 + # rcX.d dirs from 1 to 5... and remove the 'S' calls + + # Note: We have to be careful not to remove all the links, but just + # the S links. Debian packaging system will not recreate the S links + # when the package is upgraded if there are still K + # links around. - # unless ( $start_order and $stop_order ) { - # @runlevels=("1","2","3","4","5"); - # $start_order = "*"; $stop_order="*"; - # }; + unless ( $start_order and $stop_order ) { + @runlevels=("1","2","3","4","5"); + $start_order = "*"; $stop_order="*"; + }; # Now, run through removing symlinks... 
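Review bot: The re-enabled fallback feeds `$start_order = "*"; $stop_order="*"` and levels 1–5 into the removal loop that begins at `# Now, run through removing symlinks...` and continues outside the hunk, so whether only the S links are unlinked — which the new comment says is essential, because dpkg will not recreate S links while K links remain — cannot be checked from here; if that loop builds `K$stop_order$startup_script` names the way B_chkconfig_on in this patch does, the wildcard would remove the K links as well. Debian boot scripts such as the added debian/bastille-firewall declare `Default-Start: S`, and rcS.d is not among the hard-coded levels 1–5. The comment text is garbled: `then just run can we just run through all 5` should read `then just run through all 5`.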
@@ -2138,4 +2209,193 @@ $return; }; +########################################################################### +# &B_chkconfig_on ($daemon_name) creates the symbolic links that are +# named in the "# chkconfig: ___ _ _ " portion of the init.d files. We +# need this utility, in place of the distro's chkconfig, because of both +# our need to add revert functionality and our need to harden distros that +# are not mounted on /. +# +# It uses the following global variables to find the links and the init +# scripts, respectively: +# +# $GLOBAL_DIR{"rcd"} -- directory where the rc_.d subdirs can be found +# $GLOBAL_DIR{"initd"} -- directory the rc_.d directories link to +# +# Here an example of where you might use this: +# +# You'd like to tell the system to run the firewall at boot: +# B_chkconfig_on("bastille-firewall") +# +########################################################################### + +# PW: Blech. Copied B_chkconfig_off() and changed a few things, +# then changed a few more things.... + +sub B_chkconfig_on { + + my $startup_script=$_[0]; + my $retval=1; + + my $chkconfig_line; + my ($runlevelinfo,@runlevels); + my ($start_order,$stop_order,$filetolink); + + &ActionLog("# chkconfig_on enabling $startup_script\n"); + + # In Debian system there is no chkconfig script, runlevels are checked + # one by one. + # TODO: this code is not correct since the start/stop order is hardcoded + # it might be reasonable to try to retrieve chkconfig information and, + # if not available, use sensible defaults. Notice, however, that + # both Psad and bastille-firewall are pre-set in Debian (the init.d + # script and rc links are there already) so we will not call this code + # from Bastille/Firewall.pm or Bastille/PSAD.pm + # (jfs) + if (&GetDistro =~/^DB.*/) { + $filetolink = $GLOBAL_DIR{"initd"} . "/$startup_script"; + if (-x $filetolink) + { + foreach my $level ( "0","1","6" ) { + my $link = ''; + while ( $link = $GLOBAL_DIR{"rcd"} . "/rc" . "$level" . ".d/*" . 
"$startup_script" ) { + unlink ($link); + } + $link = $GLOBAL_DIR{"rcd"} . "/rc" . "$level" . ".d/K$stop_order" . "$startup_script"; + $retval=symlink($filetolink,$link); + } + foreach my $level ( "2","3","4","5" ) { + my $link = ''; + while ( $link = $GLOBAL_DIR{"rcd"} . "/rc" . "$level" . ".d/*" . "$startup_script" ) { + unlink ($link); + } + $link = $GLOBAL_DIR{"rcd"} . "/rc" . "$level" . ".d/S$start_order" . "$startup_script"; + $retval=symlink($filetolink,$link); + } + } + return $retval; + } + # + # On SUSE, chkconfig-based rc scripts have been replaced with a whole different + # system. chkconfig on SUSE is actually a shell script that does some stuff and then + # calls insserv, their replacement. + # + + if (&GetDistro =~ /^SE/) { + if (system("chkconfig $startup_script on") == 0) { + return 1; + } + else { + return 0; + } + + } + + # + # Run through the init script looking for the chkconfig line... + # + $retval = open CHKCONFIG, $GLOBAL_DIR{"initd"} . "/$startup_script"; + unless ($retval) { + &ActionLog("# Didn't chkconfig_on $startup_script because we couldn't open " . $GLOBAL_DIR{"initd"} . "/$startup_script\n"); + } + else { + + READ_LOOP: + while (my $line=) { + + # We're looking for lines like this one: + # # chkconfig: 2345 10 90 + # OR this + # # chkconfig: - 10 90 + + if ($line =~ /^#\s*chkconfig:\s*([-\d]+)\s*(\d+)\s*(\d+)/ ) { + $runlevelinfo = $1; + $start_order = $2; + $stop_order = $3; + # handle a run levels arg of '-' + if ( $runlevelinfo eq '-' ) { + &ActionLog("chkconfig_on saw '-' for run levels for \"$startup_script\", is defaulting to levels 3,4,5\n"); + $runlevelinfo = '345'; + } + @runlevels = split(//,$runlevelinfo); + # make sure the orders have 2 digits + $start_order =~ s/^(\d)$/0$1/; + $stop_order =~ s/^(\d)$/0$1/; + last READ_LOOP; + } + } + close CHKCONFIG; + + # Do we have what we need? + if ( (scalar(@runlevels) < 1) || (! $start_order =~ /^\d{2}$/) || (! 
$stop_order =~ /^\d{2}$/) ) { + # problem + &ErrorLog("# B_chkconfig_on $startup_script failed -- no valid run level/start/stop info found\n"); + return(-1); + } + + # Now, run through creating symlinks... + &ActionLog("# chkconfig_on will use run levels ".join(",",@runlevels)." for \"$startup_script\" with S order $start_order and K order $stop_order\n"); + + $retval=0; + # BUG: we really ought to readdir() on $GLOBAL_DIR{"rcd"} to get all levels + foreach my $level ( "0","1","2","3","4","5","6" ) { + my $link = ''; + # we make K links in run levels not specified in the chkconfig line + $link = $GLOBAL_DIR{"rcd"} . "/rc" . $level . ".d/K$stop_order" . $startup_script; + my $klink = $link; + # now we see if this is a specified run level; if so, make an S link + foreach my $markedlevel ( @runlevels ) { + if ( $level == $markedlevel) { + $link = $GLOBAL_DIR{"rcd"} . "/rc" . $level . ".d/S$start_order" . $startup_script; + } + } + my $target = $GLOBAL_DIR{"initd"} ."/" . $startup_script; + my $local_return; + + if ( (-e "$klink") && ($klink ne $link) ) { + # there's a K link, but this level needs an S link + unless ($GLOBAL_LOGONLY) { + $local_return = unlink("$klink"); + if ( ! local_return ) { + # unlinking old, bad $klink failed + &ErrorLog("Unlinking $klink failed\n"); + } else { + &ActionLog("Removed link $klink\n"); + # If we removed the link, add a link command to the revert file + &B_init_file ("removed-symlinks"); + + open REMOVED_SYMLINKS,">>" . $GLOBAL_BFILE{"removed-symlinks"}; + print REMOVED_SYMLINKS "ln -s $target $link\n"; + close REMOVED_SYMLINKS; + } # close what to do if unlink works + } # if not GLOBAL_LOGONLY + } # if $klink exists and ne $link + + # OK, we've disposed of any old K links, make what we need + if ( (! 
( -e "$link" )) && ($link ne '') ) { + # link doesn't exist and the start/stop number is OK; make it + unless ($GLOBAL_LOGONLY) { + # create the link + $local_return = &B_symlink($target,$link); + if ($local_return) { + $retval++; + &ActionLog("Created link $link\n"); + } else { + &ErrorLog("Couldn't create $link when trying to chkconfig on $startup_script\n"); + } + } + + } # link doesn't exist + } # foreach level + + } + + if ($retval < @runlevels) { + $retval=0; + } + + $retval; + +} 1; + --- bastille-3.0.9.orig/bin/bastille +++ bastille-3.0.9/bin/bastille @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # for "what": # "@(#) Bastille version: 2.2.0" # Copyright (C) 2001-2003 Hewlett Packard Company @@ -95,12 +95,13 @@ do if /usr/bin/diff $last_config $config_cursor >/dev/null 2>&1 then - match="$match $config_cursor\n" + match="$match $config_cursor" fi done if [ -n "$match" ]; then echo "The last bastille run corresponds to the following profiles:" echo "$match" + echo else cat >&2 << EOF NOTE: The last config file, @@ -115,7 +116,8 @@ fi else - echo "NOTE: The system is in its pre-bastilled state.\n" + echo "NOTE: The system is in its pre-bastilled state." + echo fi } @@ -178,6 +180,7 @@ options_left=""; #options to pass to the perl script runcmd="${CURRENT_PERL_PATH}/perl $scripts_location/InteractiveBastille" # The command that will eventually be run needx='yes' # Determines if we need to search for the Tk libraries + [ -z "$DISPLAY" ] && needx='no' # Do not use X if DISPLAY is unset optarg='no' # Used to flag options that have an argument for current_option in $@ do 
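Review bot: The Debian branch cannot terminate: `while ( $link = $GLOBAL_DIR{"rcd"} . "/rc" . "$level" . ".d/*" . "$startup_script" )` assigns a non-empty string, which is always true, and `unlink` of a path containing a literal `*` removes nothing, so both runlevel loops spin forever; they need a `glob()` over the pattern, and because `$start_order`/`$stop_order` are still undef at that point the links would be named `K`/`S` plus the script name with no sequence number. Later, `if ( ! local_return )` lacks the `$` sigil, so the bareword is always true and the `Unlinking $klink failed` branch can never be reached (or the file does not compile under `use strict`), and `(! $start_order =~ /^\d{2}$/)` negates the value before matching, which makes that validation a no-op — write `$start_order !~ /^\d{2}$/` and likewise for `$stop_order`. `open REMOVED_SYMLINKS,">>" . $GLOBAL_BFILE{"removed-symlinks"}` is an unchecked two-argument open on a bareword handle; at least test its result before printing. The whole of B_chkconfig_on is inside the hunk; the fence shows the Debian branch with the loops replaced, using the orders from the `# chkconfig: 2345 5 98` line of the Debian init script added in this patch as defaults.
```perl
    if (&GetDistro =~/^DB.*/) {
        $filetolink = $GLOBAL_DIR{"initd"} . "/$startup_script";
        # Debian init scripts carry no chkconfig line; fall back to the
        # orders used by debian/bastille-firewall (S05 / K98).
        $start_order = "05" unless defined $start_order;
        $stop_order  = "98" unless defined $stop_order;
        if (-x $filetolink) {
            foreach my $level ( "0","1","6" ) {
                foreach my $old ( glob($GLOBAL_DIR{"rcd"} . "/rc$level.d/*$startup_script") ) {
                    unlink($old) or &ErrorLog("Couldn't remove $old: $!\n");
                }
                my $link = $GLOBAL_DIR{"rcd"} . "/rc$level.d/K$stop_order$startup_script";
                $retval = symlink($filetolink, $link);
            }
            # … unchanged: levels 2-5, same glob() replacement, creating S$start_order links …
        }
        return $retval;
    }
    # … unchanged: SUSE branch, chkconfig-line parsing …
    if ( (scalar(@runlevels) < 1) || ($start_order !~ /^\d{2}$/) || ($stop_order !~ /^\d{2}$/) ) {
    # … unchanged: link creation loop …
                if ( ! $local_return ) {
```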
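Review bot: Dropping the literal `\n` from `match="$match $config_cursor"` (bash's builtin echo does not expand it, which is presumably why it went) means every matching profile is now printed on one space-separated line under "The last bastille run corresponds to the following profiles:"; use `printf '%s\n' $match` in place of `echo "$match"`, or accumulate with `match="$match $config_cursor"$'\n'`, so each profile keeps its own line. The function containing this loop starts before the hunk.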
@@ -339,7 +342,9 @@ $ERRSPACES override Bastille's search path by setting the $ERRSPACES \$CORRECT_PERL_PATH environment variable to the directory $ERRSPACES that the desired perl binary is located in. - +$ERRSPACES If you don't want to use the default X11 interface then +$ERRSPACES run 'bastille -c'. For more information on available interfaces +$ERRSPACES see bastille(1m) or run 'bastille -h' EOF fi --- bastille-3.0.9.orig/debian/Bastille-doc.files +++ bastille-3.0.9/debian/Bastille-doc.files @@ -0,0 +1,2 @@ +#DOCS# + --- bastille-3.0.9.orig/debian/bastille-firewall +++ bastille-3.0.9/debian/bastille-firewall 
@@ -0,0 +1,135 @@ +#!/bin/bash +# +### BEGIN INIT INFO +# Provides: bastille-firewall +# Required-Start: $network +# Required-Stop: $network +# Default-Start: S +# Default-Stop: 0 6 +# Short-Description: Load/unload ipchains rulesets +# Description: A firewall/packet-filter script for Linux systems +# that allows the machine to be used as a gateway system +### END INIT INFO +# +# chkconfig: 2345 5 98 +# +# $Id: bastille-firewall,v 1.6 2002/02/24 17:19:14 peterw Exp $ +# Copyright (c) 1999-2002 Peter Watkins +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Thanks to David Ranch, Brad A, Don G, and others for their suggestions +# +# This script is designed to be used as a SysV-style init script. +# +# It should be run with a "start" argument +# 1) as an rc?.d "S" script, _before_ the "network" script +# [copy this to /etc/rc.d/init.d/bastille-firewall (or your equivalent of +# /etc/rc.d/init.d) and run 'chkconfig -add bastille-firewall' ] +# 2) any time an interface is brought up or changed, e.g. +# establishing a PPP conection or renewing a DHCP lease +# [copy 'bastille-firewall-reset', 'bastille-firewall-schedule' +# and 'ifup-local' to /sbin/] +# +# Normally you Do Not _Ever_ Want to run this with a "stop" argument! +# +# Note that running this with "stop" will disable the firewall and open +# your system to all network traffic; if you make changes to these rules, +# apply them by running the script again with a "start" argument. 
+# +# ** As of 0.99-beta1, this script merely kicks off the real script, +# either /sbin/bastille-ipchains or /sbin/bastille-netfilter + +# Default is to use the 'ipchains' script, which will load the +# ipchains compatibility module if you're using a 2.4 kernel +REALSCRIPT=/sbin/bastille-ipchains +PATH=/sbin:/bin:/usr/sbin:/usr/bin +CFG=/etc/Bastille/bastille-firewall.cfg + +# Do not run if there is no configuration file +if [ ! -f "$CFG" ] ; then + case "$1" in + start|restart|reload|force-reload) + echo "WARNING: Bastille-firewall is not configured yet" + echo "Please create $CFG to enable it." + echo "(HINT: use InteractiveBastille)" + ;; + esac + exit 0 +fi + +# exit function to be called in place of regular Bourne exit +clean_exit() +{ + rmdir /var/lock/bastille-firewall 2>/dev/null + exit $1 +} + +[ ! -d /var/lock ] && mkdir -m 0755 /var/lock + +mkdir -m 0700 /var/lock/bastille-firewall 2>/dev/null +if [ $? -ne 0 ]; then + if [ -n "${BASTILLE_FWALL_QUIET_FAIL}" ]; then exit 0; fi + echo "ERROR: bastille-firewall currently being reset or lock is stuck." + echo "To un-stick, remove the directory /var/lock/bastille-firewall" + exit 1 +fi + +if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then + # We are using Linux 2.3 or newer; use the netfilter script if available + if [ -x /sbin/bastille-netfilter ]; then + REALSCRIPT=/sbin/bastille-netfilter + fi +fi + +if [ ! -x ${REALSCRIPT} ]; then + echo "ERROR: \"${REALSCRIPT}\" not available!" + clean_exit 1 +fi + + +# Use "bastille" locks to indicate our status +case "$1" in + start) + echo -n "Starting Bastille firewall.." + ${REALSCRIPT} "$1" + bretval=$? + if [ $bretval -eq 0 ]; then + touch /var/lock/bastille/bastille-firewall + echo "done." + else + echo "FAILED." + fi + ;; + stop) + echo -n "Stopping Bastille firewall.." + ${REALSCRIPT} "$1" + bretval=$? + if [ $bretval -eq 0 ]; then + echo "done." + else + echo "FAILED." 
+ fi + rm -f /var/lock/bastille/bastille-firewall + ;; + restart|reload|force-reload) + $0 start + sleep 1 + $0 stop + bretval=$? + ;; + *) + echo "Usage: $0 {start|stop|restart|reload|force-reload}" + exit 1 + ;; +esac + +clean_exit $bretval + --- bastille-3.0.9.orig/debian/postrm +++ bastille-3.0.9/debian/postrm @@ -0,0 +1,38 @@ +#! /bin/sh +# postrm script for bastille +# +# see: dh_installdeb(1) + +set -e + +case "$1" in + purge) + [ -f /usr/share/Bastille/.nodisclaimer ] && \ + rm -f /usr/share/Bastille/.nodisclaimer + # Clean a few directories + for dir in /var/log/Bastille/ /var/lock/bastille/ + do + if [ -d "$dir" ]; then + find "$dir" \( -type f -o -type l \) -exec rm -f {} \; + fi + done + # Clean only the files we know that we produce + for file in /etc/Bastille/bastille-firewall-early.sh \ + /etc/Bastille/bastille-firewall.cfg \ + /etc/Bastille/config + do + [ -f "$file" ] && rm -f $file + done + ;; + remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) +# Do nothing + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 0 +esac + +#DEBHELPER# + +exit 0 --- bastille-3.0.9.orig/debian/manpages +++ bastille-3.0.9/debian/manpages @@ -0,0 +1,7 @@ +debian/AutomatedBastille.8 +debian/BastilleBackEnd.8 +debian/BastilleChooser.8 +debian/InteractiveBastille.8 +debian/RevertBastille.8 +debian/bastille.7 +docs/bastille.1m --- bastille-3.0.9.orig/debian/lintian.override +++ bastille-3.0.9/debian/lintian.override 
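Review bot: The `restart|reload|force-reload)` arm runs `$0 start`, sleeps, then `$0 stop`, so a restart ends with the firewall removed — the state the header warns will "open your system to all network traffic" — and because the parent still holds the `/var/lock/bastille-firewall` mkdir lock, the re-executed `$0 start` fails with "lock is stuck" before doing anything, leaving only the stop's exit status in `$bretval`. The header also says rule changes are applied by running the script again with a `start` argument, so the simplest correct form is to fold the arm into the start case, `start|restart|reload|force-reload)`, and delete the recursive arm. Two smaller points: the kernel test `$1 == 2 && $2 > 2` only picks the netfilter script for 2.3–2.x kernels, whereas the upstream copy of this script in the same patch now uses `$1$2 > 22`; and `# chkconfig: 2345 5 98` disagrees with the LSB header's `Default-Start: S`.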
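Review bot: On `purge` the `find "$dir" \( -type f -o -type l \) -exec rm -f {} \;` over /var/log/Bastille/ also empties revert/ and revert/backup/ (created by debian/dirs in this patch), i.e. the data RevertBastille needs to undo the hardening, while the hardened configuration itself stays on the system. That may be intended for a purge, but it deserves a comment such as `# NOTE: this discards the revert/ backups; run RevertBastille before purging if the changes are to be undone`, and ideally a warning in prerm. Minor: `rm -f $file` should quote `"$file"` like the `[ -f "$file" ]` test beside it.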
@@ -0,0 +1,20 @@
+bastille source: source-contains-CVS-dir Bastille/CVS
+bastille source: source-contains-CVS-dir CVS
+bastille source: source-contains-CVS-dir Curses/CVS
+bastille source: source-contains-CVS-dir docs/CVS
+bastille source: source-contains-CVS-dir firewall/CVS
+bastille source: source-contains-CVS-dir psad/CVS
+bastille source: source-contains-CVS-dir psad/Psad.pm/CVS
+bastille source: source-contains-CVS-dir psad/Unix-Syslog-0.98/CVS
+bastille source: source-contains-CVS-dir psad/whois-4.5.29/CVS
+bastille source: source-contains-CVS-dir psad/whois-4.5.29/debian/CVS
+bastille source: source-contains-CVS-dir psad/whois-4.5.29/po/CVS
+bastille source: source-contains-CVS-dir psad/whois-4.5.6/CVS
+bastille source: source-contains-CVS-dir psad/whois-4.5.6/debian/CVS
+bastille source: source-contains-CVS-dir psad/whois-4.5.6/po/CVS
+bastille source: source-contains-CVS-dir tools/CVS
+bastille binary: csh-considered-harmful ./usr/share/Bastille/bastille-tmpdir.csh
+bastille binary: csh-script-but-no-c-shell-dep ./usr/share/Bastille/bastille-tmpdir.csh
+bastille binary: executable-not-elf-or-script ./usr/share/Bastille/bastille-firewall-early.sh
+bastille binary: shell-script-fails-syntax-check ./sbin/bastille-firewall-schedule
+bastille binary: shell-script-fails-syntax-check ./usr/share/Bastille/bastille-firewall-schedule
--- bastille-3.0.9.orig/debian/TODO
+++ bastille-3.0.9/debian/TODO
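Review bot: Overriding `shell-script-fails-syntax-check` for ./sbin/bastille-firewall-schedule and its /usr/share copy hides a real finding instead of resolving it — a script that does not pass `sh -n` may stop partway when it is presumably run with root privileges from the interface-up/reset path described in the init script's header — and the `executable-not-elf-or-script` override for bastille-firewall-early.sh is of the same kind. Prefer fixing the scripts (or dropping the executable bit / adding a shebang) and keeping only the CVS-dir and csh overrides, or at least precede each remaining override with a `#` comment giving the reason it is considered a false positive.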
@@ -0,0 +1,25 @@ +TODO file for Bastile: +---------------------- +- Review the Bastille firewall scripts: + - make them work even if the kernel does not use modules + (modprobe calls should not fail, see #362701) + - adjust RedHat specific stuff + +- Review the defintions of the init.d runlevel files in + OSMap/LINUX.system for Debian + +- Create a doc-base entry for the documentation provided by Bastille + (the user_guide.txt file) + +- Add Debian-specific checks (setup exim to only listen on loopback, for + example) + +- Integrate properly with Psad (currently untested, Psad is provided in + its own package to ease upgrades of it independently of Bastille) + +- Create a subsystem to download security updates (for PatchDownload) + + +------------------------------- +Mon, 5 Jun 2006 15:08:23 +0200 +Javier Fernandez-Sanguino --- bastille-3.0.9.orig/debian/bastille.7 +++ bastille-3.0.9/debian/bastille.7 
@@ -0,0 +1,99 @@ +.\" Hey, EMACS: -*- nroff -*- +.TH BASTILLE 7 "10th May, 2001" +.SH NAME +Bastille \- programs to harden the security of a UNIX host +.SH SYNOPSIS +.B InteractiveBastille +.br +.B AutomatedBastille +.br +.B BastilleChooser +.br +.B BastilleBackEnd +.br +.B RevertBastille +.SH DESCRIPTION +This manual page documents +.B Bastille +briefly +.PP +This manual page was written for the Debian GNU/Linux distribution +because the original package does not have a manual page. +.PP +.B Bastille +Linux is a security hardening program for Mandrake, +Red Hat, and Debian GNU/Linux. +If run in the preferred Interactive mode (using +.BR InteractiveBastille ), +it can teach you a good deal about +security while enhancing your system's protection against attacks. +If run in the +quicker Automated mode (using +.BR AutomatedBastille ), +it can quickly tighten your machine, but not nearly +as effectively (since user/sysadmin education is an important step!) +.PP +.B Bastille +offers different security profiles which can be selected using +.BR BastilleChooser . +However, note that even if servers and workstations have very different +security levels, general security levels are not as good as security +levels adapted to your own security policy. +.PP +.B Bastille +can secure a number of hosts easily by defining a general +configuration file and running +.B BastilleBackEnd +on each host individually. All security measures defined will be implemented +(if possible) on all of them. +.B Bastille +changes can also be undone by using the +.B RevertBastille +command. + +.SH INTERFACES +There is no \fBbest\fR interface to run \fBBastille\fR. However, each +interface will depend on some specific software which is not provided +by \fBBastille\fR itself. 
If you want to use \fBBastilleChooser\fR you +will need the Perl GTK modules (in Debian GNU/Linux provided by +the \fBlibgtk-perl\fR package), if you want to use \fBInteractiveBastille\fR +you will need either the Perl's Curses modules (in Debian GNU/Linux +provided by \fBlibcurses-perl\fR) or the TK modules (in Debian +GNU/Linux provided by \fBperl-tk\fR) depending on wether you want +the console (\fB-c\fR) or X (\fB-x\fR) interfaces. + +.SH FILES +.I /etc/Bastille/config +.RS +Configuration file which defines the security measures to be taken, +as selected by the administrator. +.RE +.I /var/log/Bastille/action-log +.br +.I /var/log/Bastille/error-log +.RS +Logs of actions taken. +.RE +.I /var/log/Bastille/undo/ +.RS +Directory containing all information for the undo operation. + + +.SH SEE ALSO +.BR RevertBastille (8), +.BR AutomatedBastille (8), +.BR BastilleBackEnd (8), +.BR InteractiveBastille (8), +.BR BastilleChooser (8). +.br +The programs have more documentation available at +.B /usr/share/doc/bastille +on Debian systems. +.SH AUTHOR +This manual page was written by +Javier Fernandez-Sanguino Pe\[~n]a +for the Debian GNU/Linux system (but may be used on other systems). +.PP +.B Bastille +was primarily written by Jay Beale, and is +licensed under the GNU General Public License --- bastille-3.0.9.orig/debian/dirs +++ bastille-3.0.9/debian/dirs @@ -0,0 +1,17 @@ +etc/Bastille +etc/init.d +sbin/ +usr/sbin +usr/share/man/man1 +usr/share/man/man8 +usr/share/perl5/Curses +usr/lib/Bastille +usr/share/Bastille +usr/share/Bastille/OSMap +usr/share/Bastille/Questions +var/lock/bastille +var/log/Bastille +var/log/Bastille/revert +var/log/Bastille/revert/backup +var/log/Bastille/old-config +var/log/Bastille/Assessment --- bastille-3.0.9.orig/debian/compat +++ bastille-3.0.9/debian/compat @@ -0,0 +1 @@ +5 --- bastille-3.0.9.orig/debian/Bastille-doc.docs +++ bastille-3.0.9/debian/Bastille-doc.docs 
@@ -0,0 +1,2 @@ +#DOCS# + --- bastille-3.0.9.orig/debian/BastilleChooser.8 +++ bastille-3.0.9/debian/BastilleChooser.8 
@@ -0,0 +1,80 @@ +.\" Hey, EMACS: -*- nroff -*- +.TH BASTILLECHOOSER 8 "May 10th, 2001" +.SH NAME +BastilleChooser \- harden a host using predefined profiles +.SH SYNOPSIS +.B BastilleChooser +.SH DESCRIPTION +This manual page briefly documents +.B BastilleChooser . +.PP +This manual page was written for the Debian GNU/Linux distribution +because the original program does not have a manual page. +.PP +.B BastilleChooser +offers a GTK+ GUI to let administrators choose between +different security profiles and +implement them without going through the questions of +.BR InteractiveBastille . +.PP +.B BastilleChooser +asks for the type of host (workstation or server), a security level +(lax, moderate or paranoid), and services to leave enabled on the host. +Using the selected profile, a new configuration is built and +installed on the system. +.PP +Note, however, that even if servers and workstations have very different +security levels, general security levels are not as good as security +levels adapted to your own security policy. + +.SH FILES +.I /usr/share/Bastille/WorkstationLax.config +.br +.I /usr/share/Bastille/WorkstationModerate.config +.br +.I /usr/share/Bastille/WorkstationParanoid.config +.br +.I /usr/share/Bastille/ServerLax.config +.br +.I /usr/share/Bastille/ServerModerate.config +.br +.I /usr/share/Bastille/ServerParanoid.config +.RS +Configuration files which define available profiles. +These are customized using the answers to questions posed by +.B BastilleChooser. +.RE +.I /etc/Bastille/config +.RS +Configuration file which defines all the security measures selected by +the administrator to be enabled. +.RE +.I /var/log/Bastille/action-log +.br +.I /var/log/Bastille/error-log +.RS +Logs that hold information of actions taken on the system. +.RE +.I /var/log/Bastille/undo/ +.RS +Directory holding all information for the undo operation. 
+ + +.SH SEE ALSO +.BR bastille (7), +.BR RevertBastille (8), +.BR AutomatedBastille (8), +.BR BastilleBackEnd (8), +.BR InteractiveBastille (8). +.br +The programs have more documentation available at +.B /usr/share/doc/bastille +on Debian systems. +.SH AUTHOR +This manual page was written by +Javier Fern\['a]ndez-Sanguino Pe\[~n]a +for the Debian GNU/Linux system (but may be used on other systems). +.PP +.B Bastille +was primarily written by Jay Beale, and is +licensed under the GNU General Public License --- bastille-3.0.9.orig/debian/AutomatedBastille.8 +++ bastille-3.0.9/debian/AutomatedBastille.8 
@@ -0,0 +1,69 @@ +.\" Hey, EMACS: -*- nroff -*- +.TH AUTOMATEDBASTILLE 8 "May 10th, 2001" +.SH NAME +AutomatedBastille \- automatically install a profiled Bastille configuration +.SH SYNOPSIS +.B AutomatedBastille +.SH DESCRIPTION +This manual page briefly documents +.BR AutomatedBastille . +.PP +This manual page was written for the Debian GNU/Linux distribution +because the original program does not have a manual page. +.PP +.B AutomatedBastille +installs a profile configuration file +and calls +.B BastilleBackEnd +in order to put all the selected security measures +in place. The profile is not adapted to your system; use +.B BastilleChooser +if you wish to do that. +.SH OPTIONS +.B AutomatedBastille +uses the following options: +.TP +.B \-v +Verbose mode. Actions are printed to the logs and to STDOUT. +.TP +.B \-l +Log-only mode. No action is taken; +merely logs what changes would have been made. +.TP +.B \-r PREFIX +All the filenames are prefixed with +.B PREFIX +(/etc/whatever becomes /PREFIX/etc/whatever). This option +could be used to commit changes to NFS filesystems, or file systems with +a different mount point than the current root (/) filesystem. + +.SH FILES +.I /etc/Bastille/config +.RS +Configuration file which defines all the security measures selected by +the administrator to be enabled. +.RE +.I /var/log/Bastille/action-log +.br +.I /var/log/Bastille/error-log +.RS +Logs that hold information of actions taken on the system. + +.SH SEE ALSO +.BR bastille (7), +.BR InteractiveBastille (8), +.BR BastilleBackEnd (8), +.BR RevertBastille (8), +.BR BastilleChooser (8). +.br +The programs have more documentation available at +.B /usr/share/doc/bastille +on Debian systems. +.SH AUTHOR +This manual page was written by +Javier Fern\['a]ndez-Sanguino Pe\[~n]a +for the Debian GNU/Linux system (but may be used on other systems). 
+.PP +.B Bastille +was primarily written by Jay Beale, and is +licensed under the GNU General Public License --- bastille-3.0.9.orig/debian/copyright +++ bastille-3.0.9/debian/copyright @@ -0,0 +1,27 @@ +This package was debianized by +Javier Fernandez-Sanguino Peña on +Thu, 10 May 2001 11:42:29 +0200. + +It was downloaded from http://bastille-linux.sourceforge.net/ +(homepage of the project is http://www.bastille-unix.org/) + +Upstream Author: + Jon Lasser Lead Coordinator + Jay Beale Lead Developer +(for more see the files Credits) + +Copyright: + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 1, or (at your option) + any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + +This software is distributed under the GNU GPL license, you can find +a copy of it in your Debian system under /usr/share/common-licenses/ + --- bastille-3.0.9.orig/debian/control +++ bastille-3.0.9/debian/control 
@@ -0,0 +1,31 @@ +Source: bastille +Section: admin +Priority: optional +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Javier Fernandez-Sanguino Pen~a +Build-Depends: perl, debhelper +Standards-Version: 3.6.1 +Homepage: http://www.bastille-unix.org/ + +Package: bastille +Architecture: all +Depends: perl, libcurses-perl, ${perl:Depends} +Recommends: whois, psad, bind9-host | host +Suggests: acct, perl-tk (>= 1:800.011) | libgtk-perl +Conflicts: libcurses-widgets-perl +Description: Security hardening tool + Bastille Linux is a security hardening program for GNU/Linux. + It increases the security of the system either by disabling + services (if they are not necessary) or by altering their + configuration. + . + If run in the (recommended) Interactive mode, Bastille + educates the administrator during the hardening process: + in each step of the process, extensive descriptions are + given of what security issues are involved. Each step is + optional. If run in the quicker Automated mode, Bastille + hardens the system according the profile chosen. + . + Bastille Linux works for several Linux distributions. + This package has been specifically modified to work for + Debian GNU/Linux. --- bastille-3.0.9.orig/debian/InteractiveBastille.8 +++ bastille-3.0.9/debian/InteractiveBastille.8 
@@ -0,0 +1,88 @@ +.\" Hey, EMACS: -*- nroff -*- +.TH INTERACTIVEBASTILLE 8 "10th May, 2001" +.SH NAME +InteractiveBastille \- bastion a host using Bastille +.SH SYNOPSIS +.B InteractiveBastille +.SH DESCRIPTION +This manual page documents +.B InteractiveBastille +briefly. +.PP +This manual page was written for the Debian GNU/Linux distribution +.PP +.B InteractiveBastille +asks questions to the user in order to define what security measures +must be implemented on the current system. The intention is to both +educate administrators on security and harden the host's security. +The configuration file generated by +.B InteractiveBastille +is then used by +.B BastilleBackEnd +to make the changes to the local system if the administrator agrees +to run the changes. In any case, the same configuration can be used +to harden other (similar) hosts non-interactively using +.BR AutomatedBastille . +.SH OPTIONS +.B InteractiveBastille +uses the following options: +.TP +.B \-x +Use the Perl/Tk (X11) GUI +(In Debian GNU/Linux this requires that the \fBperl-tk\fR package +is installed) +.TP +.B \-c +Use the Curses (non-X11) GUI +(In Debian GNU/Linux this requires that the \fBlibcurses-perl\fR package +is installed) +.TP +.B \-T, +Test mode only, the questions in the database are tested but nothing is done. +.TP +.B \-\-norequires +Ask all questions, even ones that do not apply. +.TP +.B \-v +Verbose mode, actions are printed to the logs and to STDOUT. +.TP +.B \-l +Log-only mode: no action is taken; only logs what changes would have been made. +.TP +.B \-r PREFIX +All the filenames are prefixed with +.B PREFIX +(/etc/whatever becomes /PREFIX/etc/whatever). This option +could be used to commit changes to NFS filesystems, or file systems with +a different mount point than the current root (/) filesystem. + +.SH FILES +.I /etc/Bastille/config +.RS +Configuration file which defines all the security measures selected by +the administrator to be enabled. 
+.RE +.I /var/log/Bastille/action-log +.br +.I /var/log/Bastille/error-log +.RS +Logs that hold information of actions taken on the system. + +.SH SEE ALSO +.BR bastille (7), +.BR AutomatedBastille (8), +.BR BastilleBackEnd (8). +.BR RevertBastille (8), +.BR BastilleChooser (8). +.br +The programs have more documentation available at +.B /usr/share/doc/bastille +on Debian systems. +.SH AUTHOR +This manual page was written by +Javier Fern\['a]ndez-Sanguino Pe\[~n]a +for the Debian GNU/Linux system (but may be used on other systems). +.PP +.B Bastille +was primarily written by Jay Beale, and is +licensed under the GNU General Public License --- bastille-3.0.9.orig/debian/README.Debian +++ bastille-3.0.9/debian/README.Debian 
@@ -0,0 +1,115 @@ +Bastille for Debian +---------------------- + +NOTES + +- There is no "best" interface, that's why dependencies are set that way, + read bastille (7) to see which interface best suits you. The bastille + package is prepared so that it will warn the user if he tries to use an + interface that he does not have the needed Perl libraries for. At the + very least, you can use 'BastilleBackEnd' with a predefined configuration + installed in /etc/Bastille. + + This is *not* a Bug, please don't report it as such. + (Many others already did see #112572, #113013, #112626, #210399, #212156...) + + You might encounter this issue, however, if you are installing using + plain 'apt-get'. If you encounter this issue you're all alone, you shouldn't + be using tools you do not understand, consider using 'dselect' or, even, + 'aptitude' or read Bastille's dependency lines. Currently: + + Depends: (...) libcurses-perl + ^^^^^^^^^^^^^^ This one provides the console frontend + Suggests: (...) perl-tk (>= 1:800.011) | libgtk-perl + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + Any of these can be used as a graphical GUI, install + the one you prefer best. + +- In some cases error messages will be seen when applying the Bastille changes + this is because Bastille will print the information to the ErrorLog and to + the console. Make sure to review the /var/log/Bastille/error-log for errors + +- Bastille in Debian will not install Psad (the port-scan attack detector) + but will configure it if available. Psad is provided independently in the + 'psad' package + +- Bastille for Debian will warn when it is running on a non-stable release + (/etc/debian_version is not of a x.x kind but 'unstable', 'testing' or + whatever) but will default to the latest stable release. This is due + to the fact that not all the tests migh have been verified for the unstable + branch and stuff might get broken. However, this is *not* a bug. 
+ If you find any test that does not work with Debian's unstable release + please file a bug against bastille explaining the problem (so it + can be fixed before unstable becomes stable). + +- There have been some reports of bugs when hardening the system and then + using Amanda, please see 'BUGS' for more information. This is *not* + a bug, users should be aware that some restrictions imposed by + hardening the system might make some things break. + (Relevant bugs include #118613 and #155510) + +TODO + +- Figure out how to Bind DNS and automate as already done with other +distros + +- Add more stuff taken from the "Securing Debian Manual" (see +http://www.debian.org/doc/manuals/debian-securing-howto/) + +- Consider using suidregister/suidunregister for removing Setuid bits? + +PENDING REVIEW + +- Check out Tiger for a security audit (no countermeasures) of a + UNIX system the Debian package has add-ons to check security upgrades, + and md5sums of files. See http://packages.debian.org/tiger + + Note: Bastille now includes and --assess function, it does not work yet, + however, in Debian systems. + +- Fix the PatchDownload in order to work correctly and not break +the previous sources (see BUGS) + + +CHANGES + +The Debian version of Bastille features some changes (for in depth +details see diff from http://packages.debian.org/bastille) from the +upstream Bastille version: + +- Manpages for all programs (BastilleChooser, InteractiveBastille, +....) NOTE: bastille now provides a manpage but Debian's are still +kept (since theses programs are still available) + +CHANGES (forwarded upstream) + +- Detection and customisation of Debian systems (some file locations +do change) + +- Under some circumstances, Bastille fails to work due to the PATH not +being set correctly (discovered after running with perl -w). Seems to +be a problem with a library being used by Bastille. Fixed by adding +/bin and /usr/bin to the path. 
+
+- Minor tweaks which I found useful or aesthetic (for example, the
+location of the rc.d files which now uses the $GLOBAL_DIR(rcd), etc.)
+Perl (-w) warnings are more less frequent, although in my opinion they
+should be reduced to 0.
+
+CHROOTED ENVIRONMENT:
+
+I tend to test bastille using a chrooted environment. This environment
+was created using 'makejail' (see /usr/share/doc/bastille/examples
+for a sample makejail configuration). Other good methods to setup
+a chrooted environment to do Bastille testing include debootstrap (which
+will create a mirror of a reduced Debian installation)
+
+Even though bastille provides 'log-only', 'debug' and 'verbose' options you
+might want to setup such a restricted environment for your own use before
+testing Bastille in a production environment.
+
+
+--
+ Javier Fernandez-Sanguino Peña
+ Wed, 28 Jun 2006 18:48:17 +0200
+
--- bastille-3.0.9.orig/debian/menu
+++ bastille-3.0.9/debian/menu
@@ -0,0 +1,4 @@
+?package(bastille):needs="X11" section="Apps/System"\
+ title="Bastille" command="/usr/sbin/InteractiveBastille"
+?package(bastille):needs="X11" section="Apps/System"\
+ title="BastilleChooser" command="/usr/sbin/BastilleChooser"
--- bastille-3.0.9.orig/debian/changelog
+++ bastille-3.0.9/debian/changelog
@@ -0,0 +1,565 @@ +bastille (1:3.0.9-13ubuntu1) precise; urgency=low + + * Apply patch from Marcos Marado resolving + inability to interact with Linux 3.0+. (Closes: #638835) + + -- Daniel T Chen Thu, 27 Oct 2011 17:09:24 -0400 + +bastille (1:3.0.9-13) unstable; urgency=high + + * Bastille/Debian_API.pm: Fix bug in the permissions + definition in the B_statoverride.Also, return inmediately if distribution + is Debian or if dpkg-statoverride is not available. + This bug caused bastille to set 0000 permissions when using + dpkg-statoveride, thus the 'high' urgency. (Closes: #596954, 545052) + * Bastille/API.pm: do not warn multiple times about the OS not being supported, + just send this message to STDERR once. + * Use debhelper compatibility version 5 + * debian/control: Depend on perl instead of on perl5. + * debian/bastille.substvars: removed + + -- Javier Fernandez-Sanguino Pen~a Sun, 19 Sep 2010 14:46:19 +0200 + +bastille (1:3.0.9-12.1) unstable; urgency=low + + * Non-maintainer upload + * Change dependency in init LSB header to use $network rather than + $local_fs to make sure networking is available during boot and to + make the package installation work again (Closes: #563784) + Thanks to Petter Reinholdtsen + + -- Steffen Joeris Sat, 23 Jan 2010 13:08:40 +0100 + +bastille (1:3.0.9-12) unstable; urgency=low + + * Set bin/bastille to be a bash shell since 'set +o privilege' is not + supported by other shells (Closes: #504321) + * Change author's email address in manpages and replace 'a' with '\['a]' to + present an accented character if the locale supports it. + + -- Javier Fernandez-Sanguino Pen~a Sun, 31 May 2009 13:33:41 +0200 + +bastille (1:3.0.9-11) unstable; urgency=low + + * Fix bashims in script (Closes: #530050) + - bin/bastille: replace "\n" in echo with a new echo call so that another + line is printed. + - bastille-tmpdir.sh and bastille-tmpdir-defense.sh : make them bash + scripts. 
This is not really necessary since the scripts already use /dev/urandom + if available instead of $RANDOM but that way we will not get false positives + for people looking for bashisms. + + -- Javier Fernandez-Sanguino Pen~a Thu, 28 May 2009 01:46:11 +0200 + +bastille (1:3.0.9-10) unstable; urgency=low + + * Update upstream's manpage (doc/bastille.1m) to reflect that it supports + many more Debian versions. + + -- Javier Fernandez-Sanguino Pen~a Sat, 18 Apr 2009 01:51:21 +0200 + +bastille (1:3.0.9-9) unstable; urgency=low + + * Fix Bastille/Debian.pm: replace calls to ActionLog with B_log (Closes: #520435) + + -- Javier Fernandez-Sanguino Pen~a Sat, 21 Mar 2009 23:25:46 +0100 + +bastille (1:3.0.9-8) unstable; urgency=low + + * Upload to unstable, this package has been sitting in experimental + for too long. Time to get wider testing. + * Fix typo in calls to modprobe (Closes: #518251) + * Fix Bastille/API.pm: + - Make the check that determines wether it runs as root or not + work properly + - Replace a call to ErrorLog to a call to B_log + * Update the latest stable version of Debian in Bastille/API.pm + * Add DB4.1 and DB5.0 as supported Debian versions. This is not + fully true, however, as Bastille has not been fully tested in sid or lenny. 
+ It will help people test it out though (Closes: #510884) + * Update Bastille/API.pm.sweth to support Debian even if it's not + currently used: + - include definitions for testing Debian releases + - include the list of Debian releases and the file locations + - adapt chkconfig_off to support Debian + - modify the code so that it uses statoverride + - move chkconfig_on from Bastille/API.pm and adapt it to use + the new functions + + -- Javier Fernandez-Sanguino Pen~a Thu, 05 Mar 2009 22:01:36 +0100 + +bastille (1:3.0.9-7) experimental; urgency=low + + * Remove empty directories from debian/dirs + * Roll over changes from 2.1.1-19: + - Add LSB-formatted headers to the init.d script (Closes: #460860) + - Specify that the init.d file is a bash script (Closes: #464492) + - Update watch file with the one provided by Raphael + Geissert (Closes: #449715) + - Recode copyright to be UTF-8 + + -- Javier Fernandez-Sanguino Pen~a Sun, 24 Feb 2008 23:38:34 +0100 + +bastille (1:3.0.9-6) experimental; urgency=low + + * Change location of the Bastille site in multiple files, it has been + purchased by a domain squatter, see + http://www.bastille-unix.org/press-release-newname.html + Replaced it with bastille-unix.org + * Use Homepage: in the package headers + + -- Javier Fernandez-Sanguino Pen~a Thu, 08 Nov 2007 21:15:17 +0100 + +bastille (1:3.0.9-5) experimental; urgency=low + + * Fix location of INITBASEDIR in bastille-firewall-reset (Closes: #436713) + * Do not try to load/unload modules if the kernel does not support + modules (i.e. modules.dep does not exist) (Closes: #362701, #436713) + + -- Javier Fernandez-Sanguino Pen~a Thu, 09 Aug 2007 20:34:34 +0200 + +bastille (1:3.0.9-4) experimental; urgency=low + + * Update to the latest stable release. 
+ * Change maintainer's email address in debian/control + + -- Javier Fernandez-Sanguino Pen~a Tue, 17 Jul 2007 18:25:51 +0200 + +bastille (1:3.0.9-3) experimental; urgency=low + + * Make Bastille work in new etch systems (Debian 4.0) + * Add binary-arch targets in Makefile, even if not used + + -- Javier Fernandez-Sanguino Pen~a Wed, 1 Nov 2006 13:22:53 +0100 + +bastille (1:3.0.9-2) experimental; urgency=low + + * Simplify the Bastille/Debian_API.pm file + * Update the information in the README.Debian file + + -- Javier Fernandez-Sanguino Pen~a Wed, 28 Jun 2006 02:12:35 +0200 + +bastille (1:3.0.9-1) experimental; urgency=low + + * New upstream release (Closes: #259361, #305969, #320248) + - forward port all the relevant patches from the 2.x releases + - still have to test the new --assess functionality to see how it + applies to Debian and review the OSMap/LINUX.Bastille definitions + - upload to experimental to get some testing + - separate the dpkg-statoverride calls to a separate Debian.pm + library + * Make the package Arch: all (Closes: #357049) + * Patch bastille's TMPDIR.pm so that it does not install profile.d + scripts if the /etc/profile.d directory does not exist (Closes: #350442) + * Use patch from Nicolas Francois to recode manpages to ASCII and avoid + manpage warnings (Closes: #349717) + * Change RS0 in manpage to RS + + -- Javier Fernandez-Sanguino Pen~a Mon, 5 Jun 2006 15:05:11 +0200 + +bastille (1:2.1.1-12) unstable; urgency=low + + * The "closing bugs before I package new upstream version" + * Adjust the grub test so it uses /boot/grub/menu.lst instead of the + /etc/grub.conf file (Closes: #312182) + * Use modprobe instead of insmod to load the ip_nat modules (Closes: + #328870) + * Restrict use of all the fsck tools under /sbin, not just 'fsck' + (Closes: #320662) + * Use dpkg-statoverride in Debian systems to preserve filesystem + changes even on the even of package upgrades (Closes: #182494) + * Use debhelper compatibility version 4 + + -- 
Javier Fernandez-Sanguino Pen~a Thu, 3 Nov 2005 19:24:20 +0100 + +bastille (1:2.1.1-11) unstable; urgency=low + + * Fixed bastille-firewall to use /var/lock/bastille/bastille-firewall + instead of /var/lock/subsys (Closes: #282419) + + -- Javier Fernandez-Sanguino Pen~a Tue, 23 Nov 2004 11:27:57 +0100 + +bastille (1:2.1.1-10) unstable; urgency=low + + * Improved the description in the control field with the patch + provided by Thomas Hood (Closes: #281170) + + -- Javier Fernandez-Sanguino Pen~a Sun, 14 Nov 2004 12:38:18 +0100 + +bastille (1:2.1.1-9) unstable; urgency=low + + * Have the postrm script behave better when purging (Closes: #280379) + + -- Javier Fernandez-Sanguino Pen~a Sun, 14 Nov 2004 01:15:20 +0100 + +bastille (1:2.1.1-8) unstable; urgency=low + + * Modified bastille so that the user is warned to use 'bastille -c' + if he cannot run the (default) X11 interface due to missing libraries. + Also, if no DISPLAY is defined the Curses interface is used unless + specified differently in the command line. + (Closes: #274464) + * [bastille] moved the root check down so that all users can run 'bastille -h' + * [InteractiveBastille] Print the Usage information if it tries to use + the Curses interface but the libraries are not available. + + -- Javier Fernandez-Sanguino Pen~a Sun, 3 Oct 2004 12:26:17 +0200 + +bastille (1:2.1.1-7) unstable; urgency=low + + * Add support for Debian sarge (DB3.1) (Closes: #263599) + * Quote strings of the menu file + * Fixed PSAD configuration of the EMAIL_ADDRESS (Closes: #236785) + * Allow LOCAL access in /etc/hosts.allow to avoid having issues with + local services (FAM and printer services mostly) + * Modified Questions.txt so that it describes that you need to permit + echo-request if you want incoming ICMP probes (Closes: #232265) + * Start the bastille-firewall at S40 so that it can work when filesystems + are up (i.e. 
it starts later than lvm or NFS) (Closes: #214744) + * Added lintian.override + + -- Javier Fernandez-Sanguino Pen~a Thu, 5 Aug 2004 15:13:18 +0200 + +bastille (1:2.1.1-6) unstable; urgency=low + + * bastille script now uses bash since it uses 'set +o privileged', I + can't find if this is POSIX so I'm fixing it this way (Closes: #237792) + + -- Javier Fernandez-Sanguino Pen~a Sat, 13 Mar 2004 23:20:55 +0100 + +bastille (1:2.1.1-5) unstable; urgency=low + + * Install Bastille modules in /usr/share/perl5 instead of on /usr/lib/perl5 + * Fixed spelling error in README. + * Make a manpage symlink for UndoBastille. + * Proper copyright in debian/copyright. + * Updated Standards-Version. + + -- Javier Fernandez-Sanguino Pen~a Fri, 23 Jan 2004 18:18:47 +0100 + +bastille (1:2.1.1-4) unstable; urgency=low + + * Added missing GLOBAL definitions (Closes: #225878) + * Clarified (even more) in the README.Debian file why the dependancies + are set the way they are. I'm even placing this element the first + one in the list just for the lazy readers and also copying this + information to the manpages (bastille and InteractiveBastille) + (Closes: #210399, #212156) + * Add a note in the README.Debian about debootstrap (to setup a chroot + test environment, works like a charm) + * Added notes in the Questions.txt regarding how Amanda might break + if the settings are applied, this might avoid people getting bitten + by #118613 and #155510 (but "it's not a bug, it's a feature") + + -- Javier Fernandez-Sanguino Pen~a Fri, 9 Jan 2004 16:12:56 +0100 + +bastille (1:2.1.1-3) unstable; urgency=low + + * Fixed properly API.pm now. 
+ + -- Javier Fernandez-Sanguino Pen~a Tue, 15 Jul 2003 16:10:40 +0200 + +bastille (1:2.1.1-2) unstable; urgency=low + + * Fixed API.pm which made bastille break due to a + syntax error (missing parenthesis) (Closes: #200979) + + -- Javier Fernandez-Sanguino Pen~a Sat, 12 Jul 2003 19:11:48 +0200 + +bastille (1:2.1.1-1) unstable; urgency=low + + * The "It's been a while since I tinkered with Bastille" release + (many of the changes in this package need to be pushed upstream). + * New upstream version. + - This upstream version works properly wrt to syslog settings + (Closes: #158918) + - UndoBastille no longer exists (Closes: #194355) + * Removed the Credits file from /usr/share/bastille (it's already under + the documentation) and replace it with a symlink + * Added the *config files to the examples dir. + * Modified debian/rules to create a symbolic link for UndoBastille since + it's no longer there. Also, the UndoBastille manpage has been modified + to be used for RevertBastille and all manpages point to RevertBastille. + * Added find_bastille_affected_files.pl to the examples. + * Added docs/bastille.1m to the manpages + * Moved the documentation calls in debian/rules to debian/docs so that + it's easier to follow. + * Modified the chroot script for makejail to use coreutils instead of + fileutils. + * Fixed the bastille-ipchains script as described by Henrik Johansson and + have the package recommend bind9-host or host. Notice that I cannot + add a dependancy since not all users will be setting up a local + firewall (Closes: #184767) + * Modified API/Bastille.pm so that chkconfig_off in Debian also removes + the 'S' links. Notice that not _all_ rc files are removed since this + would mean that on upgrade all the files would be recreated. 
Also + the chkconfig_on code has been modified to work with Debian even if + it's not used (calls to it from Firewall.pm and PSAD.pm have been + disabled since the packages provide already init.d scripts and their + rc.d links) + (Closes: #193906) + * Modified the installation of the bastille-firewall so that it runs on + the system at priority 20 which means that it should be started before + any network services, it is also stopped at level 89. + * Reapplied the changes to Bastille/IOLoader.pm to add new DebugLogs. + * Modified Questions.txt to fit Debian specific stuff. + * Modified docs/bastille.1m to include some of the undocumented options + as well as the Debian-specific information. Also modified all trailing + '.C' to '.B' + * Changed 'LINUX' to refer also to 'DB' + * Added /var/log/Bastille/revert/backup to the directories to remove stuff + from if we purge the package (Closes: #185951) + * Fixed API.pm so that /var/log/Bastille/revert is used instead of + /var/log/Bastillerevert (missing '/') + * Modified Bastille/PSAD.pm so that it does not attempt to install PSAD, + also the location of the PSAD init script has been modified for Debian. + Modified also Questions.txt to add a dependancy for the 'psad' file + so that it will only run if the PSAD package has been installed. + With this changes bastille now configures PSAD properly if available + (Closes: #147153) + + -- Javier Fernandez-Sanguino Pen~a Tue, 24 Jun 2003 10:26:53 +0200 + +bastille (1:2.0.4-3) unstable; urgency=low + + * Changed the Dependancies so that the X interfaces are only installed + if the user asks for them, the curses interface is always installed + now (Closes: #164227) + * Improved the package description (hopefully) following some of the + guidelines on the Developer's Reference, including a Homepage + * Fixed the debian/control file using the patch provided in the + bug report. Thanks to James A. Morrison. 
(Closes: #184179) + (I still need to write proper manpages for many of the scripts...) + + -- Javier Fernandez-Sanguino Pen~a Tue, 25 Mar 2003 00:09:07 +0100 + +bastille (1:2.0.4-2) unstable; urgency=low + + * Added /var/log/Bastille/Revert and /var/log/Bastille/old-config + to the list of directories to remove (Closes: #182919) + * Changed the init file so it does not offer the HINT if asked to + stop (so that it is not presented when removing/purging the package) + + -- Javier Fernandez-Sanguino Pen~a Sun, 2 Mar 2003 10:29:59 +0100 + +bastille (1:2.0.4-1) unstable; urgency=low + + * New upstream release + * Added proper references to ping6/traceroute6 + * Enabled psad configuration since 'psad' package is now available in Debian + * Fixed Questions.txt for apache configuration (mentioned httpd) + * Added a note on BUGS and on the README.Debian file regarding the Amanda + issues. They are not a bug, they are simply a user's shooting himself on + the foot by retricting too much the system. This is related to bugs + #118613 and #155510. A debconf note might be added if enough users report + this. + * Added a Conflicts to libcurses-widget-perl as a quick way to avoid bug + #164227. The Bastille upstream team will probably need to decide how to + tackle this. + + -- Javier Fernandez-Sanguino Pen~a Sun, 24 Nov 2002 22:52:38 +0100 + +bastille (1:2.0.1-1) unstable; urgency=low + + * New upstream release. + * Now provides a postrm to remove all logs and configuration files placed + by Bastille (could be useful if a user installs Bastille, uses it and + then removes it from the system. Note: in this case the firewall would + not work, of course) + * Removed psad (there's a New Maintainer packaging it, it will be integrated + into Bastille as soon as the package is done). Bastille now Recommends: + psad (should it recommended firewalling code too???) 
+ * IMPROVED: + Added a new debugging option (-d) for those #print statements in API.pm + (should be used by developers to populate other modules) + Changed bastille to provide the -v, -d and -l options to the Backends + Also changed InteractiveBastille to reflect what API.pm says + Questions.txt now includes some information specific to Debian + (chkconfig stuff mostly) + Added a bastille-makejail.py example for 'makejail' to build a + chrooted testing environment (works for me, YMMV) + * FIXED: + InteractiveBastille did not show Usage because GLOBAL_ERROR was not + exported in API.pm *and* because API.pm was not loaded before + showUsage was called + RootTTYLogins fixed to remove *all* ttys, not just tty1-tty6, + tty10-tty60.... + Bastille manpage now properly displays valid options + Some links (called chkconfig) are provided for Debian (need to provide + more by checking which runlevel/number is used by some packages) + * CHANGED: + The init script will not launch if no bastille-firewall.cfg exist + There is no /var/lock/subsys, /var/lock/bastille used instead + * TODO: Port the fixes done to previous versions. + + -- Javier Fernandez-Sanguino Pen~a Mon, 19 Aug 2002 13:21:12 +0200 + +bastille (1:1.3.0-6) unstable; urgency=medium + + * Changed exit 1 to exit 0 in the bastille-firewall script so + installation/postinstallation works ok (Closes: #149424) + + -- Javier Fernandez-Sanguino Pen~a Mon, 10 Jun 2002 14:22:31 +0200 + +bastille (1:1.3.0-5) unstable; urgency=high + + * Changed the init.d script to *not* run if there is no + /etc/Bastille/bastille-firewall.cfg this should work when the + user has answered questions in InteractiveBastille and created + the cfg file. + + * Added a pre-configuration of the firewall just as + bastille-firewall-install does. 
Instead of changing + Bastille/Firewall.pm to add Debian to the configuration (line 338) + this is IMHO a better approach since changes in the init.d script + or the software does not require re-installation of the firewall. + + * This closes bug #147643 for sid, but woody configuration does + give the user a sense of "false security" since they configure the + firewall but it's not enabled either after installation or on + reboot. + + * Added some missing dirs to debian/dirs + + * Added /etc files to conffiles (Note: the bastille-firewall.cfg + is not since is not provided yet in the package, it is generated + through the Bastille programs) + + -- Javier Fernandez-Sanguino Pen~a Tue, 21 May 2002 11:27:29 +0200 + +bastille (1:1.3.0-4) unstable; urgency=medium + + * Added /var/lock/subsys to debian/dirs so that the firewall + runs nicely. + * Fixed an unreported bug in INCs that prevented it from finding + Bastille_Tk.pm (due to it being moved in 1.3.0-3) + * Edited the psad installation to work non-interactively + (install.debian.pl) + * Removed psad from debian/rules so that it is not activated by Bastille. + This software is not ready for release in Debian + since installation should be done in a separate package + (sorry guys, you will need + to take the source package to make it work) + * Edited InstallBastille to remove DB from the LINUX alias in + order to *not* ask about Psad (in Questions.txt it is linked to LINUX) + + -- Javier Fernandez-Sanguino Pen~a Thu, 16 May 2002 09:52:12 +0200 + +bastille (1:1.3.0-3) unstable; urgency=medium + + * Move /usr/lib/Bastille to /usr/share/perl5/ to comply with the FHS + * Removed creation of /usr/share/Bastille/Psad.pm since it + was not being used. + * Fixed Bastille/Logging.pm (typo, an if was missing) (Closes: #146921) + * Made /usr/share/Bastille/PSAD.pm a symlink to Psad.pm + * Made changes in debian/rules to conform to Debian's Perl policy. 
+ + -- Javier Fernandez-Sanguino Pen~a Tue, 14 May 2002 13:13:28 +0200 + +bastille (1:1.3.0-2) unstable; urgency=low + + * Removed man1 manpages (since they were in the psad directories + debhelper decided to add them too!) (Closes: #141217) + + -- Javier Fernandez-Sanguino Pen~a Fri, 5 Apr 2002 15:33:21 +0200 + +bastille (1:1.3.0-1) unstable; urgency=low + + * New upstream version. + * New upstream version (and if case you wonder: "yes, this package + was also made during my last vacations"). + * The new version provides support for Debian (changes made in previous + releases have been included). This version, however, recognises + '3.0' as a valid release name and supports it along with 2.2 + * Fixed (somewhat) the Questions.txt + * Included DB into the "LINUX" definition in Questions.txt (so that + it shows all the Questions for Debian) + + -- Javier Fernandez-Sanguino Pen~a Fri, 29 Mar 2002 00:26:03 +0100 + +bastille (1:1.2.0-6) unstable; urgency=low + + * Fixed Bastille Firewall.pm and bastille-firewall-reset so proper + substitution is being made for the RC and INIT directories (Closes: 129635) + + -- Javier Fernandez-Sanguino Pen~a Thu, 17 Jan 2002 10:19:24 +0100 + +bastille (1:1.2.0-5) unstable; urgency=low + + * Changed Logging.pm so that it works in Debian properly + noticed that Debian's default behavior already provides for syslog and + kern.log rotationi (Closes: #129480) + + -- Javier Fernandez-Sanguino Pen~a Wed, 16 Jan 2002 14:29:56 +0100 + +bastille (1:1.2.0-4) unstable; urgency=medium + + * Fixed API/Logging.pm (Closes: #123860) + * Removed CVS directory from /usr/share/doc/ (Closes: #123890) + * Fixed typo in README.Debian + * Added proper dependencies for c-shell + * Updated standards version + * Added a if-then clause to remove the chkconfig errors if it + is not available (Closes: #122193) + + -- Javier Fernandez-Sanguino Pen~a Tue, 15 Jan 2002 11:55:20 +0100 + +bastille (1:1.2.0-3) unstable; urgency=high + + * Changed setting of debian 
version in preparation for upcoming 3.0 + release. Bastille know acknowledges woody existence (Closes: #123809) + + -- Javier Fernandez-Sanguino Pen~a Thu, 13 Dec 2001 14:23:31 +0100 + +bastille (1:1.2.0-2) unstable; urgency=low + + * Fixed Questions.txt so that bastille firewall is disabled in + Debian (will not close 122193 bug, just retitle it and file it as + wishlist) + + -- Javier Fernandez-Sanguino Pen~a Mon, 3 Dec 2001 14:59:57 +0100 + +bastille (1:1.2.0-1) unstable; urgency=low + + * New upstream version + * Fixed Questions.txt so the tempdir feature is disabled in Debian (Closes: #114641) + * Changed message when /etc/debian_version is not from a stable release. + Added information on unstable support in README.Debian (Closes: #115300) + * Applied patch submitted by Era Eriksson for manoages (Closes: #110775) + * More verbose when Curses.pm, Gtk.pm or Tk.pm not found added info + to README.Debian (Closes: #112572, #113013, #112626) + * Added SuSE detection borrowed from Marc's Heuse harden-suse (TODO: + add security hardening done here too...) + * Used epochs since they forced me too with the rcXXX :( + + -- Javier Fernandez-Sanguino Pen~a Mon, 12 Nov 2001 22:49:33 +0100 + +bastille (1.2.0.rc6-3) unstable; urgency=low + + * Fixed final } in AutomatedBastille + + -- Javier Fernandez-Sanguino Pen~a Fri, 14 Sep 2001 23:58:26 +0200 + +bastille (1.2.0.rc6-2) unstable; urgency=low + + * Fixed menu entry (Closes: #110533) + + -- Javier Fernandez-Sanguino Pen~a Wed, 29 Aug 2001 15:50:15 +0200 + +bastille (1.2.0.rc6-1) unstable; urgency=low + + * Initial Release. 
+ * Beta-release for Debian configuration (not thoroughly tested to
+ see that it works)
+ * Changed API in order to recognise Debian
+ * Modified PatchDownload in order to upgrade from security.debian.org
+ * Added notes regarding process accounting (need to install acctlog)
+ * Fixed some errors and warnings in the scripts which made them not run correctly
+ * Wrote manpages for all binaries (InteractiveBastille, AutomatedBastille,
+ UndoBastille, BastilleBackend, BastilleChooser) and for the package (Bastille)
+
+ -- Javier Fernandez-Sanguino Pen~a Thu, 10 May 2001 11:42:29 +0200
+
+Local variables:
+mode: debian-changelog
+End:
--- bastille-3.0.9.orig/debian/watch
+++ bastille-3.0.9/debian/watch
@@ -0,0 +1,4 @@
+version=3
+opts=uversionmangle=s/\.(bz2|gz)// \
+http://sf.net/bastille-linux/Bastille-(.*)\.tar\.(bz2|gz) debian uupdate
+
--- bastille-3.0.9.orig/debian/rules
+++ bastille-3.0.9/debian/rules
@@ -0,0 +1,143 @@
+#!/usr/bin/make -f
+# Sample debian/rules that uses debhelper.
+# GNU copyright 1997 by Joey Hess.
+#
+# This version is for a hypothetical package that builds an
+# architecture-dependant package, as well as an architecture-independent
+# package.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+# This has to be exported to make some magic below work.
+export DH_OPTIONS
+
+export DESTDIR=`pwd`/debian/bastille
+
+build: build-stamp
+build-stamp:
+ dh_testdir
+
+
+ # Add here commands to compile the package.
+ #$(MAKE)
+
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp
+
+ # Add here commands to clean up after the build process.
+ #-$(MAKE) clean
+ dh_clean
+
+install: DH_OPTIONS=
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+ # There is no Makefile for Bastille...
+ #$(MAKE) install DESTDIR=${DESTDIR}
+ # Bastille does this but we do it here anyway
+ chmod -R og-rwX ${DESTDIR}/var/log/Bastille
+ install -m 755 bin/bastille ${DESTDIR}/usr/sbin/
+ install -m 755 AutomatedBastille ${DESTDIR}/usr/sbin/
+ install -m 755 BastilleBackEnd ${DESTDIR}/usr/sbin
+ install -m 644 Bastille_Curses.pm ${DESTDIR}/usr/share/perl5/
+ install -m 644 Bastille_Tk.pm ${DESTDIR}/usr/share/perl5/
+ install -m 644 Curses/Widgets.pm ${DESTDIR}/usr/share/perl5/Curses
+ install -m 644 *.xbm ${DESTDIR}/usr/share/Bastille
+# No longer provided
+# install -m 644 Default_Workstation ${DESTDIR}/usr/share/Bastille
+# install -m 644 Default_Workstation_plus_Firewall ${DESTDIR}/usr/share/Bastille
+ install -m 755 InteractiveBastille ${DESTDIR}/usr/sbin
+ install -m 644 Questions.txt ${DESTDIR}/usr/share/Bastille
+ install -m 644 Questions/* ${DESTDIR}/usr/share/Bastille/Questions/
+ install -m 755 RevertBastille ${DESTDIR}/usr/sbin
+ install -m 755 RevertBastille ${DESTDIR}/usr/sbin
+ cd ${DESTDIR}/usr/sbin && ln -s RevertBastille UndoBastille
+# No longer provided
+# install -m 755 UndoBastille 
${DESTDIR}/usr/sbin
+# install -m 755 bastille ${DESTDIR}/usr/sbin
+ install -m 755 BastilleChooser ${DESTDIR}/usr/sbin
+# Provided in examples
+# install -m 644 Workstation*.config ${DESTDIR}/usr/share/Bastille
+# install -m 644 Server*.config ${DESTDIR}/usr/share/Bastille
+# Provided in docs
+# install -m 644 Credits ${DESTDIR}/usr/share/Bastille
+ cd ${DESTDIR}/usr/share/Bastille && ln -s ../doc/bastille/Credits .
+ install -m 755 bastille-firewall ${DESTDIR}/usr/share/Bastille
+ install -m 755 bastille-firewall-reset ${DESTDIR}/usr/share/Bastille
+ install -m 755 bastille-firewall-schedule ${DESTDIR}/usr/share/Bastille
+ install -m 755 bastille-tmpdir-defense.sh ${DESTDIR}/usr/share/Bastille
+ install -m 755 bastille-tmpdir.csh ${DESTDIR}/usr/share/Bastille
+ install -m 755 bastille-tmpdir.sh ${DESTDIR}/usr/share/Bastille
+ install -m 644 bastille-firewall.cfg ${DESTDIR}/usr/share/Bastille
+ install -m 755 bastille-ipchains ${DESTDIR}/usr/share/Bastille
+ install -m 755 bastille-netfilter ${DESTDIR}/usr/share/Bastille
+ install -m 755 bastille-firewall-early.sh ${DESTDIR}/usr/share/Bastille
+ install -m 755 bastille-firewall-pre-audit.sh ${DESTDIR}/usr/share/Bastille
+ install -m 755 ifup-local ${DESTDIR}/usr/share/Bastille
+ install -m 644 hosts.allow ${DESTDIR}/usr/share/Bastille
+ install -m 644 Bastille/*.pm ${DESTDIR}/usr/lib/Bastille
+ install -m 644 Modules.txt ${DESTDIR}/usr/share/Bastille
+ install -m 644 Weights.txt ${DESTDIR}/usr/share/Bastille
+ # Install OS dependant files
+ install -m 644 OSMap/* ${DESTDIR}/usr/share/Bastille/OSMap/
+ # Preconfiguration of the firewall.
+ # Debian's init.d script will only start it if
+ # /etc/Bastille/bastille-firewall.cfg
+ install -m 755 bastille-firewall-reset ${DESTDIR}/sbin
+ install -m 755 bastille-firewall-schedule ${DESTDIR}/sbin
+ install -m 755 bastille-ipchains ${DESTDIR}/sbin
+ install -m 755 bastille-netfilter ${DESTDIR}/sbin
+ install -m 400 bastille-firewall-early.sh ${DESTDIR}/etc/Bastille/
+
+# Build architecture-independent files here.
+# Pass -a to all debhelper commands in this target to reduce clutter.
+binary-arch: DH_OPTIONS=-a
+binary-arch: build install
+ # Do nothing
+
+# Build architecture-independent files here.
+# Pass -i to all debhelper commands in this target to reduce clutter.
+binary-indep: DH_OPTIONS=-i
+binary-indep: build install
+ # Need this version of debhelper for DH_OPTIONS to work.
+ dh_testdir
+ dh_testroot
+# dh_installdebconf
+ dh_installdocs
+ -rm -rf ${DESTDIR}/usr/share/doc/bastille/CVS
+ dh_installexamples debian/bastille-makejail.py *config \
+ find_bastille_affected_files.pl server_configurations.txt \
+ mandrake_*.? tools/bastille-firewall-convert.sh
+ chmod a-x ${DESTDIR}/usr/share/doc/bastille/examples/*
+ dh_installmenu
+ dh_installinit --init-script=bastille-firewall -r \
+ --update-rcd-params="start 40 S . stop 89 0 6 ."
+ dh_installcron
+ dh_installman
+ # Make a symlink for UndoBastill
+ cd ${DESTDIR}/usr/share/man/man8/ && ln -s RevertBastille.8.gz UndoBastille.8.gz
+ dh_installinfo
+# I need to write manpages for the following:
+# dh_undocumented bastille-firewall-reset.1 bastille-firewall-schedule.1 \
+# bastille-ipchains.1 bastille-netfilter.1
+ dh_installchangelogs Changelog
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+ dh_perl
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep
+.PHONY: build clean binary-arch binary install
--- bastille-3.0.9.orig/debian/BastilleBackEnd.8
+++ bastille-3.0.9/debian/BastilleBackEnd.8
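Review bot: The mode tightening in the install target — `chmod -R og-rwX ${DESTDIR}/var/log/Bastille` and `install -m 400 bastille-firewall-early.sh ${DESTDIR}/etc/Bastille/` — runs before `dh_fixperms` in binary-indep, and dh_fixperms by default resets everything under the package directory to go=rX, so as far as I can tell the log directory and the firewall script end up world-readable in the built package despite the intent behind the `# Bastille does this but we do it here anyway` comment. Either exclude those paths, e.g. `dh_fixperms -X var/log/Bastille -X bastille-firewall-early.sh`, or apply the chmod after dh_fixperms, and confirm the result with `dpkg-deb -c` on the built .deb. Separately, `install -m 755 RevertBastille ${DESTDIR}/usr/sbin` appears twice in a row and the second copy can be dropped, and `.PHONY` lists `binary-arch` but omits `binary-indep`.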
@@ -0,0 +1,68 @@
+.\" Hey, EMACS: -*- nroff -*-
+.TH BASTILLEBACKEND 8 "10th May, 2001"
+.SH NAME
+BastilleBackEnd \- harden a host
+.SH SYNOPSIS
+.B BastilleBackEnd
+.SH DESCRIPTION
+This manual page briefly documents briefly
+.B BastilleBackEnd .
+.PP
+This manual page was written for the Debian GNU/Linux distribution
+because the original program does not have a manual page.
+.PP
+.B BastilleBackEnd
+implements all the changes configured previously by using
+.B InteractiveBastille
+or
+.B AutomatedBastille
+based on the appropiate configuration file.
+.SH OPTIONS
+.B BastilleBackEnd
+uses the following options:
+.TP
+.B \-v
+Verbose mode. Actions are printed to the logs and to STDOUT.
+.TP
+.B \-l
+Log-only mode. No action is taken;
+merely logs what changes would have been made.
+.TP
+.B \-r PREFIX
+All the filenames are prefixed with
+.B PREFIX
+(/etc/whatever becomes /PREFIX/etc/whatever). This option
+could be used to commit changes to NFS filesystems, or file systems with
+a different mount point than the current root (/) filesystem.
+
+.SH FILES
+.I /etc/Bastille/config
+.RS
+Configuration file which defines all the security measures selected by
+the administrator to be enabled.
+.RE
+.I /var/log/Bastille/action-log
+.br
+.I /var/log/Bastille/error-log
+.RS
+Logs that hold information of actions taken on the system.
+.I /var/log/Bastille/undo/
+.RS
+Directory holding all information for the undo operation.
+
+.SH SEE ALSO
+.BR AutomatedBastille (8),
+.BR RevertBastille (8).
+.BR InteractiveBastille (8).
+.br
+The programs have more documentation available at
+.B /usr/share/doc/bastille
+on Debian systems.
+.SH AUTHOR
+This manual page was written by
+Javier Fern\['a]ndez-Sanguino Pe\[~n]a
+for the Debian GNU/Linux system (but may be used on other systems).
+.PP
+.B Bastille
+was primarily written by Jay Beale, and is
+licensed under the GNU General Public License
--- bastille-3.0.9.orig/debian/docs
+++ bastille-3.0.9/debian/docs
@@ -0,0 +1,11 @@
+Questions.txt
+README.1st
+Credits
+README
+BUGS
+docs/readme.ftp
+docs/readme.automate
+docs/readme.interfaces
+docs/readme.patch
+docs/README
+docs/user_guide.txt
--- bastille-3.0.9.orig/debian/bastille-makejail.py
+++ bastille-3.0.9/debian/bastille-makejail.py
@@ -0,0 +1,9 @@
+chroot="/var/chroot/bastille"
+forceCopy=["/etc/*","/usr/share/terminfo/l","/usr/share/terminfo/v","/usr/share/terminfo/x"]
+preserve=["/etc/Bastille"]
+testCommandsInsideJail=["bastille -c"]
+processNames=["bastille"]
+packages=["bastille","psad","perl","coreutils","textutils","perl-tk"]
+blockDepends=["libgtk-perl"]
+useDepends=1
+cleanJailFirst=0
--- bastille-3.0.9.orig/debian/RevertBastille.8
+++ bastille-3.0.9/debian/RevertBastille.8
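Review bot: `forceCopy=["/etc/*", ...]` pulls the entire `/etc` of the host into the `/var/chroot/bastille` jail, and this same patch maps `/etc/shadow` (`file,shadow,'/etc/shadow'` in OSMap/LINUX.system) among the files Bastille handles, so the jail ends up holding a second copy of password hashes and, on a typical host, other key material under `/etc` — a copy that does not follow later rotations or permission changes of the originals. Listing the specific `/etc` entries the jailed `bastille -c` needs, or at least excluding `shadow`, `gshadow` and key files, would keep the jail minimal. What `preserve=["/etc/Bastille"]` is meant to protect across runs (presumably the jail's copy on a rebuild, given `cleanJailFirst=0`) is not visible here; a one-line comment stating that intent would help the next packager.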
@@ -0,0 +1,49 @@
+.\" Hey, EMACS: -*- nroff -*-
+.TH UNDOBASTILLE 8 "May 10th, 2001"
+.SH NAME
+RevertBastille \- revert changes made by Bastille
+.SH SYNOPSIS
+.B RevertBastille
+.SH DESCRIPTION
+This manual page briefly documents
+.BR RevertBastille .
+.PP
+This manual page was written for the Debian GNU/Linux distribution
+because the original program does not have a manual page.
+.PP
+.B RevertBastille
+can reverse changes made by other Bastille programs so the filesystem
+and programs revert to the situation they were in before running Bastille.
+
+.SH OPTIONS
+.B RevertBastille
+takes the same options as Bastille.
+
+.SH FILES
+.I /etc/Bastille/config
+.RS
+Configuration file which defines all the security measures selected by
+the administrator to be enabled.
+.RE
+.I /var/log/Bastille/revert/
+.RS
+Directory holding all information for the revert operation.
+
+.SH SEE ALSO
+.BR bastille (7),
+.BR AutomatedBastille (8),
+.BR BastilleBackend (8),
+.BR InteractiveBastille (8),
+.BR BastilleChooser (8).
+.br
+The programs have more documentation available at
+.B /usr/share/doc/bastille
+on Debian systems.
+.SH AUTHOR
+This manual page was written by
+Javier Fern\['a]ndez-Sanguino Pe\[~n]a
+for the Debian GNU/Linux system (but may be used on other systems).
+.PP
+.B Bastille
+was primarily written by Jay Beale, and is
+licensed under the GNU General Public License
--- bastille-3.0.9.orig/docs/user_guide.txt
+++ bastille-3.0.9/docs/user_guide.txt
@@ -63,7 +63,7 @@ Linux: 1. The Bastille Linux home page contains download and installation instructions for Mandrake and Red Hat:
- http://bastille-linux.org/#get
+ http://bastille-unix.org/#get
 HP-UX (If Perl/Bastille not already installed with OE): 1. Download Perl:
--- bastille-3.0.9.orig/docs/bastille.1m
+++ bastille-3.0.9/docs/bastille.1m
@@ -44,13 +44,14 @@ that help limit the vulnerability of common Internet services, like Web servers and DNS. This tool currently hardens
+Debian GNU/Linux 2.2-5.0,
 Red Hat 6.0-8.0, Mandrake 6.0-8.1, HP-UX 11.00, HP-UX 11i v1, and HP-UX 11i v2.
-It is currently being tested on Debian, Suse, and Turbo Linux.
+It is currently being tested on Suse and Turbo Linux.
 .PP
 The utility includes a user interface and a configuration engine. The primary user interface is an X interface via Perl/Tk.
@@ -279,11 +280,20 @@ The To-Do list contains the actions that remain for you to do to ensure the machine is secure.
 .SH SEE ALSO
-perl(1),
-fstab(4)
+.BR perl(1),
+.BR fstab(4),
+.BR bastille (7),
+.BR InteractiveBastille (8),
+.BR BastilleBackEnd (8),
+.BR UndoBastille (8),
+.BR BastilleChooser (8).
+.br
+These programs include more documentation available at
+.B /usr/share/doc/bastille
+on Debian systems.
 .PP
 Other useful documentation includes:
-.RS0
+.RS
 .TP
 .IR "The Linux Security HOWTO"
 Available at
--- bastille-3.0.9.orig/OSMap/LINUX.bastille
+++ bastille-3.0.9/OSMap/LINUX.bastille
@@ -1,10 +1,10 @@
 bdir,QuestionsDir,'/usr/share/Bastille/Questions'
-bdir,backup,'/var/log/Bastillerevert/backup'
+bdir,backup,'/var/log/Bastille/revert/backup'
 bdir,config,'/etc/Bastille'
 bdir,home,'/root/Bastille'
 bdir,log,'/var/log/Bastille'
-bdir,oldconfig,'/var/log/Bastilleoldconfig'
-bdir,revert,'/var/log/Bastillerevert'
+bdir,oldconfig,'/var/log/Bastille/oldconfig'
+bdir,revert,'/var/log/Bastille/revert'
 bdir,share,'/usr/share/Bastille'
@@ -13,22 +13,23 @@
 bfile,QuestionsWeights,'/usr/share/Bastille/Weights.txt'
 bfile,QuestionsModules,'/usr/share/Bastille/Modules.txt'
 bfile,TODO,'/var/log/Bastille/TODO'
-bfile,TOREVERT,'/var/log/Bastillerevert/TOREVERT.txt'
+bfile,TOREVERT,'/var/log/Bastille/revert/TOREVERT.txt'
 bfile,action-log,'/var/log/Bastille/action-log'
 bfile,complete.xbm,'/usr/share/Bastille/complete.xbm'
 bfile,config,'/etc/Bastille/config'
-bfile,created-dirs,'/var/log/Bastillerevert/revert-created-dirs'
-bfile,created-files,'/var/log/Bastillerevert/revert-created-files'
-bfile,created-symlinks,'/var/log/Bastillerevert/revert-created-symlinks'
+bfile,created-dirs,'/var/log/Bastille/revert/revert-created-dirs'
+bfile,created-files,'/var/log/Bastille/revert/revert-created-files'
+bfile,created-symlinks,'/var/log/Bastille/revert/revert-created-symlinks'
 bfile,credits,'/usr/share/Bastille/Credits'
 bfile,debug-log,'/var/log/Bastille/debug-log'
 bfile,error-log,'/var/log/Bastille/error-log'
-bfile,executed-commands,'/var/log/Bastillerevert/revert-executed-commands'
+bfile,executed-commands,'/var/log/Bastille/revert/revert-executed-commands'
 bfile,incomplete.xbm,'/usr/share/Bastille/incomplete.xbm'
 bfile,last.config,'/var/log/Bastille/last.config'
 bfile,lockfile,'/var/lock/subsys/bastille-lock'
+bfile,lockfile,'/var/lock/bastille/bastille-lock',DB
 bfile,nodisclaimer,'/usr/share/Bastille/.nodisclaimer'
-bfile,removed-symlinks,'/var/log/Bastillerevert/revert-removed-symlinks'
-bfile,revert-actions,'/var/log/Bastillerevert/revert-actions'
-bfile,revert-directory-perms.sh,'/var/log/Bastillerevert/revert-directory-perms.sh'
-bfile,sum.csv,'/var/log/Bastillerevert/sum.csv'
+bfile,removed-symlinks,'/var/log/Bastille/revert/revert-removed-symlinks'
+bfile,revert-actions,'/var/log/Bastille/revert/revert-actions'
+bfile,revert-directory-perms.sh,'/var/log/Bastille/revert/revert-directory-perms.sh'
+bfile,sum.csv,'/var/log/Bastille/revert/sum.csv'
--- bastille-3.0.9.orig/OSMap/LINUX.system
+++ 
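Review bot: The new Debian lock path `'/var/lock/bastille/bastille-lock'` sits inside `/var/lock/bastille`, a directory nothing in this hunk creates; whichever component does create it should do so with a restrictive mode, and the lock itself should be taken atomically (create-exclusive), because `/var/lock` is commonly world-writable and a pre-existing file at that path would otherwise block every hardening run. If another Bastille script uses `/var/lock/bastille` itself as a mkdir-style lock rather than a file inside it, a left-over `bastille-lock` keeps the directory non-empty and that lock can never be cleared — worth confirming against the firewall init script this same patch installs. A short comment next to the DB entry naming the directory's owner and lifetime would record that contract.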
bastille-3.0.9/OSMap/LINUX.system
@@ -10,6 +10,7 @@
 bin,cardctl,'/sbin/cardctl'
 bin,chattr,'/usr/bin/chattr'
 bin,chgrp,'/bin/chgrp'
+# Debian does not have chkconfig
 bin,chkconfig,'/sbin/chkconfig'
 bin,chmod,'/bin/chmod'
 bin,chown,'/bin/chown'
@@ -25,6 +26,7 @@
 bin,grep,'/usr/bin/grep',SE
 bin,groupadd,'/usr/sbin/groupadd'
 bin,inndstart,'/usr/bin/inndstart'
+bin,inndstart,'/usr/sbin/inndstart',DB
 bin,killall,'/usr/bin/killall'
 bin,lilo,'/sbin/lilo'
 bin,ln,'/bin/ln'
@@ -57,12 +59,14 @@
 bin,rm,'/bin/rm'
 bin,rmdir,'/bin/rmdir'
 bin,rpm,'/bin/rpm'
+bin,rpm,'usr/bin/rpm',DB
 bin,rsh,'/usr/bin/rsh'
 bin,rcp,'/usr/bin/rcp'
 bin,rshd,'/usr/sbin/in.rshd'
 bin,sendmail,'/usr/sbin/sendmail'
 bin,smbmnt,'/usr/bin/smbmnt'
 bin,startinnfeed,'/usr/bin/startinnfeed'
+bin,startinnfeed,'/usr/sbin/startinnfeed',DB
 bin,sulogin,'/sbin/sulogin'
 bin,touch,'/bin/touch'
 bin,traceroute,'/usr/sbin/traceroute'
@@ -97,6 +101,7 @@
 file,accton,'/usr/sbin/accton'
 file,accton,'/sbin/accton',RH6.2
+# Debian does not provide this file
 file,banners_makefile,'/usr/share/doc/tcp_wrappers-7.5/Banners.Makefile'
 file,banners_makefile,'/usr/share/doc/tcp_wrappers-7.6/Banners.Makefile',RH7.2,RHEL2,RHEL3
 file,banners_makefile,'/usr/share/doc/packages/tcp_wrappers-7.6/Banners.Makefile',TB7.0
@@ -126,9 +131,12 @@
 file,initd_gpm,'/etc/init.d/gpm'
 file,chkconfig_httpd,'/etc/rc.d/rc3.d/S85httpd'
-file,chkconfig_httpd,'/etc/rc3.d/S91httpd',DB
+file,chkconfig_httpd,'/etc/rc3.d/S20apache',DB
+file,chkconfig_httpd2,'/etc/rc3.d/S91apache2',DB
 file,initd_httpd,'/etc/init.d/httpd'
+file,initd_httpd,'/etc/init.d/apache',DB
 file,initd_httpd2,'/etc/init.d/httpd2'
+file,initd_httpd2,'/etc/init.d/apache2',DB
 file,chkconfig_innd,'/etc/rc.d/rc3.d/S95innd'
 file,chkconfig_innd,'/etc/rc3.d/S95innd',DB
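Review bot: `+bin,rpm,'usr/bin/rpm',DB` in the `@@ -57,12` hunk lacks the leading slash that every other `bin,` entry has, so on Debian this entry names a path relative to whatever directory Bastille happens to be run from rather than `/usr/bin/rpm` — a functional miss, and a relative binary path is exactly what a hardening tool running as root should never execute; it should read `bin,rpm,'/usr/bin/rpm',DB`. The `# Debian does not have chkconfig` and `# Debian does not provide this file` lines (hunks `@@ -10,6` and `@@ -97,6`) are the first `#` lines in the visible parts of this file; whether the OSMap reader skips comment lines is not shown here and is worth confirming before the file relies on them.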
@@ -138,7 +146,7 @@
 file,initd_kudzu,'/etc/init.d/kudzu'
 file,chkconfig_named,'/etc/rc.d/rc3.d/S55named'
-file,chkconfig_named,'/etc/rc3.d/S15named',DB
+file,chkconfig_named,'/etc/rc3.d/S15bind',DB
 file,initd_named,'/etc/init.d/named'
 file,chkconfig_nfs,'/etc/rc.d/rc3.d/S60nfs'
@@ -185,13 +193,14 @@
 file,gcc,'/usr/bin/gcc'
 file,g++,'/usr/bin/g++'
 file,gdm.conf,/etc/X11/gdm/gdm.conf
+file,gdm.conf,/etc/gdm/gdm.conf,DB
 file,group,'/etc/group'
 file,passwd,'/etc/passwd'
 file,shadow,'/etc/shadow'
 file,grub.conf,'/etc/grub.conf'
 file,grub.conf,'/boot/grub/grub.conf',RH9,RHEL,RHFC
-file,grub.conf,'/boot/grub/menu.lst',SE,MN
+file,grub.conf,'/boot/grub/menu.lst',SE,MN,DB
 file,hosts.allow,'/etc/hosts.allow'
 file,hosts.deny,'/etc/hosts.deny'
@@ -199,6 +208,7 @@
 file,httpd,'/usr/sbin/apache',DB
 file,httpd2,'/usr/sbin/httpd2'
+file,httpd2,'/usr/sbin/apache2',DB
 file,httpd.conf,'/etc/httpd/conf/httpd.conf'
 file,httpd.conf,'/etc/apache/httpd.conf',DB
@@ -231,6 +241,7 @@
 file,motd,'/etc/motd'
 file,mtab,'/etc/mtab'
 file,named,'/usr/sbin/named'
+file,named,'/usr/sbin/bind',DB
 file,pam_access.conf,'/etc/security/access.conf'
 file,pamd_passwd,'/etc/pam.d/passwd'
 file,profile,'/etc/profile'
@@ -243,6 +254,7 @@
 file,sendmail.cf,'/etc/sendmail.cf'
 file,sysctl.conf,'/etc/sysctl.conf'
 file,syslog.conf,'/etc/syslog.conf'
+# TODO: Review for Debian
 file,sysconfig_audit,'/etc/sysconfig/audit'
 file,sysconfig_named,'/etc/sysconfig/named'
 file,sysconfig_sendmail,'/etc/sysconfig/sendmail'
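Review bot: In the `@@ -138,7` hunk the Debian rc link becomes `S15bind`, but `file,initd_named,'/etc/init.d/named'` gets no DB override, so on Debian the init-script entry and the rc link now refer to different scripts (`/etc/init.d/named` versus the `bind` script an `S15bind` link would point at); a matching `file,initd_named,'/etc/init.d/bind',DB` looks like what was intended. Likewise `+file,named,'/usr/sbin/bind',DB` in the `@@ -231,6` hunk probably points at a binary that does not exist — as far as I recall Debian's bind package installs the daemon as `/usr/sbin/named`, so the existing generic entry already fits; please verify on a Debian host before keeping the override. Style: `+file,gdm.conf,/etc/gdm/gdm.conf,DB` copies the unquoted form of the existing `gdm.conf` line, while every other value in these hunks is single-quoted; if the reader accepts both, a comment saying so would stop the next editor "fixing" it.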