diff -urN Bastille.orig/AutomatedBastille Bastille/AutomatedBastille --- Bastille.orig/AutomatedBastille 2005-04-06 01:18:11.000000000 +0200 +++ Bastille/AutomatedBastille 2014-06-07 13:15:52.877123074 +0200 @@ -80,7 +80,7 @@ use Curses::Widgets; # Hardcoded List of configurations -- to be replaced by list read from file -@list = ("Default_Workstation","Default_Workstation_plus_Firewall","Quit"); +@list = ("WorkstationLax","WorkstationModerate","WorkstationParanoia","ServerLax","ServerModerate","ServerParanoia","Quit"); $window = new Curses; @@ -113,7 +113,7 @@ endwin; unless ($selection == $#list) { - $file = $list[$selection]; + $file = $list[$selection].".config"; } else { exit 0; diff -urN Bastille.orig/Bastille/Apache.pm Bastille/Bastille/Apache.pm --- Bastille.orig/Bastille/Apache.pm 2005-04-11 11:43:51.000000000 +0200 +++ Bastille/Bastille/Apache.pm 2014-06-07 13:15:52.877123074 +0200 @@ -35,7 +35,7 @@ if ( &getGlobalConfig("Apache","apacheoff") eq "Y" ) { &B_log("ACTION","# sub DeactivateApacheServer\n"); - &B_chkconfig_off ("httpd"); + &B_chkconfig_off ("apache2"); } } diff -urN Bastille.orig/Bastille/API.pm Bastille/Bastille/API.pm --- Bastille.orig/Bastille/API.pm 2006-04-03 15:16:05.000000000 +0200 +++ Bastille/Bastille/API.pm 2014-06-07 13:15:52.879123148 +0200 @@ -461,6 +461,9 @@ } close(TURBOLINUX_RELEASE); } + elsif ( -e "/etc/gentoo-release") { + $distro="GN"; # Rolling releases in Gentoo + } else { # We're either on Mac OS X, HP-UX or an unsupported O/S. if ( -x '/usr/bin/uname') { @@ -567,7 +570,8 @@ "SE7.2","SE7.3", "SE8.0","SE8.1","SE9.0","SE9.1", "SE9.2","SE9.3","SE10.0", "SESLES8","SESLES9", - "TB7.0" + "TB7.0", + "GN" ], "HP-UX" => [ @@ -2672,6 +2676,15 @@ } } + elsif (&GetDistro =~ /^GN/) { + $rcupdate = &getGlobal('BIN', "chkconfig") . " add " . "$startup_script default"; + if (system($rcupdate) == 0) { + return 1; + } + else { + return 0; + } + } # # Run through the init script looking for the chkconfig line... 
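Review bot: The service name passed to `B_chkconfig_off` in Bastille/Apache.pm is now `apache2` on every distribution, not only Gentoo. On distributions whose init script is still called `httpd`, answering apacheoff=Y would presumably leave the web server enabled while the step is logged as performed. Choosing the name by distribution keeps the old behaviour elsewhere, for example `&B_chkconfig_off( (&GetDistro =~ /^GN/) ? "apache2" : "httpd" );`, assuming `GetDistro` is visible in this module as it is in Firewall.pm. The enclosing sub starts outside the hunk.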
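Review bot: In the API.pm hunk at @@ -2672 the new Gentoo branch calls `system($rcupdate)` with one concatenated string, so `$startup_script` is parsed by /bin/sh with whatever privileges Bastille runs under, and any whitespace or shell metacharacter in the name changes the command. The list form bypasses the shell: `return system(&getGlobal('BIN',"chkconfig"), "add", $startup_script, "default") == 0 ? 1 : 0;`. `$rcupdate` is also assigned without `my`, which makes it a package global. The `del` branch added in the @@ -2847 hunk has the same two problems and would take `"del", $startup_script` in list form. Both enclosing subs begin and end outside the hunks.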
@@ -2847,6 +2860,16 @@ } } + elsif (&GetDistro =~ /^GN/) { + $rcupdate = &getGlobal('BIN', "chkconfig") . " del $startup_script"; + if (system($rcupdate) == 0) + { + return 1; + } + else { + return 0; + } + } else { # Run through the init script looking for the chkconfig line... diff -urN Bastille.orig/Bastille/API.pm.sweth Bastille/Bastille/API.pm.sweth --- Bastille.orig/Bastille/API.pm.sweth 2005-04-06 01:18:11.000000000 +0200 +++ Bastille/Bastille/API.pm.sweth 2014-06-07 13:15:52.880123189 +0200 @@ -482,6 +482,16 @@ "log" => "/usr/adm", "httpd.conf" => "/var/lib/apache/conf/httpd.conf", "httpd_access.conf" => "/var/lib/apache/conf/access.conf" + }, + "GN" => { + "chattr" => "/bin/chattr", + "floppy" => "/mnt/floppy", + "group" => "/etc/group", + "httpd.conf" => "/etc/apache2/httpd.conf", + "httpd_access.conf" => "/etc/apache2/access.conf", + "initd" => "/etc/init.d", + "rcd" => "/etc/runlevels", + "rpm" => "/usr/bin/rpm" } ); foreach my $DISTRO_FILE (keys %{$DISTRO_PATHS{'default'}}) { diff -urN Bastille.orig/Bastille/Firewall.pm Bastille/Bastille/Firewall.pm --- Bastille.orig/Bastille/Firewall.pm 2005-04-06 21:30:35.000000000 +0200 +++ Bastille/Bastille/Firewall.pm 2014-06-07 13:15:52.881123225 +0200 @@ -276,10 +276,6 @@ # only do this if the user answered ipchains questions if ( &getGlobalConfig($configPrefix,"ip_intro") eq 'Y' ) { - # Put the init script in place. - &B_place($virgin_init_script,$firewall_init_script); - &B_chmod(0500,$firewall_init_script); - # Put the ipchains script in place. &B_place($virgin_ipchains_script,$firewall_ipchains_script); &B_chmod(0500,$firewall_ipchains_script); 
@@ -404,6 +400,13 @@ } } + elsif ( &GetDistro =~ /^GN/ && &getGlobalConfig($configPrefix,"ip_enable_firewall") eq 'Y' ) { + &B_log("ACTION","# Firewall.pm: enabling firewall with distribution B_chkconfig_on\n"); + &B_chkconfig_on("bastille-firewall"); + if ( -x $firewall_init_script ) { + `$firewall_init_script start`; + } + } } # end of things to do if ipchains was chosen if ( &getGlobalConfig($configPrefix,"ip_intro") eq 'N' ) { diff -urN Bastille.orig/Bastille/IOLoader.pm Bastille/Bastille/IOLoader.pm --- Bastille.orig/Bastille/IOLoader.pm 2006-04-03 15:16:13.000000000 +0200 +++ Bastille/Bastille/IOLoader.pm 2014-06-07 13:15:52.882123261 +0200 @@ -213,7 +213,7 @@ # making sure to respect recursively defined macros. if ($data =~ /\bLINUX\b/) { - my $supported_distros = 'RH MN RHEL RHFC DB SE'; + my $supported_distros = 'RH MN RHEL RHFC DB SE GN'; $data =~ s/\bLINUX\b/$supported_distros/; } if ($data =~ /\bRH\b/) { diff -urN Bastille.orig/Bastille/Logging.pm Bastille/Bastille/Logging.pm --- Bastille.orig/Bastille/Logging.pm 2005-04-08 06:42:54.000000000 +0200 +++ Bastille/Bastille/Logging.pm 2014-06-07 13:15:52.882123261 +0200 
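Review bot: The Gentoo branch added at @@ -404 in Firewall.pm starts the firewall with backticks in void context, so the exit status is thrown away and a firewall that fails to come up leaves no trace in the Bastille log. Something like `system($firewall_init_script, "start") == 0 or &B_log("ERROR","# Firewall.pm: bastille-firewall failed to start\n");` would surface the failure and avoid the shell. The @@ -276 hunk of this patch removes the `B_place`/`B_chmod` of the init script, so the `-x $firewall_init_script` test now depends on the script being installed by some other step. When it is missing, the service is enabled but nothing is started and nothing is reported, so an `else` that logs the missing script would help. The enclosing block starts outside the hunk.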
@@ -45,25 +45,30 @@ # # Also configure the 7th and 8th TTYs for more logging. - my $var_log_syslog_lines= < 2 {print}')" ]; then + # We are using Linux 2.3 or newer; use the netfilter script if available + if [ -x ${BASTILLEPREFIX}/bastille-netfilter ]; then + REALSCRIPT=${BASTILLEPREFIX}/bastille-netfilter + fi + fi + + ebegin "Starting bastille-firewall" + $REALSCRIPT start + eend $? "Failed to start bastille-firewall" +} + +stop() { + # "Borrowed" from the original bastille-firewall init script ((c) P. Watkins) + REALSCRIPT=${BASTILLEPREFIX}/bastille-ipchains + if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then + # We are using Linux 2.3 or newer; use the netfilter script if available + if [ -x ${BASTILLEPREFIX}/bastille-netfilter ]; then + REALSCRIPT=${BASTILLEPREFIX}/bastille-netfilter + fi + fi + + ebegin "Stopping bastille-firewall" + $REALSCRIPT stop + eend $? "Failed to stop bastille-firewall" +} + diff -urN Bastille.orig/bastille-netfilter Bastille/bastille-netfilter --- Bastille.orig/bastille-netfilter 2005-04-06 01:18:11.000000000 +0200 +++ Bastille/bastille-netfilter 2014-06-07 13:15:52.883123307 +0200 
@@ -56,8 +56,42 @@ fi if [ ! -f ${CONFIG} ]; then - echo "ERROR: unable to read configuration file \"${CONFIG}\"" - exit 1 + if [ "$1" == "stop" ]; then + echo "INFO: called stop without a configuration file. Emergency firewall clear." + + # flushing leaves the default input at ${REJECT_METHOD} + echo -n "resetting default input rules to accept..." + ${IPTABLES} -P INPUT ACCEPT + echo " done." + echo -n "resetting default output rule to accept..." + ${IPTABLES} -P OUTPUT ACCEPT + echo " done." + # We disabled forwarding with the /proc interface, but we + # reset FORWARD to ACCEPT because that;s the normal default + echo -n "resetting default forward rule to accept..." + ${IPTABLES} -P FORWARD ACCEPT + echo " done." + for chain in INPUT OUTPUT FORWARD ; do + echo -n "flushing ${chain} rules..." + ${IPTABLES} -F ${chain} + echo " done." + done + for chain in PREROUTING POSTROUTING ; do + ${IPTABLES} -t nat -F ${chain} + done + ${IPTABLES} -t mangle -F PREROUTING + # flush and delete the user-defined chains + echo -n "removing user-defined chains..." + for chain in PUB_IN PUB_OUT INT_IN INT_OUT PAROLE ; do + ${IPTABLES} -F ${chain} + ${IPTABLES} -X ${chain} + done + echo " done." + exit 0 + else + echo "ERROR: unable to read configuration file \"${CONFIG}\"" + exit 1 + fi fi # source the configuration file, which will set environment variables diff -urN Bastille.orig/Install.sh Bastille/Install.sh --- Bastille.orig/Install.sh 2005-04-18 23:26:39.000000000 +0200 +++ Bastille/Install.sh 2014-06-07 13:16:38.279233102 +0200 
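Review bot: With the configuration file missing, `stop` now sets the INPUT, OUTPUT and FORWARD policies to ACCEPT, flushes every chain and exits 0, so a deleted or unreadable config turns a stop request into a fully open host with a success status. None of the `${IPTABLES}` calls is checked, and the branch runs before the configuration is sourced, so it relies on `${IPTABLES}` already being set earlier in the script, which this hunk does not show. The test `[ "$1" == "stop" ]` uses `==`, which is not portable to a plain POSIX `sh`; `[ "$1" = "stop" ]` is safe under any shell. I would also word the message as a warning that filtering is being removed, and drop the copied comment about disabling forwarding through /proc, since this path does not touch it.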
@@ -1,107 +1,109 @@ #!/bin/sh umask 077 -RPM_BUILD_ROOT="" -mkdir -p $RPM_BUILD_ROOT/usr/sbin -mkdir -p $RPM_BUILD_ROOT/usr/lib/perl5/site_perl/Curses -mkdir -p $RPM_BUILD_ROOT/usr/lib/Bastille -mkdir -p $RPM_BUILD_ROOT/usr/share/Bastille -mkdir -p $RPM_BUILD_ROOT/usr/share/Bastille/OSMap -mkdir -p $RPM_BUILD_ROOT/usr/share/Bastille/Questions -mkdir -p $RPM_BUILD_ROOT/usr/share/Bastille/FKL/configs/ -mkdir -p $RPM_BUILD_ROOT/var/lock/subsys/bastille +eval `perl -V:version` +PERLVERSION=${version} + +mkdir -p ${DESTDIR}/usr/sbin +mkdir -p ${DESTDIR}/usr/lib/perl5/vendor_perl/${PERLVERSION}/Curses +mkdir -p ${DESTDIR}/usr/lib/Bastille +mkdir -p ${DESTDIR}/usr/share/Bastille +mkdir -p ${DESTDIR}/usr/share/Bastille/OSMap +mkdir -p ${DESTDIR}/usr/share/Bastille/Questions +mkdir -p ${DESTDIR}/usr/share/Bastille/FKL/configs/ +mkdir -p ${DESTDIR}/var/lock/subsys/bastille -cp AutomatedBastille $RPM_BUILD_ROOT/usr/sbin/ -cp BastilleBackEnd $RPM_BUILD_ROOT/usr/sbin -cp Bastille_Curses.pm $RPM_BUILD_ROOT/usr/lib/perl5/site_perl -cp Bastille_Tk.pm $RPM_BUILD_ROOT/usr/lib/perl5/site_perl -cp Curses/Widgets.pm $RPM_BUILD_ROOT/usr/lib/perl5/site_perl/Curses -cp InteractiveBastille $RPM_BUILD_ROOT/usr/sbin +cp AutomatedBastille ${DESTDIR}/usr/sbin/ +cp BastilleBackEnd ${DESTDIR}/usr/sbin +cp Bastille_Curses.pm ${DESTDIR}/usr/lib/perl5/vendor_perl/${PERLVERSION} +cp Bastille_Tk.pm ${DESTDIR}/usr/lib/perl5/vendor_perl/${PERLVERSION} +cp Curses/Widgets.pm ${DESTDIR}/usr/lib/perl5/vendor_perl/${PERLVERSION}/Curses +cp InteractiveBastille ${DESTDIR}/usr/sbin # Questions.txt has been replaced by Modules.txt and Questions/ -#cp Questions.txt $RPM_BUILD_ROOT/usr/share/Bastille -cp Modules.txt $RPM_BUILD_ROOT/usr/share/Bastille +#cp Questions.txt ${DESTDIR}/usr/share/Bastille +cp Modules.txt ${DESTDIR}/usr/share/Bastille # New Weights file(s). 
-cp Weights.txt $RPM_BUILD_ROOT/usr/share/Bastille +cp Weights.txt ${DESTDIR}/usr/share/Bastille # Castle graphic -cp bastille.jpg $RPM_BUILD_ROOT/usr/share/Bastille/ +cp bastille.jpg ${DESTDIR}/usr/share/Bastille/ # Javascript file -cp wz_tooltip.js $RPM_BUILD_ROOT/usr/share/Bastille/ -cp Credits $RPM_BUILD_ROOT/usr/share/Bastille -cp FKL/configs/fkl_config_redhat.cfg $RPM_BUILD_ROOT/usr/share/Bastille/FKL/configs/ - -cp RevertBastille $RPM_BUILD_ROOT/usr/sbin -ln -s $RPM_BUILD_ROOT/usr/sbin/RevertBastille $RPM_BUILD_ROOT/usr/sbin/UndoBastille -cp bin/bastille $RPM_BUILD_ROOT/usr/sbin -chmod +x $RPM_BUILD_ROOT/usr/sbin/RevertBastille -cp bastille-firewall $RPM_BUILD_ROOT/usr/share/Bastille -cp bastille-firewall-reset $RPM_BUILD_ROOT/usr/share/Bastille -cp bastille-firewall-schedule $RPM_BUILD_ROOT/usr/share/Bastille -cp bastille-tmpdir-defense.sh $RPM_BUILD_ROOT/usr/share/Bastille -cp bastille-tmpdir.csh $RPM_BUILD_ROOT/usr/share/Bastille -cp bastille-tmpdir.sh $RPM_BUILD_ROOT/usr/share/Bastille -cp bastille-firewall.cfg $RPM_BUILD_ROOT/usr/share/Bastille -cp bastille-ipchains $RPM_BUILD_ROOT/usr/share/Bastille -cp bastille-netfilter $RPM_BUILD_ROOT/usr/share/Bastille -cp bastille-firewall-early.sh $RPM_BUILD_ROOT/usr/share/Bastille -cp bastille-firewall-pre-audit.sh $RPM_BUILD_ROOT/usr/share/Bastille -cp complete.xbm $RPM_BUILD_ROOT/usr/share/Bastille -cp incomplete.xbm $RPM_BUILD_ROOT/usr/share/Bastille -cp ifup-local $RPM_BUILD_ROOT/usr/share/Bastille - - -cp hosts.allow $RPM_BUILD_ROOT/usr/share/Bastille -cp Bastille/AccountSecurity.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/Apache.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/API.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/BootSecurity.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/ConfigureMiscPAM.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/DisableUserTools.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/DNS.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/FilePermissions.pm 
$RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/FTP.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/Firewall.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/HP_API.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/OSX_API.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/LogAPI.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/HP_UX.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/IOLoader.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/Patches.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/Logging.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/MiscellaneousDaemons.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/PatchDownload.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/Printing.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/PSAD.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/RemoteAccess.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/SecureInetd.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/Sendmail.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/TMPDIR.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/test_AccountSecurity.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/test_Apache.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/test_DNS.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/test_FTP.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/test_HP_UX.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/test_MiscellaneousDaemons.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/test_SecureInetd.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/test_Sendmail.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/test_BootSecurity.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/test_DisableUserTools.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/test_FilePermissions.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/test_Logging.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/test_Printing.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/TestAPI.pm $RPM_BUILD_ROOT/usr/lib/Bastille -cp Bastille/IPFilter.pm $RPM_BUILD_ROOT/usr/lib/Bastille - - - -cp 
OSMap/LINUX.bastille $RPM_BUILD_ROOT/usr/share/Bastille/OSMap -cp OSMap/LINUX.system $RPM_BUILD_ROOT/usr/share/Bastille/OSMap -cp OSMap/HP-UX.bastille $RPM_BUILD_ROOT/usr/share/Bastille/OSMap -cp OSMap/HP-UX.system $RPM_BUILD_ROOT/usr/share/Bastille/OSMap -cp OSMap/HP-UX.service $RPM_BUILD_ROOT/usr/share/Bastille/OSMap -cp OSMap/OSX.bastille $RPM_BUILD_ROOT/usr/share/Bastille/OSMap -cp OSMap/OSX.system $RPM_BUILD_ROOT/usr/share/Bastille/OSMap +cp wz_tooltip.js ${DESTDIR}/usr/share/Bastille/ +cp Credits ${DESTDIR}/usr/share/Bastille +cp FKL/configs/fkl_config_redhat.cfg ${DESTDIR}/usr/share/Bastille/FKL/configs/ + +cp RevertBastille ${DESTDIR}/usr/sbin +ln -s ${DESTDIR}/usr/sbin/RevertBastille ${DESTDIR}/usr/sbin/UndoBastille +cp bin/bastille ${DESTDIR}/usr/sbin +chmod +x ${DESTDIR}/usr/sbin/RevertBastille +cp bastille-firewall ${DESTDIR}/usr/share/Bastille +cp bastille-firewall-reset ${DESTDIR}/usr/share/Bastille +cp bastille-firewall-schedule ${DESTDIR}/usr/share/Bastille +cp bastille-tmpdir-defense.sh ${DESTDIR}/usr/share/Bastille +cp bastille-tmpdir.csh ${DESTDIR}/usr/share/Bastille +cp bastille-tmpdir.sh ${DESTDIR}/usr/share/Bastille +cp bastille-firewall.cfg ${DESTDIR}/usr/share/Bastille +cp bastille-ipchains ${DESTDIR}/usr/share/Bastille +cp bastille-netfilter ${DESTDIR}/usr/share/Bastille +cp bastille-firewall-early.sh ${DESTDIR}/usr/share/Bastille +cp bastille-firewall-pre-audit.sh ${DESTDIR}/usr/share/Bastille +cp complete.xbm ${DESTDIR}/usr/share/Bastille +cp incomplete.xbm ${DESTDIR}/usr/share/Bastille +cp ifup-local ${DESTDIR}/usr/share/Bastille + + +cp hosts.allow ${DESTDIR}/usr/share/Bastille +cp Bastille/AccountSecurity.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/Apache.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/API.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/BootSecurity.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/ConfigureMiscPAM.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/DisableUserTools.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/DNS.pm 
${DESTDIR}/usr/lib/Bastille +cp Bastille/FilePermissions.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/FTP.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/Firewall.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/HP_API.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/OSX_API.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/LogAPI.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/HP_UX.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/IOLoader.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/Patches.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/Logging.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/MiscellaneousDaemons.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/PatchDownload.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/Printing.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/PSAD.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/RemoteAccess.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/SecureInetd.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/Sendmail.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/TMPDIR.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/test_AccountSecurity.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/test_Apache.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/test_DNS.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/test_FTP.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/test_HP_UX.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/test_MiscellaneousDaemons.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/test_SecureInetd.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/test_Sendmail.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/test_BootSecurity.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/test_DisableUserTools.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/test_FilePermissions.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/test_Logging.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/test_Printing.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/TestAPI.pm ${DESTDIR}/usr/lib/Bastille +cp Bastille/IPFilter.pm ${DESTDIR}/usr/lib/Bastille + + + +cp OSMap/LINUX.bastille ${DESTDIR}/usr/share/Bastille/OSMap +cp OSMap/LINUX.system 
${DESTDIR}/usr/share/Bastille/OSMap +cp OSMap/HP-UX.bastille ${DESTDIR}/usr/share/Bastille/OSMap +cp OSMap/HP-UX.system ${DESTDIR}/usr/share/Bastille/OSMap +cp OSMap/HP-UX.service ${DESTDIR}/usr/share/Bastille/OSMap +cp OSMap/OSX.bastille ${DESTDIR}/usr/share/Bastille/OSMap +cp OSMap/OSX.system ${DESTDIR}/usr/share/Bastille/OSMap for file in `cat Modules.txt` ; do - cp Questions/$file.txt $RPM_BUILD_ROOT/usr/share/Bastille/Questions + cp Questions/$file.txt ${DESTDIR}/usr/share/Bastille/Questions done diff -urN Bastille.orig/InteractiveBastille Bastille/InteractiveBastille --- Bastille.orig/InteractiveBastille 2006-04-03 15:16:23.000000000 +0200 +++ Bastille/InteractiveBastille 2014-06-07 13:15:52.885123358 +0200 @@ -372,17 +372,28 @@ } } +my $interface_available = 0; for my $interface_module ("Curses", "Tk") { - if ( $Interface eq $interface_module ) { - eval "use $interface_module"; - if ($@) { - &B_log("ERROR","Could not load the '${interface_module}.pm' interface module." . - "This may be due to an invalid \$DISPLAY setting,". - "or the module not being visible to Perl.\n\n"); - print '\n'; - exit 1; - } + eval "use $interface_module"; + if ($@) { + &B_log("ERROR","Could not load the '${interface_module}.pm' interface module." . + "This may be due to an invalid \$DISPLAY setting,". + "or the module not being visible to Perl.\n\n"); + if ( ( $interface_available == 1 ) && ( $interface_module eq "Tk" ) ) + { + $Interface = "Curses"; + } } + else + { + $interface_available = 1; + } +} + +if ( $interface_available == 0 ) +{ + &B_log("ERROR","No suitable interface module found.\n"); + exit 1; } # KLUDGE: Load the stub... diff -urN Bastille.orig/OSMap/LINUX.system Bastille/OSMap/LINUX.system --- Bastille.orig/OSMap/LINUX.system 2006-04-03 15:42:28.000000000 +0200 +++ Bastille/OSMap/LINUX.system 2014-06-07 13:15:52.886123379 +0200 
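Review bot: `ln -s ${DESTDIR}/usr/sbin/RevertBastille ${DESTDIR}/usr/sbin/UndoBastille` in Install.sh writes the staging prefix into the link target. The old `RPM_BUILD_ROOT` was empty, but once `DESTDIR` is set the installed UndoBastille points back into the build directory: dangling after the image is merged, or resolving to a path outside the package's control. A relative target avoids that: `ln -s RevertBastille "${DESTDIR}/usr/sbin/UndoBastille"`. The `${DESTDIR}` and `${PERLVERSION}` expansions are unquoted throughout. The result of the `eval` of `perl -V:version` is never checked, so an empty `version` would silently install the modules under `vendor_perl/` with no version directory; a guard such as `[ -n "${PERLVERSION}" ] || exit 1` after the assignment would stop that.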
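Review bot: The fallback in the InteractiveBastille loop only covers Tk failing after Curses has loaded. When `$Interface` is "Curses", Curses fails to load and Tk loads, `$interface_available` ends at 1 and `$Interface` still names the module that could not be loaded, so the script carries on past the check. The loop also logs an ERROR for whichever module is missing even when it was not the requested one. Recording which modules loaded, by name, and checking the requested one after the loop handles both directions; the sketch below assumes `$Interface` is always one of the two names, which the hunk does not show. The string `eval` is acceptable here only because the module names come from the fixed list.

```perl
my %interface_loaded;
for my $interface_module ("Curses", "Tk") {
    eval "use $interface_module";
    if ($@) {
        # … unchanged: B_log("ERROR", ...) for the module that failed …
    }
    else {
        $interface_loaded{$interface_module} = 1;
    }
}

unless ( $interface_loaded{$Interface} ) {
    # Fall back to whichever module did load, in either direction.
    ($Interface) = grep { $interface_loaded{$_} } ("Curses", "Tk");
    unless ( defined $Interface ) {
        &B_log("ERROR","No suitable interface module found.\n");
        exit 1;
    }
}
```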
@@ -1,4 +1,5 @@ bin,XFree86,'/usr/X11R6/bin/XFree86' +bin,XFree86,'/usr/bin/Xorg',GN bin,Xwrapper,'/usr/X11R6/bin/Xwrapper' bin,accton,'/usr/sbin/accton' @@ -9,8 +10,10 @@ bin,bash,'/bin/bash' bin,cardctl,'/sbin/cardctl' bin,chattr,'/usr/bin/chattr' +bin,chattr,'/bin/chattr',GN bin,chgrp,'/bin/chgrp' bin,chkconfig,'/sbin/chkconfig' +bin,chkconfig,'/sbin/rc-update',GN bin,chmod,'/bin/chmod' bin,chown,'/bin/chown' bin,cksum,'/usr/bin/cksum' @@ -20,6 +23,7 @@ bin,diff,'/usr/bin/diff' bin,dos,'/usr/bin/dos' bin,dump,'/sbin/dump' +bin,dump,'/usr/sbin/dump',GN bin,echo,'/bin/echo' bin,grep,'/bin/grep' bin,grep,'/usr/bin/grep',SE @@ -44,12 +48,13 @@ bin,named-xfer,'/usr/sbin/named-xfer' bin,ping,'/bin/ping' bin,ping6,'/usr/sbin/ping6',RH7.0,RH7.1,RH7.2,RH7.3,RH8.0,RH9,RHEL2 -bin,ping6,'/bin/ping6',DB,RHEL3,RHFC1,RHFC2,RHFC3,RHFC4,RHFC5,SE9.1,SE9.2,SE9.3,SE10.0,SESLES9 +bin,ping6,'/bin/ping6',DB,RHEL3,RHFC1,RHFC2,RHFC3,RHFC4,RHFC5,SE9.1,SE9.2,SE9.3,SE10.0,SESLES9,GN bin,ping6,'/usr/bin/ping6',MN9.2,MN10.0,MN10.1,MN2006.0 bin,ps,'/bin/ps' bin,rcp,'/usr/bin/rcp' bin,rdist,'/usr/bin/rdist' bin,restore,'/sbin/restore' +bin,restore,'/usr/sbin/restore',GN bin,rexec,'/usr/bin/rexec' bin,rexecd,'/usr/sbin/in.rexecd' bin,rlogin,'/usr/bin/rlogin' @@ -57,6 +62,7 @@ bin,rm,'/bin/rm' bin,rmdir,'/bin/rmdir' bin,rpm,'/bin/rpm' +bin,rpm,'/usr/bin/rpm',GN bin,rsh,'/usr/bin/rsh' bin,rcp,'/usr/bin/rcp' bin,rshd,'/usr/sbin/in.rshd' @@ -65,10 +71,12 @@ bin,startinnfeed,'/usr/bin/startinnfeed' bin,sulogin,'/sbin/sulogin' bin,touch,'/bin/touch' +bin,touch,'/usr/bin/touch',GN bin,traceroute,'/usr/sbin/traceroute' +bin,traceroute,'/usr/bin/traceroute',GN bin,traceroute6,'/bin/traceroute6' -bin,traceroute6,'/usr/sbin/traceroute6',RH7.0,RH7.1,RH7.2,RH7.3,RH8.0,RH9,RHEL2,MN9.2,MN10.0,MN10.1,MN2006.0 +bin,traceroute6,'/usr/sbin/traceroute6',RH7.0,RH7.1,RH7.2,RH7.3,RH8.0,RH9,RHEL2,MN9.2,MN10.0,MN10.1,MN2006.0,GN bin,traceroute6,'/usr/bin/traceroute6',DB bin,umount,'/bin/umount' 
@@ -82,13 +90,14 @@ dir,home,'/home' dir,initd,'/etc/rc.d/init.d' -dir,initd,'/etc/init.d',DB,SE,SLES +dir,initd,'/etc/init.d',DB,SE,SLES,GN dir,log,'/var/log' dir,pamd,'/etc/pam.d' dir,rcd,'/etc/rc.d' dir,rcd,'/etc',DB +dir,rcd,'/etc/runlevels',GN dir,sbin,'/sbin' dir,xinetd.d,'/etc/xinetd.d' @@ -104,6 +113,7 @@ file,chkconfig_apmd,'/etc/rc.d/rc3.d/S26apmd' file,chkconfig_apmd,'/etc/rc3.d/S26apmd',DB file,chkconfig_apmd,'/etc/rc.config',SE +file,chkconfig_apmd,'/etc/runlevels/default/apmd',GN file,initd_apmd,'/etc/init.d/apmd' file,initd_acpid,'/etc/init.d/acpid' @@ -114,24 +124,31 @@ file,chkconfig_dhcpd,'/etc/rc.d/rc3.d/S65dhcpd' file,chkconfig_dhcpd,'/etc/rc3.d/S65dhcpd',DB file,chkconfig_dhcpd,'/etc/rc.config',SE +file,chkconfig_dhcpd,'/etc/runlevels/default/dhcpd',GN file,initd_dhcpd,'/etc/init.d/dhcpd' file,chkconfig_gated,'/etc/rc.d/rc3.d/S32gated' file,chkconfig_gated,'/etc/rc3.d/S32gated',DB +file,chkconfig_gated,'/etc/runlevels/default/gated',GN file,initd_gated,'/etc/init.d/gated' file,chkconfig_gpm,'/etc/rc.d/rc3.d/S85gpm' file,chkconfig_gpm,'/etc/rc3.d/S20gpm',DB file,chkconfig_gpm,'/etc/rc.config',SE +file,chkconfig_gpm,'/etc/runlevels/default/gpm',GN file,initd_gpm,'/etc/init.d/gpm' file,chkconfig_httpd,'/etc/rc.d/rc3.d/S85httpd' file,chkconfig_httpd,'/etc/rc3.d/S91httpd',DB +file,chkconfig_httpd,'/etc/runlevels/default/apache2',GN file,initd_httpd,'/etc/init.d/httpd' file,initd_httpd2,'/etc/init.d/httpd2' +file,initd_httpd,'/etc/init.d/apache2',GN +file,initd_httpd2,'/etc/init.d/apache2',GN file,chkconfig_innd,'/etc/rc.d/rc3.d/S95innd' file,chkconfig_innd,'/etc/rc3.d/S95innd',DB +file,chkconfig_innd,'/etc/runlevels/default/innd',GN file,initd_innd,'/etc/init.d/innd' file,chkconfig_kudzu,'/etc/init.d/kudzu' 
@@ -139,6 +156,7 @@ file,chkconfig_named,'/etc/rc.d/rc3.d/S55named' file,chkconfig_named,'/etc/rc3.d/S15named',DB +file,chkconfig_named,'/etc/runlevels/default/named',GN file,initd_named,'/etc/init.d/named' file,chkconfig_nfs,'/etc/rc.d/rc3.d/S60nfs' @@ -149,6 +167,7 @@ file,chkconfig_pcmcia,'/etc/rc.d/rc3.d/S45pcmcia' file,chkconfig_pcmcia,'/etc/rc3.d/S45pcmcia',DB file,chkconfig_pcmcia,'/etc/rc.config',SE +file,chkconfig_pcmcia,'/etc/runlevels/default/pcmcia',GN file,initd_pcmcia,'/etc/init.d/pcmcia' file,initd_mDNSResponder,'/etc/init.d/mDNSResponder' @@ -163,6 +182,7 @@ file,chkconfig_routed,'/etc/rc.d/rc3.d/S55gated' file,chkconfig_routed,'/etc/rc3.d/S55gated',DB +file,chkconfig_routed,'/etc/runlevels/default/gated',GN file,initd_routed,'/etc/init.d/routed' file,chkconfig_snmpd,'/etc/rc.d/rc3.d/S50snmpd' @@ -190,20 +210,22 @@ file,shadow,'/etc/shadow' file,grub.conf,'/etc/grub.conf' -file,grub.conf,'/boot/grub/grub.conf',RH9,RHEL,RHFC +file,grub.conf,'/boot/grub/grub.conf',RH9,RHEL,RHFC,GN file,grub.conf,'/boot/grub/menu.lst',SE,MN file,hosts.allow,'/etc/hosts.allow' file,hosts.deny,'/etc/hosts.deny' file,httpd,'/usr/sbin/httpd' file,httpd,'/usr/sbin/apache',DB +file,httpd,'/usr/sbin/apache2',GN file,httpd2,'/usr/sbin/httpd2' +file,httpd2,'/usr/sbin/apache2',GN file,httpd.conf,'/etc/httpd/conf/httpd.conf' file,httpd.conf,'/etc/apache/httpd.conf',DB file,httpd.conf,'/etc/httpd/httpd.conf',SE7.2 SE7.3 SE8.0 -file,httpd.conf,'/etc/apache2/httpd.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES +file,httpd.conf,'/etc/apache2/httpd.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES,GN file,httpd.conf,'/etc/httpd/conf/httpd2.conf',MN10.1 # SuSE breaks httpd.conf into many files after 8. file,listen.conf,'/etc/apache2/listen.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES 
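Review bot: The new Gentoo entry `file,chkconfig_routed,'/etc/runlevels/default/gated',GN` in the @@ -163 hunk of OSMap/LINUX.system maps the routed key to the gated runlevel link, mirroring the `S55gated` paths in the context lines. Any question gated on `chkconfig_routed` would then reflect whether gated is enabled rather than routed, so routed could stay active without the question being asked. If that reading is right, the entry should be `file,chkconfig_routed,'/etc/runlevels/default/routed',GN`; please confirm against the Gentoo init script name.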
@@ -216,6 +238,7 @@ file,httpd_access.conf,'/etc/httpd/httpd.conf',SE7.2 SE7.3 SE8.0 file,httpd_access.conf,'/etc/apache2/httpd.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES file,httpd_access.conf,'/etc/httpd/conf/commonhttpd.conf',MN10.1 +file,httpd_access.conf,'/etc/apache2/access.conf',GN file,inetd.conf,'/etc/inetd.conf' file,inittab,'/etc/inittab' diff -urN Bastille.orig/Questions/Apache.txt Bastille/Questions/Apache.txt --- Bastille.orig/Questions/Apache.txt 2005-08-04 07:07:44.000000000 +0200 +++ Bastille/Questions/Apache.txt 2014-06-07 13:15:52.886123379 +0200 @@ -20,20 +20,20 @@ PROPER_PARENT: namedoff LABEL: apacheoff -SHORT_EXP: "Will you be using the Apache web server immediately? Again, +SHORT_EXP: "Will you be using the Apache2 web server immediately? Again, minimalism is a critical part of a good site security. If you don't need to run a web server, at least not right now, you should deactivate it. You can restart the web server later by typing: - /sbin/chkconfig httpd on + /sbin/rc-update add apache2 default " -QUESTION: "Would you like to deactivate the Apache web server? [Y]" +QUESTION: "Would you like to deactivate the Apache2 web server? [Y]" QUESTION_AUDIT: "Is the Apache Web server deactivated?" REQUIRE_DISTRO: LINUX DB SE TB DEFAULT_ANSWER: Y YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" -YES_EXP: "Even though you've deactivated the Apache web server, there are +YES_EXP: "Even though you've deactivated the Apache2 web server, there are still a few more questions related to it. It's good to take the precautions in the next steps even if you've turned off the web server, since it might get turned on again later." diff -urN Bastille.orig/Questions/BootSecurity.txt Bastille/Questions/BootSecurity.txt --- Bastille.orig/Questions/BootSecurity.txt 2005-09-11 10:58:23.000000000 +0200 +++ Bastille/Questions/BootSecurity.txt 2014-06-07 13:15:52.886123379 +0200 
@@ -15,7 +15,11 @@ purpose lab and dual boots, you probably shouldn't choose this option. Otherwise, this is strongly recommended for general use workstations and -servers which are not locked away in their own room." +servers which are not locked away in their own room. + +WARNING: If you are currently managing the GRUB prompt manually OR through +another program, and wish to maintain your current settings, please select +NO for this prompt." QUESTION: "Would you like to password-protect the GRUB prompt? [N]" QUESTION_AUDIT: "Is the GRUB prompt password-protected?" REQUIRE_DISTRO: LINUX DB SE TB diff -urN Bastille.orig/Questions/DNS.txt Bastille/Questions/DNS.txt --- Bastille.orig/Questions/DNS.txt 2005-04-10 00:25:56.000000000 +0200 +++ Bastille/Questions/DNS.txt 2014-06-07 13:15:52.887123400 +0200 @@ -88,7 +88,7 @@ Even if you plan on setting up a name server on this machine, you should deactivate it for now until you get the configuration files setup. You -can reactivate it then by typing, as root: /sbin/chkconfig named on " +can reactivate it then by typing, as root: /sbin/rc-update add named default " QUESTION: "Would you like to deactivate named, at least for now? [Y]" QUESTION_AUDIT: "Is named deactivated?" REQUIRE_DISTRO: LINUX diff -urN Bastille.orig/Questions/FilePermissions.txt Bastille/Questions/FilePermissions.txt --- Bastille.orig/Questions/FilePermissions.txt 2005-04-18 18:47:42.000000000 +0200 +++ Bastille/Questions/FilePermissions.txt 2014-06-07 13:15:52.888123422 +0200 
@@ -17,7 +17,7 @@ QUESTION: "Would you like to set more restrictive permissions on the administration utilities? [N]" QUESTION_AUDIT: "Are more restrictive permissions on the administration utilities set?" -REQUIRE_DISTRO: RH MN DB SE TB +REQUIRE_DISTRO: RH MN DB SE TB GN YN_TOGGLE: 1 YES_EXP: NO_EXP: diff -urN Bastille.orig/Questions/Firewall.txt Bastille/Questions/Firewall.txt --- Bastille.orig/Questions/Firewall.txt 2005-04-10 00:25:56.000000000 +0200 +++ Bastille/Questions/Firewall.txt 2014-06-07 13:15:52.889123445 +0200 @@ -1129,8 +1129,7 @@ Once you have a configuration that will work on your system, you can make it run at every normal boot-up by typing - /sbin/chkconfig --add bastille-firewall - /sbin/chkconfig bastille-firewall reset + /sbin/rc-update add bastille-firewall default If you are confident of your selections, Bastille can start the firewall and configure it to run at boot time for you. diff -urN Bastille.orig/Questions/Logging.txt Bastille/Questions/Logging.txt --- Bastille.orig/Questions/Logging.txt 2005-08-04 07:07:44.000000000 +0200 +++ Bastille/Questions/Logging.txt 2014-06-07 13:15:52.889123445 +0200 @@ -10,7 +10,7 @@ a \"risky\" move." QUESTION: "Would you like to add additional logging? [Y]" QUESTION_AUDIT: "Has additional logging been added?" -REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB +REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB GN DEFAULT_ANSWER: Y YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" @@ -33,7 +33,7 @@ SHORT_EXP: "If you already have a remote logging host, we can set this machine to log to it." QUESTION: "Do you have a remote logging host? [N]" -REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB +REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB GN DEFAULT_ANSWER: N YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" 
@@ -53,7 +53,7 @@ poisoning attacks on logging. You may use a hostname, but it should be added to your /etc/hosts file..." QUESTION: "What is the IP address of the machine you want to log to? [127.0.0.1]" -REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB +REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB GN DEFAULT_ANSWER: 127.0.0.1 YN_TOGGLE: 0 YES_CHILD: pacct diff -urN Bastille.orig/Questions/Printing.txt Bastille/Questions/Printing.txt --- Bastille.orig/Questions/Printing.txt 2005-04-10 00:25:56.000000000 +0200 +++ Bastille/Questions/Printing.txt 2014-06-07 13:15:52.890123470 +0200 @@ -15,12 +15,12 @@ # /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm - # /sbin/chkconfig lpd on + # /sbin/rc-update add lpd default This is only recommended if this machine will not be used for printing in the near future. If you deactivate this, you might want to write down the commands above in case you decide to re-enable printing later." -QUESTION: "Would you like to disable printing? [N]" +QUESTION: "Would you like to disable LPR/LPRng printing? [N]" QUESTION_AUDIT: "Is printing disabled?" REQUIRE_DISTRO: LINUX DEFAULT_ANSWER: N @@ -48,12 +48,12 @@ # /bin/chmod 0755 /usr/bin/lpr /usr/bin/lprm /usr/bin/lpstat # /bin/chmod 04755 /usr/bin/lppasswd - # /sbin/chkconfig cups on + # /sbin/rc-update add cups default This is only recommended if this machine will not be used for printing in the near future. If you deactivate this, you might want to write down the commands above in case you decide to re-enable printing later." -QUESTION: "Would you like to disable printing? [N]" +QUESTION: "Would you like to disable CUPS printing? [N]" QUESTION_AUDIT: "Is printing disabled?" REQUIRE_DISTRO: LINUX DEFAULT_ANSWER: N diff -urN Bastille.orig/Questions/PSAD.txt Bastille/Questions/PSAD.txt --- Bastille.orig/Questions/PSAD.txt 2005-04-10 00:25:57.000000000 +0200 +++ Bastille/Questions/PSAD.txt 2014-06-07 13:15:52.890123470 +0200 
@@ -259,7 +259,7 @@ /etc/rc.d/init.d/psad stop Bastille can configure your system to start psad at boot time by executing - chkconfig psad on." + /sbin/rc-update add psad default " QUESTION: "Should Bastille enable psad at boot time? [N]" REQUIRE_DISTRO: LINUX YN_TOGGLE: 1 diff -urN Bastille.orig/Questions.txt Bastille/Questions.txt --- Bastille.orig/Questions.txt 2005-04-06 01:18:11.000000000 +0200 +++ Bastille/Questions.txt 2014-06-07 13:15:52.894123570 +0200 @@ -2975,7 +2975,7 @@ Even if you plan on setting up a name server on this machine, you should deactivate it for now until you get the configuration files setup. You -can reactivate it then by typing, as root: /sbin/chkconfig named on " +can reactivate it then by typing, as root: /sbin/rc-update add named default " QUESTION: "Would you like to deactivate named, at least for now? [Y]" REQUIRE_DISTRO: LINUX REQUIRE_FILE_EXISTS: chkconfig_named @@ -3014,15 +3014,15 @@ need to run a web server, at least not right now, you should deactivate it. You can restart the web server later by typing: - /sbin/chkconfig httpd on + /sbin/rc-update add apache2 default " -QUESTION: "Would you like to deactivate the Apache web server? [Y]" +QUESTION: "Would you like to deactivate the Apache2 web server? [Y]" REQUIRE_DISTRO: LINUX DB SE TB REQUIRE_FILE_EXISTS: chkconfig_httpd DEFAULT_ANSWER: Y YN_TOGGLE: 1 REG_EXP: "^Y$|^N$" -YES_EXP: "Even though you've deactivated the Apache web server, there are +YES_EXP: "Even though you've deactivated the Apache2 web server, there are still a few more questions related to it. It's good to take the precautions in the next steps even if you've turned off the web server, since it might get turned on again later." @@ -3297,7 +3297,7 @@ # /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm - # /sbin/chkconfig lpd on + # /sbin/rc-update add lpd default This is only recommended if this machine will not be used for printing in the near future. If you deactivate this, you might want to write 
@@ -3330,7 +3330,7 @@ # /bin/chmod 0755 /usr/bin/lpr /usr/bin/lprm /usr/bin/lpstat # /bin/chmod 04755 /usr/bin/lppasswd - # /sbin/chkconfig cups on + # /sbin/rc-update add cups default This is only recommended if this machine will not be used for printing in the near future. If you deactivate this, you might want to write @@ -5130,8 +5130,7 @@ Once you have a configuration that will work on your system, you can make it run at every normal boot-up by typing - /sbin/chkconfig --add bastille-firewall - /sbin/chkconfig bastille-firewall reset + /sbin/rc-update add bastille-firewall default If you are confident of your selections, Bastille can start the firewall and configure it to run at boot time for you. diff -urN Bastille.orig/ServerLax.config Bastille/ServerLax.config --- Bastille.orig/ServerLax.config 2005-04-06 01:18:11.000000000 +0200 +++ Bastille/ServerLax.config 2014-06-07 13:15:52.896123619 +0200 
@@ -1,138 +1,114 @@ -# Q: Would you like to run the packet filtering script? [N] -IPChains.ip_intro="N" -# Q: Would you like to set more restrictive permissions on the administration utilities? [N] -FilePermissions.generalperms_1.1="N" -# Q: What security level should we set? [3] -FilePermissions.security_level="2" -# Q: Would you like us to modify your file permissions? -FilePermissions.generalperms_1.2_mandrake="Y" -# Q: Would you like to disable SUID status for mount/umount? -FilePermissions.suidmount="N" -# Q: Would you like to disable SUID status for ping? [Y] -FilePermissions.suidping="N" -# Q: Would you like to disable SUID status for dump and restore? [Y] -FilePermissions.suiddump="Y" -# Q: Would you like to disable SUID status for cardctl? [Y] -FilePermissions.suidcard="Y" -# Q: Would you like to disable SUID status for at? [Y] -FilePermissions.suidat="N" -# Q: Would you like to disable SUID status for DOSEMU? [Y] -FilePermissions.suiddos="Y" -# Q: Would you like to disable SUID status for news server tools? [Y] -FilePermissions.suidnews="Y" -# Q: Would you like to disable SUID status for printing utilities? [N] -FilePermissions.suidprint="N" -# Q: Would you like to disable SUID status for the r-tools? [Y] -FilePermissions.suidrtool="N" -# Q: Would you like to disable SUID status for usernetctl? [Y] -FilePermissions.suidusernetctl="N" -# Q: Would you like to disable SUID status for traceroute? [Y] -FilePermissions.suidtrace="N" -# Q: Would you like to set up a second UID 0 account? [N] -AccountSecurity.secondadmin="N" -# Q: May we take strong steps to disallow the dangerous r-protocols? [Y] -AccountSecurity.protectrhost="N" -# Q: Would you like to enforce password aging? [Y] -AccountSecurity.passwdage="Y" -# Q: Would you like to create a non-root user account? [N] -AccountSecurity.createuser="N" -# Q: Would you like to restrict the use of cron to administrative accounts? [Y] +# Q: Would you like to restrict the use of cron to administrative accounts? 
[Y] AccountSecurity.cronuser="N" -# Q: What umask would you like to set for users on the system? [077] -AccountSecurity.umask="022" -# Q: Should we allow root to login on tty's 1-6? [Y] +# Q: Would you like to enforce password aging? [Y] +AccountSecurity.passwdage="Y" +# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y] +AccountSecurity.protectrhost="N" +# Q: Should we disallow root login on tty's 1-6? [N] AccountSecurity.rootttylogins="Y" -# Q: Should we allow the PATH to include the current directory? [N] -AccountSecurity.restrict_path_mdk="Y" -# Q: Should we deactivate this list of users? [N] -AccountSecurity.forbiduserview="N" -# Q: Would you like to password-protect the LILO prompt? [N] -BootSecurity.protectlilo="N" -# Q: Would you like to reduce the LILO delay time to zero? [N] +# Q: Would you like to disable indexes? [N] +Apache.apacheindex="N" +# Q: Would you like to deactivate the Apache2 web server? [Y] +Apache.apacheoff="Y" +# Q: Would you like to bind the Web server to listen only to the localhost? [N] +Apache.bindapachelocal="N" +# Q: Would you like to bind the web server to a particular interface? [N] +Apache.bindapachenic="N" +# Q: Would you like to disable CGI scripts, at least for now? [Y] +Apache.cgi="N" +# Q: Would you like to deactivate server-side includes? [Y] +Apache.ssi="Y" +# Q: Would you like to deactivate the following of symbolic links? [Y] +Apache.symlink="N" +# Q: Would you like to reduce the LILO delay time to zero? [N] BootSecurity.lilodelay="N" -# Q: Do you ever boot Linux from the hard drive? [Y] +# Q: Do you ever boot Linux from the hard drive? [Y] BootSecurity.lilosub_drive="N" -# Q: Would you like to write the LILO changes to a boot floppy? [N] +# Q: Would you like to write the LILO changes to a boot floppy? [N] BootSecurity.lilosub_floppy="N" -# Q: Would you like to disable CTRL-ALT-DELETE rebooting? 
[N] -BootSecurity.secureinittab="N" -# Q: Would you like to password protect single-user mode? [Y] +# Q: Would you like to password protect single-user mode? [Y] BootSecurity.passsum="Y" -# Q: May we disable Autologin? [Y] -BootSecurity.disable_autologin="N" -# Q: Would you like to set a default-deny on TCP Wrappers? [N] -SecureInetd.tcpd_default_deny="N" -# Q: May we deactivate telnet? [Y] -SecureInetd.deactivate_telnet="Y" -# Q: May we deactivate ftp? [Y] -SecureInetd.deactivate_ftp="N" -# Q: Would you like to make "Authorized Use" banners? [Y] -SecureInetd.banners="Y" -# Q: Would you like to disable the compiler? [N] -DisableUserTools.compiler="N" -# Q: Would you like to put limits on system resource usage? [Y] -ConfigureMiscPAM.limitsconf="N" -# Q: Should we restrict console access to a small group of user accounts? [N] +# Q: Would you like to password-protect the LILO prompt? [N] +BootSecurity.protectlilo="N" +# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] +BootSecurity.secureinittab="N" +# Q: Should we restrict console access to a small group of user accounts? [N] ConfigureMiscPAM.consolelogin="N" -# Q: Would you like to add additional logging? [Y] +# Q: Would you like to put limits on system resource usage? [N] +ConfigureMiscPAM.limitsconf="N" +# Q: Would you like to chroot named and set it to run as a non-root user? [N] +DNS.chrootbind="N" +# Q: Would you like to deactivate named, at least for now? [Y] +DNS.namedoff="Y" +# Q: Would you like to disable the gcc and/or g++ compiler? [N] +DisableUserTools.compiler="N" +# Q: Would you like to disable anonymous download? [N] +FTP.anonftp="N" +# Q: Would you like to disable user privileges on the FTP daemon? [N] +FTP.userftp="N" +# Q: Would you like to disable SUID status for XFree86? [N] +FilePermissions.suidXFree86="N" +# Q: Would you like to disable SUID status for at? [Y] +FilePermissions.suidat="N" +# Q: Would you like to disable SUID status for cardctl? 
[Y] +FilePermissions.suidcard="Y" +# Q: Would you like to disable SUID status for DOSEMU? [Y] +FilePermissions.suiddos="Y" +# Q: Would you like to disable SUID status for dump and restore? [Y] +FilePermissions.suiddump="Y" +# Q: Would you like to disable SUID status for mount/umount? +FilePermissions.suidmount="N" +# Q: Would you like to disable SUID status for news server tools? [Y] +FilePermissions.suidnews="Y" +# Q: Would you like to disable SUID status for ping? [Y] +FilePermissions.suidping="N" +# Q: Would you like to disable SUID status for printing utilities? [N] +FilePermissions.suidprint="N" +# Q: Would you like to disable the r-tools? [Y] +FilePermissions.suidrtool="N" +# Q: Would you like to disable SUID status for traceroute? [Y] +FilePermissions.suidtrace="N" +# Q: Would you like to disable SUID status for usernetctl? [Y] +FilePermissions.suidusernetctl="N" +# Q: Would you like to run the packet filtering script? [N] +Firewall.ip_intro="N" +# Q: Would you like to add additional logging? [Y] Logging.morelogging="Y" -# Q: Do you have a remote logging host? [N] -Logging.remotelog="N" -# Q: Would you like to set up process accounting? [N] +# Q: Would you like to set up process accounting? [N] Logging.pacct="N" -# Q: Would you like to set up nightly security checks? [N]" -Logging.security_checks="Y" -# Q: Would you like to disable apmd? [Y] +# Q: Would you like to disable acpid and/or apmd? [Y] MiscellaneousDaemons.apmd="Y" -# Q: Would you like to deactivate NFS and Samba? [Y] -MiscellaneousDaemons.remotefs="Y" -# Q: Would you like to disable PCMCIA services? [Y] -MiscellaneousDaemons.pcmcia="Y" -# Q: Would you like to disable the DHCP daemon? [Y] +# Q: Would you like to disable the DHCP daemon? [Y] MiscellaneousDaemons.dhcpd="Y" -# Q: Would you like to disable GPM? [Y] +# Q: Would you like to disable GPM? [Y] MiscellaneousDaemons.gpm="N" -# Q: Would you like to disable the news server daemon? [Y] +# Q: Would you like to disable the news server daemon? 
[Y] MiscellaneousDaemons.innd="Y" -# Q: Would you like to deactivate the routing daemons? [Y] -MiscellaneousDaemons.routing="Y" -# Q: Would you like to deactivate NIS server and client programs? [Y] -MiscellaneousDaemons.nis="Y" -# Q: Would you like to disable SNMPD? [Y] +# Q: Would you like to disable PCMCIA services? [Y] +MiscellaneousDaemons.pcmcia="Y" +# Q: Would you like to deactivate NFS and Samba? [Y] +MiscellaneousDaemons.remotefs="Y" +# Q: Would you like to disable SNMPD? [Y] MiscellaneousDaemons.snmpd="Y" -# Q: Should we disable most chkconfig'd services? -MiscellaneousDaemons.minimize_chkconfig="N" -# Q: Do you want to leave sendmail running in daemon mode? [Y] -Sendmail.sendmaildaemon="N" -# Q: Would you like to run sendmail via cron to process the queue? [N] +# Q: Would you like to disable LPR/LPRng printing? [N] +Printing.printing="N" +# Q: Would you like to disable CUPS printing? [N] +Printing.printing_cups="N" +# Q: Would you like to display "Authorized Use" messages at log-in time? [Y] +SecureInetd.banners="Y" +# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y] +SecureInetd.deactivate_ftp="N" +# Q: Should Bastille ensure the telnet service does not run on this system? [y] +SecureInetd.deactivate_telnet="Y" +# Q: Who is responsible for granting authorization to use this machine? +SecureInetd.owner="its owner" +# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N] +SecureInetd.tcpd_default_deny="N" +# Q: Would you like to run sendmail via cron to process the queue? [N] Sendmail.sendmailcron="Y" -# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] +# Q: Do you want to stop sendmail from running in daemon mode? [Y] +Sendmail.sendmaildaemon="N" +# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] Sendmail.vrfyexpn="Y" -# Q: Would you like to download and install ssh? 
[N] -RemoteAccess.installssh="N" -# Q: Would you like to chroot named and set it to run as a non-root user? [N] -DNS.chrootbind="N" -# Q: Would you like to deactivate named, at least for now? [Y] -DNS.namedoff="Y" -# Q: Would you like to deactivate the Apache web server? [Y] -Apache.apacheoff="Y" -# Q: Would you like to bind the web server to listen only to the localhost? [N] -Apache.bindapachelocal="N" -# Q: Would you like to bind the web server to a particular interface? [N] -Apache.bindapachenic="N" -# Q: Would you like to deactivate the following of symbolic links? [Y] -Apache.symlink="N" -# Q: Would you like to deactivate server-side includes? [Y] -Apache.ssi="Y" -# Q: Would you like to disable CGI scripts, at least for now? [Y] -Apache.cgi="N" -# Q: Would you like to disable indexes? [N] -Apache.apacheindex="N" -# Q: Would you like to disable printing? [N] -Printing.printing="N" -# Q: Would you like to disable user privileges on the FTP daemon? [N] -FTP.userftp="N" -# Q: Would you like to disable anonymous download? [N] -FTP.anonftp="N" -# Q: Would you like to install TMPDIR/TMP scripts? [N] +# Q: Would you like to install TMPDIR/TMP scripts? [N] TMPDIR.tmpdir="N" diff -urN Bastille.orig/ServerModerate.config Bastille/ServerModerate.config --- Bastille.orig/ServerModerate.config 2005-04-06 01:18:11.000000000 +0200 +++ Bastille/ServerModerate.config 2014-06-07 13:15:52.897123643 +0200 
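Review bot: Two answers in this profile keep their old value while the question comment above them is reversed. `AccountSecurity.rootttylogins="Y"` now sits under "Should we disallow root login on tty's 1-6?" instead of "Should we allow root to login on tty's 1-6?", and `Sendmail.sendmaildaemon="N"` moves from "leave sendmail running in daemon mode?" to "stop sendmail from running in daemon mode?". If the comments mirror the current question semantics, this profile now leaves the sendmail daemon listening (while `Sendmail.sendmailcron="Y"` still schedules queue runs), and the ServerModerate hunk carries the same pairing. In the ServerParanoia hunk, which continues past the visible text, the unchanged `AccountSecurity.rootttylogins="N"` would read as allowing root console logins in the strictest profile. Each of these values should be re-derived from the new wording rather than carried over, e.g. `Sendmail.sendmaildaemon="Y"` if the intent is still to stop the daemon.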
@@ -1,170 +1,152 @@ -# Q: Would you like to run the packet filtering script? [N] -IPChains.ip_intro="Y" -# Q: -IPChains.ip_detail_level_kludge="Y" -# Q: Do you need the advanced networking options? -IPChains.ip_advnetwork="N" -# Q: DNS Servers: [0.0.0.0/0] -IPChains.ip_b_dns="0.0.0.0/0" -# Q: -IPChains.ip_b_trustiface="lo" -# Q: Public interfaces: [eth+ ppp+ slip+] -IPChains.ip_b_publiciface="eth+ ppp+ slip+" -# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh] -IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" -# Q: UDP services to audit: [31337] -IPChains.ip_b_udpaudit="31337" -# Q: TCP service names or port numbers to allow on public interfaces: [ ] -IPChains.ip_b_publictcp="ssh" -# Q: Force passive mode? [N] -IPChains.ip_b_passiveftp="N" -# Q: TCP services to block: [2049 2065:2090 6000:6020 7100] -IPChains.ip_b_tcpblock="2049 2065:2090 7100" -# Q: UDP services to block: [2049 6770] -IPChains.ip_b_udpblock="2049 6770" -# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded] -IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-request" -# Q: Enable source address verification? [Y] -IPChains.ip_b_srcaddr="Y" -# Q: Reject method: [DENY] -IPChains.ip_b_rejectmethod="REJECT" -# Q: Interfaces for DHCP queries: [ ] -IPChains.ip_b_dhcpiface="eth+ ppp+" -# Q: NTP servers to query: [ ] -IPChains.ip_b_ntpsrv="eth+ ppp+" -# Q: Would you like to set more restrictive permissions on the administration utilities? [N] -FilePermissions.generalperms_1.1="N" -# Q: What security level should we set? [3] -FilePermissions.security_level="3" -# Q: Would you like us to modify your file permissions? -FilePermissions.generalperms_1.2_mandrake="Y" -# Q: Would you like to disable SUID status for mount/umount? -FilePermissions.suidmount="N" -# Q: Would you like to disable SUID status for ping? 
[Y] -FilePermissions.suidping="N" -# Q: Would you like to disable SUID status for dump and restore? [Y] -FilePermissions.suiddump="Y" -# Q: Would you like to disable SUID status for cardctl? [Y] -FilePermissions.suidcard="Y" -# Q: Would you like to disable SUID status for at? [Y] -FilePermissions.suidat="N" -# Q: Would you like to disable SUID status for DOSEMU? [Y] -FilePermissions.suiddos="Y" -# Q: Would you like to disable SUID status for news server tools? [Y] -FilePermissions.suidnews="Y" -# Q: Would you like to disable SUID status for printing utilities? [N] -FilePermissions.suidprint="N" -# Q: Would you like to disable SUID status for the r-tools? [Y] -FilePermissions.suidrtool="Y" -# Q: Would you like to disable SUID status for usernetctl? [Y] -FilePermissions.suidusernetctl="N" -# Q: Would you like to disable SUID status for traceroute? [Y] -FilePermissions.suidtrace="N" -# Q: Would you like to set up a second UID 0 account? [N] -AccountSecurity.secondadmin="N" -# Q: May we take strong steps to disallow the dangerous r-protocols? [Y] -AccountSecurity.protectrhost="Y" -# Q: Would you like to enforce password aging? [Y] -AccountSecurity.passwdage="Y" -# Q: Would you like to create a non-root user account? [N] -AccountSecurity.createuser="N" -# Q: Would you like to restrict the use of cron to administrative accounts? [Y] +# Q: Would you like to restrict the use of cron to administrative accounts? [Y] AccountSecurity.cronuser="N" -# Q: What umask would you like to set for users on the system? [077] -AccountSecurity.umask="077" -# Q: Should we allow root to login on tty's 1-6? [Y] +# Q: Would you like to enforce password aging? [Y] +AccountSecurity.passwdage="Y" +# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y] +AccountSecurity.protectrhost="Y" +# Q: Should we disallow root login on tty's 1-6? [N] AccountSecurity.rootttylogins="Y" -# Q: Should we allow the PATH to include the current directory? 
[N] -AccountSecurity.restrict_path_mdk="N" -# Q: Should we deactivate this list of users? [N] -AccountSecurity.forbiduserview="N" -# Q: Would you like to password-protect the LILO prompt? [N] -BootSecurity.protectlilo="N" -# Q: Would you like to reduce the LILO delay time to zero? [N] +# Q: Would you like to disable indexes? [N] +Apache.apacheindex="N" +# Q: Would you like to deactivate the Apache2 web server? [Y] +Apache.apacheoff="Y" +# Q: Would you like to bind the Web server to listen only to the localhost? [N] +Apache.bindapachelocal="N" +# Q: Would you like to bind the web server to a particular interface? [N] +Apache.bindapachenic="N" +# Q: Would you like to disable CGI scripts, at least for now? [Y] +Apache.cgi="Y" +# Q: Would you like to deactivate server-side includes? [Y] +Apache.ssi="Y" +# Q: Would you like to deactivate the following of symbolic links? [Y] +Apache.symlink="N" +# Q: Would you like to reduce the LILO delay time to zero? [N] BootSecurity.lilodelay="N" -# Q: Do you ever boot Linux from the hard drive? [Y] +# Q: Do you ever boot Linux from the hard drive? [Y] BootSecurity.lilosub_drive="N" -# Q: Would you like to write the LILO changes to a boot floppy? [N] +# Q: Would you like to write the LILO changes to a boot floppy? [N] BootSecurity.lilosub_floppy="N" -# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] -BootSecurity.secureinittab="N" -# Q: Would you like to password protect single-user mode? [Y] +# Q: Would you like to password protect single-user mode? [Y] BootSecurity.passsum="Y" - Q: May we disable Autologin? [Y] -BootSecurity.disable_autologin="Y" -# Q: Would you like to set a default-deny on TCP Wrappers? [N] -SecureInetd.tcpd_default_deny="N" -# Q: May we deactivate telnet? [Y] -SecureInetd.deactivate_telnet="Y" -# Q: May we deactivate ftp? [Y] -SecureInetd.deactivate_ftp="N" -# Q: Would you like to make "Authorized Use" banners? [Y] -SecureInetd.banners="Y" -# Q: Would you like to disable the compiler? 
[N] -DisableUserTools.compiler="N" -# Q: Would you like to put limits on system resource usage? [Y] -ConfigureMiscPAM.limitsconf="N" -# Q: Should we restrict console access to a small group of user accounts? [N] +# Q: Would you like to password-protect the LILO prompt? [N] +BootSecurity.protectlilo="N" +# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] +BootSecurity.secureinittab="N" +# Q: Should we restrict console access to a small group of user accounts? [N] ConfigureMiscPAM.consolelogin="N" -# Q: Would you like to add additional logging? [Y] +# Q: Would you like to put limits on system resource usage? [N] +ConfigureMiscPAM.limitsconf="N" +# Q: Would you like to chroot named and set it to run as a non-root user? [N] +DNS.chrootbind="N" +# Q: Would you like to deactivate named, at least for now? [Y] +DNS.namedoff="Y" +# Q: Would you like to disable the gcc and/or g++ compiler? [N] +DisableUserTools.compiler="N" +# Q: Would you like to disable anonymous download? [N] +FTP.anonftp="Y" +# Q: Would you like to disable user privileges on the FTP daemon? [N] +FTP.userftp="Y" +# Q: Would you like to disable SUID status for XFree86? [N] +FilePermissions.suidXFree86="N" +# Q: Would you like to disable SUID status for at? [Y] +FilePermissions.suidat="N" +# Q: Would you like to disable SUID status for cardctl? [Y] +FilePermissions.suidcard="Y" +# Q: Would you like to disable SUID status for DOSEMU? [Y] +FilePermissions.suiddos="Y" +# Q: Would you like to disable SUID status for dump and restore? [Y] +FilePermissions.suiddump="Y" +# Q: Would you like to disable SUID status for mount/umount? +FilePermissions.suidmount="N" +# Q: Would you like to disable SUID status for news server tools? [Y] +FilePermissions.suidnews="Y" +# Q: Would you like to disable SUID status for ping? [Y] +FilePermissions.suidping="N" +# Q: Would you like to disable SUID status for printing utilities? [N] +FilePermissions.suidprint="N" +# Q: Would you like to disable the r-tools? 
[Y] +FilePermissions.suidrtool="Y" +# Q: Would you like to disable SUID status for traceroute? [Y] +FilePermissions.suidtrace="N" +# Q: Would you like to disable SUID status for usernetctl? [Y] +FilePermissions.suidusernetctl="N" +# Q: Do you need the advanced networking options? +Firewall.ip_advnetwork="N" +# Q: Interfaces for DHCP queries: [ ] +Firewall.ip_b_dhcpiface="eth+ ppp+ wlan+ ath+" +# Q: DNS Servers: [0.0.0.0/0] +Firewall.ip_b_dns="0.0.0.0/0" +# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded] +Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-request" +# Q: ICMP services to audit: [ ] +Firewall.ip_b_icmpaudit="" +# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded] +Firewall.ip_b_icmpout="destination-unreachable time-exceeded" +# Q: NTP servers to query: [ ] +Firewall.ip_b_ntpsrv="" +# Q: Force passive mode? [N] +Firewall.ip_b_passiveftp="N" +# Q: Public interfaces: [eth+ ppp+ slip+] +Firewall.ip_b_publiciface="eth+ ppp+ slip+ wlan+ ath+" +# Q: TCP service names or port numbers to allow on public interfaces: [ ] +Firewall.ip_b_publictcp="ssh" +# Q: UDP service names or port numbers to allow on public interfaces: [ ] +Firewall.ip_b_publicudp="" +# Q: Reject method: [DENY] +Firewall.ip_b_rejectmethod="REJECT" +# Q: Enable source address verification? [Y] +Firewall.ip_b_srcaddr="Y" +# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh] +Firewall.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" +# Q: TCP services to block: [2049 2065:2090 6000:6020 7100] +Firewall.ip_b_tcpblock="2049 2065:2090 7100" +# Q: UDP services to audit: [31337] +Firewall.ip_b_udpaudit="31337" +# Q: UDP services to block: [2049 6770] +Firewall.ip_b_udpblock="2049 6770" +# Q: Should Bastille run the firewall and enable it at boot time? [N] +Firewall.ip_enable_firewall="Y" +# Q: Would you like to run the packet filtering script? 
[N] +Firewall.ip_intro="Y" +# Q: Would you like to add additional logging? [Y] Logging.morelogging="Y" -# Q: Do you have a remote logging host? [N] -Logging.remotelog="N" -# Q: Would you like to set up process accounting? [N] +# Q: Would you like to set up process accounting? [N] Logging.pacct="N" -# Q: Would you like to set up nightly security checks? [N]" -Logging.security_checks="Y" -# Q: Would you like to disable apmd? [Y] +# Q: Would you like to disable acpid and/or apmd? [Y] MiscellaneousDaemons.apmd="Y" -# Q: Would you like to deactivate NFS and Samba? [Y] -MiscellaneousDaemons.remotefs="Y" -# Q: Would you like to disable PCMCIA services? [Y] -MiscellaneousDaemons.pcmcia="Y" -# Q: Would you like to disable the DHCP daemon? [Y] +# Q: Would you like to disable the DHCP daemon? [Y] MiscellaneousDaemons.dhcpd="Y" -# Q: Would you like to disable GPM? [Y] +# Q: Would you like to disable GPM? [Y] MiscellaneousDaemons.gpm="Y" -# Q: Would you like to disable the news server daemon? [Y] +# Q: Would you like to disable the news server daemon? [Y] MiscellaneousDaemons.innd="Y" -# Q: Would you like to deactivate the routing daemons? [Y] -MiscellaneousDaemons.routing="Y" -# Q: Would you like to deactivate NIS server and client programs? [Y] -MiscellaneousDaemons.nis="Y" -# Q: Would you like to disable SNMPD? [Y] +# Q: Would you like to disable PCMCIA services? [Y] +MiscellaneousDaemons.pcmcia="Y" +# Q: Would you like to deactivate NFS and Samba? [Y] +MiscellaneousDaemons.remotefs="Y" +# Q: Would you like to disable SNMPD? [Y] MiscellaneousDaemons.snmpd="Y" -# Q: Should we disable most chkconfig'd services? -MiscellaneousDaemons.minimize_chkconfig="N" -# Q: Do you want to leave sendmail running in daemon mode? [Y] -Sendmail.sendmaildaemon="N" -# Q: Would you like to run sendmail via cron to process the queue? [N] +# Q: Would you like to setup psad? +PSAD.psad_config="N" +# Q: Would you like to disable LPR/LPRng printing? 
[N] +Printing.printing="N" +# Q: Would you like to disable CUPS printing? [N] +Printing.printing_cups="N" +# Q: Would you like to display "Authorized Use" messages at log-in time? [Y] +SecureInetd.banners="Y" +# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y] +SecureInetd.deactivate_ftp="N" +# Q: Should Bastille ensure the telnet service does not run on this system? [y] +SecureInetd.deactivate_telnet="Y" +# Q: Who is responsible for granting authorization to use this machine? +SecureInetd.owner="its owner" +# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N] +SecureInetd.tcpd_default_deny="N" +# Q: Would you like to run sendmail via cron to process the queue? [N] Sendmail.sendmailcron="Y" -# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] +# Q: Do you want to stop sendmail from running in daemon mode? [Y] +Sendmail.sendmaildaemon="N" +# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] Sendmail.vrfyexpn="Y" -# Q: Would you like to download and install ssh? [N] -RemoteAccess.installssh="N" -# Q: Would you like to chroot named and set it to run as a non-root user? [N] -DNS.chrootbind="N" -# Q: Would you like to deactivate named, at least for now? [Y] -DNS.namedoff="Y" -# Q: Would you like to deactivate the Apache web server? [Y] -Apache.apacheoff="Y" -# Q: Would you like to bind the web server to listen only to the localhost? [N] -Apache.bindapachelocal="N" -# Q: Would you like to bind the web server to a particular interface? [N] -Apache.bindapachenic="N" -# Q: Would you like to deactivate the following of symbolic links? [Y] -Apache.symlink="N" -# Q: Would you like to deactivate server-side includes? [Y] -Apache.ssi="Y" -# Q: Would you like to disable CGI scripts, at least for now? [Y] -Apache.cgi="Y" -# Q: Would you like to disable indexes? [N] -Apache.apacheindex="N" -# Q: Would you like to disable printing? 
[N] -Printing.printing="N" -# Q: Would you like to disable user privileges on the FTP daemon? [N] -FTP.userftp="Y" -# Q: Would you like to disable anonymous download? [N] -FTP.anonftp="Y" -# Q: Would you like to install TMPDIR/TMP scripts? [N] +# Q: Would you like to install TMPDIR/TMP scripts? [N] TMPDIR.tmpdir="N" diff -urN Bastille.orig/ServerParanoia.config Bastille/ServerParanoia.config --- Bastille.orig/ServerParanoia.config 2005-04-06 01:18:11.000000000 +0200 +++ Bastille/ServerParanoia.config 2014-06-07 13:15:52.898123667 +0200 
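Review bot: Most `IPChains.*` answers are carried over under the `Firewall.` prefix, but `IPChains.ip_b_trustiface="lo"` is dropped with no `Firewall.`-prefixed counterpart, while `Firewall.ip_enable_firewall="Y"` newly turns the firewall on at boot. If the firewall script still reads a trusted-interface answer and has no built-in default (not visible here), handling of loopback traffic is left to chance in this profile. I would either add a `Firewall.`-prefixed `ip_b_trustiface="lo"` line or confirm that the default covers it. The hunk also removes `AccountSecurity.umask="077"` and `Logging.security_checks="Y"` without replacement, as does the ServerLax hunk (where the umask was "022"). It is worth confirming these hardening steps were dropped on purpose and not lost when the file was regenerated.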
@@ -1,170 +1,152 @@ -# Q: Would you like to run the packet filtering script? [N] -IPChains.ip_intro="Y" -# Q: -IPChains.ip_detail_level_kludge="Y" -# Q: Do you need the advanced networking options? -IPChains.ip_advnetwork="N" -# Q: DNS Servers: [0.0.0.0/0] -IPChains.ip_b_dns="0.0.0.0/0" -# Q: -IPChains.ip_b_trustiface="lo" -# Q: Public interfaces: [eth+ ppp+ slip+] -IPChains.ip_b_publiciface="eth+ ppp+ slip+" -# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh] -IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" -# Q: UDP services to audit: [31337] -IPChains.ip_b_udpaudit="31337" -# Q: TCP service names or port numbers to allow on public interfaces: [ ] -IPChains.ip_b_publictcp="ssh" -# Q: Force passive mode? [N] -IPChains.ip_b_passiveftp="N" -# Q: TCP services to block: [2049 2065:2090 6000:6020 7100] -IPChains.ip_b_tcpblock="2049 2065:2090 6000:6020 7100" -# Q: UDP services to block: [2049 6770] -IPChains.ip_b_udpblock="2049 6770" -# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded] -IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded" -# Q: Enable source address verification? [Y] -IPChains.ip_b_srcaddr="Y" -# Q: Reject method: [DENY] -IPChains.ip_b_rejectmethod="DENY" -# Q: Interfaces for DHCP queries: [ ] -IPChains.ip_b_dhcpiface="eth+" -# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded] -IPChains.ip_b_icmpout="destination-unreachable time-exceeded echo-reply" -# Q: Would you like to set more restrictive permissions on the administration utilities? [N] -FilePermissions.generalperms_1.1="N" -# Q: What security level should we set? [3] -FilePermissions.security_level="4" -# Q: Would you like us to modify your file permissions? -FilePermissions.generalperms_1.2_mandrake="Y" -# Q: Would you like to disable SUID status for mount/umount? -FilePermissions.suidmount="Y" -# Q: Would you like to disable SUID status for ping? 
[Y] -FilePermissions.suidping="Y" -# Q: Would you like to disable SUID status for dump and restore? [Y] -FilePermissions.suiddump="Y" -# Q: Would you like to disable SUID status for cardctl? [Y] -FilePermissions.suidcard="Y" -# Q: Would you like to disable SUID status for at? [Y] -FilePermissions.suidat="Y" -# Q: Would you like to disable SUID status for DOSEMU? [Y] -FilePermissions.suiddos="Y" -# Q: Would you like to disable SUID status for news server tools? [Y] -FilePermissions.suidnews="Y" -# Q: Would you like to disable SUID status for printing utilities? [N] -FilePermissions.suidprint="N" -# Q: Would you like to disable SUID status for the r-tools? [Y] -FilePermissions.suidrtool="Y" -# Q: Would you like to disable SUID status for usernetctl? [Y] -FilePermissions.suidusernetctl="Y" -# Q: Would you like to disable SUID status for traceroute? [Y] -FilePermissions.suidtrace="Y" -# Q: Would you like to set up a second UID 0 account? [N] -AccountSecurity.secondadmin="N" -# Q: May we take strong steps to disallow the dangerous r-protocols? [Y] -AccountSecurity.protectrhost="Y" -# Q: Would you like to enforce password aging? [Y] -AccountSecurity.passwdage="Y" -# Q: Would you like to create a non-root user account? [N] -AccountSecurity.createuser="N" -# Q: Would you like to restrict the use of cron to administrative accounts? [Y] +# Q: Would you like to restrict the use of cron to administrative accounts? [Y] AccountSecurity.cronuser="Y" -# Q: What umask would you like to set for users on the system? [077] -AccountSecurity.umask="077" -# Q: Should we allow root to login on tty's 1-6? [Y] +# Q: Would you like to enforce password aging? [Y] +AccountSecurity.passwdage="Y" +# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y] +AccountSecurity.protectrhost="Y" +# Q: Should we disallow root login on tty's 1-6? [N] AccountSecurity.rootttylogins="N" -# Q: Should we allow the PATH to include the current directory? 
[N] -AccountSecurity.restrict_path_mdk="N" -# Q: Should we deactivate this list of users? [N] -AccountSecurity.forbiduserview="Y" -# Q: Would you like to password-protect the LILO prompt? [N] -BootSecurity.protectlilo="N" -# Q: Would you like to reduce the LILO delay time to zero? [N] +# Q: Would you like to disable indexes? [N] +Apache.apacheindex="N" +# Q: Would you like to deactivate the Apache2 web server? [Y] +Apache.apacheoff="Y" +# Q: Would you like to bind the Web server to listen only to the localhost? [N] +Apache.bindapachelocal="N" +# Q: Would you like to bind the web server to a particular interface? [N] +Apache.bindapachenic="N" +# Q: Would you like to disable CGI scripts, at least for now? [Y] +Apache.cgi="Y" +# Q: Would you like to deactivate server-side includes? [Y] +Apache.ssi="Y" +# Q: Would you like to deactivate the following of symbolic links? [Y] +Apache.symlink="Y" +# Q: Would you like to reduce the LILO delay time to zero? [N] BootSecurity.lilodelay="N" -# Q: Do you ever boot Linux from the hard drive? [Y] +# Q: Do you ever boot Linux from the hard drive? [Y] BootSecurity.lilosub_drive="N" -# Q: Would you like to write the LILO changes to a boot floppy? [N] +# Q: Would you like to write the LILO changes to a boot floppy? [N] BootSecurity.lilosub_floppy="N" -# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] -BootSecurity.secureinittab="N" -# Q: Would you like to password protect single-user mode? [Y] +# Q: Would you like to password protect single-user mode? [Y] BootSecurity.passsum="Y" - Q: May we disable Autologin? [Y] -BootSecurity.disable_autologin="Y" -# Q: Would you like to set a default-deny on TCP Wrappers? [N] -SecureInetd.tcpd_default_deny="N" -# Q: May we deactivate telnet? [Y] -SecureInetd.deactivate_telnet="Y" -# Q: May we deactivate ftp? [Y] -SecureInetd.deactivate_ftp="N" -# Q: Would you like to make "Authorized Use" banners? [Y] -SecureInetd.banners="Y" -# Q: Would you like to disable the compiler? 
[N] -DisableUserTools.compiler="N" -# Q: Would you like to put limits on system resource usage? [Y] -ConfigureMiscPAM.limitsconf="N" -# Q: Should we restrict console access to a small group of user accounts? [N] +# Q: Would you like to password-protect the LILO prompt? [N] +BootSecurity.protectlilo="N" +# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] +BootSecurity.secureinittab="N" +# Q: Should we restrict console access to a small group of user accounts? [N] ConfigureMiscPAM.consolelogin="N" -# Q: Would you like to add additional logging? [Y] +# Q: Would you like to put limits on system resource usage? [N] +ConfigureMiscPAM.limitsconf="N" +# Q: Would you like to chroot named and set it to run as a non-root user? [N] +DNS.chrootbind="N" +# Q: Would you like to deactivate named, at least for now? [Y] +DNS.namedoff="Y" +# Q: Would you like to disable the gcc and/or g++ compiler? [N] +DisableUserTools.compiler="N" +# Q: Would you like to disable anonymous download? [N] +FTP.anonftp="Y" +# Q: Would you like to disable user privileges on the FTP daemon? [N] +FTP.userftp="Y" +# Q: Would you like to disable SUID status for XFree86? [N] +FilePermissions.suidXFree86="N" +# Q: Would you like to disable SUID status for at? [Y] +FilePermissions.suidat="Y" +# Q: Would you like to disable SUID status for cardctl? [Y] +FilePermissions.suidcard="Y" +# Q: Would you like to disable SUID status for DOSEMU? [Y] +FilePermissions.suiddos="Y" +# Q: Would you like to disable SUID status for dump and restore? [Y] +FilePermissions.suiddump="Y" +# Q: Would you like to disable SUID status for mount/umount? +FilePermissions.suidmount="Y" +# Q: Would you like to disable SUID status for news server tools? [Y] +FilePermissions.suidnews="Y" +# Q: Would you like to disable SUID status for ping? [Y] +FilePermissions.suidping="Y" +# Q: Would you like to disable SUID status for printing utilities? [N] +FilePermissions.suidprint="N" +# Q: Would you like to disable the r-tools? 
[Y] +FilePermissions.suidrtool="Y" +# Q: Would you like to disable SUID status for traceroute? [Y] +FilePermissions.suidtrace="Y" +# Q: Would you like to disable SUID status for usernetctl? [Y] +FilePermissions.suidusernetctl="Y" +# Q: Do you need the advanced networking options? +Firewall.ip_advnetwork="N" +# Q: Interfaces for DHCP queries: [ ] +Firewall.ip_b_dhcpiface="eth+ wlan+ ath+" +# Q: DNS Servers: [0.0.0.0/0] +Firewall.ip_b_dns="0.0.0.0/0" +# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded] +Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded" +# Q: ICMP services to audit: [ ] +Firewall.ip_b_icmpaudit="" +# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded] +Firewall.ip_b_icmpout="destination-unreachable time-exceeded echo-reply" +# Q: NTP servers to query: [ ] +Firewall.ip_b_ntpsrv="" +# Q: Force passive mode? [N] +Firewall.ip_b_passiveftp="N" +# Q: Public interfaces: [eth+ ppp+ slip+] +Firewall.ip_b_publiciface="eth+ ppp+ slip+ wlan+ ath+" +# Q: TCP service names or port numbers to allow on public interfaces: [ ] +Firewall.ip_b_publictcp="ssh" +# Q: UDP service names or port numbers to allow on public interfaces: [ ] +Firewall.ip_b_publicudp="" +# Q: Reject method: [DENY] +Firewall.ip_b_rejectmethod="DENY" +# Q: Enable source address verification? [Y] +Firewall.ip_b_srcaddr="Y" +# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh] +Firewall.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" +# Q: TCP services to block: [2049 2065:2090 6000:6020 7100] +Firewall.ip_b_tcpblock="2049 2065:2090 6000:6020 7100" +# Q: UDP services to audit: [31337] +Firewall.ip_b_udpaudit="31337" +# Q: UDP services to block: [2049 6770] +Firewall.ip_b_udpblock="2049 6770" +# Q: Should Bastille run the firewall and enable it at boot time? [N] +Firewall.ip_enable_firewall="Y" +# Q: Would you like to run the packet filtering script? 
[N] +Firewall.ip_intro="Y" +# Q: Would you like to add additional logging? [Y] Logging.morelogging="Y" -# Q: Do you have a remote logging host? [N] -Logging.remotelog="N" -# Q: Would you like to set up process accounting? [N] +# Q: Would you like to set up process accounting? [N] Logging.pacct="N" -# Q: Would you like to set up nightly security checks? [N]" -Logging.security_checks="Y" -# Q: Would you like to disable apmd? [Y] +# Q: Would you like to disable acpid and/or apmd? [Y] MiscellaneousDaemons.apmd="Y" -# Q: Would you like to deactivate NFS and Samba? [Y] -MiscellaneousDaemons.remotefs="Y" -# Q: Would you like to disable PCMCIA services? [Y] -MiscellaneousDaemons.pcmcia="Y" -# Q: Would you like to disable the DHCP daemon? [Y] +# Q: Would you like to disable the DHCP daemon? [Y] MiscellaneousDaemons.dhcpd="Y" -# Q: Would you like to disable GPM? [Y] +# Q: Would you like to disable GPM? [Y] MiscellaneousDaemons.gpm="Y" -# Q: Would you like to disable the news server daemon? [Y] +# Q: Would you like to disable the news server daemon? [Y] MiscellaneousDaemons.innd="Y" -# Q: Would you like to deactivate the routing daemons? [Y] -MiscellaneousDaemons.routing="Y" -# Q: Would you like to deactivate NIS server and client programs? [Y] -MiscellaneousDaemons.nis="Y" -# Q: Would you like to disable SNMPD? [Y] +# Q: Would you like to disable PCMCIA services? [Y] +MiscellaneousDaemons.pcmcia="Y" +# Q: Would you like to deactivate NFS and Samba? [Y] +MiscellaneousDaemons.remotefs="Y" +# Q: Would you like to disable SNMPD? [Y] MiscellaneousDaemons.snmpd="Y" -# Q: Should we disable most chkconfig'd services? -MiscellaneousDaemons.minimize_chkconfig="N" -# Q: Do you want to leave sendmail running in daemon mode? [Y] -Sendmail.sendmaildaemon="N" -# Q: Would you like to run sendmail via cron to process the queue? [N] +# Q: Would you like to setup psad? +PSAD.psad_config="N" +# Q: Would you like to disable LPR/LPRng printing? 
[N] +Printing.printing="Y" +# Q: Would you like to disable CUPS printing? [N] +Printing.printing_cups="N" +# Q: Would you like to display "Authorized Use" messages at log-in time? [Y] +SecureInetd.banners="Y" +# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y] +SecureInetd.deactivate_ftp="N" +# Q: Should Bastille ensure the telnet service does not run on this system? [y] +SecureInetd.deactivate_telnet="Y" +# Q: Who is responsible for granting authorization to use this machine? +SecureInetd.owner="its owner" +# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N] +SecureInetd.tcpd_default_deny="N" +# Q: Would you like to run sendmail via cron to process the queue? [N] Sendmail.sendmailcron="Y" -# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] +# Q: Do you want to stop sendmail from running in daemon mode? [Y] +Sendmail.sendmaildaemon="N" +# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] Sendmail.vrfyexpn="Y" -# Q: Would you like to download and install ssh? [N] -RemoteAccess.installssh="N" -# Q: Would you like to chroot named and set it to run as a non-root user? [N] -DNS.chrootbind="N" -# Q: Would you like to deactivate named, at least for now? [Y] -DNS.namedoff="Y" -# Q: Would you like to deactivate the Apache web server? [Y] -Apache.apacheoff="Y" -# Q: Would you like to bind the web server to listen only to the localhost? [N] -Apache.bindapachelocal="N" -# Q: Would you like to bind the web server to a particular interface? [N] -Apache.bindapachenic="N" -# Q: Would you like to deactivate the following of symbolic links? [Y] -Apache.symlink="Y" -# Q: Would you like to deactivate server-side includes? [Y] -Apache.ssi="Y" -# Q: Would you like to disable CGI scripts, at least for now? [Y] -Apache.cgi="Y" -# Q: Would you like to disable indexes? [N] -Apache.apacheindex="N" -# Q: Would you like to disable printing? 
[N] -Printing.printing="Y" -# Q: Would you like to disable user privileges on the FTP daemon? [N] -FTP.userftp="Y" -# Q: Would you like to disable anonymous download? [N] -FTP.anonftp="Y" -# Q: Would you like to install TMPDIR/TMP scripts? [N] +# Q: Would you like to install TMPDIR/TMP scripts? [N] TMPDIR.tmpdir="Y" diff -urN Bastille.orig/WorkstationLax.config Bastille/WorkstationLax.config --- Bastille.orig/WorkstationLax.config 2005-04-06 01:18:11.000000000 +0200 +++ Bastille/WorkstationLax.config 2014-06-07 13:15:52.898123667 +0200 
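Review bot: In ServerParanoia.config the question text above `AccountSecurity.rootttylogins` and `Sendmail.sendmaildaemon` is reworded to the opposite sense ("allow root to login" becomes "disallow root login", "leave sendmail running" becomes "stop sendmail"), while both values stay `"N"`. Read against the new wording, the strictest server profile now permits root logins on tty's 1-6 and keeps sendmail in daemon mode. The code that consumes these keys is not part of this hunk, so this needs confirming, but if it follows the new questions the lines should read `AccountSecurity.rootttylogins="Y"` and `Sendmail.sendmaildaemon="Y"`; the latter would also agree with `Sendmail.sendmailcron="Y"`. The WorkstationLax.config hunk has the same two rewordings with both values left at `"Y"`, which would make the lax profile stricter than this one on both points. The visible parts of the ServerModerate.config and WorkstationModerate.config hunks show the same pattern (`Sendmail.sendmaildaemon="N"` and `AccountSecurity.rootttylogins="Y"` respectively).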
@@ -1,138 +1,112 @@ -# Q: Would you like to run the packet filtering script? [N] -IPChains.ip_intro="N" -# Q: Would you like to set more restrictive permissions on the administration utilities? [N] -FilePermissions.generalperms_1.1="N" -# Q: What security level should we set? [3] -FilePermissions.security_level="2" -# Q: Would you like us to modify your file permissions? -FilePermissions.generalperms_1.2_mandrake="Y" -# Q: Would you like to disable SUID status for mount/umount? -FilePermissions.suidmount="N" -# Q: Would you like to disable SUID status for ping? [Y] -FilePermissions.suidping="N" -# Q: Would you like to disable SUID status for dump and restore? [Y] -FilePermissions.suiddump="N" -# Q: Would you like to disable SUID status for cardctl? [Y] -FilePermissions.suidcard="N" -# Q: Would you like to disable SUID status for at? [Y] -FilePermissions.suidat="N" -# Q: Would you like to disable SUID status for DOSEMU? [Y] -FilePermissions.suiddos="Y" -# Q: Would you like to disable SUID status for news server tools? [Y] -FilePermissions.suidnews="Y" -# Q: Would you like to disable SUID status for printing utilities? [N] -FilePermissions.suidprint="N" -# Q: Would you like to disable SUID status for the r-tools? [Y] -FilePermissions.suidrtool="N" -# Q: Would you like to disable SUID status for usernetctl? [Y] -FilePermissions.suidusernetctl="N" -# Q: Would you like to disable SUID status for traceroute? [Y] -FilePermissions.suidtrace="N" -# Q: Would you like to set up a second UID 0 account? [N] -AccountSecurity.secondadmin="N" -# Q: May we take strong steps to disallow the dangerous r-protocols? [Y] -AccountSecurity.protectrhost="N" -# Q: Would you like to enforce password aging? [Y] -AccountSecurity.passwdage="Y" -# Q: Would you like to create a non-root user account? [N] -AccountSecurity.createuser="N" -# Q: Would you like to restrict the use of cron to administrative accounts? [Y] +# Q: Would you like to restrict the use of cron to administrative accounts? 
[Y] AccountSecurity.cronuser="N" -# Q: What umask would you like to set for users on the system? [077] -AccountSecurity.umask="022" -# Q: Should we allow root to login on tty's 1-6? [Y] +# Q: Would you like to enforce password aging? [Y] +AccountSecurity.passwdage="Y" +# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y] +AccountSecurity.protectrhost="N" +# Q: Should we disallow root login on tty's 1-6? [N] AccountSecurity.rootttylogins="Y" -# Q: Should we allow the PATH to include the current directory? [N] -AccountSecurity.restrict_path_mdk="Y" -# Q: Should we deactivate this list of users? [N] -AccountSecurity.forbiduserview="N" -# Q: Would you like to password-protect the LILO prompt? [N] -BootSecurity.protectlilo="N" -# Q: Would you like to reduce the LILO delay time to zero? [N] +# Q: Would you like to disable indexes? [N] +Apache.apacheindex="N" +# Q: Would you like to deactivate the Apache2 web server? [Y] +Apache.apacheoff="Y" +# Q: Would you like to bind the Web server to listen only to the localhost? [N] +Apache.bindapachelocal="N" +# Q: Would you like to bind the web server to a particular interface? [N] +Apache.bindapachenic="N" +# Q: Would you like to disable CGI scripts, at least for now? [Y] +Apache.cgi="N" +# Q: Would you like to deactivate server-side includes? [Y] +Apache.ssi="Y" +# Q: Would you like to deactivate the following of symbolic links? [Y] +Apache.symlink="N" +# Q: Would you like to reduce the LILO delay time to zero? [N] BootSecurity.lilodelay="N" -# Q: Do you ever boot Linux from the hard drive? [Y] +# Q: Do you ever boot Linux from the hard drive? [Y] BootSecurity.lilosub_drive="N" -# Q: Would you like to write the LILO changes to a boot floppy? [N] +# Q: Would you like to write the LILO changes to a boot floppy? [N] BootSecurity.lilosub_floppy="N" -# Q: Would you like to disable CTRL-ALT-DELETE rebooting? 
[N] -BootSecurity.secureinittab="N" -# Q: Would you like to password protect single-user mode? [Y] +# Q: Would you like to password protect single-user mode? [Y] BootSecurity.passsum="Y" -# Q: May we disable Autologin? [Y] -BootSecurity.disable_autologin="N" -# Q: Would you like to set a default-deny on TCP Wrappers? [N] -SecureInetd.tcpd_default_deny="N" -# Q: May we deactivate telnet? [Y] -SecureInetd.deactivate_telnet="Y" -# Q: May we deactivate ftp? [Y] -SecureInetd.deactivate_ftp="Y" -# Q: Would you like to make "Authorized Use" banners? [Y] -SecureInetd.banners="Y" -# Q: Would you like to disable the compiler? [N] -DisableUserTools.compiler="N" -# Q: Would you like to put limits on system resource usage? [Y] -ConfigureMiscPAM.limitsconf="N" -# Q: Should we restrict console access to a small group of user accounts? [N] +# Q: Would you like to password-protect the LILO prompt? [N] +BootSecurity.protectlilo="N" +# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] +BootSecurity.secureinittab="N" +# Q: Should we restrict console access to a small group of user accounts? [N] ConfigureMiscPAM.consolelogin="N" -# Q: Would you like to add additional logging? [Y] +# Q: Would you like to put limits on system resource usage? [N] +ConfigureMiscPAM.limitsconf="N" +# Q: Would you like to chroot named and set it to run as a non-root user? [N] +DNS.chrootbind="N" +# Q: Would you like to deactivate named, at least for now? [Y] +DNS.namedoff="Y" +# Q: Would you like to disable the gcc and/or g++ compiler? [N] +DisableUserTools.compiler="N" +# Q: Would you like to disable anonymous download? [N] +FTP.anonftp="N" +# Q: Would you like to disable user privileges on the FTP daemon? [N] +FTP.userftp="N" +# Q: Would you like to disable SUID status for XFree86? [N] +FilePermissions.suidXFree86="N" +# Q: Would you like to disable SUID status for at? [Y] +FilePermissions.suidat="N" +# Q: Would you like to disable SUID status for cardctl? 
[Y] +FilePermissions.suidcard="N" +# Q: Would you like to disable SUID status for DOSEMU? [Y] +FilePermissions.suiddos="Y" +# Q: Would you like to disable SUID status for dump and restore? [Y] +FilePermissions.suiddump="N" +# Q: Would you like to disable SUID status for mount/umount? +FilePermissions.suidmount="N" +# Q: Would you like to disable SUID status for news server tools? [Y] +FilePermissions.suidnews="Y" +# Q: Would you like to disable SUID status for ping? [Y] +FilePermissions.suidping="N" +# Q: Would you like to disable SUID status for printing utilities? [N] +FilePermissions.suidprint="N" +# Q: Would you like to disable the r-tools? [Y] +FilePermissions.suidrtool="N" +# Q: Would you like to disable SUID status for traceroute? [Y] +FilePermissions.suidtrace="N" +# Q: Would you like to disable SUID status for usernetctl? [Y] +FilePermissions.suidusernetctl="N" +# Q: Would you like to run the packet filtering script? [N] +Firewall.ip_intro="N" +# Q: Would you like to add additional logging? [Y] Logging.morelogging="Y" -# Q: Do you have a remote logging host? [N] -Logging.remotelog="N" -# Q: Would you like to set up process accounting? [N] +# Q: Would you like to set up process accounting? [N] Logging.pacct="N" -# Q: Would you like to set up nightly security checks? [N]" -Logging.security_checks="Y" -# Q: Would you like to disable apmd? [Y] +# Q: Would you like to disable acpid and/or apmd? [Y] MiscellaneousDaemons.apmd="N" -# Q: Would you like to deactivate NFS and Samba? [Y] -MiscellaneousDaemons.remotefs="N" -# Q: Would you like to disable PCMCIA services? [Y] -MiscellaneousDaemons.pcmcia="N" -# Q: Would you like to disable the DHCP daemon? [Y] +# Q: Would you like to disable the DHCP daemon? [Y] MiscellaneousDaemons.dhcpd="Y" -# Q: Would you like to disable GPM? [Y] +# Q: Would you like to disable GPM? [Y] MiscellaneousDaemons.gpm="N" -# Q: Would you like to disable the news server daemon? [Y] +# Q: Would you like to disable the news server daemon? 
[Y] MiscellaneousDaemons.innd="Y" -# Q: Would you like to deactivate the routing daemons? [Y] -MiscellaneousDaemons.routing="Y" -# Q: Would you like to deactivate NIS server and client programs? [Y] -MiscellaneousDaemons.nis="Y" -# Q: Would you like to disable SNMPD? [Y] +# Q: Would you like to disable PCMCIA services? [Y] +MiscellaneousDaemons.pcmcia="N" +# Q: Would you like to deactivate NFS and Samba? [Y] +MiscellaneousDaemons.remotefs="N" +# Q: Would you like to disable SNMPD? [Y] MiscellaneousDaemons.snmpd="Y" -# Q: Should we disable most chkconfig'd services? -MiscellaneousDaemons.minimize_chkconfig="N" -# Q: Do you want to leave sendmail running in daemon mode? [Y] -Sendmail.sendmaildaemon="Y" -# Q: Would you like to run sendmail via cron to process the queue? [N] +# Q: Would you like to disable LPR/LPRng printing? [N] +Printing.printing="N" +# Q: Would you like to disable CUPS printing? [N] +Printing.printing_cups="N" +# Q: Would you like to display "Authorized Use" messages at log-in time? [Y] +SecureInetd.banners="N" +# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y] +SecureInetd.deactivate_ftp="N" +# Q: Should Bastille ensure the telnet service does not run on this system? [y] +SecureInetd.deactivate_telnet="Y" +# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N] +SecureInetd.tcpd_default_deny="N" +# Q: Would you like to run sendmail via cron to process the queue? [N] Sendmail.sendmailcron="N" -# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] +# Q: Do you want to stop sendmail from running in daemon mode? [Y] +Sendmail.sendmaildaemon="Y" +# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] Sendmail.vrfyexpn="Y" -# Q: Would you like to download and install ssh? [N] -RemoteAccess.installssh="N" -# Q: Would you like to chroot named and set it to run as a non-root user? [N] -DNS.chrootbind="N" -# Q: Would you like to deactivate named, at least for now? 
[Y] -DNS.namedoff="Y" -# Q: Would you like to deactivate the Apache web server? [Y] -Apache.apacheoff="Y" -# Q: Would you like to bind the web server to listen only to the localhost? [N] -Apache.bindapachelocal="N" -# Q: Would you like to bind the web server to a particular interface? [N] -Apache.bindapachenic="N" -# Q: Would you like to deactivate the following of symbolic links? [Y] -Apache.symlink="N" -# Q: Would you like to deactivate server-side includes? [Y] -Apache.ssi="Y" -# Q: Would you like to disable CGI scripts, at least for now? [Y] -Apache.cgi="N" -# Q: Would you like to disable indexes? [N] -Apache.apacheindex="N" -# Q: Would you like to disable printing? [N] -Printing.printing="N" -# Q: Would you like to disable user privileges on the FTP daemon? [N] -FTP.userftp="N" -# Q: Would you like to disable anonymous download? [N] -FTP.anonftp="N" -# Q: Would you like to install TMPDIR/TMP scripts? [N] +# Q: Would you like to install TMPDIR/TMP scripts? [N] TMPDIR.tmpdir="N" diff -urN Bastille.orig/WorkstationModerate.config Bastille/WorkstationModerate.config --- Bastille.orig/WorkstationModerate.config 2005-04-06 01:18:11.000000000 +0200 +++ Bastille/WorkstationModerate.config 2014-06-07 13:15:52.899123692 +0200 
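Review bot: `SecureInetd.deactivate_ftp` goes from `"Y"` to `"N"` and `SecureInetd.banners` from `"Y"` to `"N"` in WorkstationLax.config, inside a hunk that otherwise reads as a re-sort and rewording of the existing answers. With the new value the profile no longer asks Bastille to keep inetd's FTP service off, even though `SecureInetd.deactivate_telnet="Y"` still turns off the other clear-text service. Unless this workstation profile is meant to serve FTP, keep `SecureInetd.deactivate_ftp="Y"`, and if the loosening is intended it should be stated in the change description. The hunk also drops `AccountSecurity.umask="022"` and `Logging.security_checks="Y"` with no replacement key; whether those questions still exist in the target Bastille version cannot be seen from here.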
@@ -1,170 +1,152 @@ -# Q: Would you like to run the packet filtering script? [N] -IPChains.ip_intro="Y" -# Q: -IPChains.ip_detail_level_kludge="Y" -# Q: Do you need the advanced networking options? -IPChains.ip_advnetwork="N" -# Q: DNS Servers: [0.0.0.0/0] -IPChains.ip_b_dns="0.0.0.0/0" -# Q: -IPChains.ip_b_trustiface="lo" -# Q: Public interfaces: [eth+ ppp+ slip+] -IPChains.ip_b_publiciface="eth+ ppp+ slip+" -# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh] -IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" -# Q: UDP services to audit: [31337] -IPChains.ip_b_udpaudit="31337" -# Q: TCP service names or port numbers to allow on public interfaces: [ ] -IPChains.ip_b_publictcp="ssh 80 443 25 21 53" -# Q: UDP service names or port numbers to allow on public interfaces: [ ] -IPChains.ip_b_publicudp="53 67 68" -# Q: Force passive mode? [N] -IPChains.ip_b_passiveftp="N" -# Q: TCP services to block: [2049 2065:2090 6000:6020 7100] -IPChains.ip_b_tcpblock="2049 2065:2090 7100" -# Q: UDP services to block: [2049 6770] -IPChains.ip_b_udpblock="2049 6770" -# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded] -IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-requested" -# Q: Enable source address verification? [Y] -IPChains.ip_b_srcaddr="Y" -# Q: Reject method: [DENY] -IPChains.ip_b_rejectmethod="REJECT" -# Q: Interfaces for DHCP queries: [ ] -IPChains.ip_b_dhcpiface="eth+" -# Q: Would you like to set more restrictive permissions on the administration utilities? [N] -FilePermissions.generalperms_1.1="N" -# Q: What security level should we set? [3] -FilePermissions.security_level="3" -# Q: Would you like us to modify your file permissions? -FilePermissions.generalperms_1.2_mandrake="Y" -# Q: Would you like to disable SUID status for mount/umount? -FilePermissions.suidmount="N" -# Q: Would you like to disable SUID status for ping? 
[Y] -FilePermissions.suidping="N" -# Q: Would you like to disable SUID status for dump and restore? [Y] -FilePermissions.suiddump="Y" -# Q: Would you like to disable SUID status for cardctl? [Y] -FilePermissions.suidcard="Y" -# Q: Would you like to disable SUID status for at? [Y] -FilePermissions.suidat="N" -# Q: Would you like to disable SUID status for DOSEMU? [Y] -FilePermissions.suiddos="Y" -# Q: Would you like to disable SUID status for news server tools? [Y] -FilePermissions.suidnews="Y" -# Q: Would you like to disable SUID status for printing utilities? [N] -FilePermissions.suidprint="N" -# Q: Would you like to disable SUID status for the r-tools? [Y] -FilePermissions.suidrtool="Y" -# Q: Would you like to disable SUID status for usernetctl? [Y] -FilePermissions.suidusernetctl="N" -# Q: Would you like to disable SUID status for traceroute? [Y] -FilePermissions.suidtrace="N" -# Q: Would you like to set up a second UID 0 account? [N] -AccountSecurity.secondadmin="N" -# Q: May we take strong steps to disallow the dangerous r-protocols? [Y] -AccountSecurity.protectrhost="Y" -# Q: Would you like to enforce password aging? [Y] -AccountSecurity.passwdage="Y" -# Q: Would you like to create a non-root user account? [N] -AccountSecurity.createuser="N" -# Q: Would you like to restrict the use of cron to administrative accounts? [Y] +# Q: Would you like to restrict the use of cron to administrative accounts? [Y] AccountSecurity.cronuser="N" -# Q: What umask would you like to set for users on the system? [077] -AccountSecurity.umask="077" -# Q: Should we allow root to login on tty's 1-6? [Y] +# Q: Would you like to enforce password aging? [Y] +AccountSecurity.passwdage="Y" +# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y] +AccountSecurity.protectrhost="Y" +# Q: Should we disallow root login on tty's 1-6? [N] AccountSecurity.rootttylogins="Y" -# Q: Should we allow the PATH to include the current directory? 
[N]
-AccountSecurity.restrict_path_mdk="N"
-# Q: Should we deactivate this list of users? [N]
-AccountSecurity.forbiduserview="N"
-# Q: Would you like to password-protect the LILO prompt? [N]
-BootSecurity.protectlilo="N"
-# Q: Would you like to reduce the LILO delay time to zero? [N]
+# Q: Would you like to disable indexes? [N]
+Apache.apacheindex="N"
+# Q: Would you like to deactivate the Apache2 web server? [Y]
+Apache.apacheoff="Y"
+# Q: Would you like to bind the Web server to listen only to the localhost? [N]
+Apache.bindapachelocal="N"
+# Q: Would you like to bind the web server to a particular interface? [N]
+Apache.bindapachenic="N"
+# Q: Would you like to disable CGI scripts, at least for now? [Y]
+Apache.cgi="N"
+# Q: Would you like to deactivate server-side includes? [Y]
+Apache.ssi="Y"
+# Q: Would you like to deactivate the following of symbolic links? [Y]
+Apache.symlink="N"
+# Q: Would you like to reduce the LILO delay time to zero? [N]
 BootSecurity.lilodelay="N"
-# Q: Do you ever boot Linux from the hard drive? [Y]
+# Q: Do you ever boot Linux from the hard drive? [Y]
 BootSecurity.lilosub_drive="N"
-# Q: Would you like to write the LILO changes to a boot floppy? [N]
+# Q: Would you like to write the LILO changes to a boot floppy? [N]
 BootSecurity.lilosub_floppy="N"
-# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]
-BootSecurity.secureinittab="N"
-# Q: Would you like to password protect single-user mode? [Y]
+# Q: Would you like to password protect single-user mode? [Y]
 BootSecurity.passsum="Y"
-# Q: May we disable Autologin? [Y]
-BootSecurity.disable_autologin="Y"
-# Q: Would you like to set a default-deny on TCP Wrappers? [N]
-SecureInetd.tcpd_default_deny="N"
-# Q: May we deactivate telnet? [Y]
-SecureInetd.deactivate_telnet="Y"
-# Q: May we deactivate ftp? [Y]
-SecureInetd.deactivate_ftp="Y"
-# Q: Would you like to make "Authorized Use" banners? [Y]
-SecureInetd.banners="Y"
-# Q: Would you like to disable the compiler? [N]
-DisableUserTools.compiler="N"
-# Q: Would you like to put limits on system resource usage? [Y]
-ConfigureMiscPAM.limitsconf="N"
-# Q: Should we restrict console access to a small group of user accounts? [N]
+# Q: Would you like to password-protect the LILO prompt? [N]
+BootSecurity.protectlilo="N"
+# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]
+BootSecurity.secureinittab="N"
+# Q: Should we restrict console access to a small group of user accounts? [N]
 ConfigureMiscPAM.consolelogin="N"
-# Q: Would you like to add additional logging? [Y]
+# Q: Would you like to put limits on system resource usage? [N]
+ConfigureMiscPAM.limitsconf="N"
+# Q: Would you like to chroot named and set it to run as a non-root user? [N]
+DNS.chrootbind="N"
+# Q: Would you like to deactivate named, at least for now? [Y]
+DNS.namedoff="Y"
+# Q: Would you like to disable the gcc and/or g++ compiler? [N]
+DisableUserTools.compiler="N"
+# Q: Would you like to disable anonymous download? [N]
+FTP.anonftp="Y"
+# Q: Would you like to disable user privileges on the FTP daemon? [N]
+FTP.userftp="N"
+# Q: Would you like to disable SUID status for XFree86? [N]
+FilePermissions.suidXFree86="N"
+# Q: Would you like to disable SUID status for at? [Y]
+FilePermissions.suidat="N"
+# Q: Would you like to disable SUID status for cardctl? [Y]
+FilePermissions.suidcard="Y"
+# Q: Would you like to disable SUID status for DOSEMU? [Y]
+FilePermissions.suiddos="Y"
+# Q: Would you like to disable SUID status for dump and restore? [Y]
+FilePermissions.suiddump="Y"
+# Q: Would you like to disable SUID status for mount/umount?
+FilePermissions.suidmount="N"
+# Q: Would you like to disable SUID status for news server tools? [Y]
+FilePermissions.suidnews="Y"
+# Q: Would you like to disable SUID status for ping? [Y]
+FilePermissions.suidping="N"
+# Q: Would you like to disable SUID status for printing utilities? [N]
+FilePermissions.suidprint="N"
+# Q: Would you like to disable the r-tools? [Y]
+FilePermissions.suidrtool="Y"
+# Q: Would you like to disable SUID status for traceroute? [Y]
+FilePermissions.suidtrace="N"
+# Q: Would you like to disable SUID status for usernetctl? [Y]
+FilePermissions.suidusernetctl="N"
+# Q: Do you need the advanced networking options?
+Firewall.ip_advnetwork="N"
+# Q: Interfaces for DHCP queries: [ ]
+Firewall.ip_b_dhcpiface="eth+ wlan+ ath+"
+# Q: DNS Servers: [0.0.0.0/0]
+Firewall.ip_b_dns="0.0.0.0/0"
+# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
+Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-request"
+# Q: ICMP services to audit: [ ]
+Firewall.ip_b_icmpaudit=""
+# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
+Firewall.ip_b_icmpout="destination-unreachable time-exceeded"
+# Q: NTP servers to query: [ ]
+Firewall.ip_b_ntpsrv=""
+# Q: Force passive mode? [N]
+Firewall.ip_b_passiveftp="N"
+# Q: Public interfaces: [eth+ ppp+ slip+]
+Firewall.ip_b_publiciface="eth+ ppp+ slip+ wlan+ ath+"
+# Q: TCP service names or port numbers to allow on public interfaces: [ ]
+Firewall.ip_b_publictcp="ssh 80 443 25 21 53"
+# Q: UDP service names or port numbers to allow on public interfaces: [ ]
+Firewall.ip_b_publicudp="53 67 68"
+# Q: Reject method: [DENY]
+Firewall.ip_b_rejectmethod="REJECT"
+# Q: Enable source address verification? [Y]
+Firewall.ip_b_srcaddr="Y"
+# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
+Firewall.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
+# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
+Firewall.ip_b_tcpblock="2049 2065:2090 7100"
+# Q: UDP services to audit: [31337]
+Firewall.ip_b_udpaudit="31337"
+# Q: UDP services to block: [2049 6770]
+Firewall.ip_b_udpblock="2049 6770"
+# Q: Should Bastille run the firewall and enable it at boot time? [N]
+Firewall.ip_enable_firewall="Y"
+# Q: Would you like to run the packet filtering script? [N]
+Firewall.ip_intro="Y"
+# Q: Would you like to add additional logging? [Y]
 Logging.morelogging="Y"
-# Q: Do you have a remote logging host? [N]
-Logging.remotelog="N"
-# Q: Would you like to set up process accounting? [N]
+# Q: Would you like to set up process accounting? [N]
 Logging.pacct="N"
-# Q: Would you like to set up nightly security checks? [N]"
-Logging.security_checks="Y"
-# Q: Would you like to disable apmd? [Y]
+# Q: Would you like to disable acpid and/or apmd? [Y]
 MiscellaneousDaemons.apmd="Y"
-# Q: Would you like to deactivate NFS and Samba? [Y]
-MiscellaneousDaemons.remotefs="Y"
-# Q: Would you like to disable PCMCIA services? [Y]
-MiscellaneousDaemons.pcmcia="N"
-# Q: Would you like to disable the DHCP daemon? [Y]
+# Q: Would you like to disable the DHCP daemon? [Y]
 MiscellaneousDaemons.dhcpd="Y"
-# Q: Would you like to disable GPM? [Y]
+# Q: Would you like to disable GPM? [Y]
 MiscellaneousDaemons.gpm="Y"
-# Q: Would you like to disable the news server daemon? [Y]
+# Q: Would you like to disable the news server daemon? [Y]
 MiscellaneousDaemons.innd="Y"
-# Q: Would you like to deactivate the routing daemons? [Y]
-MiscellaneousDaemons.routing="Y"
-# Q: Would you like to deactivate NIS server and client programs? [Y]
-MiscellaneousDaemons.nis="Y"
-# Q: Would you like to disable SNMPD? [Y]
+# Q: Would you like to disable PCMCIA services? [Y]
+MiscellaneousDaemons.pcmcia="N"
+# Q: Would you like to deactivate NFS and Samba? [Y]
+MiscellaneousDaemons.remotefs="Y"
+# Q: Would you like to disable SNMPD? [Y]
 MiscellaneousDaemons.snmpd="Y"
-# Q: Should we disable most chkconfig'd services?
-MiscellaneousDaemons.minimize_chkconfig="N"
-# Q: Do you want to leave sendmail running in daemon mode? [Y]
-Sendmail.sendmaildaemon="N"
-# Q: Would you like to run sendmail via cron to process the queue? [N]
+# Q: Would you like to setup psad?
+PSAD.psad_config="N"
+# Q: Would you like to disable LPR/LPRng printing? [N]
+Printing.printing="N"
+# Q: Would you like to disable CUPS printing? [N]
+Printing.printing_cups="N"
+# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
+SecureInetd.banners="Y"
+# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
+SecureInetd.deactivate_ftp="Y"
+# Q: Should Bastille ensure the telnet service does not run on this system? [y]
+SecureInetd.deactivate_telnet="Y"
+# Q: Who is responsible for granting authorization to use this machine?
+SecureInetd.owner="its owner"
+# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
+SecureInetd.tcpd_default_deny="N"
+# Q: Would you like to run sendmail via cron to process the queue? [N]
 Sendmail.sendmailcron="Y"
-# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]
+# Q: Do you want to stop sendmail from running in daemon mode? [Y]
+Sendmail.sendmaildaemon="N"
+# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]
 Sendmail.vrfyexpn="Y"
-# Q: Would you like to download and install ssh? [N]
-RemoteAccess.installssh="N"
-# Q: Would you like to chroot named and set it to run as a non-root user? [N]
-DNS.chrootbind="N"
-# Q: Would you like to deactivate named, at least for now? [Y]
-DNS.namedoff="Y"
-# Q: Would you like to deactivate the Apache web server? [Y]
-Apache.apacheoff="Y"
-# Q: Would you like to bind the web server to listen only to the localhost? [N]
-Apache.bindapachelocal="N"
-# Q: Would you like to bind the web server to a particular interface? [N]
-Apache.bindapachenic="N"
-# Q: Would you like to deactivate the following of symbolic links? [Y]
-Apache.symlink="N"
-# Q: Would you like to deactivate server-side includes? [Y]
-Apache.ssi="Y"
-# Q: Would you like to disable CGI scripts, at least for now? [Y]
-Apache.cgi="N"
-# Q: Would you like to disable indexes? [N]
-Apache.apacheindex="N"
-# Q: Would you like to disable printing? [N]
-Printing.printing="N"
-# Q: Would you like to disable user privileges on the FTP daemon? [N]
-FTP.userftp="N"
-# Q: Would you like to disable anonymous download? [N]
-FTP.anonftp="Y"
-# Q: Would you like to install TMPDIR/TMP scripts? [N]
+# Q: Would you like to install TMPDIR/TMP scripts? [N]
 TMPDIR.tmpdir="Y"
diff -urN Bastille.orig/WorkstationParanoia.config Bastille/WorkstationParanoia.config
--- Bastille.orig/WorkstationParanoia.config 2005-04-06 01:18:11.000000000 +0200
+++ Bastille/WorkstationParanoia.config 2014-06-07 13:15:52.900123716 +0200
@@ -1,172 +1,152 @@
-# Q: Would you like to run the packet filtering script? [N]
-IPChains.ip_intro="Y"
-# Q:
-IPChains.ip_detail_level_kludge="Y"
-# Q: Do you need the advanced networking options?
-IPChains.ip_advnetwork="N"
-# Q: DNS Servers: [0.0.0.0/0]
-IPChains.ip_b_dns="0.0.0.0/0"
-# Q:
-IPChains.ip_b_trustiface="lo"
-# Q: Public interfaces: [eth+ ppp+ slip+]
-IPChains.ip_b_publiciface="eth+ ppp+ slip+"
-# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
-IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
-# Q: UDP services to audit: [31337]
-IPChains.ip_b_udpaudit="31337"
-# Q: TCP service names or port numbers to allow on public interfaces: [ ]
-IPChains.ip_b_publictcp="ssh"
-# Q: Force passive mode? [N]
-IPChains.ip_b_passiveftp="N"
-# Q: TCP services to block: [2065:2090 6000:6020 7100]
-IPChains.ip_b_tcpblock="2049 2065:2090 6000:6020 7100"
-# Q: UDP services to block: [2049 6770]
-IPChains.ip_b_udpblock="2049 6770"
-# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
-IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded"
-# Q: Enable source address verification? [Y]
-IPChains.ip_b_srcaddr="Y"
-# Q: Reject method: [DENY]
-IPChains.ip_b_rejectmethod="DENY"
-# Q: Interfaces for DHCP queries: [ ]
-IPChains.ip_b_dhcpiface="eth+"
-# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
-IPChains.ip_b_icmpout="destination-unreachable time-exceeded echo-reply"
-# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
-FilePermissions.generalperms_1.1="N"
-# Q: What security level should we set? [3]
-FilePermissions.security_level="4"
-# Q: Would you like us to modify your file permissions?
-FilePermissions.generalperms_1.2_mandrake="Y"
-# Q: Would you like to disable SUID status for mount/umount?
-FilePermissions.suidmount="Y"
-# Q: Would you like to disable SUID status for ping? [Y]
-FilePermissions.suidping="Y"
-# Q: Would you like to disable SUID status for dump and restore? [Y]
-FilePermissions.suiddump="Y"
-# Q: Would you like to disable SUID status for cardctl? [Y]
-FilePermissions.suidcard="Y"
-# Q: Would you like to disable SUID status for at? [Y]
-FilePermissions.suidat="Y"
-# Q: Would you like to disable SUID status for DOSEMU? [Y]
-FilePermissions.suiddos="Y"
-# Q: Would you like to disable SUID status for news server tools? [Y]
-FilePermissions.suidnews="Y"
-# Q: Would you like to disable SUID status for printing utilities? [N]
-FilePermissions.suidprint="N"
-# Q: Would you like to disable SUID status for the r-tools? [Y]
-FilePermissions.suidrtool="Y"
-# Q: Would you like to disable SUID status for usernetctl? [Y]
-FilePermissions.suidusernetctl="Y"
-# Q: Would you like to disable SUID status for traceroute? [Y]
-FilePermissions.suidtrace="Y"
-# Q: Would you like to set up a second UID 0 account? [N]
-AccountSecurity.secondadmin="N"
-# Q: May we take strong steps to disallow the dangerous r-protocols? [Y]
-AccountSecurity.protectrhost="Y"
-# Q: Would you like to enforce password aging? [Y]
-AccountSecurity.passwdage="Y"
-# Q: Would you like to create a non-root user account? [N]
-AccountSecurity.createuser="N"
-# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
+# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
 AccountSecurity.cronuser="Y"
-# Q: What umask would you like to set for users on the system? [077]
-AccountSecurity.umask="077"
-# Q: Should we allow root to login on tty's 1-6? [Y]
+# Q: Would you like to enforce password aging? [Y]
+AccountSecurity.passwdage="Y"
+# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
+AccountSecurity.protectrhost="Y"
+# Q: Should we disallow root login on tty's 1-6? [N]
 AccountSecurity.rootttylogins="N"
-# Q: Should we allow the PATH to include the current directory? [N]
-AccountSecurity.restrict_path_mdk="N"
-# Q: Should we deactivate this list of users? [N]
-AccountSecurity.forbiduserview="Y"
-# Q: Would you like to password-protect the LILO prompt? [N]
-BootSecurity.protectlilo="N"
-# Q: Would you like to reduce the LILO delay time to zero? [N]
+# Q: Would you like to disable indexes? [N]
+Apache.apacheindex="N"
+# Q: Would you like to deactivate the Apache2 web server? [Y]
+Apache.apacheoff="Y"
+# Q: Would you like to bind the Web server to listen only to the localhost? [N]
+Apache.bindapachelocal="N"
+# Q: Would you like to bind the web server to a particular interface? [N]
+Apache.bindapachenic="N"
+# Q: Would you like to disable CGI scripts, at least for now? [Y]
+Apache.cgi="Y"
+# Q: Would you like to deactivate server-side includes? [Y]
+Apache.ssi="Y"
+# Q: Would you like to deactivate the following of symbolic links? [Y]
+Apache.symlink="Y"
+# Q: Would you like to reduce the LILO delay time to zero? [N]
 BootSecurity.lilodelay="N"
-# Q: Do you ever boot Linux from the hard drive? [Y]
+# Q: Do you ever boot Linux from the hard drive? [Y]
 BootSecurity.lilosub_drive="N"
-# Q: Would you like to write the LILO changes to a boot floppy? [N]
+# Q: Would you like to write the LILO changes to a boot floppy? [N]
 BootSecurity.lilosub_floppy="N"
-# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]
-BootSecurity.secureinittab="N"
-# Q: Would you like to password protect single-user mode? [Y]
+# Q: Would you like to password protect single-user mode? [Y]
 BootSecurity.passsum="Y"
-# Q: May we disable Autologin? [Y]
-BootSecurity.disable_autologin="Y"
-# Q: Would you like to set a default-deny on TCP Wrappers? [N]
-SecureInetd.tcpd_default_deny="N"
-# Q: May we deactivate telnet? [Y]
-SecureInetd.deactivate_telnet="Y"
-# Q: May we deactivate ftp? [Y]
-SecureInetd.deactivate_ftp="Y"
-# Q: Would you like to set sshd to accept connections only from a small list of IP addresses. [N]
-SecureInetd.limit_ssh="N"
-# Q: Would you like to make "Authorized Use" banners? [Y]
-SecureInetd.banners="Y"
-# Q: Would you like to disable the compiler? [N]
-DisableUserTools.compiler="N"
-# Q: Would you like to put limits on system resource usage? [Y]
-ConfigureMiscPAM.limitsconf="N"
-# Q: Should we restrict console access to a small group of user accounts? [N]
+# Q: Would you like to password-protect the LILO prompt? [N]
+BootSecurity.protectlilo="N"
+# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]
+BootSecurity.secureinittab="N"
+# Q: Should we restrict console access to a small group of user accounts? [N]
 ConfigureMiscPAM.consolelogin="N"
-# Q: Would you like to add additional logging? [Y]
+# Q: Would you like to put limits on system resource usage? [N]
+ConfigureMiscPAM.limitsconf="N"
+# Q: Would you like to chroot named and set it to run as a non-root user? [N]
+DNS.chrootbind="N"
+# Q: Would you like to deactivate named, at least for now? [Y]
+DNS.namedoff="Y"
+# Q: Would you like to disable the gcc and/or g++ compiler? [N]
+DisableUserTools.compiler="N"
+# Q: Would you like to disable anonymous download? [N]
+FTP.anonftp="Y"
+# Q: Would you like to disable user privileges on the FTP daemon? [N]
+FTP.userftp="Y"
+# Q: Would you like to disable SUID status for XFree86? [N]
+FilePermissions.suidXFree86="N"
+# Q: Would you like to disable SUID status for at? [Y]
+FilePermissions.suidat="Y"
+# Q: Would you like to disable SUID status for cardctl? [Y]
+FilePermissions.suidcard="Y"
+# Q: Would you like to disable SUID status for DOSEMU? [Y]
+FilePermissions.suiddos="Y"
+# Q: Would you like to disable SUID status for dump and restore? [Y]
+FilePermissions.suiddump="Y"
+# Q: Would you like to disable SUID status for mount/umount?
+FilePermissions.suidmount="Y"
+# Q: Would you like to disable SUID status for news server tools? [Y]
+FilePermissions.suidnews="Y"
+# Q: Would you like to disable SUID status for ping? [Y]
+FilePermissions.suidping="Y"
+# Q: Would you like to disable SUID status for printing utilities? [N]
+FilePermissions.suidprint="N"
+# Q: Would you like to disable the r-tools? [Y]
+FilePermissions.suidrtool="Y"
+# Q: Would you like to disable SUID status for traceroute? [Y]
+FilePermissions.suidtrace="Y"
+# Q: Would you like to disable SUID status for usernetctl? [Y]
+FilePermissions.suidusernetctl="Y"
+# Q: Do you need the advanced networking options?
+Firewall.ip_advnetwork="N"
+# Q: Interfaces for DHCP queries: [ ]
+Firewall.ip_b_dhcpiface="eth+ wlan+ ath+"
+# Q: DNS Servers: [0.0.0.0/0]
+Firewall.ip_b_dns="0.0.0.0/0"
+# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
+Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded"
+# Q: ICMP services to audit: [ ]
+Firewall.ip_b_icmpaudit=""
+# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
+Firewall.ip_b_icmpout="destination-unreachable time-exceeded echo-reply"
+# Q: NTP servers to query: [ ]
+Firewall.ip_b_ntpsrv=""
+# Q: Force passive mode? [N]
+Firewall.ip_b_passiveftp="N"
+# Q: Public interfaces: [eth+ ppp+ slip+]
+Firewall.ip_b_publiciface="eth+ ppp+ slip+ wlan+ ath+"
+# Q: TCP service names or port numbers to allow on public interfaces: [ ]
+Firewall.ip_b_publictcp="ssh"
+# Q: UDP service names or port numbers to allow on public interfaces: [ ]
+Firewall.ip_b_publicudp=""
+# Q: Reject method: [DENY]
+Firewall.ip_b_rejectmethod="DENY"
+# Q: Enable source address verification? [Y]
+Firewall.ip_b_srcaddr="Y"
+# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
+Firewall.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
+# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
+Firewall.ip_b_tcpblock="2049 2065:2090 6000:6020 7100"
+# Q: UDP services to audit: [31337]
+Firewall.ip_b_udpaudit="31337"
+# Q: UDP services to block: [2049 6770]
+Firewall.ip_b_udpblock="2049 6770"
+# Q: Should Bastille run the firewall and enable it at boot time? [N]
+Firewall.ip_enable_firewall="Y"
+# Q: Would you like to run the packet filtering script? [N]
+Firewall.ip_intro="Y"
+# Q: Would you like to add additional logging? [Y]
 Logging.morelogging="Y"
-# Q: Do you have a remote logging host? [N]
-Logging.remotelog="N"
-# Q: Would you like to set up process accounting? [N]
+# Q: Would you like to set up process accounting? [N]
 Logging.pacct="N"
-# Q: Would you like to set up nightly security checks? [N]"
-Logging.security_checks="Y"
-# Q: Would you like to disable apmd? [Y]
+# Q: Would you like to disable acpid and/or apmd? [Y]
 MiscellaneousDaemons.apmd="Y"
-# Q: Would you like to deactivate NFS and Samba? [Y]
-MiscellaneousDaemons.remotefs="Y"
-# Q: Would you like to disable PCMCIA services? [Y]
-MiscellaneousDaemons.pcmcia="Y"
-# Q: Would you like to disable the DHCP daemon? [Y]
+# Q: Would you like to disable the DHCP daemon? [Y]
 MiscellaneousDaemons.dhcpd="Y"
-# Q: Would you like to disable GPM? [Y]
+# Q: Would you like to disable GPM? [Y]
 MiscellaneousDaemons.gpm="Y"
-# Q: Would you like to disable the news server daemon? [Y]
+# Q: Would you like to disable the news server daemon? [Y]
 MiscellaneousDaemons.innd="Y"
-# Q: Would you like to deactivate the routing daemons? [Y]
-MiscellaneousDaemons.routing="Y"
-# Q: Would you like to deactivate NIS server and client programs? [Y]
-MiscellaneousDaemons.nis="Y"
-# Q: Would you like to disable SNMPD? [Y]
+# Q: Would you like to disable PCMCIA services? [Y]
+MiscellaneousDaemons.pcmcia="Y"
+# Q: Would you like to deactivate NFS and Samba? [Y]
+MiscellaneousDaemons.remotefs="Y"
+# Q: Would you like to disable SNMPD? [Y]
 MiscellaneousDaemons.snmpd="Y"
-# Q: Should we disable most chkconfig'd services?
-MiscellaneousDaemons.minimize_chkconfig="Y"
-# Q: Do you want to leave sendmail running in daemon mode? [Y]
-Sendmail.sendmaildaemon="N"
-# Q: Would you like to run sendmail via cron to process the queue? [N]
+# Q: Would you like to setup psad?
+PSAD.psad_config="N"
+# Q: Would you like to disable LPR/LPRng printing? [N]
+Printing.printing="N"
+# Q: Would you like to disable CUPS printing? [N]
+Printing.printing_cups="N"
+# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
+SecureInetd.banners="Y"
+# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
+SecureInetd.deactivate_ftp="Y"
+# Q: Should Bastille ensure the telnet service does not run on this system? [y]
+SecureInetd.deactivate_telnet="Y"
+# Q: Who is responsible for granting authorization to use this machine?
+SecureInetd.owner="its owner"
+# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
+SecureInetd.tcpd_default_deny="N"
+# Q: Would you like to run sendmail via cron to process the queue? [N]
 Sendmail.sendmailcron="Y"
-# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]
+# Q: Do you want to stop sendmail from running in daemon mode? [Y]
+Sendmail.sendmaildaemon="N"
+# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]
 Sendmail.vrfyexpn="Y"
-# Q: Would you like to download and install ssh? [N]
-RemoteAccess.installssh="N"
-# Q: Would you like to chroot named and set it to run as a non-root user? [N]
-DNS.chrootbind="N"
-# Q: Would you like to deactivate named, at least for now? [Y]
-DNS.namedoff="Y"
-# Q: Would you like to deactivate the Apache web server? [Y]
-Apache.apacheoff="Y"
-# Q: Would you like to bind the web server to listen only to the localhost? [N]
-Apache.bindapachelocal="N"
-# Q: Would you like to bind the web server to a particular interface? [N]
-Apache.bindapachenic="N"
-# Q: Would you like to deactivate the following of symbolic links? [Y]
-Apache.symlink="Y"
-# Q: Would you like to deactivate server-side includes? [Y]
-Apache.ssi="Y"
-# Q: Would you like to disable CGI scripts, at least for now? [Y]
-Apache.cgi="Y"
-# Q: Would you like to disable indexes? [N]
-Apache.apacheindex="N"
-# Q: Would you like to disable printing? [N]
-Printing.printing="N"
-# Q: Would you like to disable user privileges on the FTP daemon? [N]
-FTP.userftp="Y"
-# Q: Would you like to disable anonymous download? [N]
-FTP.anonftp="Y"
-# Q: Would you like to install TMPDIR/TMP scripts? [N]
+# Q: Would you like to install TMPDIR/TMP scripts? [N]
 TMPDIR.tmpdir="Y"
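Review bot: Two answers in this Paranoia profile look inverted relative to their reworded questions: `AccountSecurity.rootttylogins="N"` now sits under "Should we disallow root login on tty's 1-6?" and `Sendmail.sendmaildaemon="N"` under "Do you want to stop sendmail from running in daemon mode?", while the removed lines asked the opposite ("allow" / "leave ... running") with the same `"N"`. If the modules read these keys in the new sense, the strictest profile would leave root console logins permitted and the sendmail daemon listening, so the values probably want to be `AccountSecurity.rootttylogins="Y"` and `Sendmail.sendmaildaemon="Y"`. The code that consumes these keys is not part of this hunk, so the intended polarity should be confirmed there before changing them. The `Sendmail.sendmaildaemon="N"` line in the preceding config file's hunk carries the same mismatch.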