Re: [Bastille-linux-discuss] routing daemons
This tool locks down Linux and UNIX systems.
Brought to you by:
jay
Menu
▾
▴
Re: [Bastille-linux-discuss] routing daemons
|
From: Sweth C. <bas...@as...> - 2002-04-25 14:06:26
|
On Thu, Apr 25, 2002 at 09:47:33AM -0400, BUCK,KEITH (HP-FtCollins,ex1) wrote:
> Can anyone tell me what this is supposed to do? (not what it does
> do; I can read the code myself)
>
> Basically, the way I read it, it disables gated no matter what you
> answered in the questions.
>
> The applicable questions read:
>
> "Unless this machine is serving as a router, you should turn off
> the routing daemons (routed and gated)."
>
> <so we should turn off both, right>
>
> if no, then:
> "You've chosen for this machine to act as a router. In that case,
> we recommend using only the gated daemon, which is more secure than the
> routed daemon."
>
> <so if they answer "N", what behavior do you expect?>
Just to clarify, the actual questions are:
$ perl -ne '(/LABEL: routing/../QUESTION/)&&/QUESTION/and print' Questions.txt
QUESTION: "Would you like to deactivate the routing daemons? [Y]"
$ perl -ne '(/LABEL: gated/../QUESTION/)&&/QUESTION/and print' Questions.txt
QUESTION: "Would you like to use gated instead of routed? [Y]"
. So I think what's intended below is that, if the person
has answered N to "routing" and N to "gated", then they have elected to
have some sort of routing enabled, and to not have that routing be gated;
therefore, gated should be shut off, as it is here:
> Here's the code:
>
> sub DeactivateRoutingDaemons {
>
> # Disable gated if they're not running a router... Otherwise, disable
> # either gated or routed.
>
> &ActionLog("# sub DeactivateRoutingDaemons\n");
>
> if (&getGlobalConfig("MiscellaneousDaemons","routing") eq "Y") {
> &B_chkconfig_off ("gated");
> &B_chkconfig_off ("routed");
> }
> elsif (&getGlobalConfig("MiscellaneousDaemons","gated") eq "Y") {
> &B_chkconfig_off ("routed");
> }
> else {
> &B_chkconfig_off ("gated");
> }
. The way the questions are phrased, I think it would
also make sense to have Bastille make sure that routed/gated are enabled
after disabling the unwanted one, but I don't like the idea of Bastille
enabling non-security-related services. Maybe we can clarify by changing
the LONG_EXP to indicate that answering Y for the "gated" question will
disable routed, but that it is the admin's responsibility to enable
gated if necessary, and that, similarly, answering N will disable gated,
but the admin will still need to enable routed manually if so desired.
-- Sweth.
--
Sweth Chandramouli Idiopathic Systems Consulting
sv...@id... http://www.idiopathic.net/
|