Attachment #378422 for bug #431232

View | Details | Raw Unified | Return to bug 431232
Collapse All | Expand All

Lines 80-86 Link Here

(-)Bastille.orig/AutomatedBastille (-2 / +2 lines)
80	use Curses::Widgets;	80	use Curses::Widgets;
81		81
82	# Hardcoded List of configurations -- to be replaced by list read from file	82	# Hardcoded List of configurations -- to be replaced by list read from file
83	@list = ("Default_Workstation","Default_Workstation_plus_Firewall","Quit");	83	@list = ("WorkstationLax","WorkstationModerate","WorkstationParanoia","ServerLax","ServerModerate","ServerParanoia","Quit");
84		84
85	$window = new Curses;	85	$window = new Curses;
86		86
Lines 113-119 Link Here
113	endwin;	113	endwin;
114		114
115	unless ($selection == $#list) {	115	unless ($selection == $#list) {
116	$file = $list[$selection];	116	$file = $list[$selection].".config";
117	}	117	}
118	else {	118	else {
119	exit 0;	119	exit 0;

Lines 35-41 Link Here

(-)Bastille.orig/Bastille/Apache.pm (-1 / +1 lines)
35	if ( &getGlobalConfig("Apache","apacheoff") eq "Y" ) {	35	if ( &getGlobalConfig("Apache","apacheoff") eq "Y" ) {
36		36
37	&B_log("ACTION","# sub DeactivateApacheServer\n");	37	&B_log("ACTION","# sub DeactivateApacheServer\n");
38	&B_chkconfig_off ("httpd");	38	&B_chkconfig_off ("apache2");
39		39
40	}	40	}
41	}	41	}

Lines 461-466 Link Here

(-)Bastille.orig/Bastille/API.pm (-1 / +24 lines)
461	}	461	}
462	close(TURBOLINUX_RELEASE);	462	close(TURBOLINUX_RELEASE);
463	}	463	}
		464	elsif ( -e "/etc/gentoo-release") {
		465	$distro="GN"; # Rolling releases in Gentoo
		466	}
464	else {	467	else {
465	# We're either on Mac OS X, HP-UX or an unsupported O/S.	468	# We're either on Mac OS X, HP-UX or an unsupported O/S.
466	if ( -x '/usr/bin/uname') {	469	if ( -x '/usr/bin/uname') {
Lines 567-573 Link Here
567	"SE7.2","SE7.3", "SE8.0","SE8.1","SE9.0","SE9.1",	570	"SE7.2","SE7.3", "SE8.0","SE8.1","SE9.0","SE9.1",
568	"SE9.2","SE9.3","SE10.0",	571	"SE9.2","SE9.3","SE10.0",
569	"SESLES8","SESLES9",	572	"SESLES8","SESLES9",
570	"TB7.0"	573	"TB7.0",
		574	"GN"
571	],	575	],
572		576
573	"HP-UX" => [	577	"HP-UX" => [
Lines 2672-2677 Link Here
2672	}	2676	}
2673		2677
2674	}	2678	}
		2679	elsif (&GetDistro =~ /^GN/) {
		2680	$rcupdate = &getGlobal('BIN', "chkconfig") . " add " . "$startup_script default";
		2681	if (system($rcupdate) == 0) {
		2682	return 1;
		2683	}
		2684	else {
		2685	return 0;
		2686	}
		2687	}
2675		2688
2676	#	2689	#
2677	# Run through the init script looking for the chkconfig line...	2690	# Run through the init script looking for the chkconfig line...
Lines 2847-2852 Link Here
2847	}	2860	}
2848		2861
2849	}	2862	}
		2863	elsif (&GetDistro =~ /^GN/) {
		2864	$rcupdate = &getGlobal('BIN', "chkconfig") . " del $startup_script";
		2865	if (system($rcupdate) == 0)
		2866	{
		2867	return 1;
		2868	}
		2869	else {
		2870	return 0;
		2871	}
		2872	}
2850	else {	2873	else {
2851		2874
2852	# Run through the init script looking for the chkconfig line...	2875	# Run through the init script looking for the chkconfig line...




         "log"               => "/usr/adm",
         "httpd.conf"        => "/var/lib/apache/conf/httpd.conf",
         "httpd_access.conf" => "/var/lib/apache/conf/access.conf"
      },
      "GN" => {
         "chattr"            => "/bin/chattr",
         "floppy"            => "/mnt/floppy",
         "group"             => "/etc/group",
         "httpd.conf"        => "/etc/apache2/httpd.conf",
         "httpd_access.conf" => "/etc/apache2/access.conf",
         "initd"             => "/etc/init.d",
         "rcd"               => "/etc/runlevels",
         "rpm"               => "/usr/bin/rpm"
      }
   );
   foreach my $DISTRO_FILE (keys %{$DISTRO_PATHS{'default'}}) {




    # only do this if the user answered ipchains questions
    if ( &getGlobalConfig($configPrefix,"ip_intro") eq 'Y' ) {

	# Put the init script in place.
	&B_place($virgin_init_script,$firewall_init_script);
	&B_chmod(0500,$firewall_init_script);

	# Put the ipchains script in place.
	&B_place($virgin_ipchains_script,$firewall_ipchains_script);
	&B_chmod(0500,$firewall_ipchains_script);

	    }
	    
	}
	elsif ( &GetDistro =~ /^GN/ && &getGlobalConfig($configPrefix,"ip_enable_firewall") eq 'Y' ) {
	    &B_log("ACTION","# Firewall.pm: enabling firewall with distribution B_chkconfig_on\n");
	    &B_chkconfig_on("bastille-firewall");
	    if ( -x $firewall_init_script ) {
	    	`$firewall_init_script start`;
	    }
	}
    }
    # end of things to do if ipchains was chosen
    if ( &getGlobalConfig($configPrefix,"ip_intro") eq 'N' ) {

Lines 213-219 Link Here

(-)Bastille.orig/Bastille/IOLoader.pm (-1 / +1 lines)
213	# making sure to respect recursively defined macros.	213	# making sure to respect recursively defined macros.
214		214
215	if ($data =~ /\bLINUX\b/) {	215	if ($data =~ /\bLINUX\b/) {
216	my $supported_distros = 'RH MN RHEL RHFC DB SE';	216	my $supported_distros = 'RH MN RHEL RHFC DB SE GN';
217	$data =~ s/\bLINUX\b/$supported_distros/;	217	$data =~ s/\bLINUX\b/$supported_distros/;
218	}	218	}
219	if ($data =~ /\bRH\b/) {	219	if ($data =~ /\bRH\b/) {




	#
        # Also configure the 7th and 8th TTYs for more logging.     

	my $logger, $syslogconf;
	my $var_log_syslog_lines, $var_log_kernel_lines, $var_log_loginlog_lines, $tty_log_lines;

	if (( -e "/etc/runlevels/default/sysklogd" ) || !(&GetDistro =~/^GN.*/))
	{
		$var_log_syslog_lines= <<END_SYSLOG;
# Log warning and errors to the new file /var/log/syslog
*.warn;*.err\t/var/log/syslog

END_SYSLOG

		$var_log_kernel_lines= <<END_KERNEL;
# Log all kernel messages to the new file /var/log/kernel
kern.*\t/var/log/kernel

END_KERNEL

		$var_log_loginlog_lines = <<END_LOGINLOG;
# Log all logins to /var/log/loginlog
auth.*;user.*;daemon.none\t/var/log/loginlog

END_LOGINLOG

		$tty_log_lines= <<END_TTY_LOG;
# Log additional data to the Alt-F7 and Alt-F8 screens (Pseudo TTY 7 and 8)

*.info;mail.none;authpriv.none\t/dev/tty7


END_TTY_LOG

	    my $logger = "syslogd";
	    if ($logging_host) {
		&B_append_line("/etc/syslog.conf","\\\@$logging_host","*.warn;*.err\t\@$logging_host\nauthpriv.*;auth.*\t\@$logging_host\n");
	    }

	}
	elsif ( -e "/etc/runlevels/default/syslog-ng" )
	{
	    $var_log_syslog_lines= <<END_SYSLOG;
# Log warning and errors to the new file /var/log/syslog
destination syslog { file("/var/log/syslog"); };
filter f_syslog { facility(warn, err); };
log { source(src); filter(f_syslog); destination(syslog); };

END_SYSLOG

	    $var_log_kernel_lines= <<END_KERNEL;
# Log all kernel messages to the new file /var/log/kernel
source kernsrc { file("/proc/kmsg"); };
destination kern { file("/var/log/kernel"); };
filter f_kern { facility(kern); };
log { source(kernsrc); filter(f_kern); destination(kern); };

END_KERNEL

	    $var_log_loginlog_lines = <<END_LOGINLOG;
# Log all logins to /var/log/loginlog
destination loginlog { file("/var/log/loginlog"); };
filter f_loginlog { facility(auth, user) and not facility(daemon); };
log { source(src); filter(f_loginlog); destination(loginlog); };

END_LOGINLOG

	    $tty_log_lines= <<END_TTY_LOG;
# Log additional data to the Alt-F7 and Alt-F8 screens (Pseudo TTY 7 and 8)

destination tty7 { file("/dev/tty7"); };
destination tty8 { file("/dev/tty8"); };
filter f_info { level(info) and not facility(mail, authpriv); };
filter f_authpriv { facility(authpriv); };
filter f_warnerr { level(warn, err); };
filter f_mail { facility(mail); };
log { source(src); filter(f_info); destination(tty7); };
log { source(src); filter(f_authpriv); destination(tty7); };
log { source(src); filter(f_warnerr); destination(tty7); };
log { source(kernsrc); filter(f_kern); destination(tty7); };
log { source(src); filter(f_mail); destination(tty8); };

END_TTY_LOG

	    $logger = "syslog-ng";
	    $syslogconf = "/etc/syslog-ng/syslog-ng.conf";
      }
      elsif ( -e "/etc/runlevels/default/metalog" )
      {
	    $var_log_syslog_lines= <<END_SYSLOG;
# Log warning and errors to the new directory /var/log/syslog
Syslog :

  facility = "warn"
  facility = "err"
  logdir = "/var/log/syslog"

END_SYSLOG
	    # $var_log_kernel_lines is included in metalog default on Gentoo systems.

	    $var_log_loginlog_lines = <<END_LOGINLOG;
# Log all logins to /var/log/loginlog
Loginlog :
  facility = "auth"
  facility = "user"
  logdir = "/var/log/loginlog"

END_LOGINLOG

	    $tty_log_lines= <<END_TTY_LOG;
# Log additional data to the Alt-F7 and Alt-F8 screens (Pseudo TTY 7 and 8)

# BASTILLE TODO: Scripts need to be used to run output to different TTYs.
END_TTY_LOG
	    $logger = "metalog";
	    $syslogconf = "/etc/metalog.conf";
	}

	&B_append_line($syslogconf,"ADDITIONS","############ BASTILLE ADDITIONS BELOW : ################# \n");

	&B_append_line($syslogconf,'\/var\/log\/syslog',$var_log_syslog_lines);
	&B_append_line($syslogconf,'\/var\/log\/kernel',$var_log_kernel_lines);
	&B_append_line($syslogconf,'\/var\/log\/loginlog',$var_log_loginlog_lines);
	&B_append_line($syslogconf,'\/dev\/tty7',$tty_log_lines);
	&B_append_line($syslogconf,'\/dev\/tty12',"*.*\t/dev/tty12\n");
	&B_append_line($syslogconf,"BASTILLE ADDITIONS CONCLUDED","########## BASTILLE ADDITIONS CONCLUDED : ###############\n");

	# Metalog uses a directory-tree structure.
	if($logger ne "metalog")
	{
	    &B_create_file("/var/log/syslog");
	    &B_create_file("/var/log/kernel");
	    &B_create_file("/var/log/loginlog");
	}

	&B_append_line($syslogconf,"BASTILLE ADDITIONS CONCLUDED","########## BASTILLE ADDITIONS CONCLUDED : ###############\n");

	&B_create_file("/var/log/syslog");
	&B_create_file("/var/log/kernel");
	&B_create_file("/var/log/loginlog");

	#
	# Configure log rotation for the new log files:

   
/var/log/kernel {
    postrotate
	/usr/bin/killall -HUP $logger
    endscript
}
   
/var/log/syslog {
    postrotate
	/usr/bin/killall -HUP $logger
    endscript
}

/var/log/loginlog {
    postrotate
	/usr/bin/killall -HUP $logger
    endscript
}
END_NEW_ROT

	my $logrotated;
	if(&GetDistro =~/^GN.*/)
	{
		$logrotated = "/etc/logrotate.d/$logger";
	}
	else
	{
		$logrotated = "/etc/logrotate.d/syslog";
	}

	# Metalog rotates on its own.
	if($logger ne "metalog")
	{
	        &B_append_line($logrotated,'\bloginlog\b',$rotation_lines);
	}
    
   }
}




#!/sbin/runscript
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2         
# $Header: /var/cvsroot/gentoo-x86/app-admin/bastille/files/bastille-3.0.2-firewall.init,v 1.1 2005/07/31 05:21:10 battousai Exp $

opts="start stop"
BASTILLEPREFIX="/usr/share/Bastille"

depend() {
        need logger
}

start() {
	# "Borrowed" from the original bastille-firewall init script ((c) P. Watkins)
	REALSCRIPT=${BASTILLEPREFIX}/bastille-ipchains
	if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then
	        # We are using Linux 2.3 or newer; use the netfilter script if available
	        if [ -x ${BASTILLEPREFIX}/bastille-netfilter ]; then
	                REALSCRIPT=${BASTILLEPREFIX}/bastille-netfilter
	        fi
	fi
	
        ebegin "Starting bastille-firewall"
        $REALSCRIPT start
        eend $? "Failed to start bastille-firewall"
}

stop() {
	# "Borrowed" from the original bastille-firewall init script ((c) P. Watkins)
	REALSCRIPT=${BASTILLEPREFIX}/bastille-ipchains
	if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then
	        # We are using Linux 2.3 or newer; use the netfilter script if available
	        if [ -x ${BASTILLEPREFIX}/bastille-netfilter ]; then
	                REALSCRIPT=${BASTILLEPREFIX}/bastille-netfilter
	        fi
	fi
	
	ebegin "Stopping bastille-firewall"
	$REALSCRIPT stop
	eend $? "Failed to stop bastille-firewall"
}





fi

if [ ! -f ${CONFIG} ]; then
	if [ "$1" == "stop" ]; then
		echo "INFO: called stop without a configuration file. Emergency firewall clear."
		
		# flushing leaves the default input at ${REJECT_METHOD}
		echo -n "resetting default input rules to accept..."
		${IPTABLES} -P INPUT ACCEPT
		echo " done."
		echo -n "resetting default output rule to accept..."
		${IPTABLES} -P OUTPUT ACCEPT
		echo " done."
		#  We disabled forwarding with the /proc interface, but we
		#  reset FORWARD to ACCEPT because that;s the normal default
		echo -n "resetting default forward rule to accept..."
		${IPTABLES} -P FORWARD ACCEPT
		echo " done."
		for chain in INPUT OUTPUT FORWARD ; do
			echo -n "flushing ${chain} rules..."	
			${IPTABLES} -F ${chain}
			echo " done."
		done
		for chain in PREROUTING POSTROUTING ; do
			${IPTABLES} -t nat -F ${chain}
		done
		${IPTABLES} -t mangle -F PREROUTING
		# flush and delete the user-defined chains
		echo -n "removing user-defined chains..."
		for chain in PUB_IN PUB_OUT INT_IN INT_OUT PAROLE ; do
			${IPTABLES} -F ${chain}
			${IPTABLES} -X ${chain}
		done
		echo " done."
		exit 0
	else
		echo "ERROR: unable to read configuration file \"${CONFIG}\""
		exit 1
	fi
fi

# source the configuration file, which will set environment variables




#!/bin/sh

umask 077
RPM_BUILD_ROOT=""

eval `perl -V:version`
PERLVERSION=${version}

mkdir -p ${DESTDIR}/usr/sbin
mkdir -p ${DESTDIR}/usr/lib/perl5/vendor_perl/${PERLVERSION}/Curses
mkdir -p ${DESTDIR}/usr/lib/Bastille
mkdir -p ${DESTDIR}/usr/share/Bastille
mkdir -p ${DESTDIR}/usr/share/Bastille/OSMap
mkdir -p ${DESTDIR}/usr/share/Bastille/Questions
mkdir -p ${DESTDIR}/usr/share/Bastille/FKL/configs/
mkdir -p ${DESTDIR}/var/lock/subsys/bastille
 
cp AutomatedBastille ${DESTDIR}/usr/sbin/
cp BastilleBackEnd ${DESTDIR}/usr/sbin
cp Bastille_Curses.pm ${DESTDIR}/usr/lib/perl5/vendor_perl/${PERLVERSION}
cp Bastille_Tk.pm ${DESTDIR}/usr/lib/perl5/vendor_perl/${PERLVERSION}
cp Curses/Widgets.pm ${DESTDIR}/usr/lib/perl5/vendor_perl/${PERLVERSION}/Curses
cp InteractiveBastille ${DESTDIR}/usr/sbin
# Questions.txt has been replaced by Modules.txt and Questions/
#cp Questions.txt ${DESTDIR}/usr/share/Bastille
cp Modules.txt ${DESTDIR}/usr/share/Bastille
# New Weights file(s).
cp Weights.txt ${DESTDIR}/usr/share/Bastille
# Castle graphic
cp bastille.jpg ${DESTDIR}/usr/share/Bastille/
# Javascript file
cp wz_tooltip.js ${DESTDIR}/usr/share/Bastille/
cp Credits ${DESTDIR}/usr/share/Bastille
cp FKL/configs/fkl_config_redhat.cfg ${DESTDIR}/usr/share/Bastille/FKL/configs/

cp RevertBastille ${DESTDIR}/usr/sbin
ln -s ${DESTDIR}/usr/sbin/RevertBastille ${DESTDIR}/usr/sbin/UndoBastille
cp bin/bastille ${DESTDIR}/usr/sbin
chmod +x ${DESTDIR}/usr/sbin/RevertBastille
cp bastille-firewall ${DESTDIR}/usr/share/Bastille
cp bastille-firewall-reset ${DESTDIR}/usr/share/Bastille
cp bastille-firewall-schedule ${DESTDIR}/usr/share/Bastille
cp bastille-tmpdir-defense.sh ${DESTDIR}/usr/share/Bastille
cp bastille-tmpdir.csh ${DESTDIR}/usr/share/Bastille
cp bastille-tmpdir.sh ${DESTDIR}/usr/share/Bastille
cp bastille-firewall.cfg ${DESTDIR}/usr/share/Bastille
cp bastille-ipchains ${DESTDIR}/usr/share/Bastille
cp bastille-netfilter ${DESTDIR}/usr/share/Bastille
cp bastille-firewall-early.sh ${DESTDIR}/usr/share/Bastille
cp bastille-firewall-pre-audit.sh ${DESTDIR}/usr/share/Bastille
cp complete.xbm ${DESTDIR}/usr/share/Bastille
cp incomplete.xbm ${DESTDIR}/usr/share/Bastille
cp ifup-local ${DESTDIR}/usr/share/Bastille


cp hosts.allow ${DESTDIR}/usr/share/Bastille
cp Bastille/AccountSecurity.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/Apache.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/API.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/BootSecurity.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/ConfigureMiscPAM.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/DisableUserTools.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/DNS.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/FilePermissions.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/FTP.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/Firewall.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/HP_API.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/OSX_API.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/LogAPI.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/HP_UX.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/IOLoader.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/Patches.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/Logging.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/MiscellaneousDaemons.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/PatchDownload.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/Printing.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/PSAD.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/RemoteAccess.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/SecureInetd.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/Sendmail.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/TMPDIR.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/test_AccountSecurity.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/test_Apache.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/test_DNS.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/test_FTP.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/test_HP_UX.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/test_MiscellaneousDaemons.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/test_SecureInetd.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/test_Sendmail.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/test_BootSecurity.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/test_DisableUserTools.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/test_FilePermissions.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/test_Logging.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/test_Printing.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/TestAPI.pm ${DESTDIR}/usr/lib/Bastille
cp Bastille/IPFilter.pm ${DESTDIR}/usr/lib/Bastille



cp OSMap/LINUX.bastille ${DESTDIR}/usr/share/Bastille/OSMap
cp OSMap/LINUX.system ${DESTDIR}/usr/share/Bastille/OSMap
cp OSMap/HP-UX.bastille ${DESTDIR}/usr/share/Bastille/OSMap
cp OSMap/HP-UX.system ${DESTDIR}/usr/share/Bastille/OSMap
cp OSMap/HP-UX.service ${DESTDIR}/usr/share/Bastille/OSMap
cp OSMap/OSX.bastille ${DESTDIR}/usr/share/Bastille/OSMap
cp OSMap/OSX.system ${DESTDIR}/usr/share/Bastille/OSMap

for file in `cat Modules.txt` ; do
   cp Questions/$file.txt ${DESTDIR}/usr/share/Bastille/Questions
done




    }
}

my $interface_available = 0;
for my $interface_module ("Curses", "Tk") {
   eval "use $interface_module";        
   if ($@) {                    
	 &B_log("ERROR","Could not load the '${interface_module}.pm' interface module." .
	       "This may be due to an invalid \$DISPLAY setting,".
	       "or the module not being visible to Perl.\n\n");
	 if ( ( $interface_available == 1 ) && ( $interface_module eq "Tk" ) )
	 {
	    $Interface = "Curses";
	 }
   }
   else
   {
        $interface_available = 1;
   }
}

if ( $interface_available == 0 )
{
    &B_log("ERROR","No suitable interface module found.\n");
    exit 1;
}

# KLUDGE: Load the stub...




bin,XFree86,'/usr/X11R6/bin/XFree86'
bin,XFree86,'/usr/bin/Xorg',GN
bin,Xwrapper,'/usr/X11R6/bin/Xwrapper'

bin,accton,'/usr/sbin/accton'

bin,bash,'/bin/bash'
bin,cardctl,'/sbin/cardctl'
bin,chattr,'/usr/bin/chattr'
bin,chattr,'/bin/chattr',GN
bin,chgrp,'/bin/chgrp'
bin,chkconfig,'/sbin/chkconfig'
bin,chkconfig,'/sbin/rc-update',GN
bin,chmod,'/bin/chmod'
bin,chown,'/bin/chown'
bin,cksum,'/usr/bin/cksum'

bin,diff,'/usr/bin/diff'
bin,dos,'/usr/bin/dos'
bin,dump,'/sbin/dump'
bin,dump,'/usr/sbin/dump',GN
bin,echo,'/bin/echo'
bin,grep,'/bin/grep'
bin,grep,'/usr/bin/grep',SE

bin,named-xfer,'/usr/sbin/named-xfer'
bin,ping,'/bin/ping'
bin,ping6,'/usr/sbin/ping6',RH7.0,RH7.1,RH7.2,RH7.3,RH8.0,RH9,RHEL2
bin,ping6,'/bin/ping6',DB,RHEL3,RHFC1,RHFC2,RHFC3,RHFC4,RHFC5,SE9.1,SE9.2,SE9.3,SE10.0,SESLES9,GN
bin,ping6,'/usr/bin/ping6',MN9.2,MN10.0,MN10.1,MN2006.0
bin,ps,'/bin/ps'
bin,rcp,'/usr/bin/rcp'
bin,rdist,'/usr/bin/rdist'
bin,restore,'/sbin/restore'
bin,restore,'/usr/sbin/restore',GN
bin,rexec,'/usr/bin/rexec'
bin,rexecd,'/usr/sbin/in.rexecd'
bin,rlogin,'/usr/bin/rlogin'

bin,rm,'/bin/rm'
bin,rmdir,'/bin/rmdir'
bin,rpm,'/bin/rpm'
bin,rpm,'/usr/bin/rpm',GN
bin,rsh,'/usr/bin/rsh'
bin,rcp,'/usr/bin/rcp'
bin,rshd,'/usr/sbin/in.rshd'

bin,startinnfeed,'/usr/bin/startinnfeed'
bin,sulogin,'/sbin/sulogin'
bin,touch,'/bin/touch'
bin,touch,'/usr/bin/touch',GN
bin,traceroute,'/usr/sbin/traceroute'
bin,traceroute,'/usr/bin/traceroute',GN

bin,traceroute6,'/bin/traceroute6'
bin,traceroute6,'/usr/sbin/traceroute6',RH7.0,RH7.1,RH7.2,RH7.3,RH8.0,RH9,RHEL2,MN9.2,MN10.0,MN10.1,MN2006.0,GN
bin,traceroute6,'/usr/bin/traceroute6',DB

bin,umount,'/bin/umount'

dir,home,'/home'

dir,initd,'/etc/rc.d/init.d'
dir,initd,'/etc/init.d',DB,SE,SLES,GN

dir,log,'/var/log'
dir,pamd,'/etc/pam.d'

dir,rcd,'/etc/rc.d'
dir,rcd,'/etc',DB
dir,rcd,'/etc/runlevels',GN

dir,sbin,'/sbin'
dir,xinetd.d,'/etc/xinetd.d'

file,chkconfig_apmd,'/etc/rc.d/rc3.d/S26apmd'
file,chkconfig_apmd,'/etc/rc3.d/S26apmd',DB
file,chkconfig_apmd,'/etc/rc.config',SE
file,chkconfig_apmd,'/etc/runlevels/default/apmd',GN
file,initd_apmd,'/etc/init.d/apmd'

file,initd_acpid,'/etc/init.d/acpid'

file,chkconfig_dhcpd,'/etc/rc.d/rc3.d/S65dhcpd'
file,chkconfig_dhcpd,'/etc/rc3.d/S65dhcpd',DB
file,chkconfig_dhcpd,'/etc/rc.config',SE
file,chkconfig_dhcpd,'/etc/runlevels/default/dhcpd',GN
file,initd_dhcpd,'/etc/init.d/dhcpd'

file,chkconfig_gated,'/etc/rc.d/rc3.d/S32gated'
file,chkconfig_gated,'/etc/rc3.d/S32gated',DB
file,chkconfig_gated,'/etc/runlevels/default/gated',GN
file,initd_gated,'/etc/init.d/gated'

file,chkconfig_gpm,'/etc/rc.d/rc3.d/S85gpm'
file,chkconfig_gpm,'/etc/rc3.d/S20gpm',DB
file,chkconfig_gpm,'/etc/rc.config',SE
file,chkconfig_gpm,'/etc/runlevels/default/gpm',GN
file,initd_gpm,'/etc/init.d/gpm'

file,chkconfig_httpd,'/etc/rc.d/rc3.d/S85httpd'
file,chkconfig_httpd,'/etc/rc3.d/S91httpd',DB
file,chkconfig_httpd,'/etc/runlevels/default/apache2',GN
file,initd_httpd,'/etc/init.d/httpd'
file,initd_httpd2,'/etc/init.d/httpd2'
file,initd_httpd,'/etc/init.d/apache2',GN
file,initd_httpd2,'/etc/init.d/apache2',GN

file,chkconfig_innd,'/etc/rc.d/rc3.d/S95innd'
file,chkconfig_innd,'/etc/rc3.d/S95innd',DB
file,chkconfig_innd,'/etc/runlevels/default/innd',GN
file,initd_innd,'/etc/init.d/innd'

file,chkconfig_kudzu,'/etc/init.d/kudzu'


file,chkconfig_named,'/etc/rc.d/rc3.d/S55named'
file,chkconfig_named,'/etc/rc3.d/S15named',DB
file,chkconfig_named,'/etc/runlevels/default/named',GN
file,initd_named,'/etc/init.d/named'

file,chkconfig_nfs,'/etc/rc.d/rc3.d/S60nfs'

file,chkconfig_pcmcia,'/etc/rc.d/rc3.d/S45pcmcia'
file,chkconfig_pcmcia,'/etc/rc3.d/S45pcmcia',DB
file,chkconfig_pcmcia,'/etc/rc.config',SE
file,chkconfig_pcmcia,'/etc/runlevels/default/pcmcia',GN
file,initd_pcmcia,'/etc/init.d/pcmcia'

file,initd_mDNSResponder,'/etc/init.d/mDNSResponder'


file,chkconfig_routed,'/etc/rc.d/rc3.d/S55gated'
file,chkconfig_routed,'/etc/rc3.d/S55gated',DB
file,chkconfig_routed,'/etc/runlevels/default/gated',GN
file,initd_routed,'/etc/init.d/routed'

file,chkconfig_snmpd,'/etc/rc.d/rc3.d/S50snmpd'

file,shadow,'/etc/shadow'

file,grub.conf,'/etc/grub.conf'
file,grub.conf,'/boot/grub/grub.conf',RH9,RHEL,RHFC,GN
file,grub.conf,'/boot/grub/menu.lst',SE,MN
file,hosts.allow,'/etc/hosts.allow'
file,hosts.deny,'/etc/hosts.deny'

file,httpd,'/usr/sbin/httpd'
file,httpd,'/usr/sbin/apache',DB
file,httpd,'/usr/sbin/apache2',GN

file,httpd2,'/usr/sbin/httpd2'
file,httpd2,'/usr/sbin/apache2',GN

file,httpd.conf,'/etc/httpd/conf/httpd.conf'
file,httpd.conf,'/etc/apache/httpd.conf',DB
file,httpd.conf,'/etc/httpd/httpd.conf',SE7.2 SE7.3 SE8.0
file,httpd.conf,'/etc/apache2/httpd.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES,GN
file,httpd.conf,'/etc/httpd/conf/httpd2.conf',MN10.1
# SuSE breaks httpd.conf into many files after 8.
file,listen.conf,'/etc/apache2/listen.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES

file,httpd_access.conf,'/etc/httpd/httpd.conf',SE7.2 SE7.3 SE8.0
file,httpd_access.conf,'/etc/apache2/httpd.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES
file,httpd_access.conf,'/etc/httpd/conf/commonhttpd.conf',MN10.1
file,httpd_access.conf,'/etc/apache2/access.conf',GN

file,inetd.conf,'/etc/inetd.conf'
file,inittab,'/etc/inittab'




PROPER_PARENT: namedoff

LABEL: apacheoff
SHORT_EXP: "Will you be using the Apache2 web server immediately? Again,
minimalism is a critical part of a good site security.  If you don't
need to run a web server, at least not right now, you should deactivate it.
You can restart the web server later by typing:

      /sbin/rc-update add apache2 default
"
QUESTION: "Would you like to deactivate the Apache2 web server? [Y]"
QUESTION_AUDIT: "Is the Apache Web server deactivated?"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP: "Even though you've deactivated the Apache2 web server, there are
still a few more questions related to it.  It's good to take the precautions in
the next steps even if you've turned off the web server, since it might get
turned on again later."

Lines 15-21 Link Here

(-)Bastille.orig/Questions/BootSecurity.txt (-1 / +5 lines)
15	purpose lab and dual boots, you probably shouldn't choose this option.	15	purpose lab and dual boots, you probably shouldn't choose this option.
16		16
17	Otherwise, this is strongly recommended for general use workstations and	17	Otherwise, this is strongly recommended for general use workstations and
18	servers which are not locked away in their own room."	18	servers which are not locked away in their own room.
		19
		20	WARNING: If you are currently managing the GRUB prompt manually OR through
		21	another program, and wish to maintain your current settings, please select
		22	NO for this prompt."
19	QUESTION: "Would you like to password-protect the GRUB prompt? [N]"	23	QUESTION: "Would you like to password-protect the GRUB prompt? [N]"
20	QUESTION_AUDIT: "Is the GRUB prompt password-protected?"	24	QUESTION_AUDIT: "Is the GRUB prompt password-protected?"
21	REQUIRE_DISTRO: LINUX DB SE TB	25	REQUIRE_DISTRO: LINUX DB SE TB

Lines 88-94 Link Here

(-)Bastille.orig/Questions/DNS.txt (-1 / +1 lines)
88		88
89	Even if you plan on setting up a name server on this machine, you should	89	Even if you plan on setting up a name server on this machine, you should
90	deactivate it for now until you get the configuration files setup. You	90	deactivate it for now until you get the configuration files setup. You
91	can reactivate it then by typing, as root: /sbin/chkconfig named on "	91	can reactivate it then by typing, as root: /sbin/rc-update add named default "
92	QUESTION: "Would you like to deactivate named, at least for now? [Y]"	92	QUESTION: "Would you like to deactivate named, at least for now? [Y]"
93	QUESTION_AUDIT: "Is named deactivated?"	93	QUESTION_AUDIT: "Is named deactivated?"
94	REQUIRE_DISTRO: LINUX	94	REQUIRE_DISTRO: LINUX

Lines 17-23 Link Here

(-)Bastille.orig/Questions/FilePermissions.txt (-1 / +1 lines)
17	QUESTION: "Would you like to set more restrictive permissions on the	17	QUESTION: "Would you like to set more restrictive permissions on the
18	administration utilities? [N]"	18	administration utilities? [N]"
19	QUESTION_AUDIT: "Are more restrictive permissions on the administration utilities set?"	19	QUESTION_AUDIT: "Are more restrictive permissions on the administration utilities set?"
20	REQUIRE_DISTRO: RH MN DB SE TB	20	REQUIRE_DISTRO: RH MN DB SE TB GN
21	YN_TOGGLE: 1	21	YN_TOGGLE: 1
22	YES_EXP:	22	YES_EXP:
23	NO_EXP:	23	NO_EXP:

Lines 1129-1136 Link Here

(-)Bastille.orig/Questions/Firewall.txt (-2 / +1 lines)
1129		1129
1130	Once you have a configuration that will work on your system, you can make it	1130	Once you have a configuration that will work on your system, you can make it
1131	run at every normal boot-up by typing	1131	run at every normal boot-up by typing
1132	/sbin/chkconfig --add bastille-firewall	1132	/sbin/rc-update add bastille-firewall default
1133	/sbin/chkconfig bastille-firewall reset
1134		1133
1135	If you are confident of your selections, Bastille can start the firewall	1134	If you are confident of your selections, Bastille can start the firewall
1136	and configure it to run at boot time for you.	1135	and configure it to run at boot time for you.




a \"risky\" move."
QUESTION: "Would you like to add additional logging? [Y]"
QUESTION_AUDIT: "Has additional logging been added?"
REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB GN
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"

SHORT_EXP: "If you already have a remote logging host, we can set this
machine to log to it."
QUESTION: "Do you have a remote logging host? [N]"
REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB GN
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"

      poisoning attacks on logging.  You may use a hostname, but it should be
      added to your /etc/hosts file..."
QUESTION: "What is the IP address of the machine you want to log to? [127.0.0.1]"
REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB GN
DEFAULT_ANSWER: 127.0.0.1
YN_TOGGLE: 0
YES_CHILD: pacct





 # /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm

 # /sbin/rc-update add lpd default

This is only recommended if this machine will not be used for printing
in the near future.  If you deactivate this, you might want to write
down the commands above in case you decide to re-enable printing later."
QUESTION: "Would you like to disable LPR/LPRng printing? [N]"
QUESTION_AUDIT: "Is printing disabled?"
REQUIRE_DISTRO: LINUX
DEFAULT_ANSWER: N

 # /bin/chmod 0755 /usr/bin/lpr /usr/bin/lprm /usr/bin/lpstat
 # /bin/chmod 04755 /usr/bin/lppasswd

 # /sbin/rc-update add cups default

This is only recommended if this machine will not be used for printing
in the near future.  If you deactivate this, you might want to write
down the commands above in case you decide to re-enable printing later."
QUESTION: "Would you like to disable CUPS printing? [N]"
QUESTION_AUDIT: "Is printing disabled?"
REQUIRE_DISTRO: LINUX
DEFAULT_ANSWER: N

Lines 259-265 Link Here

(-)Bastille.orig/Questions/PSAD.txt (-1 / +1 lines)
259	/etc/rc.d/init.d/psad stop	259	/etc/rc.d/init.d/psad stop
260		260
261	Bastille can configure your system to start psad at boot time by executing	261	Bastille can configure your system to start psad at boot time by executing
262	chkconfig psad on."	262	/sbin/rc-update add psad default "
263	QUESTION: "Should Bastille enable psad at boot time? [N]"	263	QUESTION: "Should Bastille enable psad at boot time? [N]"
264	REQUIRE_DISTRO: LINUX	264	REQUIRE_DISTRO: LINUX
265	YN_TOGGLE: 1	265	YN_TOGGLE: 1





Even if you plan on setting up a name server on this machine, you should
deactivate it for now until you get the configuration files setup.   You
can reactivate it then by typing, as root:     /sbin/rc-update add named default  "
QUESTION: "Would you like to deactivate named, at least for now? [Y]"
REQUIRE_DISTRO: LINUX
REQUIRE_FILE_EXISTS: chkconfig_named

need to run a web server, at least not right now, you should deactivate it.
You can restart the web server later by typing:

      /sbin/rc-update add apache2 default
"
QUESTION: "Would you like to deactivate the Apache2 web server? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_httpd
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP: "Even though you've deactivated the Apache2 web server, there are
still a few more questions related to it.  It's good to take the precautions in
the next steps even if you've turned off the web server, since it might get
turned on again later."


 # /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm

 # /sbin/rc-update add lpd default

This is only recommended if this machine will not be used for printing
in the near future.  If you deactivate this, you might want to write

 # /bin/chmod 0755 /usr/bin/lpr /usr/bin/lprm /usr/bin/lpstat
 # /bin/chmod 04755 /usr/bin/lppasswd

 # /sbin/rc-update add cups default

This is only recommended if this machine will not be used for printing
in the near future.  If you deactivate this, you might want to write


 Once you have a configuration that will work on your system, you can make it
 run at every normal boot-up by typing
     /sbin/rc-update add bastille-firewall default
     /sbin/chkconfig bastille-firewall reset

If you are confident of your selections, Bastille can start the firewall
and configure it to run at boot time for you.




# Q:  Would you like to restrict the use of cron to administrative accounts? [Y]
IPChains.ip_intro="N"
# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
FilePermissions.generalperms_1.1="N"
# Q: What security level should we set? [3]
FilePermissions.security_level="2"
# Q: Would you like us to modify your file permissions?
FilePermissions.generalperms_1.2_mandrake="Y"
# Q: Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="N"
# Q: Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="N"
# Q: Would you like to disable SUID status for dump and restore? [Y]
FilePermissions.suiddump="Y"
# Q: Would you like to disable SUID status for cardctl? [Y]
FilePermissions.suidcard="Y"
# Q: Would you like to disable SUID status for at? [Y]
FilePermissions.suidat="N"
# Q: Would you like to disable SUID status for DOSEMU? [Y]
FilePermissions.suiddos="Y"
# Q: Would you like to disable SUID status for news server tools? [Y]
FilePermissions.suidnews="Y"
# Q: Would you like to disable SUID status for printing utilities? [N]
FilePermissions.suidprint="N"
# Q: Would you like to disable SUID status for the r-tools? [Y]
FilePermissions.suidrtool="N"
# Q: Would you like to disable SUID status for usernetctl? [Y]
FilePermissions.suidusernetctl="N"
# Q: Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="N"
# Q: Would you like to set up a second UID 0 account? [N]
AccountSecurity.secondadmin="N"
# Q: May we take strong steps to disallow the dangerous r-protocols? [Y]
AccountSecurity.protectrhost="N"
# Q: Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q: Would you like to create a non-root user account? [N]
AccountSecurity.createuser="N"
# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
AccountSecurity.cronuser="N"
# Q:  Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q:  Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
AccountSecurity.protectrhost="N"
# Q:  Should we disallow root login on tty's 1-6? [N]
AccountSecurity.rootttylogins="Y"
# Q:  Would you like to disable indexes? [N]
Apache.apacheindex="N"
# Q:  Would you like to deactivate the Apache2 web server? [Y]
Apache.apacheoff="Y"
# Q:  Would you like to bind the Web server to listen only to the localhost? [N]
Apache.bindapachelocal="N"
# Q:  Would you like to bind the web server to a particular interface? [N]
Apache.bindapachenic="N"
# Q:  Would you like to disable CGI scripts, at least for now? [Y]
Apache.cgi="N"
# Q:  Would you like to deactivate server-side includes? [Y]
Apache.ssi="Y"
# Q:  Would you like to deactivate the following of symbolic links? [Y]
Apache.symlink="N"
# Q:  Would you like to reduce the LILO delay time to zero? [N]
BootSecurity.lilodelay="N"
# Q:  Do you ever boot Linux from the hard drive? [Y]
BootSecurity.lilosub_drive="N"
# Q:  Would you like to write the LILO changes to a boot floppy? [N]
BootSecurity.lilosub_floppy="N"
# Q:  Would you like to password protect single-user mode? [Y]
BootSecurity.secureinittab="N"
# Q: Would you like to password protect single-user mode? [Y]
BootSecurity.passsum="Y"
# Q:  Would you like to password-protect the LILO prompt? [N]
BootSecurity.protectlilo="N"
# Q:  Would you like to disable CTRL-ALT-DELETE rebooting? [N]
BootSecurity.secureinittab="N"
# Q:  Should we restrict console access to a small group of user accounts? [N]
SecureInetd.deactivate_telnet="Y"
# Q: May we deactivate ftp? [Y]
SecureInetd.deactivate_ftp="N"
# Q: Would you like to make "Authorized Use" banners? [Y]
SecureInetd.banners="Y"
# Q: Would you like to disable the compiler? [N]
DisableUserTools.compiler="N"
# Q: Would you like to put limits on system resource usage? [Y]
ConfigureMiscPAM.limitsconf="N"
# Q: Should we restrict console access to a small group of user accounts? [N]
ConfigureMiscPAM.consolelogin="N"
# Q:  Would you like to put limits on system resource usage? [N]
ConfigureMiscPAM.limitsconf="N"
# Q:  Would you like to chroot named and set it to run as a non-root user? [N]
DNS.chrootbind="N"
# Q:  Would you like to deactivate named, at least for now? [Y]
DNS.namedoff="Y"
# Q:  Would you like to disable the gcc and/or g++ compiler? [N]
DisableUserTools.compiler="N"
# Q:  Would you like to disable anonymous download? [N]
FTP.anonftp="N"
# Q:  Would you like to disable user privileges on the FTP daemon? [N]
FTP.userftp="N"
# Q:  Would you like to disable SUID status for XFree86? [N]
FilePermissions.suidXFree86="N"
# Q:  Would you like to disable SUID status for at? [Y]
FilePermissions.suidat="N"
# Q:  Would you like to disable SUID status for cardctl? [Y]
FilePermissions.suidcard="Y"
# Q:  Would you like to disable SUID status for DOSEMU? [Y]
FilePermissions.suiddos="Y"
# Q:  Would you like to disable SUID status for dump and restore? [Y]
FilePermissions.suiddump="Y"
# Q:  Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="N"
# Q:  Would you like to disable SUID status for news server tools? [Y]
FilePermissions.suidnews="Y"
# Q:  Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="N"
# Q:  Would you like to disable SUID status for printing utilities? [N]
FilePermissions.suidprint="N"
# Q:  Would you like to disable the r-tools? [Y]
FilePermissions.suidrtool="N"
# Q:  Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="N"
# Q:  Would you like to disable SUID status for usernetctl? [Y]
FilePermissions.suidusernetctl="N"
# Q:  Would you like to run the packet filtering script? [N]
Firewall.ip_intro="N"
# Q:  Would you like to add additional logging? [Y]
Logging.morelogging="Y"
# Q:  Would you like to set up process accounting? [N]
Logging.remotelog="N"
# Q: Would you like to set up process accounting? [N]
Logging.pacct="N"
# Q:  Would you like to disable acpid and/or apmd? [Y]
Logging.security_checks="Y"
# Q: Would you like to disable apmd? [Y]
MiscellaneousDaemons.apmd="Y"
# Q:  Would you like to disable the DHCP daemon? [Y]
MiscellaneousDaemons.remotefs="Y"
# Q: Would you like to disable PCMCIA services? [Y]
MiscellaneousDaemons.pcmcia="Y"
# Q: Would you like to disable the DHCP daemon? [Y]
MiscellaneousDaemons.dhcpd="Y"
# Q:  Would you like to disable GPM? [Y]
MiscellaneousDaemons.gpm="N"
# Q:  Would you like to disable the news server daemon? [Y]
MiscellaneousDaemons.innd="Y"
# Q:  Would you like to disable PCMCIA services? [Y]
MiscellaneousDaemons.pcmcia="Y"
# Q:  Would you like to deactivate NFS and Samba? [Y]
MiscellaneousDaemons.remotefs="Y"
# Q:  Would you like to disable SNMPD? [Y]
MiscellaneousDaemons.snmpd="Y"
# Q:  Would you like to disable LPR/LPRng printing? [N]
Printing.printing="N"
# Q:  Would you like to disable CUPS printing? [N]
Printing.printing_cups="N"
# Q:  Would you like to display "Authorized Use" messages at log-in time? [Y]
SecureInetd.banners="Y"
# Q:  Should Bastille ensure inetd's FTP service does not run on this system? [y]
SecureInetd.deactivate_ftp="N"
# Q:  Should Bastille ensure the telnet service does not run on this system? [y]
SecureInetd.deactivate_telnet="Y"
# Q:  Who is responsible for granting authorization to use this machine?
SecureInetd.owner="its owner"
# Q:  Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
SecureInetd.tcpd_default_deny="N"
# Q:  Would you like to run sendmail via cron to process the queue? [N]
Sendmail.sendmailcron="Y"
# Q:  Do you want to stop sendmail from running in daemon mode? [Y]
Sendmail.sendmaildaemon="N"
# Q:  Would you like to disable the VRFY and EXPN sendmail commands? [Y]
Sendmail.vrfyexpn="Y"
# Q:  Would you like to install TMPDIR/TMP scripts? [N]
RemoteAccess.installssh="N"
# Q: Would you like to chroot named and set it to run as a non-root user? [N]
DNS.chrootbind="N"
# Q: Would you like to deactivate named, at least for now? [Y]
DNS.namedoff="Y"
# Q: Would you like to deactivate the Apache web server? [Y]
Apache.apacheoff="Y"
# Q: Would you like to bind the web server to listen only to the localhost? [N]
Apache.bindapachelocal="N"
# Q: Would you like to bind the web server to a particular interface? [N]
Apache.bindapachenic="N"
# Q: Would you like to deactivate the following of symbolic links? [Y]
Apache.symlink="N"
# Q: Would you like to deactivate server-side includes? [Y]
Apache.ssi="Y"
# Q: Would you like to disable CGI scripts, at least for now? [Y]
Apache.cgi="N"
# Q: Would you like to disable indexes? [N]
Apache.apacheindex="N"
# Q: Would you like to disable printing? [N]
Printing.printing="N"
# Q: Would you like to disable user privileges on the FTP daemon? [N]
FTP.userftp="N"
# Q: Would you like to disable anonymous download? [N]
FTP.anonftp="N"
# Q: Would you like to install TMPDIR/TMP scripts? [N]
TMPDIR.tmpdir="N"




# Q:  Would you like to restrict the use of cron to administrative accounts? [Y]
IPChains.ip_intro="Y"
# Q: 
IPChains.ip_detail_level_kludge="Y"
# Q: Do you need the advanced networking options?
IPChains.ip_advnetwork="N"
# Q: DNS Servers: [0.0.0.0/0]
IPChains.ip_b_dns="0.0.0.0/0"
# Q: 
IPChains.ip_b_trustiface="lo"
# Q: Public interfaces: [eth+ ppp+ slip+]
IPChains.ip_b_publiciface="eth+ ppp+ slip+"
# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# Q: UDP services to audit: [31337]
IPChains.ip_b_udpaudit="31337"
# Q: TCP service names or port numbers to allow on public interfaces: [ ]
IPChains.ip_b_publictcp="ssh"
# Q: Force passive mode? [N]
IPChains.ip_b_passiveftp="N"
# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
IPChains.ip_b_tcpblock="2049 2065:2090 7100"
# Q: UDP services to block: [2049 6770]
IPChains.ip_b_udpblock="2049 6770"
# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-request"
# Q: Enable source address verification? [Y]
IPChains.ip_b_srcaddr="Y"
# Q: Reject method: [DENY]
IPChains.ip_b_rejectmethod="REJECT"
# Q: Interfaces for DHCP queries: [ ]
IPChains.ip_b_dhcpiface="eth+ ppp+"
# Q: NTP servers to query: [ ]
IPChains.ip_b_ntpsrv="eth+ ppp+"
# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
FilePermissions.generalperms_1.1="N"
# Q: What security level should we set? [3]
FilePermissions.security_level="3"
# Q: Would you like us to modify your file permissions?
FilePermissions.generalperms_1.2_mandrake="Y"
# Q: Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="N"
# Q: Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="N"
# Q: Would you like to disable SUID status for dump and restore? [Y]
FilePermissions.suiddump="Y"
# Q: Would you like to disable SUID status for cardctl? [Y]
FilePermissions.suidcard="Y"
# Q: Would you like to disable SUID status for at? [Y]
FilePermissions.suidat="N"
# Q: Would you like to disable SUID status for DOSEMU? [Y]
FilePermissions.suiddos="Y"
# Q: Would you like to disable SUID status for news server tools? [Y]
FilePermissions.suidnews="Y"
# Q: Would you like to disable SUID status for printing utilities? [N]
FilePermissions.suidprint="N"
# Q: Would you like to disable SUID status for the r-tools? [Y]
FilePermissions.suidrtool="Y"
# Q: Would you like to disable SUID status for usernetctl? [Y]
FilePermissions.suidusernetctl="N"
# Q: Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="N"
# Q: Would you like to set up a second UID 0 account? [N]
AccountSecurity.secondadmin="N"
# Q: May we take strong steps to disallow the dangerous r-protocols? [Y]
AccountSecurity.protectrhost="Y"
# Q: Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q: Would you like to create a non-root user account? [N]
AccountSecurity.createuser="N"
# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
AccountSecurity.cronuser="N"
# Q:  Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q:  Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
AccountSecurity.protectrhost="Y"
# Q:  Should we disallow root login on tty's 1-6? [N]
AccountSecurity.rootttylogins="Y"
# Q:  Would you like to disable indexes? [N]
Apache.apacheindex="N"
# Q:  Would you like to deactivate the Apache2 web server? [Y]
Apache.apacheoff="Y"
# Q:  Would you like to bind the Web server to listen only to the localhost? [N]
Apache.bindapachelocal="N"
# Q:  Would you like to bind the web server to a particular interface? [N]
Apache.bindapachenic="N"
# Q:  Would you like to disable CGI scripts, at least for now? [Y]
Apache.cgi="Y"
# Q:  Would you like to deactivate server-side includes? [Y]
Apache.ssi="Y"
# Q:  Would you like to deactivate the following of symbolic links? [Y]
Apache.symlink="N"
# Q:  Would you like to reduce the LILO delay time to zero? [N]
BootSecurity.lilodelay="N"
# Q:  Do you ever boot Linux from the hard drive? [Y]
BootSecurity.lilosub_drive="N"
# Q:  Would you like to write the LILO changes to a boot floppy? [N]
BootSecurity.lilosub_floppy="N"
# Q:  Would you like to password protect single-user mode? [Y]
BootSecurity.secureinittab="N"
# Q: Would you like to password protect single-user mode? [Y]
BootSecurity.passsum="Y"
# Q:  Would you like to password-protect the LILO prompt? [N]
BootSecurity.protectlilo="N"
# Q:  Would you like to disable CTRL-ALT-DELETE rebooting? [N]
BootSecurity.secureinittab="N"
# Q:  Should we restrict console access to a small group of user accounts? [N]
SecureInetd.deactivate_telnet="Y"
# Q: May we deactivate ftp? [Y]
SecureInetd.deactivate_ftp="N"
# Q: Would you like to make "Authorized Use" banners? [Y]
SecureInetd.banners="Y"
# Q: Would you like to disable the compiler? [N]
DisableUserTools.compiler="N"
# Q: Would you like to put limits on system resource usage? [Y]
ConfigureMiscPAM.limitsconf="N"
# Q: Should we restrict console access to a small group of user accounts? [N]
ConfigureMiscPAM.consolelogin="N"
# Q:  Would you like to put limits on system resource usage? [N]
ConfigureMiscPAM.limitsconf="N"
# Q:  Would you like to chroot named and set it to run as a non-root user? [N]
DNS.chrootbind="N"
# Q:  Would you like to deactivate named, at least for now? [Y]
DNS.namedoff="Y"
# Q:  Would you like to disable the gcc and/or g++ compiler? [N]
DisableUserTools.compiler="N"
# Q:  Would you like to disable anonymous download? [N]
FTP.anonftp="Y"
# Q:  Would you like to disable user privileges on the FTP daemon? [N]
FTP.userftp="Y"
# Q:  Would you like to disable SUID status for XFree86? [N]
FilePermissions.suidXFree86="N"
# Q:  Would you like to disable SUID status for at? [Y]
FilePermissions.suidat="N"
# Q:  Would you like to disable SUID status for cardctl? [Y]
FilePermissions.suidcard="Y"
# Q:  Would you like to disable SUID status for DOSEMU? [Y]
FilePermissions.suiddos="Y"
# Q:  Would you like to disable SUID status for dump and restore? [Y]
FilePermissions.suiddump="Y"
# Q:  Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="N"
# Q:  Would you like to disable SUID status for news server tools? [Y]
FilePermissions.suidnews="Y"
# Q:  Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="N"
# Q:  Would you like to disable SUID status for printing utilities? [N]
FilePermissions.suidprint="N"
# Q:  Would you like to disable the r-tools? [Y]
FilePermissions.suidrtool="Y"
# Q:  Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="N"
# Q:  Would you like to disable SUID status for usernetctl? [Y]
FilePermissions.suidusernetctl="N"
# Q:  Do you need the advanced networking options?
Firewall.ip_advnetwork="N"
# Q:  Interfaces for DHCP queries: [ ]
Firewall.ip_b_dhcpiface="eth+ ppp+ wlan+ ath+"
# Q:  DNS Servers: [0.0.0.0/0]
Firewall.ip_b_dns="0.0.0.0/0"
# Q:  ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-request"
# Q:  ICMP services to audit: [ ]
Firewall.ip_b_icmpaudit=""
# Q:  ICMP types to disallow outbound: [destination-unreachable time-exceeded]
Firewall.ip_b_icmpout="destination-unreachable time-exceeded"
# Q:  NTP servers to query: [ ]
Firewall.ip_b_ntpsrv=""
# Q:  Force passive mode? [N]
Firewall.ip_b_passiveftp="N"
# Q:  Public interfaces: [eth+ ppp+ slip+]
Firewall.ip_b_publiciface="eth+ ppp+ slip+ wlan+ ath+"
# Q:  TCP service names or port numbers to allow on public interfaces: [ ]
Firewall.ip_b_publictcp="ssh"
# Q:  UDP service names or port numbers to allow on public interfaces: [ ]
Firewall.ip_b_publicudp=""
# Q:  Reject method: [DENY]
Firewall.ip_b_rejectmethod="REJECT"
# Q:  Enable source address verification? [Y]
Firewall.ip_b_srcaddr="Y"
# Q:  TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
Firewall.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# Q:  TCP services to block: [2049 2065:2090 6000:6020 7100]
Firewall.ip_b_tcpblock="2049 2065:2090 7100"
# Q:  UDP services to audit: [31337]
Firewall.ip_b_udpaudit="31337"
# Q:  UDP services to block: [2049 6770]
Firewall.ip_b_udpblock="2049 6770"
# Q:  Should Bastille run the firewall and enable it at boot time? [N]
Firewall.ip_enable_firewall="Y"
# Q:  Would you like to run the packet filtering script? [N]
Firewall.ip_intro="Y"
# Q:  Would you like to add additional logging? [Y]
Logging.morelogging="Y"
# Q:  Would you like to set up process accounting? [N]
Logging.remotelog="N"
# Q: Would you like to set up process accounting? [N]
Logging.pacct="N"
# Q:  Would you like to disable acpid and/or apmd? [Y]
Logging.security_checks="Y"
# Q: Would you like to disable apmd? [Y]
MiscellaneousDaemons.apmd="Y"
# Q:  Would you like to disable the DHCP daemon? [Y]
MiscellaneousDaemons.remotefs="Y"
# Q: Would you like to disable PCMCIA services? [Y]
MiscellaneousDaemons.pcmcia="Y"
# Q: Would you like to disable the DHCP daemon? [Y]
MiscellaneousDaemons.dhcpd="Y"
# Q:  Would you like to disable GPM? [Y]
MiscellaneousDaemons.gpm="Y"
# Q:  Would you like to disable the news server daemon? [Y]
MiscellaneousDaemons.innd="Y"
# Q:  Would you like to disable PCMCIA services? [Y]
MiscellaneousDaemons.pcmcia="Y"
# Q:  Would you like to deactivate NFS and Samba? [Y]
MiscellaneousDaemons.remotefs="Y"
# Q:  Would you like to disable SNMPD? [Y]
MiscellaneousDaemons.snmpd="Y"
# Q:  Would you like to setup psad?
PSAD.psad_config="N"
# Q:  Would you like to disable LPR/LPRng printing? [N]
Printing.printing="N"
# Q:  Would you like to disable CUPS printing? [N]
Printing.printing_cups="N"
# Q:  Would you like to display "Authorized Use" messages at log-in time? [Y]
SecureInetd.banners="Y"
# Q:  Should Bastille ensure inetd's FTP service does not run on this system? [y]
SecureInetd.deactivate_ftp="N"
# Q:  Should Bastille ensure the telnet service does not run on this system? [y]
SecureInetd.deactivate_telnet="Y"
# Q:  Who is responsible for granting authorization to use this machine?
SecureInetd.owner="its owner"
# Q:  Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
SecureInetd.tcpd_default_deny="N"
# Q:  Would you like to run sendmail via cron to process the queue? [N]
Sendmail.sendmailcron="Y"
# Q:  Do you want to stop sendmail from running in daemon mode? [Y]
Sendmail.sendmaildaemon="N"
# Q:  Would you like to disable the VRFY and EXPN sendmail commands? [Y]
Sendmail.vrfyexpn="Y"
# Q:  Would you like to install TMPDIR/TMP scripts? [N]
RemoteAccess.installssh="N"
# Q: Would you like to chroot named and set it to run as a non-root user? [N]
DNS.chrootbind="N"
# Q: Would you like to deactivate named, at least for now? [Y]
DNS.namedoff="Y"
# Q: Would you like to deactivate the Apache web server? [Y]
Apache.apacheoff="Y"
# Q: Would you like to bind the web server to listen only to the localhost? [N]
Apache.bindapachelocal="N"
# Q: Would you like to bind the web server to a particular interface? [N]
Apache.bindapachenic="N"
# Q: Would you like to deactivate the following of symbolic links? [Y]
Apache.symlink="N"
# Q: Would you like to deactivate server-side includes? [Y]
Apache.ssi="Y"
# Q: Would you like to disable CGI scripts, at least for now? [Y]
Apache.cgi="Y"
# Q: Would you like to disable indexes? [N]
Apache.apacheindex="N"
# Q: Would you like to disable printing? [N]
Printing.printing="N"
# Q: Would you like to disable user privileges on the FTP daemon? [N]
FTP.userftp="Y"
# Q: Would you like to disable anonymous download? [N]
FTP.anonftp="Y"
# Q: Would you like to install TMPDIR/TMP scripts? [N]
TMPDIR.tmpdir="N"




# Q:  Would you like to restrict the use of cron to administrative accounts? [Y]
IPChains.ip_intro="Y"
# Q: 
IPChains.ip_detail_level_kludge="Y"
# Q: Do you need the advanced networking options?
IPChains.ip_advnetwork="N"
# Q: DNS Servers: [0.0.0.0/0]
IPChains.ip_b_dns="0.0.0.0/0"
# Q: 
IPChains.ip_b_trustiface="lo"
# Q: Public interfaces: [eth+ ppp+ slip+]
IPChains.ip_b_publiciface="eth+ ppp+ slip+"
# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# Q: UDP services to audit: [31337]
IPChains.ip_b_udpaudit="31337"
# Q: TCP service names or port numbers to allow on public interfaces: [ ]
IPChains.ip_b_publictcp="ssh"
# Q: Force passive mode? [N]
IPChains.ip_b_passiveftp="N"
# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
IPChains.ip_b_tcpblock="2049 2065:2090 6000:6020 7100"
# Q: UDP services to block: [2049 6770]
IPChains.ip_b_udpblock="2049 6770"
# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded"
# Q: Enable source address verification? [Y]
IPChains.ip_b_srcaddr="Y"
# Q: Reject method: [DENY]
IPChains.ip_b_rejectmethod="DENY"
# Q: Interfaces for DHCP queries: [ ]
IPChains.ip_b_dhcpiface="eth+"
# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
IPChains.ip_b_icmpout="destination-unreachable time-exceeded echo-reply"
# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
FilePermissions.generalperms_1.1="N"
# Q: What security level should we set? [3]
FilePermissions.security_level="4"
# Q: Would you like us to modify your file permissions?
FilePermissions.generalperms_1.2_mandrake="Y"
# Q: Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="Y"
# Q: Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="Y"
# Q: Would you like to disable SUID status for dump and restore? [Y]
FilePermissions.suiddump="Y"
# Q: Would you like to disable SUID status for cardctl? [Y]
FilePermissions.suidcard="Y"
# Q: Would you like to disable SUID status for at? [Y]
FilePermissions.suidat="Y"
# Q: Would you like to disable SUID status for DOSEMU? [Y]
FilePermissions.suiddos="Y"
# Q: Would you like to disable SUID status for news server tools? [Y]
FilePermissions.suidnews="Y"
# Q: Would you like to disable SUID status for printing utilities? [N]
FilePermissions.suidprint="N"
# Q: Would you like to disable SUID status for the r-tools? [Y]
FilePermissions.suidrtool="Y"
# Q: Would you like to disable SUID status for usernetctl? [Y]
FilePermissions.suidusernetctl="Y"
# Q: Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="Y"
# Q: Would you like to set up a second UID 0 account? [N]
AccountSecurity.secondadmin="N"
# Q: May we take strong steps to disallow the dangerous r-protocols? [Y]
AccountSecurity.protectrhost="Y"
# Q: Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q: Would you like to create a non-root user account? [N]
AccountSecurity.createuser="N"
# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
AccountSecurity.cronuser="Y"
# Q:  Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q:  Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
AccountSecurity.protectrhost="Y"
# Q:  Should we disallow root login on tty's 1-6? [N]
AccountSecurity.rootttylogins="N"
# Q:  Would you like to disable indexes? [N]
Apache.apacheindex="N"
# Q:  Would you like to deactivate the Apache2 web server? [Y]
Apache.apacheoff="Y"
# Q:  Would you like to bind the Web server to listen only to the localhost? [N]
Apache.bindapachelocal="N"
# Q:  Would you like to bind the web server to a particular interface? [N]
Apache.bindapachenic="N"
# Q:  Would you like to disable CGI scripts, at least for now? [Y]
Apache.cgi="Y"
# Q:  Would you like to deactivate server-side includes? [Y]
Apache.ssi="Y"
# Q:  Would you like to deactivate the following of symbolic links? [Y]
Apache.symlink="Y"
# Q:  Would you like to reduce the LILO delay time to zero? [N]
BootSecurity.lilodelay="N"
# Q:  Do you ever boot Linux from the hard drive? [Y]
BootSecurity.lilosub_drive="N"
# Q:  Would you like to write the LILO changes to a boot floppy? [N]
BootSecurity.lilosub_floppy="N"
# Q:  Would you like to password protect single-user mode? [Y]
BootSecurity.secureinittab="N"
# Q: Would you like to password protect single-user mode? [Y]
BootSecurity.passsum="Y"
# Q:  Would you like to password-protect the LILO prompt? [N]
BootSecurity.protectlilo="N"
# Q:  Would you like to disable CTRL-ALT-DELETE rebooting? [N]
BootSecurity.secureinittab="N"
# Q:  Should we restrict console access to a small group of user accounts? [N]
SecureInetd.deactivate_telnet="Y"
# Q: May we deactivate ftp? [Y]
SecureInetd.deactivate_ftp="N"
# Q: Would you like to make "Authorized Use" banners? [Y]
SecureInetd.banners="Y"
# Q: Would you like to disable the compiler? [N]
DisableUserTools.compiler="N"
# Q: Would you like to put limits on system resource usage? [Y]
ConfigureMiscPAM.limitsconf="N"
# Q: Should we restrict console access to a small group of user accounts? [N]
ConfigureMiscPAM.consolelogin="N"
# Q:  Would you like to put limits on system resource usage? [N]
ConfigureMiscPAM.limitsconf="N"
# Q:  Would you like to chroot named and set it to run as a non-root user? [N]
DNS.chrootbind="N"
# Q:  Would you like to deactivate named, at least for now? [Y]
DNS.namedoff="Y"
# Q:  Would you like to disable the gcc and/or g++ compiler? [N]
DisableUserTools.compiler="N"
# Q:  Would you like to disable anonymous download? [N]
FTP.anonftp="Y"
# Q:  Would you like to disable user privileges on the FTP daemon? [N]
FTP.userftp="Y"
# Q:  Would you like to disable SUID status for XFree86? [N]
FilePermissions.suidXFree86="N"
# Q:  Would you like to disable SUID status for at? [Y]
FilePermissions.suidat="Y"
# Q:  Would you like to disable SUID status for cardctl? [Y]
FilePermissions.suidcard="Y"
# Q:  Would you like to disable SUID status for DOSEMU? [Y]
FilePermissions.suiddos="Y"
# Q:  Would you like to disable SUID status for dump and restore? [Y]
FilePermissions.suiddump="Y"
# Q:  Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="Y"
# Q:  Would you like to disable SUID status for news server tools? [Y]
FilePermissions.suidnews="Y"
# Q:  Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="Y"
# Q:  Would you like to disable SUID status for printing utilities? [N]
FilePermissions.suidprint="N"
# Q:  Would you like to disable the r-tools? [Y]
FilePermissions.suidrtool="Y"
# Q:  Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="Y"
# Q:  Would you like to disable SUID status for usernetctl? [Y]
FilePermissions.suidusernetctl="Y"
# Q:  Do you need the advanced networking options?
Firewall.ip_advnetwork="N"
# Q:  Interfaces for DHCP queries: [ ]
Firewall.ip_b_dhcpiface="eth+ wlan+ ath+"
# Q:  DNS Servers: [0.0.0.0/0]
Firewall.ip_b_dns="0.0.0.0/0"
# Q:  ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded"
# Q:  ICMP services to audit: [ ]
Firewall.ip_b_icmpaudit=""
# Q:  ICMP types to disallow outbound: [destination-unreachable time-exceeded]
Firewall.ip_b_icmpout="destination-unreachable time-exceeded echo-reply"
# Q:  NTP servers to query: [ ]
Firewall.ip_b_ntpsrv=""
# Q:  Force passive mode? [N]
Firewall.ip_b_passiveftp="N"
# Q:  Public interfaces: [eth+ ppp+ slip+]
Firewall.ip_b_publiciface="eth+ ppp+ slip+ wlan+ ath+"
# Q:  TCP service names or port numbers to allow on public interfaces: [ ]
Firewall.ip_b_publictcp="ssh"
# Q:  UDP service names or port numbers to allow on public interfaces: [ ]
Firewall.ip_b_publicudp=""
# Q:  Reject method: [DENY]
Firewall.ip_b_rejectmethod="DENY"
# Q:  Enable source address verification? [Y]
Firewall.ip_b_srcaddr="Y"
# Q:  TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
Firewall.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# Q:  TCP services to block: [2049 2065:2090 6000:6020 7100]
Firewall.ip_b_tcpblock="2049 2065:2090 6000:6020 7100"
# Q:  UDP services to audit: [31337]
Firewall.ip_b_udpaudit="31337"
# Q:  UDP services to block: [2049 6770]
Firewall.ip_b_udpblock="2049 6770"
# Q:  Should Bastille run the firewall and enable it at boot time? [N]
Firewall.ip_enable_firewall="Y"
# Q:  Would you like to run the packet filtering script? [N]
Firewall.ip_intro="Y"
# Q:  Would you like to add additional logging? [Y]
Logging.morelogging="Y"
# Q:  Would you like to set up process accounting? [N]
Logging.remotelog="N"
# Q: Would you like to set up process accounting? [N]
Logging.pacct="N"
# Q:  Would you like to disable acpid and/or apmd? [Y]
Logging.security_checks="Y"
# Q: Would you like to disable apmd? [Y]
MiscellaneousDaemons.apmd="Y"
# Q:  Would you like to disable the DHCP daemon? [Y]
MiscellaneousDaemons.remotefs="Y"
# Q: Would you like to disable PCMCIA services? [Y]
MiscellaneousDaemons.pcmcia="Y"
# Q: Would you like to disable the DHCP daemon? [Y]
MiscellaneousDaemons.dhcpd="Y"
# Q:  Would you like to disable GPM? [Y]
MiscellaneousDaemons.gpm="Y"
# Q:  Would you like to disable the news server daemon? [Y]
MiscellaneousDaemons.innd="Y"
# Q:  Would you like to disable PCMCIA services? [Y]
MiscellaneousDaemons.pcmcia="Y"
# Q:  Would you like to deactivate NFS and Samba? [Y]
MiscellaneousDaemons.remotefs="Y"
# Q:  Would you like to disable SNMPD? [Y]
MiscellaneousDaemons.snmpd="Y"
# Q:  Would you like to setup psad?
PSAD.psad_config="N"
# Q:  Would you like to disable LPR/LPRng printing? [N]
Printing.printing="Y"
# Q:  Would you like to disable CUPS printing? [N]
Printing.printing_cups="N"
# Q:  Would you like to display "Authorized Use" messages at log-in time? [Y]
SecureInetd.banners="Y"
# Q:  Should Bastille ensure inetd's FTP service does not run on this system? [y]
SecureInetd.deactivate_ftp="N"
# Q:  Should Bastille ensure the telnet service does not run on this system? [y]
SecureInetd.deactivate_telnet="Y"
# Q:  Who is responsible for granting authorization to use this machine?
SecureInetd.owner="its owner"
# Q:  Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
SecureInetd.tcpd_default_deny="N"
# Q:  Would you like to run sendmail via cron to process the queue? [N]
Sendmail.sendmailcron="Y"
# Q:  Do you want to stop sendmail from running in daemon mode? [Y]
Sendmail.sendmaildaemon="N"
# Q:  Would you like to disable the VRFY and EXPN sendmail commands? [Y]
Sendmail.vrfyexpn="Y"
# Q:  Would you like to install TMPDIR/TMP scripts? [N]
RemoteAccess.installssh="N"
# Q: Would you like to chroot named and set it to run as a non-root user? [N]
DNS.chrootbind="N"
# Q: Would you like to deactivate named, at least for now? [Y]
DNS.namedoff="Y"
# Q: Would you like to deactivate the Apache web server? [Y]
Apache.apacheoff="Y"
# Q: Would you like to bind the web server to listen only to the localhost? [N]
Apache.bindapachelocal="N"
# Q: Would you like to bind the web server to a particular interface? [N]
Apache.bindapachenic="N"
# Q: Would you like to deactivate the following of symbolic links? [Y]
Apache.symlink="Y"
# Q: Would you like to deactivate server-side includes? [Y]
Apache.ssi="Y"
# Q: Would you like to disable CGI scripts, at least for now? [Y]
Apache.cgi="Y"
# Q: Would you like to disable indexes? [N]
Apache.apacheindex="N"
# Q: Would you like to disable printing? [N]
Printing.printing="Y"
# Q: Would you like to disable user privileges on the FTP daemon? [N]
FTP.userftp="Y"
# Q: Would you like to disable anonymous download? [N]
FTP.anonftp="Y"
# Q: Would you like to install TMPDIR/TMP scripts? [N]
TMPDIR.tmpdir="Y"




# Q:  Would you like to restrict the use of cron to administrative accounts? [Y]
IPChains.ip_intro="N"
# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
FilePermissions.generalperms_1.1="N"
# Q: What security level should we set? [3]
FilePermissions.security_level="2"
# Q: Would you like us to modify your file permissions?
FilePermissions.generalperms_1.2_mandrake="Y"
# Q: Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="N"
# Q: Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="N"
# Q: Would you like to disable SUID status for dump and restore? [Y]
FilePermissions.suiddump="N"
# Q: Would you like to disable SUID status for cardctl? [Y]
FilePermissions.suidcard="N"
# Q: Would you like to disable SUID status for at? [Y]
FilePermissions.suidat="N"
# Q: Would you like to disable SUID status for DOSEMU? [Y]
FilePermissions.suiddos="Y"
# Q: Would you like to disable SUID status for news server tools? [Y]
FilePermissions.suidnews="Y"
# Q: Would you like to disable SUID status for printing utilities? [N]
FilePermissions.suidprint="N"
# Q: Would you like to disable SUID status for the r-tools? [Y]
FilePermissions.suidrtool="N"
# Q: Would you like to disable SUID status for usernetctl? [Y]
FilePermissions.suidusernetctl="N"
# Q: Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="N"
# Q: Would you like to set up a second UID 0 account? [N]
AccountSecurity.secondadmin="N"
# Q: May we take strong steps to disallow the dangerous r-protocols? [Y]
AccountSecurity.protectrhost="N"
# Q: Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q: Would you like to create a non-root user account? [N]
AccountSecurity.createuser="N"
# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
AccountSecurity.cronuser="N"
# Q:  Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q:  Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
AccountSecurity.protectrhost="N"
# Q:  Should we disallow root login on tty's 1-6? [N]
AccountSecurity.rootttylogins="Y"
# Q:  Would you like to disable indexes? [N]
Apache.apacheindex="N"
# Q:  Would you like to deactivate the Apache2 web server? [Y]
Apache.apacheoff="Y"
# Q:  Would you like to bind the Web server to listen only to the localhost? [N]
Apache.bindapachelocal="N"
# Q:  Would you like to bind the web server to a particular interface? [N]
Apache.bindapachenic="N"
# Q:  Would you like to disable CGI scripts, at least for now? [Y]
Apache.cgi="N"
# Q:  Would you like to deactivate server-side includes? [Y]
Apache.ssi="Y"
# Q:  Would you like to deactivate the following of symbolic links? [Y]
Apache.symlink="N"
# Q:  Would you like to reduce the LILO delay time to zero? [N]
BootSecurity.lilodelay="N"
# Q:  Do you ever boot Linux from the hard drive? [Y]
BootSecurity.lilosub_drive="N"
# Q:  Would you like to write the LILO changes to a boot floppy? [N]
BootSecurity.lilosub_floppy="N"
# Q:  Would you like to password protect single-user mode? [Y]
BootSecurity.secureinittab="N"
# Q: Would you like to password protect single-user mode? [Y]
BootSecurity.passsum="Y"
# Q:  Would you like to password-protect the LILO prompt? [N]
BootSecurity.protectlilo="N"
# Q:  Would you like to disable CTRL-ALT-DELETE rebooting? [N]
BootSecurity.secureinittab="N"
# Q:  Should we restrict console access to a small group of user accounts? [N]
SecureInetd.deactivate_telnet="Y"
# Q: May we deactivate ftp? [Y]
SecureInetd.deactivate_ftp="Y"
# Q: Would you like to make "Authorized Use" banners? [Y]
SecureInetd.banners="Y"
# Q: Would you like to disable the compiler? [N]
DisableUserTools.compiler="N"
# Q: Would you like to put limits on system resource usage? [Y]
ConfigureMiscPAM.limitsconf="N"
# Q: Should we restrict console access to a small group of user accounts? [N]
ConfigureMiscPAM.consolelogin="N"
# Q:  Would you like to put limits on system resource usage? [N]
ConfigureMiscPAM.limitsconf="N"
# Q:  Would you like to chroot named and set it to run as a non-root user? [N]
DNS.chrootbind="N"
# Q:  Would you like to deactivate named, at least for now? [Y]
DNS.namedoff="Y"
# Q:  Would you like to disable the gcc and/or g++ compiler? [N]
DisableUserTools.compiler="N"
# Q:  Would you like to disable anonymous download? [N]
FTP.anonftp="N"
# Q:  Would you like to disable user privileges on the FTP daemon? [N]
FTP.userftp="N"
# Q:  Would you like to disable SUID status for XFree86? [N]
FilePermissions.suidXFree86="N"
# Q:  Would you like to disable SUID status for at? [Y]
FilePermissions.suidat="N"
# Q:  Would you like to disable SUID status for cardctl? [Y]
FilePermissions.suidcard="N"
# Q:  Would you like to disable SUID status for DOSEMU? [Y]
FilePermissions.suiddos="Y"
# Q:  Would you like to disable SUID status for dump and restore? [Y]
FilePermissions.suiddump="N"
# Q:  Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="N"
# Q:  Would you like to disable SUID status for news server tools? [Y]
FilePermissions.suidnews="Y"
# Q:  Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="N"
# Q:  Would you like to disable SUID status for printing utilities? [N]
FilePermissions.suidprint="N"
# Q:  Would you like to disable the r-tools? [Y]
FilePermissions.suidrtool="N"
# Q:  Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="N"
# Q:  Would you like to disable SUID status for usernetctl? [Y]
FilePermissions.suidusernetctl="N"
# Q:  Would you like to run the packet filtering script? [N]
Firewall.ip_intro="N"
# Q:  Would you like to add additional logging? [Y]
Logging.morelogging="Y"
# Q:  Would you like to set up process accounting? [N]
Logging.remotelog="N"
# Q: Would you like to set up process accounting? [N]
Logging.pacct="N"
# Q:  Would you like to disable acpid and/or apmd? [Y]
Logging.security_checks="Y"
# Q: Would you like to disable apmd? [Y]
MiscellaneousDaemons.apmd="N"
# Q:  Would you like to disable the DHCP daemon? [Y]
MiscellaneousDaemons.remotefs="N"
# Q: Would you like to disable PCMCIA services? [Y]
MiscellaneousDaemons.pcmcia="N"
# Q: Would you like to disable the DHCP daemon? [Y]
MiscellaneousDaemons.dhcpd="Y"
# Q:  Would you like to disable GPM? [Y]
MiscellaneousDaemons.gpm="N"
# Q:  Would you like to disable the news server daemon? [Y]
MiscellaneousDaemons.innd="Y"
# Q:  Would you like to disable PCMCIA services? [Y]
MiscellaneousDaemons.pcmcia="N"
# Q:  Would you like to deactivate NFS and Samba? [Y]
MiscellaneousDaemons.remotefs="N"
# Q:  Would you like to disable SNMPD? [Y]
MiscellaneousDaemons.snmpd="Y"
# Q:  Would you like to disable LPR/LPRng printing? [N]
Printing.printing="N"
# Q:  Would you like to disable CUPS printing? [N]
Printing.printing_cups="N"
# Q:  Would you like to display "Authorized Use" messages at log-in time? [Y]
SecureInetd.banners="N"
# Q:  Should Bastille ensure inetd's FTP service does not run on this system? [y]
SecureInetd.deactivate_ftp="N"
# Q:  Should Bastille ensure the telnet service does not run on this system? [y]
SecureInetd.deactivate_telnet="Y"
# Q:  Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
SecureInetd.tcpd_default_deny="N"
# Q:  Would you like to run sendmail via cron to process the queue? [N]
Sendmail.sendmailcron="N"
# Q:  Do you want to stop sendmail from running in daemon mode? [Y]
Sendmail.sendmaildaemon="Y"
# Q:  Would you like to disable the VRFY and EXPN sendmail commands? [Y]
Sendmail.vrfyexpn="Y"
# Q:  Would you like to install TMPDIR/TMP scripts? [N]
RemoteAccess.installssh="N"
# Q: Would you like to chroot named and set it to run as a non-root user? [N]
DNS.chrootbind="N"
# Q: Would you like to deactivate named, at least for now? [Y]
DNS.namedoff="Y"
# Q: Would you like to deactivate the Apache web server? [Y]
Apache.apacheoff="Y"
# Q: Would you like to bind the web server to listen only to the localhost? [N]
Apache.bindapachelocal="N"
# Q: Would you like to bind the web server to a particular interface? [N]
Apache.bindapachenic="N"
# Q: Would you like to deactivate the following of symbolic links? [Y]
Apache.symlink="N"
# Q: Would you like to deactivate server-side includes? [Y]
Apache.ssi="Y"
# Q: Would you like to disable CGI scripts, at least for now? [Y]
Apache.cgi="N"
# Q: Would you like to disable indexes? [N]
Apache.apacheindex="N"
# Q: Would you like to disable printing? [N]
Printing.printing="N"
# Q: Would you like to disable user privileges on the FTP daemon? [N]
FTP.userftp="N"
# Q: Would you like to disable anonymous download? [N]
FTP.anonftp="N"
# Q: Would you like to install TMPDIR/TMP scripts? [N]
TMPDIR.tmpdir="N"




# Q:  Would you like to restrict the use of cron to administrative accounts? [Y]
IPChains.ip_intro="Y"
# Q: 
IPChains.ip_detail_level_kludge="Y"
# Q: Do you need the advanced networking options?
IPChains.ip_advnetwork="N"
# Q: DNS Servers: [0.0.0.0/0]
IPChains.ip_b_dns="0.0.0.0/0"
# Q: 
IPChains.ip_b_trustiface="lo"
# Q: Public interfaces: [eth+ ppp+ slip+]
IPChains.ip_b_publiciface="eth+ ppp+ slip+"
# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# Q: UDP services to audit: [31337]
IPChains.ip_b_udpaudit="31337"
# Q: TCP service names or port numbers to allow on public interfaces: [ ]
IPChains.ip_b_publictcp="ssh 80 443 25 21 53"
# Q: UDP service names or port numbers to allow on public interfaces: [ ]
IPChains.ip_b_publicudp="53 67 68"
# Q: Force passive mode? [N]
IPChains.ip_b_passiveftp="N"
# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
IPChains.ip_b_tcpblock="2049 2065:2090 7100"
# Q: UDP services to block: [2049 6770]
IPChains.ip_b_udpblock="2049 6770"
# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-requested"
# Q: Enable source address verification? [Y]
IPChains.ip_b_srcaddr="Y"
# Q: Reject method: [DENY]
IPChains.ip_b_rejectmethod="REJECT"
# Q: Interfaces for DHCP queries: [ ]
IPChains.ip_b_dhcpiface="eth+"
# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
FilePermissions.generalperms_1.1="N"
# Q: What security level should we set? [3]
FilePermissions.security_level="3"
# Q: Would you like us to modify your file permissions?
FilePermissions.generalperms_1.2_mandrake="Y"
# Q: Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="N"
# Q: Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="N"
# Q: Would you like to disable SUID status for dump and restore? [Y]
FilePermissions.suiddump="Y"
# Q: Would you like to disable SUID status for cardctl? [Y]
FilePermissions.suidcard="Y"
# Q: Would you like to disable SUID status for at? [Y]
FilePermissions.suidat="N"
# Q: Would you like to disable SUID status for DOSEMU? [Y]
FilePermissions.suiddos="Y"
# Q: Would you like to disable SUID status for news server tools? [Y]
FilePermissions.suidnews="Y"
# Q: Would you like to disable SUID status for printing utilities? [N]
FilePermissions.suidprint="N"
# Q: Would you like to disable SUID status for the r-tools? [Y]
FilePermissions.suidrtool="Y"
# Q: Would you like to disable SUID status for usernetctl? [Y]
FilePermissions.suidusernetctl="N"
# Q: Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="N"
# Q: Would you like to set up a second UID 0 account? [N]
AccountSecurity.secondadmin="N"
# Q: May we take strong steps to disallow the dangerous r-protocols? [Y]
AccountSecurity.protectrhost="Y"
# Q: Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q: Would you like to create a non-root user account? [N]
AccountSecurity.createuser="N"
# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
AccountSecurity.cronuser="N"
# Q:  Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q:  Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
AccountSecurity.protectrhost="Y"
# Q:  Should we disallow root login on tty's 1-6? [N]
AccountSecurity.rootttylogins="Y"
# Q:  Would you like to disable indexes? [N]
Apache.apacheindex="N"
# Q:  Would you like to deactivate the Apache2 web server? [Y]
Apache.apacheoff="Y"
# Q:  Would you like to bind the Web server to listen only to the localhost? [N]
Apache.bindapachelocal="N"
# Q:  Would you like to bind the web server to a particular interface? [N]
Apache.bindapachenic="N"
# Q:  Would you like to disable CGI scripts, at least for now? [Y]
Apache.cgi="N"
# Q:  Would you like to deactivate server-side includes? [Y]
Apache.ssi="Y"
# Q:  Would you like to deactivate the following of symbolic links? [Y]
Apache.symlink="N"
# Q:  Would you like to reduce the LILO delay time to zero? [N]
BootSecurity.lilodelay="N"
# Q:  Do you ever boot Linux from the hard drive? [Y]
BootSecurity.lilosub_drive="N"
# Q:  Would you like to write the LILO changes to a boot floppy? [N]
BootSecurity.lilosub_floppy="N"
# Q:  Would you like to password protect single-user mode? [Y]
BootSecurity.secureinittab="N"
# Q: Would you like to password protect single-user mode? [Y]
BootSecurity.passsum="Y"
# Q:  Would you like to password-protect the LILO prompt? [N]
BootSecurity.protectlilo="N"
# Q:  Would you like to disable CTRL-ALT-DELETE rebooting? [N]
BootSecurity.secureinittab="N"
# Q:  Should we restrict console access to a small group of user accounts? [N]
SecureInetd.deactivate_telnet="Y"
# Q: May we deactivate ftp? [Y]
SecureInetd.deactivate_ftp="Y"
# Q: Would you like to make "Authorized Use" banners? [Y]
SecureInetd.banners="Y"
# Q: Would you like to disable the compiler? [N]
DisableUserTools.compiler="N"
# Q: Would you like to put limits on system resource usage? [Y]
ConfigureMiscPAM.limitsconf="N"
# Q: Should we restrict console access to a small group of user accounts? [N]
ConfigureMiscPAM.consolelogin="N"
# Q:  Would you like to put limits on system resource usage? [N]
ConfigureMiscPAM.limitsconf="N"
# Q:  Would you like to chroot named and set it to run as a non-root user? [N]
DNS.chrootbind="N"
# Q:  Would you like to deactivate named, at least for now? [Y]
DNS.namedoff="Y"
# Q:  Would you like to disable the gcc and/or g++ compiler? [N]
DisableUserTools.compiler="N"
# Q:  Would you like to disable anonymous download? [N]
FTP.anonftp="Y"
# Q:  Would you like to disable user privileges on the FTP daemon? [N]
FTP.userftp="N"
# Q:  Would you like to disable SUID status for XFree86? [N]
FilePermissions.suidXFree86="N"
# Q:  Would you like to disable SUID status for at? [Y]
FilePermissions.suidat="N"
# Q:  Would you like to disable SUID status for cardctl? [Y]
FilePermissions.suidcard="Y"
# Q:  Would you like to disable SUID status for DOSEMU? [Y]
FilePermissions.suiddos="Y"
# Q:  Would you like to disable SUID status for dump and restore? [Y]
FilePermissions.suiddump="Y"
# Q:  Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="N"
# Q:  Would you like to disable SUID status for news server tools? [Y]
FilePermissions.suidnews="Y"
# Q:  Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="N"
# Q:  Would you like to disable SUID status for printing utilities? [N]
FilePermissions.suidprint="N"
# Q:  Would you like to disable the r-tools? [Y]
FilePermissions.suidrtool="Y"
# Q:  Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="N"
# Q:  Would you like to disable SUID status for usernetctl? [Y]
FilePermissions.suidusernetctl="N"
# Q:  Do you need the advanced networking options?
Firewall.ip_advnetwork="N"
# Q:  Interfaces for DHCP queries: [ ]
Firewall.ip_b_dhcpiface="eth+ wlan+ ath+"
# Q:  DNS Servers: [0.0.0.0/0]
Firewall.ip_b_dns="0.0.0.0/0"
# Q:  ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-request"
# Q:  ICMP services to audit: [ ]
Firewall.ip_b_icmpaudit=""
# Q:  ICMP types to disallow outbound: [destination-unreachable time-exceeded]
Firewall.ip_b_icmpout="destination-unreachable time-exceeded"
# Q:  NTP servers to query: [ ]
Firewall.ip_b_ntpsrv=""
# Q:  Force passive mode? [N]
Firewall.ip_b_passiveftp="N"
# Q:  Public interfaces: [eth+ ppp+ slip+]
Firewall.ip_b_publiciface="eth+ ppp+ slip+ wlan+ ath+"
# Q:  TCP service names or port numbers to allow on public interfaces: [ ]
Firewall.ip_b_publictcp="ssh 80 443 25 21 53"
# Q:  UDP service names or port numbers to allow on public interfaces: [ ]
Firewall.ip_b_publicudp="53 67 68"
# Q:  Reject method: [DENY]
Firewall.ip_b_rejectmethod="REJECT"
# Q:  Enable source address verification? [Y]
Firewall.ip_b_srcaddr="Y"
# Q:  TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
Firewall.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# Q:  TCP services to block: [2049 2065:2090 6000:6020 7100]
Firewall.ip_b_tcpblock="2049 2065:2090 7100"
# Q:  UDP services to audit: [31337]
Firewall.ip_b_udpaudit="31337"
# Q:  UDP services to block: [2049 6770]
Firewall.ip_b_udpblock="2049 6770"
# Q:  Should Bastille run the firewall and enable it at boot time? [N]
Firewall.ip_enable_firewall="Y"
# Q:  Would you like to run the packet filtering script? [N]
Firewall.ip_intro="Y"
# Q:  Would you like to add additional logging? [Y]
Logging.morelogging="Y"
# Q:  Would you like to set up process accounting? [N]
Logging.remotelog="N"
# Q: Would you like to set up process accounting? [N]
Logging.pacct="N"
# Q:  Would you like to disable acpid and/or apmd? [Y]
Logging.security_checks="Y"
# Q: Would you like to disable apmd? [Y]
MiscellaneousDaemons.apmd="Y"
# Q:  Would you like to disable the DHCP daemon? [Y]
MiscellaneousDaemons.remotefs="Y"
# Q: Would you like to disable PCMCIA services? [Y]
MiscellaneousDaemons.pcmcia="N"
# Q: Would you like to disable the DHCP daemon? [Y]
MiscellaneousDaemons.dhcpd="Y"
# Q:  Would you like to disable GPM? [Y]
MiscellaneousDaemons.gpm="Y"
# Q:  Would you like to disable the news server daemon? [Y]
MiscellaneousDaemons.innd="Y"
# Q:  Would you like to disable PCMCIA services? [Y]
MiscellaneousDaemons.pcmcia="N"
# Q:  Would you like to deactivate NFS and Samba? [Y]
MiscellaneousDaemons.remotefs="Y"
# Q:  Would you like to disable SNMPD? [Y]
MiscellaneousDaemons.snmpd="Y"
# Q:  Would you like to setup psad?
PSAD.psad_config="N"
# Q:  Would you like to disable LPR/LPRng printing? [N]
Printing.printing="N"
# Q:  Would you like to disable CUPS printing? [N]
Printing.printing_cups="N"
# Q:  Would you like to display "Authorized Use" messages at log-in time? [Y]
SecureInetd.banners="Y"
# Q:  Should Bastille ensure inetd's FTP service does not run on this system? [y]
SecureInetd.deactivate_ftp="Y"
# Q:  Should Bastille ensure the telnet service does not run on this system? [y]
SecureInetd.deactivate_telnet="Y"
# Q:  Who is responsible for granting authorization to use this machine?
SecureInetd.owner="its owner"
# Q:  Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
SecureInetd.tcpd_default_deny="N"
# Q:  Would you like to run sendmail via cron to process the queue? [N]
Sendmail.sendmailcron="Y"
# Q:  Do you want to stop sendmail from running in daemon mode? [Y]
Sendmail.sendmaildaemon="N"
# Q:  Would you like to disable the VRFY and EXPN sendmail commands? [Y]
Sendmail.vrfyexpn="Y"
# Q:  Would you like to install TMPDIR/TMP scripts? [N]
RemoteAccess.installssh="N"
# Q: Would you like to chroot named and set it to run as a non-root user? [N]
DNS.chrootbind="N"
# Q: Would you like to deactivate named, at least for now? [Y]
DNS.namedoff="Y"
# Q: Would you like to deactivate the Apache web server? [Y]
Apache.apacheoff="Y"
# Q: Would you like to bind the web server to listen only to the localhost? [N]
Apache.bindapachelocal="N"
# Q: Would you like to bind the web server to a particular interface? [N]
Apache.bindapachenic="N"
# Q: Would you like to deactivate the following of symbolic links? [Y]
Apache.symlink="N"
# Q: Would you like to deactivate server-side includes? [Y]
Apache.ssi="Y"
# Q: Would you like to disable CGI scripts, at least for now? [Y]
Apache.cgi="N"
# Q: Would you like to disable indexes? [N]
Apache.apacheindex="N"
# Q: Would you like to disable printing? [N]
Printing.printing="N"
# Q: Would you like to disable user privileges on the FTP daemon? [N]
FTP.userftp="N"
# Q: Would you like to disable anonymous download? [N]
FTP.anonftp="Y"
# Q: Would you like to install TMPDIR/TMP scripts? [N]
TMPDIR.tmpdir="Y"




# Q:  Would you like to restrict the use of cron to administrative accounts? [Y]
IPChains.ip_intro="Y"
# Q: 
IPChains.ip_detail_level_kludge="Y"
# Q: Do you need the advanced networking options?
IPChains.ip_advnetwork="N"
# Q: DNS Servers: [0.0.0.0/0]
IPChains.ip_b_dns="0.0.0.0/0"
# Q: 
IPChains.ip_b_trustiface="lo"
# Q: Public interfaces: [eth+ ppp+ slip+]
IPChains.ip_b_publiciface="eth+ ppp+ slip+"
# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# Q: UDP services to audit: [31337]
IPChains.ip_b_udpaudit="31337"
# Q: TCP service names or port numbers to allow on public interfaces: [ ]
IPChains.ip_b_publictcp="ssh"
# Q: Force passive mode? [N]
IPChains.ip_b_passiveftp="N"
# Q: TCP services to block: [2065:2090 6000:6020 7100]
IPChains.ip_b_tcpblock="2049 2065:2090 6000:6020 7100"
# Q: UDP services to block: [2049 6770]
IPChains.ip_b_udpblock="2049 6770"
# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded"
# Q: Enable source address verification? [Y]
IPChains.ip_b_srcaddr="Y"
# Q: Reject method: [DENY]
IPChains.ip_b_rejectmethod="DENY"
# Q: Interfaces for DHCP queries: [ ]
IPChains.ip_b_dhcpiface="eth+"
# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
IPChains.ip_b_icmpout="destination-unreachable time-exceeded echo-reply"
# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
FilePermissions.generalperms_1.1="N"
# Q: What security level should we set? [3]
FilePermissions.security_level="4"
# Q: Would you like us to modify your file permissions?
FilePermissions.generalperms_1.2_mandrake="Y"
# Q: Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="Y"
# Q: Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="Y"
# Q: Would you like to disable SUID status for dump and restore? [Y]
FilePermissions.suiddump="Y"
# Q: Would you like to disable SUID status for cardctl? [Y]
FilePermissions.suidcard="Y"
# Q: Would you like to disable SUID status for at? [Y]
FilePermissions.suidat="Y"
# Q: Would you like to disable SUID status for DOSEMU? [Y]
FilePermissions.suiddos="Y"
# Q: Would you like to disable SUID status for news server tools? [Y]
FilePermissions.suidnews="Y"
# Q: Would you like to disable SUID status for printing utilities? [N]
FilePermissions.suidprint="N"
# Q: Would you like to disable SUID status for the r-tools? [Y]
FilePermissions.suidrtool="Y"
# Q: Would you like to disable SUID status for usernetctl? [Y]
FilePermissions.suidusernetctl="Y"
# Q: Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="Y"
# Q: Would you like to set up a second UID 0 account? [N]
AccountSecurity.secondadmin="N"
# Q: May we take strong steps to disallow the dangerous r-protocols? [Y]
AccountSecurity.protectrhost="Y"
# Q: Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q: Would you like to create a non-root user account? [N]
AccountSecurity.createuser="N"
# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
AccountSecurity.cronuser="Y"
# Q:  Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q:  Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
AccountSecurity.protectrhost="Y"
# Q:  Should we disallow root login on tty's 1-6? [N]
AccountSecurity.rootttylogins="N"
# Q:  Would you like to disable indexes? [N]
Apache.apacheindex="N"
# Q:  Would you like to deactivate the Apache2 web server? [Y]
Apache.apacheoff="Y"
# Q:  Would you like to bind the Web server to listen only to the localhost? [N]
Apache.bindapachelocal="N"
# Q:  Would you like to bind the web server to a particular interface? [N]
Apache.bindapachenic="N"
# Q:  Would you like to disable CGI scripts, at least for now? [Y]
Apache.cgi="Y"
# Q:  Would you like to deactivate server-side includes? [Y]
Apache.ssi="Y"
# Q:  Would you like to deactivate the following of symbolic links? [Y]
Apache.symlink="Y"
# Q:  Would you like to reduce the LILO delay time to zero? [N]
BootSecurity.lilodelay="N"
# Q:  Do you ever boot Linux from the hard drive? [Y]
BootSecurity.lilosub_drive="N"
# Q:  Would you like to write the LILO changes to a boot floppy? [N]
BootSecurity.lilosub_floppy="N"
# Q:  Would you like to password protect single-user mode? [Y]
BootSecurity.secureinittab="N"
# Q: Would you like to password protect single-user mode? [Y]
BootSecurity.passsum="Y"
# Q:  Would you like to password-protect the LILO prompt? [N]
BootSecurity.protectlilo="N"
# Q:  Would you like to disable CTRL-ALT-DELETE rebooting? [N]
BootSecurity.secureinittab="N"
# Q:  Should we restrict console access to a small group of user accounts? [N]
SecureInetd.deactivate_telnet="Y"
# Q: May we deactivate ftp? [Y]
SecureInetd.deactivate_ftp="Y"
# Q: Would you like to set sshd to accept connections only from a small list of IP addresses. [N]
SecureInetd.limit_ssh="N"
# Q: Would you like to make "Authorized Use" banners? [Y]
SecureInetd.banners="Y"
# Q: Would you like to disable the compiler? [N]
DisableUserTools.compiler="N"
# Q: Would you like to put limits on system resource usage? [Y]
ConfigureMiscPAM.limitsconf="N"
# Q: Should we restrict console access to a small group of user accounts? [N]
ConfigureMiscPAM.consolelogin="N"
# Q:  Would you like to put limits on system resource usage? [N]
ConfigureMiscPAM.limitsconf="N"
# Q:  Would you like to chroot named and set it to run as a non-root user? [N]
DNS.chrootbind="N"
# Q:  Would you like to deactivate named, at least for now? [Y]
DNS.namedoff="Y"
# Q:  Would you like to disable the gcc and/or g++ compiler? [N]
DisableUserTools.compiler="N"
# Q:  Would you like to disable anonymous download? [N]
FTP.anonftp="Y"
# Q:  Would you like to disable user privileges on the FTP daemon? [N]
FTP.userftp="Y"
# Q:  Would you like to disable SUID status for XFree86? [N]
FilePermissions.suidXFree86="N"
# Q:  Would you like to disable SUID status for at? [Y]
FilePermissions.suidat="Y"
# Q:  Would you like to disable SUID status for cardctl? [Y]
FilePermissions.suidcard="Y"
# Q:  Would you like to disable SUID status for DOSEMU? [Y]
FilePermissions.suiddos="Y"
# Q:  Would you like to disable SUID status for dump and restore? [Y]
FilePermissions.suiddump="Y"
# Q:  Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="Y"
# Q:  Would you like to disable SUID status for news server tools? [Y]
FilePermissions.suidnews="Y"
# Q:  Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="Y"
# Q:  Would you like to disable SUID status for printing utilities? [N]
FilePermissions.suidprint="N"
# Q:  Would you like to disable the r-tools? [Y]
FilePermissions.suidrtool="Y"
# Q:  Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="Y"
# Q:  Would you like to disable SUID status for usernetctl? [Y]
FilePermissions.suidusernetctl="Y"
# Q:  Do you need the advanced networking options?
Firewall.ip_advnetwork="N"
# Q:  Interfaces for DHCP queries: [ ]
Firewall.ip_b_dhcpiface="eth+ wlan+ ath+"
# Q:  DNS Servers: [0.0.0.0/0]
Firewall.ip_b_dns="0.0.0.0/0"
# Q:  ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded"
# Q:  ICMP services to audit: [ ]
Firewall.ip_b_icmpaudit=""
# Q:  ICMP types to disallow outbound: [destination-unreachable time-exceeded]
Firewall.ip_b_icmpout="destination-unreachable time-exceeded echo-reply"
# Q:  NTP servers to query: [ ]
Firewall.ip_b_ntpsrv=""
# Q:  Force passive mode? [N]
Firewall.ip_b_passiveftp="N"
# Q:  Public interfaces: [eth+ ppp+ slip+]
Firewall.ip_b_publiciface="eth+ ppp+ slip+ wlan+ ath+"
# Q:  TCP service names or port numbers to allow on public interfaces: [ ]
Firewall.ip_b_publictcp="ssh"
# Q:  UDP service names or port numbers to allow on public interfaces: [ ]
Firewall.ip_b_publicudp=""
# Q:  Reject method: [DENY]
Firewall.ip_b_rejectmethod="DENY"
# Q:  Enable source address verification? [Y]
Firewall.ip_b_srcaddr="Y"
# Q:  TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
Firewall.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# Q:  TCP services to block: [2049 2065:2090 6000:6020 7100]
Firewall.ip_b_tcpblock="2049 2065:2090 6000:6020 7100"
# Q:  UDP services to audit: [31337]
Firewall.ip_b_udpaudit="31337"
# Q:  UDP services to block: [2049 6770]
Firewall.ip_b_udpblock="2049 6770"
# Q:  Should Bastille run the firewall and enable it at boot time? [N]
Firewall.ip_enable_firewall="Y"
# Q:  Would you like to run the packet filtering script? [N]
Firewall.ip_intro="Y"
# Q:  Would you like to add additional logging? [Y]
Logging.morelogging="Y"
# Q:  Would you like to set up process accounting? [N]
Logging.remotelog="N"
# Q: Would you like to set up process accounting? [N]
Logging.pacct="N"
# Q:  Would you like to disable acpid and/or apmd? [Y]
Logging.security_checks="Y"
# Q: Would you like to disable apmd? [Y]
MiscellaneousDaemons.apmd="Y"
# Q:  Would you like to disable the DHCP daemon? [Y]
MiscellaneousDaemons.remotefs="Y"
# Q: Would you like to disable PCMCIA services? [Y]
MiscellaneousDaemons.pcmcia="Y"
# Q: Would you like to disable the DHCP daemon? [Y]
MiscellaneousDaemons.dhcpd="Y"
# Q:  Would you like to disable GPM? [Y]
MiscellaneousDaemons.gpm="Y"
# Q:  Would you like to disable the news server daemon? [Y]
MiscellaneousDaemons.innd="Y"
# Q:  Would you like to disable PCMCIA services? [Y]
MiscellaneousDaemons.pcmcia="Y"
# Q:  Would you like to deactivate NFS and Samba? [Y]
MiscellaneousDaemons.remotefs="Y"
# Q:  Would you like to disable SNMPD? [Y]
MiscellaneousDaemons.snmpd="Y"
# Q:  Would you like to setup psad?
PSAD.psad_config="N"
# Q:  Would you like to disable LPR/LPRng printing? [N]
Printing.printing="N"
# Q:  Would you like to disable CUPS printing? [N]
Printing.printing_cups="N"
# Q:  Would you like to display "Authorized Use" messages at log-in time? [Y]
SecureInetd.banners="Y"
# Q:  Should Bastille ensure inetd's FTP service does not run on this system? [y]
SecureInetd.deactivate_ftp="Y"
# Q:  Should Bastille ensure the telnet service does not run on this system? [y]
SecureInetd.deactivate_telnet="Y"
# Q:  Who is responsible for granting authorization to use this machine?
SecureInetd.owner="its owner"
# Q:  Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
SecureInetd.tcpd_default_deny="N"
# Q:  Would you like to run sendmail via cron to process the queue? [N]
Sendmail.sendmailcron="Y"
# Q:  Do you want to stop sendmail from running in daemon mode? [Y]
Sendmail.sendmaildaemon="N"
# Q:  Would you like to disable the VRFY and EXPN sendmail commands? [Y]
Sendmail.vrfyexpn="Y"
# Q:  Would you like to install TMPDIR/TMP scripts? [N]
RemoteAccess.installssh="N"
# Q: Would you like to chroot named and set it to run as a non-root user? [N]
DNS.chrootbind="N"
# Q: Would you like to deactivate named, at least for now? [Y]
DNS.namedoff="Y"
# Q: Would you like to deactivate the Apache web server? [Y]
Apache.apacheoff="Y"
# Q: Would you like to bind the web server to listen only to the localhost? [N]
Apache.bindapachelocal="N"
# Q: Would you like to bind the web server to a particular interface? [N]
Apache.bindapachenic="N"
# Q: Would you like to deactivate the following of symbolic links? [Y]
Apache.symlink="Y"
# Q: Would you like to deactivate server-side includes? [Y]
Apache.ssi="Y"
# Q: Would you like to disable CGI scripts, at least for now? [Y]
Apache.cgi="Y"
# Q: Would you like to disable indexes? [N]
Apache.apacheindex="N"
# Q: Would you like to disable printing? [N]
Printing.printing="N"
# Q: Would you like to disable user privileges on the FTP daemon? [N]
FTP.userftp="Y"
# Q: Would you like to disable anonymous download? [N]
FTP.anonftp="Y"
# Q: Would you like to install TMPDIR/TMP scripts? [N]
TMPDIR.tmpdir="Y"

Return to bug 431232

Lines 482-487 Link Here

(-)Bastille.orig/Bastille/API.pm.sweth (+10 lines)
482	"log" => "/usr/adm",	482	"log" => "/usr/adm",
483	"httpd.conf" => "/var/lib/apache/conf/httpd.conf",	483	"httpd.conf" => "/var/lib/apache/conf/httpd.conf",
484	"httpd_access.conf" => "/var/lib/apache/conf/access.conf"	484	"httpd_access.conf" => "/var/lib/apache/conf/access.conf"
		485	},
		486	"GN" => {
		487	"chattr" => "/bin/chattr",
		488	"floppy" => "/mnt/floppy",
		489	"group" => "/etc/group",
		490	"httpd.conf" => "/etc/apache2/httpd.conf",
		491	"httpd_access.conf" => "/etc/apache2/access.conf",
		492	"initd" => "/etc/init.d",
		493	"rcd" => "/etc/runlevels",
		494	"rpm" => "/usr/bin/rpm"
485	}	495	}
486	);	496	);
487	foreach my $DISTRO_FILE (keys %{$DISTRO_PATHS{'default'}}) {	497	foreach my $DISTRO_FILE (keys %{$DISTRO_PATHS{'default'}}) {

Lines 276-285 Link Here

(-)Bastille.orig/Bastille/Firewall.pm (-4 / +7 lines)
276	# only do this if the user answered ipchains questions	276	# only do this if the user answered ipchains questions
277	if ( &getGlobalConfig($configPrefix,"ip_intro") eq 'Y' ) {	277	if ( &getGlobalConfig($configPrefix,"ip_intro") eq 'Y' ) {
278		278
279	# Put the init script in place.
280	&B_place($virgin_init_script,$firewall_init_script);
281	&B_chmod(0500,$firewall_init_script);
282
283	# Put the ipchains script in place.	279	# Put the ipchains script in place.
284	&B_place($virgin_ipchains_script,$firewall_ipchains_script);	280	&B_place($virgin_ipchains_script,$firewall_ipchains_script);
285	&B_chmod(0500,$firewall_ipchains_script);	281	&B_chmod(0500,$firewall_ipchains_script);
Lines 404-409 Link Here
404	}	400	}
405		401
406	}	402	}
		403	elsif ( &GetDistro =~ /^GN/ && &getGlobalConfig($configPrefix,"ip_enable_firewall") eq 'Y' ) {
		404	&B_log("ACTION","# Firewall.pm: enabling firewall with distribution B_chkconfig_on\n");
		405	&B_chkconfig_on("bastille-firewall");
		406	if ( -x $firewall_init_script ) {
		407	`$firewall_init_script start`;
		408	}
		409	}
407	}	410	}
408	# end of things to do if ipchains was chosen	411	# end of things to do if ipchains was chosen
409	if ( &getGlobalConfig($configPrefix,"ip_intro") eq 'N' ) {	412	if ( &getGlobalConfig($configPrefix,"ip_intro") eq 'N' ) {

Lines 372-388 Link Here

(-)Bastille.orig/InteractiveBastille (-9 / +20 lines)
372	}	372	}
373	}	373	}
374		374
		375	my $interface_available = 0;
375	for my $interface_module ("Curses", "Tk") {	376	for my $interface_module ("Curses", "Tk") {
376	if ( $Interface eq $interface_module ) {	377	eval "use $interface_module";
377	eval "use $interface_module";	378	if ($@) {
378	if ($@) {	379	&B_log("ERROR","Could not load the '${interface_module}.pm' interface module." .
379	&B_log("ERROR","Could not load the '${interface_module}.pm' interface module." .	380	"This may be due to an invalid \$DISPLAY setting,".
380	"This may be due to an invalid \$DISPLAY setting,".	381	"or the module not being visible to Perl.\n\n");
381	"or the module not being visible to Perl.\n\n");	382	if ( ( $interface_available == 1 ) && ( $interface_module eq "Tk" ) )
382	print '\n';	383	{
383	exit 1;	384	$Interface = "Curses";
384	}	385	}
385	}	386	}
		387	else
		388	{
		389	$interface_available = 1;
		390	}
		391	}
		392
		393	if ( $interface_available == 0 )
		394	{
		395	&B_log("ERROR","No suitable interface module found.\n");
		396	exit 1;
386	}	397	}
387		398
388	# KLUDGE: Load the stub...	399	# KLUDGE: Load the stub...

Lines 45-69 Link Here

(-)Bastille.orig/Bastille/Logging.pm (-17 / +118 lines)
45	#	45	#
46	# Also configure the 7th and 8th TTYs for more logging.	46	# Also configure the 7th and 8th TTYs for more logging.
47		47
48	my $var_log_syslog_lines= <<END_SYSLOG;	48	my $logger, $syslogconf;
		49	my $var_log_syslog_lines, $var_log_kernel_lines, $var_log_loginlog_lines, $tty_log_lines;
		50
		51	if (( -e "/etc/runlevels/default/sysklogd" ) \|\| !(&GetDistro =~/^GN.*/))
		52	{
		53	$var_log_syslog_lines= <<END_SYSLOG;
49	# Log warning and errors to the new file /var/log/syslog	54	# Log warning and errors to the new file /var/log/syslog
50	.warn;.err\t/var/log/syslog	55	.warn;.err\t/var/log/syslog
51		56
52	END_SYSLOG	57	END_SYSLOG
53		58
54	my $var_log_kernel_lines= <<END_KERNEL;	59	$var_log_kernel_lines= <<END_KERNEL;
55	# Log all kernel messages to the new file /var/log/kernel	60	# Log all kernel messages to the new file /var/log/kernel
56	kern.*\t/var/log/kernel	61	kern.*\t/var/log/kernel
57		62
58	END_KERNEL	63	END_KERNEL
59		64
60	my $var_log_loginlog_lines = <<END_LOGINLOG;	65	$var_log_loginlog_lines = <<END_LOGINLOG;
61	# Log all logins to /var/log/loginlog	66	# Log all logins to /var/log/loginlog
62	auth.;user.;daemon.none\t/var/log/loginlog	67	auth.;user.;daemon.none\t/var/log/loginlog
63		68
64	END_LOGINLOG	69	END_LOGINLOG
65		70
66	my $tty_log_lines= <<END_TTY_LOG;	71	$tty_log_lines= <<END_TTY_LOG;
67	# Log additional data to the Alt-F7 and Alt-F8 screens (Pseudo TTY 7 and 8)	72	# Log additional data to the Alt-F7 and Alt-F8 screens (Pseudo TTY 7 and 8)
68		73
69	*.info;mail.none;authpriv.none\t/dev/tty7	74	*.info;mail.none;authpriv.none\t/dev/tty7
Lines 74-97 Link Here
74		79
75	END_TTY_LOG	80	END_TTY_LOG
76		81
77	my $syslogconf = &getGlobal('FILE','syslog.conf');	82	my $logger = "syslogd";
		83	if ($logging_host) {
		84	&B_append_line("/etc/syslog.conf","\\\@$logging_host",".warn;.err\t\@$logging_host\nauthpriv.;auth.\t\@$logging_host\n");
		85	}
		86
		87	}
		88	elsif ( -e "/etc/runlevels/default/syslog-ng" )
		89	{
		90	$var_log_syslog_lines= <<END_SYSLOG;
		91	# Log warning and errors to the new file /var/log/syslog
		92	destination syslog { file("/var/log/syslog"); };
		93	filter f_syslog { facility(warn, err); };
		94	log { source(src); filter(f_syslog); destination(syslog); };
		95
		96	END_SYSLOG
		97
		98	$var_log_kernel_lines= <<END_KERNEL;
		99	# Log all kernel messages to the new file /var/log/kernel
		100	source kernsrc { file("/proc/kmsg"); };
		101	destination kern { file("/var/log/kernel"); };
		102	filter f_kern { facility(kern); };
		103	log { source(kernsrc); filter(f_kern); destination(kern); };
		104
		105	END_KERNEL
		106
		107	$var_log_loginlog_lines = <<END_LOGINLOG;
		108	# Log all logins to /var/log/loginlog
		109	destination loginlog { file("/var/log/loginlog"); };
		110	filter f_loginlog { facility(auth, user) and not facility(daemon); };
		111	log { source(src); filter(f_loginlog); destination(loginlog); };
		112
		113	END_LOGINLOG
		114
		115	$tty_log_lines= <<END_TTY_LOG;
		116	# Log additional data to the Alt-F7 and Alt-F8 screens (Pseudo TTY 7 and 8)
		117
		118	destination tty7 { file("/dev/tty7"); };
		119	destination tty8 { file("/dev/tty8"); };
		120	filter f_info { level(info) and not facility(mail, authpriv); };
		121	filter f_authpriv { facility(authpriv); };
		122	filter f_warnerr { level(warn, err); };
		123	filter f_mail { facility(mail); };
		124	log { source(src); filter(f_info); destination(tty7); };
		125	log { source(src); filter(f_authpriv); destination(tty7); };
		126	log { source(src); filter(f_warnerr); destination(tty7); };
		127	log { source(kernsrc); filter(f_kern); destination(tty7); };
		128	log { source(src); filter(f_mail); destination(tty8); };
		129
		130	END_TTY_LOG
		131
		132	$logger = "syslog-ng";
		133	$syslogconf = "/etc/syslog-ng/syslog-ng.conf";
		134	}
		135	elsif ( -e "/etc/runlevels/default/metalog" )
		136	{
		137	$var_log_syslog_lines= <<END_SYSLOG;
		138	# Log warning and errors to the new directory /var/log/syslog
		139	Syslog :
		140
		141	facility = "warn"
		142	facility = "err"
		143	logdir = "/var/log/syslog"
		144
		145	END_SYSLOG
		146	# $var_log_kernel_lines is included in metalog default on Gentoo systems.
147
148	$var_log_loginlog_lines = <<END_LOGINLOG;
149	# Log all logins to /var/log/loginlog
150	Loginlog :
151	facility = "auth"
152	facility = "user"
153	logdir = "/var/log/loginlog"
154
155	END_LOGINLOG
156
157	$tty_log_lines= <<END_TTY_LOG;
158	# Log additional data to the Alt-F7 and Alt-F8 screens (Pseudo TTY 7 and 8)
159
160	# BASTILLE TODO: Scripts need to be used to run output to different TTYs.
161	END_TTY_LOG
162	$logger = "metalog";
163	$syslogconf = "/etc/metalog.conf";
164	}
165
78	&B_append_line($syslogconf,"ADDITIONS","############ BASTILLE ADDITIONS BELOW : ################# \n");	166	&B_append_line($syslogconf,"ADDITIONS","############ BASTILLE ADDITIONS BELOW : ################# \n");
79		167
80	&B_append_line($syslogconf,'\/var\/log\/syslog',$var_log_syslog_lines);	168	&B_append_line($syslogconf,'\/var\/log\/syslog',$var_log_syslog_lines);
81	&B_append_line($syslogconf,'\/var\/log\/kernel',$var_log_kernel_lines);	169	&B_append_line($syslogconf,'\/var\/log\/kernel',$var_log_kernel_lines);
82	&B_append_line($syslogconf,'\/var\/log\/loginlog',$var_log_loginlog_lines);	170	&B_append_line($syslogconf,'\/var\/log\/loginlog',$var_log_loginlog_lines);
83	&B_append_line($syslogconf,'\/dev\/tty7',$tty_log_lines);	171	&B_append_line($syslogconf,'\/dev\/tty7',$tty_log_lines);
84	&B_append_line($syslogconf,'\/dev\/tty12',".\t/dev/tty12\n");	172	&B_append_line($syslogconf,'\/dev\/tty12',".\t/dev/tty12\n");
		173	&B_append_line($syslogconf,"BASTILLE ADDITIONS CONCLUDED","########## BASTILLE ADDITIONS CONCLUDED : ###############\n");
85		174
86	if ($logging_host) {	175	# Metalog uses a directory-tree structure.
87	&B_append_line($syslogconf,"\\\@$logging_host",".warn;.err\t\@$logging_host\nauthpriv.;auth.\t\@$logging_host\n");	176	if($logger ne "metalog")
		177	{
		178	&B_create_file("/var/log/syslog");
		179	&B_create_file("/var/log/kernel");
		180	&B_create_file("/var/log/loginlog");
88	}	181	}
89		182
90	&B_append_line($syslogconf,"BASTILLE ADDITIONS CONCLUDED","########## BASTILLE ADDITIONS CONCLUDED : ###############\n");
91
92	&B_create_file("/var/log/syslog");
93	&B_create_file("/var/log/kernel");
94	&B_create_file("/var/log/loginlog");
95		183
96	#	184	#
97	# Configure log rotation for the new log files:	185	# Configure log rotation for the new log files:
Lines 101-125 Link Here
101		189
102	/var/log/kernel {	190	/var/log/kernel {
103	postrotate	191	postrotate
104	/usr/bin/killall -HUP syslogd	192	/usr/bin/killall -HUP $logger
105	endscript	193	endscript
106	}	194	}
107		195
108	/var/log/syslog {	196	/var/log/syslog {
109	postrotate	197	postrotate
110	/usr/bin/killall -HUP syslogd	198	/usr/bin/killall -HUP $logger
111	endscript	199	endscript
112	}	200	}
113		201
114	/var/log/loginlog {	202	/var/log/loginlog {
115	postrotate	203	postrotate
116	/usr/bin/killall -HUP syslogd	204	/usr/bin/killall -HUP $logger
117	endscript	205	endscript
118	}	206	}
119	END_NEW_ROT	207	END_NEW_ROT
120		208
		209	my $logrotated;
		210	if(&GetDistro =~/^GN.*/)
		211	{
		212	$logrotated = "/etc/logrotate.d/$logger";
		213	}
		214	else
		215	{
		216	$logrotated = "/etc/logrotate.d/syslog";
		217	}
121		218
122	&B_append_line("/etc/logrotate.d/syslog",'\bloginlog\b',$rotation_lines);	219	# Metalog rotates on its own.
		220	if($logger ne "metalog")
		221	{
		222	&B_append_line($logrotated,'\bloginlog\b',$rotation_lines);
		223	}
123		224
124	}	225	}
125	}	226	}

Line 0 Link Here

(-)Bastille.orig/bastille-firewall.gentoo-init (+42 lines)
	1	#!/sbin/runscript
	2	# Copyright 1999-2004 Gentoo Foundation
	3	# Distributed under the terms of the GNU General Public License v2
	4	# $Header: /var/cvsroot/gentoo-x86/app-admin/bastille/files/bastille-3.0.2-firewall.init,v 1.1 2005/07/31 05:21:10 battousai Exp $
	5
	6	opts="start stop"
	7	BASTILLEPREFIX="/usr/share/Bastille"
	8
	9	depend() {
	10	need logger
	11	}
	12
	13	start() {
	14	# "Borrowed" from the original bastille-firewall init script ((c) P. Watkins)
	15	REALSCRIPT=${BASTILLEPREFIX}/bastille-ipchains
	16	if [ -n "$(uname -r \| awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then
	17	# We are using Linux 2.3 or newer; use the netfilter script if available
	18	if [ -x ${BASTILLEPREFIX}/bastille-netfilter ]; then
	19	REALSCRIPT=${BASTILLEPREFIX}/bastille-netfilter
	20	fi
	21	fi
	22
	23	ebegin "Starting bastille-firewall"
	24	$REALSCRIPT start
	25	eend $? "Failed to start bastille-firewall"
	26	}
	27
	28	stop() {
	29	# "Borrowed" from the original bastille-firewall init script ((c) P. Watkins)
	30	REALSCRIPT=${BASTILLEPREFIX}/bastille-ipchains
	31	if [ -n "$(uname -r \| awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then
	32	# We are using Linux 2.3 or newer; use the netfilter script if available
	33	if [ -x ${BASTILLEPREFIX}/bastille-netfilter ]; then
	34	REALSCRIPT=${BASTILLEPREFIX}/bastille-netfilter
	35	fi
	36	fi
	37
	38	ebegin "Stopping bastille-firewall"
	39	$REALSCRIPT stop
	40	eend $? "Failed to stop bastille-firewall"
	41	}
	42

Lines 56-63 Link Here

(-)Bastille.orig/bastille-netfilter (-2 / +36 lines)
56	fi	56	fi
57		57
58	if [ ! -f ${CONFIG} ]; then	58	if [ ! -f ${CONFIG} ]; then
59	echo "ERROR: unable to read configuration file \"${CONFIG}\""	59	if [ "$1" == "stop" ]; then
60	exit 1	60	echo "INFO: called stop without a configuration file. Emergency firewall clear."
		61
		62	# flushing leaves the default input at ${REJECT_METHOD}
		63	echo -n "resetting default input rules to accept..."
		64	${IPTABLES} -P INPUT ACCEPT
		65	echo " done."
		66	echo -n "resetting default output rule to accept..."
		67	${IPTABLES} -P OUTPUT ACCEPT
		68	echo " done."
		69	# We disabled forwarding with the /proc interface, but we
		70	# reset FORWARD to ACCEPT because that;s the normal default
		71	echo -n "resetting default forward rule to accept..."
		72	${IPTABLES} -P FORWARD ACCEPT
		73	echo " done."
		74	for chain in INPUT OUTPUT FORWARD ; do
		75	echo -n "flushing ${chain} rules..."
		76	${IPTABLES} -F ${chain}
		77	echo " done."
		78	done
		79	for chain in PREROUTING POSTROUTING ; do
		80	${IPTABLES} -t nat -F ${chain}
		81	done
		82	${IPTABLES} -t mangle -F PREROUTING
		83	# flush and delete the user-defined chains
		84	echo -n "removing user-defined chains..."
		85	for chain in PUB_IN PUB_OUT INT_IN INT_OUT PAROLE ; do
		86	${IPTABLES} -F ${chain}
		87	${IPTABLES} -X ${chain}
		88	done
		89	echo " done."
		90	exit 0
		91	else
		92	echo "ERROR: unable to read configuration file \"${CONFIG}\""
		93	exit 1
		94	fi
61	fi	95	fi
62		96
63	# source the configuration file, which will set environment variables	97	# source the configuration file, which will set environment variables

Lines 1-107 Link Here

(-)Bastille.orig/Install.sh (-95 / +97 lines)
1	#!/bin/sh	1	#!/bin/sh
2		2
3	umask 077	3	umask 077
4	RPM_BUILD_ROOT=""
5		4
6	mkdir -p $RPM_BUILD_ROOT/usr/sbin	5	eval `perl -V:version`
7	mkdir -p $RPM_BUILD_ROOT/usr/lib/perl5/site_perl/Curses	6	PERLVERSION=${version}
8	mkdir -p $RPM_BUILD_ROOT/usr/lib/Bastille	7
9	mkdir -p $RPM_BUILD_ROOT/usr/share/Bastille	8	mkdir -p ${DESTDIR}/usr/sbin
10	mkdir -p $RPM_BUILD_ROOT/usr/share/Bastille/OSMap	9	mkdir -p ${DESTDIR}/usr/lib/perl5/vendor_perl/${PERLVERSION}/Curses
11	mkdir -p $RPM_BUILD_ROOT/usr/share/Bastille/Questions	10	mkdir -p ${DESTDIR}/usr/lib/Bastille
12	mkdir -p $RPM_BUILD_ROOT/usr/share/Bastille/FKL/configs/	11	mkdir -p ${DESTDIR}/usr/share/Bastille
13	mkdir -p $RPM_BUILD_ROOT/var/lock/subsys/bastille	12	mkdir -p ${DESTDIR}/usr/share/Bastille/OSMap
		13	mkdir -p ${DESTDIR}/usr/share/Bastille/Questions
		14	mkdir -p ${DESTDIR}/usr/share/Bastille/FKL/configs/
		15	mkdir -p ${DESTDIR}/var/lock/subsys/bastille
14		16
15	cp AutomatedBastille $RPM_BUILD_ROOT/usr/sbin/	17	cp AutomatedBastille ${DESTDIR}/usr/sbin/
16	cp BastilleBackEnd $RPM_BUILD_ROOT/usr/sbin	18	cp BastilleBackEnd ${DESTDIR}/usr/sbin
17	cp Bastille_Curses.pm $RPM_BUILD_ROOT/usr/lib/perl5/site_perl	19	cp Bastille_Curses.pm ${DESTDIR}/usr/lib/perl5/vendor_perl/${PERLVERSION}
18	cp Bastille_Tk.pm $RPM_BUILD_ROOT/usr/lib/perl5/site_perl	20	cp Bastille_Tk.pm ${DESTDIR}/usr/lib/perl5/vendor_perl/${PERLVERSION}
19	cp Curses/Widgets.pm $RPM_BUILD_ROOT/usr/lib/perl5/site_perl/Curses	21	cp Curses/Widgets.pm ${DESTDIR}/usr/lib/perl5/vendor_perl/${PERLVERSION}/Curses
20	cp InteractiveBastille $RPM_BUILD_ROOT/usr/sbin	22	cp InteractiveBastille ${DESTDIR}/usr/sbin
21	# Questions.txt has been replaced by Modules.txt and Questions/	23	# Questions.txt has been replaced by Modules.txt and Questions/
22	#cp Questions.txt $RPM_BUILD_ROOT/usr/share/Bastille	24	#cp Questions.txt ${DESTDIR}/usr/share/Bastille
23	cp Modules.txt $RPM_BUILD_ROOT/usr/share/Bastille	25	cp Modules.txt ${DESTDIR}/usr/share/Bastille
24	# New Weights file(s).	26	# New Weights file(s).
25	cp Weights.txt $RPM_BUILD_ROOT/usr/share/Bastille	27	cp Weights.txt ${DESTDIR}/usr/share/Bastille
26	# Castle graphic	28	# Castle graphic
27	cp bastille.jpg $RPM_BUILD_ROOT/usr/share/Bastille/	29	cp bastille.jpg ${DESTDIR}/usr/share/Bastille/
28	# Javascript file	30	# Javascript file
29	cp wz_tooltip.js $RPM_BUILD_ROOT/usr/share/Bastille/	31	cp wz_tooltip.js ${DESTDIR}/usr/share/Bastille/
30	cp Credits $RPM_BUILD_ROOT/usr/share/Bastille	32	cp Credits ${DESTDIR}/usr/share/Bastille
31	cp FKL/configs/fkl_config_redhat.cfg $RPM_BUILD_ROOT/usr/share/Bastille/FKL/configs/	33	cp FKL/configs/fkl_config_redhat.cfg ${DESTDIR}/usr/share/Bastille/FKL/configs/
32		34
33	cp RevertBastille $RPM_BUILD_ROOT/usr/sbin	35	cp RevertBastille ${DESTDIR}/usr/sbin
34	ln -s $RPM_BUILD_ROOT/usr/sbin/RevertBastille $RPM_BUILD_ROOT/usr/sbin/UndoBastille	36	ln -s ${DESTDIR}/usr/sbin/RevertBastille ${DESTDIR}/usr/sbin/UndoBastille
35	cp bin/bastille $RPM_BUILD_ROOT/usr/sbin	37	cp bin/bastille ${DESTDIR}/usr/sbin
36	chmod +x $RPM_BUILD_ROOT/usr/sbin/RevertBastille	38	chmod +x ${DESTDIR}/usr/sbin/RevertBastille
37	cp bastille-firewall $RPM_BUILD_ROOT/usr/share/Bastille	39	cp bastille-firewall ${DESTDIR}/usr/share/Bastille
38	cp bastille-firewall-reset $RPM_BUILD_ROOT/usr/share/Bastille	40	cp bastille-firewall-reset ${DESTDIR}/usr/share/Bastille
39	cp bastille-firewall-schedule $RPM_BUILD_ROOT/usr/share/Bastille	41	cp bastille-firewall-schedule ${DESTDIR}/usr/share/Bastille
40	cp bastille-tmpdir-defense.sh $RPM_BUILD_ROOT/usr/share/Bastille	42	cp bastille-tmpdir-defense.sh ${DESTDIR}/usr/share/Bastille
41	cp bastille-tmpdir.csh $RPM_BUILD_ROOT/usr/share/Bastille	43	cp bastille-tmpdir.csh ${DESTDIR}/usr/share/Bastille
42	cp bastille-tmpdir.sh $RPM_BUILD_ROOT/usr/share/Bastille	44	cp bastille-tmpdir.sh ${DESTDIR}/usr/share/Bastille
43	cp bastille-firewall.cfg $RPM_BUILD_ROOT/usr/share/Bastille	45	cp bastille-firewall.cfg ${DESTDIR}/usr/share/Bastille
44	cp bastille-ipchains $RPM_BUILD_ROOT/usr/share/Bastille	46	cp bastille-ipchains ${DESTDIR}/usr/share/Bastille
45	cp bastille-netfilter $RPM_BUILD_ROOT/usr/share/Bastille	47	cp bastille-netfilter ${DESTDIR}/usr/share/Bastille
46	cp bastille-firewall-early.sh $RPM_BUILD_ROOT/usr/share/Bastille	48	cp bastille-firewall-early.sh ${DESTDIR}/usr/share/Bastille
47	cp bastille-firewall-pre-audit.sh $RPM_BUILD_ROOT/usr/share/Bastille	49	cp bastille-firewall-pre-audit.sh ${DESTDIR}/usr/share/Bastille
48	cp complete.xbm $RPM_BUILD_ROOT/usr/share/Bastille	50	cp complete.xbm ${DESTDIR}/usr/share/Bastille
49	cp incomplete.xbm $RPM_BUILD_ROOT/usr/share/Bastille	51	cp incomplete.xbm ${DESTDIR}/usr/share/Bastille
50	cp ifup-local $RPM_BUILD_ROOT/usr/share/Bastille	52	cp ifup-local ${DESTDIR}/usr/share/Bastille
51		53
52		54
53	cp hosts.allow $RPM_BUILD_ROOT/usr/share/Bastille	55	cp hosts.allow ${DESTDIR}/usr/share/Bastille
54	cp Bastille/AccountSecurity.pm $RPM_BUILD_ROOT/usr/lib/Bastille	56	cp Bastille/AccountSecurity.pm ${DESTDIR}/usr/lib/Bastille
55	cp Bastille/Apache.pm $RPM_BUILD_ROOT/usr/lib/Bastille	57	cp Bastille/Apache.pm ${DESTDIR}/usr/lib/Bastille
56	cp Bastille/API.pm $RPM_BUILD_ROOT/usr/lib/Bastille	58	cp Bastille/API.pm ${DESTDIR}/usr/lib/Bastille
57	cp Bastille/BootSecurity.pm $RPM_BUILD_ROOT/usr/lib/Bastille	59	cp Bastille/BootSecurity.pm ${DESTDIR}/usr/lib/Bastille
58	cp Bastille/ConfigureMiscPAM.pm $RPM_BUILD_ROOT/usr/lib/Bastille	60	cp Bastille/ConfigureMiscPAM.pm ${DESTDIR}/usr/lib/Bastille
59	cp Bastille/DisableUserTools.pm $RPM_BUILD_ROOT/usr/lib/Bastille	61	cp Bastille/DisableUserTools.pm ${DESTDIR}/usr/lib/Bastille
60	cp Bastille/DNS.pm $RPM_BUILD_ROOT/usr/lib/Bastille	62	cp Bastille/DNS.pm ${DESTDIR}/usr/lib/Bastille
61	cp Bastille/FilePermissions.pm $RPM_BUILD_ROOT/usr/lib/Bastille	63	cp Bastille/FilePermissions.pm ${DESTDIR}/usr/lib/Bastille
62	cp Bastille/FTP.pm $RPM_BUILD_ROOT/usr/lib/Bastille	64	cp Bastille/FTP.pm ${DESTDIR}/usr/lib/Bastille
63	cp Bastille/Firewall.pm $RPM_BUILD_ROOT/usr/lib/Bastille	65	cp Bastille/Firewall.pm ${DESTDIR}/usr/lib/Bastille
64	cp Bastille/HP_API.pm $RPM_BUILD_ROOT/usr/lib/Bastille	66	cp Bastille/HP_API.pm ${DESTDIR}/usr/lib/Bastille
65	cp Bastille/OSX_API.pm $RPM_BUILD_ROOT/usr/lib/Bastille	67	cp Bastille/OSX_API.pm ${DESTDIR}/usr/lib/Bastille
66	cp Bastille/LogAPI.pm $RPM_BUILD_ROOT/usr/lib/Bastille	68	cp Bastille/LogAPI.pm ${DESTDIR}/usr/lib/Bastille
67	cp Bastille/HP_UX.pm $RPM_BUILD_ROOT/usr/lib/Bastille	69	cp Bastille/HP_UX.pm ${DESTDIR}/usr/lib/Bastille
68	cp Bastille/IOLoader.pm $RPM_BUILD_ROOT/usr/lib/Bastille	70	cp Bastille/IOLoader.pm ${DESTDIR}/usr/lib/Bastille
69	cp Bastille/Patches.pm $RPM_BUILD_ROOT/usr/lib/Bastille	71	cp Bastille/Patches.pm ${DESTDIR}/usr/lib/Bastille
70	cp Bastille/Logging.pm $RPM_BUILD_ROOT/usr/lib/Bastille	72	cp Bastille/Logging.pm ${DESTDIR}/usr/lib/Bastille
71	cp Bastille/MiscellaneousDaemons.pm $RPM_BUILD_ROOT/usr/lib/Bastille	73	cp Bastille/MiscellaneousDaemons.pm ${DESTDIR}/usr/lib/Bastille
72	cp Bastille/PatchDownload.pm $RPM_BUILD_ROOT/usr/lib/Bastille	74	cp Bastille/PatchDownload.pm ${DESTDIR}/usr/lib/Bastille
73	cp Bastille/Printing.pm $RPM_BUILD_ROOT/usr/lib/Bastille	75	cp Bastille/Printing.pm ${DESTDIR}/usr/lib/Bastille
74	cp Bastille/PSAD.pm $RPM_BUILD_ROOT/usr/lib/Bastille	76	cp Bastille/PSAD.pm ${DESTDIR}/usr/lib/Bastille
75	cp Bastille/RemoteAccess.pm $RPM_BUILD_ROOT/usr/lib/Bastille	77	cp Bastille/RemoteAccess.pm ${DESTDIR}/usr/lib/Bastille
76	cp Bastille/SecureInetd.pm $RPM_BUILD_ROOT/usr/lib/Bastille	78	cp Bastille/SecureInetd.pm ${DESTDIR}/usr/lib/Bastille
77	cp Bastille/Sendmail.pm $RPM_BUILD_ROOT/usr/lib/Bastille	79	cp Bastille/Sendmail.pm ${DESTDIR}/usr/lib/Bastille
78	cp Bastille/TMPDIR.pm $RPM_BUILD_ROOT/usr/lib/Bastille	80	cp Bastille/TMPDIR.pm ${DESTDIR}/usr/lib/Bastille
79	cp Bastille/test_AccountSecurity.pm $RPM_BUILD_ROOT/usr/lib/Bastille	81	cp Bastille/test_AccountSecurity.pm ${DESTDIR}/usr/lib/Bastille
80	cp Bastille/test_Apache.pm $RPM_BUILD_ROOT/usr/lib/Bastille	82	cp Bastille/test_Apache.pm ${DESTDIR}/usr/lib/Bastille
81	cp Bastille/test_DNS.pm $RPM_BUILD_ROOT/usr/lib/Bastille	83	cp Bastille/test_DNS.pm ${DESTDIR}/usr/lib/Bastille
82	cp Bastille/test_FTP.pm $RPM_BUILD_ROOT/usr/lib/Bastille	84	cp Bastille/test_FTP.pm ${DESTDIR}/usr/lib/Bastille
83	cp Bastille/test_HP_UX.pm $RPM_BUILD_ROOT/usr/lib/Bastille	85	cp Bastille/test_HP_UX.pm ${DESTDIR}/usr/lib/Bastille
84	cp Bastille/test_MiscellaneousDaemons.pm $RPM_BUILD_ROOT/usr/lib/Bastille	86	cp Bastille/test_MiscellaneousDaemons.pm ${DESTDIR}/usr/lib/Bastille
85	cp Bastille/test_SecureInetd.pm $RPM_BUILD_ROOT/usr/lib/Bastille	87	cp Bastille/test_SecureInetd.pm ${DESTDIR}/usr/lib/Bastille
86	cp Bastille/test_Sendmail.pm $RPM_BUILD_ROOT/usr/lib/Bastille	88	cp Bastille/test_Sendmail.pm ${DESTDIR}/usr/lib/Bastille
87	cp Bastille/test_BootSecurity.pm $RPM_BUILD_ROOT/usr/lib/Bastille	89	cp Bastille/test_BootSecurity.pm ${DESTDIR}/usr/lib/Bastille
88	cp Bastille/test_DisableUserTools.pm $RPM_BUILD_ROOT/usr/lib/Bastille	90	cp Bastille/test_DisableUserTools.pm ${DESTDIR}/usr/lib/Bastille
89	cp Bastille/test_FilePermissions.pm $RPM_BUILD_ROOT/usr/lib/Bastille	91	cp Bastille/test_FilePermissions.pm ${DESTDIR}/usr/lib/Bastille
90	cp Bastille/test_Logging.pm $RPM_BUILD_ROOT/usr/lib/Bastille	92	cp Bastille/test_Logging.pm ${DESTDIR}/usr/lib/Bastille
91	cp Bastille/test_Printing.pm $RPM_BUILD_ROOT/usr/lib/Bastille	93	cp Bastille/test_Printing.pm ${DESTDIR}/usr/lib/Bastille
92	cp Bastille/TestAPI.pm $RPM_BUILD_ROOT/usr/lib/Bastille	94	cp Bastille/TestAPI.pm ${DESTDIR}/usr/lib/Bastille
93	cp Bastille/IPFilter.pm $RPM_BUILD_ROOT/usr/lib/Bastille	95	cp Bastille/IPFilter.pm ${DESTDIR}/usr/lib/Bastille
94		96
95		97
96		98
97	cp OSMap/LINUX.bastille $RPM_BUILD_ROOT/usr/share/Bastille/OSMap	99	cp OSMap/LINUX.bastille ${DESTDIR}/usr/share/Bastille/OSMap
98	cp OSMap/LINUX.system $RPM_BUILD_ROOT/usr/share/Bastille/OSMap	100	cp OSMap/LINUX.system ${DESTDIR}/usr/share/Bastille/OSMap
99	cp OSMap/HP-UX.bastille $RPM_BUILD_ROOT/usr/share/Bastille/OSMap	101	cp OSMap/HP-UX.bastille ${DESTDIR}/usr/share/Bastille/OSMap
100	cp OSMap/HP-UX.system $RPM_BUILD_ROOT/usr/share/Bastille/OSMap	102	cp OSMap/HP-UX.system ${DESTDIR}/usr/share/Bastille/OSMap
101	cp OSMap/HP-UX.service $RPM_BUILD_ROOT/usr/share/Bastille/OSMap	103	cp OSMap/HP-UX.service ${DESTDIR}/usr/share/Bastille/OSMap
102	cp OSMap/OSX.bastille $RPM_BUILD_ROOT/usr/share/Bastille/OSMap	104	cp OSMap/OSX.bastille ${DESTDIR}/usr/share/Bastille/OSMap
103	cp OSMap/OSX.system $RPM_BUILD_ROOT/usr/share/Bastille/OSMap	105	cp OSMap/OSX.system ${DESTDIR}/usr/share/Bastille/OSMap
104		106
105	for file in `cat Modules.txt` ; do	107	for file in `cat Modules.txt` ; do
106	cp Questions/$file.txt $RPM_BUILD_ROOT/usr/share/Bastille/Questions	108	cp Questions/$file.txt ${DESTDIR}/usr/share/Bastille/Questions
107	done	109	done

Lines 1-4 Link Here

(-)Bastille.orig/OSMap/LINUX.system (-5 / +28 lines)
1	bin,XFree86,'/usr/X11R6/bin/XFree86'	1	bin,XFree86,'/usr/X11R6/bin/XFree86'
		2	bin,XFree86,'/usr/bin/Xorg',GN
2	bin,Xwrapper,'/usr/X11R6/bin/Xwrapper'	3	bin,Xwrapper,'/usr/X11R6/bin/Xwrapper'
3		4
4	bin,accton,'/usr/sbin/accton'	5	bin,accton,'/usr/sbin/accton'
Lines 9-16 Link Here
9	bin,bash,'/bin/bash'	10	bin,bash,'/bin/bash'
10	bin,cardctl,'/sbin/cardctl'	11	bin,cardctl,'/sbin/cardctl'
11	bin,chattr,'/usr/bin/chattr'	12	bin,chattr,'/usr/bin/chattr'
		13	bin,chattr,'/bin/chattr',GN
12	bin,chgrp,'/bin/chgrp'	14	bin,chgrp,'/bin/chgrp'
13	bin,chkconfig,'/sbin/chkconfig'	15	bin,chkconfig,'/sbin/chkconfig'
		16	bin,chkconfig,'/sbin/rc-update',GN
14	bin,chmod,'/bin/chmod'	17	bin,chmod,'/bin/chmod'
15	bin,chown,'/bin/chown'	18	bin,chown,'/bin/chown'
16	bin,cksum,'/usr/bin/cksum'	19	bin,cksum,'/usr/bin/cksum'
Lines 20-25 Link Here
20	bin,diff,'/usr/bin/diff'	23	bin,diff,'/usr/bin/diff'
21	bin,dos,'/usr/bin/dos'	24	bin,dos,'/usr/bin/dos'
22	bin,dump,'/sbin/dump'	25	bin,dump,'/sbin/dump'
		26	bin,dump,'/usr/sbin/dump',GN
23	bin,echo,'/bin/echo'	27	bin,echo,'/bin/echo'
24	bin,grep,'/bin/grep'	28	bin,grep,'/bin/grep'
25	bin,grep,'/usr/bin/grep',SE	29	bin,grep,'/usr/bin/grep',SE
Lines 44-55 Link Here
44	bin,named-xfer,'/usr/sbin/named-xfer'	48	bin,named-xfer,'/usr/sbin/named-xfer'
45	bin,ping,'/bin/ping'	49	bin,ping,'/bin/ping'
46	bin,ping6,'/usr/sbin/ping6',RH7.0,RH7.1,RH7.2,RH7.3,RH8.0,RH9,RHEL2	50	bin,ping6,'/usr/sbin/ping6',RH7.0,RH7.1,RH7.2,RH7.3,RH8.0,RH9,RHEL2
47	bin,ping6,'/bin/ping6',DB,RHEL3,RHFC1,RHFC2,RHFC3,RHFC4,RHFC5,SE9.1,SE9.2,SE9.3,SE10.0,SESLES9	51	bin,ping6,'/bin/ping6',DB,RHEL3,RHFC1,RHFC2,RHFC3,RHFC4,RHFC5,SE9.1,SE9.2,SE9.3,SE10.0,SESLES9,GN
48	bin,ping6,'/usr/bin/ping6',MN9.2,MN10.0,MN10.1,MN2006.0	52	bin,ping6,'/usr/bin/ping6',MN9.2,MN10.0,MN10.1,MN2006.0
49	bin,ps,'/bin/ps'	53	bin,ps,'/bin/ps'
50	bin,rcp,'/usr/bin/rcp'	54	bin,rcp,'/usr/bin/rcp'
51	bin,rdist,'/usr/bin/rdist'	55	bin,rdist,'/usr/bin/rdist'
52	bin,restore,'/sbin/restore'	56	bin,restore,'/sbin/restore'
		57	bin,restore,'/usr/sbin/restore',GN
53	bin,rexec,'/usr/bin/rexec'	58	bin,rexec,'/usr/bin/rexec'
54	bin,rexecd,'/usr/sbin/in.rexecd'	59	bin,rexecd,'/usr/sbin/in.rexecd'
55	bin,rlogin,'/usr/bin/rlogin'	60	bin,rlogin,'/usr/bin/rlogin'
Lines 57-62 Link Here
57	bin,rm,'/bin/rm'	62	bin,rm,'/bin/rm'
58	bin,rmdir,'/bin/rmdir'	63	bin,rmdir,'/bin/rmdir'
59	bin,rpm,'/bin/rpm'	64	bin,rpm,'/bin/rpm'
		65	bin,rpm,'/usr/bin/rpm',GN
60	bin,rsh,'/usr/bin/rsh'	66	bin,rsh,'/usr/bin/rsh'
61	bin,rcp,'/usr/bin/rcp'	67	bin,rcp,'/usr/bin/rcp'
62	bin,rshd,'/usr/sbin/in.rshd'	68	bin,rshd,'/usr/sbin/in.rshd'
Lines 65-74 Link Here
65	bin,startinnfeed,'/usr/bin/startinnfeed'	71	bin,startinnfeed,'/usr/bin/startinnfeed'
66	bin,sulogin,'/sbin/sulogin'	72	bin,sulogin,'/sbin/sulogin'
67	bin,touch,'/bin/touch'	73	bin,touch,'/bin/touch'
		74	bin,touch,'/usr/bin/touch',GN
68	bin,traceroute,'/usr/sbin/traceroute'	75	bin,traceroute,'/usr/sbin/traceroute'
		76	bin,traceroute,'/usr/bin/traceroute',GN
69		77
70	bin,traceroute6,'/bin/traceroute6'	78	bin,traceroute6,'/bin/traceroute6'
71	bin,traceroute6,'/usr/sbin/traceroute6',RH7.0,RH7.1,RH7.2,RH7.3,RH8.0,RH9,RHEL2,MN9.2,MN10.0,MN10.1,MN2006.0	79	bin,traceroute6,'/usr/sbin/traceroute6',RH7.0,RH7.1,RH7.2,RH7.3,RH8.0,RH9,RHEL2,MN9.2,MN10.0,MN10.1,MN2006.0,GN
72	bin,traceroute6,'/usr/bin/traceroute6',DB	80	bin,traceroute6,'/usr/bin/traceroute6',DB
73		81
74	bin,umount,'/bin/umount'	82	bin,umount,'/bin/umount'
Lines 82-94 Link Here
82	dir,home,'/home'	90	dir,home,'/home'
83		91
84	dir,initd,'/etc/rc.d/init.d'	92	dir,initd,'/etc/rc.d/init.d'
85	dir,initd,'/etc/init.d',DB,SE,SLES	93	dir,initd,'/etc/init.d',DB,SE,SLES,GN
86		94
87	dir,log,'/var/log'	95	dir,log,'/var/log'
88	dir,pamd,'/etc/pam.d'	96	dir,pamd,'/etc/pam.d'
89		97
90	dir,rcd,'/etc/rc.d'	98	dir,rcd,'/etc/rc.d'
91	dir,rcd,'/etc',DB	99	dir,rcd,'/etc',DB
		100	dir,rcd,'/etc/runlevels',GN
92		101
93	dir,sbin,'/sbin'	102	dir,sbin,'/sbin'
94	dir,xinetd.d,'/etc/xinetd.d'	103	dir,xinetd.d,'/etc/xinetd.d'
Lines 104-109 Link Here
104	file,chkconfig_apmd,'/etc/rc.d/rc3.d/S26apmd'	113	file,chkconfig_apmd,'/etc/rc.d/rc3.d/S26apmd'
105	file,chkconfig_apmd,'/etc/rc3.d/S26apmd',DB	114	file,chkconfig_apmd,'/etc/rc3.d/S26apmd',DB
106	file,chkconfig_apmd,'/etc/rc.config',SE	115	file,chkconfig_apmd,'/etc/rc.config',SE
		116	file,chkconfig_apmd,'/etc/runlevels/default/apmd',GN
107	file,initd_apmd,'/etc/init.d/apmd'	117	file,initd_apmd,'/etc/init.d/apmd'
108		118
109	file,initd_acpid,'/etc/init.d/acpid'	119	file,initd_acpid,'/etc/init.d/acpid'
Lines 114-137 Link Here
114	file,chkconfig_dhcpd,'/etc/rc.d/rc3.d/S65dhcpd'	124	file,chkconfig_dhcpd,'/etc/rc.d/rc3.d/S65dhcpd'
115	file,chkconfig_dhcpd,'/etc/rc3.d/S65dhcpd',DB	125	file,chkconfig_dhcpd,'/etc/rc3.d/S65dhcpd',DB
116	file,chkconfig_dhcpd,'/etc/rc.config',SE	126	file,chkconfig_dhcpd,'/etc/rc.config',SE
		127	file,chkconfig_dhcpd,'/etc/runlevels/default/dhcpd',GN
117	file,initd_dhcpd,'/etc/init.d/dhcpd'	128	file,initd_dhcpd,'/etc/init.d/dhcpd'
118		129
119	file,chkconfig_gated,'/etc/rc.d/rc3.d/S32gated'	130	file,chkconfig_gated,'/etc/rc.d/rc3.d/S32gated'
120	file,chkconfig_gated,'/etc/rc3.d/S32gated',DB	131	file,chkconfig_gated,'/etc/rc3.d/S32gated',DB
		132	file,chkconfig_gated,'/etc/runlevels/default/gated',GN
121	file,initd_gated,'/etc/init.d/gated'	133	file,initd_gated,'/etc/init.d/gated'
122		134
123	file,chkconfig_gpm,'/etc/rc.d/rc3.d/S85gpm'	135	file,chkconfig_gpm,'/etc/rc.d/rc3.d/S85gpm'
124	file,chkconfig_gpm,'/etc/rc3.d/S20gpm',DB	136	file,chkconfig_gpm,'/etc/rc3.d/S20gpm',DB
125	file,chkconfig_gpm,'/etc/rc.config',SE	137	file,chkconfig_gpm,'/etc/rc.config',SE
		138	file,chkconfig_gpm,'/etc/runlevels/default/gpm',GN
126	file,initd_gpm,'/etc/init.d/gpm'	139	file,initd_gpm,'/etc/init.d/gpm'
127		140
128	file,chkconfig_httpd,'/etc/rc.d/rc3.d/S85httpd'	141	file,chkconfig_httpd,'/etc/rc.d/rc3.d/S85httpd'
129	file,chkconfig_httpd,'/etc/rc3.d/S91httpd',DB	142	file,chkconfig_httpd,'/etc/rc3.d/S91httpd',DB
		143	file,chkconfig_httpd,'/etc/runlevels/default/apache2',GN
130	file,initd_httpd,'/etc/init.d/httpd'	144	file,initd_httpd,'/etc/init.d/httpd'
131	file,initd_httpd2,'/etc/init.d/httpd2'	145	file,initd_httpd2,'/etc/init.d/httpd2'
		146	file,initd_httpd,'/etc/init.d/apache2',GN
		147	file,initd_httpd2,'/etc/init.d/apache2',GN
132		148
133	file,chkconfig_innd,'/etc/rc.d/rc3.d/S95innd'	149	file,chkconfig_innd,'/etc/rc.d/rc3.d/S95innd'
134	file,chkconfig_innd,'/etc/rc3.d/S95innd',DB	150	file,chkconfig_innd,'/etc/rc3.d/S95innd',DB
		151	file,chkconfig_innd,'/etc/runlevels/default/innd',GN
135	file,initd_innd,'/etc/init.d/innd'	152	file,initd_innd,'/etc/init.d/innd'
136		153
137	file,chkconfig_kudzu,'/etc/init.d/kudzu'	154	file,chkconfig_kudzu,'/etc/init.d/kudzu'
Lines 139-144 Link Here
139		156
140	file,chkconfig_named,'/etc/rc.d/rc3.d/S55named'	157	file,chkconfig_named,'/etc/rc.d/rc3.d/S55named'
141	file,chkconfig_named,'/etc/rc3.d/S15named',DB	158	file,chkconfig_named,'/etc/rc3.d/S15named',DB
		159	file,chkconfig_named,'/etc/runlevels/default/named',GN
142	file,initd_named,'/etc/init.d/named'	160	file,initd_named,'/etc/init.d/named'
143		161
144	file,chkconfig_nfs,'/etc/rc.d/rc3.d/S60nfs'	162	file,chkconfig_nfs,'/etc/rc.d/rc3.d/S60nfs'
Lines 149-154 Link Here
149	file,chkconfig_pcmcia,'/etc/rc.d/rc3.d/S45pcmcia'	167	file,chkconfig_pcmcia,'/etc/rc.d/rc3.d/S45pcmcia'
150	file,chkconfig_pcmcia,'/etc/rc3.d/S45pcmcia',DB	168	file,chkconfig_pcmcia,'/etc/rc3.d/S45pcmcia',DB
151	file,chkconfig_pcmcia,'/etc/rc.config',SE	169	file,chkconfig_pcmcia,'/etc/rc.config',SE
		170	file,chkconfig_pcmcia,'/etc/runlevels/default/pcmcia',GN
152	file,initd_pcmcia,'/etc/init.d/pcmcia'	171	file,initd_pcmcia,'/etc/init.d/pcmcia'
153		172
154	file,initd_mDNSResponder,'/etc/init.d/mDNSResponder'	173	file,initd_mDNSResponder,'/etc/init.d/mDNSResponder'
Lines 163-168 Link Here
163		182
164	file,chkconfig_routed,'/etc/rc.d/rc3.d/S55gated'	183	file,chkconfig_routed,'/etc/rc.d/rc3.d/S55gated'
165	file,chkconfig_routed,'/etc/rc3.d/S55gated',DB	184	file,chkconfig_routed,'/etc/rc3.d/S55gated',DB
		185	file,chkconfig_routed,'/etc/runlevels/default/gated',GN
166	file,initd_routed,'/etc/init.d/routed'	186	file,initd_routed,'/etc/init.d/routed'
167		187
168	file,chkconfig_snmpd,'/etc/rc.d/rc3.d/S50snmpd'	188	file,chkconfig_snmpd,'/etc/rc.d/rc3.d/S50snmpd'
Lines 190-209 Link Here
190	file,shadow,'/etc/shadow'	210	file,shadow,'/etc/shadow'
191		211
192	file,grub.conf,'/etc/grub.conf'	212	file,grub.conf,'/etc/grub.conf'
193	file,grub.conf,'/boot/grub/grub.conf',RH9,RHEL,RHFC	213	file,grub.conf,'/boot/grub/grub.conf',RH9,RHEL,RHFC,GN
194	file,grub.conf,'/boot/grub/menu.lst',SE,MN	214	file,grub.conf,'/boot/grub/menu.lst',SE,MN
195	file,hosts.allow,'/etc/hosts.allow'	215	file,hosts.allow,'/etc/hosts.allow'
196	file,hosts.deny,'/etc/hosts.deny'	216	file,hosts.deny,'/etc/hosts.deny'
197		217
198	file,httpd,'/usr/sbin/httpd'	218	file,httpd,'/usr/sbin/httpd'
199	file,httpd,'/usr/sbin/apache',DB	219	file,httpd,'/usr/sbin/apache',DB
		220	file,httpd,'/usr/sbin/apache2',GN
200		221
201	file,httpd2,'/usr/sbin/httpd2'	222	file,httpd2,'/usr/sbin/httpd2'
		223	file,httpd2,'/usr/sbin/apache2',GN
202		224
203	file,httpd.conf,'/etc/httpd/conf/httpd.conf'	225	file,httpd.conf,'/etc/httpd/conf/httpd.conf'
204	file,httpd.conf,'/etc/apache/httpd.conf',DB	226	file,httpd.conf,'/etc/apache/httpd.conf',DB
205	file,httpd.conf,'/etc/httpd/httpd.conf',SE7.2 SE7.3 SE8.0	227	file,httpd.conf,'/etc/httpd/httpd.conf',SE7.2 SE7.3 SE8.0
206	file,httpd.conf,'/etc/apache2/httpd.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES	228	file,httpd.conf,'/etc/apache2/httpd.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES,GN
207	file,httpd.conf,'/etc/httpd/conf/httpd2.conf',MN10.1	229	file,httpd.conf,'/etc/httpd/conf/httpd2.conf',MN10.1
208	# SuSE breaks httpd.conf into many files after 8.	230	# SuSE breaks httpd.conf into many files after 8.
209	file,listen.conf,'/etc/apache2/listen.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES	231	file,listen.conf,'/etc/apache2/listen.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES
Lines 216-221 Link Here
216	file,httpd_access.conf,'/etc/httpd/httpd.conf',SE7.2 SE7.3 SE8.0	238	file,httpd_access.conf,'/etc/httpd/httpd.conf',SE7.2 SE7.3 SE8.0
217	file,httpd_access.conf,'/etc/apache2/httpd.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES	239	file,httpd_access.conf,'/etc/apache2/httpd.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES
218	file,httpd_access.conf,'/etc/httpd/conf/commonhttpd.conf',MN10.1	240	file,httpd_access.conf,'/etc/httpd/conf/commonhttpd.conf',MN10.1
		241	file,httpd_access.conf,'/etc/apache2/access.conf',GN
219		242
220	file,inetd.conf,'/etc/inetd.conf'	243	file,inetd.conf,'/etc/inetd.conf'
221	file,inittab,'/etc/inittab'	244	file,inittab,'/etc/inittab'

Lines 20-39 Link Here

(-)Bastille.orig/Questions/Apache.txt (-4 / +4 lines)
20	PROPER_PARENT: namedoff	20	PROPER_PARENT: namedoff
21		21
22	LABEL: apacheoff	22	LABEL: apacheoff
23	SHORT_EXP: "Will you be using the Apache web server immediately? Again,	23	SHORT_EXP: "Will you be using the Apache2 web server immediately? Again,
24	minimalism is a critical part of a good site security. If you don't	24	minimalism is a critical part of a good site security. If you don't
25	need to run a web server, at least not right now, you should deactivate it.	25	need to run a web server, at least not right now, you should deactivate it.
26	You can restart the web server later by typing:	26	You can restart the web server later by typing:
27		27
28	/sbin/chkconfig httpd on	28	/sbin/rc-update add apache2 default
29	"	29	"
30	QUESTION: "Would you like to deactivate the Apache web server? [Y]"	30	QUESTION: "Would you like to deactivate the Apache2 web server? [Y]"
31	QUESTION_AUDIT: "Is the Apache Web server deactivated?"	31	QUESTION_AUDIT: "Is the Apache Web server deactivated?"
32	REQUIRE_DISTRO: LINUX DB SE TB	32	REQUIRE_DISTRO: LINUX DB SE TB
33	DEFAULT_ANSWER: Y	33	DEFAULT_ANSWER: Y
34	YN_TOGGLE: 1	34	YN_TOGGLE: 1
35	REG_EXP: "^Y$\|^N$"	35	REG_EXP: "^Y$\|^N$"
36	YES_EXP: "Even though you've deactivated the Apache web server, there are	36	YES_EXP: "Even though you've deactivated the Apache2 web server, there are
37	still a few more questions related to it. It's good to take the precautions in	37	still a few more questions related to it. It's good to take the precautions in
38	the next steps even if you've turned off the web server, since it might get	38	the next steps even if you've turned off the web server, since it might get
39	turned on again later."	39	turned on again later."

Lines 10-16 Link Here

(-)Bastille.orig/Questions/Logging.txt (-3 / +3 lines)
10	a \"risky\" move."	10	a \"risky\" move."
11	QUESTION: "Would you like to add additional logging? [Y]"	11	QUESTION: "Would you like to add additional logging? [Y]"
12	QUESTION_AUDIT: "Has additional logging been added?"	12	QUESTION_AUDIT: "Has additional logging been added?"
13	REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB	13	REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB GN
14	DEFAULT_ANSWER: Y	14	DEFAULT_ANSWER: Y
15	YN_TOGGLE: 1	15	YN_TOGGLE: 1
16	REG_EXP: "^Y$\|^N$"	16	REG_EXP: "^Y$\|^N$"
Lines 33-39 Link Here
33	SHORT_EXP: "If you already have a remote logging host, we can set this	33	SHORT_EXP: "If you already have a remote logging host, we can set this
34	machine to log to it."	34	machine to log to it."
35	QUESTION: "Do you have a remote logging host? [N]"	35	QUESTION: "Do you have a remote logging host? [N]"
36	REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB	36	REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB GN
37	DEFAULT_ANSWER: N	37	DEFAULT_ANSWER: N
38	YN_TOGGLE: 1	38	YN_TOGGLE: 1
39	REG_EXP: "^Y$\|^N$"	39	REG_EXP: "^Y$\|^N$"
Lines 53-59 Link Here
53	poisoning attacks on logging. You may use a hostname, but it should be	53	poisoning attacks on logging. You may use a hostname, but it should be
54	added to your /etc/hosts file..."	54	added to your /etc/hosts file..."
55	QUESTION: "What is the IP address of the machine you want to log to? [127.0.0.1]"	55	QUESTION: "What is the IP address of the machine you want to log to? [127.0.0.1]"
56	REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB	56	REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB GN
57	DEFAULT_ANSWER: 127.0.0.1	57	DEFAULT_ANSWER: 127.0.0.1
58	YN_TOGGLE: 0	58	YN_TOGGLE: 0
59	YES_CHILD: pacct	59	YES_CHILD: pacct

Lines 15-26 Link Here

(-)Bastille.orig/Questions/Printing.txt (-4 / +4 lines)
15		15
16	# /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm	16	# /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm
17		17
18	# /sbin/chkconfig lpd on	18	# /sbin/rc-update add lpd default
19		19
20	This is only recommended if this machine will not be used for printing	20	This is only recommended if this machine will not be used for printing
21	in the near future. If you deactivate this, you might want to write	21	in the near future. If you deactivate this, you might want to write
22	down the commands above in case you decide to re-enable printing later."	22	down the commands above in case you decide to re-enable printing later."
23	QUESTION: "Would you like to disable printing? [N]"	23	QUESTION: "Would you like to disable LPR/LPRng printing? [N]"
24	QUESTION_AUDIT: "Is printing disabled?"	24	QUESTION_AUDIT: "Is printing disabled?"
25	REQUIRE_DISTRO: LINUX	25	REQUIRE_DISTRO: LINUX
26	DEFAULT_ANSWER: N	26	DEFAULT_ANSWER: N
Lines 48-59 Link Here
48	# /bin/chmod 0755 /usr/bin/lpr /usr/bin/lprm /usr/bin/lpstat	48	# /bin/chmod 0755 /usr/bin/lpr /usr/bin/lprm /usr/bin/lpstat
49	# /bin/chmod 04755 /usr/bin/lppasswd	49	# /bin/chmod 04755 /usr/bin/lppasswd
50		50
51	# /sbin/chkconfig cups on	51	# /sbin/rc-update add cups default
52		52
53	This is only recommended if this machine will not be used for printing	53	This is only recommended if this machine will not be used for printing
54	in the near future. If you deactivate this, you might want to write	54	in the near future. If you deactivate this, you might want to write
55	down the commands above in case you decide to re-enable printing later."	55	down the commands above in case you decide to re-enable printing later."
56	QUESTION: "Would you like to disable printing? [N]"	56	QUESTION: "Would you like to disable CUPS printing? [N]"
57	QUESTION_AUDIT: "Is printing disabled?"	57	QUESTION_AUDIT: "Is printing disabled?"
58	REQUIRE_DISTRO: LINUX	58	REQUIRE_DISTRO: LINUX
59	DEFAULT_ANSWER: N	59	DEFAULT_ANSWER: N

Lines 2975-2981 Link Here

(-)Bastille.orig/Questions.txt (-8 / +7 lines)
2975		2975
2976	Even if you plan on setting up a name server on this machine, you should	2976	Even if you plan on setting up a name server on this machine, you should
2977	deactivate it for now until you get the configuration files setup. You	2977	deactivate it for now until you get the configuration files setup. You
2978	can reactivate it then by typing, as root: /sbin/chkconfig named on "	2978	can reactivate it then by typing, as root: /sbin/rc-update add named default "
2979	QUESTION: "Would you like to deactivate named, at least for now? [Y]"	2979	QUESTION: "Would you like to deactivate named, at least for now? [Y]"
2980	REQUIRE_DISTRO: LINUX	2980	REQUIRE_DISTRO: LINUX
2981	REQUIRE_FILE_EXISTS: chkconfig_named	2981	REQUIRE_FILE_EXISTS: chkconfig_named
Lines 3014-3028 Link Here
3014	need to run a web server, at least not right now, you should deactivate it.	3014	need to run a web server, at least not right now, you should deactivate it.
3015	You can restart the web server later by typing:	3015	You can restart the web server later by typing:
3016		3016
3017	/sbin/chkconfig httpd on	3017	/sbin/rc-update add apache2 default
3018	"	3018	"
3019	QUESTION: "Would you like to deactivate the Apache web server? [Y]"	3019	QUESTION: "Would you like to deactivate the Apache2 web server? [Y]"
3020	REQUIRE_DISTRO: LINUX DB SE TB	3020	REQUIRE_DISTRO: LINUX DB SE TB
3021	REQUIRE_FILE_EXISTS: chkconfig_httpd	3021	REQUIRE_FILE_EXISTS: chkconfig_httpd
3022	DEFAULT_ANSWER: Y	3022	DEFAULT_ANSWER: Y
3023	YN_TOGGLE: 1	3023	YN_TOGGLE: 1
3024	REG_EXP: "^Y$\|^N$"	3024	REG_EXP: "^Y$\|^N$"
3025	YES_EXP: "Even though you've deactivated the Apache web server, there are	3025	YES_EXP: "Even though you've deactivated the Apache2 web server, there are
3026	still a few more questions related to it. It's good to take the precautions in	3026	still a few more questions related to it. It's good to take the precautions in
3027	the next steps even if you've turned off the web server, since it might get	3027	the next steps even if you've turned off the web server, since it might get
3028	turned on again later."	3028	turned on again later."
Lines 3297-3303 Link Here
3297		3297
3298	# /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm	3298	# /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm
3299		3299
3300	# /sbin/chkconfig lpd on	3300	# /sbin/rc-update add lpd default
3301		3301
3302	This is only recommended if this machine will not be used for printing	3302	This is only recommended if this machine will not be used for printing
3303	in the near future. If you deactivate this, you might want to write	3303	in the near future. If you deactivate this, you might want to write
Lines 3330-3336 Link Here
3330	# /bin/chmod 0755 /usr/bin/lpr /usr/bin/lprm /usr/bin/lpstat	3330	# /bin/chmod 0755 /usr/bin/lpr /usr/bin/lprm /usr/bin/lpstat
3331	# /bin/chmod 04755 /usr/bin/lppasswd	3331	# /bin/chmod 04755 /usr/bin/lppasswd
3332		3332
3333	# /sbin/chkconfig cups on	3333	# /sbin/rc-update add cups default
3334		3334
3335	This is only recommended if this machine will not be used for printing	3335	This is only recommended if this machine will not be used for printing
3336	in the near future. If you deactivate this, you might want to write	3336	in the near future. If you deactivate this, you might want to write
Lines 5130-5137 Link Here
5130		5130
5131	Once you have a configuration that will work on your system, you can make it	5131	Once you have a configuration that will work on your system, you can make it
5132	run at every normal boot-up by typing	5132	run at every normal boot-up by typing
5133	/sbin/chkconfig --add bastille-firewall	5133	/sbin/rc-update add bastille-firewall default
5134	/sbin/chkconfig bastille-firewall reset
5135		5134
5136	If you are confident of your selections, Bastille can start the firewall	5135	If you are confident of your selections, Bastille can start the firewall
5137	and configure it to run at boot time for you.	5136	and configure it to run at boot time for you.

Lines 1-138 Link Here

(-)Bastille.orig/ServerLax.config (-121 / +97 lines)
1	# Q: Would you like to run the packet filtering script? [N]	1	# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
2	IPChains.ip_intro="N"
3	# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
4	FilePermissions.generalperms_1.1="N"
5	# Q: What security level should we set? [3]
6	FilePermissions.security_level="2"
7	# Q: Would you like us to modify your file permissions?
8	FilePermissions.generalperms_1.2_mandrake="Y"
9	# Q: Would you like to disable SUID status for mount/umount?
10	FilePermissions.suidmount="N"
11	# Q: Would you like to disable SUID status for ping? [Y]
12	FilePermissions.suidping="N"
13	# Q: Would you like to disable SUID status for dump and restore? [Y]
14	FilePermissions.suiddump="Y"
15	# Q: Would you like to disable SUID status for cardctl? [Y]
16	FilePermissions.suidcard="Y"
17	# Q: Would you like to disable SUID status for at? [Y]
18	FilePermissions.suidat="N"
19	# Q: Would you like to disable SUID status for DOSEMU? [Y]
20	FilePermissions.suiddos="Y"
21	# Q: Would you like to disable SUID status for news server tools? [Y]
22	FilePermissions.suidnews="Y"
23	# Q: Would you like to disable SUID status for printing utilities? [N]
24	FilePermissions.suidprint="N"
25	# Q: Would you like to disable SUID status for the r-tools? [Y]
26	FilePermissions.suidrtool="N"
27	# Q: Would you like to disable SUID status for usernetctl? [Y]
28	FilePermissions.suidusernetctl="N"
29	# Q: Would you like to disable SUID status for traceroute? [Y]
30	FilePermissions.suidtrace="N"
31	# Q: Would you like to set up a second UID 0 account? [N]
32	AccountSecurity.secondadmin="N"
33	# Q: May we take strong steps to disallow the dangerous r-protocols? [Y]
34	AccountSecurity.protectrhost="N"
35	# Q: Would you like to enforce password aging? [Y]
36	AccountSecurity.passwdage="Y"
37	# Q: Would you like to create a non-root user account? [N]
38	AccountSecurity.createuser="N"
39	# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
40	AccountSecurity.cronuser="N"	2	AccountSecurity.cronuser="N"
41	# Q: What umask would you like to set for users on the system? [077]	3	# Q: Would you like to enforce password aging? [Y]
42	AccountSecurity.umask="022"	4	AccountSecurity.passwdage="Y"
43	# Q: Should we allow root to login on tty's 1-6? [Y]	5	# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
		6	AccountSecurity.protectrhost="N"
		7	# Q: Should we disallow root login on tty's 1-6? [N]
44	AccountSecurity.rootttylogins="Y"	8	AccountSecurity.rootttylogins="Y"
45	# Q: Should we allow the PATH to include the current directory? [N]	9	# Q: Would you like to disable indexes? [N]
46	AccountSecurity.restrict_path_mdk="Y"	10	Apache.apacheindex="N"
47	# Q: Should we deactivate this list of users? [N]	11	# Q: Would you like to deactivate the Apache2 web server? [Y]
48	AccountSecurity.forbiduserview="N"	12	Apache.apacheoff="Y"
49	# Q: Would you like to password-protect the LILO prompt? [N]	13	# Q: Would you like to bind the Web server to listen only to the localhost? [N]
50	BootSecurity.protectlilo="N"	14	Apache.bindapachelocal="N"
51	# Q: Would you like to reduce the LILO delay time to zero? [N]	15	# Q: Would you like to bind the web server to a particular interface? [N]
		16	Apache.bindapachenic="N"
		17	# Q: Would you like to disable CGI scripts, at least for now? [Y]
		18	Apache.cgi="N"
		19	# Q: Would you like to deactivate server-side includes? [Y]
		20	Apache.ssi="Y"
		21	# Q: Would you like to deactivate the following of symbolic links? [Y]
		22	Apache.symlink="N"
		23	# Q: Would you like to reduce the LILO delay time to zero? [N]
52	BootSecurity.lilodelay="N"	24	BootSecurity.lilodelay="N"
53	# Q: Do you ever boot Linux from the hard drive? [Y]	25	# Q: Do you ever boot Linux from the hard drive? [Y]
54	BootSecurity.lilosub_drive="N"	26	BootSecurity.lilosub_drive="N"
55	# Q: Would you like to write the LILO changes to a boot floppy? [N]	27	# Q: Would you like to write the LILO changes to a boot floppy? [N]
56	BootSecurity.lilosub_floppy="N"	28	BootSecurity.lilosub_floppy="N"
57	# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]	29	# Q: Would you like to password protect single-user mode? [Y]
58	BootSecurity.secureinittab="N"
59	# Q: Would you like to password protect single-user mode? [Y]
60	BootSecurity.passsum="Y"	30	BootSecurity.passsum="Y"
61	# Q: May we disable Autologin? [Y]	31	# Q: Would you like to password-protect the LILO prompt? [N]
62	BootSecurity.disable_autologin="N"	32	BootSecurity.protectlilo="N"
63	# Q: Would you like to set a default-deny on TCP Wrappers? [N]	33	# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]
64	SecureInetd.tcpd_default_deny="N"	34	BootSecurity.secureinittab="N"
65	# Q: May we deactivate telnet? [Y]	35	# Q: Should we restrict console access to a small group of user accounts? [N]
66	SecureInetd.deactivate_telnet="Y"
67	# Q: May we deactivate ftp? [Y]
68	SecureInetd.deactivate_ftp="N"
69	# Q: Would you like to make "Authorized Use" banners? [Y]
70	SecureInetd.banners="Y"
71	# Q: Would you like to disable the compiler? [N]
72	DisableUserTools.compiler="N"
73	# Q: Would you like to put limits on system resource usage? [Y]
74	ConfigureMiscPAM.limitsconf="N"
75	# Q: Should we restrict console access to a small group of user accounts? [N]
76	ConfigureMiscPAM.consolelogin="N"	36	ConfigureMiscPAM.consolelogin="N"
77	# Q: Would you like to add additional logging? [Y]	37	# Q: Would you like to put limits on system resource usage? [N]
		38	ConfigureMiscPAM.limitsconf="N"
		39	# Q: Would you like to chroot named and set it to run as a non-root user? [N]
		40	DNS.chrootbind="N"
		41	# Q: Would you like to deactivate named, at least for now? [Y]
		42	DNS.namedoff="Y"
		43	# Q: Would you like to disable the gcc and/or g++ compiler? [N]
		44	DisableUserTools.compiler="N"
		45	# Q: Would you like to disable anonymous download? [N]
		46	FTP.anonftp="N"
		47	# Q: Would you like to disable user privileges on the FTP daemon? [N]
		48	FTP.userftp="N"
		49	# Q: Would you like to disable SUID status for XFree86? [N]
		50	FilePermissions.suidXFree86="N"
		51	# Q: Would you like to disable SUID status for at? [Y]
		52	FilePermissions.suidat="N"
		53	# Q: Would you like to disable SUID status for cardctl? [Y]
		54	FilePermissions.suidcard="Y"
		55	# Q: Would you like to disable SUID status for DOSEMU? [Y]
		56	FilePermissions.suiddos="Y"
		57	# Q: Would you like to disable SUID status for dump and restore? [Y]
		58	FilePermissions.suiddump="Y"
		59	# Q: Would you like to disable SUID status for mount/umount?
		60	FilePermissions.suidmount="N"
		61	# Q: Would you like to disable SUID status for news server tools? [Y]
		62	FilePermissions.suidnews="Y"
		63	# Q: Would you like to disable SUID status for ping? [Y]
		64	FilePermissions.suidping="N"
		65	# Q: Would you like to disable SUID status for printing utilities? [N]
		66	FilePermissions.suidprint="N"
		67	# Q: Would you like to disable the r-tools? [Y]
		68	FilePermissions.suidrtool="N"
		69	# Q: Would you like to disable SUID status for traceroute? [Y]
		70	FilePermissions.suidtrace="N"
		71	# Q: Would you like to disable SUID status for usernetctl? [Y]
		72	FilePermissions.suidusernetctl="N"
		73	# Q: Would you like to run the packet filtering script? [N]
		74	Firewall.ip_intro="N"
		75	# Q: Would you like to add additional logging? [Y]
78	Logging.morelogging="Y"	76	Logging.morelogging="Y"
79	# Q: Do you have a remote logging host? [N]	77	# Q: Would you like to set up process accounting? [N]
80	Logging.remotelog="N"
81	# Q: Would you like to set up process accounting? [N]
82	Logging.pacct="N"	78	Logging.pacct="N"
83	# Q: Would you like to set up nightly security checks? [N]"	79	# Q: Would you like to disable acpid and/or apmd? [Y]
84	Logging.security_checks="Y"
85	# Q: Would you like to disable apmd? [Y]
86	MiscellaneousDaemons.apmd="Y"	80	MiscellaneousDaemons.apmd="Y"
87	# Q: Would you like to deactivate NFS and Samba? [Y]	81	# Q: Would you like to disable the DHCP daemon? [Y]
88	MiscellaneousDaemons.remotefs="Y"
89	# Q: Would you like to disable PCMCIA services? [Y]
90	MiscellaneousDaemons.pcmcia="Y"
91	# Q: Would you like to disable the DHCP daemon? [Y]
92	MiscellaneousDaemons.dhcpd="Y"	82	MiscellaneousDaemons.dhcpd="Y"
93	# Q: Would you like to disable GPM? [Y]	83	# Q: Would you like to disable GPM? [Y]
94	MiscellaneousDaemons.gpm="N"	84	MiscellaneousDaemons.gpm="N"
95	# Q: Would you like to disable the news server daemon? [Y]	85	# Q: Would you like to disable the news server daemon? [Y]
96	MiscellaneousDaemons.innd="Y"	86	MiscellaneousDaemons.innd="Y"
97	# Q: Would you like to deactivate the routing daemons? [Y]	87	# Q: Would you like to disable PCMCIA services? [Y]
98	MiscellaneousDaemons.routing="Y"	88	MiscellaneousDaemons.pcmcia="Y"
99	# Q: Would you like to deactivate NIS server and client programs? [Y]	89	# Q: Would you like to deactivate NFS and Samba? [Y]
100	MiscellaneousDaemons.nis="Y"	90	MiscellaneousDaemons.remotefs="Y"
101	# Q: Would you like to disable SNMPD? [Y]	91	# Q: Would you like to disable SNMPD? [Y]
102	MiscellaneousDaemons.snmpd="Y"	92	MiscellaneousDaemons.snmpd="Y"
103	# Q: Should we disable most chkconfig'd services?	93	# Q: Would you like to disable LPR/LPRng printing? [N]
104	MiscellaneousDaemons.minimize_chkconfig="N"	94	Printing.printing="N"
105	# Q: Do you want to leave sendmail running in daemon mode? [Y]	95	# Q: Would you like to disable CUPS printing? [N]
106	Sendmail.sendmaildaemon="N"	96	Printing.printing_cups="N"
107	# Q: Would you like to run sendmail via cron to process the queue? [N]	97	# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
		98	SecureInetd.banners="Y"
		99	# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
		100	SecureInetd.deactivate_ftp="N"
		101	# Q: Should Bastille ensure the telnet service does not run on this system? [y]
		102	SecureInetd.deactivate_telnet="Y"
		103	# Q: Who is responsible for granting authorization to use this machine?
		104	SecureInetd.owner="its owner"
		105	# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
		106	SecureInetd.tcpd_default_deny="N"
		107	# Q: Would you like to run sendmail via cron to process the queue? [N]
108	Sendmail.sendmailcron="Y"	108	Sendmail.sendmailcron="Y"
109	# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]	109	# Q: Do you want to stop sendmail from running in daemon mode? [Y]
		110	Sendmail.sendmaildaemon="N"
		111	# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]
110	Sendmail.vrfyexpn="Y"	112	Sendmail.vrfyexpn="Y"
111	# Q: Would you like to download and install ssh? [N]	113	# Q: Would you like to install TMPDIR/TMP scripts? [N]
112	RemoteAccess.installssh="N"
113	# Q: Would you like to chroot named and set it to run as a non-root user? [N]
114	DNS.chrootbind="N"
115	# Q: Would you like to deactivate named, at least for now? [Y]
116	DNS.namedoff="Y"
117	# Q: Would you like to deactivate the Apache web server? [Y]
118	Apache.apacheoff="Y"
119	# Q: Would you like to bind the web server to listen only to the localhost? [N]
120	Apache.bindapachelocal="N"
121	# Q: Would you like to bind the web server to a particular interface? [N]
122	Apache.bindapachenic="N"
123	# Q: Would you like to deactivate the following of symbolic links? [Y]
124	Apache.symlink="N"
125	# Q: Would you like to deactivate server-side includes? [Y]
126	Apache.ssi="Y"
127	# Q: Would you like to disable CGI scripts, at least for now? [Y]
128	Apache.cgi="N"
129	# Q: Would you like to disable indexes? [N]
130	Apache.apacheindex="N"
131	# Q: Would you like to disable printing? [N]
132	Printing.printing="N"
133	# Q: Would you like to disable user privileges on the FTP daemon? [N]
134	FTP.userftp="N"
135	# Q: Would you like to disable anonymous download? [N]
136	FTP.anonftp="N"
137	# Q: Would you like to install TMPDIR/TMP scripts? [N]
138	TMPDIR.tmpdir="N"	114	TMPDIR.tmpdir="N"

Lines 1-170 Link Here

(-)Bastille.orig/ServerModerate.config (-153 / +135 lines)
1	# Q: Would you like to run the packet filtering script? [N]	1	# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
2	IPChains.ip_intro="Y"
3	# Q:
4	IPChains.ip_detail_level_kludge="Y"
5	# Q: Do you need the advanced networking options?
6	IPChains.ip_advnetwork="N"
7	# Q: DNS Servers: [0.0.0.0/0]
8	IPChains.ip_b_dns="0.0.0.0/0"
9	# Q:
10	IPChains.ip_b_trustiface="lo"
11	# Q: Public interfaces: [eth+ ppp+ slip+]
12	IPChains.ip_b_publiciface="eth+ ppp+ slip+"
13	# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
14	IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
15	# Q: UDP services to audit: [31337]
16	IPChains.ip_b_udpaudit="31337"
17	# Q: TCP service names or port numbers to allow on public interfaces: [ ]
18	IPChains.ip_b_publictcp="ssh"
19	# Q: Force passive mode? [N]
20	IPChains.ip_b_passiveftp="N"
21	# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
22	IPChains.ip_b_tcpblock="2049 2065:2090 7100"
23	# Q: UDP services to block: [2049 6770]
24	IPChains.ip_b_udpblock="2049 6770"
25	# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
26	IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-request"
27	# Q: Enable source address verification? [Y]
28	IPChains.ip_b_srcaddr="Y"
29	# Q: Reject method: [DENY]
30	IPChains.ip_b_rejectmethod="REJECT"
31	# Q: Interfaces for DHCP queries: [ ]
32	IPChains.ip_b_dhcpiface="eth+ ppp+"
33	# Q: NTP servers to query: [ ]
34	IPChains.ip_b_ntpsrv="eth+ ppp+"
35	# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
36	FilePermissions.generalperms_1.1="N"
37	# Q: What security level should we set? [3]
38	FilePermissions.security_level="3"
39	# Q: Would you like us to modify your file permissions?
40	FilePermissions.generalperms_1.2_mandrake="Y"
41	# Q: Would you like to disable SUID status for mount/umount?
42	FilePermissions.suidmount="N"
43	# Q: Would you like to disable SUID status for ping? [Y]
44	FilePermissions.suidping="N"
45	# Q: Would you like to disable SUID status for dump and restore? [Y]
46	FilePermissions.suiddump="Y"
47	# Q: Would you like to disable SUID status for cardctl? [Y]
48	FilePermissions.suidcard="Y"
49	# Q: Would you like to disable SUID status for at? [Y]
50	FilePermissions.suidat="N"
51	# Q: Would you like to disable SUID status for DOSEMU? [Y]
52	FilePermissions.suiddos="Y"
53	# Q: Would you like to disable SUID status for news server tools? [Y]
54	FilePermissions.suidnews="Y"
55	# Q: Would you like to disable SUID status for printing utilities? [N]
56	FilePermissions.suidprint="N"
57	# Q: Would you like to disable SUID status for the r-tools? [Y]
58	FilePermissions.suidrtool="Y"
59	# Q: Would you like to disable SUID status for usernetctl? [Y]
60	FilePermissions.suidusernetctl="N"
61	# Q: Would you like to disable SUID status for traceroute? [Y]
62	FilePermissions.suidtrace="N"
63	# Q: Would you like to set up a second UID 0 account? [N]
64	AccountSecurity.secondadmin="N"
65	# Q: May we take strong steps to disallow the dangerous r-protocols? [Y]
66	AccountSecurity.protectrhost="Y"
67	# Q: Would you like to enforce password aging? [Y]
68	AccountSecurity.passwdage="Y"
69	# Q: Would you like to create a non-root user account? [N]
70	AccountSecurity.createuser="N"
71	# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
72	AccountSecurity.cronuser="N"	2	AccountSecurity.cronuser="N"
73	# Q: What umask would you like to set for users on the system? [077]	3	# Q: Would you like to enforce password aging? [Y]
74	AccountSecurity.umask="077"	4	AccountSecurity.passwdage="Y"
75	# Q: Should we allow root to login on tty's 1-6? [Y]	5	# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
		6	AccountSecurity.protectrhost="Y"
		7	# Q: Should we disallow root login on tty's 1-6? [N]
76	AccountSecurity.rootttylogins="Y"	8	AccountSecurity.rootttylogins="Y"
77	# Q: Should we allow the PATH to include the current directory? [N]	9	# Q: Would you like to disable indexes? [N]
78	AccountSecurity.restrict_path_mdk="N"	10	Apache.apacheindex="N"
79	# Q: Should we deactivate this list of users? [N]	11	# Q: Would you like to deactivate the Apache2 web server? [Y]
80	AccountSecurity.forbiduserview="N"	12	Apache.apacheoff="Y"
81	# Q: Would you like to password-protect the LILO prompt? [N]	13	# Q: Would you like to bind the Web server to listen only to the localhost? [N]
82	BootSecurity.protectlilo="N"	14	Apache.bindapachelocal="N"
83	# Q: Would you like to reduce the LILO delay time to zero? [N]	15	# Q: Would you like to bind the web server to a particular interface? [N]
		16	Apache.bindapachenic="N"
		17	# Q: Would you like to disable CGI scripts, at least for now? [Y]
		18	Apache.cgi="Y"
		19	# Q: Would you like to deactivate server-side includes? [Y]
		20	Apache.ssi="Y"
		21	# Q: Would you like to deactivate the following of symbolic links? [Y]
		22	Apache.symlink="N"
		23	# Q: Would you like to reduce the LILO delay time to zero? [N]
84	BootSecurity.lilodelay="N"	24	BootSecurity.lilodelay="N"
85	# Q: Do you ever boot Linux from the hard drive? [Y]	25	# Q: Do you ever boot Linux from the hard drive? [Y]
86	BootSecurity.lilosub_drive="N"	26	BootSecurity.lilosub_drive="N"
87	# Q: Would you like to write the LILO changes to a boot floppy? [N]	27	# Q: Would you like to write the LILO changes to a boot floppy? [N]
88	BootSecurity.lilosub_floppy="N"	28	BootSecurity.lilosub_floppy="N"
89	# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]	29	# Q: Would you like to password protect single-user mode? [Y]
90	BootSecurity.secureinittab="N"
91	# Q: Would you like to password protect single-user mode? [Y]
92	BootSecurity.passsum="Y"	30	BootSecurity.passsum="Y"
93	Q: May we disable Autologin? [Y]	31	# Q: Would you like to password-protect the LILO prompt? [N]
94	BootSecurity.disable_autologin="Y"	32	BootSecurity.protectlilo="N"
95	# Q: Would you like to set a default-deny on TCP Wrappers? [N]	33	# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]
96	SecureInetd.tcpd_default_deny="N"	34	BootSecurity.secureinittab="N"
97	# Q: May we deactivate telnet? [Y]	35	# Q: Should we restrict console access to a small group of user accounts? [N]
98	SecureInetd.deactivate_telnet="Y"
99	# Q: May we deactivate ftp? [Y]
100	SecureInetd.deactivate_ftp="N"
101	# Q: Would you like to make "Authorized Use" banners? [Y]
102	SecureInetd.banners="Y"
103	# Q: Would you like to disable the compiler? [N]
104	DisableUserTools.compiler="N"
105	# Q: Would you like to put limits on system resource usage? [Y]
106	ConfigureMiscPAM.limitsconf="N"
107	# Q: Should we restrict console access to a small group of user accounts? [N]
108	ConfigureMiscPAM.consolelogin="N"	36	ConfigureMiscPAM.consolelogin="N"
109	# Q: Would you like to add additional logging? [Y]	37	# Q: Would you like to put limits on system resource usage? [N]
		38	ConfigureMiscPAM.limitsconf="N"
		39	# Q: Would you like to chroot named and set it to run as a non-root user? [N]
		40	DNS.chrootbind="N"
		41	# Q: Would you like to deactivate named, at least for now? [Y]
		42	DNS.namedoff="Y"
		43	# Q: Would you like to disable the gcc and/or g++ compiler? [N]
		44	DisableUserTools.compiler="N"
		45	# Q: Would you like to disable anonymous download? [N]
		46	FTP.anonftp="Y"
		47	# Q: Would you like to disable user privileges on the FTP daemon? [N]
		48	FTP.userftp="Y"
		49	# Q: Would you like to disable SUID status for XFree86? [N]
		50	FilePermissions.suidXFree86="N"
		51	# Q: Would you like to disable SUID status for at? [Y]
		52	FilePermissions.suidat="N"
		53	# Q: Would you like to disable SUID status for cardctl? [Y]
		54	FilePermissions.suidcard="Y"
		55	# Q: Would you like to disable SUID status for DOSEMU? [Y]
		56	FilePermissions.suiddos="Y"
		57	# Q: Would you like to disable SUID status for dump and restore? [Y]
		58	FilePermissions.suiddump="Y"
		59	# Q: Would you like to disable SUID status for mount/umount?
		60	FilePermissions.suidmount="N"
		61	# Q: Would you like to disable SUID status for news server tools? [Y]
		62	FilePermissions.suidnews="Y"
		63	# Q: Would you like to disable SUID status for ping? [Y]
		64	FilePermissions.suidping="N"
		65	# Q: Would you like to disable SUID status for printing utilities? [N]
		66	FilePermissions.suidprint="N"
		67	# Q: Would you like to disable the r-tools? [Y]
		68	FilePermissions.suidrtool="Y"
		69	# Q: Would you like to disable SUID status for traceroute? [Y]
		70	FilePermissions.suidtrace="N"
		71	# Q: Would you like to disable SUID status for usernetctl? [Y]
		72	FilePermissions.suidusernetctl="N"
		73	# Q: Do you need the advanced networking options?
		74	Firewall.ip_advnetwork="N"
		75	# Q: Interfaces for DHCP queries: [ ]
		76	Firewall.ip_b_dhcpiface="eth+ ppp+ wlan+ ath+"
		77	# Q: DNS Servers: [0.0.0.0/0]
		78	Firewall.ip_b_dns="0.0.0.0/0"
		79	# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
		80	Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-request"
		81	# Q: ICMP services to audit: [ ]
		82	Firewall.ip_b_icmpaudit=""
		83	# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
		84	Firewall.ip_b_icmpout="destination-unreachable time-exceeded"
		85	# Q: NTP servers to query: [ ]
		86	Firewall.ip_b_ntpsrv=""
		87	# Q: Force passive mode? [N]
		88	Firewall.ip_b_passiveftp="N"
		89	# Q: Public interfaces: [eth+ ppp+ slip+]
		90	Firewall.ip_b_publiciface="eth+ ppp+ slip+ wlan+ ath+"
		91	# Q: TCP service names or port numbers to allow on public interfaces: [ ]
		92	Firewall.ip_b_publictcp="ssh"
		93	# Q: UDP service names or port numbers to allow on public interfaces: [ ]
		94	Firewall.ip_b_publicudp=""
		95	# Q: Reject method: [DENY]
		96	Firewall.ip_b_rejectmethod="REJECT"
		97	# Q: Enable source address verification? [Y]
		98	Firewall.ip_b_srcaddr="Y"
		99	# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
		100	Firewall.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
		101	# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
102	Firewall.ip_b_tcpblock="2049 2065:2090 7100"
103	# Q: UDP services to audit: [31337]
104	Firewall.ip_b_udpaudit="31337"
105	# Q: UDP services to block: [2049 6770]
106	Firewall.ip_b_udpblock="2049 6770"
107	# Q: Should Bastille run the firewall and enable it at boot time? [N]
108	Firewall.ip_enable_firewall="Y"
109	# Q: Would you like to run the packet filtering script? [N]
110	Firewall.ip_intro="Y"
111	# Q: Would you like to add additional logging? [Y]
110	Logging.morelogging="Y"	112	Logging.morelogging="Y"
111	# Q: Do you have a remote logging host? [N]	113	# Q: Would you like to set up process accounting? [N]
112	Logging.remotelog="N"
113	# Q: Would you like to set up process accounting? [N]
114	Logging.pacct="N"	114	Logging.pacct="N"
115	# Q: Would you like to set up nightly security checks? [N]"	115	# Q: Would you like to disable acpid and/or apmd? [Y]
116	Logging.security_checks="Y"
117	# Q: Would you like to disable apmd? [Y]
118	MiscellaneousDaemons.apmd="Y"	116	MiscellaneousDaemons.apmd="Y"
119	# Q: Would you like to deactivate NFS and Samba? [Y]	117	# Q: Would you like to disable the DHCP daemon? [Y]
120	MiscellaneousDaemons.remotefs="Y"
121	# Q: Would you like to disable PCMCIA services? [Y]
122	MiscellaneousDaemons.pcmcia="Y"
123	# Q: Would you like to disable the DHCP daemon? [Y]
124	MiscellaneousDaemons.dhcpd="Y"	118	MiscellaneousDaemons.dhcpd="Y"
125	# Q: Would you like to disable GPM? [Y]	119	# Q: Would you like to disable GPM? [Y]
126	MiscellaneousDaemons.gpm="Y"	120	MiscellaneousDaemons.gpm="Y"
127	# Q: Would you like to disable the news server daemon? [Y]	121	# Q: Would you like to disable the news server daemon? [Y]
128	MiscellaneousDaemons.innd="Y"	122	MiscellaneousDaemons.innd="Y"
129	# Q: Would you like to deactivate the routing daemons? [Y]	123	# Q: Would you like to disable PCMCIA services? [Y]
130	MiscellaneousDaemons.routing="Y"	124	MiscellaneousDaemons.pcmcia="Y"
131	# Q: Would you like to deactivate NIS server and client programs? [Y]	125	# Q: Would you like to deactivate NFS and Samba? [Y]
132	MiscellaneousDaemons.nis="Y"	126	MiscellaneousDaemons.remotefs="Y"
133	# Q: Would you like to disable SNMPD? [Y]	127	# Q: Would you like to disable SNMPD? [Y]
134	MiscellaneousDaemons.snmpd="Y"	128	MiscellaneousDaemons.snmpd="Y"
135	# Q: Should we disable most chkconfig'd services?	129	# Q: Would you like to setup psad?
136	MiscellaneousDaemons.minimize_chkconfig="N"	130	PSAD.psad_config="N"
137	# Q: Do you want to leave sendmail running in daemon mode? [Y]	131	# Q: Would you like to disable LPR/LPRng printing? [N]
138	Sendmail.sendmaildaemon="N"	132	Printing.printing="N"
139	# Q: Would you like to run sendmail via cron to process the queue? [N]	133	# Q: Would you like to disable CUPS printing? [N]
		134	Printing.printing_cups="N"
		135	# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
		136	SecureInetd.banners="Y"
		137	# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
		138	SecureInetd.deactivate_ftp="N"
		139	# Q: Should Bastille ensure the telnet service does not run on this system? [y]
		140	SecureInetd.deactivate_telnet="Y"
		141	# Q: Who is responsible for granting authorization to use this machine?
		142	SecureInetd.owner="its owner"
		143	# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
		144	SecureInetd.tcpd_default_deny="N"
		145	# Q: Would you like to run sendmail via cron to process the queue? [N]
140	Sendmail.sendmailcron="Y"	146	Sendmail.sendmailcron="Y"
141	# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]	147	# Q: Do you want to stop sendmail from running in daemon mode? [Y]
		148	Sendmail.sendmaildaemon="N"
		149	# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]
142	Sendmail.vrfyexpn="Y"	150	Sendmail.vrfyexpn="Y"
143	# Q: Would you like to download and install ssh? [N]	151	# Q: Would you like to install TMPDIR/TMP scripts? [N]
144	RemoteAccess.installssh="N"
145	# Q: Would you like to chroot named and set it to run as a non-root user? [N]
146	DNS.chrootbind="N"
147	# Q: Would you like to deactivate named, at least for now? [Y]
148	DNS.namedoff="Y"
149	# Q: Would you like to deactivate the Apache web server? [Y]
150	Apache.apacheoff="Y"
151	# Q: Would you like to bind the web server to listen only to the localhost? [N]
152	Apache.bindapachelocal="N"
153	# Q: Would you like to bind the web server to a particular interface? [N]
154	Apache.bindapachenic="N"
155	# Q: Would you like to deactivate the following of symbolic links? [Y]
156	Apache.symlink="N"
157	# Q: Would you like to deactivate server-side includes? [Y]
158	Apache.ssi="Y"
159	# Q: Would you like to disable CGI scripts, at least for now? [Y]
160	Apache.cgi="Y"
161	# Q: Would you like to disable indexes? [N]
162	Apache.apacheindex="N"
163	# Q: Would you like to disable printing? [N]
164	Printing.printing="N"
165	# Q: Would you like to disable user privileges on the FTP daemon? [N]
166	FTP.userftp="Y"
167	# Q: Would you like to disable anonymous download? [N]
168	FTP.anonftp="Y"
169	# Q: Would you like to install TMPDIR/TMP scripts? [N]
170	TMPDIR.tmpdir="N"	152	TMPDIR.tmpdir="N"

Lines 1-170 Link Here

(-)Bastille.orig/ServerParanoia.config (-153 / +135 lines)
1	# Q: Would you like to run the packet filtering script? [N]	1	# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
2	IPChains.ip_intro="Y"
3	# Q:
4	IPChains.ip_detail_level_kludge="Y"
5	# Q: Do you need the advanced networking options?
6	IPChains.ip_advnetwork="N"
7	# Q: DNS Servers: [0.0.0.0/0]
8	IPChains.ip_b_dns="0.0.0.0/0"
9	# Q:
10	IPChains.ip_b_trustiface="lo"
11	# Q: Public interfaces: [eth+ ppp+ slip+]
12	IPChains.ip_b_publiciface="eth+ ppp+ slip+"
13	# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
14	IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
15	# Q: UDP services to audit: [31337]
16	IPChains.ip_b_udpaudit="31337"
17	# Q: TCP service names or port numbers to allow on public interfaces: [ ]
18	IPChains.ip_b_publictcp="ssh"
19	# Q: Force passive mode? [N]
20	IPChains.ip_b_passiveftp="N"
21	# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
22	IPChains.ip_b_tcpblock="2049 2065:2090 6000:6020 7100"
23	# Q: UDP services to block: [2049 6770]
24	IPChains.ip_b_udpblock="2049 6770"
25	# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
26	IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded"
27	# Q: Enable source address verification? [Y]
28	IPChains.ip_b_srcaddr="Y"
29	# Q: Reject method: [DENY]
30	IPChains.ip_b_rejectmethod="DENY"
31	# Q: Interfaces for DHCP queries: [ ]
32	IPChains.ip_b_dhcpiface="eth+"
33	# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
34	IPChains.ip_b_icmpout="destination-unreachable time-exceeded echo-reply"
35	# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
36	FilePermissions.generalperms_1.1="N"
37	# Q: What security level should we set? [3]
38	FilePermissions.security_level="4"
39	# Q: Would you like us to modify your file permissions?
40	FilePermissions.generalperms_1.2_mandrake="Y"
41	# Q: Would you like to disable SUID status for mount/umount?
42	FilePermissions.suidmount="Y"
43	# Q: Would you like to disable SUID status for ping? [Y]
44	FilePermissions.suidping="Y"
45	# Q: Would you like to disable SUID status for dump and restore? [Y]
46	FilePermissions.suiddump="Y"
47	# Q: Would you like to disable SUID status for cardctl? [Y]
48	FilePermissions.suidcard="Y"
49	# Q: Would you like to disable SUID status for at? [Y]
50	FilePermissions.suidat="Y"
51	# Q: Would you like to disable SUID status for DOSEMU? [Y]
52	FilePermissions.suiddos="Y"
53	# Q: Would you like to disable SUID status for news server tools? [Y]
54	FilePermissions.suidnews="Y"
55	# Q: Would you like to disable SUID status for printing utilities? [N]
56	FilePermissions.suidprint="N"
57	# Q: Would you like to disable SUID status for the r-tools? [Y]
58	FilePermissions.suidrtool="Y"
59	# Q: Would you like to disable SUID status for usernetctl? [Y]
60	FilePermissions.suidusernetctl="Y"
61	# Q: Would you like to disable SUID status for traceroute? [Y]
62	FilePermissions.suidtrace="Y"
63	# Q: Would you like to set up a second UID 0 account? [N]
64	AccountSecurity.secondadmin="N"
65	# Q: May we take strong steps to disallow the dangerous r-protocols? [Y]
66	AccountSecurity.protectrhost="Y"
67	# Q: Would you like to enforce password aging? [Y]
68	AccountSecurity.passwdage="Y"
69	# Q: Would you like to create a non-root user account? [N]
70	AccountSecurity.createuser="N"
71	# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
72	AccountSecurity.cronuser="Y"	2	AccountSecurity.cronuser="Y"
73	# Q: What umask would you like to set for users on the system? [077]	3	# Q: Would you like to enforce password aging? [Y]
74	AccountSecurity.umask="077"	4	AccountSecurity.passwdage="Y"
75	# Q: Should we allow root to login on tty's 1-6? [Y]	5	# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
		6	AccountSecurity.protectrhost="Y"
		7	# Q: Should we disallow root login on tty's 1-6? [N]
76	AccountSecurity.rootttylogins="N"	8	AccountSecurity.rootttylogins="N"
77	# Q: Should we allow the PATH to include the current directory? [N]	9	# Q: Would you like to disable indexes? [N]
78	AccountSecurity.restrict_path_mdk="N"	10	Apache.apacheindex="N"
79	# Q: Should we deactivate this list of users? [N]	11	# Q: Would you like to deactivate the Apache2 web server? [Y]
80	AccountSecurity.forbiduserview="Y"	12	Apache.apacheoff="Y"
81	# Q: Would you like to password-protect the LILO prompt? [N]	13	# Q: Would you like to bind the Web server to listen only to the localhost? [N]
82	BootSecurity.protectlilo="N"	14	Apache.bindapachelocal="N"
83	# Q: Would you like to reduce the LILO delay time to zero? [N]	15	# Q: Would you like to bind the web server to a particular interface? [N]
		16	Apache.bindapachenic="N"
		17	# Q: Would you like to disable CGI scripts, at least for now? [Y]
		18	Apache.cgi="Y"
		19	# Q: Would you like to deactivate server-side includes? [Y]
		20	Apache.ssi="Y"
		21	# Q: Would you like to deactivate the following of symbolic links? [Y]
		22	Apache.symlink="Y"
		23	# Q: Would you like to reduce the LILO delay time to zero? [N]
84	BootSecurity.lilodelay="N"	24	BootSecurity.lilodelay="N"
85	# Q: Do you ever boot Linux from the hard drive? [Y]	25	# Q: Do you ever boot Linux from the hard drive? [Y]
86	BootSecurity.lilosub_drive="N"	26	BootSecurity.lilosub_drive="N"
87	# Q: Would you like to write the LILO changes to a boot floppy? [N]	27	# Q: Would you like to write the LILO changes to a boot floppy? [N]
88	BootSecurity.lilosub_floppy="N"	28	BootSecurity.lilosub_floppy="N"
89	# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]	29	# Q: Would you like to password protect single-user mode? [Y]
90	BootSecurity.secureinittab="N"
91	# Q: Would you like to password protect single-user mode? [Y]
92	BootSecurity.passsum="Y"	30	BootSecurity.passsum="Y"
93	Q: May we disable Autologin? [Y]	31	# Q: Would you like to password-protect the LILO prompt? [N]
94	BootSecurity.disable_autologin="Y"	32	BootSecurity.protectlilo="N"
95	# Q: Would you like to set a default-deny on TCP Wrappers? [N]	33	# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]
96	SecureInetd.tcpd_default_deny="N"	34	BootSecurity.secureinittab="N"
97	# Q: May we deactivate telnet? [Y]	35	# Q: Should we restrict console access to a small group of user accounts? [N]
98	SecureInetd.deactivate_telnet="Y"
99	# Q: May we deactivate ftp? [Y]
100	SecureInetd.deactivate_ftp="N"
101	# Q: Would you like to make "Authorized Use" banners? [Y]
102	SecureInetd.banners="Y"
103	# Q: Would you like to disable the compiler? [N]
104	DisableUserTools.compiler="N"
105	# Q: Would you like to put limits on system resource usage? [Y]
106	ConfigureMiscPAM.limitsconf="N"
107	# Q: Should we restrict console access to a small group of user accounts? [N]
108	ConfigureMiscPAM.consolelogin="N"	36	ConfigureMiscPAM.consolelogin="N"
109	# Q: Would you like to add additional logging? [Y]	37	# Q: Would you like to put limits on system resource usage? [N]
		38	ConfigureMiscPAM.limitsconf="N"
		39	# Q: Would you like to chroot named and set it to run as a non-root user? [N]
		40	DNS.chrootbind="N"
		41	# Q: Would you like to deactivate named, at least for now? [Y]
		42	DNS.namedoff="Y"
		43	# Q: Would you like to disable the gcc and/or g++ compiler? [N]
		44	DisableUserTools.compiler="N"
		45	# Q: Would you like to disable anonymous download? [N]
		46	FTP.anonftp="Y"
		47	# Q: Would you like to disable user privileges on the FTP daemon? [N]
		48	FTP.userftp="Y"
		49	# Q: Would you like to disable SUID status for XFree86? [N]
		50	FilePermissions.suidXFree86="N"
		51	# Q: Would you like to disable SUID status for at? [Y]
		52	FilePermissions.suidat="Y"
		53	# Q: Would you like to disable SUID status for cardctl? [Y]
		54	FilePermissions.suidcard="Y"
		55	# Q: Would you like to disable SUID status for DOSEMU? [Y]
		56	FilePermissions.suiddos="Y"
		57	# Q: Would you like to disable SUID status for dump and restore? [Y]
		58	FilePermissions.suiddump="Y"
		59	# Q: Would you like to disable SUID status for mount/umount?
		60	FilePermissions.suidmount="Y"
		61	# Q: Would you like to disable SUID status for news server tools? [Y]
		62	FilePermissions.suidnews="Y"
		63	# Q: Would you like to disable SUID status for ping? [Y]
		64	FilePermissions.suidping="Y"
		65	# Q: Would you like to disable SUID status for printing utilities? [N]
		66	FilePermissions.suidprint="N"
		67	# Q: Would you like to disable the r-tools? [Y]
		68	FilePermissions.suidrtool="Y"
		69	# Q: Would you like to disable SUID status for traceroute? [Y]
		70	FilePermissions.suidtrace="Y"
		71	# Q: Would you like to disable SUID status for usernetctl? [Y]
		72	FilePermissions.suidusernetctl="Y"
		73	# Q: Do you need the advanced networking options?
		74	Firewall.ip_advnetwork="N"
		75	# Q: Interfaces for DHCP queries: [ ]
		76	Firewall.ip_b_dhcpiface="eth+ wlan+ ath+"
		77	# Q: DNS Servers: [0.0.0.0/0]
		78	Firewall.ip_b_dns="0.0.0.0/0"
		79	# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
		80	Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded"
		81	# Q: ICMP services to audit: [ ]
		82	Firewall.ip_b_icmpaudit=""
		83	# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
		84	Firewall.ip_b_icmpout="destination-unreachable time-exceeded echo-reply"
		85	# Q: NTP servers to query: [ ]
		86	Firewall.ip_b_ntpsrv=""
		87	# Q: Force passive mode? [N]
		88	Firewall.ip_b_passiveftp="N"
		89	# Q: Public interfaces: [eth+ ppp+ slip+]
		90	Firewall.ip_b_publiciface="eth+ ppp+ slip+ wlan+ ath+"
		91	# Q: TCP service names or port numbers to allow on public interfaces: [ ]
		92	Firewall.ip_b_publictcp="ssh"
		93	# Q: UDP service names or port numbers to allow on public interfaces: [ ]
		94	Firewall.ip_b_publicudp=""
		95	# Q: Reject method: [DENY]
		96	Firewall.ip_b_rejectmethod="DENY"
		97	# Q: Enable source address verification? [Y]
		98	Firewall.ip_b_srcaddr="Y"
		99	# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
		100	Firewall.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
		101	# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
102	Firewall.ip_b_tcpblock="2049 2065:2090 6000:6020 7100"
103	# Q: UDP services to audit: [31337]
104	Firewall.ip_b_udpaudit="31337"
105	# Q: UDP services to block: [2049 6770]
106	Firewall.ip_b_udpblock="2049 6770"
107	# Q: Should Bastille run the firewall and enable it at boot time? [N]
108	Firewall.ip_enable_firewall="Y"
109	# Q: Would you like to run the packet filtering script? [N]
110	Firewall.ip_intro="Y"
111	# Q: Would you like to add additional logging? [Y]
110	Logging.morelogging="Y"	112	Logging.morelogging="Y"
111	# Q: Do you have a remote logging host? [N]	113	# Q: Would you like to set up process accounting? [N]
112	Logging.remotelog="N"
113	# Q: Would you like to set up process accounting? [N]
114	Logging.pacct="N"	114	Logging.pacct="N"
115	# Q: Would you like to set up nightly security checks? [N]"	115	# Q: Would you like to disable acpid and/or apmd? [Y]
116	Logging.security_checks="Y"
117	# Q: Would you like to disable apmd? [Y]
118	MiscellaneousDaemons.apmd="Y"	116	MiscellaneousDaemons.apmd="Y"
119	# Q: Would you like to deactivate NFS and Samba? [Y]	117	# Q: Would you like to disable the DHCP daemon? [Y]
120	MiscellaneousDaemons.remotefs="Y"
121	# Q: Would you like to disable PCMCIA services? [Y]
122	MiscellaneousDaemons.pcmcia="Y"
123	# Q: Would you like to disable the DHCP daemon? [Y]
124	MiscellaneousDaemons.dhcpd="Y"	118	MiscellaneousDaemons.dhcpd="Y"
125	# Q: Would you like to disable GPM? [Y]	119	# Q: Would you like to disable GPM? [Y]
126	MiscellaneousDaemons.gpm="Y"	120	MiscellaneousDaemons.gpm="Y"
127	# Q: Would you like to disable the news server daemon? [Y]	121	# Q: Would you like to disable the news server daemon? [Y]
128	MiscellaneousDaemons.innd="Y"	122	MiscellaneousDaemons.innd="Y"
129	# Q: Would you like to deactivate the routing daemons? [Y]	123	# Q: Would you like to disable PCMCIA services? [Y]
130	MiscellaneousDaemons.routing="Y"	124	MiscellaneousDaemons.pcmcia="Y"
131	# Q: Would you like to deactivate NIS server and client programs? [Y]	125	# Q: Would you like to deactivate NFS and Samba? [Y]
132	MiscellaneousDaemons.nis="Y"	126	MiscellaneousDaemons.remotefs="Y"
133	# Q: Would you like to disable SNMPD? [Y]	127	# Q: Would you like to disable SNMPD? [Y]
134	MiscellaneousDaemons.snmpd="Y"	128	MiscellaneousDaemons.snmpd="Y"
135	# Q: Should we disable most chkconfig'd services?	129	# Q: Would you like to setup psad?
136	MiscellaneousDaemons.minimize_chkconfig="N"	130	PSAD.psad_config="N"
137	# Q: Do you want to leave sendmail running in daemon mode? [Y]	131	# Q: Would you like to disable LPR/LPRng printing? [N]
138	Sendmail.sendmaildaemon="N"	132	Printing.printing="Y"
139	# Q: Would you like to run sendmail via cron to process the queue? [N]	133	# Q: Would you like to disable CUPS printing? [N]
		134	Printing.printing_cups="N"
		135	# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
		136	SecureInetd.banners="Y"
		137	# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
		138	SecureInetd.deactivate_ftp="N"
		139	# Q: Should Bastille ensure the telnet service does not run on this system? [y]
		140	SecureInetd.deactivate_telnet="Y"
		141	# Q: Who is responsible for granting authorization to use this machine?
		142	SecureInetd.owner="its owner"
		143	# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
		144	SecureInetd.tcpd_default_deny="N"
		145	# Q: Would you like to run sendmail via cron to process the queue? [N]
140	Sendmail.sendmailcron="Y"	146	Sendmail.sendmailcron="Y"
141	# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]	147	# Q: Do you want to stop sendmail from running in daemon mode? [Y]
		148	Sendmail.sendmaildaemon="N"
		149	# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]
142	Sendmail.vrfyexpn="Y"	150	Sendmail.vrfyexpn="Y"
143	# Q: Would you like to download and install ssh? [N]	151	# Q: Would you like to install TMPDIR/TMP scripts? [N]
144	RemoteAccess.installssh="N"
145	# Q: Would you like to chroot named and set it to run as a non-root user? [N]
146	DNS.chrootbind="N"
147	# Q: Would you like to deactivate named, at least for now? [Y]
148	DNS.namedoff="Y"
149	# Q: Would you like to deactivate the Apache web server? [Y]
150	Apache.apacheoff="Y"
151	# Q: Would you like to bind the web server to listen only to the localhost? [N]
152	Apache.bindapachelocal="N"
153	# Q: Would you like to bind the web server to a particular interface? [N]
154	Apache.bindapachenic="N"
155	# Q: Would you like to deactivate the following of symbolic links? [Y]
156	Apache.symlink="Y"
157	# Q: Would you like to deactivate server-side includes? [Y]
158	Apache.ssi="Y"
159	# Q: Would you like to disable CGI scripts, at least for now? [Y]
160	Apache.cgi="Y"
161	# Q: Would you like to disable indexes? [N]
162	Apache.apacheindex="N"
163	# Q: Would you like to disable printing? [N]
164	Printing.printing="Y"
165	# Q: Would you like to disable user privileges on the FTP daemon? [N]
166	FTP.userftp="Y"
167	# Q: Would you like to disable anonymous download? [N]
168	FTP.anonftp="Y"
169	# Q: Would you like to install TMPDIR/TMP scripts? [N]
170	TMPDIR.tmpdir="Y"	152	TMPDIR.tmpdir="Y"

Lines 1-138 Link Here

(-)Bastille.orig/WorkstationLax.config (-121 / +95 lines)
1	# Q: Would you like to run the packet filtering script? [N]	1	# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
2	IPChains.ip_intro="N"
3	# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
4	FilePermissions.generalperms_1.1="N"
5	# Q: What security level should we set? [3]
6	FilePermissions.security_level="2"
7	# Q: Would you like us to modify your file permissions?
8	FilePermissions.generalperms_1.2_mandrake="Y"
9	# Q: Would you like to disable SUID status for mount/umount?
10	FilePermissions.suidmount="N"
11	# Q: Would you like to disable SUID status for ping? [Y]
12	FilePermissions.suidping="N"
13	# Q: Would you like to disable SUID status for dump and restore? [Y]
14	FilePermissions.suiddump="N"
15	# Q: Would you like to disable SUID status for cardctl? [Y]
16	FilePermissions.suidcard="N"
17	# Q: Would you like to disable SUID status for at? [Y]
18	FilePermissions.suidat="N"
19	# Q: Would you like to disable SUID status for DOSEMU? [Y]
20	FilePermissions.suiddos="Y"
21	# Q: Would you like to disable SUID status for news server tools? [Y]
22	FilePermissions.suidnews="Y"
23	# Q: Would you like to disable SUID status for printing utilities? [N]
24	FilePermissions.suidprint="N"
25	# Q: Would you like to disable SUID status for the r-tools? [Y]
26	FilePermissions.suidrtool="N"
27	# Q: Would you like to disable SUID status for usernetctl? [Y]
28	FilePermissions.suidusernetctl="N"
29	# Q: Would you like to disable SUID status for traceroute? [Y]
30	FilePermissions.suidtrace="N"
31	# Q: Would you like to set up a second UID 0 account? [N]
32	AccountSecurity.secondadmin="N"
33	# Q: May we take strong steps to disallow the dangerous r-protocols? [Y]
34	AccountSecurity.protectrhost="N"
35	# Q: Would you like to enforce password aging? [Y]
36	AccountSecurity.passwdage="Y"
37	# Q: Would you like to create a non-root user account? [N]
38	AccountSecurity.createuser="N"
39	# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
40	AccountSecurity.cronuser="N"	2	AccountSecurity.cronuser="N"
41	# Q: What umask would you like to set for users on the system? [077]	3	# Q: Would you like to enforce password aging? [Y]
42	AccountSecurity.umask="022"	4	AccountSecurity.passwdage="Y"
43	# Q: Should we allow root to login on tty's 1-6? [Y]	5	# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
		6	AccountSecurity.protectrhost="N"
		7	# Q: Should we disallow root login on tty's 1-6? [N]
44	AccountSecurity.rootttylogins="Y"	8	AccountSecurity.rootttylogins="Y"
45	# Q: Should we allow the PATH to include the current directory? [N]	9	# Q: Would you like to disable indexes? [N]
46	AccountSecurity.restrict_path_mdk="Y"	10	Apache.apacheindex="N"
47	# Q: Should we deactivate this list of users? [N]	11	# Q: Would you like to deactivate the Apache2 web server? [Y]
48	AccountSecurity.forbiduserview="N"	12	Apache.apacheoff="Y"
49	# Q: Would you like to password-protect the LILO prompt? [N]	13	# Q: Would you like to bind the Web server to listen only to the localhost? [N]
50	BootSecurity.protectlilo="N"	14	Apache.bindapachelocal="N"
51	# Q: Would you like to reduce the LILO delay time to zero? [N]	15	# Q: Would you like to bind the web server to a particular interface? [N]
		16	Apache.bindapachenic="N"
		17	# Q: Would you like to disable CGI scripts, at least for now? [Y]
		18	Apache.cgi="N"
		19	# Q: Would you like to deactivate server-side includes? [Y]
		20	Apache.ssi="Y"
		21	# Q: Would you like to deactivate the following of symbolic links? [Y]
		22	Apache.symlink="N"
		23	# Q: Would you like to reduce the LILO delay time to zero? [N]
52	BootSecurity.lilodelay="N"	24	BootSecurity.lilodelay="N"
53	# Q: Do you ever boot Linux from the hard drive? [Y]	25	# Q: Do you ever boot Linux from the hard drive? [Y]
54	BootSecurity.lilosub_drive="N"	26	BootSecurity.lilosub_drive="N"
55	# Q: Would you like to write the LILO changes to a boot floppy? [N]	27	# Q: Would you like to write the LILO changes to a boot floppy? [N]
56	BootSecurity.lilosub_floppy="N"	28	BootSecurity.lilosub_floppy="N"
57	# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]	29	# Q: Would you like to password protect single-user mode? [Y]
58	BootSecurity.secureinittab="N"
59	# Q: Would you like to password protect single-user mode? [Y]
60	BootSecurity.passsum="Y"	30	BootSecurity.passsum="Y"
61	# Q: May we disable Autologin? [Y]	31	# Q: Would you like to password-protect the LILO prompt? [N]
62	BootSecurity.disable_autologin="N"	32	BootSecurity.protectlilo="N"
63	# Q: Would you like to set a default-deny on TCP Wrappers? [N]	33	# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]
64	SecureInetd.tcpd_default_deny="N"	34	BootSecurity.secureinittab="N"
65	# Q: May we deactivate telnet? [Y]	35	# Q: Should we restrict console access to a small group of user accounts? [N]
66	SecureInetd.deactivate_telnet="Y"
67	# Q: May we deactivate ftp? [Y]
68	SecureInetd.deactivate_ftp="Y"
69	# Q: Would you like to make "Authorized Use" banners? [Y]
70	SecureInetd.banners="Y"
71	# Q: Would you like to disable the compiler? [N]
72	DisableUserTools.compiler="N"
73	# Q: Would you like to put limits on system resource usage? [Y]
74	ConfigureMiscPAM.limitsconf="N"
75	# Q: Should we restrict console access to a small group of user accounts? [N]
76	ConfigureMiscPAM.consolelogin="N"	36	ConfigureMiscPAM.consolelogin="N"
77	# Q: Would you like to add additional logging? [Y]	37	# Q: Would you like to put limits on system resource usage? [N]
		38	ConfigureMiscPAM.limitsconf="N"
		39	# Q: Would you like to chroot named and set it to run as a non-root user? [N]
		40	DNS.chrootbind="N"
		41	# Q: Would you like to deactivate named, at least for now? [Y]
		42	DNS.namedoff="Y"
		43	# Q: Would you like to disable the gcc and/or g++ compiler? [N]
		44	DisableUserTools.compiler="N"
		45	# Q: Would you like to disable anonymous download? [N]
		46	FTP.anonftp="N"
		47	# Q: Would you like to disable user privileges on the FTP daemon? [N]
		48	FTP.userftp="N"
		49	# Q: Would you like to disable SUID status for XFree86? [N]
		50	FilePermissions.suidXFree86="N"
		51	# Q: Would you like to disable SUID status for at? [Y]
		52	FilePermissions.suidat="N"
		53	# Q: Would you like to disable SUID status for cardctl? [Y]
		54	FilePermissions.suidcard="N"
		55	# Q: Would you like to disable SUID status for DOSEMU? [Y]
		56	FilePermissions.suiddos="Y"
		57	# Q: Would you like to disable SUID status for dump and restore? [Y]
		58	FilePermissions.suiddump="N"
		59	# Q: Would you like to disable SUID status for mount/umount?
		60	FilePermissions.suidmount="N"
		61	# Q: Would you like to disable SUID status for news server tools? [Y]
		62	FilePermissions.suidnews="Y"
		63	# Q: Would you like to disable SUID status for ping? [Y]
		64	FilePermissions.suidping="N"
		65	# Q: Would you like to disable SUID status for printing utilities? [N]
		66	FilePermissions.suidprint="N"
		67	# Q: Would you like to disable the r-tools? [Y]
		68	FilePermissions.suidrtool="N"
		69	# Q: Would you like to disable SUID status for traceroute? [Y]
		70	FilePermissions.suidtrace="N"
		71	# Q: Would you like to disable SUID status for usernetctl? [Y]
		72	FilePermissions.suidusernetctl="N"
		73	# Q: Would you like to run the packet filtering script? [N]
		74	Firewall.ip_intro="N"
		75	# Q: Would you like to add additional logging? [Y]
78	Logging.morelogging="Y"	76	Logging.morelogging="Y"
79	# Q: Do you have a remote logging host? [N]	77	# Q: Would you like to set up process accounting? [N]
80	Logging.remotelog="N"
81	# Q: Would you like to set up process accounting? [N]
82	Logging.pacct="N"	78	Logging.pacct="N"
83	# Q: Would you like to set up nightly security checks? [N]"	79	# Q: Would you like to disable acpid and/or apmd? [Y]
84	Logging.security_checks="Y"
85	# Q: Would you like to disable apmd? [Y]
86	MiscellaneousDaemons.apmd="N"	80	MiscellaneousDaemons.apmd="N"
87	# Q: Would you like to deactivate NFS and Samba? [Y]	81	# Q: Would you like to disable the DHCP daemon? [Y]
88	MiscellaneousDaemons.remotefs="N"
89	# Q: Would you like to disable PCMCIA services? [Y]
90	MiscellaneousDaemons.pcmcia="N"
91	# Q: Would you like to disable the DHCP daemon? [Y]
92	MiscellaneousDaemons.dhcpd="Y"	82	MiscellaneousDaemons.dhcpd="Y"
93	# Q: Would you like to disable GPM? [Y]	83	# Q: Would you like to disable GPM? [Y]
94	MiscellaneousDaemons.gpm="N"	84	MiscellaneousDaemons.gpm="N"
95	# Q: Would you like to disable the news server daemon? [Y]	85	# Q: Would you like to disable the news server daemon? [Y]
96	MiscellaneousDaemons.innd="Y"	86	MiscellaneousDaemons.innd="Y"
97	# Q: Would you like to deactivate the routing daemons? [Y]	87	# Q: Would you like to disable PCMCIA services? [Y]
98	MiscellaneousDaemons.routing="Y"	88	MiscellaneousDaemons.pcmcia="N"
99	# Q: Would you like to deactivate NIS server and client programs? [Y]	89	# Q: Would you like to deactivate NFS and Samba? [Y]
100	MiscellaneousDaemons.nis="Y"	90	MiscellaneousDaemons.remotefs="N"
101	# Q: Would you like to disable SNMPD? [Y]	91	# Q: Would you like to disable SNMPD? [Y]
102	MiscellaneousDaemons.snmpd="Y"	92	MiscellaneousDaemons.snmpd="Y"
103	# Q: Should we disable most chkconfig'd services?	93	# Q: Would you like to disable LPR/LPRng printing? [N]
104	MiscellaneousDaemons.minimize_chkconfig="N"	94	Printing.printing="N"
105	# Q: Do you want to leave sendmail running in daemon mode? [Y]	95	# Q: Would you like to disable CUPS printing? [N]
106	Sendmail.sendmaildaemon="Y"	96	Printing.printing_cups="N"
107	# Q: Would you like to run sendmail via cron to process the queue? [N]	97	# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
		98	SecureInetd.banners="N"
		99	# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
		100	SecureInetd.deactivate_ftp="N"
		101	# Q: Should Bastille ensure the telnet service does not run on this system? [y]
		102	SecureInetd.deactivate_telnet="Y"
		103	# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
		104	SecureInetd.tcpd_default_deny="N"
		105	# Q: Would you like to run sendmail via cron to process the queue? [N]
108	Sendmail.sendmailcron="N"	106	Sendmail.sendmailcron="N"
109	# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]	107	# Q: Do you want to stop sendmail from running in daemon mode? [Y]
		108	Sendmail.sendmaildaemon="Y"
		109	# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]
110	Sendmail.vrfyexpn="Y"	110	Sendmail.vrfyexpn="Y"
111	# Q: Would you like to download and install ssh? [N]	111	# Q: Would you like to install TMPDIR/TMP scripts? [N]
112	RemoteAccess.installssh="N"
113	# Q: Would you like to chroot named and set it to run as a non-root user? [N]
114	DNS.chrootbind="N"
115	# Q: Would you like to deactivate named, at least for now? [Y]
116	DNS.namedoff="Y"
117	# Q: Would you like to deactivate the Apache web server? [Y]
118	Apache.apacheoff="Y"
119	# Q: Would you like to bind the web server to listen only to the localhost? [N]
120	Apache.bindapachelocal="N"
121	# Q: Would you like to bind the web server to a particular interface? [N]
122	Apache.bindapachenic="N"
123	# Q: Would you like to deactivate the following of symbolic links? [Y]
124	Apache.symlink="N"
125	# Q: Would you like to deactivate server-side includes? [Y]
126	Apache.ssi="Y"
127	# Q: Would you like to disable CGI scripts, at least for now? [Y]
128	Apache.cgi="N"
129	# Q: Would you like to disable indexes? [N]
130	Apache.apacheindex="N"
131	# Q: Would you like to disable printing? [N]
132	Printing.printing="N"
133	# Q: Would you like to disable user privileges on the FTP daemon? [N]
134	FTP.userftp="N"
135	# Q: Would you like to disable anonymous download? [N]
136	FTP.anonftp="N"
137	# Q: Would you like to install TMPDIR/TMP scripts? [N]
138	TMPDIR.tmpdir="N"	112	TMPDIR.tmpdir="N"

Lines 1-170 Link Here

(-)Bastille.orig/WorkstationModerate.config (-153 / +135 lines)
1	# Q: Would you like to run the packet filtering script? [N]	1	# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
2	IPChains.ip_intro="Y"
3	# Q:
4	IPChains.ip_detail_level_kludge="Y"
5	# Q: Do you need the advanced networking options?
6	IPChains.ip_advnetwork="N"
7	# Q: DNS Servers: [0.0.0.0/0]
8	IPChains.ip_b_dns="0.0.0.0/0"
9	# Q:
10	IPChains.ip_b_trustiface="lo"
11	# Q: Public interfaces: [eth+ ppp+ slip+]
12	IPChains.ip_b_publiciface="eth+ ppp+ slip+"
13	# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
14	IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
15	# Q: UDP services to audit: [31337]
16	IPChains.ip_b_udpaudit="31337"
17	# Q: TCP service names or port numbers to allow on public interfaces: [ ]
18	IPChains.ip_b_publictcp="ssh 80 443 25 21 53"
19	# Q: UDP service names or port numbers to allow on public interfaces: [ ]
20	IPChains.ip_b_publicudp="53 67 68"
21	# Q: Force passive mode? [N]
22	IPChains.ip_b_passiveftp="N"
23	# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
24	IPChains.ip_b_tcpblock="2049 2065:2090 7100"
25	# Q: UDP services to block: [2049 6770]
26	IPChains.ip_b_udpblock="2049 6770"
27	# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
28	IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-requested"
29	# Q: Enable source address verification? [Y]
30	IPChains.ip_b_srcaddr="Y"
31	# Q: Reject method: [DENY]
32	IPChains.ip_b_rejectmethod="REJECT"
33	# Q: Interfaces for DHCP queries: [ ]
34	IPChains.ip_b_dhcpiface="eth+"
35	# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
36	FilePermissions.generalperms_1.1="N"
37	# Q: What security level should we set? [3]
38	FilePermissions.security_level="3"
39	# Q: Would you like us to modify your file permissions?
40	FilePermissions.generalperms_1.2_mandrake="Y"
41	# Q: Would you like to disable SUID status for mount/umount?
42	FilePermissions.suidmount="N"
43	# Q: Would you like to disable SUID status for ping? [Y]
44	FilePermissions.suidping="N"
45	# Q: Would you like to disable SUID status for dump and restore? [Y]
46	FilePermissions.suiddump="Y"
47	# Q: Would you like to disable SUID status for cardctl? [Y]
48	FilePermissions.suidcard="Y"
49	# Q: Would you like to disable SUID status for at? [Y]
50	FilePermissions.suidat="N"
51	# Q: Would you like to disable SUID status for DOSEMU? [Y]
52	FilePermissions.suiddos="Y"
53	# Q: Would you like to disable SUID status for news server tools? [Y]
54	FilePermissions.suidnews="Y"
55	# Q: Would you like to disable SUID status for printing utilities? [N]
56	FilePermissions.suidprint="N"
57	# Q: Would you like to disable SUID status for the r-tools? [Y]
58	FilePermissions.suidrtool="Y"
59	# Q: Would you like to disable SUID status for usernetctl? [Y]
60	FilePermissions.suidusernetctl="N"
61	# Q: Would you like to disable SUID status for traceroute? [Y]
62	FilePermissions.suidtrace="N"
63	# Q: Would you like to set up a second UID 0 account? [N]
64	AccountSecurity.secondadmin="N"
65	# Q: May we take strong steps to disallow the dangerous r-protocols? [Y]
66	AccountSecurity.protectrhost="Y"
67	# Q: Would you like to enforce password aging? [Y]
68	AccountSecurity.passwdage="Y"
69	# Q: Would you like to create a non-root user account? [N]
70	AccountSecurity.createuser="N"
71	# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
72	AccountSecurity.cronuser="N"	2	AccountSecurity.cronuser="N"
73	# Q: What umask would you like to set for users on the system? [077]	3	# Q: Would you like to enforce password aging? [Y]
74	AccountSecurity.umask="077"	4	AccountSecurity.passwdage="Y"
75	# Q: Should we allow root to login on tty's 1-6? [Y]	5	# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
		6	AccountSecurity.protectrhost="Y"
		7	# Q: Should we disallow root login on tty's 1-6? [N]
76	AccountSecurity.rootttylogins="Y"	8	AccountSecurity.rootttylogins="Y"
77	# Q: Should we allow the PATH to include the current directory? [N]	9	# Q: Would you like to disable indexes? [N]
78	AccountSecurity.restrict_path_mdk="N"	10	Apache.apacheindex="N"
79	# Q: Should we deactivate this list of users? [N]	11	# Q: Would you like to deactivate the Apache2 web server? [Y]
80	AccountSecurity.forbiduserview="N"	12	Apache.apacheoff="Y"
81	# Q: Would you like to password-protect the LILO prompt? [N]	13	# Q: Would you like to bind the Web server to listen only to the localhost? [N]
82	BootSecurity.protectlilo="N"	14	Apache.bindapachelocal="N"
83	# Q: Would you like to reduce the LILO delay time to zero? [N]	15	# Q: Would you like to bind the web server to a particular interface? [N]
		16	Apache.bindapachenic="N"
		17	# Q: Would you like to disable CGI scripts, at least for now? [Y]
		18	Apache.cgi="N"
		19	# Q: Would you like to deactivate server-side includes? [Y]
		20	Apache.ssi="Y"
		21	# Q: Would you like to deactivate the following of symbolic links? [Y]
		22	Apache.symlink="N"
		23	# Q: Would you like to reduce the LILO delay time to zero? [N]
84	BootSecurity.lilodelay="N"	24	BootSecurity.lilodelay="N"
85	# Q: Do you ever boot Linux from the hard drive? [Y]	25	# Q: Do you ever boot Linux from the hard drive? [Y]
86	BootSecurity.lilosub_drive="N"	26	BootSecurity.lilosub_drive="N"
87	# Q: Would you like to write the LILO changes to a boot floppy? [N]	27	# Q: Would you like to write the LILO changes to a boot floppy? [N]
88	BootSecurity.lilosub_floppy="N"	28	BootSecurity.lilosub_floppy="N"
89	# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]	29	# Q: Would you like to password protect single-user mode? [Y]
90	BootSecurity.secureinittab="N"
91	# Q: Would you like to password protect single-user mode? [Y]
92	BootSecurity.passsum="Y"	30	BootSecurity.passsum="Y"
93	# Q: May we disable Autologin? [Y]	31	# Q: Would you like to password-protect the LILO prompt? [N]
94	BootSecurity.disable_autologin="Y"	32	BootSecurity.protectlilo="N"
95	# Q: Would you like to set a default-deny on TCP Wrappers? [N]	33	# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]
96	SecureInetd.tcpd_default_deny="N"	34	BootSecurity.secureinittab="N"
97	# Q: May we deactivate telnet? [Y]	35	# Q: Should we restrict console access to a small group of user accounts? [N]
98	SecureInetd.deactivate_telnet="Y"
99	# Q: May we deactivate ftp? [Y]
100	SecureInetd.deactivate_ftp="Y"
101	# Q: Would you like to make "Authorized Use" banners? [Y]
102	SecureInetd.banners="Y"
103	# Q: Would you like to disable the compiler? [N]
104	DisableUserTools.compiler="N"
105	# Q: Would you like to put limits on system resource usage? [Y]
106	ConfigureMiscPAM.limitsconf="N"
107	# Q: Should we restrict console access to a small group of user accounts? [N]
108	ConfigureMiscPAM.consolelogin="N"	36	ConfigureMiscPAM.consolelogin="N"
109	# Q: Would you like to add additional logging? [Y]	37	# Q: Would you like to put limits on system resource usage? [N]
		38	ConfigureMiscPAM.limitsconf="N"
		39	# Q: Would you like to chroot named and set it to run as a non-root user? [N]
		40	DNS.chrootbind="N"
		41	# Q: Would you like to deactivate named, at least for now? [Y]
		42	DNS.namedoff="Y"
		43	# Q: Would you like to disable the gcc and/or g++ compiler? [N]
		44	DisableUserTools.compiler="N"
		45	# Q: Would you like to disable anonymous download? [N]
		46	FTP.anonftp="Y"
		47	# Q: Would you like to disable user privileges on the FTP daemon? [N]
		48	FTP.userftp="N"
		49	# Q: Would you like to disable SUID status for XFree86? [N]
		50	FilePermissions.suidXFree86="N"
		51	# Q: Would you like to disable SUID status for at? [Y]
		52	FilePermissions.suidat="N"
		53	# Q: Would you like to disable SUID status for cardctl? [Y]
		54	FilePermissions.suidcard="Y"
		55	# Q: Would you like to disable SUID status for DOSEMU? [Y]
		56	FilePermissions.suiddos="Y"
		57	# Q: Would you like to disable SUID status for dump and restore? [Y]
		58	FilePermissions.suiddump="Y"
		59	# Q: Would you like to disable SUID status for mount/umount?
		60	FilePermissions.suidmount="N"
		61	# Q: Would you like to disable SUID status for news server tools? [Y]
		62	FilePermissions.suidnews="Y"
		63	# Q: Would you like to disable SUID status for ping? [Y]
		64	FilePermissions.suidping="N"
		65	# Q: Would you like to disable SUID status for printing utilities? [N]
		66	FilePermissions.suidprint="N"
		67	# Q: Would you like to disable the r-tools? [Y]
		68	FilePermissions.suidrtool="Y"
		69	# Q: Would you like to disable SUID status for traceroute? [Y]
		70	FilePermissions.suidtrace="N"
		71	# Q: Would you like to disable SUID status for usernetctl? [Y]
		72	FilePermissions.suidusernetctl="N"
		73	# Q: Do you need the advanced networking options?
		74	Firewall.ip_advnetwork="N"
		75	# Q: Interfaces for DHCP queries: [ ]
		76	Firewall.ip_b_dhcpiface="eth+ wlan+ ath+"
		77	# Q: DNS Servers: [0.0.0.0/0]
		78	Firewall.ip_b_dns="0.0.0.0/0"
		79	# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
		80	Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-request"
		81	# Q: ICMP services to audit: [ ]
		82	Firewall.ip_b_icmpaudit=""
		83	# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
		84	Firewall.ip_b_icmpout="destination-unreachable time-exceeded"
		85	# Q: NTP servers to query: [ ]
		86	Firewall.ip_b_ntpsrv=""
		87	# Q: Force passive mode? [N]
		88	Firewall.ip_b_passiveftp="N"
		89	# Q: Public interfaces: [eth+ ppp+ slip+]
		90	Firewall.ip_b_publiciface="eth+ ppp+ slip+ wlan+ ath+"
		91	# Q: TCP service names or port numbers to allow on public interfaces: [ ]
		92	Firewall.ip_b_publictcp="ssh 80 443 25 21 53"
		93	# Q: UDP service names or port numbers to allow on public interfaces: [ ]
		94	Firewall.ip_b_publicudp="53 67 68"
		95	# Q: Reject method: [DENY]
		96	Firewall.ip_b_rejectmethod="REJECT"
		97	# Q: Enable source address verification? [Y]
		98	Firewall.ip_b_srcaddr="Y"
		99	# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
		100	Firewall.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
		101	# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
102	Firewall.ip_b_tcpblock="2049 2065:2090 7100"
103	# Q: UDP services to audit: [31337]
104	Firewall.ip_b_udpaudit="31337"
105	# Q: UDP services to block: [2049 6770]
106	Firewall.ip_b_udpblock="2049 6770"
107	# Q: Should Bastille run the firewall and enable it at boot time? [N]
108	Firewall.ip_enable_firewall="Y"
109	# Q: Would you like to run the packet filtering script? [N]
110	Firewall.ip_intro="Y"
111	# Q: Would you like to add additional logging? [Y]
110	Logging.morelogging="Y"	112	Logging.morelogging="Y"
111	# Q: Do you have a remote logging host? [N]	113	# Q: Would you like to set up process accounting? [N]
112	Logging.remotelog="N"
113	# Q: Would you like to set up process accounting? [N]
114	Logging.pacct="N"	114	Logging.pacct="N"
115	# Q: Would you like to set up nightly security checks? [N]"	115	# Q: Would you like to disable acpid and/or apmd? [Y]
116	Logging.security_checks="Y"
117	# Q: Would you like to disable apmd? [Y]
118	MiscellaneousDaemons.apmd="Y"	116	MiscellaneousDaemons.apmd="Y"
119	# Q: Would you like to deactivate NFS and Samba? [Y]	117	# Q: Would you like to disable the DHCP daemon? [Y]
120	MiscellaneousDaemons.remotefs="Y"
121	# Q: Would you like to disable PCMCIA services? [Y]
122	MiscellaneousDaemons.pcmcia="N"
123	# Q: Would you like to disable the DHCP daemon? [Y]
124	MiscellaneousDaemons.dhcpd="Y"	118	MiscellaneousDaemons.dhcpd="Y"
125	# Q: Would you like to disable GPM? [Y]	119	# Q: Would you like to disable GPM? [Y]
126	MiscellaneousDaemons.gpm="Y"	120	MiscellaneousDaemons.gpm="Y"
127	# Q: Would you like to disable the news server daemon? [Y]	121	# Q: Would you like to disable the news server daemon? [Y]
128	MiscellaneousDaemons.innd="Y"	122	MiscellaneousDaemons.innd="Y"
129	# Q: Would you like to deactivate the routing daemons? [Y]	123	# Q: Would you like to disable PCMCIA services? [Y]
130	MiscellaneousDaemons.routing="Y"	124	MiscellaneousDaemons.pcmcia="N"
131	# Q: Would you like to deactivate NIS server and client programs? [Y]	125	# Q: Would you like to deactivate NFS and Samba? [Y]
132	MiscellaneousDaemons.nis="Y"	126	MiscellaneousDaemons.remotefs="Y"
133	# Q: Would you like to disable SNMPD? [Y]	127	# Q: Would you like to disable SNMPD? [Y]
134	MiscellaneousDaemons.snmpd="Y"	128	MiscellaneousDaemons.snmpd="Y"
135	# Q: Should we disable most chkconfig'd services?	129	# Q: Would you like to setup psad?
136	MiscellaneousDaemons.minimize_chkconfig="N"	130	PSAD.psad_config="N"
137	# Q: Do you want to leave sendmail running in daemon mode? [Y]	131	# Q: Would you like to disable LPR/LPRng printing? [N]
138	Sendmail.sendmaildaemon="N"	132	Printing.printing="N"
139	# Q: Would you like to run sendmail via cron to process the queue? [N]	133	# Q: Would you like to disable CUPS printing? [N]
		134	Printing.printing_cups="N"
		135	# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
		136	SecureInetd.banners="Y"
		137	# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
		138	SecureInetd.deactivate_ftp="Y"
		139	# Q: Should Bastille ensure the telnet service does not run on this system? [y]
		140	SecureInetd.deactivate_telnet="Y"
		141	# Q: Who is responsible for granting authorization to use this machine?
		142	SecureInetd.owner="its owner"
		143	# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
		144	SecureInetd.tcpd_default_deny="N"
		145	# Q: Would you like to run sendmail via cron to process the queue? [N]
140	Sendmail.sendmailcron="Y"	146	Sendmail.sendmailcron="Y"
141	# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]	147	# Q: Do you want to stop sendmail from running in daemon mode? [Y]
		148	Sendmail.sendmaildaemon="N"
		149	# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]
142	Sendmail.vrfyexpn="Y"	150	Sendmail.vrfyexpn="Y"
143	# Q: Would you like to download and install ssh? [N]	151	# Q: Would you like to install TMPDIR/TMP scripts? [N]
144	RemoteAccess.installssh="N"
145	# Q: Would you like to chroot named and set it to run as a non-root user? [N]
146	DNS.chrootbind="N"
147	# Q: Would you like to deactivate named, at least for now? [Y]
148	DNS.namedoff="Y"
149	# Q: Would you like to deactivate the Apache web server? [Y]
150	Apache.apacheoff="Y"
151	# Q: Would you like to bind the web server to listen only to the localhost? [N]
152	Apache.bindapachelocal="N"
153	# Q: Would you like to bind the web server to a particular interface? [N]
154	Apache.bindapachenic="N"
155	# Q: Would you like to deactivate the following of symbolic links? [Y]
156	Apache.symlink="N"
157	# Q: Would you like to deactivate server-side includes? [Y]
158	Apache.ssi="Y"
159	# Q: Would you like to disable CGI scripts, at least for now? [Y]
160	Apache.cgi="N"
161	# Q: Would you like to disable indexes? [N]
162	Apache.apacheindex="N"
163	# Q: Would you like to disable printing? [N]
164	Printing.printing="N"
165	# Q: Would you like to disable user privileges on the FTP daemon? [N]
166	FTP.userftp="N"
167	# Q: Would you like to disable anonymous download? [N]
168	FTP.anonftp="Y"
169	# Q: Would you like to install TMPDIR/TMP scripts? [N]
170	TMPDIR.tmpdir="Y"	152	TMPDIR.tmpdir="Y"

Lines 1-172 Link Here

(-)Bastille.orig/WorkstationParanoia.config (-155 / +135 lines)
1	# Q: Would you like to run the packet filtering script? [N]	1	# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
2	IPChains.ip_intro="Y"
3	# Q:
4	IPChains.ip_detail_level_kludge="Y"
5	# Q: Do you need the advanced networking options?
6	IPChains.ip_advnetwork="N"
7	# Q: DNS Servers: [0.0.0.0/0]
8	IPChains.ip_b_dns="0.0.0.0/0"
9	# Q:
10	IPChains.ip_b_trustiface="lo"
11	# Q: Public interfaces: [eth+ ppp+ slip+]
12	IPChains.ip_b_publiciface="eth+ ppp+ slip+"
13	# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
14	IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
15	# Q: UDP services to audit: [31337]
16	IPChains.ip_b_udpaudit="31337"
17	# Q: TCP service names or port numbers to allow on public interfaces: [ ]
18	IPChains.ip_b_publictcp="ssh"
19	# Q: Force passive mode? [N]
20	IPChains.ip_b_passiveftp="N"
21	# Q: TCP services to block: [2065:2090 6000:6020 7100]
22	IPChains.ip_b_tcpblock="2049 2065:2090 6000:6020 7100"
23	# Q: UDP services to block: [2049 6770]
24	IPChains.ip_b_udpblock="2049 6770"
25	# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
26	IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded"
27	# Q: Enable source address verification? [Y]
28	IPChains.ip_b_srcaddr="Y"
29	# Q: Reject method: [DENY]
30	IPChains.ip_b_rejectmethod="DENY"
31	# Q: Interfaces for DHCP queries: [ ]
32	IPChains.ip_b_dhcpiface="eth+"
33	# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
34	IPChains.ip_b_icmpout="destination-unreachable time-exceeded echo-reply"
35	# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
36	FilePermissions.generalperms_1.1="N"
37	# Q: What security level should we set? [3]
38	FilePermissions.security_level="4"
39	# Q: Would you like us to modify your file permissions?
40	FilePermissions.generalperms_1.2_mandrake="Y"
41	# Q: Would you like to disable SUID status for mount/umount?
42	FilePermissions.suidmount="Y"
43	# Q: Would you like to disable SUID status for ping? [Y]
44	FilePermissions.suidping="Y"
45	# Q: Would you like to disable SUID status for dump and restore? [Y]
46	FilePermissions.suiddump="Y"
47	# Q: Would you like to disable SUID status for cardctl? [Y]
48	FilePermissions.suidcard="Y"
49	# Q: Would you like to disable SUID status for at? [Y]
50	FilePermissions.suidat="Y"
51	# Q: Would you like to disable SUID status for DOSEMU? [Y]
52	FilePermissions.suiddos="Y"
53	# Q: Would you like to disable SUID status for news server tools? [Y]
54	FilePermissions.suidnews="Y"
55	# Q: Would you like to disable SUID status for printing utilities? [N]
56	FilePermissions.suidprint="N"
57	# Q: Would you like to disable SUID status for the r-tools? [Y]
58	FilePermissions.suidrtool="Y"
59	# Q: Would you like to disable SUID status for usernetctl? [Y]
60	FilePermissions.suidusernetctl="Y"
61	# Q: Would you like to disable SUID status for traceroute? [Y]
62	FilePermissions.suidtrace="Y"
63	# Q: Would you like to set up a second UID 0 account? [N]
64	AccountSecurity.secondadmin="N"
65	# Q: May we take strong steps to disallow the dangerous r-protocols? [Y]
66	AccountSecurity.protectrhost="Y"
67	# Q: Would you like to enforce password aging? [Y]
68	AccountSecurity.passwdage="Y"
69	# Q: Would you like to create a non-root user account? [N]
70	AccountSecurity.createuser="N"
71	# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
72	AccountSecurity.cronuser="Y"	2	AccountSecurity.cronuser="Y"
73	# Q: What umask would you like to set for users on the system? [077]	3	# Q: Would you like to enforce password aging? [Y]
74	AccountSecurity.umask="077"	4	AccountSecurity.passwdage="Y"
75	# Q: Should we allow root to login on tty's 1-6? [Y]	5	# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
		6	AccountSecurity.protectrhost="Y"
		7	# Q: Should we disallow root login on tty's 1-6? [N]
76	AccountSecurity.rootttylogins="N"	8	AccountSecurity.rootttylogins="N"
77	# Q: Should we allow the PATH to include the current directory? [N]	9	# Q: Would you like to disable indexes? [N]
78	AccountSecurity.restrict_path_mdk="N"	10	Apache.apacheindex="N"
79	# Q: Should we deactivate this list of users? [N]	11	# Q: Would you like to deactivate the Apache2 web server? [Y]
80	AccountSecurity.forbiduserview="Y"	12	Apache.apacheoff="Y"
81	# Q: Would you like to password-protect the LILO prompt? [N]	13	# Q: Would you like to bind the Web server to listen only to the localhost? [N]
82	BootSecurity.protectlilo="N"	14	Apache.bindapachelocal="N"
83	# Q: Would you like to reduce the LILO delay time to zero? [N]	15	# Q: Would you like to bind the web server to a particular interface? [N]
		16	Apache.bindapachenic="N"
		17	# Q: Would you like to disable CGI scripts, at least for now? [Y]
		18	Apache.cgi="Y"
		19	# Q: Would you like to deactivate server-side includes? [Y]
		20	Apache.ssi="Y"
		21	# Q: Would you like to deactivate the following of symbolic links? [Y]
		22	Apache.symlink="Y"
		23	# Q: Would you like to reduce the LILO delay time to zero? [N]
84	BootSecurity.lilodelay="N"	24	BootSecurity.lilodelay="N"
85	# Q: Do you ever boot Linux from the hard drive? [Y]	25	# Q: Do you ever boot Linux from the hard drive? [Y]
86	BootSecurity.lilosub_drive="N"	26	BootSecurity.lilosub_drive="N"
87	# Q: Would you like to write the LILO changes to a boot floppy? [N]	27	# Q: Would you like to write the LILO changes to a boot floppy? [N]
88	BootSecurity.lilosub_floppy="N"	28	BootSecurity.lilosub_floppy="N"
89	# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]	29	# Q: Would you like to password protect single-user mode? [Y]
90	BootSecurity.secureinittab="N"
91	# Q: Would you like to password protect single-user mode? [Y]
92	BootSecurity.passsum="Y"	30	BootSecurity.passsum="Y"
93	# Q: May we disable Autologin? [Y]	31	# Q: Would you like to password-protect the LILO prompt? [N]
94	BootSecurity.disable_autologin="Y"	32	BootSecurity.protectlilo="N"
95	# Q: Would you like to set a default-deny on TCP Wrappers? [N]	33	# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]
96	SecureInetd.tcpd_default_deny="N"	34	BootSecurity.secureinittab="N"
97	# Q: May we deactivate telnet? [Y]	35	# Q: Should we restrict console access to a small group of user accounts? [N]
98	SecureInetd.deactivate_telnet="Y"
99	# Q: May we deactivate ftp? [Y]
100	SecureInetd.deactivate_ftp="Y"
101	# Q: Would you like to set sshd to accept connections only from a small list of IP addresses. [N]
102	SecureInetd.limit_ssh="N"
103	# Q: Would you like to make "Authorized Use" banners? [Y]
104	SecureInetd.banners="Y"
105	# Q: Would you like to disable the compiler? [N]
106	DisableUserTools.compiler="N"
107	# Q: Would you like to put limits on system resource usage? [Y]
108	ConfigureMiscPAM.limitsconf="N"
109	# Q: Should we restrict console access to a small group of user accounts? [N]
110	ConfigureMiscPAM.consolelogin="N"	36	ConfigureMiscPAM.consolelogin="N"
111	# Q: Would you like to add additional logging? [Y]	37	# Q: Would you like to put limits on system resource usage? [N]
		38	ConfigureMiscPAM.limitsconf="N"
		39	# Q: Would you like to chroot named and set it to run as a non-root user? [N]
		40	DNS.chrootbind="N"
		41	# Q: Would you like to deactivate named, at least for now? [Y]
		42	DNS.namedoff="Y"
		43	# Q: Would you like to disable the gcc and/or g++ compiler? [N]
		44	DisableUserTools.compiler="N"
		45	# Q: Would you like to disable anonymous download? [N]
		46	FTP.anonftp="Y"
		47	# Q: Would you like to disable user privileges on the FTP daemon? [N]
		48	FTP.userftp="Y"
		49	# Q: Would you like to disable SUID status for XFree86? [N]
		50	FilePermissions.suidXFree86="N"
		51	# Q: Would you like to disable SUID status for at? [Y]
		52	FilePermissions.suidat="Y"
		53	# Q: Would you like to disable SUID status for cardctl? [Y]
		54	FilePermissions.suidcard="Y"
		55	# Q: Would you like to disable SUID status for DOSEMU? [Y]
		56	FilePermissions.suiddos="Y"
		57	# Q: Would you like to disable SUID status for dump and restore? [Y]
		58	FilePermissions.suiddump="Y"
		59	# Q: Would you like to disable SUID status for mount/umount?
		60	FilePermissions.suidmount="Y"
		61	# Q: Would you like to disable SUID status for news server tools? [Y]
		62	FilePermissions.suidnews="Y"
		63	# Q: Would you like to disable SUID status for ping? [Y]
		64	FilePermissions.suidping="Y"
		65	# Q: Would you like to disable SUID status for printing utilities? [N]
		66	FilePermissions.suidprint="N"
		67	# Q: Would you like to disable the r-tools? [Y]
		68	FilePermissions.suidrtool="Y"
		69	# Q: Would you like to disable SUID status for traceroute? [Y]
		70	FilePermissions.suidtrace="Y"
		71	# Q: Would you like to disable SUID status for usernetctl? [Y]
		72	FilePermissions.suidusernetctl="Y"
		73	# Q: Do you need the advanced networking options?
		74	Firewall.ip_advnetwork="N"
		75	# Q: Interfaces for DHCP queries: [ ]
		76	Firewall.ip_b_dhcpiface="eth+ wlan+ ath+"
		77	# Q: DNS Servers: [0.0.0.0/0]
		78	Firewall.ip_b_dns="0.0.0.0/0"
		79	# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
		80	Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded"
		81	# Q: ICMP services to audit: [ ]
		82	Firewall.ip_b_icmpaudit=""
		83	# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
		84	Firewall.ip_b_icmpout="destination-unreachable time-exceeded echo-reply"
		85	# Q: NTP servers to query: [ ]
		86	Firewall.ip_b_ntpsrv=""
		87	# Q: Force passive mode? [N]
		88	Firewall.ip_b_passiveftp="N"
		89	# Q: Public interfaces: [eth+ ppp+ slip+]
		90	Firewall.ip_b_publiciface="eth+ ppp+ slip+ wlan+ ath+"
		91	# Q: TCP service names or port numbers to allow on public interfaces: [ ]
		92	Firewall.ip_b_publictcp="ssh"
		93	# Q: UDP service names or port numbers to allow on public interfaces: [ ]
		94	Firewall.ip_b_publicudp=""
		95	# Q: Reject method: [DENY]
		96	Firewall.ip_b_rejectmethod="DENY"
		97	# Q: Enable source address verification? [Y]
		98	Firewall.ip_b_srcaddr="Y"
		99	# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
		100	Firewall.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
		101	# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
102	Firewall.ip_b_tcpblock="2049 2065:2090 6000:6020 7100"
103	# Q: UDP services to audit: [31337]
104	Firewall.ip_b_udpaudit="31337"
105	# Q: UDP services to block: [2049 6770]
106	Firewall.ip_b_udpblock="2049 6770"
107	# Q: Should Bastille run the firewall and enable it at boot time? [N]
108	Firewall.ip_enable_firewall="Y"
109	# Q: Would you like to run the packet filtering script? [N]
110	Firewall.ip_intro="Y"
111	# Q: Would you like to add additional logging? [Y]
112	Logging.morelogging="Y"	112	Logging.morelogging="Y"
113	# Q: Do you have a remote logging host? [N]	113	# Q: Would you like to set up process accounting? [N]
114	Logging.remotelog="N"
115	# Q: Would you like to set up process accounting? [N]
116	Logging.pacct="N"	114	Logging.pacct="N"
117	# Q: Would you like to set up nightly security checks? [N]"	115	# Q: Would you like to disable acpid and/or apmd? [Y]
118	Logging.security_checks="Y"
119	# Q: Would you like to disable apmd? [Y]
120	MiscellaneousDaemons.apmd="Y"	116	MiscellaneousDaemons.apmd="Y"
121	# Q: Would you like to deactivate NFS and Samba? [Y]	117	# Q: Would you like to disable the DHCP daemon? [Y]
122	MiscellaneousDaemons.remotefs="Y"
123	# Q: Would you like to disable PCMCIA services? [Y]
124	MiscellaneousDaemons.pcmcia="Y"
125	# Q: Would you like to disable the DHCP daemon? [Y]
126	MiscellaneousDaemons.dhcpd="Y"	118	MiscellaneousDaemons.dhcpd="Y"
127	# Q: Would you like to disable GPM? [Y]	119	# Q: Would you like to disable GPM? [Y]
128	MiscellaneousDaemons.gpm="Y"	120	MiscellaneousDaemons.gpm="Y"
129	# Q: Would you like to disable the news server daemon? [Y]	121	# Q: Would you like to disable the news server daemon? [Y]
130	MiscellaneousDaemons.innd="Y"	122	MiscellaneousDaemons.innd="Y"
131	# Q: Would you like to deactivate the routing daemons? [Y]	123	# Q: Would you like to disable PCMCIA services? [Y]
132	MiscellaneousDaemons.routing="Y"	124	MiscellaneousDaemons.pcmcia="Y"
133	# Q: Would you like to deactivate NIS server and client programs? [Y]	125	# Q: Would you like to deactivate NFS and Samba? [Y]
134	MiscellaneousDaemons.nis="Y"	126	MiscellaneousDaemons.remotefs="Y"
135	# Q: Would you like to disable SNMPD? [Y]	127	# Q: Would you like to disable SNMPD? [Y]
136	MiscellaneousDaemons.snmpd="Y"	128	MiscellaneousDaemons.snmpd="Y"
137	# Q: Should we disable most chkconfig'd services?	129	# Q: Would you like to setup psad?
138	MiscellaneousDaemons.minimize_chkconfig="Y"	130	PSAD.psad_config="N"
139	# Q: Do you want to leave sendmail running in daemon mode? [Y]	131	# Q: Would you like to disable LPR/LPRng printing? [N]
140	Sendmail.sendmaildaemon="N"	132	Printing.printing="N"
141	# Q: Would you like to run sendmail via cron to process the queue? [N]	133	# Q: Would you like to disable CUPS printing? [N]
		134	Printing.printing_cups="N"
		135	# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
		136	SecureInetd.banners="Y"
		137	# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
		138	SecureInetd.deactivate_ftp="Y"
		139	# Q: Should Bastille ensure the telnet service does not run on this system? [y]
		140	SecureInetd.deactivate_telnet="Y"
		141	# Q: Who is responsible for granting authorization to use this machine?
		142	SecureInetd.owner="its owner"
		143	# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
		144	SecureInetd.tcpd_default_deny="N"
		145	# Q: Would you like to run sendmail via cron to process the queue? [N]
142	Sendmail.sendmailcron="Y"	146	Sendmail.sendmailcron="Y"
143	# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]	147	# Q: Do you want to stop sendmail from running in daemon mode? [Y]
		148	Sendmail.sendmaildaemon="N"
		149	# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]
144	Sendmail.vrfyexpn="Y"	150	Sendmail.vrfyexpn="Y"
145	# Q: Would you like to download and install ssh? [N]	151	# Q: Would you like to install TMPDIR/TMP scripts? [N]
146	RemoteAccess.installssh="N"
147	# Q: Would you like to chroot named and set it to run as a non-root user? [N]
148	DNS.chrootbind="N"
149	# Q: Would you like to deactivate named, at least for now? [Y]
150	DNS.namedoff="Y"
151	# Q: Would you like to deactivate the Apache web server? [Y]
152	Apache.apacheoff="Y"
153	# Q: Would you like to bind the web server to listen only to the localhost? [N]
154	Apache.bindapachelocal="N"
155	# Q: Would you like to bind the web server to a particular interface? [N]
156	Apache.bindapachenic="N"
157	# Q: Would you like to deactivate the following of symbolic links? [Y]
158	Apache.symlink="Y"
159	# Q: Would you like to deactivate server-side includes? [Y]
160	Apache.ssi="Y"
161	# Q: Would you like to disable CGI scripts, at least for now? [Y]
162	Apache.cgi="Y"
163	# Q: Would you like to disable indexes? [N]
164	Apache.apacheindex="N"
165	# Q: Would you like to disable printing? [N]
166	Printing.printing="N"
167	# Q: Would you like to disable user privileges on the FTP daemon? [N]
168	FTP.userftp="Y"
169	# Q: Would you like to disable anonymous download? [N]
170	FTP.anonftp="Y"
171	# Q: Would you like to install TMPDIR/TMP scripts? [N]
172	TMPDIR.tmpdir="Y"	152	TMPDIR.tmpdir="Y"