Re: [Bastille-linux-discuss] routing daemons
From: Sweth C. <bas...@as...> - 2002-04-25 14:06:26
On Thu, Apr 25, 2002 at 09:47:33AM -0400, BUCK,KEITH (HP-FtCollins,ex1) wrote:
> Can anyone tell me what this is supposed to do? (not what it does
> do; I can read the code myself)
>
> Basically, the way I read it, it disables gated no matter what you
> answered in the questions.
>
> The applicable questions read:
>
> "Unless this machine is serving as a router, you should turn off
> the routing daemons (routed and gated)."
>
> <so we should turn off both, right>
>
> if no, then:
> "You've chosen for this machine to act as a router. In that case,
> we recommend using only the gated daemon, which is more secure than the
> routed daemon."
>
> <so if they answer "N", what behavior do you expect?>

Just to clarify, the actual questions are:

$ perl -ne '(/LABEL: routing/../QUESTION/)&&/QUESTION/and print' Questions.txt
QUESTION: "Would you like to deactivate the routing daemons? [Y]"
$ perl -ne '(/LABEL: gated/../QUESTION/)&&/QUESTION/and print' Questions.txt
QUESTION: "Would you like to use gated instead of routed? [Y]"

So I think what's intended below is that, if the person has answered
N to "routing" and N to "gated", then they have elected to have some
sort of routing enabled, and to not have that routing be gated;
therefore, gated should be shut off, as it is here:

> Here's the code:
>
> sub DeactivateRoutingDaemons {
>
>     # Disable gated if they're not running a router... Otherwise, disable
>     # either gated or routed.
>
>     &ActionLog("# sub DeactivateRoutingDaemons\n");
>
>     if (&getGlobalConfig("MiscellaneousDaemons","routing") eq "Y") {
>         &B_chkconfig_off ("gated");
>         &B_chkconfig_off ("routed");
>     }
>     elsif (&getGlobalConfig("MiscellaneousDaemons","gated") eq "Y") {
>         &B_chkconfig_off ("routed");
>     }
>     else {
>         &B_chkconfig_off ("gated");
>     }

The way the questions are phrased, I think it would also make sense
to have Bastille make sure that routed/gated are enabled after disabling
the unwanted one, but I don't like the idea of Bastille enabling
non-security-related services. Maybe we can clarify by changing the
LONG_EXP to indicate that answering Y for the "gated" question will
disable routed, but that it is the admin's responsibility to enable
gated if necessary, and that, similarly, answering N will disable gated,
but the admin will still need to enable routed manually if so desired.

-- Sweth.

--
Sweth Chandramouli
Idiopathic Systems Consulting
sv...@id...
http://www.idiopathic.net/
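
Added example (not part of the original message and not Bastille's own code): the quoted three-way branch run over all four answer combinations, showing which daemon gets disabled and which is only left untouched, never enabled. get_answer() and chkconfig_off() are hypothetical stand-ins for getGlobalConfig() and B_chkconfig_off().

```perl
#!/usr/bin/perl
# Stand-alone model of the quoted DeactivateRoutingDaemons branch.
# get_answer() and chkconfig_off() are hypothetical stand-ins for Bastille's
# getGlobalConfig() and B_chkconfig_off(); nothing here touches real services.
use strict;
use warnings;

my (%answers, @disabled);

sub get_answer    { my ($module, $key) = @_; return $answers{$key}; }
sub chkconfig_off { my ($service) = @_; push @disabled, $service; }

# Same three-way branch as the quoted sub.
sub deactivate_routing_daemons {
    if (get_answer('MiscellaneousDaemons', 'routing') eq 'Y') {
        chkconfig_off('gated');
        chkconfig_off('routed');
    }
    elsif (get_answer('MiscellaneousDaemons', 'gated') eq 'Y') {
        chkconfig_off('routed');
    }
    else {
        chkconfig_off('gated');
    }
}

# Walk every answer combination and report what is switched off, and which
# daemon is merely left in its current state for the admin to enable by hand.
printf "%-8s %-6s %-14s %s\n",
    'routing', 'gated', 'disabled', 'left as-is (admin enables if wanted)';
for my $routing (qw(Y N)) {
    for my $gated (qw(Y N)) {
        %answers  = (routing => $routing, gated => $gated);
        @disabled = ();
        deactivate_routing_daemons();
        my %off  = map { $_ => 1 } @disabled;
        my @left = grep { !$off{$_} } qw(gated routed);
        printf "%-8s %-6s %-14s %s\n", $routing, $gated,
            join(',', @disabled), (@left ? join(',', @left) : '-');
    }
}
```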