
bastille problems ???



I have installed bastille, via dselect, woody 3.0

I had a couple of problems, so I installed a .deb file from the bastillion website 
instead. Same problems!!! So I returned to woody's DVD copy...

Once installed AutomatedBastille gives

test@debian:~$ su
Password:
debian:/home/test# AutomatedBastille
Can't locate Curses/Widgets.pm in @INC (@INC contains: 
/usr/local/lib/perl/5.6.1 /usr/local/share/perl/5.6.1 /usr/lib/perl5 
/usr/share/perl5 /usr/lib/perl/5.6.1 /usr/share/perl/5.6.1 
/usr/local/lib/site_perl .) at /usr/sbin/AutomatedBastille line 78.
BEGIN failed--compilation aborted at /usr/sbin/AutomatedBastille line 78.
debian:/home/test#


InteractiveBastille, and I know this is the preferred option, appears to work 
AOK, but when I try to apply the rules I get ...


test@debian:~$ su
Password:
debian:/home/test# bastille -b
Entering Critical Code Execution.
Bastille has disabled keyboard interrupts.\n\n
Executing Firewall Specific Configuration
Executing File Permissions Specific Configuration
Executing Account Security Specific Configuration
Executing Boot Security Specific Configuration
Couldn't modify hard drive's grub.conf -- couldn'tfind /etc/grub.conf
Executing Inetd Specific Configuration
Executing User Tool Specific Configuration
Executing PAM Specific Configuration
Executing Logging Specific Configuration
syntax error at /usr/lib/Bastille/Logging.pm line 122, near ") {"
syntax error at /usr/lib/Bastille/Logging.pm line 138, near "}"
Compilation failed in require at /usr/sbin/BastilleBackEnd line 143.
debian:/home/test#

A syntax error ?????
I enclose the offending perl script, any ideas ???

Dave

# Copyright (C) 1999, 2000 Jay Beale
# Licensed under the GNU General Public License

package Bastille::Logging;
use lib "/usr/lib";

use Bastille::API;


#######################################################################
##                               Logging                             ##
#######################################################################

#&ConfigureAutomatedLogWatcher
# These are top-level statements of the package, so they execute when the
# module file is loaded; each step decides for itself (from the Logging
# config section) whether it changes anything. Order is kept as written.
for my $logging_step (
    \&ConfigureAdditionalLogging,
    \&AddProcessAccounting,           # capveg 12/99
    \&AddSecurityChecks,
) {
    $logging_step->();
}

####&ConfigureAutomatedLogWatcher;
####
#### Anyone want to do this?
####


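# ConfigureAdditionalLogging
#
# When the Logging/morelogging answer is "Y", extends /etc/syslog.conf with
# extra log destinations (files, virtual consoles and, optionally, a remote
# log host), creates the new log files and registers log rotation for them.
# Takes no arguments. $distro is not declared in this file; presumably it is
# supplied by Bastille::API -- TODO confirm.
sub ConfigureAdditionalLogging {

    if (&getGlobalConfig("Logging","morelogging") eq "Y") {
        &ActionLog("# sub ConfigureAdditionalLogging\n");

        my $logging_host = &getGlobalConfig("Logging","remotelog_host");

        # Add two more logging files to RedHat's default scheme and log
        # lots of data to TTY 7 and 8
        #
        # We add additional logging files:
        #   /var/log/kernel       --    kernel messages
        #   /var/log/syslog       --    messages of severity "warning" and
        #                               "error"
        #   /var/log/loginlog     --    all logins...
        #
        # NOTE: Debian, however, does by default have kernel and syslog
        # rotation already
        #
        # Also configure the 7th and 8th TTYs for more logging.

        my $var_log_syslog_lines = <<END_SYSLOG;
# Log warning and errors to the new file /var/log/syslog
*.warn;*.err\t/var/log/syslog

END_SYSLOG

        my $var_log_kernel_lines = <<END_KERNEL;
# Log all kernel messages to the new file /var/log/kernel
kern.*\t/var/log/kernel

END_KERNEL

        my $var_log_loginlog_lines = <<END_LOGINLOG;
# Log all logins to /var/log/loginlog
auth.*;user.*;daemon.none\t/var/log/loginlog

END_LOGINLOG

        # NOTE(review): authpriv.* is echoed to /dev/tty7, so authentication
        # messages are readable by anyone who can see the local console.
        my $tty_log_lines = <<END_TTY_LOG;
# Log additional data to the Alt-F7 and Alt-F8 screens (Pseudo TTY 7 and 8)

*.info;mail.none;authpriv.none\t/dev/tty7
authpriv.*\t/dev/tty7
*.warn;*.err\t/dev/tty7
kern.*\t/dev/tty7
mail.*\t/dev/tty8

END_TTY_LOG

        &B_append_line("/etc/syslog.conf","ADDITIONS","############ BASTILLE ADDITIONS BELOW : ################# \n");

        # Outside Debian ("DB..." distro names) the three extra log files
        # are added; Debian is skipped, per the note above.
        if ( $distro !~ "^DB" ) {
            &B_append_line("/etc/syslog.conf",'\/var\/log\/syslog',$var_log_syslog_lines);
            &B_append_line("/etc/syslog.conf",'\/var\/log\/kernel',$var_log_kernel_lines);
            &B_append_line("/etc/syslog.conf",'\/var\/log\/loginlog',$var_log_loginlog_lines);
        }
        &B_append_line("/etc/syslog.conf",'\/dev\/tty7',$tty_log_lines);
        &B_append_line("/etc/syslog.conf",'\/dev\/tty12',"*.*\t/dev/tty12\n");

        # Optional forwarding to a remote log host ("@host" syntax).
        # NOTE(review): the host name goes unescaped into the second
        # argument, which looks like a regex (other calls escape "/" and use
        # \b), so "." in the name matches any character -- confirm whether
        # it should be quoted. Classic "@host" forwarding is presumably
        # unauthenticated and unencrypted; confirm that is acceptable here.
        if ($logging_host) {
            &B_append_line("/etc/syslog.conf","\\\@$logging_host","*.warn;*.err\t\@$logging_host\nauthpriv.*;auth.*\t\@$logging_host\n");
        }

        &B_append_line("/etc/syslog.conf","BASTILLE ADDITIONS CONCLUDED","########## BASTILLE ADDITIONS CONCLUDED : ###############\n");

        # NOTE(review): no B_chmod follows these creations, so the file
        # modes depend on B_create_file. loginlog receives auth.* messages;
        # confirm it does not end up world-readable.
        &B_create_file("/var/log/syslog");
        &B_create_file("/var/log/kernel");
        &B_create_file("/var/log/loginlog");

        #
        # Configure log rotation for the new log files:
        #

        my $rotation_lines = <<END_NEW_ROT;
   
/var/log/kernel {
    postrotate
	/usr/bin/killall -HUP syslogd
    endscript
}
   
/var/log/syslog {
    postrotate
	/usr/bin/killall -HUP syslogd
    endscript
}

/var/log/loginlog {
    postrotate
	/usr/bin/killall -HUP syslogd
    endscript
}
END_NEW_ROT

        # FIX: this line arrived as `&B_appef ( $distro =~ "^DB" ) {`, which
        # does not parse and is the location of the reported syntax error.
        # Restored as the `if` that the reassignment and the closing brace
        # below require -- verify against the packaged upstream file.
        # On Debian only loginlog needs a rotation stanza here.
        if ( $distro =~ "^DB" ) {
            $rotation_lines = <<END_NEW_ROT;
   
/var/log/loginlog {
    postrotate
       /usr/bin/killall -HUP syslogd
    endscript
}
END_NEW_ROT

        }

        # Needed for Debian (since syslog is rotated in /etc/cron.d/sysklogd)
        &B_create_file("/etc/logrotate.d/syslog");
        &B_append_line("/etc/logrotate.d/syslog",'\bloginlog\b',$rotation_lines);
    }
}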


####AddProcessAccounting;
####
#### Turn on BSD style process accounting
####
#### Idea and Methodology contributed by "capveg@cs.umd.edu"
####

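# AddProcessAccounting
#
# When the Logging/pacct answer is "Y" and an accton binary is configured,
# turns on BSD-style process accounting: starts accton from rc.local,
# creates the accounting file with mode 0600 and adds a logrotate stanza
# that restarts accounting after rotation. On Debian ("DB..." distro names)
# nothing is changed and an explanatory message is logged instead.
# Takes no arguments. $distro is not declared in this file; presumably it is
# supplied by Bastille::API -- TODO confirm.
sub AddProcessAccounting {

    &ActionLog("# sub AddProcessAccounting\n");

    if ( (&getGlobalConfig("Logging","pacct") eq "Y") and (&getGlobal('BIN','accton')) ) {

        if ( $distro !~ "^DB" ) {

            # Resolve both paths once. Sub calls are not interpolated inside
            # strings or here-docs, so they must be in variables before the
            # logrotate stanza below is built.
            my $accton     = &getGlobal('BIN', "accton");
            my $pacct_file = &getGlobal('DIR', "log") . "/pacct";

            &B_append_line(&getGlobal('DIR', "rcd") . "/rc.local","pacct","# Process accounting activated by Bastille \n" . $accton . " " . $pacct_file . "\n");

            # The accounting file records commands run on the system, so it
            # is restricted to its owner.
            &B_create_file($pacct_file);
            &B_chmod(0600, $pacct_file);

            #
            # Set the log rotation for process accounting
            #
            # FIX: the stanza previously contained the literal text
            # `&getGlobal('DIR', "log")/pacct` and `&getGlobal('BIN',"accton")`
            # (never evaluated inside a here-doc) plus $GLOBAL_LOG, which this
            # file never sets. It now uses the same resolved paths as the
            # rc.local entry above.
            my $pacct_rotate_lines = <<END_PACCT_ROT;

# Added by Bastille Linux
# default to rotation schedule set in /etc/logrotate.conf
${pacct_file} {
      postrotate
              ${accton} ${pacct_file}
      endscript
}

END_PACCT_ROT

            &B_create_file("/etc/logrotate.d/pacct");
            &B_append_line("/etc/logrotate.d/pacct","Bastille",$pacct_rotate_lines);

        } else {
            &ErrorLog("# Process Accounting is started automatically in Debian\nwhen the 'acct' package is installed and Bastille cannot (yet) enable it automatically.\n");
            # TODO (jfs)
            # Warning: on Debian the accounting is started automatically
            # when the 'acct' package is installed, and can be
            # enabled/disabled via the START_ACCT variable (0 or 1) in the
            # /etc/init.d/acct script.

        }

    }
}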

# AddSecurityChecks
#
# When the Logging/security_checks answer is "Y", switches on the msec
# checks in /etc/security/msec/security.conf and schedules the msec helper
# scripts from /etc/crontab if they exist. Takes no arguments.
sub AddSecurityChecks {
    &ActionLog("# sub AddSecurityChecks\n");

    if (&getGlobalConfig("Logging","security_checks") eq "Y") {
        my $msec_conf = "/etc/security/msec/security.conf";

        # Settings are appended in this order; each key doubles as the
        # pattern handed to B_append_line.
        my @msec_settings = (
            [ "CHECK_SECURITY",   "yes"  ],
            [ "CHECK_PERMS",      "yes"  ],
            [ "CHECK_SUID_ROOT",  "yes"  ],
            [ "CHECK_SUID_MD5",   "yes"  ],
            [ "CHECK_SUID_GROUP", "yes"  ],
            [ "CHECK_WRITEABLE",  "yes"  ],
            [ "CHECK_UNOWNED",    "yes"  ],
            [ "CHECK_PROMISC",    "yes"  ],
            [ "CHECK_OPEN_PORT",  "yes"  ],
            [ "CHECK_PASSWD",     "yes"  ],
            [ "CHECK_SHADOW",     "yes"  ],
            [ "TTY_WARN",         "no"   ],
            [ "MAIL_WARN",        "yes"  ],
            [ "MAIL_USER",        "root" ],
            [ "SYSLOG_WARN",      "yes"  ],
        );
        for my $setting (@msec_settings) {
            my ($key, $value) = @$setting;
            &B_append_line($msec_conf, $key, "$key=$value\n");
        }

        my $promisc_script  = "/usr/share/msec/promisc_check.sh";
        my $security_script = "/usr/share/msec/security.sh";

        # Add a check for promisc devices to cron (runs every minute as
        # root). The script is looked up under $GLOBAL_PREFIX, while the
        # crontab entry uses the unprefixed path.
        if ( -e "${GLOBAL_PREFIX}$promisc_script" ) {
            &B_append_line("/etc/crontab", 'msec/promisc_check\.sh', "*/1 * * * *    root    $promisc_script\n");
        }

        # Add nightly "diff" and "global security" checks to cron (04:00,
        # as root).
        if ( -e "${GLOBAL_PREFIX}$security_script" ) {
            &B_append_line("/etc/crontab", 'msec/security\.sh', "0 4 * * *    root    $security_script\n");
        }

    }
}

1;
