bastille-linux-discuss Mailing List for Bastille Linux
This tool locks down Linux and UNIX systems.
Brought to you by: jay
Messages per month in the archive:

| Year | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2000 | | | 13 | 31 | 26 | 160 | 197 | 88 | 86 | 66 | 50 | 26 |
| 2001 | 55 | 119 | 295 | 191 | 182 | 209 | 205 | 195 | 19 | 61 | 78 | 50 |
| 2002 | 257 | 118 | 90 | 104 | 94 | 129 | 86 | 121 | 34 | 97 | 128 | 35 |
| 2003 | 31 | 59 | 71 | 61 | 62 | 77 | 33 | 74 | 48 | 26 | 27 | 39 |
| 2004 | 17 | 5 | 19 | 16 | 15 | 21 | 22 | 18 | 47 | 21 | 18 | 11 |
| 2005 | 8 | 11 | 23 | 24 | 8 | 23 | 20 | 8 | 7 | 9 | | 7 |
| 2006 | 11 | 4 | 2 | 1 | | 24 | 2 | 16 | | 1 | 33 | 7 |
| 2007 | 1 | | 8 | | | 1 | 3 | 6 | | 4 | 1 | |
| 2008 | | 1 | 1 | | 6 | | 2 | | | 3 | | |
| 2009 | | | 3 | | | | | 1 | 3 | | | |
| 2012 | | | 2 | | | | | | | | | |
From: Paul A. <pau...@co...> - 2012-03-17 21:12:32

On 03/17/2012 12:21 AM, Dwijadas Dey wrote:
> Hi List users
> I have installed Bastille 3.2.1 in CentOS 6 but whenever I try to run bastille -x through command prompt I get the following error.
>
>   ERROR: Could not determine CentOS version! Setting to Red Hat Enterprise 4 AS.
>   ERROR: Could not determine CentOS version! Setting to Red Hat Enterprise 4 AS.
>   NOTE: Using Tk user interface module.
>   NOTE: Only displaying questions relevant to the current configuration.
>   NOTE: Bastille is scanning the system configuration...
>   ERROR: Bastille tried to use $GLOBAL_SERVICE{'nis.server'} but it does not exist.
>   Can't use an undefined value as an ARRAY reference at /usr/lib/Bastille/API/ServiceAdmin.pm line 598, <FILE> line 249.
>
> For running Bastille is it absolutely necessary to install and run NIS server ?

Nope. It should be completely optional.

But, the larger issue is that Bastille has been essentially dead since about 2008. There's a note dated 1/29/2012 on www.bastille-unix.org claiming that the project is starting back up, but

> Can anyone guide me in the right direction ?

3.2.1 was horribly broken when I tried it just now on my Fedora 14 setup. But, Jay appears to have been working on bringing things up to date. I see lots of changes since January in the repository, and when I snatched a tarball copy just now, it installed and the Tk interface cheerfully announced version 3.3. (Way to go, Jay!)

So, the first guidance would be to work from CVS and install using the Install.sh script. You might need some perl chops in order to really get it to do the right thing on your system.

If you're a perl developer and have some fairly deep experience with how Linux systems have changed over the past four years or so, Jay could probably use some help. If you're not a developer, or don't have the time or a test machine to break, you might wait a bit and see what happens.

Good luck!

Paul Allen
From: Dwijadas D. <dw...@gm...> - 2012-03-17 07:21:53

Hi List users

I have installed Bastille 3.2.1 in CentOS 6 but whenever I try to run bastille -x through command prompt I get the following error.

  ERROR: Could not determine CentOS version! Setting to Red Hat Enterprise 4 AS.
  ERROR: Could not determine CentOS version! Setting to Red Hat Enterprise 4 AS.
  NOTE: Using Tk user interface module.
  NOTE: Only displaying questions relevant to the current configuration.
  NOTE: Bastille is scanning the system configuration...
  ERROR: Bastille tried to use $GLOBAL_SERVICE{'nis.server'} but it does not exist.
  Can't use an undefined value as an ARRAY reference at /usr/lib/Bastille/API/ServiceAdmin.pm line 598, <FILE> line 249.

For running Bastille is it absolutely necessary to install and run NIS server ?

Can anyone guide me in the right direction ?

Thanks in advance
Dwdy
From: Joe_Wulf <Joe...@ya...> - 2009-09-11 13:10:53

Johan,

It might be helpful to share the contents of your bastille config files for the firewall.

R,
-Joe Wulf, CISSP, RHCT, VCP, USN(RET)
Senior IA Engineer
ProSync Technology Group, LLC
www.prosync.com

_____
From: Johan Draaisma [mailto:jo...@dr...]
Sent: Friday, September 11, 2009 07:59
To: bas...@li...
Subject: [Bastille-linux-discuss] Question regarding Bastille firewall and ppp connections

Hello Bastille mailinglist,

I was wondering if any of you could help me with setting up a PPTP server in combination with Bastille firewall? I am attempting to get the VPN clients to communicate between themselves... but so far Bastille seems to block this.

I have a server on the internet that is directly connected to the internet on interface eth0. It relies on Bastille firewall to keep it fairly safe. This works well and I have configured Bastille to allow access to ports 22 and 80 and so on. I also allowed ICMP ECHO so I can ping the server from the internet.

I decided to add a second network card in the machine at interface number eth1 with IP address 172.16.253.254 that goes to a network that does not have internet access. It leads to a set of workstations that are all on the 172.16.253.100-199 range. This all works fine, and as expected, Bastille blocks attempts to access blocked ports from both eth0 and eth1. This is good. I still can't ping the server from the eth0 and eth1 interfaces, which is also good.

I want to be able to make a VPN connection to the network behind my server, so I installed pptpd and configured it, and I opened port 1723 in Bastille firewall so I could get a connection. I have configured PPTPD to set the server's local IP address to 172.16.253.254 (same as address on eth1) and to assign a free address to the remote VPN client in the 172.16.253.1-99 range. This works and from the client I can access the 172.16.253.254 interface.

I wanted to allow the VPN clients to communicate with workstations in the 172.16.253.100-199 range, and also between the VPN clients themselves. I have done this before on other servers that do not use Bastille firewall. The only thing I needed to do was to enable IP forward in /etc/sysctl.conf and /proc/sys/net/ipv4/ip_forward (1). With Bastille disabled and IP forwarding enabled, this works fine - I can have communication between the VPN clients on the 172.16.253.1-99 range and to and from the 172.16.253.100-199 range and even to and from 172.16.253.254.

However, when I did this with Bastille enabled, the traffic between the VPN client and the VPN server would work, but I could not get VPN clients to communicate between themselves nor get the VPN clients to access the 172.16.253.x workstations.

For the life of me, I can't figure out how to configure Bastille firewall to allow traffic between all 172.16.253.x interfaces. I don't even mind if Bastille still blocks ports, but I would at least like to get ICMP PING and port 80 working and such.

I don't know if this helps, but this schematic might help. To the left are two clients that are connected via a VPN connection to the PPTPD server on my internet server in the middle. To the right is the network with computers in the 172.16.253.100-199 range.

     -----------------------     ----------------------------------------
     | PC1 (pptp client 1) |     | PPTPD server with Bastille firewall  |
     | eth0 interface:     |     | eth0 interface: (public internet IP) |
     | 192.168.47.100      |     |----------------------------------------|     ----------------------
     |                     |     | eth1 interface: 172.16.253.254       |-----| 172.16.253.100-199 |
     | ppp interface:      |     |                                      |     | workstations       |
     | 172.16.253.1        |-----| ppp0 172.16.253.1 - 172.16.253.254   |     ----------------------
     -----------------------     |      (remote IP)     (local IP)      |
                                 |                                      |
     -----------------------     |                                      |
     | PC2 (pptp client 2) |-----| ppp1 172.16.253.2 - 172.16.253.254   |
     | eth0 interface:     |     |      (remote IP)     (local IP)      |
     | 10.0.0.100          |     |                                      |
     |                     |     ----------------------------------------
     | ppp interface:      |
     | 172.16.253.2        |
     -----------------------

Anything you can do to help would be greatly appreciated!

--
Met vriendelijke groet,
Johan Draaisma

Jellema Automatisering
Tel.nr.: 058 2120288
Fax.nr.: 058 2151309
From: <mn...@ho...> - 2009-09-11 12:53:09

Hi, I'm trying to migrate my email to a single account and Hotmail has become too big a pain and is not really user friendly.

Please send your message to my gmail account mn...@gm... and update your address book with the new address. I will maintain this account for a while but eventually, it's getting the axe.

Thanks and sorry about the inconvenience of this matter. If Hotmail was designed a bit better the whole matter would be unnecessary.

Mike Nixon
From: Johan D. <jo...@dr...> - 2009-09-11 12:52:48

Hello Bastille mailinglist,

I was wondering if any of you could help me with setting up a PPTP server in combination with Bastille firewall? I am attempting to get the VPN clients to communicate between themselves... but so far Bastille seems to block this.

I have a server on the internet that is directly connected to the internet on interface eth0. It relies on Bastille firewall to keep it fairly safe. This works well and I have configured Bastille to allow access to ports 22 and 80 and so on. I also allowed ICMP ECHO so I can ping the server from the internet.

I decided to add a second network card in the machine at interface number eth1 with IP address 172.16.253.254 that goes to a network that does not have internet access. It leads to a set of workstations that are all on the 172.16.253.100-199 range. This all works fine, and as expected, Bastille blocks attempts to access blocked ports from both eth0 and eth1. This is good. I still can't ping the server from the eth0 and eth1 interfaces, which is also good.

I want to be able to make a VPN connection to the network behind my server, so I installed pptpd and configured it, and I opened port 1723 in Bastille firewall so I could get a connection. I have configured PPTPD to set the server's local IP address to 172.16.253.254 (same as address on eth1) and to assign a free address to the remote VPN client in the 172.16.253.1-99 range. This works and from the client I can access the 172.16.253.254 interface.

I wanted to allow the VPN clients to communicate with workstations in the 172.16.253.100-199 range, and also between the VPN clients themselves. I have done this before on other servers that do not use Bastille firewall. The only thing I needed to do was to enable IP forward in /etc/sysctl.conf and /proc/sys/net/ipv4/ip_forward (1). With Bastille disabled and IP forwarding enabled, this works fine - I can have communication between the VPN clients on the 172.16.253.1-99 range and to and from the 172.16.253.100-199 range and even to and from 172.16.253.254.

However, when I did this with Bastille enabled, the traffic between the VPN client and the VPN server would work, but I could not get VPN clients to communicate between themselves nor get the VPN clients to access the 172.16.253.x workstations.

For the life of me, I can't figure out how to configure Bastille firewall to allow traffic between all 172.16.253.x interfaces. I don't even mind if Bastille still blocks ports, but I would at least like to get ICMP PING and port 80 working and such.

I don't know if this helps, but this schematic might help. To the left are two clients that are connected via a VPN connection to the PPTPD server on my internet server in the middle. To the right is the network with computers in the 172.16.253.100-199 range.

     -----------------------     ----------------------------------------
     | PC1 (pptp client 1) |     | PPTPD server with Bastille firewall  |
     | eth0 interface:     |     | eth0 interface: (public internet IP) |
     | 192.168.47.100      |     |----------------------------------------|     ----------------------
     |                     |     | eth1 interface: 172.16.253.254       |-----| 172.16.253.100-199 |
     | ppp interface:      |     |                                      |     | workstations       |
     | 172.16.253.1        |-----| ppp0 172.16.253.1 - 172.16.253.254   |     ----------------------
     -----------------------     |      (remote IP)     (local IP)      |
                                 |                                      |
     -----------------------     |                                      |
     | PC2 (pptp client 2) |-----| ppp1 172.16.253.2 - 172.16.253.254   |
     | eth0 interface:     |     |      (remote IP)     (local IP)      |
     | 10.0.0.100          |     |                                      |
     |                     |     ----------------------------------------
     | ppp interface:      |
     | 172.16.253.2        |
     -----------------------

Anything you can do to help would be greatly appreciated!

--
Met vriendelijke groet,
Johan Draaisma

Jellema Automatisering
Tel.nr.: 058 2120288
Fax.nr.: 058 2151309
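The missing piece in the setup above is the FORWARD chain: enabling ip_forward lets the kernel route between ppp0, ppp1 and eth1, but a Bastille-style firewall still drops forwarded packets unless a rule accepts them. The script below is an added example, not code from bastille-firewall or from Johan's configuration. It uses the interface names and the 172.16.253.0/24 range from the thread and assumes eth0 is the public side; it prints the rules by default and only runs them when APPLY=1 is set (as root).

```sh
#!/bin/sh
# Added example, not part of bastille-firewall: FORWARD-chain rules that let
# PPTP clients (ppp0, ppp1, ...) reach each other and the eth1 workstations.
# Interface names and the 172.16.253.0/24 range are taken from the thread;
# WAN_IF=eth0 (assumed) is the public side. Rules are printed unless APPLY=1.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
VPN_IF=${VPN_IF:-ppp+}          # iptables wildcard: any interface named ppp*
LAN_NET=${LAN_NET:-172.16.253.0/24}

run() {
    # Dry-run by default so the rule set can be reviewed before it is loaded.
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

vpn_forward_rules() {
    # 1. The kernel must route between interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Insert at the top of FORWARD so the firewall's own DROP/REJECT rules
    #    and its default policy come after these. Reply packets first.
    run iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. VPN client -> LAN workstations, and LAN -> VPN client. The -s/-d
    #    match keeps a VPN client from pushing traffic with a foreign source
    #    address through the server.
    run iptables -I FORWARD 2 -i "$VPN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$LAN_NET" -j ACCEPT
    run iptables -I FORWARD 3 -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -d "$LAN_NET" -j ACCEPT
    # 4. VPN client -> VPN client: a packet that arrives on ppp0 and is routed
    #    back out ppp1 (or vice versa) is also a forwarded packet.
    run iptables -I FORWARD 4 -i "$VPN_IF" -o "$VPN_IF" -s "$LAN_NET" -d "$LAN_NET" -j ACCEPT
    # 5. Nothing from the private range is ever forwarded out to the Internet,
    #    and nothing arriving on the public interface may claim a private source.
    run iptables -I FORWARD 5 -o "$WAN_IF" -s "$LAN_NET" -j DROP
    run iptables -I FORWARD 6 -i "$WAN_IF" -s "$LAN_NET" -j DROP
}

vpn_forward_rules
```

Two caveats. PPTP carries the tunnel in GRE (IP protocol 47), not only TCP 1723; the thread says the tunnel already comes up, so the INPUT side is not repeated here. And if the firewall script flushes and rebuilds its chains on restart, which is the usual behaviour for this style of script, rules inserted by hand disappear at that point and have to be reapplied after it runs.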
From: Baker, C. H. <cb...@nu...> - 2009-08-05 13:59:29

Is development on going? Who is/are the primary maintainer(s) and contributor(s) these days? The main site http://www.bastille-unix.org/index.html doesn't seem to have been updated in a while and I see the last rpm update was 25 September 2008.

Charles H. Baker
Unix Systems Administration
o. 864.331.7896
c. 864.990.1297
cb...@nu...

"Some of us learn from other people's mistakes and the rest of us have to be other people." -- Zig Ziglar, Author

This email and any attachments ("Message") may contain legally privileged and/or confidential information. If you are not the addressee, or if this Message has been addressed to you in error, you are not authorized to read, copy, or distribute it, and we ask that you please delete it (including all copies) and notify the sender by return email. Delivery of this Message to any person other than the intended recipient(s) shall not be deemed a waiver of confidentiality and/or a privilege.
From: Javier Fernandez-S. <jf...@co...> - 2009-03-06 14:44:54

2009/3/5 Bill Pechter <pe...@gm...>:
> There appears to be nothing in the API directory. HP-Specific.pm is missing
> etc.

I downloaded the source tar gz yesterday as well as the RPMs (3.2.1 if I'm not mistaken) and they looked fine. Both had the expected content in the Bastille/ directory, including API.pm and other modules. It does not seem to fully match the contents of the CVS repository however (which claims to be version '3.0.30'). In the Sourceforge page you can easily find the access to the CVS repository anyway.

Regards

Javier
From: Albert E. W. <ae...@AB...> - 2009-03-06 02:00:23

Bill Pechter wrote:
> There appears to be nothing in the API directory. HP-Specific.pm is
> missing etc.
>
> Is there an archived copy of an older version around or a cvs
> repository I could use to get something working.
>
> I wanted to demo to my management as part of coming up with an
> internal standard secure linux build/kickstart.
>
> Bill

Bill,

I have a few copies laying around. Is there something specific you are looking for?

--
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network and Systems Consultant
------------------------------------------------------------------------
ABS Computer Technology, Inc. <http://www.ABS-CompTech.com> - Email, Internet and Security Consultants
From: Bill P. <pe...@gm...> - 2009-03-05 21:50:48

There appears to be nothing in the API directory. HP-Specific.pm is missing etc.

Is there an archived copy of an older version around or a cvs repository I could use to get something working.

I wanted to demo to my management as part of coming up with an internal standard secure linux build/kickstart.

Bill

--
d|i|g|i|t|a|l had it THEN. Don't you wish you could still buy it now!
pechter-at-gmail.com
From: Rick M. <rma...@wo...> - 2008-10-20 11:24:55

There's also the small matter of certain agencies of the intelligence? community having easy access to Hotmail.

Rick

> [Bastille-linux-discuss] Vacation reply
> From: <mnixxon@ho...> - 2008-10-18 07:02
>
> Hi, I'm trying to migrate my email to a single account and Hotmail has become too big a pain and is not really user friendly
> Please send your message to my gmail account mnixxon@gm... and update your address book with the new address. I will maintain this account for a while but eventually, it's getting the axe.
> Thanks and sorry about the inconvenience of this matter. If Hotmail was designed a bit better the whole matter would be unnecessary.
> Mike Nixon
From: <mn...@ho...> - 2008-10-18 07:02:58

Hi, I'm trying to migrate my email to a single account and Hotmail has become too big a pain and is not really user friendly.

Please send your message to my gmail account mn...@gm... and update your address book with the new address. I will maintain this account for a while but eventually, it's getting the axe.

Thanks and sorry about the inconvenience of this matter. If Hotmail was designed a bit better the whole matter would be unnecessary.

Mike Nixon
From: Rick M. <rma...@wo...> - 2008-10-18 07:02:35

I have downloaded the package and when I go into a terminal window to install it, this happens:

  bash-3.2$ cd Bastille && ./Install-OSX.sh
  Placing Bastille-related files in appropriate places...
  ...
  Do not forget to get perl-Tk installed before running Bastille.
  mkdir: /usr/share/Bastille: Permission denied
  mkdir: /usr/lib/Bastille: Permission denied
  mkdir: /usr/share/Bastille: No such file or directory
  mkdir: /usr/share/Bastille: No such file or directory
  usage: cp [-R [-H | -L | -P]] [-fi | -n] [-pvX] source_file target_file
         cp [-R [-H | -L | -P]] [-fi | -n] [-pvX] source_file ... target_directory
  usage: cp [-R [-H | -L | -P]] [-fi | -n] [-pvX] source_file target_file
         cp [-R [-H | -L | -P]] [-fi | -n] [-pvX] source_file ... target_directory
  cp: /usr/sbin/bastille: Permission denied
  cp: /usr/sbin/RevertBastille: Permission denied
  cp: /usr/sbin/BastilleBackEnd: Permission denied
  cp: /usr/sbin/InteractiveBastille: Permission denied
  cp: /usr/sbin/Bastille: Permission denied
  usage: cp [-R [-H | -L | -P]] [-fi | -n] [-pvX] source_file target_file
         cp [-R [-H | -L | -P]] [-fi | -n] [-pvX] source_file ... target_directory
  usage: cp [-R [-H | -L | -P]] [-fi | -n] [-pvX] source_file target_file
         cp [-R [-H | -L | -P]] [-fi | -n] [-pvX] source_file ... target_directory
  cp: directory /usr/share/Bastille does not exist
  cp: directory /usr/share/Bastille does not exist
  cp: directory /usr/share/Bastille does not exist
  cp: /usr/share/Bastille: Permission denied
  cp: directory /usr/share/Bastille does not exist
  cp: directory /usr/share/Bastille does not exist
  cp: /usr/share/Bastille: Permission denied

If I click on the Install-OSX.sh file and then click Run, this happens:

  #!/bin/bash
  echo Placing Bastille-related files in appropriate places...
  echo ...
  echo Do not forget to get perl-Tk installed before running Bastille.
  mkdir /usr/share/Bastille /usr/lib/Bastille /usr/share/Bastille/Questions /usr/share/Bastille/OSMap
  cp Modules.txt {,in}complete.xbm /usr/share/Bastille/
  cp Bastille/*.pm Bastille_{Tk,Curses}.pm /usr/lib/Bastille/
  cp InteractiveBastille BastilleBackEnd RevertBastille bin/bastille /usr/sbin/
  cp bin/Bastille /usr/sbin/
  cp Questions/* /usr/share/Bastille/Questions/
  cp OSMap/* /usr/share/Bastille/OSMap
  cp Localizable.strings /usr/share/Bastille/
  cp StartupParameters.plist /usr/share/Bastille/
  # hosts.allow
  cp hosts.allow /usr/share/Bastille/
  # New Weights file(s).
  cp Weights.txt /usr/share/Bastille
  # Castle graphic
  cp bastille.jpg /usr/share/Bastille/
  # Javascript file
  cp wz_tooltip.js /usr/share/Bastille/
  cp Credits /usr/share/Bastille

Then when I go to /usr/bin/Bastille to run it, there is no Bastille folder or file in /usr/bin. I have tried starting in the top directory (Mac equiv of /) but this always happens.

Help!!

Thanks,
Rick
From: Michael R. <mb...@ci...> - 2008-07-18 03:48:54

On Jul 16, 2008, Michael St. Laurent wrote:
> Have you integrated this into your Bastille installation? Got a patch?

Although I don't use the bastille-netfilter script, I've attached a patch that uses the --random option in the iptables MASQUERADE target (I'm not sure when this was first available, but it's in iptables-1.4.1.1) for all outbound DNS queries. If you have a chance, please let me know if there are any issues. You may want to verify that the UDP source port for outbound DNS queries is truly randomized on your external interface.

Thanks,

--Mike

> -----Original Message-----
> From: bas...@li... [mailto:bas...@li...] On Behalf Of Michael Rash
> Sent: Tuesday, July 15, 2008 6:55 PM
> To: bas...@li...
> Subject: [Bastille-linux-discuss] DNS caching exploit defense with iptables
>
> Hi all -
>
> It's well known that Dan Kaminsky is going to present a significant
> development regarding a caching exploit against DNS at Blackhat this
> year. For anyone who has not patched their DNS servers, here is a
> strategy for adding a single iptables "SNAT --random" rule to mitigate
> the attack (for those DNS servers deployed on or behind a system running
> Linux):
>
> http://www.cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html
>
> --
> Michael Rash
> http://www.cipherdyne.org/
> Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
From: Michael R. <mb...@ci...> - 2008-07-16 01:54:51

Hi all -

It's well known that Dan Kaminsky is going to present a significant development regarding a caching exploit against DNS at Blackhat this year. For anyone who has not patched their DNS servers, here is a strategy for adding a single iptables "SNAT --random" rule to mitigate the attack (for those DNS servers deployed on or behind a system running Linux):

http://www.cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html

--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
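The mitigation in the two messages above (the SNAT rule in the blog post, the MASQUERADE --random patch in the follow-up) rests on one idea: a resolver that sends every query from the same, or a predictable, UDP source port gives a cache-poisoning attacker a 16-bit transaction ID to guess and nothing more; rewriting the source port randomly on the way out adds a second 16-bit value. The block below is an added example, not code from cipherdyne.org or from the patch. It prints the one nat rule and then does the check the follow-up recommends: given a tcpdump capture of outbound queries, it counts how many distinct source ports were used. The interface, the public address and the capture lines are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the cipherdyne post or the bastille-netfilter
# patch. Part 1 prints the nat rule that randomizes the source port of
# outbound DNS queries; part 2 checks a tcpdump capture for port spread.
# WAN_IF and WAN_IP are assumptions for the example.
WAN_IF=${WAN_IF:-eth0}
WAN_IP=${WAN_IP:-203.0.113.10}   # assumed public address on eth0

dns_snat_rule() {
    # Print the rule (pipe to sh as root to load it). --random makes the SNAT
    # target choose a random source port per mapping instead of keeping the
    # resolver's own, possibly fixed or sequential, port.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -p udp --dport 53 -j SNAT --to-source $WAN_IP --random"
}

# Constructed samples in the shape of 'tcpdump -n -i eth0 udp dst port 53'
# output: the first from a resolver pinned to one source port, the second
# after the SNAT rule above is in place.
fixed_port_capture='
12:00:01.000001 IP 203.0.113.10.32768 > 192.0.2.53.53: 1+ A? a.example. (27)
12:00:01.100001 IP 203.0.113.10.32768 > 192.0.2.53.53: 2+ A? b.example. (27)
12:00:01.200001 IP 203.0.113.10.32768 > 198.51.100.2.53: 3+ A? c.example. (27)
12:00:01.300001 IP 203.0.113.10.32768 > 192.0.2.53.53: 4+ A? d.example. (27)
'
random_port_capture='
12:00:02.000001 IP 203.0.113.10.41927 > 192.0.2.53.53: 1+ A? a.example. (27)
12:00:02.100001 IP 203.0.113.10.5113 > 192.0.2.53.53: 2+ A? b.example. (27)
12:00:02.200001 IP 203.0.113.10.60004 > 198.51.100.2.53: 3+ A? c.example. (27)
12:00:02.300001 IP 203.0.113.10.17788 > 192.0.2.53.53: 4+ A? d.example. (27)
'

# dns_src_port_spread CAPTURE_TEXT -> prints "<distinct source ports> <queries>"
dns_src_port_spread() {
    printf '%s\n' "$1" | awk '
        # Only lines of the form "... IP src.port > dst.53: ..." count.
        $2 == "IP" && $5 ~ /\.53:$/ {
            n = split($3, a, "."); port = a[n]   # last dotted field is the port
            total++
            if (!(port in seen)) { seen[port] = 1; distinct++ }
        }
        END { printf "%d %d\n", distinct, total }'
}

# dns_port_randomization_ok CAPTURE_TEXT -> true when every query in the
# sample used a different source port (the bar a short sample should clear).
dns_port_randomization_ok() {
    set -- $(dns_src_port_spread "$1")
    [ "$2" -gt 0 ] && [ "$1" -eq "$2" ]
}

dns_snat_rule
dns_src_port_spread "$fixed_port_capture"
dns_src_port_spread "$random_port_capture"
```

The rule mitigates but does not replace a patched resolver: it only helps for queries that leave through the NAT box, and the attacker still has a 32-bit guess space at best, so the long-term fix is the resolver-side patch the original post refers to. A real verification should run the port check over a few hundred queries captured on the external interface, not four.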
From: <mn...@ho...> - 2008-05-16 05:47:20

Hi, I'm trying to migrate my email to a single account and Hotmail has become too big a pain and is not really user friendly.

Please send your message to my gmail account mn...@gm... and update your address book with the new address. I will maintain this account for a while but eventually, it's getting the axe.

Thanks and sorry about the inconvenience of this matter. If Hotmail was designed a bit better the whole matter would be unnecessary.

Mike Nixon
From: Reza R. <rez...@gm...> - 2008-05-16 05:47:08

Michael: Yep, it is set to Y. Should it be N?

Albert: We are still having the issue where the system goes into a "unresponsive" state a couple times per day... during those 1-2 minute incidents we get monitoring alerts that the server is unreachable, mysql connections are dropped, http pages take a long time to load, and overall slow or null performance...

Another interesting tidbit is that I setup a script that attempts to connect to mysql every minute and output the result. When connecting via sql.datacolony.com or the external IP address we get those drops whenever an "incident" occurs... but when I use localhost, the issue does not occur at all.

I have investigated this with my webhost (replaced NIC card, settings changed to 100/full instead of auto-neg) and they also came to the conclusion that Bastille is causing the issue such that disabling the firewall completely corrects the issue. The server does not exhibit high network, cpu, memory or disk utilization during those incidents.

Thanks.
Reza
From: Albert E. W. <ae...@AB...> - 2008-05-15 19:26:24

I actually was working with Reza. I got the Bastille and PSAD re-configured for them. The problem is that they had SOO Many new additions to the Kernel modules, that I suspect that one of the tools which dynamicnet.net installed is misbehaving.

Without getting into the details, if Reza would like to get back in touch with me, I'd be happy to continue the process.

Best Regards,

Michael Rash wrote:
> On Mar 12, 2008, Reza Rizvi wrote:
>
>> Hi all.
>
> Hi Reza -
>
>> We had our web server hardened by the team at dynamicnet.net and they
>> used bastille and psad in the process.
>>
>> Ever since we had bastille firewall installed and configured on my
>> server we have been getting random MySQL connection errors.
>>
>> Everything runs pretty smoothly most of the time, we can carry lots of
>> apache/mysql connections without any issues, server has plenty of free
>> RAM and CPU is never overloaded even during peak hours. I have been
>> told bastille firewall (iptables) is configured correctly, all ports
>> that need to be open are open.
>>
>> But about twice per day we have a MySQL "disconnect" that lasts about
>> 30-60 seconds per incident. For example we will start getting the
>> following message via e-mail, and it will amount to 20-30 e-mails like
>> this during the 30-60 second incident. After that, the e-mails and
>> problems will go away, until next time. It's almost as if the port is
>> being shut down for a brief period and then opens back up.
>
> Do you have the ENABLE_AUTO_IDS variable set to "Y" in the
> /etc/psad/psad.conf file?
>
> Thanks,
>
> --
> Michael Rash
> http://www.cipherdyne.org/
> Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
>
>> -------
>> vBulletin Database Error!
>> mysql_connect(): Can't connect to MySQL server on 'sql.datacolony.com' (4)
>> /hsphere/local/home/site/site.com/forum/includes/class_core.php on line 274
>> MySQL Error :
>> Error Number :
>> Date : Saturday, January 26th 2008 @ 07:53:05 PM
>> Script : http://site.com/forum/forumdisplay.php?f=69
>> Referrer : http://site.com/forum/showthread.php?t=17518&page=19
>> IP Address : 92.3.190.54
>> Username :
>> Classname : vb_database
>> -------
>>
>> The server is running CentOS 4.6, PHP 4.4.7, MySQL 5.0.45. The
>> vBulletin software has been patched to the latest version. The
>> vBulletin people are not sure why this could be happening.
>>
>> Well we never believed that the firewall was causing the issue BUT it
>> only started happening on the day the new firewall was installed. So
>> we tried stopping the firewall for a full week and the MySQL database
>> errors stopped happening, completely. So I'm convinced the problem is
>> the firewall blocking MySQL connections but I can't figure out why?
>>
>> Also I recently setup a test script to try and connect to a separate
>> MySQL database every minute. Every time we have an "incident" as
>> mentioned above we get a corresponding entry in the test script:
>> 2008-03-05 21:48:01 Connection failed. Reason: "Can't connect to
>> MySQL server on 'sql.datacolony.com' (110)"
>>
>> There are no entries in the MySQL .err logs pertaining to this. Can't
>> figure this out, any help or ideas is appreciated since the people who
>> installed the firewall are not sure either.
>>
>> Thanks.
>> Reza

--
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant
------------------------------------------------------------------------
ABS Computer Technology, Inc. <http://www.ABS-CompTech.com> - Email, Internet and Security Consultants
SPAMZapper <http://www.Spam-Zapper.com> - No-JunkMail.com <http://www.No-JunkMail.com> - *True Spam Elimination*.
From: Michael R. <mb...@ci...> - 2008-05-15 15:40:41

On Mar 12, 2008, Reza Rizvi wrote:

> Hi all.

Hi Reza -

> We had our web server hardened by the team at dynamicnet.net and they
> used bastille and psad in the process.
>
> Ever since we had bastille firewall installed and configured on my
> server we have been getting random MySQL connection errors.
>
> Everything runs pretty smoothly most of the time, we can carry lots of
> apache/mysql connections without any issues, server has plenty of free
> RAM and CPU is never overloaded even during peak hours. I have been
> told bastille firewall (iptables) is configured correctly, all ports
> that need to be open are open.
>
> But about twice per day we have a MySQL "disconnect" that lasts about
> 30-60 seconds per incident. For example we will start getting the
> following message via e-mail, and it will amount to 20-30 e-mails like
> this during the 30-60 second incident. After that, the e-mails and
> problems will go away, until next time. It's almost as if the port is
> being shut down for a brief period and then opens back up.

Do you have the ENABLE_AUTO_IDS variable set to "Y" in the
/etc/psad/psad.conf file?

Thanks,

--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F

> -------
> vBulletin Database Error!
> mysql_connect(): Can't connect to MySQL server on 'sql.datacolony.com' (4)
> /hsphere/local/home/site/site.com/forum/includes/class_core.php on line 274
> MySQL Error :
> Error Number :
> Date : Saturday, January 26th 2008 @ 07:53:05 PM
> Script : http://site.com/forum/forumdisplay.php?f=69
> Referrer : http://site.com/forum/showthread.php?t=17518&page=19
> IP Address : 92.3.190.54
> Username :
> Classname : vb_database
> -------
>
> The server is running CentOS 4.6, PHP 4.4.7, MySQL 5.0.45. The
> vBulletin software has been patched to the latest version. The
> vBulletin people are not sure why this could be happening.
>
> Well we never believed that the firewall was causing the issue BUT it
> only started happening on the day the new firewall was installed. So
> we tried stopping the firewall for a full week and the MySQL database
> errors stopped happening, completely. So I'm convinced the problem is
> the firewall blocking MySQL connections but I can't figure out why?
>
> Also I recently setup a test script to try and connect to a separate
> MySQL database every minute. Every time we have an "incident" as
> mentioned above we get a corresponding entry in the test script:
> 2008-03-05 21:48:01 Connection failed. Reason: "Can't connect to
> MySQL server on 'sql.datacolony.com' (110)"
>
> There are no entries in the MySQL .err logs pertaining to this. Can't
> figure this out, any help or ideas is appreciated since the people who
> installed the firewall are not sure either.
>
> Thanks.
> Reza
From: Albert E. W. <ae...@AB...> - 2008-05-15 15:21:23

That is the line from /etc/redhat-release; apparently the latest Bastille is not ready for this release? The API.pm module includes the following:

    elsif ( -e "/etc/redhat-release" ) {
        open(*REDHAT_RELEASE,"/etc/redhat-release");
        $release=<REDHAT_RELEASE>;
        if ($release =~ /^Red Hat Linux release (\d+\.?\d*\w*)/) {
            $distro="RH$1";
        }
        elsif ($release =~ /^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)/) {
            $distro="RHEL$1$2";
        }
        elsif ($release =~ /^Red Hat Enterprise Linux ([AEW]S) release (\d+)/) {
            $distro="RHEL$2$1";
        }
        # a release line matching none of the three patterns falls through
        # to the "Setting to 9!" default reported below

But this release is falling through the cracks to:

    ERROR: Couldn't determine Red Hat version! Setting to 9!

--
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant
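As an added illustration (not Bastille's own code), the three patterns quoted above re-implemented in Python so that a release string can be checked offline before Bastille is run on a box. The sample release lines are constructed from well-known /etc/redhat-release formats, and the fallback tag RH9 is an assumption read off the "Setting to 9!" message, not something the excerpt shows.

```python
import re

# The three patterns API.pm tries, in the same order, against the first line
# of /etc/redhat-release. Each entry pairs the regex with the $distro tag the
# Perl code builds from its capture groups.
REDHAT_RELEASE_PATTERNS = (
    # "Red Hat Linux release 7.3 (Valhalla)"                     -> RH7.3
    (re.compile(r"^Red Hat Linux release (\d+\.?\d*\w*)"),
     lambda m: "RH" + m.group(1)),
    # "Red Hat Linux Advanced Server release 2.1AS (Pensacola)"  -> RHEL2AS
    (re.compile(r"^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)"),
     lambda m: "RHEL" + m.group(1) + m.group(2)),
    # "Red Hat Enterprise Linux AS release 4 (Nahant Update 6)"  -> RHEL4AS
    (re.compile(r"^Red Hat Enterprise Linux ([AEW]S) release (\d+)"),
     lambda m: "RHEL" + m.group(2) + m.group(1)),
)

# Assumed: the "Setting to 9!" default corresponds to the RH9 tag.
FALLBACK_DISTRO = "RH9"


def detect_redhat_distro(release_line):
    """Return (distro_tag, matched) for one /etc/redhat-release line.

    matched is False when no pattern fits and the fallback tag is used, which
    is the path that prints "ERROR: Couldn't determine Red Hat version!".
    """
    for pattern, build_tag in REDHAT_RELEASE_PATTERNS:
        m = pattern.match(release_line)
        if m:
            return build_tag(m), True
    return FALLBACK_DISTRO, False


def audit_release_strings(release_lines):
    """Classify a batch of release strings; useful for checking every release
    you intend to harden against the patterns before rolling Bastille out."""
    report = {}
    for line in release_lines:
        tag, matched = detect_redhat_distro(line.rstrip("\n"))
        report[line] = tag if matched else "FALLTHROUGH -> " + tag
    return report


if __name__ == "__main__":
    # Constructed samples modelled on real /etc/redhat-release formats.
    samples = [
        "Red Hat Linux release 9 (Shrike)",
        "Red Hat Linux Advanced Server release 2.1AS (Pensacola)",
        "Red Hat Enterprise Linux AS release 4 (Nahant Update 6)",
        "Red Hat Enterprise Linux Server release 5.1 (Tikanga)",
        "CentOS release 4.6 (Final)",
    ]
    for line, result in audit_release_strings(samples).items():
        print("%-58s %s" % (line, result))
```

The RHEL 5 "Server" wording and any CentOS line fall through because neither contains the AS/ES/WS token the second and third patterns insist on.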
From: Albert E. W. <ae...@AB...> - 2008-05-15 14:29:16

Jay, if you read this email, I would like to discuss what is going on with your domain for email hosting. There are issues which I need your assistance with.

Best Regards,

--
Albert E. Whale, CHS CISA CISSP
Sr. Security, Network, Risk Assessment and Systems Consultant
From: Reza R. <rez...@gm...> - 2008-03-12 15:18:28

Hi all.

We had our web server hardened by the team at dynamicnet.net and they used bastille and psad in the process.

Ever since we had bastille firewall installed and configured on my server we have been getting random MySQL connection errors.

Everything runs pretty smoothly most of the time, we can carry lots of apache/mysql connections without any issues, server has plenty of free RAM and CPU is never overloaded even during peak hours. I have been told bastille firewall (iptables) is configured correctly, all ports that need to be open are open.

But about twice per day we have a MySQL "disconnect" that lasts about 30-60 seconds per incident. For example we will start getting the following message via e-mail, and it will amount to 20-30 e-mails like this during the 30-60 second incident. After that, the e-mails and problems will go away, until next time. It's almost as if the port is being shut down for a brief period and then opens back up.

    -------
    vBulletin Database Error!
    mysql_connect(): Can't connect to MySQL server on 'sql.datacolony.com' (4)
    /hsphere/local/home/site/site.com/forum/includes/class_core.php on line 274
    MySQL Error :
    Error Number :
    Date : Saturday, January 26th 2008 @ 07:53:05 PM
    Script : http://site.com/forum/forumdisplay.php?f=69
    Referrer : http://site.com/forum/showthread.php?t=17518&page=19
    IP Address : 92.3.190.54
    Username :
    Classname : vb_database
    -------

The server is running CentOS 4.6, PHP 4.4.7, MySQL 5.0.45. The vBulletin software has been patched to the latest version. The vBulletin people are not sure why this could be happening.

Well we never believed that the firewall was causing the issue BUT it only started happening on the day the new firewall was installed. So we tried stopping the firewall for a full week and the MySQL database errors stopped happening, completely. So I'm convinced the problem is the firewall blocking MySQL connections but I can't figure out why?

Also I recently set up a test script to try and connect to a separate MySQL database every minute. Every time we have an "incident" as mentioned above we get a corresponding entry in the test script:

    2008-03-05 21:48:01 Connection failed. Reason: "Can't connect to MySQL server on 'sql.datacolony.com' (110)"

There are no entries in the MySQL .err logs pertaining to this. Can't figure this out; any help or ideas are appreciated since the people who installed the firewall are not sure either.

Thanks.
Reza
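An added example (not from the thread, from psad or from Bastille) that turns the two diagnostics in this exchange into code: it parses a probe log in the format Reza posted, groups failures into incidents and reads the errno the client appended, and checks psad.conf text for the ENABLE_AUTO_IDS setting Michael Rash asks about. The log lines and the psad.conf excerpt are constructed; the "KEY   value;" line layout of psad.conf is an assumption.

```python
import re
from datetime import datetime, timedelta

# Linux errno values behind the "(4)" and "(110)" in the MySQL client messages.
EINTR, ETIMEDOUT, ECONNREFUSED = 4, 110, 111

# One failure line of the once-a-minute probe log, in the format posted above.
PROBE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Connection failed\. "
    r'Reason: ".*\((\d+)\)"$'
)

# Constructed sample log (not the real one): two consecutive failed probes,
# a success, then a second incident the next morning.
SAMPLE_PROBE_LOG = [
    "2008-03-05 21:48:01 Connection failed. Reason: \"Can't connect to MySQL server on 'sql.datacolony.com' (110)\"",
    "2008-03-05 21:49:01 Connection failed. Reason: \"Can't connect to MySQL server on 'sql.datacolony.com' (110)\"",
    "2008-03-05 21:50:01 Connection OK",
    "2008-03-06 09:13:01 Connection failed. Reason: \"Can't connect to MySQL server on 'sql.datacolony.com' (4)\"",
]

# Constructed psad.conf excerpt; assumes one "KEY   value;" per line.
SAMPLE_PSAD_CONF = """### psad.conf (constructed excerpt)
HOSTNAME                    _CHANGEME_;
ENABLE_AUTO_IDS             Y;    # psad inserts blocking rules on its own
"""


def classify_errno(code):
    """Read the errno the client appended: a SYN silently DROPped surfaces as
    ETIMEDOUT (110); a closed or REJECTed port as ECONNREFUSED (111); EINTR (4)
    is a signal (typically the client's connect-timeout alarm) cutting connect()
    short, so again no reply arrived."""
    if code == ETIMEDOUT:
        return "timeout: packets dropped, consistent with a firewall DROP"
    if code == ECONNREFUSED:
        return "refused: port closed or REJECTed, look at mysqld itself"
    if code == EINTR:
        return "interrupted: client-side timeout, same symptom as a drop"
    return "other errno %d" % code


def parse_probe_log(lines):
    """Return [(timestamp, errno)] for every failure line of the probe log."""
    events = []
    for line in lines:
        m = PROBE_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, int(m.group(2))))
    return events


def cluster_incidents(events, gap=timedelta(minutes=2)):
    """Group failures no more than `gap` apart into (start, end, [errnos]), so
    the incident count and duration can be lined up against the firewall's
    own block/unblock records instead of 20-30 vBulletin e-mails."""
    incidents = []
    for ts, code in sorted(events):
        if incidents and ts - incidents[-1][1] <= gap:
            start, _, codes = incidents[-1]
            incidents[-1] = (start, ts, codes + [code])
        else:
            incidents.append((ts, ts, [code]))
    return incidents


def psad_auto_ids_enabled(conf_text):
    """True when ENABLE_AUTO_IDS is Y in psad.conf text, the setting asked about
    above; comments (#) and the trailing ';' are ignored."""
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].strip().rstrip(";").split(None, 1)
        if len(parts) == 2 and parts[0] == "ENABLE_AUTO_IDS":
            return parts[1].strip().upper() == "Y"
    return False
```

With auto IDS on, a period during which probes time out, rather than get refused, points at a rule blocking traffic rather than at mysqld, which is the distinction the week-long firewall-off test established by other means.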
From: Harm V. H. <har...@fu...> - 2008-02-11 12:13:04

I tried, for the first time, Bastille on a SLES10SP1 ia64. I pulled the latest from CVS, installed it and ran the conf dialogs. I got an error when activating the conf: even when defining the port for apache, B_service_restart stays undefined. When changing B_service_restart to Bastille::API::B_service_restart, it seems to work, but I think that is not the correct solution. Please help.

    # bastille -b
    NOTE: Entering Critical Code Execution.
          Bastille has disabled keyboard interrupts.
    NOTE: Bastille is scanning the system configuration...
    ERROR: Bastille tried to use $GLOBAL_FILE{'cron.deny'} but it does not exist.
    NOTE: Bastille is now locking down your system in accordance with your
          answers in /etc/Bastille/config. Please be patient as some modules
          may take a number of minutes, depending on the speed of your machine.
    NOTE: Executing Firewall Specific Configuration
    NOTE: Executing File Permissions Specific Configuration
    NOTE: Executing Daemon Specific Configuration
    NOTE: Executing Account Security Specific Configuration
    NOTE: Executing Boot Security Specific Configuration
    NOTE: Executing Inetd Specific Configuration
    NOTE: Executing PAM Specific Configuration
    NOTE: Executing Logging Specific Configuration
    NOTE: Executing Apache Specific Configuration
    ERROR: Binding Apache to a particular IP address: no port specified, defaulting to :80
    Undefined subroutine &Bastille::Apache::B_service_restart called at /usr/lib/Bastille/Apache.pm line 179, <FILE> line 3446.
    Compilation failed in require at /usr/sbin/BastilleBackEnd line 264, <FILE> line 3446.
From: Charles E. <kr...@ma...> - 2007-11-01 15:37:59

Anyone testing with Leopard?

CE

On Oct 31, 2007, at 3:56 PM, Debora Velarde wrote:

> Is Jay the only person that is able to merge these patches and
> release a new snapshot? Does anyone else have write access to the
> Bastille development tree?
>
> Thanks,
> debora
>
> bas...@li... wrote on 10/31/2007 02:07:28 PM:
>
>> Hi Dave,
>>
>> I would like to point you to this tracker item, where I have put the
>> patches from Debora together and included some own patches for a
>> SLES10-aware version of bastille-linux:
>>
>> [http://sourceforge.net/tracker/index.php?func=detail&aid=1768787&group_id=403&atid=100403]
>>
>> Greetz from Germany,
>> Andy Schiller
>>
>> On Wednesday, 31 October 2007, Sorenson, David wrote:
>>> Update - I think I got it working!
>>>
>>> Turns out the IOLoader.pm when it does the prune is using a local
>>> variable to handle the changing of the $first_question value.
>>> Since it doesn't return that value in any way, the $first_question
>>> never changes along the way, and so it tries to run a question
>>> that's been pruned, sending the initializeGUI into the loop.
>>>
>>> I changed the calls to skipQuestion to skipQuestion($first_question,
>>> $key) and then changed skipQuestion so that it would return the
>>> current/updated $first_question.
>>>
>>> I'd send a patch for the three changes I made, but I'm not sure how
>>> best to do that. If somebody wants to point me in the right direction,
>>> I'd be happy to.
>>>
>>> -Dave Sorenson
>>> Sr. Web Administrator
>>> PGDS US One
>>> Jackson National Life Insurance
>>>
>>> ________________________________
>>>
>>> From: Sorenson, David
>>> Sent: Wednesday, October 31, 2007 3:04 PM
>>> To: 'bas...@li...'
>>> Subject: SLES10 issues
>>>
>>> Greetings!
>>>
>>> This is my first mailing, but I've used Bastille in the past, mainly
>>> on SLES8/9 and Red Hat servers.
>>>
>>> We're setting up a SLES10 farm, and would like to use Bastille as
>>> part of our server hardening routine, but I've had some issues
>>> getting it to work.
>>>
>>> First, I grabbed a working branch copy of the source from CVS,
>>> applied the patches 1-12 from this mailing list, and I couldn't get
>>> it to work. With debug turned on, it appeared that only three items
>>> were making it past the question pruning, and then it was getting
>>> into an infinite loop (using the Tk interface).
>>>
>>> So, I did a little digging and poking, and came up with the
>>> following change to Bastille/IOLoader.pm:
>>>
>>> Line 919 needed to be:
>>>
>>>     $supported_versions = 'SESLES8 SESLES9 SESLES10';
>>>
>>> This caused it to get much farther and error out in the tests, which
>>> caused this change to Bastille/test_AccountSecurity.pm:
>>>
>>> Line 155 needed to be:
>>>
>>>     $GLOBAL_TEST{'AccountSecurity'}{'passwdage'} = \&test_passwdage;
>>>
>>> At which point, it continued to run again, and went back to the
>>> infinite loop. The question list seems to have quite a few items in
>>> it when I turn debug on, but it's still hanging during the
>>> initializeGUI phase.
>>>
>>> I've attached a copy of the debug output, any help would be
>>> appreciated!
>>>
>>> Thanks!
>>>
>>> -Dave Sorenson
>>> Sr. Web Administrator
>>> PGDS US One
>>> Jackson National Life Insurance

Charles Edge
kr...@ma...
PGP Fingerprint: B199 ECC5 B90D 02FC E4DE 4E4F 4B96 9DBC E0F7 BEE8
From: Debora V. <dve...@us...> - 2007-10-31 22:57:45

Is Jay the only person that is able to merge these patches and release a new snapshot? Does anyone else have write access to the Bastille development tree?

Thanks,
debora

bas...@li... wrote on 10/31/2007 02:07:28 PM:

> Hi Dave,
>
> I would like to point you to this tracker item, where I have put the patches
> from Debora together and included some own patches for a SLES10-aware version
> of bastille-linux:
>
> [http://sourceforge.net/tracker/index.php?func=detail&aid=1768787&group_id=403&atid=100403]
>
> Greetz from Germany,
> Andy Schiller
>
> On Wednesday, 31 October 2007, Sorenson, David wrote:
> > Update - I think I got it working!
> >
> > Turns out the IOLoader.pm when it does the prune is using a local
> > variable to handle the changing of the $first_question value. Since it
> > doesn't return that value in any way, the $first_question never changes
> > along the way, and so it tries to run a question that's been pruned,
> > sending the initializeGUI into the loop.
> >
> > I changed the calls to skipQuestion to skipQuestion($first_question,
> > $key) and then changed skipQuestion so that it would return the
> > current/updated $first_question.
> >
> > I'd send a patch for the three changes I made, but I'm not sure how best
> > to do that. If somebody wants to point me in the right direction, I'd be
> > happy to.
> >
> > -Dave Sorenson
> > Sr. Web Administrator
> > PGDS US One
> > Jackson National Life Insurance
> >
> > ________________________________
> >
> > From: Sorenson, David
> > Sent: Wednesday, October 31, 2007 3:04 PM
> > To: 'bas...@li...'
> > Subject: SLES10 issues
> >
> > Greetings!
> >
> > This is my first mailing, but I've used Bastille in the past, mainly on
> > SLES8/9 and Red Hat servers.
> >
> > We're setting up a SLES10 farm, and would like to use Bastille as part
> > of our server hardening routine, but I've had some issues getting it to
> > work.
> >
> > First, I grabbed a working branch copy of the source from CVS, applied
> > the patches 1-12 from this mailing list, and I couldn't get it to work.
> > With debug turned on, it appeared that only three items were making it
> > past the question pruning, and then it was getting into an infinite loop
> > (using the Tk interface).
> >
> > So, I did a little digging and poking, and came up with the following
> > change to Bastille/IOLoader.pm:
> >
> > Line 919 needed to be:
> >
> >     $supported_versions = 'SESLES8 SESLES9 SESLES10';
> >
> > This caused it to get much farther and error out in the tests, which
> > caused this change to Bastille/test_AccountSecurity.pm:
> >
> > Line 155 needed to be:
> >
> >     $GLOBAL_TEST{'AccountSecurity'}{'passwdage'} = \&test_passwdage;
> >
> > At which point, it continued to run again, and went back to the infinite
> > loop. The question list seems to have quite a few items in it when I
> > turn debug on, but it's still hanging during the initializeGUI phase.
> >
> > I've attached a copy of the debug output, any help would be appreciated!
> >
> > Thanks!
> >
> > -Dave Sorenson
> > Sr. Web Administrator
> > PGDS US One
> > Jackson National Life Insurance
From: Andreas S. <as...@as...> - 2007-10-31 21:07:34

Hi Dave,

I would like to point you to this tracker item, where I have put the patches from Debora together and included some own patches for a SLES10-aware version of bastille-linux:

[http://sourceforge.net/tracker/index.php?func=detail&aid=1768787&group_id=403&atid=100403]

Greetz from Germany,
Andy Schiller

On Wednesday, 31 October 2007, Sorenson, David wrote:
> Update - I think I got it working!
>
> Turns out the IOLoader.pm when it does the prune is using a local
> variable to handle the changing of the $first_question value. Since it
> doesn't return that value in any way, the $first_question never changes
> along the way, and so it tries to run a question that's been pruned,
> sending the initializeGUI into the loop.
>
> I changed the calls to skipQuestion to skipQuestion($first_question,
> $key) and then changed skipQuestion so that it would return the
> current/updated $first_question.
>
> I'd send a patch for the three changes I made, but I'm not sure how best
> to do that. If somebody wants to point me in the right direction, I'd be
> happy to.
>
> -Dave Sorenson
> Sr. Web Administrator
> PGDS US One
> Jackson National Life Insurance
>
> ________________________________
>
> From: Sorenson, David
> Sent: Wednesday, October 31, 2007 3:04 PM
> To: 'bas...@li...'
> Subject: SLES10 issues
>
> Greetings!
>
> This is my first mailing, but I've used Bastille in the past, mainly on
> SLES8/9 and Red Hat servers.
>
> We're setting up a SLES10 farm, and would like to use Bastille as part
> of our server hardening routine, but I've had some issues getting it to
> work.
>
> First, I grabbed a working branch copy of the source from CVS, applied
> the patches 1-12 from this mailing list, and I couldn't get it to work.
> With debug turned on, it appeared that only three items were making it
> past the question pruning, and then it was getting into an infinite loop
> (using the Tk interface).
>
> So, I did a little digging and poking, and came up with the following
> change to Bastille/IOLoader.pm:
>
> Line 919 needed to be:
>
>     $supported_versions = 'SESLES8 SESLES9 SESLES10';
>
> This caused it to get much farther and error out in the tests, which
> caused this change to Bastille/test_AccountSecurity.pm:
>
> Line 155 needed to be:
>
>     $GLOBAL_TEST{'AccountSecurity'}{'passwdage'} = \&test_passwdage;
>
> At which point, it continued to run again, and went back to the infinite
> loop. The question list seems to have quite a few items in it when I
> turn debug on, but it's still hanging during the initializeGUI phase.
>
> I've attached a copy of the debug output, any help would be appreciated!
>
> Thanks!
>
> -Dave Sorenson
> Sr. Web Administrator
> PGDS US One
> Jackson National Life Insurance
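A simplified Python model, added here and not Bastille's Perl or Dave's patch, of the pruning defect his message (quoted in the three posts above) describes. The Question class, the chain of next pointers, the prune loop and the GUI walk are hypothetical stand-ins for IOLoader.pm; only the shape of the bug follows the thread: a skip routine that reassigns a local copy of the first question and returns nothing, so the caller starts the GUI at a question that has just been pruned. The question keys are constructed.

```python
# Hypothetical stand-in for Bastille's question chain; the real IOLoader.pm
# data structures are not shown in the thread, only the defect.
class Question:
    def __init__(self, key, applies, next_key=None):
        self.key = key
        self.applies = applies      # False: not relevant here, prune it
        self.next_key = next_key    # key of the following question, or None
        self.pruned = False


def build_chain(specs):
    """specs is [(key, applies), ...] in display order; returns (questions, first_key)."""
    questions = {}
    for i, (key, applies) in enumerate(specs):
        next_key = specs[i + 1][0] if i + 1 < len(specs) else None
        questions[key] = Question(key, applies, next_key)
    return questions, specs[0][0]


def _unlink(questions, key):
    """Take `key` out of the chain (re-point its predecessor) and mark it pruned."""
    target = questions[key]
    for q in questions.values():
        if q.next_key == key:
            q.next_key = target.next_key
    target.pruned = True


def skip_question_buggy(questions, first_question, key):
    """Shape of the original bug: first_question is a local, it is reassigned
    here and never returned, so the caller keeps the stale head."""
    _unlink(questions, key)
    if key == first_question:
        first_question = questions[key].next_key   # update lost on return


def skip_question_fixed(questions, first_question, key):
    """Dave's fix in spirit: same routine, but the updated head is returned."""
    _unlink(questions, key)
    if key == first_question:
        first_question = questions[key].next_key
    return first_question


def prune_buggy(questions, first_question):
    """Original call pattern: the skip routine's effect on the head is discarded."""
    for key in list(questions):
        if not questions[key].applies:
            skip_question_buggy(questions, first_question, key)
    return first_question


def prune_fixed(questions, first_question):
    """Fixed call pattern: skipQuestion($first_question, $key) and adopt the result."""
    for key in list(questions):
        if not questions[key].applies:
            first_question = skip_question_fixed(questions, first_question, key)
    return first_question


def walk_gui(questions, first_question, limit=50):
    """Model of initializeGUI: follow the chain from the head. Landing on a
    pruned question is the hang the thread describes; report it instead of looping."""
    visited, key = [], first_question
    while key is not None and len(visited) < limit:
        q = questions[key]
        if q.pruned:
            return visited, "stuck: head %s was pruned but never replaced" % key
        visited.append(key)
        key = q.next_key
    return visited, "ok"


def run(specs, prune):
    """Build the chain, prune with the given strategy, walk it; returns (visited, status)."""
    questions, first = build_chain(specs)
    return walk_gui(questions, prune(questions, first))
```

The failure only shows when the very first question is the one pruned; pruning a middle question works with either version, which is why the bug could hide behind a release-specific question list.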