RE: bastille in lenny

To: "debian security list" <debian-security@lists.debian.org>
Subject: RE: bastille in lenny
From: "Joseph Abbotts" <jabbotts@ismp-canada.org>
Date: Thu, 9 Jul 2009 08:07:11 -0400
Message-id: <[🔎] 0E3CF6141BA2EB448EA3BED164154C9E4F329C@ismpex.ismp.local>
In-reply-to: <[🔎] 4621e3520907081654x6caa6d03t56501f48b9fc632d@mail.gmail.com>
References: <[🔎] 4621e3520907081654x6caa6d03t56501f48b9fc632d@mail.gmail.com>

Matt,

It works perfectly on Lenny after two quick edits:

Edit API.pm. Search "DB4". Add "DB5.0" in same format:
... "DB3.1", "DB4.0", "DB5.0",

Edit IOLoader.pm. Search "DB4". Add "DB5.0" in same format:
... = 'DB2.2 DB3.0 DB3.1 DB4.0 DB5.0';

IntaractiveBastille -c

Good to hear it's fixed in the next generation. It's something that's
seemed an outstanding bug in Lenny which should be fixed as either a
program dysfunctional bug or security need. Still, it's something one
can fix themselves in ten seconds unless there is something deeper than
those two files. The only other snag I've hit is Bastille favoring
syslogd rather than rsyslog when configuring PSAD. Bastille wants a
syslog.conf it can confirm the kern.info fifo in which is another ten
second or less fix. Do this or drop it in your setup scripts (I do a
Bash build script for replication or recovery installs):

Echo "kern.info | /var/lib/psad/psadfifo" > /etc/rsyslog.d/psadfifo.conf
Echo "kern.info | /var/lib/psad/psadfifo" > /etc/syslog.conf

Bastille should run like a champ for you after the version edit and psad
setup. Great baseline for your security config though shouldn't be
considered the final step. Also, if you haven't before, look at creating
a /etc/Bastille/firewall.d/post-rule-setup.sh for your custom iptables
rules. I don't open ssh port 22 through Bastille preferring to do
specific accept exceptions for the few valid sources which have reason
to connect in.

Now.. Since my SSH is up to date, I'll go back to lurking until that
issue is found to effect more than 4.3.

Joe

-----Original Message-----
From: Matt Richardson [mailto:shortpath@gmail.com] 

Running Bastille in Lenny revealed that Bastille won't run in Lenny, it
complains about an unsupported OS version.  The latest version in the
supported OS list is 4.0 (/usr/lib/Bastille/API.pm).  There were some
bug reports filed on dating back to January and it was closed in March
by the maintainer [1].  Problem is, the fixes were applied to the
version in unstable.  Has anyone tried to add entries for debian 5.0 to
the lists?  If so, does the rest of 2.1.1-19 work ok with lenny?  I've
got a config from an etch box I want to use on quite a few machines, so
if I can get away with running 'bastille -b' after making a couple of
changes, I'll be happy.  Otherwise, I guess my dreams of a pure lenny
system will be dashed and I'll have to pin the newer version.

Reply to:

Follow-Ups:
- Re: bastille in lenny
  - From: Matt Richardson <shortpath@gmail.com>

References:
- bastille in lenny
  - From: Matt Richardson <shortpath@gmail.com>

Prev by Date: Re: HEAD's UP: possible 0day SSH exploit in the wild
Next by Date: Re: HEAD's UP: possible 0day SSH exploit in the wild
Previous by thread: Re: bastille in lenny
Next by thread: Re: bastille in lenny
Index(es):
- Date
- Thread