Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 378422 Details for
Bug 431232
app-admin/bastille-3.0.9: installs in site_perl
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Fix install path
bastille-3.0.9-gentoo-0.3.patch (text/plain), 119.89 KB, created by
Ferenc Erki
on 2014-06-07 13:41:07 UTC
(
hide
)
Description:
Fix install path
Filename:
MIME Type:
Creator:
Ferenc Erki
Created:
2014-06-07 13:41:07 UTC
Size:
119.89 KB
patch
obsolete
>diff -urN Bastille.orig/AutomatedBastille Bastille/AutomatedBastille >--- Bastille.orig/AutomatedBastille 2005-04-06 01:18:11.000000000 +0200 >+++ Bastille/AutomatedBastille 2014-06-07 13:15:52.877123074 +0200 >@@ -80,7 +80,7 @@ > use Curses::Widgets; > > # Hardcoded List of configurations -- to be replaced by list read from file >-@list = ("Default_Workstation","Default_Workstation_plus_Firewall","Quit"); >+@list = ("WorkstationLax","WorkstationModerate","WorkstationParanoia","ServerLax","ServerModerate","ServerParanoia","Quit"); > > $window = new Curses; > >@@ -113,7 +113,7 @@ > endwin; > > unless ($selection == $#list) { >- $file = $list[$selection]; >+ $file = $list[$selection].".config"; > } > else { > exit 0; >diff -urN Bastille.orig/Bastille/Apache.pm Bastille/Bastille/Apache.pm >--- Bastille.orig/Bastille/Apache.pm 2005-04-11 11:43:51.000000000 +0200 >+++ Bastille/Bastille/Apache.pm 2014-06-07 13:15:52.877123074 +0200 >@@ -35,7 +35,7 @@ > if ( &getGlobalConfig("Apache","apacheoff") eq "Y" ) { > > &B_log("ACTION","# sub DeactivateApacheServer\n"); >- &B_chkconfig_off ("httpd"); >+ &B_chkconfig_off ("apache2"); > > } > } >diff -urN Bastille.orig/Bastille/API.pm Bastille/Bastille/API.pm >--- Bastille.orig/Bastille/API.pm 2006-04-03 15:16:05.000000000 +0200 >+++ Bastille/Bastille/API.pm 2014-06-07 13:15:52.879123148 +0200 >@@ -461,6 +461,9 @@ > } > close(TURBOLINUX_RELEASE); > } >+ elsif ( -e "/etc/gentoo-release") { >+ $distro="GN"; # Rolling releases in Gentoo >+ } > else { > # We're either on Mac OS X, HP-UX or an unsupported O/S. > if ( -x '/usr/bin/uname') { >@@ -567,7 +570,8 @@ > "SE7.2","SE7.3", "SE8.0","SE8.1","SE9.0","SE9.1", > "SE9.2","SE9.3","SE10.0", > "SESLES8","SESLES9", >- "TB7.0" >+ "TB7.0", >+ "GN" > ], > > "HP-UX" => [ >@@ -2672,6 +2676,15 @@ > } > > } >+ elsif (&GetDistro =~ /^GN/) { >+ $rcupdate = &getGlobal('BIN', "chkconfig") . " add " . "$startup_script default"; >+ if (system($rcupdate) == 0) { >+ return 1; >+ } >+ else { >+ return 0; >+ } >+ } > > # > # Run through the init script looking for the chkconfig line... >@@ -2847,6 +2860,16 @@ > } > > } >+ elsif (&GetDistro =~ /^GN/) { >+ $rcupdate = &getGlobal('BIN', "chkconfig") . " del $startup_script"; >+ if (system($rcupdate) == 0) >+ { >+ return 1; >+ } >+ else { >+ return 0; >+ } >+ } > else { > > # Run through the init script looking for the chkconfig line... >diff -urN Bastille.orig/Bastille/API.pm.sweth Bastille/Bastille/API.pm.sweth >--- Bastille.orig/Bastille/API.pm.sweth 2005-04-06 01:18:11.000000000 +0200 >+++ Bastille/Bastille/API.pm.sweth 2014-06-07 13:15:52.880123189 +0200 >@@ -482,6 +482,16 @@ > "log" => "/usr/adm", > "httpd.conf" => "/var/lib/apache/conf/httpd.conf", > "httpd_access.conf" => "/var/lib/apache/conf/access.conf" >+ }, >+ "GN" => { >+ "chattr" => "/bin/chattr", >+ "floppy" => "/mnt/floppy", >+ "group" => "/etc/group", >+ "httpd.conf" => "/etc/apache2/httpd.conf", >+ "httpd_access.conf" => "/etc/apache2/access.conf", >+ "initd" => "/etc/init.d", >+ "rcd" => "/etc/runlevels", >+ "rpm" => "/usr/bin/rpm" > } > ); > foreach my $DISTRO_FILE (keys %{$DISTRO_PATHS{'default'}}) { >diff -urN Bastille.orig/Bastille/Firewall.pm Bastille/Bastille/Firewall.pm >--- Bastille.orig/Bastille/Firewall.pm 2005-04-06 21:30:35.000000000 +0200 >+++ Bastille/Bastille/Firewall.pm 2014-06-07 13:15:52.881123225 +0200 >@@ -276,10 +276,6 @@ > # only do this if the user answered ipchains questions > if ( &getGlobalConfig($configPrefix,"ip_intro") eq 'Y' ) { > >- # Put the init script in place. >- &B_place($virgin_init_script,$firewall_init_script); >- &B_chmod(0500,$firewall_init_script); >- > # Put the ipchains script in place. > &B_place($virgin_ipchains_script,$firewall_ipchains_script); > &B_chmod(0500,$firewall_ipchains_script); >@@ -404,6 +400,13 @@ > } > > } >+ elsif ( &GetDistro =~ /^GN/ && &getGlobalConfig($configPrefix,"ip_enable_firewall") eq 'Y' ) { >+ &B_log("ACTION","# Firewall.pm: enabling firewall with distribution B_chkconfig_on\n"); >+ &B_chkconfig_on("bastille-firewall"); >+ if ( -x $firewall_init_script ) { >+ `$firewall_init_script start`; >+ } >+ } > } > # end of things to do if ipchains was chosen > if ( &getGlobalConfig($configPrefix,"ip_intro") eq 'N' ) { >diff -urN Bastille.orig/Bastille/IOLoader.pm Bastille/Bastille/IOLoader.pm >--- Bastille.orig/Bastille/IOLoader.pm 2006-04-03 15:16:13.000000000 +0200 >+++ Bastille/Bastille/IOLoader.pm 2014-06-07 13:15:52.882123261 +0200 >@@ -213,7 +213,7 @@ > # making sure to respect recursively defined macros. > > if ($data =~ /\bLINUX\b/) { >- my $supported_distros = 'RH MN RHEL RHFC DB SE'; >+ my $supported_distros = 'RH MN RHEL RHFC DB SE GN'; > $data =~ s/\bLINUX\b/$supported_distros/; > } > if ($data =~ /\bRH\b/) { >diff -urN Bastille.orig/Bastille/Logging.pm Bastille/Bastille/Logging.pm >--- Bastille.orig/Bastille/Logging.pm 2005-04-08 06:42:54.000000000 +0200 >+++ Bastille/Bastille/Logging.pm 2014-06-07 13:15:52.882123261 +0200 >@@ -45,25 +45,30 @@ > # > # Also configure the 7th and 8th TTYs for more logging. > >- my $var_log_syslog_lines= <<END_SYSLOG; >+ my $logger, $syslogconf; >+ my $var_log_syslog_lines, $var_log_kernel_lines, $var_log_loginlog_lines, $tty_log_lines; >+ >+ if (( -e "/etc/runlevels/default/sysklogd" ) || !(&GetDistro =~/^GN.*/)) >+ { >+ $var_log_syslog_lines= <<END_SYSLOG; > # Log warning and errors to the new file /var/log/syslog > *.warn;*.err\t/var/log/syslog > > END_SYSLOG > >- my $var_log_kernel_lines= <<END_KERNEL; >+ $var_log_kernel_lines= <<END_KERNEL; > # Log all kernel messages to the new file /var/log/kernel > kern.*\t/var/log/kernel > > END_KERNEL > >- my $var_log_loginlog_lines = <<END_LOGINLOG; >+ $var_log_loginlog_lines = <<END_LOGINLOG; > # Log all logins to /var/log/loginlog > auth.*;user.*;daemon.none\t/var/log/loginlog > > END_LOGINLOG > >- my $tty_log_lines= <<END_TTY_LOG; >+ $tty_log_lines= <<END_TTY_LOG; > # Log additional data to the Alt-F7 and Alt-F8 screens (Pseudo TTY 7 and 8) > > *.info;mail.none;authpriv.none\t/dev/tty7 >@@ -74,24 +79,107 @@ > > END_TTY_LOG > >- my $syslogconf = &getGlobal('FILE','syslog.conf'); >+ my $logger = "syslogd"; >+ if ($logging_host) { >+ &B_append_line("/etc/syslog.conf","\\\@$logging_host","*.warn;*.err\t\@$logging_host\nauthpriv.*;auth.*\t\@$logging_host\n"); >+ } >+ >+ } >+ elsif ( -e "/etc/runlevels/default/syslog-ng" ) >+ { >+ $var_log_syslog_lines= <<END_SYSLOG; >+# Log warning and errors to the new file /var/log/syslog >+destination syslog { file("/var/log/syslog"); }; >+filter f_syslog { facility(warn, err); }; >+log { source(src); filter(f_syslog); destination(syslog); }; >+ >+END_SYSLOG >+ >+ $var_log_kernel_lines= <<END_KERNEL; >+# Log all kernel messages to the new file /var/log/kernel >+source kernsrc { file("/proc/kmsg"); }; >+destination kern { file("/var/log/kernel"); }; >+filter f_kern { facility(kern); }; >+log { source(kernsrc); filter(f_kern); destination(kern); }; >+ >+END_KERNEL >+ >+ $var_log_loginlog_lines = <<END_LOGINLOG; >+# Log all logins to /var/log/loginlog >+destination loginlog { file("/var/log/loginlog"); }; >+filter f_loginlog { facility(auth, user) and not facility(daemon); }; >+log { source(src); filter(f_loginlog); destination(loginlog); }; >+ >+END_LOGINLOG >+ >+ $tty_log_lines= <<END_TTY_LOG; >+# Log additional data to the Alt-F7 and Alt-F8 screens (Pseudo TTY 7 and 8) >+ >+destination tty7 { file("/dev/tty7"); }; >+destination tty8 { file("/dev/tty8"); }; >+filter f_info { level(info) and not facility(mail, authpriv); }; >+filter f_authpriv { facility(authpriv); }; >+filter f_warnerr { level(warn, err); }; >+filter f_mail { facility(mail); }; >+log { source(src); filter(f_info); destination(tty7); }; >+log { source(src); filter(f_authpriv); destination(tty7); }; >+log { source(src); filter(f_warnerr); destination(tty7); }; >+log { source(kernsrc); filter(f_kern); destination(tty7); }; >+log { source(src); filter(f_mail); destination(tty8); }; >+ >+END_TTY_LOG >+ >+ $logger = "syslog-ng"; >+ $syslogconf = "/etc/syslog-ng/syslog-ng.conf"; >+ } >+ elsif ( -e "/etc/runlevels/default/metalog" ) >+ { >+ $var_log_syslog_lines= <<END_SYSLOG; >+# Log warning and errors to the new directory /var/log/syslog >+Syslog : >+ >+ facility = "warn" >+ facility = "err" >+ logdir = "/var/log/syslog" >+ >+END_SYSLOG >+ # $var_log_kernel_lines is included in metalog default on Gentoo systems. >+ >+ $var_log_loginlog_lines = <<END_LOGINLOG; >+# Log all logins to /var/log/loginlog >+Loginlog : >+ facility = "auth" >+ facility = "user" >+ logdir = "/var/log/loginlog" >+ >+END_LOGINLOG >+ >+ $tty_log_lines= <<END_TTY_LOG; >+# Log additional data to the Alt-F7 and Alt-F8 screens (Pseudo TTY 7 and 8) >+ >+# BASTILLE TODO: Scripts need to be used to run output to different TTYs. >+END_TTY_LOG >+ $logger = "metalog"; >+ $syslogconf = "/etc/metalog.conf"; >+ } >+ > &B_append_line($syslogconf,"ADDITIONS","############ BASTILLE ADDITIONS BELOW : ################# \n"); >- >+ > &B_append_line($syslogconf,'\/var\/log\/syslog',$var_log_syslog_lines); > &B_append_line($syslogconf,'\/var\/log\/kernel',$var_log_kernel_lines); > &B_append_line($syslogconf,'\/var\/log\/loginlog',$var_log_loginlog_lines); > &B_append_line($syslogconf,'\/dev\/tty7',$tty_log_lines); > &B_append_line($syslogconf,'\/dev\/tty12',"*.*\t/dev/tty12\n"); >+ &B_append_line($syslogconf,"BASTILLE ADDITIONS CONCLUDED","########## BASTILLE ADDITIONS CONCLUDED : ###############\n"); > >- if ($logging_host) { >- &B_append_line($syslogconf,"\\\@$logging_host","*.warn;*.err\t\@$logging_host\nauthpriv.*;auth.*\t\@$logging_host\n"); >+ # Metalog uses a directory-tree structure. >+ if($logger ne "metalog") >+ { >+ &B_create_file("/var/log/syslog"); >+ &B_create_file("/var/log/kernel"); >+ &B_create_file("/var/log/loginlog"); > } > >- &B_append_line($syslogconf,"BASTILLE ADDITIONS CONCLUDED","########## BASTILLE ADDITIONS CONCLUDED : ###############\n"); >- >- &B_create_file("/var/log/syslog"); >- &B_create_file("/var/log/kernel"); >- &B_create_file("/var/log/loginlog"); > > # > # Configure log rotation for the new log files: >@@ -101,25 +189,38 @@ > > /var/log/kernel { > postrotate >- /usr/bin/killall -HUP syslogd >+ /usr/bin/killall -HUP $logger > endscript > } > > /var/log/syslog { > postrotate >- /usr/bin/killall -HUP syslogd >+ /usr/bin/killall -HUP $logger > endscript > } > > /var/log/loginlog { > postrotate >- /usr/bin/killall -HUP syslogd >+ /usr/bin/killall -HUP $logger > endscript > } > END_NEW_ROT > >+ my $logrotated; >+ if(&GetDistro =~/^GN.*/) >+ { >+ $logrotated = "/etc/logrotate.d/$logger"; >+ } >+ else >+ { >+ $logrotated = "/etc/logrotate.d/syslog"; >+ } > >- &B_append_line("/etc/logrotate.d/syslog",'\bloginlog\b',$rotation_lines); >+ # Metalog rotates on its own. >+ if($logger ne "metalog") >+ { >+ &B_append_line($logrotated,'\bloginlog\b',$rotation_lines); >+ } > > } > } >diff -urN Bastille.orig/bastille-firewall.gentoo-init Bastille/bastille-firewall.gentoo-init >--- Bastille.orig/bastille-firewall.gentoo-init 1970-01-01 01:00:00.000000000 +0100 >+++ Bastille/bastille-firewall.gentoo-init 2014-06-07 13:15:52.883123307 +0200 >@@ -0,0 +1,42 @@ >+#!/sbin/runscript >+# Copyright 1999-2004 Gentoo Foundation >+# Distributed under the terms of the GNU General Public License v2 >+# $Header: /var/cvsroot/gentoo-x86/app-admin/bastille/files/bastille-3.0.2-firewall.init,v 1.1 2005/07/31 05:21:10 battousai Exp $ >+ >+opts="start stop" >+BASTILLEPREFIX="/usr/share/Bastille" >+ >+depend() { >+ need logger >+} >+ >+start() { >+ # "Borrowed" from the original bastille-firewall init script ((c) P. Watkins) >+ REALSCRIPT=${BASTILLEPREFIX}/bastille-ipchains >+ if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then >+ # We are using Linux 2.3 or newer; use the netfilter script if available >+ if [ -x ${BASTILLEPREFIX}/bastille-netfilter ]; then >+ REALSCRIPT=${BASTILLEPREFIX}/bastille-netfilter >+ fi >+ fi >+ >+ ebegin "Starting bastille-firewall" >+ $REALSCRIPT start >+ eend $? "Failed to start bastille-firewall" >+} >+ >+stop() { >+ # "Borrowed" from the original bastille-firewall init script ((c) P. Watkins) >+ REALSCRIPT=${BASTILLEPREFIX}/bastille-ipchains >+ if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then >+ # We are using Linux 2.3 or newer; use the netfilter script if available >+ if [ -x ${BASTILLEPREFIX}/bastille-netfilter ]; then >+ REALSCRIPT=${BASTILLEPREFIX}/bastille-netfilter >+ fi >+ fi >+ >+ ebegin "Stopping bastille-firewall" >+ $REALSCRIPT stop >+ eend $? "Failed to stop bastille-firewall" >+} >+ >diff -urN Bastille.orig/bastille-netfilter Bastille/bastille-netfilter >--- Bastille.orig/bastille-netfilter 2005-04-06 01:18:11.000000000 +0200 >+++ Bastille/bastille-netfilter 2014-06-07 13:15:52.883123307 +0200 >@@ -56,8 +56,42 @@ > fi > > if [ ! -f ${CONFIG} ]; then >- echo "ERROR: unable to read configuration file \"${CONFIG}\"" >- exit 1 >+ if [ "$1" == "stop" ]; then >+ echo "INFO: called stop without a configuration file. Emergency firewall clear." >+ >+ # flushing leaves the default input at ${REJECT_METHOD} >+ echo -n "resetting default input rules to accept..." >+ ${IPTABLES} -P INPUT ACCEPT >+ echo " done." >+ echo -n "resetting default output rule to accept..." >+ ${IPTABLES} -P OUTPUT ACCEPT >+ echo " done." >+ # We disabled forwarding with the /proc interface, but we >+ # reset FORWARD to ACCEPT because that;s the normal default >+ echo -n "resetting default forward rule to accept..." >+ ${IPTABLES} -P FORWARD ACCEPT >+ echo " done." >+ for chain in INPUT OUTPUT FORWARD ; do >+ echo -n "flushing ${chain} rules..." >+ ${IPTABLES} -F ${chain} >+ echo " done." >+ done >+ for chain in PREROUTING POSTROUTING ; do >+ ${IPTABLES} -t nat -F ${chain} >+ done >+ ${IPTABLES} -t mangle -F PREROUTING >+ # flush and delete the user-defined chains >+ echo -n "removing user-defined chains..." >+ for chain in PUB_IN PUB_OUT INT_IN INT_OUT PAROLE ; do >+ ${IPTABLES} -F ${chain} >+ ${IPTABLES} -X ${chain} >+ done >+ echo " done." >+ exit 0 >+ else >+ echo "ERROR: unable to read configuration file \"${CONFIG}\"" >+ exit 1 >+ fi > fi > > # source the configuration file, which will set environment variables >diff -urN Bastille.orig/Install.sh Bastille/Install.sh >--- Bastille.orig/Install.sh 2005-04-18 23:26:39.000000000 +0200 >+++ Bastille/Install.sh 2014-06-07 13:16:38.279233102 +0200 >@@ -1,107 +1,109 @@ > #!/bin/sh > > umask 077 >-RPM_BUILD_ROOT="" > >-mkdir -p $RPM_BUILD_ROOT/usr/sbin >-mkdir -p $RPM_BUILD_ROOT/usr/lib/perl5/site_perl/Curses >-mkdir -p $RPM_BUILD_ROOT/usr/lib/Bastille >-mkdir -p $RPM_BUILD_ROOT/usr/share/Bastille >-mkdir -p $RPM_BUILD_ROOT/usr/share/Bastille/OSMap >-mkdir -p $RPM_BUILD_ROOT/usr/share/Bastille/Questions >-mkdir -p $RPM_BUILD_ROOT/usr/share/Bastille/FKL/configs/ >-mkdir -p $RPM_BUILD_ROOT/var/lock/subsys/bastille >+eval `perl -V:version` >+PERLVERSION=${version} >+ >+mkdir -p ${DESTDIR}/usr/sbin >+mkdir -p ${DESTDIR}/usr/lib/perl5/vendor_perl/${PERLVERSION}/Curses >+mkdir -p ${DESTDIR}/usr/lib/Bastille >+mkdir -p ${DESTDIR}/usr/share/Bastille >+mkdir -p ${DESTDIR}/usr/share/Bastille/OSMap >+mkdir -p ${DESTDIR}/usr/share/Bastille/Questions >+mkdir -p ${DESTDIR}/usr/share/Bastille/FKL/configs/ >+mkdir -p ${DESTDIR}/var/lock/subsys/bastille > >-cp AutomatedBastille $RPM_BUILD_ROOT/usr/sbin/ >-cp BastilleBackEnd $RPM_BUILD_ROOT/usr/sbin >-cp Bastille_Curses.pm $RPM_BUILD_ROOT/usr/lib/perl5/site_perl >-cp Bastille_Tk.pm $RPM_BUILD_ROOT/usr/lib/perl5/site_perl >-cp Curses/Widgets.pm $RPM_BUILD_ROOT/usr/lib/perl5/site_perl/Curses >-cp InteractiveBastille $RPM_BUILD_ROOT/usr/sbin >+cp AutomatedBastille ${DESTDIR}/usr/sbin/ >+cp BastilleBackEnd ${DESTDIR}/usr/sbin >+cp Bastille_Curses.pm ${DESTDIR}/usr/lib/perl5/vendor_perl/${PERLVERSION} >+cp Bastille_Tk.pm ${DESTDIR}/usr/lib/perl5/vendor_perl/${PERLVERSION} >+cp Curses/Widgets.pm ${DESTDIR}/usr/lib/perl5/vendor_perl/${PERLVERSION}/Curses >+cp InteractiveBastille ${DESTDIR}/usr/sbin > # Questions.txt has been replaced by Modules.txt and Questions/ >-#cp Questions.txt $RPM_BUILD_ROOT/usr/share/Bastille >-cp Modules.txt $RPM_BUILD_ROOT/usr/share/Bastille >+#cp Questions.txt ${DESTDIR}/usr/share/Bastille >+cp Modules.txt ${DESTDIR}/usr/share/Bastille > # New Weights file(s). >-cp Weights.txt $RPM_BUILD_ROOT/usr/share/Bastille >+cp Weights.txt ${DESTDIR}/usr/share/Bastille > # Castle graphic >-cp bastille.jpg $RPM_BUILD_ROOT/usr/share/Bastille/ >+cp bastille.jpg ${DESTDIR}/usr/share/Bastille/ > # Javascript file >-cp wz_tooltip.js $RPM_BUILD_ROOT/usr/share/Bastille/ >-cp Credits $RPM_BUILD_ROOT/usr/share/Bastille >-cp FKL/configs/fkl_config_redhat.cfg $RPM_BUILD_ROOT/usr/share/Bastille/FKL/configs/ >- >-cp RevertBastille $RPM_BUILD_ROOT/usr/sbin >-ln -s $RPM_BUILD_ROOT/usr/sbin/RevertBastille $RPM_BUILD_ROOT/usr/sbin/UndoBastille >-cp bin/bastille $RPM_BUILD_ROOT/usr/sbin >-chmod +x $RPM_BUILD_ROOT/usr/sbin/RevertBastille >-cp bastille-firewall $RPM_BUILD_ROOT/usr/share/Bastille >-cp bastille-firewall-reset $RPM_BUILD_ROOT/usr/share/Bastille >-cp bastille-firewall-schedule $RPM_BUILD_ROOT/usr/share/Bastille >-cp bastille-tmpdir-defense.sh $RPM_BUILD_ROOT/usr/share/Bastille >-cp bastille-tmpdir.csh $RPM_BUILD_ROOT/usr/share/Bastille >-cp bastille-tmpdir.sh $RPM_BUILD_ROOT/usr/share/Bastille >-cp bastille-firewall.cfg $RPM_BUILD_ROOT/usr/share/Bastille >-cp bastille-ipchains $RPM_BUILD_ROOT/usr/share/Bastille >-cp bastille-netfilter $RPM_BUILD_ROOT/usr/share/Bastille >-cp bastille-firewall-early.sh $RPM_BUILD_ROOT/usr/share/Bastille >-cp bastille-firewall-pre-audit.sh $RPM_BUILD_ROOT/usr/share/Bastille >-cp complete.xbm $RPM_BUILD_ROOT/usr/share/Bastille >-cp incomplete.xbm $RPM_BUILD_ROOT/usr/share/Bastille >-cp ifup-local $RPM_BUILD_ROOT/usr/share/Bastille >- >- >-cp hosts.allow $RPM_BUILD_ROOT/usr/share/Bastille >-cp Bastille/AccountSecurity.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/Apache.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/API.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/BootSecurity.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/ConfigureMiscPAM.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/DisableUserTools.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/DNS.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/FilePermissions.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/FTP.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/Firewall.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/HP_API.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/OSX_API.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/LogAPI.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/HP_UX.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/IOLoader.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/Patches.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/Logging.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/MiscellaneousDaemons.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/PatchDownload.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/Printing.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/PSAD.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/RemoteAccess.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/SecureInetd.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/Sendmail.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/TMPDIR.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/test_AccountSecurity.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/test_Apache.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/test_DNS.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/test_FTP.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/test_HP_UX.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/test_MiscellaneousDaemons.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/test_SecureInetd.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/test_Sendmail.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/test_BootSecurity.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/test_DisableUserTools.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/test_FilePermissions.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/test_Logging.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/test_Printing.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/TestAPI.pm $RPM_BUILD_ROOT/usr/lib/Bastille >-cp Bastille/IPFilter.pm $RPM_BUILD_ROOT/usr/lib/Bastille >- >- >- >-cp OSMap/LINUX.bastille $RPM_BUILD_ROOT/usr/share/Bastille/OSMap >-cp OSMap/LINUX.system $RPM_BUILD_ROOT/usr/share/Bastille/OSMap >-cp OSMap/HP-UX.bastille $RPM_BUILD_ROOT/usr/share/Bastille/OSMap >-cp OSMap/HP-UX.system $RPM_BUILD_ROOT/usr/share/Bastille/OSMap >-cp OSMap/HP-UX.service $RPM_BUILD_ROOT/usr/share/Bastille/OSMap >-cp OSMap/OSX.bastille $RPM_BUILD_ROOT/usr/share/Bastille/OSMap >-cp OSMap/OSX.system $RPM_BUILD_ROOT/usr/share/Bastille/OSMap >+cp wz_tooltip.js ${DESTDIR}/usr/share/Bastille/ >+cp Credits ${DESTDIR}/usr/share/Bastille >+cp FKL/configs/fkl_config_redhat.cfg ${DESTDIR}/usr/share/Bastille/FKL/configs/ >+ >+cp RevertBastille ${DESTDIR}/usr/sbin >+ln -s ${DESTDIR}/usr/sbin/RevertBastille ${DESTDIR}/usr/sbin/UndoBastille >+cp bin/bastille ${DESTDIR}/usr/sbin >+chmod +x ${DESTDIR}/usr/sbin/RevertBastille >+cp bastille-firewall ${DESTDIR}/usr/share/Bastille >+cp bastille-firewall-reset ${DESTDIR}/usr/share/Bastille >+cp bastille-firewall-schedule ${DESTDIR}/usr/share/Bastille >+cp bastille-tmpdir-defense.sh ${DESTDIR}/usr/share/Bastille >+cp bastille-tmpdir.csh ${DESTDIR}/usr/share/Bastille >+cp bastille-tmpdir.sh ${DESTDIR}/usr/share/Bastille >+cp bastille-firewall.cfg ${DESTDIR}/usr/share/Bastille >+cp bastille-ipchains ${DESTDIR}/usr/share/Bastille >+cp bastille-netfilter ${DESTDIR}/usr/share/Bastille >+cp bastille-firewall-early.sh ${DESTDIR}/usr/share/Bastille >+cp bastille-firewall-pre-audit.sh ${DESTDIR}/usr/share/Bastille >+cp complete.xbm ${DESTDIR}/usr/share/Bastille >+cp incomplete.xbm ${DESTDIR}/usr/share/Bastille >+cp ifup-local ${DESTDIR}/usr/share/Bastille >+ >+ >+cp hosts.allow ${DESTDIR}/usr/share/Bastille >+cp Bastille/AccountSecurity.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/Apache.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/API.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/BootSecurity.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/ConfigureMiscPAM.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/DisableUserTools.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/DNS.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/FilePermissions.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/FTP.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/Firewall.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/HP_API.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/OSX_API.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/LogAPI.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/HP_UX.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/IOLoader.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/Patches.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/Logging.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/MiscellaneousDaemons.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/PatchDownload.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/Printing.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/PSAD.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/RemoteAccess.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/SecureInetd.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/Sendmail.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/TMPDIR.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/test_AccountSecurity.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/test_Apache.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/test_DNS.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/test_FTP.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/test_HP_UX.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/test_MiscellaneousDaemons.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/test_SecureInetd.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/test_Sendmail.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/test_BootSecurity.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/test_DisableUserTools.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/test_FilePermissions.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/test_Logging.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/test_Printing.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/TestAPI.pm ${DESTDIR}/usr/lib/Bastille >+cp Bastille/IPFilter.pm ${DESTDIR}/usr/lib/Bastille >+ >+ >+ >+cp OSMap/LINUX.bastille ${DESTDIR}/usr/share/Bastille/OSMap >+cp OSMap/LINUX.system ${DESTDIR}/usr/share/Bastille/OSMap >+cp OSMap/HP-UX.bastille ${DESTDIR}/usr/share/Bastille/OSMap >+cp OSMap/HP-UX.system ${DESTDIR}/usr/share/Bastille/OSMap >+cp OSMap/HP-UX.service ${DESTDIR}/usr/share/Bastille/OSMap >+cp OSMap/OSX.bastille ${DESTDIR}/usr/share/Bastille/OSMap >+cp OSMap/OSX.system ${DESTDIR}/usr/share/Bastille/OSMap > > for file in `cat Modules.txt` ; do >- cp Questions/$file.txt $RPM_BUILD_ROOT/usr/share/Bastille/Questions >+ cp Questions/$file.txt ${DESTDIR}/usr/share/Bastille/Questions > done >diff -urN Bastille.orig/InteractiveBastille Bastille/InteractiveBastille >--- Bastille.orig/InteractiveBastille 2006-04-03 15:16:23.000000000 +0200 >+++ Bastille/InteractiveBastille 2014-06-07 13:15:52.885123358 +0200 >@@ -372,17 +372,28 @@ > } > } > >+my $interface_available = 0; > for my $interface_module ("Curses", "Tk") { >- if ( $Interface eq $interface_module ) { >- eval "use $interface_module"; >- if ($@) { >- &B_log("ERROR","Could not load the '${interface_module}.pm' interface module." . >- "This may be due to an invalid \$DISPLAY setting,". >- "or the module not being visible to Perl.\n\n"); >- print '\n'; >- exit 1; >- } >+ eval "use $interface_module"; >+ if ($@) { >+ &B_log("ERROR","Could not load the '${interface_module}.pm' interface module." . >+ "This may be due to an invalid \$DISPLAY setting,". >+ "or the module not being visible to Perl.\n\n"); >+ if ( ( $interface_available == 1 ) && ( $interface_module eq "Tk" ) ) >+ { >+ $Interface = "Curses"; >+ } > } >+ else >+ { >+ $interface_available = 1; >+ } >+} >+ >+if ( $interface_available == 0 ) >+{ >+ &B_log("ERROR","No suitable interface module found.\n"); >+ exit 1; > } > > # KLUDGE: Load the stub... >diff -urN Bastille.orig/OSMap/LINUX.system Bastille/OSMap/LINUX.system >--- Bastille.orig/OSMap/LINUX.system 2006-04-03 15:42:28.000000000 +0200 >+++ Bastille/OSMap/LINUX.system 2014-06-07 13:15:52.886123379 +0200 >@@ -1,4 +1,5 @@ > bin,XFree86,'/usr/X11R6/bin/XFree86' >+bin,XFree86,'/usr/bin/Xorg',GN > bin,Xwrapper,'/usr/X11R6/bin/Xwrapper' > > bin,accton,'/usr/sbin/accton' >@@ -9,8 +10,10 @@ > bin,bash,'/bin/bash' > bin,cardctl,'/sbin/cardctl' > bin,chattr,'/usr/bin/chattr' >+bin,chattr,'/bin/chattr',GN > bin,chgrp,'/bin/chgrp' > bin,chkconfig,'/sbin/chkconfig' >+bin,chkconfig,'/sbin/rc-update',GN > bin,chmod,'/bin/chmod' > bin,chown,'/bin/chown' > bin,cksum,'/usr/bin/cksum' >@@ -20,6 +23,7 @@ > bin,diff,'/usr/bin/diff' > bin,dos,'/usr/bin/dos' > bin,dump,'/sbin/dump' >+bin,dump,'/usr/sbin/dump',GN > bin,echo,'/bin/echo' > bin,grep,'/bin/grep' > bin,grep,'/usr/bin/grep',SE >@@ -44,12 +48,13 @@ > bin,named-xfer,'/usr/sbin/named-xfer' > bin,ping,'/bin/ping' > bin,ping6,'/usr/sbin/ping6',RH7.0,RH7.1,RH7.2,RH7.3,RH8.0,RH9,RHEL2 >-bin,ping6,'/bin/ping6',DB,RHEL3,RHFC1,RHFC2,RHFC3,RHFC4,RHFC5,SE9.1,SE9.2,SE9.3,SE10.0,SESLES9 >+bin,ping6,'/bin/ping6',DB,RHEL3,RHFC1,RHFC2,RHFC3,RHFC4,RHFC5,SE9.1,SE9.2,SE9.3,SE10.0,SESLES9,GN > bin,ping6,'/usr/bin/ping6',MN9.2,MN10.0,MN10.1,MN2006.0 > bin,ps,'/bin/ps' > bin,rcp,'/usr/bin/rcp' > bin,rdist,'/usr/bin/rdist' > bin,restore,'/sbin/restore' >+bin,restore,'/usr/sbin/restore',GN > bin,rexec,'/usr/bin/rexec' > bin,rexecd,'/usr/sbin/in.rexecd' > bin,rlogin,'/usr/bin/rlogin' >@@ -57,6 +62,7 @@ > bin,rm,'/bin/rm' > bin,rmdir,'/bin/rmdir' > bin,rpm,'/bin/rpm' >+bin,rpm,'/usr/bin/rpm',GN > bin,rsh,'/usr/bin/rsh' > bin,rcp,'/usr/bin/rcp' > bin,rshd,'/usr/sbin/in.rshd' >@@ -65,10 +71,12 @@ > bin,startinnfeed,'/usr/bin/startinnfeed' > bin,sulogin,'/sbin/sulogin' > bin,touch,'/bin/touch' >+bin,touch,'/usr/bin/touch',GN > bin,traceroute,'/usr/sbin/traceroute' >+bin,traceroute,'/usr/bin/traceroute',GN > > bin,traceroute6,'/bin/traceroute6' >-bin,traceroute6,'/usr/sbin/traceroute6',RH7.0,RH7.1,RH7.2,RH7.3,RH8.0,RH9,RHEL2,MN9.2,MN10.0,MN10.1,MN2006.0 >+bin,traceroute6,'/usr/sbin/traceroute6',RH7.0,RH7.1,RH7.2,RH7.3,RH8.0,RH9,RHEL2,MN9.2,MN10.0,MN10.1,MN2006.0,GN > bin,traceroute6,'/usr/bin/traceroute6',DB > > bin,umount,'/bin/umount' >@@ -82,13 +90,14 @@ > dir,home,'/home' > > dir,initd,'/etc/rc.d/init.d' >-dir,initd,'/etc/init.d',DB,SE,SLES >+dir,initd,'/etc/init.d',DB,SE,SLES,GN > > dir,log,'/var/log' > dir,pamd,'/etc/pam.d' > > dir,rcd,'/etc/rc.d' > dir,rcd,'/etc',DB >+dir,rcd,'/etc/runlevels',GN > > dir,sbin,'/sbin' > dir,xinetd.d,'/etc/xinetd.d' >@@ -104,6 +113,7 @@ > file,chkconfig_apmd,'/etc/rc.d/rc3.d/S26apmd' > file,chkconfig_apmd,'/etc/rc3.d/S26apmd',DB > file,chkconfig_apmd,'/etc/rc.config',SE >+file,chkconfig_apmd,'/etc/runlevels/default/apmd',GN > file,initd_apmd,'/etc/init.d/apmd' > > file,initd_acpid,'/etc/init.d/acpid' >@@ -114,24 +124,31 @@ > file,chkconfig_dhcpd,'/etc/rc.d/rc3.d/S65dhcpd' > file,chkconfig_dhcpd,'/etc/rc3.d/S65dhcpd',DB > file,chkconfig_dhcpd,'/etc/rc.config',SE >+file,chkconfig_dhcpd,'/etc/runlevels/default/dhcpd',GN > file,initd_dhcpd,'/etc/init.d/dhcpd' > > file,chkconfig_gated,'/etc/rc.d/rc3.d/S32gated' > file,chkconfig_gated,'/etc/rc3.d/S32gated',DB >+file,chkconfig_gated,'/etc/runlevels/default/gated',GN > file,initd_gated,'/etc/init.d/gated' > > file,chkconfig_gpm,'/etc/rc.d/rc3.d/S85gpm' > file,chkconfig_gpm,'/etc/rc3.d/S20gpm',DB > file,chkconfig_gpm,'/etc/rc.config',SE >+file,chkconfig_gpm,'/etc/runlevels/default/gpm',GN > file,initd_gpm,'/etc/init.d/gpm' > > file,chkconfig_httpd,'/etc/rc.d/rc3.d/S85httpd' > file,chkconfig_httpd,'/etc/rc3.d/S91httpd',DB >+file,chkconfig_httpd,'/etc/runlevels/default/apache2',GN > file,initd_httpd,'/etc/init.d/httpd' > file,initd_httpd2,'/etc/init.d/httpd2' >+file,initd_httpd,'/etc/init.d/apache2',GN >+file,initd_httpd2,'/etc/init.d/apache2',GN > > file,chkconfig_innd,'/etc/rc.d/rc3.d/S95innd' > file,chkconfig_innd,'/etc/rc3.d/S95innd',DB >+file,chkconfig_innd,'/etc/runlevels/default/innd',GN > file,initd_innd,'/etc/init.d/innd' > > file,chkconfig_kudzu,'/etc/init.d/kudzu' >@@ -139,6 +156,7 @@ > > file,chkconfig_named,'/etc/rc.d/rc3.d/S55named' > file,chkconfig_named,'/etc/rc3.d/S15named',DB >+file,chkconfig_named,'/etc/runlevels/default/named',GN > file,initd_named,'/etc/init.d/named' > > file,chkconfig_nfs,'/etc/rc.d/rc3.d/S60nfs' >@@ -149,6 +167,7 @@ > file,chkconfig_pcmcia,'/etc/rc.d/rc3.d/S45pcmcia' > file,chkconfig_pcmcia,'/etc/rc3.d/S45pcmcia',DB > file,chkconfig_pcmcia,'/etc/rc.config',SE >+file,chkconfig_pcmcia,'/etc/runlevels/default/pcmcia',GN > file,initd_pcmcia,'/etc/init.d/pcmcia' > > file,initd_mDNSResponder,'/etc/init.d/mDNSResponder' >@@ -163,6 +182,7 @@ > > file,chkconfig_routed,'/etc/rc.d/rc3.d/S55gated' > file,chkconfig_routed,'/etc/rc3.d/S55gated',DB >+file,chkconfig_routed,'/etc/runlevels/default/gated',GN > file,initd_routed,'/etc/init.d/routed' > > file,chkconfig_snmpd,'/etc/rc.d/rc3.d/S50snmpd' >@@ -190,20 +210,22 @@ > file,shadow,'/etc/shadow' > > file,grub.conf,'/etc/grub.conf' >-file,grub.conf,'/boot/grub/grub.conf',RH9,RHEL,RHFC >+file,grub.conf,'/boot/grub/grub.conf',RH9,RHEL,RHFC,GN > file,grub.conf,'/boot/grub/menu.lst',SE,MN > file,hosts.allow,'/etc/hosts.allow' > file,hosts.deny,'/etc/hosts.deny' > > file,httpd,'/usr/sbin/httpd' > file,httpd,'/usr/sbin/apache',DB >+file,httpd,'/usr/sbin/apache2',GN > > file,httpd2,'/usr/sbin/httpd2' >+file,httpd2,'/usr/sbin/apache2',GN > > file,httpd.conf,'/etc/httpd/conf/httpd.conf' > file,httpd.conf,'/etc/apache/httpd.conf',DB > file,httpd.conf,'/etc/httpd/httpd.conf',SE7.2 SE7.3 SE8.0 >-file,httpd.conf,'/etc/apache2/httpd.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES >+file,httpd.conf,'/etc/apache2/httpd.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES,GN > file,httpd.conf,'/etc/httpd/conf/httpd2.conf',MN10.1 > # SuSE breaks httpd.conf into many files after 8. > file,listen.conf,'/etc/apache2/listen.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES >@@ -216,6 +238,7 @@ > file,httpd_access.conf,'/etc/httpd/httpd.conf',SE7.2 SE7.3 SE8.0 > file,httpd_access.conf,'/etc/apache2/httpd.conf',SE9.0,SE9.1,SE9.2,SE9.3,SLES > file,httpd_access.conf,'/etc/httpd/conf/commonhttpd.conf',MN10.1 >+file,httpd_access.conf,'/etc/apache2/access.conf',GN > > file,inetd.conf,'/etc/inetd.conf' > file,inittab,'/etc/inittab' >diff -urN Bastille.orig/Questions/Apache.txt Bastille/Questions/Apache.txt >--- Bastille.orig/Questions/Apache.txt 2005-08-04 07:07:44.000000000 +0200 >+++ Bastille/Questions/Apache.txt 2014-06-07 13:15:52.886123379 +0200 >@@ -20,20 +20,20 @@ > PROPER_PARENT: namedoff > > LABEL: apacheoff >-SHORT_EXP: "Will you be using the Apache web server immediately? Again, >+SHORT_EXP: "Will you be using the Apache2 web server immediately? Again, > minimalism is a critical part of a good site security. If you don't > need to run a web server, at least not right now, you should deactivate it. > You can restart the web server later by typing: > >- /sbin/chkconfig httpd on >+ /sbin/rc-update add apache2 default > " >-QUESTION: "Would you like to deactivate the Apache web server? [Y]" >+QUESTION: "Would you like to deactivate the Apache2 web server? [Y]" > QUESTION_AUDIT: "Is the Apache Web server deactivated?" > REQUIRE_DISTRO: LINUX DB SE TB > DEFAULT_ANSWER: Y > YN_TOGGLE: 1 > REG_EXP: "^Y$|^N$" >-YES_EXP: "Even though you've deactivated the Apache web server, there are >+YES_EXP: "Even though you've deactivated the Apache2 web server, there are > still a few more questions related to it. It's good to take the precautions in > the next steps even if you've turned off the web server, since it might get > turned on again later." >diff -urN Bastille.orig/Questions/BootSecurity.txt Bastille/Questions/BootSecurity.txt >--- Bastille.orig/Questions/BootSecurity.txt 2005-09-11 10:58:23.000000000 +0200 >+++ Bastille/Questions/BootSecurity.txt 2014-06-07 13:15:52.886123379 +0200 >@@ -15,7 +15,11 @@ > purpose lab and dual boots, you probably shouldn't choose this option. > > Otherwise, this is strongly recommended for general use workstations and >-servers which are not locked away in their own room." >+servers which are not locked away in their own room. >+ >+WARNING: If you are currently managing the GRUB prompt manually OR through >+another program, and wish to maintain your current settings, please select >+NO for this prompt." > QUESTION: "Would you like to password-protect the GRUB prompt? [N]" > QUESTION_AUDIT: "Is the GRUB prompt password-protected?" > REQUIRE_DISTRO: LINUX DB SE TB >diff -urN Bastille.orig/Questions/DNS.txt Bastille/Questions/DNS.txt >--- Bastille.orig/Questions/DNS.txt 2005-04-10 00:25:56.000000000 +0200 >+++ Bastille/Questions/DNS.txt 2014-06-07 13:15:52.887123400 +0200 >@@ -88,7 +88,7 @@ > > Even if you plan on setting up a name server on this machine, you should > deactivate it for now until you get the configuration files setup. You >-can reactivate it then by typing, as root: /sbin/chkconfig named on " >+can reactivate it then by typing, as root: /sbin/rc-update add named default " > QUESTION: "Would you like to deactivate named, at least for now? [Y]" > QUESTION_AUDIT: "Is named deactivated?" > REQUIRE_DISTRO: LINUX >diff -urN Bastille.orig/Questions/FilePermissions.txt Bastille/Questions/FilePermissions.txt >--- Bastille.orig/Questions/FilePermissions.txt 2005-04-18 18:47:42.000000000 +0200 >+++ Bastille/Questions/FilePermissions.txt 2014-06-07 13:15:52.888123422 +0200 >@@ -17,7 +17,7 @@ > QUESTION: "Would you like to set more restrictive permissions on the > administration utilities? [N]" > QUESTION_AUDIT: "Are more restrictive permissions on the administration utilities set?" >-REQUIRE_DISTRO: RH MN DB SE TB >+REQUIRE_DISTRO: RH MN DB SE TB GN > YN_TOGGLE: 1 > YES_EXP: > NO_EXP: >diff -urN Bastille.orig/Questions/Firewall.txt Bastille/Questions/Firewall.txt >--- Bastille.orig/Questions/Firewall.txt 2005-04-10 00:25:56.000000000 +0200 >+++ Bastille/Questions/Firewall.txt 2014-06-07 13:15:52.889123445 +0200 >@@ -1129,8 +1129,7 @@ > > Once you have a configuration that will work on your system, you can make it > run at every normal boot-up by typing >- /sbin/chkconfig --add bastille-firewall >- /sbin/chkconfig bastille-firewall reset >+ /sbin/rc-update add bastille-firewall default > > If you are confident of your selections, Bastille can start the firewall > and configure it to run at boot time for you. >diff -urN Bastille.orig/Questions/Logging.txt Bastille/Questions/Logging.txt >--- Bastille.orig/Questions/Logging.txt 2005-08-04 07:07:44.000000000 +0200 >+++ Bastille/Questions/Logging.txt 2014-06-07 13:15:52.889123445 +0200 >@@ -10,7 +10,7 @@ > a \"risky\" move." > QUESTION: "Would you like to add additional logging? [Y]" > QUESTION_AUDIT: "Has additional logging been added?" >-REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB >+REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB GN > DEFAULT_ANSWER: Y > YN_TOGGLE: 1 > REG_EXP: "^Y$|^N$" >@@ -33,7 +33,7 @@ > SHORT_EXP: "If you already have a remote logging host, we can set this > machine to log to it." > QUESTION: "Do you have a remote logging host? [N]" >-REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB >+REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB GN > DEFAULT_ANSWER: N > YN_TOGGLE: 1 > REG_EXP: "^Y$|^N$" >@@ -53,7 +53,7 @@ > poisoning attacks on logging. You may use a hostname, but it should be > added to your /etc/hosts file..." > QUESTION: "What is the IP address of the machine you want to log to? [127.0.0.1]" >-REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB >+REQUIRE_DISTRO: RH MN RHEL RHFC DB SE7.2 SE7.3 SE8.0 SE9.0 SE9.1 SE9.2 SESLES TB GN > DEFAULT_ANSWER: 127.0.0.1 > YN_TOGGLE: 0 > YES_CHILD: pacct >diff -urN Bastille.orig/Questions/Printing.txt Bastille/Questions/Printing.txt >--- Bastille.orig/Questions/Printing.txt 2005-04-10 00:25:56.000000000 +0200 >+++ Bastille/Questions/Printing.txt 2014-06-07 13:15:52.890123470 +0200 >@@ -15,12 +15,12 @@ > > # /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm > >- # /sbin/chkconfig lpd on >+ # /sbin/rc-update add lpd default > > This is only recommended if this machine will not be used for printing > in the near future. If you deactivate this, you might want to write > down the commands above in case you decide to re-enable printing later." >-QUESTION: "Would you like to disable printing? [N]" >+QUESTION: "Would you like to disable LPR/LPRng printing? [N]" > QUESTION_AUDIT: "Is printing disabled?" > REQUIRE_DISTRO: LINUX > DEFAULT_ANSWER: N >@@ -48,12 +48,12 @@ > # /bin/chmod 0755 /usr/bin/lpr /usr/bin/lprm /usr/bin/lpstat > # /bin/chmod 04755 /usr/bin/lppasswd > >- # /sbin/chkconfig cups on >+ # /sbin/rc-update add cups default > > This is only recommended if this machine will not be used for printing > in the near future. If you deactivate this, you might want to write > down the commands above in case you decide to re-enable printing later." >-QUESTION: "Would you like to disable printing? [N]" >+QUESTION: "Would you like to disable CUPS printing? [N]" > QUESTION_AUDIT: "Is printing disabled?" > REQUIRE_DISTRO: LINUX > DEFAULT_ANSWER: N >diff -urN Bastille.orig/Questions/PSAD.txt Bastille/Questions/PSAD.txt >--- Bastille.orig/Questions/PSAD.txt 2005-04-10 00:25:57.000000000 +0200 >+++ Bastille/Questions/PSAD.txt 2014-06-07 13:15:52.890123470 +0200 >@@ -259,7 +259,7 @@ > /etc/rc.d/init.d/psad stop > > Bastille can configure your system to start psad at boot time by executing >- chkconfig psad on." >+ /sbin/rc-update add psad default " > QUESTION: "Should Bastille enable psad at boot time? [N]" > REQUIRE_DISTRO: LINUX > YN_TOGGLE: 1 >diff -urN Bastille.orig/Questions.txt Bastille/Questions.txt >--- Bastille.orig/Questions.txt 2005-04-06 01:18:11.000000000 +0200 >+++ Bastille/Questions.txt 2014-06-07 13:15:52.894123570 +0200 >@@ -2975,7 +2975,7 @@ > > Even if you plan on setting up a name server on this machine, you should > deactivate it for now until you get the configuration files setup. You >-can reactivate it then by typing, as root: /sbin/chkconfig named on " >+can reactivate it then by typing, as root: /sbin/rc-update add named default " > QUESTION: "Would you like to deactivate named, at least for now? [Y]" > REQUIRE_DISTRO: LINUX > REQUIRE_FILE_EXISTS: chkconfig_named >@@ -3014,15 +3014,15 @@ > need to run a web server, at least not right now, you should deactivate it. > You can restart the web server later by typing: > >- /sbin/chkconfig httpd on >+ /sbin/rc-update add apache2 default > " >-QUESTION: "Would you like to deactivate the Apache web server? [Y]" >+QUESTION: "Would you like to deactivate the Apache2 web server? [Y]" > REQUIRE_DISTRO: LINUX DB SE TB > REQUIRE_FILE_EXISTS: chkconfig_httpd > DEFAULT_ANSWER: Y > YN_TOGGLE: 1 > REG_EXP: "^Y$|^N$" >-YES_EXP: "Even though you've deactivated the Apache web server, there are >+YES_EXP: "Even though you've deactivated the Apache2 web server, there are > still a few more questions related to it. It's good to take the precautions in > the next steps even if you've turned off the web server, since it might get > turned on again later." >@@ -3297,7 +3297,7 @@ > > # /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm > >- # /sbin/chkconfig lpd on >+ # /sbin/rc-update add lpd default > > This is only recommended if this machine will not be used for printing > in the near future. If you deactivate this, you might want to write >@@ -3330,7 +3330,7 @@ > # /bin/chmod 0755 /usr/bin/lpr /usr/bin/lprm /usr/bin/lpstat > # /bin/chmod 04755 /usr/bin/lppasswd > >- # /sbin/chkconfig cups on >+ # /sbin/rc-update add cups default > > This is only recommended if this machine will not be used for printing > in the near future. If you deactivate this, you might want to write >@@ -5130,8 +5130,7 @@ > > Once you have a configuration that will work on your system, you can make it > run at every normal boot-up by typing >- /sbin/chkconfig --add bastille-firewall >- /sbin/chkconfig bastille-firewall reset >+ /sbin/rc-update add bastille-firewall default > > If you are confident of your selections, Bastille can start the firewall > and configure it to run at boot time for you. >diff -urN Bastille.orig/ServerLax.config Bastille/ServerLax.config >--- Bastille.orig/ServerLax.config 2005-04-06 01:18:11.000000000 +0200 >+++ Bastille/ServerLax.config 2014-06-07 13:15:52.896123619 +0200 >@@ -1,138 +1,114 @@ >-# Q: Would you like to run the packet filtering script? [N] >-IPChains.ip_intro="N" >-# Q: Would you like to set more restrictive permissions on the administration utilities? [N] >-FilePermissions.generalperms_1.1="N" >-# Q: What security level should we set? [3] >-FilePermissions.security_level="2" >-# Q: Would you like us to modify your file permissions? >-FilePermissions.generalperms_1.2_mandrake="Y" >-# Q: Would you like to disable SUID status for mount/umount? >-FilePermissions.suidmount="N" >-# Q: Would you like to disable SUID status for ping? [Y] >-FilePermissions.suidping="N" >-# Q: Would you like to disable SUID status for dump and restore? [Y] >-FilePermissions.suiddump="Y" >-# Q: Would you like to disable SUID status for cardctl? [Y] >-FilePermissions.suidcard="Y" >-# Q: Would you like to disable SUID status for at? [Y] >-FilePermissions.suidat="N" >-# Q: Would you like to disable SUID status for DOSEMU? [Y] >-FilePermissions.suiddos="Y" >-# Q: Would you like to disable SUID status for news server tools? [Y] >-FilePermissions.suidnews="Y" >-# Q: Would you like to disable SUID status for printing utilities? [N] >-FilePermissions.suidprint="N" >-# Q: Would you like to disable SUID status for the r-tools? [Y] >-FilePermissions.suidrtool="N" >-# Q: Would you like to disable SUID status for usernetctl? [Y] >-FilePermissions.suidusernetctl="N" >-# Q: Would you like to disable SUID status for traceroute? [Y] >-FilePermissions.suidtrace="N" >-# Q: Would you like to set up a second UID 0 account? [N] >-AccountSecurity.secondadmin="N" >-# Q: May we take strong steps to disallow the dangerous r-protocols? [Y] >-AccountSecurity.protectrhost="N" >-# Q: Would you like to enforce password aging? [Y] >-AccountSecurity.passwdage="Y" >-# Q: Would you like to create a non-root user account? [N] >-AccountSecurity.createuser="N" >-# Q: Would you like to restrict the use of cron to administrative accounts? [Y] >+# Q: Would you like to restrict the use of cron to administrative accounts? [Y] > AccountSecurity.cronuser="N" >-# Q: What umask would you like to set for users on the system? [077] >-AccountSecurity.umask="022" >-# Q: Should we allow root to login on tty's 1-6? [Y] >+# Q: Would you like to enforce password aging? [Y] >+AccountSecurity.passwdage="Y" >+# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y] >+AccountSecurity.protectrhost="N" >+# Q: Should we disallow root login on tty's 1-6? [N] > AccountSecurity.rootttylogins="Y" >-# Q: Should we allow the PATH to include the current directory? [N] >-AccountSecurity.restrict_path_mdk="Y" >-# Q: Should we deactivate this list of users? [N] >-AccountSecurity.forbiduserview="N" >-# Q: Would you like to password-protect the LILO prompt? [N] >-BootSecurity.protectlilo="N" >-# Q: Would you like to reduce the LILO delay time to zero? [N] >+# Q: Would you like to disable indexes? [N] >+Apache.apacheindex="N" >+# Q: Would you like to deactivate the Apache2 web server? [Y] >+Apache.apacheoff="Y" >+# Q: Would you like to bind the Web server to listen only to the localhost? [N] >+Apache.bindapachelocal="N" >+# Q: Would you like to bind the web server to a particular interface? [N] >+Apache.bindapachenic="N" >+# Q: Would you like to disable CGI scripts, at least for now? [Y] >+Apache.cgi="N" >+# Q: Would you like to deactivate server-side includes? [Y] >+Apache.ssi="Y" >+# Q: Would you like to deactivate the following of symbolic links? [Y] >+Apache.symlink="N" >+# Q: Would you like to reduce the LILO delay time to zero? [N] > BootSecurity.lilodelay="N" >-# Q: Do you ever boot Linux from the hard drive? [Y] >+# Q: Do you ever boot Linux from the hard drive? [Y] > BootSecurity.lilosub_drive="N" >-# Q: Would you like to write the LILO changes to a boot floppy? [N] >+# Q: Would you like to write the LILO changes to a boot floppy? [N] > BootSecurity.lilosub_floppy="N" >-# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] >-BootSecurity.secureinittab="N" >-# Q: Would you like to password protect single-user mode? [Y] >+# Q: Would you like to password protect single-user mode? [Y] > BootSecurity.passsum="Y" >-# Q: May we disable Autologin? [Y] >-BootSecurity.disable_autologin="N" >-# Q: Would you like to set a default-deny on TCP Wrappers? [N] >-SecureInetd.tcpd_default_deny="N" >-# Q: May we deactivate telnet? [Y] >-SecureInetd.deactivate_telnet="Y" >-# Q: May we deactivate ftp? [Y] >-SecureInetd.deactivate_ftp="N" >-# Q: Would you like to make "Authorized Use" banners? [Y] >-SecureInetd.banners="Y" >-# Q: Would you like to disable the compiler? [N] >-DisableUserTools.compiler="N" >-# Q: Would you like to put limits on system resource usage? [Y] >-ConfigureMiscPAM.limitsconf="N" >-# Q: Should we restrict console access to a small group of user accounts? [N] >+# Q: Would you like to password-protect the LILO prompt? [N] >+BootSecurity.protectlilo="N" >+# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] >+BootSecurity.secureinittab="N" >+# Q: Should we restrict console access to a small group of user accounts? [N] > ConfigureMiscPAM.consolelogin="N" >-# Q: Would you like to add additional logging? [Y] >+# Q: Would you like to put limits on system resource usage? [N] >+ConfigureMiscPAM.limitsconf="N" >+# Q: Would you like to chroot named and set it to run as a non-root user? [N] >+DNS.chrootbind="N" >+# Q: Would you like to deactivate named, at least for now? [Y] >+DNS.namedoff="Y" >+# Q: Would you like to disable the gcc and/or g++ compiler? [N] >+DisableUserTools.compiler="N" >+# Q: Would you like to disable anonymous download? [N] >+FTP.anonftp="N" >+# Q: Would you like to disable user privileges on the FTP daemon? [N] >+FTP.userftp="N" >+# Q: Would you like to disable SUID status for XFree86? [N] >+FilePermissions.suidXFree86="N" >+# Q: Would you like to disable SUID status for at? [Y] >+FilePermissions.suidat="N" >+# Q: Would you like to disable SUID status for cardctl? [Y] >+FilePermissions.suidcard="Y" >+# Q: Would you like to disable SUID status for DOSEMU? [Y] >+FilePermissions.suiddos="Y" >+# Q: Would you like to disable SUID status for dump and restore? [Y] >+FilePermissions.suiddump="Y" >+# Q: Would you like to disable SUID status for mount/umount? >+FilePermissions.suidmount="N" >+# Q: Would you like to disable SUID status for news server tools? [Y] >+FilePermissions.suidnews="Y" >+# Q: Would you like to disable SUID status for ping? [Y] >+FilePermissions.suidping="N" >+# Q: Would you like to disable SUID status for printing utilities? [N] >+FilePermissions.suidprint="N" >+# Q: Would you like to disable the r-tools? [Y] >+FilePermissions.suidrtool="N" >+# Q: Would you like to disable SUID status for traceroute? [Y] >+FilePermissions.suidtrace="N" >+# Q: Would you like to disable SUID status for usernetctl? [Y] >+FilePermissions.suidusernetctl="N" >+# Q: Would you like to run the packet filtering script? [N] >+Firewall.ip_intro="N" >+# Q: Would you like to add additional logging? [Y] > Logging.morelogging="Y" >-# Q: Do you have a remote logging host? [N] >-Logging.remotelog="N" >-# Q: Would you like to set up process accounting? [N] >+# Q: Would you like to set up process accounting? [N] > Logging.pacct="N" >-# Q: Would you like to set up nightly security checks? [N]" >-Logging.security_checks="Y" >-# Q: Would you like to disable apmd? [Y] >+# Q: Would you like to disable acpid and/or apmd? [Y] > MiscellaneousDaemons.apmd="Y" >-# Q: Would you like to deactivate NFS and Samba? [Y] >-MiscellaneousDaemons.remotefs="Y" >-# Q: Would you like to disable PCMCIA services? [Y] >-MiscellaneousDaemons.pcmcia="Y" >-# Q: Would you like to disable the DHCP daemon? [Y] >+# Q: Would you like to disable the DHCP daemon? [Y] > MiscellaneousDaemons.dhcpd="Y" >-# Q: Would you like to disable GPM? [Y] >+# Q: Would you like to disable GPM? [Y] > MiscellaneousDaemons.gpm="N" >-# Q: Would you like to disable the news server daemon? [Y] >+# Q: Would you like to disable the news server daemon? [Y] > MiscellaneousDaemons.innd="Y" >-# Q: Would you like to deactivate the routing daemons? [Y] >-MiscellaneousDaemons.routing="Y" >-# Q: Would you like to deactivate NIS server and client programs? [Y] >-MiscellaneousDaemons.nis="Y" >-# Q: Would you like to disable SNMPD? [Y] >+# Q: Would you like to disable PCMCIA services? [Y] >+MiscellaneousDaemons.pcmcia="Y" >+# Q: Would you like to deactivate NFS and Samba? [Y] >+MiscellaneousDaemons.remotefs="Y" >+# Q: Would you like to disable SNMPD? [Y] > MiscellaneousDaemons.snmpd="Y" >-# Q: Should we disable most chkconfig'd services? >-MiscellaneousDaemons.minimize_chkconfig="N" >-# Q: Do you want to leave sendmail running in daemon mode? [Y] >-Sendmail.sendmaildaemon="N" >-# Q: Would you like to run sendmail via cron to process the queue? [N] >+# Q: Would you like to disable LPR/LPRng printing? [N] >+Printing.printing="N" >+# Q: Would you like to disable CUPS printing? [N] >+Printing.printing_cups="N" >+# Q: Would you like to display "Authorized Use" messages at log-in time? [Y] >+SecureInetd.banners="Y" >+# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y] >+SecureInetd.deactivate_ftp="N" >+# Q: Should Bastille ensure the telnet service does not run on this system? [y] >+SecureInetd.deactivate_telnet="Y" >+# Q: Who is responsible for granting authorization to use this machine? >+SecureInetd.owner="its owner" >+# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N] >+SecureInetd.tcpd_default_deny="N" >+# Q: Would you like to run sendmail via cron to process the queue? [N] > Sendmail.sendmailcron="Y" >-# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] >+# Q: Do you want to stop sendmail from running in daemon mode? [Y] >+Sendmail.sendmaildaemon="N" >+# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] > Sendmail.vrfyexpn="Y" >-# Q: Would you like to download and install ssh? [N] >-RemoteAccess.installssh="N" >-# Q: Would you like to chroot named and set it to run as a non-root user? [N] >-DNS.chrootbind="N" >-# Q: Would you like to deactivate named, at least for now? [Y] >-DNS.namedoff="Y" >-# Q: Would you like to deactivate the Apache web server? [Y] >-Apache.apacheoff="Y" >-# Q: Would you like to bind the web server to listen only to the localhost? [N] >-Apache.bindapachelocal="N" >-# Q: Would you like to bind the web server to a particular interface? [N] >-Apache.bindapachenic="N" >-# Q: Would you like to deactivate the following of symbolic links? [Y] >-Apache.symlink="N" >-# Q: Would you like to deactivate server-side includes? [Y] >-Apache.ssi="Y" >-# Q: Would you like to disable CGI scripts, at least for now? [Y] >-Apache.cgi="N" >-# Q: Would you like to disable indexes? [N] >-Apache.apacheindex="N" >-# Q: Would you like to disable printing? [N] >-Printing.printing="N" >-# Q: Would you like to disable user privileges on the FTP daemon? [N] >-FTP.userftp="N" >-# Q: Would you like to disable anonymous download? [N] >-FTP.anonftp="N" >-# Q: Would you like to install TMPDIR/TMP scripts? [N] >+# Q: Would you like to install TMPDIR/TMP scripts? [N] > TMPDIR.tmpdir="N" >diff -urN Bastille.orig/ServerModerate.config Bastille/ServerModerate.config >--- Bastille.orig/ServerModerate.config 2005-04-06 01:18:11.000000000 +0200 >+++ Bastille/ServerModerate.config 2014-06-07 13:15:52.897123643 +0200 >@@ -1,170 +1,152 @@ >-# Q: Would you like to run the packet filtering script? [N] >-IPChains.ip_intro="Y" >-# Q: >-IPChains.ip_detail_level_kludge="Y" >-# Q: Do you need the advanced networking options? >-IPChains.ip_advnetwork="N" >-# Q: DNS Servers: [0.0.0.0/0] >-IPChains.ip_b_dns="0.0.0.0/0" >-# Q: >-IPChains.ip_b_trustiface="lo" >-# Q: Public interfaces: [eth+ ppp+ slip+] >-IPChains.ip_b_publiciface="eth+ ppp+ slip+" >-# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh] >-IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" >-# Q: UDP services to audit: [31337] >-IPChains.ip_b_udpaudit="31337" >-# Q: TCP service names or port numbers to allow on public interfaces: [ ] >-IPChains.ip_b_publictcp="ssh" >-# Q: Force passive mode? [N] >-IPChains.ip_b_passiveftp="N" >-# Q: TCP services to block: [2049 2065:2090 6000:6020 7100] >-IPChains.ip_b_tcpblock="2049 2065:2090 7100" >-# Q: UDP services to block: [2049 6770] >-IPChains.ip_b_udpblock="2049 6770" >-# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded] >-IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-request" >-# Q: Enable source address verification? [Y] >-IPChains.ip_b_srcaddr="Y" >-# Q: Reject method: [DENY] >-IPChains.ip_b_rejectmethod="REJECT" >-# Q: Interfaces for DHCP queries: [ ] >-IPChains.ip_b_dhcpiface="eth+ ppp+" >-# Q: NTP servers to query: [ ] >-IPChains.ip_b_ntpsrv="eth+ ppp+" >-# Q: Would you like to set more restrictive permissions on the administration utilities? [N] >-FilePermissions.generalperms_1.1="N" >-# Q: What security level should we set? [3] >-FilePermissions.security_level="3" >-# Q: Would you like us to modify your file permissions? >-FilePermissions.generalperms_1.2_mandrake="Y" >-# Q: Would you like to disable SUID status for mount/umount? >-FilePermissions.suidmount="N" >-# Q: Would you like to disable SUID status for ping? [Y] >-FilePermissions.suidping="N" >-# Q: Would you like to disable SUID status for dump and restore? [Y] >-FilePermissions.suiddump="Y" >-# Q: Would you like to disable SUID status for cardctl? [Y] >-FilePermissions.suidcard="Y" >-# Q: Would you like to disable SUID status for at? [Y] >-FilePermissions.suidat="N" >-# Q: Would you like to disable SUID status for DOSEMU? [Y] >-FilePermissions.suiddos="Y" >-# Q: Would you like to disable SUID status for news server tools? [Y] >-FilePermissions.suidnews="Y" >-# Q: Would you like to disable SUID status for printing utilities? [N] >-FilePermissions.suidprint="N" >-# Q: Would you like to disable SUID status for the r-tools? [Y] >-FilePermissions.suidrtool="Y" >-# Q: Would you like to disable SUID status for usernetctl? [Y] >-FilePermissions.suidusernetctl="N" >-# Q: Would you like to disable SUID status for traceroute? [Y] >-FilePermissions.suidtrace="N" >-# Q: Would you like to set up a second UID 0 account? [N] >-AccountSecurity.secondadmin="N" >-# Q: May we take strong steps to disallow the dangerous r-protocols? [Y] >-AccountSecurity.protectrhost="Y" >-# Q: Would you like to enforce password aging? [Y] >-AccountSecurity.passwdage="Y" >-# Q: Would you like to create a non-root user account? [N] >-AccountSecurity.createuser="N" >-# Q: Would you like to restrict the use of cron to administrative accounts? [Y] >+# Q: Would you like to restrict the use of cron to administrative accounts? [Y] > AccountSecurity.cronuser="N" >-# Q: What umask would you like to set for users on the system? [077] >-AccountSecurity.umask="077" >-# Q: Should we allow root to login on tty's 1-6? [Y] >+# Q: Would you like to enforce password aging? [Y] >+AccountSecurity.passwdage="Y" >+# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y] >+AccountSecurity.protectrhost="Y" >+# Q: Should we disallow root login on tty's 1-6? [N] > AccountSecurity.rootttylogins="Y" >-# Q: Should we allow the PATH to include the current directory? [N] >-AccountSecurity.restrict_path_mdk="N" >-# Q: Should we deactivate this list of users? [N] >-AccountSecurity.forbiduserview="N" >-# Q: Would you like to password-protect the LILO prompt? [N] >-BootSecurity.protectlilo="N" >-# Q: Would you like to reduce the LILO delay time to zero? [N] >+# Q: Would you like to disable indexes? [N] >+Apache.apacheindex="N" >+# Q: Would you like to deactivate the Apache2 web server? [Y] >+Apache.apacheoff="Y" >+# Q: Would you like to bind the Web server to listen only to the localhost? [N] >+Apache.bindapachelocal="N" >+# Q: Would you like to bind the web server to a particular interface? [N] >+Apache.bindapachenic="N" >+# Q: Would you like to disable CGI scripts, at least for now? [Y] >+Apache.cgi="Y" >+# Q: Would you like to deactivate server-side includes? [Y] >+Apache.ssi="Y" >+# Q: Would you like to deactivate the following of symbolic links? [Y] >+Apache.symlink="N" >+# Q: Would you like to reduce the LILO delay time to zero? [N] > BootSecurity.lilodelay="N" >-# Q: Do you ever boot Linux from the hard drive? [Y] >+# Q: Do you ever boot Linux from the hard drive? [Y] > BootSecurity.lilosub_drive="N" >-# Q: Would you like to write the LILO changes to a boot floppy? [N] >+# Q: Would you like to write the LILO changes to a boot floppy? [N] > BootSecurity.lilosub_floppy="N" >-# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] >-BootSecurity.secureinittab="N" >-# Q: Would you like to password protect single-user mode? [Y] >+# Q: Would you like to password protect single-user mode? [Y] > BootSecurity.passsum="Y" >- Q: May we disable Autologin? [Y] >-BootSecurity.disable_autologin="Y" >-# Q: Would you like to set a default-deny on TCP Wrappers? [N] >-SecureInetd.tcpd_default_deny="N" >-# Q: May we deactivate telnet? [Y] >-SecureInetd.deactivate_telnet="Y" >-# Q: May we deactivate ftp? [Y] >-SecureInetd.deactivate_ftp="N" >-# Q: Would you like to make "Authorized Use" banners? [Y] >-SecureInetd.banners="Y" >-# Q: Would you like to disable the compiler? [N] >-DisableUserTools.compiler="N" >-# Q: Would you like to put limits on system resource usage? [Y] >-ConfigureMiscPAM.limitsconf="N" >-# Q: Should we restrict console access to a small group of user accounts? [N] >+# Q: Would you like to password-protect the LILO prompt? [N] >+BootSecurity.protectlilo="N" >+# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] >+BootSecurity.secureinittab="N" >+# Q: Should we restrict console access to a small group of user accounts? [N] > ConfigureMiscPAM.consolelogin="N" >-# Q: Would you like to add additional logging? [Y] >+# Q: Would you like to put limits on system resource usage? [N] >+ConfigureMiscPAM.limitsconf="N" >+# Q: Would you like to chroot named and set it to run as a non-root user? [N] >+DNS.chrootbind="N" >+# Q: Would you like to deactivate named, at least for now? [Y] >+DNS.namedoff="Y" >+# Q: Would you like to disable the gcc and/or g++ compiler? [N] >+DisableUserTools.compiler="N" >+# Q: Would you like to disable anonymous download? [N] >+FTP.anonftp="Y" >+# Q: Would you like to disable user privileges on the FTP daemon? [N] >+FTP.userftp="Y" >+# Q: Would you like to disable SUID status for XFree86? [N] >+FilePermissions.suidXFree86="N" >+# Q: Would you like to disable SUID status for at? [Y] >+FilePermissions.suidat="N" >+# Q: Would you like to disable SUID status for cardctl? [Y] >+FilePermissions.suidcard="Y" >+# Q: Would you like to disable SUID status for DOSEMU? [Y] >+FilePermissions.suiddos="Y" >+# Q: Would you like to disable SUID status for dump and restore? [Y] >+FilePermissions.suiddump="Y" >+# Q: Would you like to disable SUID status for mount/umount? >+FilePermissions.suidmount="N" >+# Q: Would you like to disable SUID status for news server tools? [Y] >+FilePermissions.suidnews="Y" >+# Q: Would you like to disable SUID status for ping? [Y] >+FilePermissions.suidping="N" >+# Q: Would you like to disable SUID status for printing utilities? [N] >+FilePermissions.suidprint="N" >+# Q: Would you like to disable the r-tools? [Y] >+FilePermissions.suidrtool="Y" >+# Q: Would you like to disable SUID status for traceroute? [Y] >+FilePermissions.suidtrace="N" >+# Q: Would you like to disable SUID status for usernetctl? [Y] >+FilePermissions.suidusernetctl="N" >+# Q: Do you need the advanced networking options? >+Firewall.ip_advnetwork="N" >+# Q: Interfaces for DHCP queries: [ ] >+Firewall.ip_b_dhcpiface="eth+ ppp+ wlan+ ath+" >+# Q: DNS Servers: [0.0.0.0/0] >+Firewall.ip_b_dns="0.0.0.0/0" >+# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded] >+Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-request" >+# Q: ICMP services to audit: [ ] >+Firewall.ip_b_icmpaudit="" >+# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded] >+Firewall.ip_b_icmpout="destination-unreachable time-exceeded" >+# Q: NTP servers to query: [ ] >+Firewall.ip_b_ntpsrv="" >+# Q: Force passive mode? [N] >+Firewall.ip_b_passiveftp="N" >+# Q: Public interfaces: [eth+ ppp+ slip+] >+Firewall.ip_b_publiciface="eth+ ppp+ slip+ wlan+ ath+" >+# Q: TCP service names or port numbers to allow on public interfaces: [ ] >+Firewall.ip_b_publictcp="ssh" >+# Q: UDP service names or port numbers to allow on public interfaces: [ ] >+Firewall.ip_b_publicudp="" >+# Q: Reject method: [DENY] >+Firewall.ip_b_rejectmethod="REJECT" >+# Q: Enable source address verification? [Y] >+Firewall.ip_b_srcaddr="Y" >+# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh] >+Firewall.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" >+# Q: TCP services to block: [2049 2065:2090 6000:6020 7100] >+Firewall.ip_b_tcpblock="2049 2065:2090 7100" >+# Q: UDP services to audit: [31337] >+Firewall.ip_b_udpaudit="31337" >+# Q: UDP services to block: [2049 6770] >+Firewall.ip_b_udpblock="2049 6770" >+# Q: Should Bastille run the firewall and enable it at boot time? [N] >+Firewall.ip_enable_firewall="Y" >+# Q: Would you like to run the packet filtering script? [N] >+Firewall.ip_intro="Y" >+# Q: Would you like to add additional logging? [Y] > Logging.morelogging="Y" >-# Q: Do you have a remote logging host? [N] >-Logging.remotelog="N" >-# Q: Would you like to set up process accounting? [N] >+# Q: Would you like to set up process accounting? [N] > Logging.pacct="N" >-# Q: Would you like to set up nightly security checks? [N]" >-Logging.security_checks="Y" >-# Q: Would you like to disable apmd? [Y] >+# Q: Would you like to disable acpid and/or apmd? [Y] > MiscellaneousDaemons.apmd="Y" >-# Q: Would you like to deactivate NFS and Samba? [Y] >-MiscellaneousDaemons.remotefs="Y" >-# Q: Would you like to disable PCMCIA services? [Y] >-MiscellaneousDaemons.pcmcia="Y" >-# Q: Would you like to disable the DHCP daemon? [Y] >+# Q: Would you like to disable the DHCP daemon? [Y] > MiscellaneousDaemons.dhcpd="Y" >-# Q: Would you like to disable GPM? [Y] >+# Q: Would you like to disable GPM? [Y] > MiscellaneousDaemons.gpm="Y" >-# Q: Would you like to disable the news server daemon? [Y] >+# Q: Would you like to disable the news server daemon? [Y] > MiscellaneousDaemons.innd="Y" >-# Q: Would you like to deactivate the routing daemons? [Y] >-MiscellaneousDaemons.routing="Y" >-# Q: Would you like to deactivate NIS server and client programs? [Y] >-MiscellaneousDaemons.nis="Y" >-# Q: Would you like to disable SNMPD? [Y] >+# Q: Would you like to disable PCMCIA services? [Y] >+MiscellaneousDaemons.pcmcia="Y" >+# Q: Would you like to deactivate NFS and Samba? [Y] >+MiscellaneousDaemons.remotefs="Y" >+# Q: Would you like to disable SNMPD? [Y] > MiscellaneousDaemons.snmpd="Y" >-# Q: Should we disable most chkconfig'd services? >-MiscellaneousDaemons.minimize_chkconfig="N" >-# Q: Do you want to leave sendmail running in daemon mode? [Y] >-Sendmail.sendmaildaemon="N" >-# Q: Would you like to run sendmail via cron to process the queue? [N] >+# Q: Would you like to setup psad? >+PSAD.psad_config="N" >+# Q: Would you like to disable LPR/LPRng printing? [N] >+Printing.printing="N" >+# Q: Would you like to disable CUPS printing? [N] >+Printing.printing_cups="N" >+# Q: Would you like to display "Authorized Use" messages at log-in time? [Y] >+SecureInetd.banners="Y" >+# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y] >+SecureInetd.deactivate_ftp="N" >+# Q: Should Bastille ensure the telnet service does not run on this system? [y] >+SecureInetd.deactivate_telnet="Y" >+# Q: Who is responsible for granting authorization to use this machine? >+SecureInetd.owner="its owner" >+# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N] >+SecureInetd.tcpd_default_deny="N" >+# Q: Would you like to run sendmail via cron to process the queue? [N] > Sendmail.sendmailcron="Y" >-# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] >+# Q: Do you want to stop sendmail from running in daemon mode? [Y] >+Sendmail.sendmaildaemon="N" >+# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] > Sendmail.vrfyexpn="Y" >-# Q: Would you like to download and install ssh? [N] >-RemoteAccess.installssh="N" >-# Q: Would you like to chroot named and set it to run as a non-root user? [N] >-DNS.chrootbind="N" >-# Q: Would you like to deactivate named, at least for now? [Y] >-DNS.namedoff="Y" >-# Q: Would you like to deactivate the Apache web server? [Y] >-Apache.apacheoff="Y" >-# Q: Would you like to bind the web server to listen only to the localhost? [N] >-Apache.bindapachelocal="N" >-# Q: Would you like to bind the web server to a particular interface? [N] >-Apache.bindapachenic="N" >-# Q: Would you like to deactivate the following of symbolic links? [Y] >-Apache.symlink="N" >-# Q: Would you like to deactivate server-side includes? [Y] >-Apache.ssi="Y" >-# Q: Would you like to disable CGI scripts, at least for now? [Y] >-Apache.cgi="Y" >-# Q: Would you like to disable indexes? [N] >-Apache.apacheindex="N" >-# Q: Would you like to disable printing? [N] >-Printing.printing="N" >-# Q: Would you like to disable user privileges on the FTP daemon? [N] >-FTP.userftp="Y" >-# Q: Would you like to disable anonymous download? [N] >-FTP.anonftp="Y" >-# Q: Would you like to install TMPDIR/TMP scripts? [N] >+# Q: Would you like to install TMPDIR/TMP scripts? [N] > TMPDIR.tmpdir="N" >diff -urN Bastille.orig/ServerParanoia.config Bastille/ServerParanoia.config >--- Bastille.orig/ServerParanoia.config 2005-04-06 01:18:11.000000000 +0200 >+++ Bastille/ServerParanoia.config 2014-06-07 13:15:52.898123667 +0200 >@@ -1,170 +1,152 @@ >-# Q: Would you like to run the packet filtering script? [N] >-IPChains.ip_intro="Y" >-# Q: >-IPChains.ip_detail_level_kludge="Y" >-# Q: Do you need the advanced networking options? >-IPChains.ip_advnetwork="N" >-# Q: DNS Servers: [0.0.0.0/0] >-IPChains.ip_b_dns="0.0.0.0/0" >-# Q: >-IPChains.ip_b_trustiface="lo" >-# Q: Public interfaces: [eth+ ppp+ slip+] >-IPChains.ip_b_publiciface="eth+ ppp+ slip+" >-# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh] >-IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" >-# Q: UDP services to audit: [31337] >-IPChains.ip_b_udpaudit="31337" >-# Q: TCP service names or port numbers to allow on public interfaces: [ ] >-IPChains.ip_b_publictcp="ssh" >-# Q: Force passive mode? [N] >-IPChains.ip_b_passiveftp="N" >-# Q: TCP services to block: [2049 2065:2090 6000:6020 7100] >-IPChains.ip_b_tcpblock="2049 2065:2090 6000:6020 7100" >-# Q: UDP services to block: [2049 6770] >-IPChains.ip_b_udpblock="2049 6770" >-# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded] >-IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded" >-# Q: Enable source address verification? [Y] >-IPChains.ip_b_srcaddr="Y" >-# Q: Reject method: [DENY] >-IPChains.ip_b_rejectmethod="DENY" >-# Q: Interfaces for DHCP queries: [ ] >-IPChains.ip_b_dhcpiface="eth+" >-# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded] >-IPChains.ip_b_icmpout="destination-unreachable time-exceeded echo-reply" >-# Q: Would you like to set more restrictive permissions on the administration utilities? [N] >-FilePermissions.generalperms_1.1="N" >-# Q: What security level should we set? [3] >-FilePermissions.security_level="4" >-# Q: Would you like us to modify your file permissions? >-FilePermissions.generalperms_1.2_mandrake="Y" >-# Q: Would you like to disable SUID status for mount/umount? >-FilePermissions.suidmount="Y" >-# Q: Would you like to disable SUID status for ping? [Y] >-FilePermissions.suidping="Y" >-# Q: Would you like to disable SUID status for dump and restore? [Y] >-FilePermissions.suiddump="Y" >-# Q: Would you like to disable SUID status for cardctl? [Y] >-FilePermissions.suidcard="Y" >-# Q: Would you like to disable SUID status for at? [Y] >-FilePermissions.suidat="Y" >-# Q: Would you like to disable SUID status for DOSEMU? [Y] >-FilePermissions.suiddos="Y" >-# Q: Would you like to disable SUID status for news server tools? [Y] >-FilePermissions.suidnews="Y" >-# Q: Would you like to disable SUID status for printing utilities? [N] >-FilePermissions.suidprint="N" >-# Q: Would you like to disable SUID status for the r-tools? [Y] >-FilePermissions.suidrtool="Y" >-# Q: Would you like to disable SUID status for usernetctl? [Y] >-FilePermissions.suidusernetctl="Y" >-# Q: Would you like to disable SUID status for traceroute? [Y] >-FilePermissions.suidtrace="Y" >-# Q: Would you like to set up a second UID 0 account? [N] >-AccountSecurity.secondadmin="N" >-# Q: May we take strong steps to disallow the dangerous r-protocols? [Y] >-AccountSecurity.protectrhost="Y" >-# Q: Would you like to enforce password aging? [Y] >-AccountSecurity.passwdage="Y" >-# Q: Would you like to create a non-root user account? [N] >-AccountSecurity.createuser="N" >-# Q: Would you like to restrict the use of cron to administrative accounts? [Y] >+# Q: Would you like to restrict the use of cron to administrative accounts? [Y] > AccountSecurity.cronuser="Y" >-# Q: What umask would you like to set for users on the system? [077] >-AccountSecurity.umask="077" >-# Q: Should we allow root to login on tty's 1-6? [Y] >+# Q: Would you like to enforce password aging? [Y] >+AccountSecurity.passwdage="Y" >+# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y] >+AccountSecurity.protectrhost="Y" >+# Q: Should we disallow root login on tty's 1-6? [N] > AccountSecurity.rootttylogins="N" >-# Q: Should we allow the PATH to include the current directory? [N] >-AccountSecurity.restrict_path_mdk="N" >-# Q: Should we deactivate this list of users? [N] >-AccountSecurity.forbiduserview="Y" >-# Q: Would you like to password-protect the LILO prompt? [N] >-BootSecurity.protectlilo="N" >-# Q: Would you like to reduce the LILO delay time to zero? [N] >+# Q: Would you like to disable indexes? [N] >+Apache.apacheindex="N" >+# Q: Would you like to deactivate the Apache2 web server? [Y] >+Apache.apacheoff="Y" >+# Q: Would you like to bind the Web server to listen only to the localhost? [N] >+Apache.bindapachelocal="N" >+# Q: Would you like to bind the web server to a particular interface? [N] >+Apache.bindapachenic="N" >+# Q: Would you like to disable CGI scripts, at least for now? [Y] >+Apache.cgi="Y" >+# Q: Would you like to deactivate server-side includes? [Y] >+Apache.ssi="Y" >+# Q: Would you like to deactivate the following of symbolic links? [Y] >+Apache.symlink="Y" >+# Q: Would you like to reduce the LILO delay time to zero? [N] > BootSecurity.lilodelay="N" >-# Q: Do you ever boot Linux from the hard drive? [Y] >+# Q: Do you ever boot Linux from the hard drive? [Y] > BootSecurity.lilosub_drive="N" >-# Q: Would you like to write the LILO changes to a boot floppy? [N] >+# Q: Would you like to write the LILO changes to a boot floppy? [N] > BootSecurity.lilosub_floppy="N" >-# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] >-BootSecurity.secureinittab="N" >-# Q: Would you like to password protect single-user mode? [Y] >+# Q: Would you like to password protect single-user mode? [Y] > BootSecurity.passsum="Y" >- Q: May we disable Autologin? [Y] >-BootSecurity.disable_autologin="Y" >-# Q: Would you like to set a default-deny on TCP Wrappers? [N] >-SecureInetd.tcpd_default_deny="N" >-# Q: May we deactivate telnet? [Y] >-SecureInetd.deactivate_telnet="Y" >-# Q: May we deactivate ftp? [Y] >-SecureInetd.deactivate_ftp="N" >-# Q: Would you like to make "Authorized Use" banners? [Y] >-SecureInetd.banners="Y" >-# Q: Would you like to disable the compiler? [N] >-DisableUserTools.compiler="N" >-# Q: Would you like to put limits on system resource usage? [Y] >-ConfigureMiscPAM.limitsconf="N" >-# Q: Should we restrict console access to a small group of user accounts? [N] >+# Q: Would you like to password-protect the LILO prompt? [N] >+BootSecurity.protectlilo="N" >+# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] >+BootSecurity.secureinittab="N" >+# Q: Should we restrict console access to a small group of user accounts? [N] > ConfigureMiscPAM.consolelogin="N" >-# Q: Would you like to add additional logging? [Y] >+# Q: Would you like to put limits on system resource usage? [N] >+ConfigureMiscPAM.limitsconf="N" >+# Q: Would you like to chroot named and set it to run as a non-root user? [N] >+DNS.chrootbind="N" >+# Q: Would you like to deactivate named, at least for now? [Y] >+DNS.namedoff="Y" >+# Q: Would you like to disable the gcc and/or g++ compiler? [N] >+DisableUserTools.compiler="N" >+# Q: Would you like to disable anonymous download? [N] >+FTP.anonftp="Y" >+# Q: Would you like to disable user privileges on the FTP daemon? [N] >+FTP.userftp="Y" >+# Q: Would you like to disable SUID status for XFree86? [N] >+FilePermissions.suidXFree86="N" >+# Q: Would you like to disable SUID status for at? [Y] >+FilePermissions.suidat="Y" >+# Q: Would you like to disable SUID status for cardctl? [Y] >+FilePermissions.suidcard="Y" >+# Q: Would you like to disable SUID status for DOSEMU? [Y] >+FilePermissions.suiddos="Y" >+# Q: Would you like to disable SUID status for dump and restore? [Y] >+FilePermissions.suiddump="Y" >+# Q: Would you like to disable SUID status for mount/umount? >+FilePermissions.suidmount="Y" >+# Q: Would you like to disable SUID status for news server tools? [Y] >+FilePermissions.suidnews="Y" >+# Q: Would you like to disable SUID status for ping? [Y] >+FilePermissions.suidping="Y" >+# Q: Would you like to disable SUID status for printing utilities? [N] >+FilePermissions.suidprint="N" >+# Q: Would you like to disable the r-tools? [Y] >+FilePermissions.suidrtool="Y" >+# Q: Would you like to disable SUID status for traceroute? [Y] >+FilePermissions.suidtrace="Y" >+# Q: Would you like to disable SUID status for usernetctl? [Y] >+FilePermissions.suidusernetctl="Y" >+# Q: Do you need the advanced networking options? >+Firewall.ip_advnetwork="N" >+# Q: Interfaces for DHCP queries: [ ] >+Firewall.ip_b_dhcpiface="eth+ wlan+ ath+" >+# Q: DNS Servers: [0.0.0.0/0] >+Firewall.ip_b_dns="0.0.0.0/0" >+# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded] >+Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded" >+# Q: ICMP services to audit: [ ] >+Firewall.ip_b_icmpaudit="" >+# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded] >+Firewall.ip_b_icmpout="destination-unreachable time-exceeded echo-reply" >+# Q: NTP servers to query: [ ] >+Firewall.ip_b_ntpsrv="" >+# Q: Force passive mode? [N] >+Firewall.ip_b_passiveftp="N" >+# Q: Public interfaces: [eth+ ppp+ slip+] >+Firewall.ip_b_publiciface="eth+ ppp+ slip+ wlan+ ath+" >+# Q: TCP service names or port numbers to allow on public interfaces: [ ] >+Firewall.ip_b_publictcp="ssh" >+# Q: UDP service names or port numbers to allow on public interfaces: [ ] >+Firewall.ip_b_publicudp="" >+# Q: Reject method: [DENY] >+Firewall.ip_b_rejectmethod="DENY" >+# Q: Enable source address verification? [Y] >+Firewall.ip_b_srcaddr="Y" >+# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh] >+Firewall.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" >+# Q: TCP services to block: [2049 2065:2090 6000:6020 7100] >+Firewall.ip_b_tcpblock="2049 2065:2090 6000:6020 7100" >+# Q: UDP services to audit: [31337] >+Firewall.ip_b_udpaudit="31337" >+# Q: UDP services to block: [2049 6770] >+Firewall.ip_b_udpblock="2049 6770" >+# Q: Should Bastille run the firewall and enable it at boot time? [N] >+Firewall.ip_enable_firewall="Y" >+# Q: Would you like to run the packet filtering script? [N] >+Firewall.ip_intro="Y" >+# Q: Would you like to add additional logging? [Y] > Logging.morelogging="Y" >-# Q: Do you have a remote logging host? [N] >-Logging.remotelog="N" >-# Q: Would you like to set up process accounting? [N] >+# Q: Would you like to set up process accounting? [N] > Logging.pacct="N" >-# Q: Would you like to set up nightly security checks? [N]" >-Logging.security_checks="Y" >-# Q: Would you like to disable apmd? [Y] >+# Q: Would you like to disable acpid and/or apmd? [Y] > MiscellaneousDaemons.apmd="Y" >-# Q: Would you like to deactivate NFS and Samba? [Y] >-MiscellaneousDaemons.remotefs="Y" >-# Q: Would you like to disable PCMCIA services? [Y] >-MiscellaneousDaemons.pcmcia="Y" >-# Q: Would you like to disable the DHCP daemon? [Y] >+# Q: Would you like to disable the DHCP daemon? [Y] > MiscellaneousDaemons.dhcpd="Y" >-# Q: Would you like to disable GPM? [Y] >+# Q: Would you like to disable GPM? [Y] > MiscellaneousDaemons.gpm="Y" >-# Q: Would you like to disable the news server daemon? [Y] >+# Q: Would you like to disable the news server daemon? [Y] > MiscellaneousDaemons.innd="Y" >-# Q: Would you like to deactivate the routing daemons? [Y] >-MiscellaneousDaemons.routing="Y" >-# Q: Would you like to deactivate NIS server and client programs? [Y] >-MiscellaneousDaemons.nis="Y" >-# Q: Would you like to disable SNMPD? [Y] >+# Q: Would you like to disable PCMCIA services? [Y] >+MiscellaneousDaemons.pcmcia="Y" >+# Q: Would you like to deactivate NFS and Samba? [Y] >+MiscellaneousDaemons.remotefs="Y" >+# Q: Would you like to disable SNMPD? [Y] > MiscellaneousDaemons.snmpd="Y" >-# Q: Should we disable most chkconfig'd services? >-MiscellaneousDaemons.minimize_chkconfig="N" >-# Q: Do you want to leave sendmail running in daemon mode? [Y] >-Sendmail.sendmaildaemon="N" >-# Q: Would you like to run sendmail via cron to process the queue? [N] >+# Q: Would you like to setup psad? >+PSAD.psad_config="N" >+# Q: Would you like to disable LPR/LPRng printing? [N] >+Printing.printing="Y" >+# Q: Would you like to disable CUPS printing? [N] >+Printing.printing_cups="N" >+# Q: Would you like to display "Authorized Use" messages at log-in time? [Y] >+SecureInetd.banners="Y" >+# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y] >+SecureInetd.deactivate_ftp="N" >+# Q: Should Bastille ensure the telnet service does not run on this system? [y] >+SecureInetd.deactivate_telnet="Y" >+# Q: Who is responsible for granting authorization to use this machine? >+SecureInetd.owner="its owner" >+# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N] >+SecureInetd.tcpd_default_deny="N" >+# Q: Would you like to run sendmail via cron to process the queue? [N] > Sendmail.sendmailcron="Y" >-# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] >+# Q: Do you want to stop sendmail from running in daemon mode? [Y] >+Sendmail.sendmaildaemon="N" >+# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] > Sendmail.vrfyexpn="Y" >-# Q: Would you like to download and install ssh? [N] >-RemoteAccess.installssh="N" >-# Q: Would you like to chroot named and set it to run as a non-root user? [N] >-DNS.chrootbind="N" >-# Q: Would you like to deactivate named, at least for now? [Y] >-DNS.namedoff="Y" >-# Q: Would you like to deactivate the Apache web server? [Y] >-Apache.apacheoff="Y" >-# Q: Would you like to bind the web server to listen only to the localhost? [N] >-Apache.bindapachelocal="N" >-# Q: Would you like to bind the web server to a particular interface? [N] >-Apache.bindapachenic="N" >-# Q: Would you like to deactivate the following of symbolic links? [Y] >-Apache.symlink="Y" >-# Q: Would you like to deactivate server-side includes? [Y] >-Apache.ssi="Y" >-# Q: Would you like to disable CGI scripts, at least for now? [Y] >-Apache.cgi="Y" >-# Q: Would you like to disable indexes? [N] >-Apache.apacheindex="N" >-# Q: Would you like to disable printing? [N] >-Printing.printing="Y" >-# Q: Would you like to disable user privileges on the FTP daemon? [N] >-FTP.userftp="Y" >-# Q: Would you like to disable anonymous download? [N] >-FTP.anonftp="Y" >-# Q: Would you like to install TMPDIR/TMP scripts? [N] >+# Q: Would you like to install TMPDIR/TMP scripts? [N] > TMPDIR.tmpdir="Y" >diff -urN Bastille.orig/WorkstationLax.config Bastille/WorkstationLax.config >--- Bastille.orig/WorkstationLax.config 2005-04-06 01:18:11.000000000 +0200 >+++ Bastille/WorkstationLax.config 2014-06-07 13:15:52.898123667 +0200 >@@ -1,138 +1,112 @@ >-# Q: Would you like to run the packet filtering script? [N] >-IPChains.ip_intro="N" >-# Q: Would you like to set more restrictive permissions on the administration utilities? [N] >-FilePermissions.generalperms_1.1="N" >-# Q: What security level should we set? [3] >-FilePermissions.security_level="2" >-# Q: Would you like us to modify your file permissions? >-FilePermissions.generalperms_1.2_mandrake="Y" >-# Q: Would you like to disable SUID status for mount/umount? >-FilePermissions.suidmount="N" >-# Q: Would you like to disable SUID status for ping? [Y] >-FilePermissions.suidping="N" >-# Q: Would you like to disable SUID status for dump and restore? [Y] >-FilePermissions.suiddump="N" >-# Q: Would you like to disable SUID status for cardctl? [Y] >-FilePermissions.suidcard="N" >-# Q: Would you like to disable SUID status for at? [Y] >-FilePermissions.suidat="N" >-# Q: Would you like to disable SUID status for DOSEMU? [Y] >-FilePermissions.suiddos="Y" >-# Q: Would you like to disable SUID status for news server tools? [Y] >-FilePermissions.suidnews="Y" >-# Q: Would you like to disable SUID status for printing utilities? [N] >-FilePermissions.suidprint="N" >-# Q: Would you like to disable SUID status for the r-tools? [Y] >-FilePermissions.suidrtool="N" >-# Q: Would you like to disable SUID status for usernetctl? [Y] >-FilePermissions.suidusernetctl="N" >-# Q: Would you like to disable SUID status for traceroute? [Y] >-FilePermissions.suidtrace="N" >-# Q: Would you like to set up a second UID 0 account? [N] >-AccountSecurity.secondadmin="N" >-# Q: May we take strong steps to disallow the dangerous r-protocols? [Y] >-AccountSecurity.protectrhost="N" >-# Q: Would you like to enforce password aging? [Y] >-AccountSecurity.passwdage="Y" >-# Q: Would you like to create a non-root user account? [N] >-AccountSecurity.createuser="N" >-# Q: Would you like to restrict the use of cron to administrative accounts? [Y] >+# Q: Would you like to restrict the use of cron to administrative accounts? [Y] > AccountSecurity.cronuser="N" >-# Q: What umask would you like to set for users on the system? [077] >-AccountSecurity.umask="022" >-# Q: Should we allow root to login on tty's 1-6? [Y] >+# Q: Would you like to enforce password aging? [Y] >+AccountSecurity.passwdage="Y" >+# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y] >+AccountSecurity.protectrhost="N" >+# Q: Should we disallow root login on tty's 1-6? [N] > AccountSecurity.rootttylogins="Y" >-# Q: Should we allow the PATH to include the current directory? [N] >-AccountSecurity.restrict_path_mdk="Y" >-# Q: Should we deactivate this list of users? [N] >-AccountSecurity.forbiduserview="N" >-# Q: Would you like to password-protect the LILO prompt? [N] >-BootSecurity.protectlilo="N" >-# Q: Would you like to reduce the LILO delay time to zero? [N] >+# Q: Would you like to disable indexes? [N] >+Apache.apacheindex="N" >+# Q: Would you like to deactivate the Apache2 web server? [Y] >+Apache.apacheoff="Y" >+# Q: Would you like to bind the Web server to listen only to the localhost? [N] >+Apache.bindapachelocal="N" >+# Q: Would you like to bind the web server to a particular interface? [N] >+Apache.bindapachenic="N" >+# Q: Would you like to disable CGI scripts, at least for now? [Y] >+Apache.cgi="N" >+# Q: Would you like to deactivate server-side includes? [Y] >+Apache.ssi="Y" >+# Q: Would you like to deactivate the following of symbolic links? [Y] >+Apache.symlink="N" >+# Q: Would you like to reduce the LILO delay time to zero? [N] > BootSecurity.lilodelay="N" >-# Q: Do you ever boot Linux from the hard drive? [Y] >+# Q: Do you ever boot Linux from the hard drive? [Y] > BootSecurity.lilosub_drive="N" >-# Q: Would you like to write the LILO changes to a boot floppy? [N] >+# Q: Would you like to write the LILO changes to a boot floppy? [N] > BootSecurity.lilosub_floppy="N" >-# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] >-BootSecurity.secureinittab="N" >-# Q: Would you like to password protect single-user mode? [Y] >+# Q: Would you like to password protect single-user mode? [Y] > BootSecurity.passsum="Y" >-# Q: May we disable Autologin? [Y] >-BootSecurity.disable_autologin="N" >-# Q: Would you like to set a default-deny on TCP Wrappers? [N] >-SecureInetd.tcpd_default_deny="N" >-# Q: May we deactivate telnet? [Y] >-SecureInetd.deactivate_telnet="Y" >-# Q: May we deactivate ftp? [Y] >-SecureInetd.deactivate_ftp="Y" >-# Q: Would you like to make "Authorized Use" banners? [Y] >-SecureInetd.banners="Y" >-# Q: Would you like to disable the compiler? [N] >-DisableUserTools.compiler="N" >-# Q: Would you like to put limits on system resource usage? [Y] >-ConfigureMiscPAM.limitsconf="N" >-# Q: Should we restrict console access to a small group of user accounts? [N] >+# Q: Would you like to password-protect the LILO prompt? [N] >+BootSecurity.protectlilo="N" >+# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] >+BootSecurity.secureinittab="N" >+# Q: Should we restrict console access to a small group of user accounts? [N] > ConfigureMiscPAM.consolelogin="N" >-# Q: Would you like to add additional logging? [Y] >+# Q: Would you like to put limits on system resource usage? [N] >+ConfigureMiscPAM.limitsconf="N" >+# Q: Would you like to chroot named and set it to run as a non-root user? [N] >+DNS.chrootbind="N" >+# Q: Would you like to deactivate named, at least for now? [Y] >+DNS.namedoff="Y" >+# Q: Would you like to disable the gcc and/or g++ compiler? [N] >+DisableUserTools.compiler="N" >+# Q: Would you like to disable anonymous download? [N] >+FTP.anonftp="N" >+# Q: Would you like to disable user privileges on the FTP daemon? [N] >+FTP.userftp="N" >+# Q: Would you like to disable SUID status for XFree86? [N] >+FilePermissions.suidXFree86="N" >+# Q: Would you like to disable SUID status for at? [Y] >+FilePermissions.suidat="N" >+# Q: Would you like to disable SUID status for cardctl? [Y] >+FilePermissions.suidcard="N" >+# Q: Would you like to disable SUID status for DOSEMU? [Y] >+FilePermissions.suiddos="Y" >+# Q: Would you like to disable SUID status for dump and restore? [Y] >+FilePermissions.suiddump="N" >+# Q: Would you like to disable SUID status for mount/umount? >+FilePermissions.suidmount="N" >+# Q: Would you like to disable SUID status for news server tools? [Y] >+FilePermissions.suidnews="Y" >+# Q: Would you like to disable SUID status for ping? [Y] >+FilePermissions.suidping="N" >+# Q: Would you like to disable SUID status for printing utilities? [N] >+FilePermissions.suidprint="N" >+# Q: Would you like to disable the r-tools? [Y] >+FilePermissions.suidrtool="N" >+# Q: Would you like to disable SUID status for traceroute? [Y] >+FilePermissions.suidtrace="N" >+# Q: Would you like to disable SUID status for usernetctl? [Y] >+FilePermissions.suidusernetctl="N" >+# Q: Would you like to run the packet filtering script? [N] >+Firewall.ip_intro="N" >+# Q: Would you like to add additional logging? [Y] > Logging.morelogging="Y" >-# Q: Do you have a remote logging host? [N] >-Logging.remotelog="N" >-# Q: Would you like to set up process accounting? [N] >+# Q: Would you like to set up process accounting? [N] > Logging.pacct="N" >-# Q: Would you like to set up nightly security checks? [N]" >-Logging.security_checks="Y" >-# Q: Would you like to disable apmd? [Y] >+# Q: Would you like to disable acpid and/or apmd? [Y] > MiscellaneousDaemons.apmd="N" >-# Q: Would you like to deactivate NFS and Samba? [Y] >-MiscellaneousDaemons.remotefs="N" >-# Q: Would you like to disable PCMCIA services? [Y] >-MiscellaneousDaemons.pcmcia="N" >-# Q: Would you like to disable the DHCP daemon? [Y] >+# Q: Would you like to disable the DHCP daemon? [Y] > MiscellaneousDaemons.dhcpd="Y" >-# Q: Would you like to disable GPM? [Y] >+# Q: Would you like to disable GPM? [Y] > MiscellaneousDaemons.gpm="N" >-# Q: Would you like to disable the news server daemon? [Y] >+# Q: Would you like to disable the news server daemon? [Y] > MiscellaneousDaemons.innd="Y" >-# Q: Would you like to deactivate the routing daemons? [Y] >-MiscellaneousDaemons.routing="Y" >-# Q: Would you like to deactivate NIS server and client programs? [Y] >-MiscellaneousDaemons.nis="Y" >-# Q: Would you like to disable SNMPD? [Y] >+# Q: Would you like to disable PCMCIA services? [Y] >+MiscellaneousDaemons.pcmcia="N" >+# Q: Would you like to deactivate NFS and Samba? [Y] >+MiscellaneousDaemons.remotefs="N" >+# Q: Would you like to disable SNMPD? [Y] > MiscellaneousDaemons.snmpd="Y" >-# Q: Should we disable most chkconfig'd services? >-MiscellaneousDaemons.minimize_chkconfig="N" >-# Q: Do you want to leave sendmail running in daemon mode? [Y] >-Sendmail.sendmaildaemon="Y" >-# Q: Would you like to run sendmail via cron to process the queue? [N] >+# Q: Would you like to disable LPR/LPRng printing? [N] >+Printing.printing="N" >+# Q: Would you like to disable CUPS printing? [N] >+Printing.printing_cups="N" >+# Q: Would you like to display "Authorized Use" messages at log-in time? [Y] >+SecureInetd.banners="N" >+# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y] >+SecureInetd.deactivate_ftp="N" >+# Q: Should Bastille ensure the telnet service does not run on this system? [y] >+SecureInetd.deactivate_telnet="Y" >+# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N] >+SecureInetd.tcpd_default_deny="N" >+# Q: Would you like to run sendmail via cron to process the queue? [N] > Sendmail.sendmailcron="N" >-# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] >+# Q: Do you want to stop sendmail from running in daemon mode? [Y] >+Sendmail.sendmaildaemon="Y" >+# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] > Sendmail.vrfyexpn="Y" >-# Q: Would you like to download and install ssh? [N] >-RemoteAccess.installssh="N" >-# Q: Would you like to chroot named and set it to run as a non-root user? [N] >-DNS.chrootbind="N" >-# Q: Would you like to deactivate named, at least for now? [Y] >-DNS.namedoff="Y" >-# Q: Would you like to deactivate the Apache web server? [Y] >-Apache.apacheoff="Y" >-# Q: Would you like to bind the web server to listen only to the localhost? [N] >-Apache.bindapachelocal="N" >-# Q: Would you like to bind the web server to a particular interface? [N] >-Apache.bindapachenic="N" >-# Q: Would you like to deactivate the following of symbolic links? [Y] >-Apache.symlink="N" >-# Q: Would you like to deactivate server-side includes? [Y] >-Apache.ssi="Y" >-# Q: Would you like to disable CGI scripts, at least for now? [Y] >-Apache.cgi="N" >-# Q: Would you like to disable indexes? [N] >-Apache.apacheindex="N" >-# Q: Would you like to disable printing? [N] >-Printing.printing="N" >-# Q: Would you like to disable user privileges on the FTP daemon? [N] >-FTP.userftp="N" >-# Q: Would you like to disable anonymous download? [N] >-FTP.anonftp="N" >-# Q: Would you like to install TMPDIR/TMP scripts? [N] >+# Q: Would you like to install TMPDIR/TMP scripts? [N] > TMPDIR.tmpdir="N" >diff -urN Bastille.orig/WorkstationModerate.config Bastille/WorkstationModerate.config >--- Bastille.orig/WorkstationModerate.config 2005-04-06 01:18:11.000000000 +0200 >+++ Bastille/WorkstationModerate.config 2014-06-07 13:15:52.899123692 +0200 >@@ -1,170 +1,152 @@ >-# Q: Would you like to run the packet filtering script? [N] >-IPChains.ip_intro="Y" >-# Q: >-IPChains.ip_detail_level_kludge="Y" >-# Q: Do you need the advanced networking options? >-IPChains.ip_advnetwork="N" >-# Q: DNS Servers: [0.0.0.0/0] >-IPChains.ip_b_dns="0.0.0.0/0" >-# Q: >-IPChains.ip_b_trustiface="lo" >-# Q: Public interfaces: [eth+ ppp+ slip+] >-IPChains.ip_b_publiciface="eth+ ppp+ slip+" >-# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh] >-IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" >-# Q: UDP services to audit: [31337] >-IPChains.ip_b_udpaudit="31337" >-# Q: TCP service names or port numbers to allow on public interfaces: [ ] >-IPChains.ip_b_publictcp="ssh 80 443 25 21 53" >-# Q: UDP service names or port numbers to allow on public interfaces: [ ] >-IPChains.ip_b_publicudp="53 67 68" >-# Q: Force passive mode? [N] >-IPChains.ip_b_passiveftp="N" >-# Q: TCP services to block: [2049 2065:2090 6000:6020 7100] >-IPChains.ip_b_tcpblock="2049 2065:2090 7100" >-# Q: UDP services to block: [2049 6770] >-IPChains.ip_b_udpblock="2049 6770" >-# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded] >-IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-requested" >-# Q: Enable source address verification? [Y] >-IPChains.ip_b_srcaddr="Y" >-# Q: Reject method: [DENY] >-IPChains.ip_b_rejectmethod="REJECT" >-# Q: Interfaces for DHCP queries: [ ] >-IPChains.ip_b_dhcpiface="eth+" >-# Q: Would you like to set more restrictive permissions on the administration utilities? [N] >-FilePermissions.generalperms_1.1="N" >-# Q: What security level should we set? [3] >-FilePermissions.security_level="3" >-# Q: Would you like us to modify your file permissions? >-FilePermissions.generalperms_1.2_mandrake="Y" >-# Q: Would you like to disable SUID status for mount/umount? >-FilePermissions.suidmount="N" >-# Q: Would you like to disable SUID status for ping? [Y] >-FilePermissions.suidping="N" >-# Q: Would you like to disable SUID status for dump and restore? [Y] >-FilePermissions.suiddump="Y" >-# Q: Would you like to disable SUID status for cardctl? [Y] >-FilePermissions.suidcard="Y" >-# Q: Would you like to disable SUID status for at? [Y] >-FilePermissions.suidat="N" >-# Q: Would you like to disable SUID status for DOSEMU? [Y] >-FilePermissions.suiddos="Y" >-# Q: Would you like to disable SUID status for news server tools? [Y] >-FilePermissions.suidnews="Y" >-# Q: Would you like to disable SUID status for printing utilities? [N] >-FilePermissions.suidprint="N" >-# Q: Would you like to disable SUID status for the r-tools? [Y] >-FilePermissions.suidrtool="Y" >-# Q: Would you like to disable SUID status for usernetctl? [Y] >-FilePermissions.suidusernetctl="N" >-# Q: Would you like to disable SUID status for traceroute? [Y] >-FilePermissions.suidtrace="N" >-# Q: Would you like to set up a second UID 0 account? [N] >-AccountSecurity.secondadmin="N" >-# Q: May we take strong steps to disallow the dangerous r-protocols? [Y] >-AccountSecurity.protectrhost="Y" >-# Q: Would you like to enforce password aging? [Y] >-AccountSecurity.passwdage="Y" >-# Q: Would you like to create a non-root user account? [N] >-AccountSecurity.createuser="N" >-# Q: Would you like to restrict the use of cron to administrative accounts? [Y] >+# Q: Would you like to restrict the use of cron to administrative accounts? [Y] > AccountSecurity.cronuser="N" >-# Q: What umask would you like to set for users on the system? [077] >-AccountSecurity.umask="077" >-# Q: Should we allow root to login on tty's 1-6? [Y] >+# Q: Would you like to enforce password aging? [Y] >+AccountSecurity.passwdage="Y" >+# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y] >+AccountSecurity.protectrhost="Y" >+# Q: Should we disallow root login on tty's 1-6? [N] > AccountSecurity.rootttylogins="Y" >-# Q: Should we allow the PATH to include the current directory? [N] >-AccountSecurity.restrict_path_mdk="N" >-# Q: Should we deactivate this list of users? [N] >-AccountSecurity.forbiduserview="N" >-# Q: Would you like to password-protect the LILO prompt? [N] >-BootSecurity.protectlilo="N" >-# Q: Would you like to reduce the LILO delay time to zero? [N] >+# Q: Would you like to disable indexes? [N] >+Apache.apacheindex="N" >+# Q: Would you like to deactivate the Apache2 web server? [Y] >+Apache.apacheoff="Y" >+# Q: Would you like to bind the Web server to listen only to the localhost? [N] >+Apache.bindapachelocal="N" >+# Q: Would you like to bind the web server to a particular interface? [N] >+Apache.bindapachenic="N" >+# Q: Would you like to disable CGI scripts, at least for now? [Y] >+Apache.cgi="N" >+# Q: Would you like to deactivate server-side includes? [Y] >+Apache.ssi="Y" >+# Q: Would you like to deactivate the following of symbolic links? [Y] >+Apache.symlink="N" >+# Q: Would you like to reduce the LILO delay time to zero? [N] > BootSecurity.lilodelay="N" >-# Q: Do you ever boot Linux from the hard drive? [Y] >+# Q: Do you ever boot Linux from the hard drive? [Y] > BootSecurity.lilosub_drive="N" >-# Q: Would you like to write the LILO changes to a boot floppy? [N] >+# Q: Would you like to write the LILO changes to a boot floppy? [N] > BootSecurity.lilosub_floppy="N" >-# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] >-BootSecurity.secureinittab="N" >-# Q: Would you like to password protect single-user mode? [Y] >+# Q: Would you like to password protect single-user mode? [Y] > BootSecurity.passsum="Y" >-# Q: May we disable Autologin? [Y] >-BootSecurity.disable_autologin="Y" >-# Q: Would you like to set a default-deny on TCP Wrappers? [N] >-SecureInetd.tcpd_default_deny="N" >-# Q: May we deactivate telnet? [Y] >-SecureInetd.deactivate_telnet="Y" >-# Q: May we deactivate ftp? [Y] >-SecureInetd.deactivate_ftp="Y" >-# Q: Would you like to make "Authorized Use" banners? [Y] >-SecureInetd.banners="Y" >-# Q: Would you like to disable the compiler? [N] >-DisableUserTools.compiler="N" >-# Q: Would you like to put limits on system resource usage? [Y] >-ConfigureMiscPAM.limitsconf="N" >-# Q: Should we restrict console access to a small group of user accounts? [N] >+# Q: Would you like to password-protect the LILO prompt? [N] >+BootSecurity.protectlilo="N" >+# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] >+BootSecurity.secureinittab="N" >+# Q: Should we restrict console access to a small group of user accounts? [N] > ConfigureMiscPAM.consolelogin="N" >-# Q: Would you like to add additional logging? [Y] >+# Q: Would you like to put limits on system resource usage? [N] >+ConfigureMiscPAM.limitsconf="N" >+# Q: Would you like to chroot named and set it to run as a non-root user? [N] >+DNS.chrootbind="N" >+# Q: Would you like to deactivate named, at least for now? [Y] >+DNS.namedoff="Y" >+# Q: Would you like to disable the gcc and/or g++ compiler? [N] >+DisableUserTools.compiler="N" >+# Q: Would you like to disable anonymous download? [N] >+FTP.anonftp="Y" >+# Q: Would you like to disable user privileges on the FTP daemon? [N] >+FTP.userftp="N" >+# Q: Would you like to disable SUID status for XFree86? [N] >+FilePermissions.suidXFree86="N" >+# Q: Would you like to disable SUID status for at? [Y] >+FilePermissions.suidat="N" >+# Q: Would you like to disable SUID status for cardctl? [Y] >+FilePermissions.suidcard="Y" >+# Q: Would you like to disable SUID status for DOSEMU? [Y] >+FilePermissions.suiddos="Y" >+# Q: Would you like to disable SUID status for dump and restore? [Y] >+FilePermissions.suiddump="Y" >+# Q: Would you like to disable SUID status for mount/umount? >+FilePermissions.suidmount="N" >+# Q: Would you like to disable SUID status for news server tools? [Y] >+FilePermissions.suidnews="Y" >+# Q: Would you like to disable SUID status for ping? [Y] >+FilePermissions.suidping="N" >+# Q: Would you like to disable SUID status for printing utilities? [N] >+FilePermissions.suidprint="N" >+# Q: Would you like to disable the r-tools? [Y] >+FilePermissions.suidrtool="Y" >+# Q: Would you like to disable SUID status for traceroute? [Y] >+FilePermissions.suidtrace="N" >+# Q: Would you like to disable SUID status for usernetctl? [Y] >+FilePermissions.suidusernetctl="N" >+# Q: Do you need the advanced networking options? >+Firewall.ip_advnetwork="N" >+# Q: Interfaces for DHCP queries: [ ] >+Firewall.ip_b_dhcpiface="eth+ wlan+ ath+" >+# Q: DNS Servers: [0.0.0.0/0] >+Firewall.ip_b_dns="0.0.0.0/0" >+# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded] >+Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-request" >+# Q: ICMP services to audit: [ ] >+Firewall.ip_b_icmpaudit="" >+# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded] >+Firewall.ip_b_icmpout="destination-unreachable time-exceeded" >+# Q: NTP servers to query: [ ] >+Firewall.ip_b_ntpsrv="" >+# Q: Force passive mode? [N] >+Firewall.ip_b_passiveftp="N" >+# Q: Public interfaces: [eth+ ppp+ slip+] >+Firewall.ip_b_publiciface="eth+ ppp+ slip+ wlan+ ath+" >+# Q: TCP service names or port numbers to allow on public interfaces: [ ] >+Firewall.ip_b_publictcp="ssh 80 443 25 21 53" >+# Q: UDP service names or port numbers to allow on public interfaces: [ ] >+Firewall.ip_b_publicudp="53 67 68" >+# Q: Reject method: [DENY] >+Firewall.ip_b_rejectmethod="REJECT" >+# Q: Enable source address verification? [Y] >+Firewall.ip_b_srcaddr="Y" >+# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh] >+Firewall.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" >+# Q: TCP services to block: [2049 2065:2090 6000:6020 7100] >+Firewall.ip_b_tcpblock="2049 2065:2090 7100" >+# Q: UDP services to audit: [31337] >+Firewall.ip_b_udpaudit="31337" >+# Q: UDP services to block: [2049 6770] >+Firewall.ip_b_udpblock="2049 6770" >+# Q: Should Bastille run the firewall and enable it at boot time? [N] >+Firewall.ip_enable_firewall="Y" >+# Q: Would you like to run the packet filtering script? [N] >+Firewall.ip_intro="Y" >+# Q: Would you like to add additional logging? [Y] > Logging.morelogging="Y" >-# Q: Do you have a remote logging host? [N] >-Logging.remotelog="N" >-# Q: Would you like to set up process accounting? [N] >+# Q: Would you like to set up process accounting? [N] > Logging.pacct="N" >-# Q: Would you like to set up nightly security checks? [N]" >-Logging.security_checks="Y" >-# Q: Would you like to disable apmd? [Y] >+# Q: Would you like to disable acpid and/or apmd? [Y] > MiscellaneousDaemons.apmd="Y" >-# Q: Would you like to deactivate NFS and Samba? [Y] >-MiscellaneousDaemons.remotefs="Y" >-# Q: Would you like to disable PCMCIA services? [Y] >-MiscellaneousDaemons.pcmcia="N" >-# Q: Would you like to disable the DHCP daemon? [Y] >+# Q: Would you like to disable the DHCP daemon? [Y] > MiscellaneousDaemons.dhcpd="Y" >-# Q: Would you like to disable GPM? [Y] >+# Q: Would you like to disable GPM? [Y] > MiscellaneousDaemons.gpm="Y" >-# Q: Would you like to disable the news server daemon? [Y] >+# Q: Would you like to disable the news server daemon? [Y] > MiscellaneousDaemons.innd="Y" >-# Q: Would you like to deactivate the routing daemons? [Y] >-MiscellaneousDaemons.routing="Y" >-# Q: Would you like to deactivate NIS server and client programs? [Y] >-MiscellaneousDaemons.nis="Y" >-# Q: Would you like to disable SNMPD? [Y] >+# Q: Would you like to disable PCMCIA services? [Y] >+MiscellaneousDaemons.pcmcia="N" >+# Q: Would you like to deactivate NFS and Samba? [Y] >+MiscellaneousDaemons.remotefs="Y" >+# Q: Would you like to disable SNMPD? [Y] > MiscellaneousDaemons.snmpd="Y" >-# Q: Should we disable most chkconfig'd services? >-MiscellaneousDaemons.minimize_chkconfig="N" >-# Q: Do you want to leave sendmail running in daemon mode? [Y] >-Sendmail.sendmaildaemon="N" >-# Q: Would you like to run sendmail via cron to process the queue? [N] >+# Q: Would you like to setup psad? >+PSAD.psad_config="N" >+# Q: Would you like to disable LPR/LPRng printing? [N] >+Printing.printing="N" >+# Q: Would you like to disable CUPS printing? [N] >+Printing.printing_cups="N" >+# Q: Would you like to display "Authorized Use" messages at log-in time? [Y] >+SecureInetd.banners="Y" >+# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y] >+SecureInetd.deactivate_ftp="Y" >+# Q: Should Bastille ensure the telnet service does not run on this system? [y] >+SecureInetd.deactivate_telnet="Y" >+# Q: Who is responsible for granting authorization to use this machine? >+SecureInetd.owner="its owner" >+# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N] >+SecureInetd.tcpd_default_deny="N" >+# Q: Would you like to run sendmail via cron to process the queue? [N] > Sendmail.sendmailcron="Y" >-# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] >+# Q: Do you want to stop sendmail from running in daemon mode? [Y] >+Sendmail.sendmaildaemon="N" >+# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] > Sendmail.vrfyexpn="Y" >-# Q: Would you like to download and install ssh? [N] >-RemoteAccess.installssh="N" >-# Q: Would you like to chroot named and set it to run as a non-root user? [N] >-DNS.chrootbind="N" >-# Q: Would you like to deactivate named, at least for now? [Y] >-DNS.namedoff="Y" >-# Q: Would you like to deactivate the Apache web server? [Y] >-Apache.apacheoff="Y" >-# Q: Would you like to bind the web server to listen only to the localhost? [N] >-Apache.bindapachelocal="N" >-# Q: Would you like to bind the web server to a particular interface? [N] >-Apache.bindapachenic="N" >-# Q: Would you like to deactivate the following of symbolic links? [Y] >-Apache.symlink="N" >-# Q: Would you like to deactivate server-side includes? [Y] >-Apache.ssi="Y" >-# Q: Would you like to disable CGI scripts, at least for now? [Y] >-Apache.cgi="N" >-# Q: Would you like to disable indexes? [N] >-Apache.apacheindex="N" >-# Q: Would you like to disable printing? [N] >-Printing.printing="N" >-# Q: Would you like to disable user privileges on the FTP daemon? [N] >-FTP.userftp="N" >-# Q: Would you like to disable anonymous download? [N] >-FTP.anonftp="Y" >-# Q: Would you like to install TMPDIR/TMP scripts? [N] >+# Q: Would you like to install TMPDIR/TMP scripts? [N] > TMPDIR.tmpdir="Y" >diff -urN Bastille.orig/WorkstationParanoia.config Bastille/WorkstationParanoia.config >--- Bastille.orig/WorkstationParanoia.config 2005-04-06 01:18:11.000000000 +0200 >+++ Bastille/WorkstationParanoia.config 2014-06-07 13:15:52.900123716 +0200 >@@ -1,172 +1,152 @@ >-# Q: Would you like to run the packet filtering script? [N] >-IPChains.ip_intro="Y" >-# Q: >-IPChains.ip_detail_level_kludge="Y" >-# Q: Do you need the advanced networking options? >-IPChains.ip_advnetwork="N" >-# Q: DNS Servers: [0.0.0.0/0] >-IPChains.ip_b_dns="0.0.0.0/0" >-# Q: >-IPChains.ip_b_trustiface="lo" >-# Q: Public interfaces: [eth+ ppp+ slip+] >-IPChains.ip_b_publiciface="eth+ ppp+ slip+" >-# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh] >-IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" >-# Q: UDP services to audit: [31337] >-IPChains.ip_b_udpaudit="31337" >-# Q: TCP service names or port numbers to allow on public interfaces: [ ] >-IPChains.ip_b_publictcp="ssh" >-# Q: Force passive mode? [N] >-IPChains.ip_b_passiveftp="N" >-# Q: TCP services to block: [2065:2090 6000:6020 7100] >-IPChains.ip_b_tcpblock="2049 2065:2090 6000:6020 7100" >-# Q: UDP services to block: [2049 6770] >-IPChains.ip_b_udpblock="2049 6770" >-# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded] >-IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded" >-# Q: Enable source address verification? [Y] >-IPChains.ip_b_srcaddr="Y" >-# Q: Reject method: [DENY] >-IPChains.ip_b_rejectmethod="DENY" >-# Q: Interfaces for DHCP queries: [ ] >-IPChains.ip_b_dhcpiface="eth+" >-# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded] >-IPChains.ip_b_icmpout="destination-unreachable time-exceeded echo-reply" >-# Q: Would you like to set more restrictive permissions on the administration utilities? [N] >-FilePermissions.generalperms_1.1="N" >-# Q: What security level should we set? [3] >-FilePermissions.security_level="4" >-# Q: Would you like us to modify your file permissions? >-FilePermissions.generalperms_1.2_mandrake="Y" >-# Q: Would you like to disable SUID status for mount/umount? >-FilePermissions.suidmount="Y" >-# Q: Would you like to disable SUID status for ping? [Y] >-FilePermissions.suidping="Y" >-# Q: Would you like to disable SUID status for dump and restore? [Y] >-FilePermissions.suiddump="Y" >-# Q: Would you like to disable SUID status for cardctl? [Y] >-FilePermissions.suidcard="Y" >-# Q: Would you like to disable SUID status for at? [Y] >-FilePermissions.suidat="Y" >-# Q: Would you like to disable SUID status for DOSEMU? [Y] >-FilePermissions.suiddos="Y" >-# Q: Would you like to disable SUID status for news server tools? [Y] >-FilePermissions.suidnews="Y" >-# Q: Would you like to disable SUID status for printing utilities? [N] >-FilePermissions.suidprint="N" >-# Q: Would you like to disable SUID status for the r-tools? [Y] >-FilePermissions.suidrtool="Y" >-# Q: Would you like to disable SUID status for usernetctl? [Y] >-FilePermissions.suidusernetctl="Y" >-# Q: Would you like to disable SUID status for traceroute? [Y] >-FilePermissions.suidtrace="Y" >-# Q: Would you like to set up a second UID 0 account? [N] >-AccountSecurity.secondadmin="N" >-# Q: May we take strong steps to disallow the dangerous r-protocols? [Y] >-AccountSecurity.protectrhost="Y" >-# Q: Would you like to enforce password aging? [Y] >-AccountSecurity.passwdage="Y" >-# Q: Would you like to create a non-root user account? [N] >-AccountSecurity.createuser="N" >-# Q: Would you like to restrict the use of cron to administrative accounts? [Y] >+# Q: Would you like to restrict the use of cron to administrative accounts? [Y] > AccountSecurity.cronuser="Y" >-# Q: What umask would you like to set for users on the system? [077] >-AccountSecurity.umask="077" >-# Q: Should we allow root to login on tty's 1-6? [Y] >+# Q: Would you like to enforce password aging? [Y] >+AccountSecurity.passwdage="Y" >+# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y] >+AccountSecurity.protectrhost="Y" >+# Q: Should we disallow root login on tty's 1-6? [N] > AccountSecurity.rootttylogins="N" >-# Q: Should we allow the PATH to include the current directory? [N] >-AccountSecurity.restrict_path_mdk="N" >-# Q: Should we deactivate this list of users? [N] >-AccountSecurity.forbiduserview="Y" >-# Q: Would you like to password-protect the LILO prompt? [N] >-BootSecurity.protectlilo="N" >-# Q: Would you like to reduce the LILO delay time to zero? [N] >+# Q: Would you like to disable indexes? [N] >+Apache.apacheindex="N" >+# Q: Would you like to deactivate the Apache2 web server? [Y] >+Apache.apacheoff="Y" >+# Q: Would you like to bind the Web server to listen only to the localhost? [N] >+Apache.bindapachelocal="N" >+# Q: Would you like to bind the web server to a particular interface? [N] >+Apache.bindapachenic="N" >+# Q: Would you like to disable CGI scripts, at least for now? [Y] >+Apache.cgi="Y" >+# Q: Would you like to deactivate server-side includes? [Y] >+Apache.ssi="Y" >+# Q: Would you like to deactivate the following of symbolic links? [Y] >+Apache.symlink="Y" >+# Q: Would you like to reduce the LILO delay time to zero? [N] > BootSecurity.lilodelay="N" >-# Q: Do you ever boot Linux from the hard drive? [Y] >+# Q: Do you ever boot Linux from the hard drive? [Y] > BootSecurity.lilosub_drive="N" >-# Q: Would you like to write the LILO changes to a boot floppy? [N] >+# Q: Would you like to write the LILO changes to a boot floppy? [N] > BootSecurity.lilosub_floppy="N" >-# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] >-BootSecurity.secureinittab="N" >-# Q: Would you like to password protect single-user mode? [Y] >+# Q: Would you like to password protect single-user mode? [Y] > BootSecurity.passsum="Y" >-# Q: May we disable Autologin? [Y] >-BootSecurity.disable_autologin="Y" >-# Q: Would you like to set a default-deny on TCP Wrappers? [N] >-SecureInetd.tcpd_default_deny="N" >-# Q: May we deactivate telnet? [Y] >-SecureInetd.deactivate_telnet="Y" >-# Q: May we deactivate ftp? [Y] >-SecureInetd.deactivate_ftp="Y" >-# Q: Would you like to set sshd to accept connections only from a small list of IP addresses. [N] >-SecureInetd.limit_ssh="N" >-# Q: Would you like to make "Authorized Use" banners? [Y] >-SecureInetd.banners="Y" >-# Q: Would you like to disable the compiler? [N] >-DisableUserTools.compiler="N" >-# Q: Would you like to put limits on system resource usage? [Y] >-ConfigureMiscPAM.limitsconf="N" >-# Q: Should we restrict console access to a small group of user accounts? [N] >+# Q: Would you like to password-protect the LILO prompt? [N] >+BootSecurity.protectlilo="N" >+# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N] >+BootSecurity.secureinittab="N" >+# Q: Should we restrict console access to a small group of user accounts? [N] > ConfigureMiscPAM.consolelogin="N" >-# Q: Would you like to add additional logging? [Y] >+# Q: Would you like to put limits on system resource usage? [N] >+ConfigureMiscPAM.limitsconf="N" >+# Q: Would you like to chroot named and set it to run as a non-root user? [N] >+DNS.chrootbind="N" >+# Q: Would you like to deactivate named, at least for now? [Y] >+DNS.namedoff="Y" >+# Q: Would you like to disable the gcc and/or g++ compiler? [N] >+DisableUserTools.compiler="N" >+# Q: Would you like to disable anonymous download? [N] >+FTP.anonftp="Y" >+# Q: Would you like to disable user privileges on the FTP daemon? [N] >+FTP.userftp="Y" >+# Q: Would you like to disable SUID status for XFree86? [N] >+FilePermissions.suidXFree86="N" >+# Q: Would you like to disable SUID status for at? [Y] >+FilePermissions.suidat="Y" >+# Q: Would you like to disable SUID status for cardctl? [Y] >+FilePermissions.suidcard="Y" >+# Q: Would you like to disable SUID status for DOSEMU? [Y] >+FilePermissions.suiddos="Y" >+# Q: Would you like to disable SUID status for dump and restore? [Y] >+FilePermissions.suiddump="Y" >+# Q: Would you like to disable SUID status for mount/umount? >+FilePermissions.suidmount="Y" >+# Q: Would you like to disable SUID status for news server tools? [Y] >+FilePermissions.suidnews="Y" >+# Q: Would you like to disable SUID status for ping? [Y] >+FilePermissions.suidping="Y" >+# Q: Would you like to disable SUID status for printing utilities? [N] >+FilePermissions.suidprint="N" >+# Q: Would you like to disable the r-tools? [Y] >+FilePermissions.suidrtool="Y" >+# Q: Would you like to disable SUID status for traceroute? [Y] >+FilePermissions.suidtrace="Y" >+# Q: Would you like to disable SUID status for usernetctl? [Y] >+FilePermissions.suidusernetctl="Y" >+# Q: Do you need the advanced networking options? >+Firewall.ip_advnetwork="N" >+# Q: Interfaces for DHCP queries: [ ] >+Firewall.ip_b_dhcpiface="eth+ wlan+ ath+" >+# Q: DNS Servers: [0.0.0.0/0] >+Firewall.ip_b_dns="0.0.0.0/0" >+# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded] >+Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded" >+# Q: ICMP services to audit: [ ] >+Firewall.ip_b_icmpaudit="" >+# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded] >+Firewall.ip_b_icmpout="destination-unreachable time-exceeded echo-reply" >+# Q: NTP servers to query: [ ] >+Firewall.ip_b_ntpsrv="" >+# Q: Force passive mode? [N] >+Firewall.ip_b_passiveftp="N" >+# Q: Public interfaces: [eth+ ppp+ slip+] >+Firewall.ip_b_publiciface="eth+ ppp+ slip+ wlan+ ath+" >+# Q: TCP service names or port numbers to allow on public interfaces: [ ] >+Firewall.ip_b_publictcp="ssh" >+# Q: UDP service names or port numbers to allow on public interfaces: [ ] >+Firewall.ip_b_publicudp="" >+# Q: Reject method: [DENY] >+Firewall.ip_b_rejectmethod="DENY" >+# Q: Enable source address verification? [Y] >+Firewall.ip_b_srcaddr="Y" >+# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh] >+Firewall.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" >+# Q: TCP services to block: [2049 2065:2090 6000:6020 7100] >+Firewall.ip_b_tcpblock="2049 2065:2090 6000:6020 7100" >+# Q: UDP services to audit: [31337] >+Firewall.ip_b_udpaudit="31337" >+# Q: UDP services to block: [2049 6770] >+Firewall.ip_b_udpblock="2049 6770" >+# Q: Should Bastille run the firewall and enable it at boot time? [N] >+Firewall.ip_enable_firewall="Y" >+# Q: Would you like to run the packet filtering script? [N] >+Firewall.ip_intro="Y" >+# Q: Would you like to add additional logging? [Y] > Logging.morelogging="Y" >-# Q: Do you have a remote logging host? [N] >-Logging.remotelog="N" >-# Q: Would you like to set up process accounting? [N] >+# Q: Would you like to set up process accounting? [N] > Logging.pacct="N" >-# Q: Would you like to set up nightly security checks? [N]" >-Logging.security_checks="Y" >-# Q: Would you like to disable apmd? [Y] >+# Q: Would you like to disable acpid and/or apmd? [Y] > MiscellaneousDaemons.apmd="Y" >-# Q: Would you like to deactivate NFS and Samba? [Y] >-MiscellaneousDaemons.remotefs="Y" >-# Q: Would you like to disable PCMCIA services? [Y] >-MiscellaneousDaemons.pcmcia="Y" >-# Q: Would you like to disable the DHCP daemon? [Y] >+# Q: Would you like to disable the DHCP daemon? [Y] > MiscellaneousDaemons.dhcpd="Y" >-# Q: Would you like to disable GPM? [Y] >+# Q: Would you like to disable GPM? [Y] > MiscellaneousDaemons.gpm="Y" >-# Q: Would you like to disable the news server daemon? [Y] >+# Q: Would you like to disable the news server daemon? [Y] > MiscellaneousDaemons.innd="Y" >-# Q: Would you like to deactivate the routing daemons? [Y] >-MiscellaneousDaemons.routing="Y" >-# Q: Would you like to deactivate NIS server and client programs? [Y] >-MiscellaneousDaemons.nis="Y" >-# Q: Would you like to disable SNMPD? [Y] >+# Q: Would you like to disable PCMCIA services? [Y] >+MiscellaneousDaemons.pcmcia="Y" >+# Q: Would you like to deactivate NFS and Samba? [Y] >+MiscellaneousDaemons.remotefs="Y" >+# Q: Would you like to disable SNMPD? [Y] > MiscellaneousDaemons.snmpd="Y" >-# Q: Should we disable most chkconfig'd services? >-MiscellaneousDaemons.minimize_chkconfig="Y" >-# Q: Do you want to leave sendmail running in daemon mode? [Y] >-Sendmail.sendmaildaemon="N" >-# Q: Would you like to run sendmail via cron to process the queue? [N] >+# Q: Would you like to setup psad? >+PSAD.psad_config="N" >+# Q: Would you like to disable LPR/LPRng printing? [N] >+Printing.printing="N" >+# Q: Would you like to disable CUPS printing? [N] >+Printing.printing_cups="N" >+# Q: Would you like to display "Authorized Use" messages at log-in time? [Y] >+SecureInetd.banners="Y" >+# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y] >+SecureInetd.deactivate_ftp="Y" >+# Q: Should Bastille ensure the telnet service does not run on this system? [y] >+SecureInetd.deactivate_telnet="Y" >+# Q: Who is responsible for granting authorization to use this machine? >+SecureInetd.owner="its owner" >+# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N] >+SecureInetd.tcpd_default_deny="N" >+# Q: Would you like to run sendmail via cron to process the queue? [N] > Sendmail.sendmailcron="Y" >-# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] >+# Q: Do you want to stop sendmail from running in daemon mode? [Y] >+Sendmail.sendmaildaemon="N" >+# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y] > Sendmail.vrfyexpn="Y" >-# Q: Would you like to download and install ssh? [N] >-RemoteAccess.installssh="N" >-# Q: Would you like to chroot named and set it to run as a non-root user? [N] >-DNS.chrootbind="N" >-# Q: Would you like to deactivate named, at least for now? [Y] >-DNS.namedoff="Y" >-# Q: Would you like to deactivate the Apache web server? [Y] >-Apache.apacheoff="Y" >-# Q: Would you like to bind the web server to listen only to the localhost? [N] >-Apache.bindapachelocal="N" >-# Q: Would you like to bind the web server to a particular interface? [N] >-Apache.bindapachenic="N" >-# Q: Would you like to deactivate the following of symbolic links? [Y] >-Apache.symlink="Y" >-# Q: Would you like to deactivate server-side includes? [Y] >-Apache.ssi="Y" >-# Q: Would you like to disable CGI scripts, at least for now? [Y] >-Apache.cgi="Y" >-# Q: Would you like to disable indexes? [N] >-Apache.apacheindex="N" >-# Q: Would you like to disable printing? [N] >-Printing.printing="N" >-# Q: Would you like to disable user privileges on the FTP daemon? [N] >-FTP.userftp="Y" >-# Q: Would you like to disable anonymous download? [N] >-FTP.anonftp="Y" >-# Q: Would you like to install TMPDIR/TMP scripts? [N] >+# Q: Would you like to install TMPDIR/TMP scripts? [N] > TMPDIR.tmpdir="Y"
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=378422">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 431232
: 378422
