FILE: Patches.pm

LABEL: spc_run
SHORT_EXP: "Patching known security vulnerabilities is one of the most
important steps in securing a system.  Security Patch Check is
a tool which will analyze the software installed on this system.  It will
report if any relevant security patches have been announced by Hewlett
Packard that are not currently installed on this system.  Bastille has
detected that this tool is installed.  The output of running this tool
will be appended to a file and referenced by Bastille's generated TODO list
so you can apply the necessary patches.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
LONG_EXP: "Patching known security vulnerabilities is one of the most
important steps in securing a system.  Security Patch Check is
a tool which will analyze the software installed on this system.  When
Security Patch Check runs, it will report several types of
problems.  It will (1) report any patches which are installed on the system
but have had warnings (recalls) issued by HP, (2) report any security patches
that have been announced by Hewlett Packard that will fix installed software on
the system but have not been applied, and (3) report if any currently
installed patches are not in the proper, \"configured\" state.  Security
Patch Check can download an up-to-date catalog from HP with security and
patch-warning information.  It can also work through a proxy-type
firewall.  This tool will only report patches; it will not indicate
manual actions described in HP Security Bulletins/Advisories.
Also, security patches require vigilance, since new vulnerabilities are
found and fixed on a regular basis.  It is recommended that this tool be
run frequently, such as in a cron job each night (a separate question
will cover this).  It is also recommended that you subscribe to the HP
Security Bulletin mailing list.

The output of running this tool will be appended to Bastille's generated
TODO list so that you can apply the necessary patches.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Should Bastille run Security Patch Check for you?"
DEFAULT_ANSWER: "Y"
NO_CHILD: spc_cron_norun
YES_CHILD: spc_cron_run
SKIP_CHILD: spc_cron_norun
YN_TOGGLE: 1
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: spc
REG_EXP: "^Y$|^N$"
PROPER_PARENT: Title_Screen

LABEL: spc_cron_run
SHORT_EXP: "Bastille can configure Security Patch Check to run on a daily
basis using the cron scheduling daemon.  Keeping a system secure requires constant
vigilance.  Staying up-to-date on security patches issued by Hewlett Packard is
critical, and Security Patch Check is the easiest way to make sure
this system's security patches are up-to-date.  In addition, a subscription to
HP's security bulletin mailing list is valuable to find the latest security fixes
from HP, including both patched and manual fixes.  Note: this question is
asked whether or not you have Security Patch Check installed so
that Bastille can pre-configure cron to run the tool after you have
installed it.

You may also consider getting notified of all HP security bulletins by
going to http://www.itrc.hp.com and registering for them by clicking on
\"maintenance and support,\" then selecting \"support information
digests.\""
QUESTION: "Should Bastille set up a cron job to run Security Patch Check?"
DEFAULT_ANSWER: "Y"
YN_TOGGLE: 1
NO_CHILD: spc_proxy_yn
YES_CHILD: spc_cron_time
SKIP_CHILD: generalperms_1_1
REQUIRE_FILE_EXISTS: spc
REQUIRE_DISTRO: HP-UX
REG_EXP: "^Y$|^N$"
PROPER_PARENT: spc_run

LABEL: spc_cron_norun
SHORT_EXP: "Bastille can configure Security Patch Check to run daily
using cron.  Keeping a system secure requires constant vigilance.
Staying up-to-date on patches issued by Hewlett Packard is critical, and
Security Patch Check is the easiest way to make sure that this system's
patches are up-to-date.  In addition, a subscription to HP's security
advisory mailing list is valuable to find the latest security fixes
from HP, including both patched and manual fixes.  Note: this question is
asked whether or not you have Security Patch Check installed so
that Bastille can pre-configure cron to run the tool after you have
installed it."
QUESTION: "Should Bastille set up a cron job to run Security Patch Check?"
YN_TOGGLE: 1
DEFAULT_ANSWER: "Y"
NO_CHILD: generalperms_1_1
YES_CHILD: spc_cron_time
SKIP_CHILD: generalperms_1_1
REQUIRE_DISTRO: HP-UX
REG_EXP: "^Y$|^N$"
PROPER_PARENT: spc_run

LABEL: spc_cron_time
SHORT_EXP: "Specify a number between 0 and 23, corresponding to the hour
in your time zone that is most convenient to run Security Patch Check."
LONG_EXP: "Specify a number between 0 and 23, corresponding to the hour
in your time zone that is most convenient to run Security Patch Check. 
For example, if you specify 0, Security Patch Check will run sometime
between 12:00am and 12:59am in your local time zone.  If you specify 23,
Security Patch Check will run some time between 11:00pm and 11:59pm.

See crontab(1)"
QUESTION: "During which hour would you like to schedule Security Patch Check?"
YN_TOGGLE: 0
DEFAULT_ANSWER:
EXPL_ANS: "11"
YES_CHILD: spc_proxy_yn
SKIP_CHILD: generalperms_1_1
REQUIRE_DISTRO: HP-UX
PROPER_PARENT: spc_run
REG_EXP: "^[0-9]$|^1[0-9]$|^2[0-3]$"

LABEL: spc_proxy_yn
SHORT_EXP:  "If this machine is behind a proxy-type
firewall, Security Patch Check needs to be configured to traverse
that firewall.  For example, the proxy might be specified as
\"http://myproxy.mynet.com:8088\".  If this machine can ftp directly to
the Internet without a proxy, answer no to this question."
QUESTION:  "Does this machine require a proxy to ftp to the Internet?"
YN_TOGGLE: 1
DEFAULT_ANSWER: "N"
NO_CHILD: generalperms_1_1
YES_CHILD: spc_proxy
SKIP_CHILD: generalperms_1_1
REQUIRE_DISTRO: HP-UX
PROPER_PARENT: spc_run
REG_EXP: "^Y$|^N$"

LABEL: spc_proxy
SHORT_EXP:  "To use the auto-download feature of Security Patch Check
from behind a proxy-type firewall, Security Patch Check needs to be
configured to traverse that firewall.

The URL for the proxy must be in the form

<protocol of firewall>://address:port

For example:
    http://myproxy.mynet.com:8088

A web proxy generally uses the http protocol.  This answer should
correspond closely to settings one would make in a web browser
to point to a proxy server, but use the above syntax.

If you asked Bastille to run Security Patch Check itself and/or in cron,
it will use this proxy value."
QUESTION:  "Please enter the URL for the web proxy."
YN_TOGGLE: 0
DEFAULT_ANSWER:
EXPL_ANS: "http://yourproxy.yournet.com:8088"
NO_CHILD: generalperms_1_1
YES_CHILD: generalperms_1_1
SKIP_CHILD: generalperms_1_1
REQUIRE_DISTRO: HP-UX
PROPER_PARENT: spc_proxy_yn
REG_EXP: "^http:\/\/.+\:.+$"
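The hour and proxy answers from spc_cron_time and spc_proxy, validated with those records' own REG_EXP patterns and turned into a crontab(1) entry, as an added shell example that is not Bastille's own code.  SPC_CMD is a placeholder path for the Security Patch Check binary; the minute field (0) and the use of the http_proxy environment variable are assumptions; the extra port check goes beyond the page's regular expression, which accepts any text after the last colon.

```shell
#!/bin/sh
# Added example, not Bastille's code: validate the spc_cron_time and
# spc_proxy answers with the REG_EXP patterns from those records and build
# the crontab line that would run the tool.
SPC_CMD=/path/to/security_patch_check   # placeholder, not the real binary path

# Hour must be 0-23, exactly as REG_EXP in spc_cron_time demands.
valid_hour() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]$|^1[0-9]$|^2[0-3]$'
}

# Proxy URL must match spc_proxy's REG_EXP: http://<address>:<port>.
# That pattern only checks the shape ("http://a:b" passes), so the port
# is additionally required to be a number in 1..65535 here.
valid_proxy() {
    printf '%s\n' "$1" | grep -Eq '^http://.+:.+$' || return 1
    port=${1##*:}
    printf '%s\n' "$port" | grep -Eq '^[0-9]+$' && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print the crontab line: minute 0 of the chosen hour (the minute is this
# example's assumption), with the proxy passed through http_proxy (also an
# assumption about how the tool locates its proxy).
spc_cron_line() {
    hour=$1; proxy=$2
    valid_hour "$hour" || { echo "bad hour: $hour" >&2; return 1; }
    if [ -n "$proxy" ]; then
        valid_proxy "$proxy" || { echo "bad proxy: $proxy" >&2; return 1; }
        printf '0 %s * * * http_proxy=%s %s\n' "$hour" "$proxy" "$SPC_CMD"
    else
        printf '0 %s * * * %s\n' "$hour" "$SPC_CMD"
    fi
}
```

Running spc_cron_line 11 http://yourproxy.yournet.com:8088 prints the entry that would be appended to root's crontab; an hour of 24 or a proxy whose port is not numeric is rejected before anything is written.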

FILE: FilePermissions.pm

LABEL: generalperms_1_1
SHORT_EXP: "In general, the default file permissions set by most vendors are
fairly secure.  To make them more secure, though, you can
remove non-root user access to some administrator functions."
LONG_EXP: "In general, the default file permissions set by most vendors are
fairly secure.  To make them more secure, though, you can remove non-root
user access to some administrator functions.

If you choose this option, you'll be changing the permissions on
some common system administration utilities so that they're not readable or
executable by users other than root.  These utilities (which include linuxconf,
fsck, ifconfig, runlevel and portmap) are ones that most users should never
have a need to access.  This option will increase your system security, but
there's a chance it will inconvenience your users."
QUESTION: "Would you like to set more restrictive permissions on the
administration utilities? [N]"
REQUIRE_DISTRO: RH MN DB SE TB
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
DEFAULT_ANSWER: "N"
REG_EXP: "^Y$|^N$"
YES_CHILD: world_writeable
NO_CHILD: world_writeable
PROPER_PARENT: spc_run

LABEL: world_writeable
SHORT_EXP: "Bastille can scan your system for world-writeable directories,
including base OS, 3rd party applications, and user directories.  Bastille
will then create a script which you can edit to suit your needs and then
run to tighten these permissions.

Changing the permissions of directories in this way has the potential to
break compatibility with some applications and requires testing in
your environment.

Note: The changes made by this script are NOT supported by HP.  They have
a low likelihood of breaking things in a single purpose environment, but
are known to break some applications in very subtle ways in a general purpose
environment.  (For example, applications which rely on unique process IDs in
/tmp when run by different users may break when the process IDs are recycled,
or programs which are run by different users but create logs in a common
directory may fail.  Other examples are listed in the long explanation.)

As you run the script, it will create a \"revert-directory-perms.sh\"
script which will allow you to revert to a supported state (independent of
the rest of the HP-UX Bastille configurations, which are supported). 
Running 'bastille -r' will revert all Bastille changes, including
running the revert-directory-perms.sh script.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
LONG_EXP: "Bastille can scan your system for world-writeable directories,
including base OS, 3rd party applications, and user directories.
Bastille will then create a script which you can edit to suit your needs
and then run to tighten these permissions.

Changing the permissions of directories in this way has the potential to
break compatibility with some applications and requires testing in
your environment.

Note: The changes made by this script are NOT supported by HP.  They have
a low likelihood of breaking things in a single purpose environment, but
are known to break some applications in very subtle ways in a general purpose
environment.  Here are some examples of known issues:

 - /tmp and /var/tmp sticky bit: applications which rely on unique
process IDs in /tmp when run by different users may break when the process
IDs are recycled (cleaning tmp directories regularly may alleviate this
problem)

 - Log directories (most of which are named with the word \"log\" in them): 
Programs which are run by different users but create and/or write logs in
a common directory may fail to log actions.  This includes GUI error logs
in some versions of HP-UX diagnostic tools.

 - \"cat\" directories such as those in /usr/share/man are used by the
\"man\" command to write pre-processed man pages.  Eliminating the
world-writeable bit will cause a degradation in performance because
the man page will have to be reformatted every time it is accessed.

 - Some directories may have incorrect owners and/or groups.  Eliminating
world-writeable permissions on these directories has no effect if the
owner/group is set properly.  For example, one problem with HP Openview
running without world-writeable directories was corrected by the following:

/usr/bin/chown root:sys /var/opt/OV/analysis/ovrequestd/config

This change has not been fully tested, but was shown to work when tested
in a limited, single-purpose environment.

 - Changing the permissions of the directory /var/obam/translated may have an
impact on non-root users viewing help in obam (the GUI library used by
swinstall, SAM, older versions of ServiceControl Manager, and others).

 - Eliminating the world-writeable permissions on socket directories has been
shown to stop the X server from operating properly.  However, setting the
sticky bit instead (what this script will do by default) did not have the
same effects.

 - There are several other directories which have world-writeable permissions.
Some of these are shipped with HP-UX, others are shipped with 3rd party
products, and others may have been created by users without an appropriate
umask set.  Bastille will help you find those directories so that you can
make appropriate decisions for your environment.  The full impact of making
these changes has not been analyzed.

As you run the script, it will create a \"revert-directory-perms.sh\"
script which will allow you to revert to a supported state (independent of
the rest of the HP-UX Bastille configurations, which are supported). 
Because of the potential for very subtle breakages, you should also keep
a record of any changes which you make manually to your system so that
you can revert them to help debug any problems which you run into.
Running 'bastille -r' will revert all Bastille changes, including
running the revert-directory-perms.sh script, but it may not revert
changes you have made manually.

The fact that a directory is world-writeable does not imply that a
vulnerability exists, because it depends on how the data stored in that
directory is used.  Still, it is a security best-practice to only grant
world-write permissions on temporary directories, such as /tmp and /var/tmp,
and to set the \"sticky\" bit on those directories.  By default, the generated
script will set the \"sticky\" bit on all world-writeable directories.

If the \"sticky\" bit is set on a directory, only the file owner, directory
owner, and super-user are allowed to rename or delete (and thus replace)
the file, regardless of the group and world write permissions on the directory. 
The ownerships and permissions of the files and subdirectories in that
directory determine how those files and subdirectories can be modified,
respectively.  You can tell that the \"sticky\" bit is set if there is a
\"t\" in the last permissions column.  (e.g.: drwxrwxrwt).  Left unedited,
the created script will set the \"sticky\" bit on any world-writeable
directory.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
YES_EXP: "If you find a new security vulnerability in an HP product, you should
report it to security-alert@hp.com.   Please encrypt any exploit
information using the security-alert PGP key, available from your local
key server, or by sending a message with a -subject- (not body) of 'get
key' (no quotes) to security-alert@hp.com.

If you find an application which requires world-writeable directories to operate
properly, you should report it to the vendor of that application, as well as to
the Bastille development team so we can inform other users. 
(bastille-feedback@fc.hp.com)"
NO_EXP: "If you find a new security vulnerability in an HP product, you should
report it to security-alert@hp.com.   Please encrypt any exploit
information using the security-alert PGP key, available from your local
key server, or by sending a message with a -subject- (not body) of 'get
key' (no quotes) to security-alert@hp.com."
QUESTION:  "Should Bastille scan for world-writeable directories?"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_CHILD: suid
NO_CHILD: suid
PROPER_PARENT: generalperms_1_1
REQUIRE_DISTRO: HP-UX
REG_EXP: "^Y$|^N$"
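The scan and the generated fix and revert scripts described in the world_writeable record, as an added shell example that is not Bastille's own generated script.  It assumes a POSIX sh with find(1), ls(1) and mktemp(1); the script names, the ls-based mode parsing (HP-UX has no stat(1)) and the constructed sample tree are this example's own choices.

```shell
#!/bin/sh
# Added example, not Bastille's generated script: find world-writable
# directories, emit a fix script that sets the sticky bit (the default action
# the text describes) and a revert-directory-perms.sh that restores each
# directory's recorded mode.

# Convert an ls -ld permission string (e.g. drwxrwxrwt) to octal (1777).
mode_to_octal() {
    p=$(printf '%s' "$1" | cut -c2-10)   # drop the file-type character
    special=0; bits=""; i=1
    for who in u g o; do
        n=0
        r=$(printf '%s' "$p" | cut -c$i)
        w=$(printf '%s' "$p" | cut -c$((i + 1)))
        x=$(printf '%s' "$p" | cut -c$((i + 2)))
        if [ "$r" = r ]; then n=$((n + 4)); fi
        if [ "$w" = w ]; then n=$((n + 2)); fi
        case $x in
            x|s|t) n=$((n + 1)) ;;        # lower-case letter: execute bit set
        esac
        case "$who$x" in                   # set-uid, set-gid, sticky
            us|uS) special=$((special + 4)) ;;
            gs|gS) special=$((special + 2)) ;;
            ot|oT) special=$((special + 1)) ;;
        esac
        bits="$bits$n"
        i=$((i + 3))
    done
    printf '%s%s\n' "$special" "$bits"
}

# Scan ROOT for world-writable directories; write fix-directory-perms.sh and
# revert-directory-perms.sh into OUTDIR. Prints the number of directories found.
# The fix script is meant to be edited before it is run, as the text advises.
scan_world_writable() {
    root=$1; outdir=$2
    fix=$outdir/fix-directory-perms.sh
    revert=$outdir/revert-directory-perms.sh
    list=$outdir/world-writable.list
    printf '#!/bin/sh\n# Generated: set the sticky bit on world-writable directories. Edit first.\n' > "$fix"
    printf '#!/bin/sh\n# Generated: restore the modes recorded at scan time.\n' > "$revert"
    find "$root" -type d -perm -0002 -print | sort > "$list"
    count=0
    while IFS= read -r dir; do
        orig=$(mode_to_octal "$(ls -ld "$dir" | cut -c1-10)")
        printf "chmod +t '%s'\n" "$dir" >> "$fix"
        printf "chmod %s '%s'\n" "$orig" "$dir" >> "$revert"
        count=$((count + 1))
    done < "$list"
    chmod 700 "$fix" "$revert"
    echo "$count"
}

# Constructed sample tree: one plain, one world-writable, one already sticky
# directory. Prints its path; the caller removes it when done.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir "$base/plain" "$base/scratch" "$base/tmp"
    chmod 755 "$base/plain"
    chmod 777 "$base/scratch"
    chmod 1777 "$base/tmp"
    echo "$base"
}
```

On the sample tree the scan reports two directories; running the fix script turns scratch into drwxrwxrwt, and running the revert script puts it back to drwxrwxrwx.  Directories that already carry the sticky bit are listed too, so the report doubles as an inventory of every world-writable directory under the root.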

LABEL: suid
SHORT_EXP: "The following questions all pertain to disabling \"SUID root\"
permission for particular programs. This permission allows non-root users to run
these programs, increasing convenience but decreasing security.  If a
security weakness or vulnerability is found in these programs, it can be
exploited to gain root-level access to your computer through any user
account.

If you answer \"Yes\" and then realize later that you do need SUID permissions
on a specific program, you can always turn it back on later with chmod u+s <file name>."
QUESTION:
REQUIRE_DISTRO: LINUX DB SE TB OSX
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: suidmount
NO_CHILD: suidmount
PROPER_PARENT: world_writeable

LABEL: suidmount
SHORT_EXP: "Mount and umount are used for mounting (activating) and
unmounting (deactivating) drives that were not automatically mounted at
boot time.  This can include floppy and CD-ROM drives.  Disabling SUID would
still allow anyone with the root password to mount and unmount drives."
REQUIRE_IS_SUID: mount umount smbmnt
QUESTION: "Would you like to disable SUID status for mount/umount?"
REQUIRE_DISTRO: LINUX DB SE TB
YN_TOGGLE: 1
DEFAULT_ANSWER: Y
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidping
NO_CHILD: suidping
PROPER_PARENT: suid

LABEL: suidping
SHORT_EXP: "Ping is used for testing network connectivity.  Specifically, it tests
the ability of the network to get a packet from this machine to another and
back.  The ping program is SUID because only the root user can open a raw
socket.  Since, however, it is often used only by the person responsible
for networking the host, who normally has root access, we recommend
disabling SUID status for it."
QUESTION: "Would you like to disable SUID status for ping? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB OSX
REQUIRE_IS_SUID: ping
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suiddump
NO_CHILD: suiddump
PROPER_PARENT: suidmount

LABEL: suiddump
SHORT_EXP: "Dump and restore are used for backing up file systems and
restoring them from disk.  If used by an attacker, they could be used to
construct an alternate file system in place.  Further, anyone who backs up
the machine and restores from backup should have authorization and special
access granted by the administrator.  It's extremely unlikely that there will
be any problems with disabling SUID for dump and restore."
QUESTION: "Would you like to disable SUID status for dump and restore? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB OSX
REQUIRE_IS_SUID: dump restore
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidcard
NO_CHILD: suidcard
PROPER_PARENT: suidping

LABEL: suidcard
SHORT_EXP: "Cardctl is used for controlling PCMCIA devices, primarily found
in laptop or notebook computers.  Non-admins shouldn't have rights to
modify hardware or devices, so you should probably disable SUID status for
this utility even if this is a notebook or laptop.  If this isn't a laptop or
notebook computer, then you probably don't have any PCMCIA devices, and
you should definitely disable this."
QUESTION: "Would you like to disable SUID status for cardctl? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_IS_SUID: cardctl
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidat
NO_CHILD: suidat
PROPER_PARENT: suiddump

LABEL: suidat
SHORT_EXP: "\"at\" is used for scheduling an individual task to run at a single
later time. There have historically been many exploits that take advantage of
weaknesses in \"at\". Virtually all of the necessary functionality of \"at\"
can be found in cron (and removing cron is not practical) so there is
no need to retain privileged access for \"at\"."
QUESTION: "Would you like to disable SUID status for at? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB OSX
REQUIRE_IS_SUID: at
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suiddos
NO_CHILD: suiddos
PROPER_PARENT: suidcard

LABEL: suiddos
SHORT_EXP: "DOSEMU is a DOS emulator used to run older DOS programs. 
Any use of a second operating system, or emulation, opens up a whole new
area of security problems.  We recommend that only root have access to
this type of application, unless your users have a pressing need for it."
QUESTION: "Would you like to disable SUID status for DOSEMU? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_IS_SUID: dos
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidnews
NO_CHILD: suidnews
PROPER_PARENT: suidat

LABEL: suidnews
SHORT_EXP: "Ordinary users should not be able to start (or stop) the news
server.  For this reason, we'd like to disable SUID status for the INN news
server tools inndstart and startinnfeed."
QUESTION: "Would you like to disable SUID status for news server tools? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_IS_SUID: inndstart startinnfeed
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidprint
NO_CHILD: suidprint
PROPER_PARENT: suiddos

LABEL: suidprint
SHORT_EXP: "If this machine is not going to be using printers, then you should
disable the SUID status of the printing utilities.  These utilities have
a history of security vulnerabilities.  This will disallow local, non-root
users from initiating, modifying, and canceling print requests.  Later,
we'll ask about disabling printing entirely including stopping the print
scheduler."
QUESTION: "Would you like to disable SUID status for printing utilities? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_IS_SUID: lpr lpq lprm lpalt
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidrtool
NO_CHILD: suidrtool
PROPER_PARENT: suidnews

LABEL: suidrtool
SHORT_EXP: "The BSD r-tools (rsh/remsh, rcp, rlogin, rdist, etc.) have
traditionally been used to make remote connections to other machines. 
They rely on IP addresses for authentication and transmit data in clear
text (including passwords).  Tools are now available which allow you to
spoof (fake) IP addresses as well as to monitor and/or hijack protocols
which use clear-text.  All of the same functionality can be found with the more
secure replacement commands ssh and scp.  Because of these insecurities,
ordinary users should not be allowed to use the r-tools, and admins should
use them only in cases where there are no other connection methods
available.

Bastille can remove the permissions on the r-tools so that non-root users
cannot run them and administrators will have to take additional steps to
re-enable them when needed.  This will disable the \"client\" side of these
tools, so that people cannot use them to connect to other machines."
LONG_EXP: "The BSD r-tools (rsh/remsh, rcp, rlogin, rdist, etc.) have
traditionally been used to make remote connections to other machines. 
They rely on IP-based authentication, which means
that you can allow anyone with (for instance) root access on 192.168.1.1 to
have root access on 192.168.1.2.  Administrators and other users have
traditionally found this useful, as it lets them connect from one host to
another without having to retype a password.

The problem with IP-based authentication, however, is that an intruder can
craft \"spoofed\" or faked packets which claim to be from a trusted machine. 
Since the r-tools rely entirely on IP addresses for authentication, a spoofed
packet will be accepted as real, and any hacker who claims to be from a
trusted host will be trusted and given access to your machine.

These tools also transmit all of your data in clear-text, including passwords.

Tools are now available which allow you to spoof (fake) IP addresses as well
as to monitor and/or hijack protocols which use clear-text.  All of the same
functionality can be found with the more secure replacement commands ssh and
scp.  Because of these insecurities, ordinary users should not be allowed
to use the r-tools, and admins should use them only in cases where there
are no other connection methods available.

Bastille can remove the permissions on the r-tools so that ordinary users
cannot run them and admins will have to take additional steps to re-enable
them when needed.  This will disable the \"client\" side of these tools,
so that people cannot use them to connect to other machines."
QUESTION: "Would you like to disable the r-tools? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB OSX
REQUIRE_IS_SUID: rcp rlogin rsh rdist rexec
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidusernetctl
NO_CHILD: suidusernetctl
PROPER_PARENT: suidprint

LABEL: suidusernetctl
SHORT_EXP: "usernetctl is a utility that allows ordinary users to control the
network interfaces.  In general, there's no reason for anyone other than the
system administrator to control network interfaces."
QUESTION: "Would you like to disable SUID status for usernetctl? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_IS_SUID: usernetctl
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidtrace
NO_CHILD: suidtrace
PROPER_PARENT: suidrtool

LABEL: suidtrace
SHORT_EXP: "The traceroute utility is used to test network connectivity. 
It is useful for debugging network problems, but it is generally not necessary,
especially for non-privileged users.  If non-root users will be needing to
debug network connections, you can leave the SUID bit on traceroute. 
Otherwise, you should disable it."
QUESTION: "Would you like to disable SUID status for traceroute? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB OSX
REQUIRE_IS_SUID: traceroute
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidXwrapper
NO_CHILD: suidXwrapper
PROPER_PARENT: suidusernetctl

LABEL: suidXwrapper
SHORT_EXP: "The Xwrapper program is a Set-UID root wrapper written so that
the X server binaries wouldn't all have to be Set-UID.

This program does not need to be Set-UID if you won't be using this machine
as a graphical workstation at all.  One specific case where you can very
safely answer yes is when this system will be running without a monitor of
any kind."
QUESTION: "Would you like to disable SUID status for Xwrapper? [N]"
REQUIRE_DISTRO: LINUX
REQUIRE_IS_SUID: Xwrapper
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidXFree86
NO_CHILD: suidXFree86
PROPER_PARENT: suidtrace


LABEL: suidXFree86
SHORT_EXP: "The XFree86 program is the X server binary in XFree86 4.  For
ordinary users to run X, this binary (or a world-executable wrapper) must
be Set-UID root.  In this system's case, the XFree86 binary is Set-UID.

This program does not need to be Set-UID if you won't be using this machine
as a graphical workstation at all.  One specific case where you can very
safely answer yes is when this system will be running without a monitor of
any kind."
QUESTION: "Would you like to disable SUID status for XFree86? [N]"
REQUIRE_DISTRO: LINUX
REQUIRE_IS_SUID: XFree86
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: protectrhost
NO_CHILD: protectrhost
PROPER_PARENT: suidXwrapper
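A check of the kind the REQUIRE_IS_SUID keyword performs for the suid records above, together with the chmod u-s and chmod u+s steps the suid record describes, as an added shell example that is not Bastille's code.  The PATH search, the report format and the revert list file are this example's own choices; the "ping" it operates on is a constructed stand-in script in a temporary directory, not the system binary.

```shell
#!/bin/sh
# Added example, not Bastille's code: report which of the named programs are
# currently set-UID (the gating REQUIRE_IS_SUID expresses), strip the bit
# while recording the path, and restore it later with chmod u+s.

# Locate a command in PATH plus the usual system binary directories.
find_prog() {
    old_ifs=$IFS; IFS=:
    for d in $PATH /sbin /usr/sbin /bin /usr/bin; do
        if [ -f "$d/$1" ]; then IFS=$old_ifs; echo "$d/$1"; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# Print "name path state" for each program: suid, nosuid or missing.
suid_status() {
    for prog in "$@"; do
        if path=$(find_prog "$prog"); then
            if [ -u "$path" ]; then echo "$prog $path suid"; else echo "$prog $path nosuid"; fi
        else
            echo "$prog - missing"
        fi
    done
}

# True if any of the named programs is set-UID: the question is only
# relevant on this host when this holds (the REQUIRE_IS_SUID test).
any_suid() {
    suid_status "$@" | grep -q ' suid$'
}

# Drop the set-UID bit and append the path to a revert list.
disable_suid() {
    path=$1; record=$2
    [ -u "$path" ] || return 0
    echo "$path" >> "$record"
    chmod u-s "$path"
}

# Undo disable_suid for every path in the revert list (chmod u+s, as the
# suid record notes).
restore_suid() {
    while IFS= read -r path; do chmod u+s "$path"; done < "$1"
}
```

Running suid_status mount umount smbmnt on a host gives the same view the installer uses to decide whether the suidmount question applies; a stripped bit is logged in the revert list so the change can be reversed without guessing which files were touched.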

FILE: AccountSecurity.pm

LABEL: protectrhost
SHORT_EXP: "As mentioned earlier, the r-tools (rlogin, rcp, rsh/remsh, etc.)
are now considered insecure because they use IP-based authentication
methods which can be easily fooled.  Unfortunately, many users and admins
are not aware of this danger.  Bastille can prevent users and other
admins from opening up dangerous holes in your system security by
restricting rhosts by modifying PAM files (if applicable), removing
execute permission from rshd/remshd and rlogind, and commenting out the
services in your inetd.conf file.  This will disable both the \"client\"
and \"server\" sides of these tools."
LONG_EXP: "The BSD r-tools rely on IP-based authentication, which means
that you can allow anyone with (for instance) root access on 192.168.1.1 to
have root access on 192.168.1.2.  Administrators and other users have
traditionally found this useful, as it lets them connect from one host to
another without having to retype a password.  The .rhosts file contains the
names of the accounts and machines that are considered to be trusted.

The problem with IP-based authentication, however, is that an intruder can
craft \"spoofed\" or faked packets which claim to be from a trusted user
on a trusted machine.  Since the r-tools rely entirely on IP addresses
(and remote username) for authentication, a spoofed packet will be
accepted as real.

Some of your users, or even possibly other administrators for this machine,
might not be aware of the security problems with the BSD r-tools.  If this is
the case, they might create .rhosts files that would potentially allow
crackers access to the machine.  This option will disable the use of those
r-tools both from your machine and as a means of logging into your machine."
QUESTION: "Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB OSX
REQUIRE_FILE_EXISTS: rsh
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: passwdage
NO_CHILD: passwdage
PROPER_PARENT: suidXFree86


LABEL: passwdage
SHORT_EXP: "We can set the default password aging on accounts here, such
that accounts are disabled if the password has not changed within the last
180 days.  At some point before the 180 days are up, the user will be
prompted to change his or her password.  This measure keeps passwords
fresh and also prevents inactive accounts from being attacked by system
crackers."
LONG_EXP: "Your operating system's default behavior, which we would
change here, is to disable an account when the password hasn't changed
in 99,999 days.  This interval is too long to be useful.  We can set the
default to 180 days.  At some point before the 180 days have passed, the
system will ask the user to change his or her password.  At the end of the
180 days, if the password has not been changed, the account will be
temporarily disabled.  We would make this change in /etc/login.defs."
QUESTION: "Would you like to enforce password aging? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: cronuser
NO_CHILD: cronuser
PROPER_PARENT: protectrhost

LABEL: cronuser
SHORT_EXP: "Cron allows users to submit jobs for the system to do at a
particular, possibly recurring time.  It can be very useful, but also has a very
real potential for abuse by either users or system crackers.  If you choose
to restrict the use of cron to system administrators, you will still be able to
allow individual users the use of cron at a later date."
LONG_EXP: "Cron can be particularly useful for admins, giving them the ability
to have the system check logs every night at midnight or confirm file
integrity every hour.  On the other hand, being able to execute jobs later or
automatically represents an abusable privilege for users and also makes
their actions slightly harder to track.

Many sites choose to restrict cron to administrative accounts.  We suggest
this action to new admins especially, until they understand more about how
cron can be abused and know more about which users need access to cron.
We would like to create the /etc/cron.allow file of users who may use cron.
You can add to that later.  If we don't create this file, all users will be
allowed to use cron."
QUESTION: "Would you like to restrict the use of cron to administrative
accounts? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB OSX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: umaskyn
NO_CHILD: umaskyn
PROPER_PARENT: passwdage

LABEL: umaskyn
SHORT_EXP: "The umask sets the default permission for files that you create. 
Bastille can set one of several umasks in the default
login configuration files.  These cover standard shells like csh and most
bourne shell variants like bash, sh, and ksh.  If you
are going to install other shells, you may have to configure them
yourself.  The only reason not to set at least a minimal default umask
is if you are sure that you have already set one."
QUESTION: "Do you want to set the default umask? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB OSX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: umask
NO_CHILD: hidepasswords
SKIP_CHILD: hidepasswords
PROPER_PARENT: cronuser
REG_EXP: "^Y$|^N$"

LABEL: umask
SHORT_EXP: "The umask sets the default permission for files that you
create.  Bastille can set one of several umasks in the default
login configuration files.  These cover most shells including csh and
most of the bourne shell variants like bash, sh, bsh, and ksh. 
Note that if you are going to install other shells, you may have to
configure them yourself.  Please select one of the following or create your own:

002  - Everyone can read your files & people in your group can alter them.

022  - Everyone can read your files, but no one can write to them.

077  - No one on the system can read or write your files."
LONG_EXP: "The umask sets a default permission for files that you create. 
Bastille can set one of several umasks.  Please select one of the following
or create your own:

002  - Everyone can read your files & people in your group can alter them.

022  - Everyone can read your files, but no one else can write to them.

027  - Only people in your group can read your files; no one else can write to them.

077  - No one else on the system can read or write your files.

In addition to configuring a umask for all of the user shells, HP-UX 11.22
and later has a UMASK parameter in the /etc/default/security file to set the
default system umask.  This parameter controls the umask(2) of all sessions
initiated via pam_unix(5), so it applies even to sessions whose shell never
reads the login configuration files.

NOTE: If your system is converted to trusted mode, this parameter
will be overridden by the trusted system default umask, which is 077."
QUESTION: "What umask would you like to set for users on the system? [077]"
DEFAULT_ANSWER: 077
REQUIRE_DISTRO: LINUX HP-UX DB SE TB OSX
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: hidepasswords
NO_CHILD: hidepasswords
PROPER_PARENT: umaskyn
REG_EXP: "^[0-7][0-7][0-7]$"
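
A quick way to see what each of these umask values actually does, including
the difference between files and directories that the table above glosses
over: the shell functions below (an added example, not part of Bastille)
create a file and a directory in a scratch directory under a given umask and
report the resulting modes.  They assume a POSIX shell with mktemp, ls and
awk, and read the mode from ls(1) output rather than stat(1) so that nothing
depends on GNU-specific flags.

```shell
#!/bin/sh
# Added example (not Bastille code): show the effective mode of a new file
# and a new directory under a candidate umask.

# Convert the permission string from ls(1) (e.g. "-rw-r-----") to octal ("640").
perm_to_octal() {
    printf '%s\n' "$1" | awk '{
        s = substr($1, 2, 9); o = ""
        for (i = 0; i < 3; i++) {
            v = 0
            if (substr(s, i*3+1, 1) == "r") v += 4
            if (substr(s, i*3+2, 1) == "w") v += 2
            c = substr(s, i*3+3, 1)
            if (c == "x" || c == "s" || c == "t") v += 1
            o = o v
        }
        print o
    }'
}

# Create a file and a directory in a scratch directory under umask $1 and
# print "<file mode> <directory mode>", e.g. "600 700" for umask 077.
modes_under_umask() {
    um=$1
    d=$(mktemp -d) || return 1
    # Run in a subshell so the umask change does not leak into the caller.
    ( umask "$um" && : > "$d/f" && mkdir "$d/sub" ) || { rm -rf "$d"; return 1; }
    f=$(perm_to_octal "$(ls -ld "$d/f")")
    s=$(perm_to_octal "$(ls -ld "$d/sub")")
    rm -rf "$d"
    printf '%s %s\n' "$f" "$s"
}

for u in 002 022 027 077; do
    printf 'umask %s -> file/dir modes %s\n' "$u" "$(modes_under_umask "$u")"
done
```

The four table entries give 664/775, 644/755, 640/750 and 600/700 for
files/directories respectively.  Directories keep the search (execute) bit
because they start from 0777 rather than 0666, so a 027 umask still lets group
members list a new directory while denying them the right to create files in it.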

LABEL: hidepasswords
SHORT_EXP:  "Traditionally HP-UX has stored the encrypted password string
for each user inside of the /etc/passwd file.  This has the disadvantage
of allowing these encrypted strings to be viewed by anyone who can read
/etc/passwd (normally, every user on the system).  Given the encrypted
string, an attacker can attempt to recover valid passwords for users
on your system by running dictionary or brute force password cracking
programs offline, where no login failure limits apply.

This option will either convert to trusted mode HP-UX (if deemed necessary)
or convert to shadow passwords.  More information is available if you click
on the \"explain more\" button.  In short, either trusted mode or shadow
passwords can have compatibility issues for applications which do their
own authentication.  Trusted mode has more issues with applications
designed for other operating systems, while shadow mode has more issues
with applications designed for older versions of HP-UX.

Trusted mode will be required if any of the following are true:  (a) You
have HP-UX 11.20 or earlier, (b) You answer 'Yes' to a later question
which requires conversion to trusted mode (i.e. auditing), or (c) your
system is already in trusted mode (i.e. you converted to trusted mode
before applying this configuration).

Otherwise, Bastille will convert to shadow passwords."
LONG_EXP: "Traditionally HP-UX has stored the encrypted password string
for each user inside of the /etc/passwd file.  This has the disadvantage
of allowing these encrypted strings to be viewed by anyone who can read
/etc/passwd (normally, every user on the system).  Given the encrypted
string, an attacker can attempt to recover valid passwords for users
on your system by running dictionary or brute force password cracking
programs offline, where no login failure limits apply.

For HP-UX 11.20 and prior, the system will be converted to trusted mode
to hide the encrypted passwords.  In addition, a trusted system provides
other useful security features such as auditing and login passwords
with lengths greater than 8 characters.  Also, more options are
available, such as password length requirements and password
aging.  (This, combined with other criteria, means that HP-UX in
trusted mode is \"C2 compliant.\")

For HP-UX 11.22 and later, the encrypted passwords can be hidden by
converting to \"shadowed\" passwords.  The encrypted string is removed
from /etc/passwd and placed into the /etc/shadow
file.  This file is only readable and accessible by root.

Converting to trusted mode or shadow passwords may break compatibility with
some of the software on your system.  Any program that does not use the
standard interfaces to authenticate user passwords will be unable to access
the encrypted password string and therefore unable to authenticate the user. 
Shadow passwords are used on several other versions of Unix(TM), so they are
less likely to cause problems for cross-platform applications.  However,
some versions of the tool \"sudo\" were incompatible with trusted mode HP-UX.

LDAP (Lightweight directory access protocol) is compatible with shadow
passwords, but not compatible with trusted mode.  If you use LDAP, you
should not answer Yes to any question which requires trusted mode.

If you are using NIS, NIS+, or DCE authentication DO NOT convert to
shadowed passwords.  Shadowed passwords are incompatible with NIS (for
good reason: NIS distributes the encrypted password strings over the
network in clear text anyway, so hiding them locally gains nothing).  The
shadow password documentation still indicates that NIS+ and DCE are
incompatible with shadowed passwords, so Bastille will not do the
conversion if a conflict is detected.  For more information see the
manual pages for pwconv(1M) and nsswitch.conf(4).

NOTE:   After converting to shadowed passwords ensure that /etc/shadow is
being backed up along with /etc/passwd.

NOTE:   The Access Control List feature available on trusted systems is
not supported on older versions of the JFS file system.  (You will need at
least version 3.3 of JFS if you want to use this feature).

WARNING: If you have a large number of accounts on this system, the
conversion may take up to several minutes.

(MANUAL ACTION MAY BE REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Would you like to hide the encrypted passwords on this system?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
YES_CHILD: single_user_password
NO_CHILD: single_user_password
PROPER_PARENT: umaskyn
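
The shell script below, added here as an illustration rather than taken
from Bastille or from HP's pwconv(1M), shows what the shadow conversion
amounts to on a constructed passwd file: each encrypted string is moved
out of the world-readable passwd file into a separate, root-only shadow
file, and the passwd field is replaced with an "x".  Paths are arguments so
that it runs on a scratch copy; the sample hashes are placeholders, and the
shadow(4) field layout and the use of date +%s are assumptions about the
host running the demonstration, not statements about HP-UX.

```shell
#!/bin/sh
# Added example (not Bastille or HP code): a pwconv-style split of a
# passwd(4)-format file into a passwd file whose password field is "x"
# and a root-only shadow file that holds the encrypted strings.
# File paths are arguments so this runs on a scratch copy, never on /etc.

shadow_split() {
    src=$1; pw_out=$2; sh_out=$3
    # Last-change stamp in days since the epoch, as shadow(4) stores it.
    # (date +%s is assumed to exist on the host running this demonstration.)
    lastchg=$(( $(date +%s) / 86400 ))
    awk -F: -v OFS=: -v pw="$pw_out" -v sh="$sh_out" -v day="$lastchg" '
        NF >= 7 {
            hash = $2
            $2 = "x"                   # passwd keeps everything but the hash
            print > pw
            # shadow: name:hash:lastchg:min:max:warn:inactive:expire:flag
            print $1, hash, day, "", "", "", "", "", "" > sh
        }' "$src" || return 1
    chmod 644 "$pw_out" && chmod 400 "$sh_out"
}

# Count entries whose password field is still an encrypted string
# (anything other than "x", "*" or empty).
unhidden_hashes() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "" { n++ } END { print n+0 }' "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample; the hashes are placeholders, not real credentials.
    cat > "$d/passwd" <<'EOF'
root:$1$abcdefgh$placeholderhashvalue1:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
alice:$1$ijklmnop$placeholderhashvalue2:101:20:Alice Example:/home/alice:/usr/bin/sh
EOF
    shadow_split "$d/passwd" "$d/passwd.new" "$d/shadow" || { rm -rf "$d"; return 1; }
    before=$(unhidden_hashes "$d/passwd")
    after=$(unhidden_hashes "$d/passwd.new")
    moved=$(unhidden_hashes "$d/shadow")
    rm -rf "$d"
    # "<hashes in old passwd> <hashes left in new passwd> <hashes in shadow>"
    printf '%s %s %s\n' "$before" "$after" "$moved"
}
demo
```

The count of exposed hashes goes from 2 in the original file to 0 in the new
passwd file, with both strings now in the 0400 shadow file; the locked daemon
entry ("*") is carried across unchanged.  The compatibility warning above is
exactly this change: any program that reads the hash straight out of
/etc/passwd instead of going through the system's authentication interfaces
now sees only "x".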

LABEL: single_user_password
SHORT_EXP: "By password protecting single-user mode you provide
limited protection against anyone who has physical access to the
machine: they cannot simply reboot into single-user mode and have root
access without typing the password.  However, if an attacker has physical
access to the machine and enough time, there is very little you can
do to prevent unauthorized access.  The protection can also work against
you: an authorized administrator who has broken the machine and cannot
remember the password is locked out of the usual recovery path.

Note:   For HP-UX 11.22 and prior, this requires conversion to trusted mode.
Bastille will automatically do the conversion if you select this option.
Trusted mode is incompatible with LDAP and can cause other incompatibility
issues with applications which do their own authentication."
QUESTION: "Would you like to password protect single-user mode?"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP: "If you are running on PA-RISC hardware, note that most
PA-RISC systems have a secure boot option which
takes significant effort to disable.  Bastille cannot set this
option for you because it has to be done manually at the boot prompt.
Be careful if you do this, because to disable it you will have to
open your case and physically disconnect all disk drives and other media
from your cpu, just like an attacker would.

If you want to set this on most PA-RISC systems, you will need to reboot
your machine and hit the ESC key.  You will be presented with the BCH prompt.
Type \"CO\" to change BCH configuration, then type \"SEC\" to turn
on secure boot.  Once again, bear in mind that this is very painful
to undo if you ever need to access the BCH prompt again."
REQUIRE_DISTRO: HP-UX
YES_CHILD: system_auditing
NO_CHILD: system_auditing
PROPER_PARENT: hidepasswords

LABEL: system_auditing
QUESTION: "Do you want basic system security auditing enabled?"
SHORT_EXP: "By enabling basic system security auditing a subset of system calls
will be logged.  The logging of these events produces system overhead, so if
this system is in a very performance sensitive role, the risk of not logging
may be less than the risk of incurring a small amount of overhead.

The system events to be audited, as defined in the audevent(1M) man page,
will include the admin, login, and moddac events.

All of these events generate data about security sensitive system actions but
should be rare enough that they do not generate too much overhead.

NOTE: Depending on your environment, auditing may be more or less important.
For completeness you should review the audevent(1M) man page to determine if
your system requires more or less auditing.

This feature requires converting to trusted mode, so it should not be selected
if you wish to use LDAP or NIS.  If you prefer trusted mode rather than
shadow passwords, selecting this option will force that conversion on
all currently supported versions of HP-UX."
REQUIRE_DISTRO: HP-UX
YN_TOGGLE: 1
DEFAULT_ANSWER: Y
REG_EXP: "^[YN]$"
YES_CHILD: ABORT_LOGIN_ON_MISSING_HOMEDIR
NO_CHILD: ABORT_LOGIN_ON_MISSING_HOMEDIR
PROPER_PARENT: single_user_password

LABEL: ABORT_LOGIN_ON_MISSING_HOMEDIR
QUESTION: "Do not allow logins unless the home directory exists?"
SHORT_EXP: "The ABORT_LOGIN_ON_MISSING_HOMEDIR parameter controls login
behavior if a user's home directory does not exist.  This is applicable
only for non-root users.

By default, login will use '/' as the home directory if the user's home
directory does not exist, which leaves the session in a directory the user
did not choose and normally cannot write to.

If you set this parameter, the login session will instead exit if the user's
home directory does not exist."
DEFAULT_ANSWER: "Y"
YN_TOGGLE: 1
REG_EXP: "^[YN]$"
REQUIRE_DISTRO: HP-UX11.22 HP-UX11.23
NO_CHILD: passwordpolicies
YES_CHILD: passwordpolicies
SKIP_CHILD: passwordpolicies
PROPER_PARENT: system_auditing

LABEL: passwordpolicies
QUESTION: "Do you want to setup password policies?"
SHORT_EXP: "Weak passwords can be easily compromised using a dictionary
attack.  On the other hand, if the password policies seem too restrictive to your users,
they may end up writing the password down (a very bad security practice.)
Thus, it is important to set password policies which conform to your overall
security policies but do not unduly burden your users.

On HP-UX 11.11 and prior, this will ensure that the system is converted to
trusted mode, enable password aging and allow you to change some basic
defaults.  You should
use SAM to further configure your policies.  For HP-UX 11.22 and later,
Bastille is able to configure several of these policies on a more granular
basis, and conversion to trusted mode is unnecessary for most options. Answering
'Yes' to this question will ensure that your system is converted to shadowed
passwords on HP-UX 11.22 and later.

Trusted mode and password shadowing are incompatible with NIS (an insecure protocol),
so if you wish to use NIS passwords on this system, you should not
select this option."
DEFAULT_ANSWER: "Y"
YN_TOGGLE: 1
REG_EXP: "^[YN]$"
REQUIRE_DISTRO: HP-UX
NO_CHILD: NOLOGIN
YES_CHILD: MIN_PASSWORD_LENGTH
SKIP_CHILD: NOLOGIN
PROPER_PARENT: ABORT_LOGIN_ON_MISSING_HOMEDIR

LABEL: MIN_PASSWORD_LENGTH
QUESTION: "What should the minimum length of NEW passwords be?"
SHORT_EXP: "The MIN_PASSWORD_LENGTH parameter controls the minimum length
of new passwords.  This policy will not be enforced for the root user on an
untrusted system. 

MIN_PASSWORD_LENGTH=N   New passwords must contain at
least N characters.  For untrusted systems N can be any
value from 6 to 8.  For trusted systems N can be any
value from 6 to 80.

Long passwords are generally harder to crack than short ones, but enforcing
long passwords may also increase the chance of users writing down their
passwords (which is a very bad security practice)."
DEFAULT_ANSWER: "8"
REG_EXP: "^[6-9]$|^[1-7][0-9]$|^80$"
EXPL_ANS: "7"
YN_TOGGLE: 0
REQUIRE_DISTRO: HP-UX11.22 HP-UX11.23
YES_CHILD: PASSWORD_HISTORY_DEPTHyn
NO_CHILD: PASSWORD_HISTORY_DEPTHyn
PROPER_PARENT: passwordpolicies

LABEL: PASSWORD_HISTORY_DEPTHyn
QUESTION: "Would you like to set a password history depth?"
SHORT_EXP: "The PASSWORD_HISTORY_DEPTH parameter controls the password
history depth.  A new password is checked only against the number of
most recently used passwords stored in password history for a particular
user.  A user is not allowed to re-use a previously used password that
is stored in the history.

Answering this question 'Yes' will cause the system to be converted
to trusted mode and give you a chance to set the password history
depth."
YN_TOGGLE: 1
REG_EXP: "^[YN]$"
DEFAULT_ANSWER: "Y"
YES_CHILD: PASSWORD_HISTORY_DEPTH
NO_CHILD: PASSWORD_MAXDAYS
SKIP_CHILD: PASSWORD_MAXDAYS
PROPER_PARENT: MIN_PASSWORD_LENGTH
REQUIRE_DISTRO: HP-UX11.22 HP-UX11.23

LABEL: PASSWORD_HISTORY_DEPTH
QUESTION: "Enter the password history depth."
SHORT_EXP: "The PASSWORD_HISTORY_DEPTH parameter controls the password
history depth.  A new password is checked only against the number of
most recently used passwords stored in password history for a particular
user.  A user is not allowed to re-use a previously used password that
is stored in the history.

This will cause the system to be converted to trusted mode.

PASSWORD_HISTORY_DEPTH=N   A new password is checked against only the N
most recently used passwords for a particular user.  Valid password
history depths are between 1 and 10, inclusive."
LONG_EXP: "The PASSWORD_HISTORY_DEPTH parameter controls the password
history depth.  A new password is checked only against the number of
most recently used passwords stored in password history for a particular
user.  A user is not allowed to re-use a stored, previously used password.

This will cause the system to be converted to trusted mode.

PASSWORD_HISTORY_DEPTH=N   A new password is checked against only the N
most recently used passwords for a particular user.

A configuration of password history depth of 2 prevents users from
alternating between two passwords.  The maximum password history depth
supported is 10 and the minimum password history depth supported is 1.  A
depth configuration of more than 10 will be treated as 10, and a depth
configuration of less than 1 will be treated as 1.

The password history depth configuration applies system-wide and is
supported on trusted systems for users in the files repository only.  This
feature does not support users in the NIS or NISPLUS repositories.  Once
the feature is enabled, all the users on the system are subject to the
same check.  If this parameter is not configured, the password history
check feature is automatically disabled.  When the feature is disabled,
the password history check depth is set to 1.

A password change is subject to all of the other rules for a new password
including a check with the current password."
DEFAULT_ANSWER: 3
YN_TOGGLE: 0
EXPL_ANS: "1"
REG_EXP: "^[1-9]$|^10$"
REQUIRE_DISTRO: HP-UX11.22 HP-UX11.23
YES_CHILD: PASSWORD_MAXDAYS
NO_CHILD: PASSWORD_MAXDAYS
PROPER_PARENT: PASSWORD_HISTORY_DEPTHyn

LABEL: PASSWORD_MAXDAYS
QUESTION: "Enter the maximum number of days between password changes:"
SHORT_EXP: "This parameter controls the default maximum number of
days that passwords are valid.  For systems running HP-UX 11.11 and
HP-UX 11.0 setting this value will require a conversion to trusted
mode. HP-UX 11.22 and later will require shadowed password conversion.
In that case this parameter applies only to local non-root users.

PASSWORD_MAXDAYS=N   A new password is valid for up to
N days, after which the password must be changed.  Values between
0 and 441 are acceptable.

NOTE: If your system is not converted to trusted mode then this value
will be rounded up to weeks for current users."
DEFAULT_ANSWER: 182
YN_TOGGLE: 0
EXPL_ANS: "364"
REG_EXP: "^[0-9]$|^[0-9][0-9]$|^[0-3][0-9][0-9]$|^4[0-3][0-9]$|^44[01]$"
REQUIRE_DISTRO: HP-UX
YES_CHILD: PASSWORD_MINDAYS
NO_CHILD: PASSWORD_MINDAYS
PROPER_PARENT: PASSWORD_HISTORY_DEPTHyn

LABEL: PASSWORD_MINDAYS
QUESTION: "Enter the minimum number of days between password changes."
SHORT_EXP: "This parameter controls the default minimum number of
days before a password can be changed.  For systems running HP-UX 11.11 and
HP-UX 11.0 setting this value will require a conversion to trusted
mode. HP-UX 11.22 and later will require shadowed password conversion.
In that case this parameter applies only to local non-root users.  When used with
password aging, this prevents users from immediately resetting expired passwords.

PASSWORD_MINDAYS=N   A new password cannot be changed
until at least N days since it was last changed.  Values between
0 and 441 are acceptable, but it is wise to choose a value much
less than the PASSWORD_MAXDAYS!

However, if there is ever a need to temporarily give someone your password
(there are generally more secure alternatives), this option would prevent
you from changing the password again immediately afterwards.

NOTE: If your system is not converted to trusted mode then this value
will be rounded up to weeks for current users."
DEFAULT_ANSWER: "7"
YN_TOGGLE: 0
EXPL_ANS: "30"
REG_EXP: "^[0-9]$|^[0-9][0-9]$|^[0-3][0-9][0-9]$|^4[0-3][0-9]$|^44[01]$"
REQUIRE_DISTRO: HP-UX
YES_CHILD: PASSWORD_WARNDAYS
NO_CHILD: PASSWORD_WARNDAYS
PROPER_PARENT: PASSWORD_MAXDAYS

LABEL: PASSWORD_WARNDAYS
QUESTION: "Enter the number of days a user will be warned that their password will expire."
SHORT_EXP: "This parameter controls the default number of days
before password expiration that a user is to be warned
that the password must be changed.  For systems running HP-UX 11.11 and
HP-UX 11.0 setting this value will require a conversion to trusted
mode. HP-UX 11.22 and later will require shadowed password conversion.
In that case this parameter applies only to local non-root users. 

PASSWORD_WARNDAYS=N   Users are warned N days before
their password expires.  Values between 0 and 441 are
acceptable, though it doesn't make sense for this value
to be larger than PASSWORD_MAXDAYS.

NOTE: If your system is not converted to trusted mode then this value
will be rounded up to weeks for current users."
DEFAULT_ANSWER: 28
YN_TOGGLE: 0
EXPL_ANS: "14"
REG_EXP: "^[0-9]$|^[0-9][0-9]$|^[0-3][0-9][0-9]$|^4[0-3][0-9]$|^44[01]$"
REQUIRE_DISTRO: HP-UX
YES_CHILD: NOLOGIN
NO_CHILD: NOLOGIN
PROPER_PARENT: PASSWORD_MINDAYS

LABEL: NOLOGIN
QUESTION: "Should non-root users be disallowed from logging in if /etc/nologin
exists?"
SHORT_EXP: "The NOLOGIN parameter controls whether non-root logins can be
disabled by the /etc/nologin file.

If you answer \"Y\", the NOLOGIN parameter will be set to 1.  When a non-root
user tries to log in and the /etc/nologin file exists, the system will display
the contents of that file and exit.

This can be useful for system maintenance or if you wish to disallow non-root
logins completely.  In general this feature gives you more granular control
of your system, letting you secure and validate your system configuration
before local users can log in again."
DEFAULT_ANSWER: "Y"
YN_TOGGLE: 1
REG_EXP: "^[YN]$"
REQUIRE_DISTRO: HP-UX11.22 HP-UX11.23
YES_CHILD: NUMBER_OF_LOGINS_ALLOWEDyn
NO_CHILD: NUMBER_OF_LOGINS_ALLOWEDyn
PROPER_PARENT: passwordpolicies

LABEL: NUMBER_OF_LOGINS_ALLOWEDyn
QUESTION: "Do you want to set a maximum number of logins per user?"
SHORT_EXP: "The NUMBER_OF_LOGINS_ALLOWED parameter controls the number of
simultaneous logins allowed per user.  This is applicable only for non-root
users.  This may be useful in limiting the sharing of user accounts and
alerting users to a compromised account."
DEFAULT_ANSWER: "N"
YN_TOGGLE: 1
REG_EXP: "^[YN]$"
REQUIRE_DISTRO: HP-UX11.22 HP-UX11.23
YES_CHILD: NUMBER_OF_LOGINS_ALLOWED
NO_CHILD: SU_DEFAULT_PATHyn
SKIP_CHILD: SU_DEFAULT_PATHyn
PROPER_PARENT: NOLOGIN

LABEL: NUMBER_OF_LOGINS_ALLOWED
QUESTION: "Enter the maximum number of logins per user"
SHORT_EXP: "The NUMBER_OF_LOGINS_ALLOWED parameter controls the number of
simultaneous logins allowed per user.  This is applicable only for non-root
users.  This may be useful in limiting the sharing of user accounts and
alerting users to a compromised account.

NUMBER_OF_LOGINS_ALLOWED=0   Any number of logins are allowed per user.

NUMBER_OF_LOGINS_ALLOWED=N   N number of logins are allowed per user."
DEFAULT_ANSWER: 1
REQUIRE_DISTRO: HP-UX11.22 HP-UX11.23
YN_TOGGLE: 0
YES_CHILD: SU_DEFAULT_PATHyn
SKIP_CHILD: SU_DEFAULT_PATHyn
EXPL_ANS: "1"
REG_EXP: "^[0-9]+$"
PROPER_PARENT: NUMBER_OF_LOGINS_ALLOWEDyn

LABEL: SU_DEFAULT_PATHyn
QUESTION: "Do you want to set a default path for the su command?"
SHORT_EXP: "The SU_DEFAULT_PATH parameter defines a new default PATH
environment value to be set when su is used to switch to a non-superuser
account.  Refer to su(1).

This ensures that a su session will always have a known PATH value,
preventing the inheritance of a poisoned PATH variable from your current
login session.

The PATH environment variable is set to new_PATH when the su command
is invoked.  Other environment values are not changed.  The path value
is not validated.  This parameter does not apply to a superuser account,
and is applicable only when the \"-\" option is not used along with the su
command."
DEFAULT_ANSWER: "N"
REQUIRE_DISTRO: HP-UX11.22 HP-UX11.23
YN_TOGGLE: 1
REG_EXP: "^[YN]$"
YES_CHILD: SU_DEFAULT_PATH
NO_CHILD: rootttylogins
SKIP_CHILD: rootttylogins
PROPER_PARENT: NUMBER_OF_LOGINS_ALLOWEDyn

LABEL: SU_DEFAULT_PATH
QUESTION: "Enter the new PATH upon su"
SHORT_EXP: "The SU_DEFAULT_PATH parameter defines a new default PATH
environment value to be set when su is used to switch to a non-superuser
account.  Refer to su(1).

SU_DEFAULT_PATH=new_PATH

This ensures that a su session will always have a known PATH value,
preventing the inheritance of a poisoned PATH variable from your current
login session.

The PATH environment variable is set to new_PATH when
the su command is invoked.  Other environment values are
not changed.  The path value is not validated by the system, so list
only root-owned directories that other users cannot write to.  This
parameter does not apply to a superuser account, and is
applicable only when the \"-\" option is not used along
with the su command."
DEFAULT_ANSWER: "/sbin:/usr/sbin:/bin:/usr/bin"
EXPL_ANS: "/usr/bin"
REG_EXP: "^([A-Za-z0-9_.\/:-])*$"
REQUIRE_DISTRO: HP-UX11.22 HP-UX11.23
YES_CHILD: rootttylogins
SKIP_CHILD: rootttylogins
PROPER_PARENT: SU_DEFAULT_PATHyn
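
The parameters in the preceding questions are all KEY=VALUE lines in
/etc/default/security.  The script below is an added example (not Bastille's
code) of setting them on a scratch copy of that file: it validates each value
against the ranges quoted in the questions above, replaces an existing live or
commented-out definition rather than appending a duplicate, and cross-checks
that PASSWORD_MINDAYS stays below PASSWORD_MAXDAYS and that PASSWORD_WARNDAYS
does not exceed it.  The accepted character set for SU_DEFAULT_PATH and the
upper bound on NUMBER_OF_LOGINS_ALLOWED are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not Bastille code): set KEY=VALUE parameters in a copy of
# an HP-UX /etc/default/security file (see security(4)), validating values
# against the ranges quoted in the questions above.  The file path is an
# argument, so the live /etc is never touched by this demonstration.

in_range() { [ "$1" -ge "$2" ] 2>/dev/null && [ "$1" -le "$3" ] 2>/dev/null; }

# Accept only values the questions above describe as valid for each key.
# The SU_DEFAULT_PATH character set and the NUMBER_OF_LOGINS_ALLOWED upper
# bound are this example's own assumptions.
valid_value() {
    case $1 in
        MIN_PASSWORD_LENGTH)      in_range "$2" 6 80 ;;
        PASSWORD_HISTORY_DEPTH)   in_range "$2" 1 10 ;;
        PASSWORD_MAXDAYS|PASSWORD_MINDAYS|PASSWORD_WARNDAYS)
                                  in_range "$2" 0 441 ;;
        NUMBER_OF_LOGINS_ALLOWED) in_range "$2" 0 99999 ;;
        NOLOGIN|ABORT_LOGIN_ON_MISSING_HOMEDIR)
                                  [ "$2" = 0 ] || [ "$2" = 1 ] ;;
        UMASK)                    printf '%s' "$2" | grep -Eq '^[0-7]{3}$' ;;
        SU_DEFAULT_PATH)          printf '%s' "$2" | grep -Eq '^/[A-Za-z0-9_./:-]*$' ;;
        *)                        return 1 ;;
    esac
}

# set_security_param FILE KEY VALUE: drop any live or commented-out
# definition of KEY, then append exactly one KEY=VALUE line.
set_security_param() {
    file=$1; key=$2; val=$3
    valid_value "$key" "$val" || { echo "refusing $key=$val: out of range" >&2; return 1; }
    tmp=$(mktemp) || return 1
    grep -Ev "^[[:space:]]*#?[[:space:]]*$key=" "$file" > "$tmp" || :
    printf '%s=%s\n' "$key" "$val" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_security_param KEY FILE: value of the last live definition of KEY.
get_security_param() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1
}

# The aging triple only makes sense when MINDAYS < MAXDAYS and WARNDAYS <= MAXDAYS.
aging_consistent() {
    max=$(get_security_param PASSWORD_MAXDAYS "$1")
    min=$(get_security_param PASSWORD_MINDAYS "$1")
    warn=$(get_security_param PASSWORD_WARNDAYS "$1")
    [ "${min:-0}" -lt "${max:-441}" ] && [ "${warn:-0}" -le "${max:-441}" ]
}

demo() {
    f=$(mktemp) || return 1
    # Constructed scratch copy; a real file carries HP's commented defaults.
    cat > "$f" <<'EOF'
# /etc/default/security (constructed sample)
# MIN_PASSWORD_LENGTH=6
PASSWORD_MAXDAYS=90
EOF
    set_security_param "$f" MIN_PASSWORD_LENGTH 8 &&
    set_security_param "$f" PASSWORD_MAXDAYS 182 &&
    set_security_param "$f" PASSWORD_MINDAYS 7 &&
    set_security_param "$f" PASSWORD_WARNDAYS 28 &&
    set_security_param "$f" NOLOGIN 1 &&
    set_security_param "$f" SU_DEFAULT_PATH /sbin:/usr/sbin:/bin:/usr/bin ||
        { rm -f "$f"; return 1; }
    # An out-of-range value must be rejected and leave the file untouched.
    if set_security_param "$f" PASSWORD_HISTORY_DEPTH 11 2>/dev/null; then
        rm -f "$f"; return 1
    fi
    aging_consistent "$f" || { rm -f "$f"; return 1; }
    live=$(grep -c '^PASSWORD_MAXDAYS=' "$f")      # exactly one live definition
    minlen=$(get_security_param MIN_PASSWORD_LENGTH "$f")
    rm -f "$f"
    printf '%s %s\n' "$live" "$minlen"
}
demo
```

Running the demo leaves one live PASSWORD_MAXDAYS line (the original 90 is
replaced, not shadowed by a second definition) and MIN_PASSWORD_LENGTH=8 in
place of HP's commented default.  Rejecting a value such as
PASSWORD_HISTORY_DEPTH=11 up front matters because, as the question above
notes, the system would otherwise silently clamp it to 10 and the file would
no longer say what the administrator intended.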

LABEL: rootttylogins
SHORT_EXP: "You can restrict which ttys root can log in on.  Some sites choose
to restrict root logins, so that an admin must log in with an ordinary user
account and then use su to become root."
LONG_EXP: "You can restrict which ttys root can log in on.  Some sites choose
to restrict root logins, so that an admin must log in with an ordinary user
account and then use su to become root.

This can stop an attacker who has only been able to steal the root password
from logging in directly.  The attacker has to steal a second account's
password as well to make use of the root password via the ttys, and the su
to root leaves a log record naming that second account."
QUESTION: "Should we disallow root login on tty's 1-6? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: create_securetty
NO_CHILD: create_securetty
PROPER_PARENT: SU_DEFAULT_PATHyn

LABEL: create_securetty
SHORT_EXP: "Bastille can restrict root from logging into a tty over the network.
This will force administrators to log in first as a non-root user, then
su to become root.  Root logins will still be permitted on the console and
through services that do not use ttys (e.g. HP-UX Secure Shell).

This can stop an attacker who has only been able to steal the root password
from logging in directly to a tty.  The attacker has to steal a second account's
password to make use of the root password via the network, or gain access to a
non-tty login mechanism.

MAKE SURE that you can log in using a non-root account before you do this,
or you will obviously need access to the console or a non-tty remote login
mechanism, e.g. Secure Shell, to log in."
QUESTION: "Should Bastille disallow root logins from network tty's? [N]"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: forbiduserview
NO_CHILD: forbiduserview
PROPER_PARENT: rootttylogins

LABEL: forbiduserview
SHORT_EXP: "By default in Linux-Mandrake, when using the graphical login,
you can see a list of all user accounts on the system.  This can be a
minor security issue, as it tells an attacker every valid account name on
the system before a single password has been guessed.  We can turn this
feature off."
LONG_EXP: "By default in Linux-Mandrake, when using the graphical login,
you can see a list of all user accounts on the system.  This can be a
minor security issue, as it tells an attacker every valid account name on
the system before a single password has been guessed.  We can turn this
feature off."
QUESTION: "Should we deactivate the graphical login's user list display? [N]"
REQUIRE_DISTRO: MN TB
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: protectgrub
NO_CHILD: protectgrub
PROPER_PARENT: create_securetty

FILE: BootSecurity.pm

LABEL: protectgrub
SHORT_EXP: "If an attacker has physical access to this machine, and
particularly to the keyboard, s/he could get super-user access through the
Grand Unified Bootloader (GRUB) command line, for example by booting the
kernel with extra arguments.  We will look at other ways
to prevent this later, but one easy way is to password-protect the GRUB
prompt.  If GRUB is password-protected, any user can reboot the machine
normally, but only users with the password can pass arguments to the GRUB
prompt.

Note that this option can interfere with dual-booting a second operating
system, since dual booting often requires that you type an O/S name to boot
one of the two operating systems.  If this machine sits in a general
purpose lab and dual boots, you probably shouldn't choose this option.

Otherwise, this is strongly recommended for general use workstations and
servers which are not locked away in their own room."
QUESTION: "Would you like to password-protect the GRUB prompt? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: grub.conf
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: protectgrub_password
NO_CHILD: protectlilo
SKIP_CHILD: protectlilo
PROPER_PARENT: forbiduserview

LABEL: protectgrub_password
SHORT_EXP: "You've elected to password protect the GRUB prompt.  Please enter
a GRUB password.

WARNING: Please do not make this the root password for this computer, as the
         GRUB password will be stored unencrypted on the machine.  Make sure
         the GRUB configuration file is readable only by root."
QUESTION: "Enter GRUB password, please.   []"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: grub.conf
DEFAULT_ANSWER:
YN_TOGGLE: 0
YES_CHILD: protectlilo
NO_CHILD: protectlilo
PROPER_PARENT: protectgrub

LABEL: protectlilo
SHORT_EXP: "If an attacker has physical access to this machine, and
particularly to the keyboard, s/he could get super-user access through the
Linux Loader (LILO) command line, for example by booting the kernel with
extra arguments.  We will look at other ways to prevent this
later, but one easy way is to password-protect the LILO prompt.  If LILO is
password-protected, any user can reboot the machine normally, but only
users with the password can pass arguments to the LILO prompt.

Note that this option can interfere with dual-booting a second operating
system, since dual booting often requires that you type an O/S name to boot
one of the two operating systems.  If this machine sits in a general
purpose lab and dual boots, you probably shouldn't choose this option.

Otherwise, this is strongly recommended for general use workstations and
servers which are not locked away in their own room."
QUESTION: "Would you like to password-protect the LILO prompt? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: lilo.conf
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: protectlilo_password
NO_CHILD: lilodelay
SKIP_CHILD: lilodelay
PROPER_PARENT: protectgrub

LABEL: protectlilo_password
SHORT_EXP: "You've elected to password protect the LILO prompt.  Please enter
a LILO password.

WARNING: Please do not make this the root password for this computer, as the
         LILO password will be stored unencrypted on the machine.  Make sure
         lilo.conf is readable only by root."
QUESTION: "Enter LILO password, please.   []"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: lilo.conf
DEFAULT_ANSWER:
YN_TOGGLE: 0
YES_CHILD: lilodelay
NO_CHILD: lilodelay
PROPER_PARENT: protectlilo

LABEL: lilodelay
SHORT_EXP: "We can further protect the system by taking away the
attacker's chance to type anything at the LILO prompt.  This is not
dependent on the previous option, nor is it exclusive of it.  If you chose the
previous option, this will make your configuration even tighter, as some
machines will allow an attacker to place keystrokes into the keyboard buffer
before he or she reaches the LILO prompt."
QUESTION: "Would you like to reduce the LILO delay time to zero? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: lilo.conf
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: lilosub_drive
NO_CHILD: lilosub_drive
PROPER_PARENT: protectlilo
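
For reference, here is what the LILO changes above look like in lilo.conf,
as an added shell example rather than Bastille's own code.  It adds a global
password= line, the restricted keyword (so the password is demanded only when
arguments are typed at the prompt, which is the behaviour described above)
and delay=0, placing them before the first image= stanza so they apply to
every entry, and makes the file mode 600 because the password sits there in
clear text.  The sample contents and the password are constructed.  Note
that this only edits the configuration; /sbin/lilo must still be run to write
the new map to the boot device or floppy, which is what the next two
questions cover.

```shell
#!/bin/sh
# Added example (not Bastille code): apply the LILO hardening discussed
# above to a scratch copy of lilo.conf.  Global options go before the
# first image=/other= stanza so they cover every boot entry.

harden_lilo_conf() {
    conf=$1; pass=$2
    tmp=$(mktemp) || return 1
    awk -v pass="$pass" '
        # Drop existing global password=/delay=/restricted lines so that
        # running this twice does not leave duplicates.
        !seen && /^[[:space:]]*(password|delay)[[:space:]]*=/ { next }
        !seen && /^[[:space:]]*restricted[[:space:]]*$/ { next }
        # Emit the hardened settings just before the first stanza.
        !seen && /^[[:space:]]*(image|other)[[:space:]]*=/ {
            print "password=" pass   # the prompt password
            print "restricted"       # only demanded when arguments are typed
            print "delay=0"          # no window to type before booting
            seen = 1
        }
        { print }
        END { if (!seen) { print "password=" pass; print "restricted"; print "delay=0" } }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf" && rm -f "$tmp"
    # The password sits in clear text, so only root may read the file.
    chmod 600 "$conf"
}

# lilo_global_setting FILE KEY: value of KEY in the global section.
lilo_global_setting() {
    awk -v key="$2" '
        /^[[:space:]]*(image|other)[[:space:]]*=/ { exit }
        index($0, key "=") == 1 { sub("^" key "=", ""); print }
    ' "$1"
}

# Permission string of a file as ls(1) shows it, e.g. rw-------.
file_mode() { ls -l "$1" | awk '{ print substr($1, 2, 9) }'; }

demo() {
    f=$(mktemp) || return 1
    # Constructed sample lilo.conf; the password is a placeholder.
    cat > "$f" <<'EOF'
boot=/dev/hda
timeout=50
delay=50
default=linux
image=/boot/vmlinuz
        label=linux
        root=/dev/hda1
        read-only
EOF
    chmod 644 "$f"
    harden_lilo_conf "$f" 'not-the-root-password' || { rm -f "$f"; return 1; }
    harden_lilo_conf "$f" 'not-the-root-password' || { rm -f "$f"; return 1; }  # idempotent
    delay=$(lilo_global_setting "$f" delay)
    npw=$(grep -c '^password=' "$f")
    nres=$(grep -c '^restricted$' "$f")
    mode=$(file_mode "$f")
    rm -f "$f"
    # "<delay> <password lines> <restricted lines> <mode>"
    printf '%s %s %s %s\n' "$delay" "$npw" "$nres" "$mode"
}
demo
```

Running the function twice yields a single password= and a single restricted
line, delay=0 replaces the earlier delay=50, and the file ends up mode
rw-------.  Without "restricted", LILO would demand the password on every
boot, including unattended reboots, which is not the behaviour the question
above describes.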

LABEL: lilosub_drive
SHORT_EXP: "If you selected \"yes\" on either of the previous options (password-protecting the LILO prompt or reducing its delay to zero), then you need to now write the changes to your LILO configuration.

Do you boot from your hard drive? That is, is LILO installed on your hard
drive?"
QUESTION: "Do you ever boot Linux from the hard drive? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: lilo.conf
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: lilosub_floppy
NO_CHILD: lilosub_floppy
PROPER_PARENT: lilodelay

LABEL: lilosub_floppy
SHORT_EXP: "If you have a Linux boot floppy, either for normal booting or for emergency use, you should also write these LILO changes to that floppy.  If you do not already have a customized Linux boot floppy, or if you did not choose to make any changes to your LILO configuration, you should answer \"no\" here."
QUESTION: "Would you like to write the LILO changes to a boot floppy? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: lilo.conf
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: lilosub_writefloppy
NO_CHILD: secureinittab
SKIP_CHILD: secureinittab
PROPER_PARENT: lilosub_drive

LABEL: lilosub_writefloppy
SHORT_EXP: "Please place the boot floppy to be modified in a floppy drive, preferably the first drive, called \"fd0\" or \"a:\".

Now, type in the Linux name of the drive device, like so:

	    fd0          floppy drive 1
	    fd1          floppy drive 2
"
QUESTION: "Floppy drive device name: [fd0]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: lilo.conf
DEFAULT_ANSWER: fd0
YN_TOGGLE: 0
YES_EXP: "We will write to this disk when we actually make changes.  Please
leave this disk in the drive."
NO_EXP:
YES_CHILD: secureinittab
NO_CHILD: secureinittab
PROPER_PARENT: lilosub_floppy

LABEL: secureinittab
SHORT_EXP:  "In the default configuration, while in
console mode (non-graphical), any user at the keyboard can reboot the
machine by pressing CTRL-ALT-DELETE.  This is an unlikely method of attack,
and disabling CTRL-ALT-DELETE is only a useful precaution in cases where the
attacker would have access to the keyboard but not the power supply; if this
is not the case, it might be better not to disable CTRL-ALT-DELETE."
LONG_EXP: "Disabling CTRL-ALT-DELETE rebooting is designed to prevent an
attacker with access to the machine's keyboard from being able to reboot
the machine.  A reboot done in this manner should not damage the
file system, as it shuts the machine down cleanly, writing out all pending data
in the disk cache to disk first.  Even with this functionality disabled,
however, an attacker could just power cycle the machine or pull the power cord.

Unless the power line, switch and case of the machine can
be physically protected, this precaution is wholly unnecessary.  Given the
fact that the attacker _can_ reboot the machine, would you prefer that
s/he do it in a way that potentially damages the file system?  Think carefully
here, as maintaining the integrity of the machine's file system may be secondary
to the goal of keeping an attacker off, in which case it is better to answer yes
here, since having to repair/ignore the damage and wait for file system
checks may slow the attacker down."
QUESTION: "Would you like to disable CTRL-ALT-DELETE rebooting? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: passsum
NO_CHILD: passsum
PROPER_PARENT: lilosub_floppy
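
On a SysV-style init, the CTRL-ALT-DELETE handler is the /etc/inittab entry
whose action field is ctrlaltdel.  The shell example below (added here, not
Bastille code) comments that entry out in a scratch copy of a constructed
inittab and counts the live entries before and after.  On a live system you
would run this against /etc/inittab and then "telinit q" so that init rereads
the file; on a systemd-based system the equivalent is masking
ctrl-alt-del.target instead, and the inittab edit does nothing.

```shell
#!/bin/sh
# Added example (not Bastille code): disable CTRL-ALT-DELETE handling in a
# scratch copy of a SysV /etc/inittab.  Entries are id:runlevels:action:process
# and init(8) runs the one whose action is "ctrlaltdel".  The entry is commented
# out rather than deleted so the original command stays visible.

disable_ctrlaltdel() {
    tmp=$(mktemp) || return 1
    awk -F: '
        $0 !~ /^[[:space:]]*#/ && NF >= 4 && $3 == "ctrlaltdel" { print "#" $0; next }
        { print }
    ' "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Number of live (uncommented) ctrlaltdel entries in an inittab.
ctrlaltdel_entries() {
    awk -F: '$0 !~ /^[[:space:]]*#/ && NF >= 4 && $3 == "ctrlaltdel" { n++ }
             END { print n + 0 }' "$1"
}

demo() {
    f=$(mktemp) || return 1
    # Constructed sample inittab.
    cat > "$f" <<'EOF'
# inittab (constructed sample)
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
EOF
    before=$(ctrlaltdel_entries "$f")
    disable_ctrlaltdel "$f" || { rm -f "$f"; return 1; }
    after=$(ctrlaltdel_entries "$f")
    # Running it again must not comment out the line a second time.
    disable_ctrlaltdel "$f" || { rm -f "$f"; return 1; }
    doubled=$(grep -c '^##' "$f")
    rm -f "$f"
    # "<live entries before> <live entries after> <double-commented lines>"
    printf '%s %s %s\n' "$before" "$after" "$doubled"
}
demo
```

The entry count goes from 1 to 0 and a second run changes nothing.  Matching
on the action field rather than on the "ca" id is deliberate: the id is a
convention, the action is what init acts on.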

LABEL: passsum
SHORT_EXP: "Anyone who can physically interact with your system can tell the
bootloader to bring your machine up in \"single user mode\", where s/he is 
given root privileges and everyone else is locked out of the system.  This
doesn't require a password on most Unix systems.  The method differs with
the bootloader being used, thus on each operating system revision and 
architecture.  You can test this attack on a Linux system that uses LILO by
typing \"linux single\" at the LILO: prompt.

Bastille can password-protect the bootprompt for you.  You won't have to 
remember another password--single user mode, or \"root\" mode, will require 
the root password.

We HIGHLY recommend that you password protect single user mode."
QUESTION: "Would you like to password protect single-user mode? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB OSX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: disable_autologin
NO_CHILD: disable_autologin
PROPER_PARENT: secureinittab
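The two console-hardening steps described above (disabling CTRL-ALT-DELETE and requiring the root password for single-user mode), applied to a copy of /etc/inittab so they can be checked before the real file is touched. This is an added example, not Bastille's own code; it assumes a SysV-style inittab and uses sulogin for the single-user step, one common way of getting the behaviour the passsum text describes (the LILO-side alternative, restricted/password in lilo.conf, is not shown).

```shell
#!/bin/sh
# Added example, not Bastille's own code.  Hardens a SysV inittab copy:
#   1. comments out the ctrlaltdel entry (secureinittab question)
#   2. makes runlevel S run sulogin, so single-user mode asks for the root
#      password instead of dropping to a root shell (passsum question)
# After editing the real /etc/inittab, run "telinit q" so init re-reads it.

# Constructed sample inittab (format id:runlevels:action:process).
make_sample_inittab() {
    cat > "$1" <<'EOF'
# Sample /etc/inittab, constructed for this example
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
EOF
}

# disable_ctrlaltdel FILE: comment out every active line whose action field
# (third colon-separated field) is "ctrlaltdel".  Matching on the field
# rather than on the word anywhere leaves comments and unrelated lines
# alone; already-commented lines are skipped, so the call is idempotent.
disable_ctrlaltdel() {
    awk -F: '$0 !~ /^[ \t]*#/ && $3 == "ctrlaltdel" { print "#" $0; next }
             { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# require_root_for_single_user FILE: if no active entry runs sulogin for
# runlevel S, append one.  Re-running does not add a second entry.
require_root_for_single_user() {
    if ! awk -F: '$0 !~ /^[ \t]*#/ && $2 ~ /S/ && $4 ~ /sulogin/ { found = 1 }
                  END { exit !found }' "$1"; then
        echo '~~:S:wait:/sbin/sulogin' >> "$1"
    fi
}

# inittab_audit FILE: prints "ctrlaltdel=<enabled|disabled> sulogin=<yes|no>",
# handy for checking the result or a host that has not been hardened yet.
inittab_audit() {
    awk -F: '
        $0 ~ /^[ \t]*#/            { next }
        $3 == "ctrlaltdel"         { cad = 1 }
        $2 ~ /S/ && $4 ~ /sulogin/ { su = 1 }
        END { printf "ctrlaltdel=%s sulogin=%s\n",
                     cad ? "enabled" : "disabled", su ? "yes" : "no" }' "$1"
}
```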

LABEL: disable_autologin
SHORT_EXP: "Autologin logs you in as a particular user without a password. 
This option is an extremely low security feature, intended to make
the operating system easier to use.

You should disable autologin unless you absolutely, positively are the 
only person with physical access to this machine."
LONG_EXP: "Autologin logs you in as a particular user without a password.
This option is an extremely low security feature, intended to make
the operating system easier to use.

You should disable autologin unless you absolutely, positively are the 
only person with physical access to this machine."
QUESTION: "May we disable Autologin? [Y]"
DEFAULT_ANSWER: Y
REQUIRE_DISTRO: MN7.0 MN7.1 MN7.2 MN8.0 MN8.1 OSX
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: tcpd_default_deny
NO_CHILD: tcpd_default_deny
PROPER_PARENT: passsum

FILE: SecureInetd.pm

LABEL: tcpd_default_deny
SHORT_EXP: "Not recommended for most users:

If you would like, Bastille can configure a default policy for all inetd,
xinetd, and TCP Wrappers-aware services to deny all connection attempts.
While you might have already chosen to install Bastille's firewall, setting
a default deny policy for these services gives more defense in depth.

This will also configure xinetd so that the currently-installed xinetd
services will use xinetd's more flexible access control and *not*
/etc/hosts.allow.  All other wrappers-based programs, like sshd, will
obey the default-deny."
LONG_EXP: "Not recommended for most users:

Many network services can be configured to restrict access
to certain network addresses (and in the case of 'xinetd' services in
Linux-Mandrake 8.0 and Red Hat 7.x, other criteria as well). For services
running under the older 'inetd' super-server (found in older versions of
Linux-Mandrake and Red Hat, and current versions of some other distributions),
some standalone services like OpenSSH, and --unless otherwise configured--
services running under Red Hat's xinetd super-server, you can configure
restrictions based on network address in /etc/hosts.allow. The services
using inetd or xinetd typically include telnet, ftp, pop, imap, finger,
and a number of other services.

If you would like, Bastille can configure a default policy for all inetd,
xinetd, and TCP Wrappers-aware services to deny all connection attempts.
While you might have already chosen to install Bastille's firewall, setting
a default deny policy for these services gives more defense in depth.

This will also configure xinetd so that the currently-installed xinetd
services will use xinetd's more flexible access control and *not*
/etc/hosts.allow.  All other wrappers-based programs, like sshd, will
obey the default-deny."
QUESTION: "Would you like to set a default-deny on TCP Wrappers and xinetd? [N]"
REQUIRE_DISTRO: LINUX DB SE TB OSX
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: deactivate_telnet
NO_CHILD: deactivate_telnet
PROPER_PARENT: disable_autologin
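A default-deny TCP Wrappers policy like the one described above, written to copies of /etc/hosts.allow and /etc/hosts.deny, together with a small checker that mirrors tcpd's lookup order (first hosts.allow match permits, first hosts.deny match refuses, otherwise permit) so you can confirm which daemon/client pairs still get through. This is an added example, not Bastille's own code; the checker only understands ALL, exact addresses and net/mask client patterns with a contiguous mask, daemon names are the server process names tcpd sees (sshd, in.telnetd), and all addresses are constructed.

```shell
#!/bin/sh
# Added example, not Bastille's own code.  Writes a TCP Wrappers
# default-deny policy to caller-supplied files and evaluates it the way
# tcpd does.  Hostnames, EXCEPT lists and rule options are not handled.

# write_default_deny ALLOWFILE DENYFILE ["DAEMONS: CLIENTS" ...]
# The catch-all goes in hosts.deny; each extra argument becomes one
# hosts.allow exception.
write_default_deny() {
    allow="$1"; deny="$2"; shift 2
    {
        echo "# Default deny: anything not listed in hosts.allow is refused."
        echo "ALL: ALL"
    } > "$deny"
    {
        echo "# Explicit exceptions to the default deny in hosts.deny."
        for rule in "$@"; do echo "$rule"; done
    } > "$allow"
}

# ip2int A.B.C.D: dotted quad to an integer (printf avoids awk's %.6g output).
ip2int() {
    echo "$1" | awk -F'[.]' '{ printf "%.0f\n", (($1*256+$2)*256+$3)*256+$4 }'
}

# client_matches PATTERN IP: PATTERN is ALL, an exact address, or net/mask.
client_matches() {
    case "$1" in
        ALL) return 0 ;;
        */*) net=$(ip2int "${1%/*}"); mask=$(ip2int "${1#*/}"); ip=$(ip2int "$2")
             [ "$(( ip & mask ))" -eq "$(( net & mask ))" ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# file_matches FILE DAEMON IP: true if any active rule in FILE covers the
# pair.  Comments and the optional options field are dropped; daemon and
# client lists may be comma- or space-separated, so whitespace becomes
# commas and each rule is carried as one "daemons|clients" word.
file_matches() {
    [ -f "$1" ] || return 1
    rules=$(sed -e 's/#.*//' "$1" |
            awk -F: 'NF >= 2 { gsub(/[ \t]+/, ",", $1); gsub(/[ \t]+/, ",", $2)
                               print $1 "|" $2 }')
    for rule in $rules; do
        daemons=$(echo "${rule%%|*}" | tr ',' ' ')
        clients=$(echo "${rule#*|}" | tr ',' ' ')
        for d in $daemons; do
            [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
            for c in $clients; do
                client_matches "$c" "$3" && return 0
            done
        done
    done
    return 1
}

# wrappers_decision ALLOWFILE DENYFILE DAEMON IP: prints allow or deny.
wrappers_decision() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow   # no rule in either file: tcpd permits the connection
    fi
}
```

The last branch is the reason the catch-all in hosts.deny matters: without it, any daemon with no rule at all is reachable from everywhere.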

LABEL: deactivate_telnet
SHORT_EXP: "Telnet is not secure.

Telnet is shipped on most operating systems for backward compatibility,
and it should not be used in an untrusted network.

Telnet is a clear-text protocol, meaning that any data transferred,
including passwords, can be monitored by anyone else on your network (even if
you use a switching router, as switches were designed for performance, not
security, and can be made to broadcast).  Other networks can monitor this
information too if the telnet session crosses multiple LANs.

There are also other more active attacks.  For example, anyone who can
eavesdrop can usually take over your telnet session, using a tool like
Hunt or Ettercap.

The standard practice among security-conscious sites is to migrate as rapidly
as practical from telnet to Secure Shell (command: ssh).  We'd advise you to
make this move as soon as possible.  Secure Shell implementations are
available from openssh.org and ssh.com.  Most operating system vendors also
distribute a version of Secure Shell, so check with your vendor first to see
if there is a version that has been tested with your OS.

NOTE: Deactivating the telnetd service will not affect your telnet client."
QUESTION: "Should Bastille ensure the telnet service does not run on this system? [y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: deactivate_ftp
NO_CHILD: deactivate_ftp
PROPER_PARENT: tcpd_default_deny


LABEL: deactivate_ftp
SHORT_EXP: "Ftp is another problematic protocol.  First, it is a clear-text
protocol, like telnet -- this allows an attacker to eavesdrop on sessions and
steal passwords. This also allows an attacker to take over an FTP session,
using a clear-text-takeover tool like Hunt or Ettercap.  Second, it can make
effective firewalling difficult due to the way FTP requires many ports to
stay open.  Third, every major FTP daemon has had a
long history of security vulnerability -- they represent one of the major
successful attack vectors for remote root attacks.

FTP can be replaced by Secure Shell's scp and sftp programs.

NOTE: Answering \"yes\" to this question will also prevent the use of this
machine as an anonymous ftp server."
QUESTION: "Should Bastille ensure inetd's FTP service does not run on this system? [y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: deactivate_rtools
NO_CHILD: deactivate_rtools
PROPER_PARENT: deactivate_telnet

LABEL: deactivate_rtools
SHORT_EXP: "The login, shell, and exec services make use of r-tools: rlogind,
remshd, and rexecd respectively, which use IP based
authentication.  This form of authentication can be easily defeated via
forging packets that suggest the connecting machine is a trusted host
when in fact it may be an arbitrary machine on the network.  Administrators
in the past have found these services useful but many are unaware of the
security ramifications of leaving these services enabled. 

We suggest disabling these services unless this machine's use
model requires them.

Remote ignition, backup, etc. using Ignite-UX requires the remshd services
for remote execution of commands."
QUESTION: "Should Bastille ensure that the login, shell, and exec services do not run on this system?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: deactivate_tftp
NO_CHILD: deactivate_tftp
PROPER_PARENT: deactivate_ftp

LABEL: deactivate_tftp
SHORT_EXP: "TFTP is often used to download operating system images and
configuration data to diskless hosts. The Trivial File Transfer Protocol
(TFTP) is a UDP-based file-transfer protocol that provides hardly any security.
If this machine is not a boot server for diskless hosts/appliances or an
Ignite-UX server, then TFTP should be disabled."
QUESTION: "Should Bastille ensure inetd's TFTP service does not run on this system?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: deactivate_bootp
NO_CHILD: deactivate_bootp
PROPER_PARENT: deactivate_rtools

LABEL: deactivate_bootp
SHORT_EXP: "The bootpd daemon implements three functions:
a Dynamic Host Configuration Protocol (DHCP) server, an Internet Boot
Protocol (BOOTP) server, and a DHCP/BOOTP relay agent.  If this system
is neither a BOOTP/DHCP server nor a DHCP/BOOTP relay agent, then it is
advisable to disable this service."
QUESTION: "Should Bastille ensure inetd's bootp service does not run on this system?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: deactivate_finger
NO_CHILD: deactivate_finger
PROPER_PARENT: deactivate_tftp

LABEL: deactivate_finger
SHORT_EXP: "fingerd is the server for the RFC 742 Name/Finger protocol. 
It provides a network interface to finger, which gives a status report of
users currently logged in on the system or a detailed report about a specific
user (see finger(1)).  We recommend disabling the service, as fingerd provides
local system user information to remote sources; this information can be useful
to someone attempting to break into your system."
QUESTION: "Should Bastille ensure inetd's finger service does not run on this system?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: deactivate_uucp
NO_CHILD: deactivate_uucp
PROPER_PARENT: deactivate_bootp

LABEL: deactivate_uucp
SHORT_EXP: "UUCP (Unix-to-Unix copy) copies files named by the source_files argument
to the destination identified by the destination_file argument.  UUCP uses a clear-text
transport for authentication, and it is not commonly used.  We therefore recommend
disabling this service and using a more secure file transfer program such as scp."
QUESTION: "Should Bastille ensure inetd's uucp service does not run on this system?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: deactivate_ntalk
NO_CHILD: deactivate_ntalk
PROPER_PARENT: deactivate_finger

LABEL: deactivate_ntalk
SHORT_EXP: "Ntalk is a visual communication program that predates instant messaging
applications; it copies lines from your terminal to that of another user.  Ntalk
is commonly considered a light security hazard, and if it is not used on this
machine it should be disabled."
QUESTION: "Should Bastille ensure inetd's ntalk service does not run on this system?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: deactivate_ident
NO_CHILD: deactivate_ident
PROPER_PARENT: deactivate_uucp

LABEL: deactivate_ident
SHORT_EXP: "The ident service implements the TCP/IP proposed standard IDENT
user identification protocol as specified in the RFC 1413 document.  identd
operates by looking up specific TCP/IP connections and returning the user
name of the process owning the connection.  This service could be used to
determine user information on a given machine in preparation for a
brute-force password attack like a dictionary attack.  We recommend
disabling this service unless compelled by application-specific needs."
QUESTION: "Should Bastille ensure inetd's ident service does not run on this system?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: deactivate_builtin
NO_CHILD: deactivate_builtin
PROPER_PARENT: deactivate_ntalk

LABEL: deactivate_builtin
SHORT_EXP: "The inetd's built-in services include chargen, daytime, discard,
and echo.  These services are rarely used and when they are it is generally
for testing.  The UDP versions of these services can be used in a Denial of
Service attack and therefore we recommend disabling these services.  A brief
definition of each service is as follows:

daytime: Sends the current date and time as a human readable character string
(RFC 867)

discard:  Throws away anything that is sent to it, similar to
/dev/null (RFC 863)

chargen:  Character Generator sends you a stream of some
undefined data, preferably data in some recognizable pattern (RFC 862)

echo:  Simply returns the packets sent to it. (RFC 862)"
QUESTION: "Should Bastille ensure that inetd's built-in services do not run on this system?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: deactivate_time
NO_CHILD: deactivate_time
PROPER_PARENT: deactivate_ident

LABEL: deactivate_time
SHORT_EXP: "The time service that is built into inetd produces machine-readable time, in
seconds since midnight on 1 January 1900 (RFC 868).  It is used for clock synchronization,
but it lacks the ability to be configured securely.  It is recommended that the time
service be disabled and that this machine use the Network Time Protocol to synchronize
its clock instead, as XNTP can be configured securely; see xntpd(1m)."
QUESTION: "Should Bastille ensure that inetd's time service does not run on this system?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: deactivate_ktools
NO_CHILD: deactivate_ktools
PROPER_PARENT: deactivate_builtin

LABEL: deactivate_ktools
SHORT_EXP: "The kshell and klogin services use Kerberos authentication protocols.  If
this machine is not using the Kerberos scheme then it is suggested that these services
be disabled.  Following the principle of minimalism in a security lockdown, any service or
daemon running on the system that is not needed or used should be disabled."
QUESTION: "Should Bastille ensure that the inetd's klogin and kshell services do not run on this system?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: deactivate_dttools
NO_CHILD: deactivate_dttools
PROPER_PARENT: deactivate_time

LABEL: deactivate_dttools
SHORT_EXP: "The dtspcd, ttdbserver, and cmsd services are used by CDE.  Each service
has relative merits but they are all rarely used and for the most part deprecated.
Definitions for each service are as follows:

dtspcd: 
Desktop Subprocess Control service is used to invoke processes on other
systems.  It uses an IP-based authentication that is relatively easy to beat.

cmsd: 
This is used to run Sun's Calendar Manager software database over the network.
If you don't use Sun's Calendar Manager software you will not be affected by
disabling this service. Sun's Calendar Manager will not work properly with
cmsd disabled.

ttdbserver: 
Sun's ToolTalk Database Server allows OpenWindows programs to intercommunicate. 
Disabling this service may affect some of the advanced mail features of dtmail. 
For instance, you will be unable to use the network aware mail locking feature
of dtmail.  Some third party applications may use this service as well."
QUESTION: "Should Bastille ensure that inetd's CDE helper services do not run on this system?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: deactivate_recserv
NO_CHILD: deactivate_recserv
PROPER_PARENT: deactivate_ktools

LABEL: deactivate_recserv
SHORT_EXP: "HP SharedX Receiver Service is used to receive shared windows from
another machine in X without explicitly performing any xhost command.  This service
is required for MPower remote windows; if you use MPower, leave this service running
on your system.  The SharedX Receiver Service is an automated wrapper around the xhost command, see
xhost(1).  This service should be disabled unless the viewing of shared windows is
something that is often done on this machine.  xhost is generally the more secure
solution as it makes all sharing of windows explicit."
QUESTION: "Should Bastille ensure that inetd's recserv service does not run on this system?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: deactivate_swat
NO_CHILD: deactivate_swat
PROPER_PARENT: deactivate_dttools

LABEL: deactivate_swat
SHORT_EXP: "The swat service allows a Samba administrator to configure Samba via
a Web browser.  Also, swat allows administrators to view and change the Samba
configuration and apply those changes, all via the Web.  The drawback from a security standpoint comes from the
authentication method used for the Samba administrator.  That is, clear-text
passwords are passed through the network if a connection is initiated from an
outside source.  This form of authentication is easily defeated and therefore, it is
recommended that this machine not run the swat service."
QUESTION: "Should Bastille ensure that inetd's swat service does not run on this system?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: deactivate_printer
NO_CHILD: deactivate_printer
PROPER_PARENT: deactivate_recserv

LABEL: deactivate_printer
SHORT_EXP: "The printer service is a line printer daemon that accepts remote
spool requests.  It uses the rlpdaemon to process remote print requests as well
as displaying the queue and removing jobs from the queue upon request.  If this
machine is not used as a remote print spooler then this service should be
disabled."
QUESTION: "Should Bastille ensure that inetd's printer service does not run on this system?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: banners
NO_CHILD: banners
PROPER_PARENT: deactivate_swat

LABEL: banners
SHORT_EXP: "At this point you can create \"Authorized Use Only\" messages for
your site. These may be very helpful in prosecuting system crackers you
may catch trying to break into your system.  Bastille can make default
messages which you may then later edit.  This is sort of like an
\"anti-welcome mat\" for your computer."
QUESTION: "Would you like to display \"Authorized Use\" messages at log-in time? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB OSX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP: "A default login/telnet/ftp \"Authorized Use Only\" banner will be
created, and will be found in /etc/issue.  You should modify this banner to
apply more specifically to your organization (for instance, adding any
site-specific information to the default warnings).  If this is a corporate site,
check with your corporate counsel to determine the most appropriate
warning for the banner.  These banners, according to CIAC's bulletin

   (http://ciac.llnl.gov/ciac/bulletins/j-043.shtml)

may make it much easier to prosecute intruders.  By including this default
banner, neither the Bastille development team nor Hewlett-Packard Company
take any responsibility for your ability to prosecute system crackers.
Please, especially if you run a corporate site, review/replace this with
more specific language."
NO_EXP:
YES_CHILD: owner
NO_CHILD: log_inetd
SKIP_CHILD: log_inetd
PROPER_PARENT: deactivate_printer

LABEL: owner
SHORT_EXP: "Bastille will start to make the banner more specific by
telling the user who is responsible for this machine.  This will state
explicitly from whom the user needs to obtain authorization to use this
machine.  Please type in the name of the company, person, or other
organization who owns or is responsible for this machine."
QUESTION: "Who is responsible for granting authorization to use this machine?"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB OSX
DEFAULT_ANSWER: "its owner"
YN_TOGGLE: 0
YES_CHILD: log_inetd
NO_CHILD: log_inetd
SKIP_CHILD: log_inetd
PROPER_PARENT: banners

LABEL: log_inetd
SHORT_EXP: "It is a good idea to log connection attempts to inetd services.
The only reason not to do this is that logging every inetd connection will
fill logs more quickly, particularly if inetd services are heavily used on
this machine."
QUESTION: "Should Bastille enable logging for all inetd connections?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
YES_CHILD: inetd_general
NO_CHILD: inetd_general
SKIP_CHILD: inetd_general
PROPER_PARENT: banners

LABEL: inetd_general
SHORT_EXP: "In addition to the previously mentioned services, one should
also disable other unneeded inetd services.  The aim is to only leave
those services running that are critical to the operation of
this machine.  This is an example of the frequent tradeoff
between security and functionality.  The most secure
machine is usually not very useful.  For the most secure, but useful
system, you will need to enable only those services which this system
needs to fulfill its intended purpose.

You can further restrict access using the inetd.sec file or a program
like tcpwrappers.  If you answer \"Y\" to this question, Bastille will
also point you to information on how to configure these tools.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Should Bastille tell you to disable unneeded inetd services in the TODO list?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
YES_CHILD: compiler
NO_CHILD: compiler
SKIP_CHILD: compiler
PROPER_PARENT: log_inetd
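Disabling the inetd services the deactivate_* questions above cover, and listing what is left enabled as input for the review inetd_general asks for, done on a copy of inetd.conf rather than the live file. This is an added example, not Bastille's own code; the sample inetd.conf is constructed, and services are assumed to appear under their first-field names in a classic seven-field inetd.conf (RPC-based entries, whose first field is "rpc", would need matching by program name and are not handled).

```shell
#!/bin/sh
# Added example, not Bastille's own code.  Comments out inetd services in a
# copy of inetd.conf, taking a one-time backup, and reports what is still
# enabled.  After editing the real file, tell inetd to re-read it:
# "inetd -c" on HP-UX, SIGHUP to the inetd process on most Linux systems.

# Constructed sample inetd.conf in the classic layout:
#   service socket-type protocol wait/nowait user server args
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# Sample inetd.conf, constructed for this example
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
login   stream tcp nowait root /usr/lbin/rlogind rlogind
shell   stream tcp nowait root /usr/lbin/remshd  remshd
exec    stream tcp nowait root /usr/lbin/rexecd  rexecd
tftp    dgram  udp wait   root /usr/lbin/tftpd   tftpd
finger  stream tcp nowait bin  /usr/lbin/fingerd fingerd
daytime stream tcp nowait root internal
echo    dgram  udp wait   root internal
time    stream tcp nowait root internal
ssh     stream tcp nowait root /usr/local/sbin/sshd sshd -i
EOF
}

# disable_inetd_services FILE SERVICE...: comment out each named service.
# Entries are recognised by their first field, so "echo" never touches a
# server path that merely contains the word; already-commented lines are
# left alone, which makes the call idempotent.  The backup is taken once so
# a second run cannot overwrite it with an already-modified file.
disable_inetd_services() {
    conf="$1"; shift
    [ -e "$conf.bastille-bak" ] || cp -p "$conf" "$conf.bastille-bak"
    for svc in "$@"; do
        awk -v svc="$svc" '$0 !~ /^[ \t]*#/ && $1 == svc { print "#" $0; next }
                            { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    done
}

# enabled_inetd_services FILE: first field of every active entry, one per
# line, for verifying the result and deciding what else needs review.
enabled_inetd_services() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next } { print $1 }' "$1"
}
```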

FILE: DisableUserTools.pm

LABEL: compiler
SHORT_EXP: "The most common technique for the bulk of the system
crackers out there is to gain access to your system, often through a regular
user account, and then use that access to compile exploits against your
system or other systems.  Disabling the gcc compiler on your system will slow
these crackers down, and may even prevent some attacks entirely.

If this machine is a dedicated server/firewall, which does not have users who
need to compile programs, this action is strongly recommended.  Otherwise,
you should very carefully consider whether you will be inconveniencing your
users by disabling the compiler.  If you do choose to disable it, we'll do so by
only allowing root access to the compiler."
QUESTION: "Would you like to disable the gcc compiler? [N]"
REQUIRE_DISTRO: LINUX DB SE TB OSX
REQUIRE_FILE_EXISTS: gcc
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: limitsconf
NO_CHILD: limitsconf
PROPER_PARENT: inetd_general

FILE: ConfigureMiscPAM.pm

LABEL: limitsconf
SHORT_EXP: "In certain kinds of system attacks, known as Denial of Service
(DoS) attacks, the goal is not to gain access but instead to disrupt the
normal operation of the computer.  You can protect against certain types of
denial of service attacks by setting limits on the resources available to each
user.

Though you should customize this setting later if you're running a high-
output production server, we recommend this action for all machines and
configurations."
LONG_EXP:  "Denial of Service attacks are often very difficult to defend
against, since they don't require access of any kind to the target machine.
Since several major daemons, including the web, name, and FTP servers, may
run as a particular user, you can limit the effectiveness of many Denial of
Service attacks by modifying /etc/security/limits.conf.  If you restrict the
resources available in this manner, you can effectively cripple most Denial of
Service attacks.

If you choose this option, you'll be setting the following initial limits on
resource usage:

   - The number of allowed core files will be set to zero.  Core files
     can be useful for diagnosing system problems, but they are very
     large files and can be exploited by an attacker to fill up your
     file system.  They can also be used to tune vulnerability exploitation 
     tools.  Finally, an attacker might use the core file from a crashed 
     program to obtain privileged data that was dumped by the program.

   - Individual users are limited to 150 processes each.  This should
     be more than enough for normal system usage, and is not enough
     to bring down your machine.  (Linux only)

All of these values can be edited later."
QUESTION: "Would you like to put limits on system resource usage? [N]"
REQUIRE_DISTRO: LINUX DB SE TB OSX
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP: "System resource limits have been set in the file
/etc/security/limits.conf, which you can edit later as necessary."
NO_EXP:
YES_CHILD: consolelogin
NO_CHILD: consolelogin
PROPER_PARENT: compiler
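The two limits.conf entries the question above describes (no core files, 150 processes per user), managed idempotently on a copy of /etc/security/limits.conf. This is an added example, not Bastille's own code; it assumes pam_limits' "domain type item value" layout and that "*" is the wildcard domain for users without a more specific entry.

```shell
#!/bin/sh
# Added example, not Bastille's own code.  Sets or updates pam_limits
# entries in a caller-supplied limits.conf without duplicating lines.

# set_limit FILE DOMAIN TYPE ITEM VALUE: replace an existing active line for
# the same (domain, type, item) triple, dropping duplicates of it, or append
# a new line if the triple is not present yet.
set_limit() {
    awk -v dom="$2" -v typ="$3" -v item="$4" -v val="$5" '
        $0 !~ /^[ \t]*#/ && $1 == dom && $2 == typ && $3 == item {
            if (!done) { printf "%-8s %-5s %-6s %s\n", dom, typ, item, val; done = 1 }
            next
        }
        { print }
        END { if (!done) printf "%-8s %-5s %-6s %s\n", dom, typ, item, val }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_limit FILE DOMAIN TYPE ITEM: print the configured value, or nothing.
get_limit() {
    awk -v dom="$2" -v typ="$3" -v item="$4" '
        $0 !~ /^[ \t]*#/ && $1 == dom && $2 == typ && $3 == item { print $4 }' "$1"
}

# bastille_style_limits FILE: the initial limits the question lists.  Hard
# limits cannot be raised by the user; a process-count limit like nproc is
# only meaningful on Linux, as the text notes.
bastille_style_limits() {
    [ -f "$1" ] || : > "$1"
    set_limit "$1" '*' hard core  0
    set_limit "$1" '*' hard nproc 150
}
```

pam_limits only applies to sessions that pass through PAM (logins, su, sshd); a daemon started from an init script is not covered unless the script sets ulimit itself, so check how the daemons you want to contain are actually started.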

LABEL: consolelogin
SHORT_EXP: "Under some distributions, users logged in at the console have
some special access rights (like the ability to mount the CD-ROM drive).  You
can disable this special access entirely, but a more flexible option is to
restrict console access to a small group of trusted user accounts."
QUESTION: "Should we restrict console access to a small group of user accounts? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: consolelogin_accounts
NO_CHILD: morelogging
SKIP_CHILD: morelogging
PROPER_PARENT: limitsconf

LABEL: consolelogin_accounts
SHORT_EXP: "Please enter the account names that should be able to log in
via the console, placing a space between each name."
QUESTION: "Which accounts should be able to log in at the console? [root]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: root
YN_TOGGLE: 0
YES_CHILD: morelogging
NO_CHILD: morelogging
PROPER_PARENT: consolelogin


FILE: Logging.pm

LABEL: morelogging
SHORT_EXP: "We would like to configure additional logging for your system.
We will give you the option to log to a remote host, if your site already
has one.  We will add two additional logging files to the default setup and
will also log some status messages to the 7th and 8th virtual terminals
(the ones you'll see when you hit ALT-F7 and ALT-F8).  This additional
logging will not change the existing log files at all, so this is by no means
a \"risky\" move."
QUESTION: "Would you like to add additional logging? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP: "This script is adding additional logging files:

/var/log/kernel       --    kernel messages
/var/log/syslog       --    messages of severity \"warning\" and \"error\"

Also, if you check the 7th and 8th TTY's, by hitting ALT-F7 or ALT-F8,
you'll find that we are now logging to virtual TTY's as well.  If you
try this, remember that you can use ALT-F1 to get back to the first
virtual TTY."
NO_EXP:
YES_CHILD: remotelog
NO_CHILD: pacct
SKIP_CHILD: pacct
PROPER_PARENT: consolelogin

LABEL: remotelog
SHORT_EXP: "If you already have a remote logging host, we can set this
machine to log to it."
QUESTION: "Do you have a remote logging host? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: remotelog_host
NO_CHILD: pacct
SKIP_CHILD: pacct
PROPER_PARENT: morelogging

LABEL: remotelog_host
SHORT_EXP: "What is the IP address of the machine you normally log to?
Remember, this should be a machine already configured to accept logging.
If you have no such machine, select <Back> and change your answer.

Note: we ask for an IP address because this is safer -- it avoids DNS cache
      poisoning attacks on logging.  You may use a hostname, but it should be
      added to your /etc/hosts file..."
QUESTION: "What is the IP address of the machine you want to log to? [127.0.0.1]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: 127.0.0.1
YN_TOGGLE: 0
YES_CHILD: pacct
NO_CHILD: pacct
PROPER_PARENT: remotelog

LABEL: pacct
SHORT_EXP: "Linux has the ability to log which commands are run when and by
whom.  This is extremely useful in trying to reconstruct what a potential
cracker actually ran.  The drawbacks are that the logs get large quickly (a
log rotate module is included to offset this), the parameters to commands
are not recorded, and, like all log files, the accounting log is removable if the
attacker has root.

As this is rather disk and CPU intensive, please choose NO unless you have
carefully considered this option."
QUESTION: "Would you like to set up process accounting? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: accton
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: minimalism
NO_CHILD: minimalism
PROPER_PARENT: morelogging

FILE: MiscellaneousDaemons.pm

LABEL: minimalism
SHORT_EXP: "To make the operating system more secure, we try to deactivate all
system daemons, especially those running at a high/unlimited level of
privilege.  Each active system daemon serves as a potential point of
break-in, which might allow an attacker illegitimate access to your
system.  An attacker can use these system daemons to gain access if they
are later found to have a bug or security vulnerability.

We practice a minimalist principle here: minimize the number of privileged
system daemons and you can decrease your chances of being a victim should
one of the standard daemons be found later to have a vulnerability.  This
section will require careful attention, but if you have doubts, you should
be able to safely select the default value in most cases."
QUESTION:
REQUIRE_DISTRO: LINUX HP-UX DB SE TB OSX
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: apmd
NO_CHILD: apmd
PROPER_PARENT: pacct

LABEL: apmd
SHORT_EXP: "apmd is used to monitor battery power and is used almost
exclusively by notebook/laptop computers."
QUESTION: "Would you like to disable apmd? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_apmd
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: remotefs
NO_CHILD: remotefs
PROPER_PARENT: minimalism

LABEL: remotefs
SHORT_EXP: "We would like to disable the network file systems NFS (Network
File System, common to most Unix variants) and SMB (Samba, which comes with
most Linux distributions).  We strongly recommend that you disable both of
these.  NFS has a history of major security vulnerabilities; Samba is slightly
better, but it is still a shared file system and still raises potentially
severe security concerns.  Both services use clear-text, meaning that any
data transferred can be monitored by anyone else on your network (even if you
use a switching router, as switches were designed for performance, not
security).  Transferred data includes file handles, which can then be used to
modify files.

These services are safer if you can set your firewall to block
packets for either of them from entering or leaving your network, but it's
probably best to deactivate them until you can investigate whether or not
you need them and how to best secure them."
QUESTION: "Would you like to deactivate NFS and Samba? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_nfs
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: nfs_server
NO_CHILD: nfs_server
PROPER_PARENT: apmd

LABEL: nfs_server
SHORT_EXP: "An NFS (Network File System) server allows its host machine to
export file systems onto other designated machines on a network.  NFS has
a history of major security vulnerabilities, as well as being a clear-text
protocol and relying on the presented username for authentication.  Any
data transferred by NFS can be monitored and may be tampered with by any
other network machine.  Transferred data includes file handles, which can
then be used to modify files.

This service can be made safer if it is locked behind a firewall that will
block NFS packets from entering or leaving your network.  It is best to
deactivate it until you can investigate whether or not you need NFS and
how to best secure it.

One alternative is CIFS/9000 (Samba).  It is still a clear-text,
shared file system and therefore still raises security concerns, but unlike
NFS, CIFS/9000 at least requires the user to authenticate (prove they are who
they say they are) before reading or writing to files.  Other alternatives
include tunneling NFS through IPSec or Secure Shell, but this can take
quite a bit of effort to setup and may degrade performance."
QUESTION: "Would you like to deactivate the NFS server on this system? [Y]"
REQUIRE_DISTRO: HP-UX OSX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: nfs_client
NO_CHILD: nfs_client
PROPER_PARENT: remotefs

LABEL: nfs_client
SHORT_EXP: "NFS (Network File System) client daemons include automount, autofs,
and biod on HP-UX and nfsiod and automount on Mac OS X.

automount/autofs allow non-root users to mount NFS file systems, which reduces the
burden on the administrator and allows for a more flexible operating environment.
However, automount/autofs allows any user to perform an operation that is normally
restricted to root.  There is an inherent security benefit to removing
privileges from non-root accounts.

autofs is the updated version of automountd.  They have similar security properties,
but one or the other may not be applicable to your operating system version.

biod, block I/O daemons, are used on an NFS client to handle read-ahead and
write-behind buffer caching, which improves nfs mounted file systems
performance.  Turning this service off will have performance impacts if this
machine is still used as a nfs client.

nfsiod increases NFS performance on the client side, though it is not necessary.
Deactivating it costs you only performance at most, though you should primarily
choose this option if you're not mounting NFS directories.

NFS has a history of major security vulnerabilities, as well as
being a clear-text protocol.  Any data transferred by NFS can be monitored
by any other network machine.  Transferred data includes file handles, which
can then be used to modify files.  These services can be made safer if they
are locked behind a firewall that will block NFS packets from entering or
leaving your network.  It is best to deactivate them until you can investigate
whether or not you need NFS and how to best secure it."
QUESTION: "Would you like to deactivate NFS client daemons? [Y]"
REQUIRE_DISTRO: HP-UX OSX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: pcmcia
NO_CHILD: pcmcia
PROPER_PARENT: nfs_server

LABEL: pcmcia
SHORT_EXP: "If this machine is not a notebook, it probably has no PCMCIA
ports.  PCMCIA ports allow the use of easily removable credit-card-sized
devices.  If this machine has no PCMCIA ports, you should be able to disable
PCMCIA services without any problems."
QUESTION: "Would you like to disable PCMCIA services? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_pcmcia
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: dhcpd
NO_CHILD: dhcpd
PROPER_PARENT: nfs_client

LABEL: dhcpd
SHORT_EXP: "DHCP servers are used to hand out temporary IP (Internet Protocol)
addresses and network settings to other machines.  An organization generally
only has one or two DHCP servers, if any.  Unless this machine is going to be
a DHCP server, you should deactivate the DHCP daemon.  Deactivating the daemon
will not prevent you from running DHCP as a client."
QUESTION: "Would you like to disable the DHCP daemon? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_dhcpd
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: gpm
NO_CHILD: gpm
PROPER_PARENT: pcmcia

LABEL: gpm
SHORT_EXP: "GPM adds mouse support (cut and paste) to the text-mode console.
If you will be using this machine in console mode and will want mouse support,
leave GPM on."
QUESTION: "Would you like to disable GPM? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_gpm
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: innd
NO_CHILD: innd
PROPER_PARENT: dhcpd

LABEL: innd
SHORT_EXP: "innd is the standard Internet news (Usenet/NNTP) server, used to
carry news articles between sites.  You should only leave it turned on if this
machine will serve as the organization's news server."
LONG_EXP: "Very few people need to create their own news server, as your
ISP or university usually provides one.  Further, they require a great deal
of disk space, processor power, bandwidth and maintenance.  In all but the
rarest of cases, you should disable the news server daemon."
QUESTION: "Would you like to disable the news server daemon? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_innd
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: disable_routed
NO_CHILD: disable_routed
PROPER_PARENT: gpm

LABEL: disable_routed
SHORT_EXP: "Unless this machine is serving as a router, you should turn off
the routing daemons (both routed and gated).  Even if the machine is
serving as a router, you should probably disable routed because gated
is newer and considered more secure."
LONG_EXP: "Very few machines need to be running routing daemons.  If this
machine has only a single network path to the Internet (one default route),
it has nothing to learn from a routing protocol and you can disable the routing
daemons.  If this machine is at an ISP or major networking center, you should
still use gated instead of routed.  Bastille only helps make your machine more
secure, so if this machine is currently a router using routed, you should leave
this on, then migrate to gated manually later.  (Bastille will not enable gated
for you.)"
QUESTION: "Would you like to deactivate routed? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_routed
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: disable_gated
NO_CHILD: disable_gated
PROPER_PARENT: innd

LABEL: disable_gated
SHORT_EXP: "Unless this machine is serving as a router, you should turn off
the routing daemons (both routed and gated)."
LONG_EXP: "Very few machines need to be running routing daemons.  If this
machine has only a single network path to the Internet (one default route),
you can disable routing protocols.  If this machine is acting as a router,
then you should leave gated on."
QUESTION: "Would you like to deactivate gated? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_gated
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: nis_server
NO_CHILD: nis_server
PROPER_PARENT: disable_routed

LABEL: nis_server
SHORT_EXP: "An NIS (Network Information System) server is used to distribute
network naming and administration information to other machines on a network.

NIS is a system used for synchronizing key host information,
including account names and passwords.  It is a clear-text protocol, and can be
easily compromised to gain access to accounts on the system.  If you are
really interested in using NIS, you should configure your network firewall to block NIS
traffic coming in and going out of your network.

On many systems, including trusted-mode HP-UX systems, passwords are not only
stored as one-way hashes but are also readable only by the super-user.  This
defense measure was taken because, given the hash, an attacker can recover
weak passwords fairly quickly with dictionary or brute-force cracking programs
on today's computers.  When you use NIS, the password hash is transmitted in
clear-text and made available to anyone on the network (any client can run
\"ypcat passwd\"), compromising this defense measure.  Because of this, the
HP-UX trusted mode and password shadowing security features that Bastille can
enable are incompatible with NIS.  If you choose to convert to trusted-mode or
shadow passwords, you should also disable NIS.

We recommend that you deactivate NIS server programs.
Alternatives include NIS+, LDAP, and Kerberos."
QUESTION: "Would you like to deactivate NIS server programs? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
REQUIRE_FILE_EXISTS: ypserv
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: nis_client
NO_CHILD: nis_client
PROPER_PARENT: disable_gated

LABEL: nis_client
SHORT_EXP: "An NIS (Network Information System) client is used to receive
network naming and administration information from a server machine on its
network.

NIS is a system used for synchronizing key host information, including account
names and passwords.  It is a clear-text protocol, and can be easily compromised
to gain access to accounts on the system.  If you are really interested in using
NIS, you should configure your firewall to block NIS traffic coming in or going
out of your network.

Also, if you plan to use a host-based network firewall, be sure to disable the NIS
client.  If your NIS client is left configured but the NIS traffic is blocked at
your firewall, your machine will bog down trying to connect to the NIS server.
NIS is not a well-behaved protocol from a firewall's point of view: it is built
on Sun RPC, so its services register whatever ports the portmapper assigns them
rather than fixed port numbers, and it needs to initiate connections from both
the client and the server.

On many systems, including trusted-mode HP-UX systems, passwords are not only
stored as one-way hashes but are also readable only by the super-user.  These
measures were taken because, given the hashed string, an attacker can attempt
to determine valid passwords for users on your system by using dictionary or
brute-force password cracking programs.  When you use NIS, the password hash is
transmitted in clear-text and made available to anyone on the network,
compromising this defense measure.  Because of this, the HP-UX trusted mode and
password shadowing security features that Bastille can enable are incompatible
with NIS.  If you choose to convert to trusted-mode or shadow passwords, you
should also disable NIS.

We recommend that you deactivate NIS client programs.
Alternatives include NIS+, LDAP, and Kerberos."
QUESTION: "Would you like to deactivate NIS client programs? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: snmpd
NO_CHILD: snmpd
PROPER_PARENT: nis_server
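
The NFS questions (nfs_server, nfs_client) and the NIS questions above come
down to the same practical problem: the services are Sun RPC programs whose
ports the portmapper hands out at start-up, so neither a firewall rule nor an
after-the-fact check can be written as a single port number.  The shell script
below is added here as an example and is not part of Bastille.  It turns the
output of `rpcinfo -p` into the list of ports those services occupy and gives a
pass/fail check that a host no longer exports anything but the portmapper.  The
rpcinfo output is constructed for the example; on a live host, pipe the real
command into the functions.

```shell
#!/bin/sh
# Added example, not part of Bastille: list the ports that NFS- and NIS-related
# RPC services occupy, from the output of `rpcinfo -p`.  portmapper (111) and
# nfs (2049) are fixed; mountd, nlockmgr, status, ypserv and ypbind are given
# a port by the portmapper at start-up, which is why a firewall rule for "NFS"
# or "NIS" cannot be written as one port number and why the ports move after a
# reboot.  After Bastille has turned the services off, the same command should
# list nothing but the portmapper.

# Constructed sample of `rpcinfo -p` output from a host that is both an NFS
# server and a NIS server; not captured from a real system.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp  32769  mountd
    100005    1   tcp  32805  mountd
    100021    1   udp  32770  nlockmgr
    100024    1   udp  32768  status
    100004    2   udp    835  ypserv
    100004    2   tcp    838  ypserv
    100007    2   udp    845  ypbind'

# Read `rpcinfo -p` output on stdin; print "proto/port service" once per
# distinct port used by an NFS or NIS service (versions are collapsed).
rpc_exposed_ports() {
    awk 'NF == 5 {
            proto = $3; port = $4; svc = $5
            if (svc !~ /^(portmapper|rpcbind|nfs|mountd|nlockmgr|status|rquotad|ypserv|ypbind|yppasswdd|ypxfrd)$/)
                next
            key = proto "/" port
            if (!(key in seen)) { seen[key] = 1; print key, svc }
        }' | sort
}

# Pass/fail check for use after the services have been disabled: return 0 if
# only the portmapper is still registered, otherwise print the remaining
# NFS/NIS ports and return 1.
rpc_nfs_nis_clear() {
    found=$(rpc_exposed_ports | grep -v -e ' portmapper$' -e ' rpcbind$') || :
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# On a live host:  rpcinfo -p | rpc_nfs_nis_clear
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_exposed_ports
```

For the firewall, block 111 and 2049 (tcp and udp) unconditionally; for the
ports that move, either pin mountd and its companions to fixed ports where the
operating system allows it, or block the whole range the portmapper draws
from, and re-run the check after every reboot because the assignments change.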

LABEL: snmpd
SHORT_EXP: "SNMP, the Simple Network Management Protocol, is
used to aid in the management of machines over the network.  This
can be a powerful method of monitoring and administering
a set of networked machines.  If you use network management
software to maintain the computers on your network, then you
should audit the way in which SNMP is used by that software.
You should (1) use SNMPv3, which supports per-user authentication and
encryption, wherever possible, (2) set restrictive access control lists,
and (3) block SNMP traffic (UDP ports 161 and 162) at your firewall.
Otherwise it makes sense to disable the SNMP daemons.

The average home user has no reason to run these daemons, and
depending on their default configuration they could be a major
security risk: SNMPv1 and SNMPv2c authenticate with a clear-text community
string, and a default read or read/write community such as \"public\" or
\"private\" exposes, or allows changes to, the host's configuration.
Alternatively, if configured correctly and used in conjunction with
management software, these daemons can dramatically improve accessibility
and response time to problems when they occur.

Things known to not work if this is disabled:

Network management software, such as HP OpenView, which relies
on SNMP"
QUESTION: "Would you like to disable SNMPD? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: minimize_chkconfig
NO_CHILD: minimize_chkconfig
PROPER_PARENT: nis_client

LABEL: minimize_chkconfig
SHORT_EXP: "For the extra paranoid, we can disable all of the chkconfig'd
services, with the exception of:

	  cron, syslog, keytable, network, gpm, xfs, pcmcia

This is pretty minimalist and should only be undertaken if you understand
how and when to turn the remaining services on."
LONG_EXP: "For the extra paranoid, we can disable all of the chkconfig'd
services, with the exception of:

	  cron, syslog, keytable, network, gpm, xfs, pcmcia

This is pretty minimalist and should only be undertaken if you understand
how and when to turn the remaining services on."
QUESTION: "Should we disable most chkconfig'd services?"
REQUIRE_DISTRO: MN7.0 MN7.1 MN7.2 MN8.0 MN8.1
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
DEFAULT_ANSWER: N
YES_EXP:
NO_EXP:
PROPER_PARENT: snmpd
YES_CHILD:disable_ptydaemon
NO_CHILD: disable_ptydaemon
SKIP_CHILD: disable_ptydaemon
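
As an added example (not Bastille's own minimize code), the shell script below
shows the audit behind this question: given the output of `chkconfig --list`,
it prints the `chkconfig <service> off` command for every service still
enabled in runlevel 3 or 5 that is not on the keep list quoted above.  The
keep list, the sample output, and the addition of `crond` (Red Hat's name for
the cron service) are assumptions for the example.  Services managed through
xinetd, which `chkconfig --list` prints in a separate section, are reported
too, because the keep list above says nothing about them.

```shell
#!/bin/sh
# Added example, not Bastille's minimize code: from the output of
# `chkconfig --list`, print the "chkconfig <service> off" command for every
# service still enabled in runlevel 3 or 5 that is not on the keep list quoted
# in the question.  The keep list, the sample output and the inclusion of
# "crond" (Red Hat's name for the cron service) are assumptions for the
# example.  Services managed through xinetd appear in a separate section of
# the output ("<name>:  on") and are reported with a comment, because turning
# them off edits the xinetd configuration rather than runlevel links.
KEEP="cron crond syslog keytable network gpm xfs pcmcia"

# Constructed sample of `chkconfig --list` output (not from a real system).
SAMPLE_CHKCONFIG=$(
    printf '%s\n' \
        'crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off' \
        'syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off' \
        'network         0:off   1:off   2:on    3:on    4:on    5:on    6:off' \
        'httpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off' \
        'nfs             0:off   1:off   2:off   3:on    4:off   5:on    6:off' \
        'portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off' \
        'sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off' \
        'gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off' \
        'innd            0:off   1:off   2:off   3:off   4:off   5:off   6:off' \
        'xinetd based services:'
    printf '\t%s:\t%s\n' telnet on finger off rsync on
)

# Read `chkconfig --list` output on stdin.
chkconfig_extra_services() {
    awk -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) keepset[k[i]] = 1 }
        /^xinetd based services:/ { xinetd = 1; next }
        !xinetd && NF == 8 {                  # name 0:off 1:off ... 6:off
            svc = $1; on = 0
            for (i = 2; i <= NF; i++) if ($i == "3:on" || $i == "5:on") on = 1
            if (on && !(svc in keepset)) print "chkconfig " svc " off"
        }
        xinetd && NF == 2 && $2 == "on" {
            svc = $1; sub(/:$/, "", svc)
            if (!(svc in keepset)) print "chkconfig " svc " off   # xinetd service"
        }'
}

# On a live host:  chkconfig --list | chkconfig_extra_services
# Review the list before running it; portmap in particular is needed by NFS
# and NIS, so it only goes off if those are going off too.
printf '%s\n' "$SAMPLE_CHKCONFIG" | chkconfig_extra_services
```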

LABEL: disable_ptydaemon
SHORT_EXP: "The ptydaemon is used by the shell layers (shl) software.
shl is a historical alternative to job control.  If no one on your system
is going to use shl, you should be able to safely turn the ptydaemon off.

If you disable and remove ptydaemon, Bastille will also disable
vtdaemon since it depends on ptydaemon to operate.

These are both used for very old protocols.  If you don't know what uucp
is, you probably don't need these.  If you want a history lesson, you
can look at the man pages for \"vt\", \"vtdaemon\", \"uucp\" and \"shl\".

The security benefit of turning these off is based on the principle of
minimalism.  These daemons do run as root and accept input from a normal
user.  There is probably a low security risk associated with leaving these
daemons running, but there is little reason to expose yourself to that
risk unnecessarily."
QUESTION: "Would you like to disable both the ptydaemon and vtdaemon?"
DEFAULT_ANSWER: "Y"
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: disable_pwgrd
NO_CHILD: disable_pwgrd
SKIP_CHILD: disable_pwgrd
REQUIRE_DISTRO: HP-UX
PROPER_PARENT: minimize_chkconfig


LABEL: disable_pwgrd
SHORT_EXP:"pwgrd is the Password and Group Hashing and Caching daemon.

pwgrd provides accelerated lookup of password and group information
for libc routines like getpwuid and getgrnam.  However, on systems
with normal sized (less than 50 entries) password files, pwgrd will
probably slow down lookups, due to the overhead of pwgrd's
use of Unix domain sockets.

The security benefit of turning this service off is also based on the principle
of minimalism.  This daemon does run as root and accepts input from
non-privileged users."
QUESTION: "Would you like to disable pwgrd?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: disable_rbootd
NO_CHILD: disable_rbootd
SKIP_CHILD: disable_rbootd
REQUIRE_DISTRO: HP-UX
PROPER_PARENT: disable_ptydaemon

LABEL: disable_rbootd
SHORT_EXP: "The rbootd daemon serves a protocol called RMP, an HP predecessor
of the \"bootp\" protocol (which in turn is the ancestor of DHCP).  Basically,
unless you are using this machine to boot very old HP-UX systems over the
network (prior to 10.0, or older than s712's), you have no reason to have
this running."
QUESTION: "Should Bastille deactivate rbootd?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: xaccess
NO_CHILD: xaccess
SKIP_CHILD: xaccess
REQUIRE_DISTRO: HP-UX
PROPER_PARENT: disable_pwgrd

LABEL: xaccess
SHORT_EXP: "XDMCP is an unencrypted protocol which allows remote connections to an
X server.  This protocol is commonly used by dumb graphics terminals and PC-based
X-emulation software to bring up a remote login and desktop."
QUESTION: "Would you like to disallow remote X logins?"
DEFAULT_ANSWER: "Y"
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: rendezvous
NO_CHILD: rendezvous
SKIP_CHILD: rendezvous
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: Xconfig
PROPER_PARENT: disable_rbootd

LABEL: rendezvous
SHORT_EXP: "Mac OS X's Rendezvous program enables computers to find 
Internet-connected resources on the local network, automatically making
their offered resources available to the user.  To do this, Rendezvous 
broadcasts any services it might offer to other systems, like shared
directories and such.

While this promises to be an extremely useful program, more paranoid 
users may find this behavior to be overly friendly, especially if their
computer often sits on less-trusted networks.

At this time, this item simply deactivates the mDNSResponder program.

You can read more about Rendezvous here:
http://www.apple.com/macosx/jaguar/rendezvous.html"
QUESTION: "Would you like to deactivate Rendezvous?"
DEFAULT_ANSWER: "N"
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: autodiskmount
NO_CHILD: autodiskmount
SKIP_CHILD: autodiskmount
REQUIRE_DISTRO: OSX
PROPER_PARENT: xaccess

LABEL: autodiskmount
SHORT_EXP: "Mac OS X's default behavior is to automatically mount any
media that you place in its removable drives.  In some environments,
you may not want to allow ordinary users to mount removable media
quite so easily.  One example of this might be a public computer lab
where you want to maintain stricter control on users' transferring
external data via physical media."
QUESTION: "Would you like to disable the autodiskmount program?"
DEFAULT_ANSWER: "N"
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: disable_ntpd
NO_CHILD: disable_ntpd
SKIP_CHILD: disable_ntpd
REQUIRE_DISTRO: OSX
PROPER_PARENT: rendezvous

LABEL: disable_ntpd
SHORT_EXP: "Mac OS X ships with the Network Time Protocol daemon (ntpd)
active by default.  Bastille can deactivate it for you.

This is a difficult decision for most security-conscious sites.  On the
one hand, incident response and forensics very much require that the clocks
at a site be synchronized to small fractions of a second.  On the other hand,
ntpd is a network-accessible root-level program, which makes it an accessible
and inviting target to attackers.

We would recommend against deactivating ntpd unless you know what you're doing."
QUESTION: "Would you like to disable the Network Time Protocol daemon (ntpd)?"
DEFAULT_ANSWER: "N"
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: sendmaildaemon
NO_CHILD: sendmaildaemon
SKIP_CHILD: sendmaildaemon
REQUIRE_DISTRO: OSX
PROPER_PARENT: autodiskmount

FILE: Sendmail.pm

LABEL: sendmaildaemon
SHORT_EXP: "Running sendmail in daemon mode makes your system more
vulnerable to sendmail-based attacks, of which there have been many.
Unless this machine is a mail server, you probably do not need
sendmail to run in daemon mode.

Note: This will not affect outgoing mail from this machine, except that a
message whose first delivery attempt fails stays in the queue until
something processes the queue (see the next question)."
LONG_EXP: "You do not need to have sendmail running in daemon mode to send
and receive email, and unless you have a constant network connection,
you probably cannot run sendmail in daemon mode.  Daemon mode means that
sendmail is constantly listening on a network connection waiting to
receive mail.

If you disable daemon mode, Bastille will ask you if you would like to
run sendmail every few minutes to process the queue of outgoing mail. 
Most programs which send mail will still do so immediately, and
processing the queue will take care of transient errors.

If you receive all of your email via a POP/IMAP mailbox provided by your ISP,
you may have no need of daemon-mode sendmail, unless you're running a
fetchmail-style POP/IMAP retrieval program (fetchmail, by default, hands each
message to the local mail server over SMTP, which requires a listening
sendmail).  For instance, you can turn daemon mode off if you read your mail
via Netscape's common POP/IMAP read functionality.  The only reason to run
sendmail in daemon mode is if you are running a mail server."
QUESTION: "Do you want to stop sendmail from running in daemon mode? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
REQUIRE_FILE_EXISTS: sysconfig_sendmail
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: sendmailcron
NO_CHILD: vrfyexpn
SKIP_CHILD: sendmailcron
PROPER_PARENT: disable_ntpd

LABEL: sendmailcron
SHORT_EXP: "Should sendmail run every 15 minutes to process
the mail queue, processing and sending out e-mail?  If this machine does
not run sendmail in daemon mode, you may want to do this to make
your outbound mail more reliable.

In most cases, mail queue processing is not required since most mailer
programs activate sendmail to process their particular message.  A message
usually only gets written to the queue (and thus needs a cron entry) if
sendmail has trouble delivering it.  Example: the receiving mail server is down.

NOTE: A queue run only delivers mail that is already queued; it does not
listen for inbound connections, so it is not a substitute for daemon mode on
a machine that must receive mail.

NOTE: The 15 minute interval can be easily changed later, see crontab(1)."
QUESTION: "Would you like to run sendmail via cron to process the queue? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
REQUIRE_FILE_EXISTS: sysconfig_sendmail
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: vrfyexpn
NO_CHILD: vrfyexpn
PROPER_PARENT: sendmaildaemon

LABEL: vrfyexpn
SHORT_EXP: "An attacker can use sendmail's vrfy (verify recipient existence)
and expn (expand recipient alias/list contents) commands to learn more
about accounts on the system.  The expn command, for instance, could be
used to find out who the \"postmaster\" and \"abuse\" aliases redirect mail to,
which identifies which user account belongs to the system administrator.

These sendmail commands can probably be disabled without breaking anything
and will make an attacker's reconnaissance more difficult.  The only reasons
to leave them on are (1) you are running an old-fashioned, friendly site,
(2) you are using them to debug your own mail server, or (3) the very small
chance that some software you use relies on this."
QUESTION: "Would you like to disable the VRFY and EXPN sendmail commands? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
REQUIRE_FILE_EXISTS: sendmail.cf
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: chrootbind
NO_CHILD: chrootbind
PROPER_PARENT: sendmaildaemon
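
The change behind this question is a single line in sendmail.cf.  The shell
script below is an added example, not Bastille's own sendmail code: it audits
the PrivacyOptions line and rewrites it to add novrfy and noexpn, keeping
whatever flags are already there.  The paths in the usage comment and the
three-line sample configuration are assumptions for the example.

```shell
#!/bin/sh
# Added example, not Bastille's own sendmail code: audit and harden the
# PrivacyOptions line of sendmail.cf.  "novrfy" and "noexpn" make sendmail
# refuse VRFY and EXPN; "goaway" is a shorthand that turns on every privacy
# flag.  If sendmail.cf is generated from an .mc file, make the same change
# there, define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn'), or the
# next m4 run silently undoes this edit.  Both functions read sendmail.cf on
# stdin; the paths in the usage comment are assumptions.

# Print "disabled" if both VRFY and EXPN are refused, otherwise "enabled".
vrfy_expn_status() {
    awk '
        /^O PrivacyOptions=/ { opts = substr($0, index($0, "=") + 1) }
        END {
            gsub(/[ \t]/, "", opts)
            n = split(opts, f, ",")
            for (i = 1; i <= n; i++) {
                if (f[i] == "goaway") { novrfy = 1; noexpn = 1 }
                if (f[i] == "novrfy") novrfy = 1
                if (f[i] == "noexpn") noexpn = 1
            }
            if (novrfy && noexpn) print "disabled"; else print "enabled"
        }'
}

# Copy sendmail.cf from stdin to stdout with novrfy and noexpn added to
# PrivacyOptions; flags already present are kept and the line is created
# if the file has none.  Running it twice changes nothing the second time.
harden_vrfy_expn() {
    awk '
        function add(o, flag) {
            if (o ~ /(^|,)goaway(,|$)/ || o ~ ("(^|,)" flag "(,|$)")) return o
            return (o == "") ? flag : (o "," flag)
        }
        /^O PrivacyOptions=/ && !done {
            opts = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", opts)
            print "O PrivacyOptions=" add(add(opts, "novrfy"), "noexpn")
            done = 1
            next
        }
        { print }
        END { if (!done) print "O PrivacyOptions=authwarnings,novrfy,noexpn" }'
}

# Typical use (paths assumed):
#   harden_vrfy_expn < /etc/mail/sendmail.cf > /etc/mail/sendmail.cf.new
#   vrfy_expn_status < /etc/mail/sendmail.cf.new      # prints "disabled"
# then move the new file into place and restart sendmail.
# Demo on a constructed three-line sendmail.cf:
printf 'O DaemonPortOptions=Port=smtp\nO PrivacyOptions=authwarnings\nO LogLevel=9\n' |
    harden_vrfy_expn | vrfy_expn_status
```

Live check after the restart: connect to port 25 and send "VRFY root"; a
hardened server answers with a 252 or 5xx reply instead of an address.  If you
also stopped daemon mode and chose the cron queue run, the portable crontab
form of the 15 minute interval is "0,15,30,45 * * * * /usr/sbin/sendmail -q"
(path assumed; "*/15" is a Vixie cron extension that HP-UX cron does not
accept).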

FILE: DNS.pm

LABEL: chrootbind
SHORT_EXP: "The name server, \"named\", usually runs with privileged
access.  This allows \"named\" to function correctly, but increases the
security risk if any vulnerabilities are found. 
We can decrease this risk by running \"named\" as a non-privileged user and
by putting its files in a restricted file system (called a chroot jail).

NOTE:  If a security vulnerability is found in one of the files that has been
placed inside of the \"chroot jail\" then that file must be manually patched
by copying the fixed file(s) into the jail.

HP-UX Note: The general structure of the jail will be created but several
entries will be added to Bastille's generated TODO list which require
MANUAL ACTION on your part.  (HP-UX does not ship with a name server
configured by default, so much of this depends on how your system's name
server is configured.)

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
LONG_EXP:  "The name server, \"named\", usually runs with privileged
access.  This allows \"named\" to function correctly, but increases the
security risk if any vulnerabilities are found. 
We can decrease this risk by running \"named\" as a non-privileged user and
by putting its files in a restricted file system (called a chroot jail).

NOTE:  If a security vulnerability is found in one of the files that has been
placed inside of the \"chroot jail\" then that file must be manually patched
by copying the fixed file(s) into the jail.

For security reasons, it would be ideal to restrict every process which
is listening to untrusted data as much as possible.  This is especially true
of network daemons, such as bind.  If a vulnerability is found in the
daemon, then a chroot jail will contain any intrusions.   Only a root process
can break out of a chroot jail, so Bastille will ensure that \"named\" is
not running as root.  A successful attack on \"named\" in a chroot jail
running as a non-privileged user will allow the attacker to modify only
files owned or writeable by that non-privileged user, and so protects the
rest of the system.

HP-UX Note: The general structure of the jail will be created but several
entries will be added to Bastille's generated TODO list which require
MANUAL ACTION on your part.  (HP-UX does not ship with a name server
configured by default, so much of this depends on how your system's name
server is configured.)

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Would you like to chroot named and set it to run as a non-root user? [N]"
REQUIRE_DISTRO: LINUX HP-UX
REQUIRE_FILE_EXISTS: named
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP: "You've changed the name server, named, to run in a safer mode,
one in which it is restricted to operating within the directory /var/named
or /home/dns on Redhat and Mandrake systems and /var/jail/bind on HP-UX
systems.

This \"chroot jail\" stops an attacker from using named to do more extensive
damage to the system if s/he is able to compromise named.  This
should be mostly transparent to you, except in two respects:

  1) All of named's configuration and zone files now live under the jail
     directory, so every configuration edit must be made there (and any
     new zone file must be copied there).

  2) If you use ndc to control named, you will need to use

           ndc -c /<jail-dir>/var/run/ndc
"
NO_EXP:
YES_CHILD: namedoff
NO_CHILD: namedoff
PROPER_PARENT: vrfyexpn

LABEL: namedoff
SHORT_EXP: "Until you configure your name (DNS) server, we would like to
temporarily turn it off.  In almost all cases, you should only need your own
name server if you own your own domain and you want this _particular_
machine to answer DNS queries.

This is especially important as there have been dangerous remote-root
vulnerabilities in several recent versions of BIND.  The security
principle of Minimalism applies here: minimize the number of possible
attack points to be least vulnerable to attack.

Even if you plan on setting up a name server on this machine, you should
deactivate it for now until you get the configuration files setup.   You
can reactivate it then by typing, as root:     /sbin/chkconfig named on  "
QUESTION: "Would you like to deactivate named, at least for now? [Y]"
REQUIRE_DISTRO: LINUX
REQUIRE_FILE_EXISTS: chkconfig_named
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: deactivate_hpapache2
NO_CHILD: deactivate_hpapache2
PROPER_PARENT: chrootbind

FILE: Apache.pm

LABEL: deactivate_hpapache2
QUESTION: "Would you like to deactivate the HP-distributed Apache 2.x Web Server?"
SHORT_EXP: "If you do not plan to use this system as a web server, then
it is recommended that you deactivate your Apache 2.x web server.  Programs
that require an Apache server installed but do not bind to port 80 will still
be able to start their own instances of the web server.  If you do not plan to
use your Apache 2.x server immediately, then you should deactivate it until
you need it.  Minimalism is a critical part of good site security.
NOTE: This will not turn off copies of Apache or other web servers if
they are supplied with individual products."
REQUIRE_DISTRO: HP-UX11.22 HP-UX11.23
YN_TOGGLE: 1
DEFAULT_ANSWER: Y
REG_EXP: "^Y$|^N$"
YES_CHILD: apacheoff
NO_CHILD: apacheoff
PROPER_PARENT: namedoff

LABEL: apacheoff
SHORT_EXP: "Will you be using the Apache web server immediately? Again,
minimalism is a critical part of good site security.  If you don't
need to run a web server, at least not right now, you should deactivate it.
You can restart the web server later by typing:

      /sbin/chkconfig httpd on
"
QUESTION: "Would you like to deactivate the Apache web server? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_httpd
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP: "Even though you've deactivated the Apache web server, there are
still a few more questions related to it.  It's good to take the precautions in
the next steps even if you've turned off the web server, since it might get
turned on again later."
NO_EXP:
YES_CHILD: bindapachelocal
NO_CHILD: bindapachelocal
PROPER_PARENT: deactivate_hpapache2

LABEL: bindapachelocal
SHORT_EXP: "When the web server is on, you may want to have it listen on
only the local interface, or on the local interface and a particular network
interface (like an ethernet card that's only connected to a bank of local
computers, none of which are attached to the internet).  This is a
particularly good option for web developers."
LONG_EXP: "If you bind the apache web server to the local interface, so that
it isn't accessible to other machines, it can still serve up pages to
browsers/web clients on this machine. This is ideal for many web
developers, who don't need a worldwide accessible web server, but would
like to edit a web site locally before uploading to another server.  To
access the server, you would simply use, as a URL in your browser:

        http://localhost/
and
        http://localhost/some_page.html
	
Even if you fully deactivated the web server in the previous step, this
option still makes sense: if you or someone else turns the server back on,
it doesn't represent as great a risk if it isn't set to allow
connections from the entire internet."
QUESTION: "Would you like to bind the web server to listen only to the localhost? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: httpd
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: generalweb
NO_CHILD: bindapachenic
SKIP_CHILD: generalweb
PROPER_PARENT: apacheoff

LABEL: bindapachenic
SHORT_EXP: "We can bind the web server to a specific IP address on your
machine.  On a machine with multiple network interfaces (like ppp and ethernet)
this has the effect of letting you only allow your internal LAN access to your
web server.  This is highly recommended if you're building an internal-only
web server."
QUESTION: "Would you like to bind the web server to a particular interface? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: httpd
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: bindapacheaddress
NO_CHILD: generalweb
SKIP_CHILD: generalweb
PROPER_PARENT: bindapachelocal

LABEL: bindapacheaddress
SHORT_EXP: "Please enter in the IP address for apache to listen to.  Include the
port it should listen on--the default port is port 80.  For example:

     192.168.1.1:80
 or
     10.0.0.1:8080"
QUESTION: "Address to bind the web server to? [127.0.0.1]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: httpd
YN_TOGGLE: 0
DEFAULT_ANSWER: 127.0.0.1
YES_CHILD: generalweb
NO_CHILD: generalweb
PROPER_PARENT: bindapachenic

LABEL: generalweb
SHORT_EXP:" There are a few other changes that we recommend you make to
the web server's configuration.  There are very few intrinsic security flaws
in the Apache web server, but two properties of its job deserve attention:

  As with all web servers, it is generally required to send and receive
  information to and from anyone on the internet.

  In many environments, the people telling the server how to behave are
  not knowledgeable system administrators by trade.  Before you discount
  this fact, take account of the wide proliferation of configurations
  under which any user on the system can instruct the server to execute
  arbitrary code for anyone who comes to the site, via CGI scripts."
QUESTION:
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: httpd
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: symlink
NO_CHILD: symlink
PROPER_PARENT: bindapachelocal

LABEL: symlink
SHORT_EXP: "In general, you should try to limit which information on the web
server's host can be accessed by the myriad of people who may connect to
the web server.

We will prevent the web server from following symbolic links.  Apache runs
as user \"nobody\", and so it can potentially read or change any world
readable or world writeable file on the system.  If we don't deactivate this
option, any user who can write to the document tree could place a symbolic
link there (pointing at, say, /etc/passwd) and let a web site visitor view
files outside the web page directories.  Deactivating \"follow symbolic
links\" helps prevent this.  Further, deactivation can lessen the probability
that a future vulnerability in Apache could be exploited to alter world
writeable files on the system."
QUESTION: "Would you like to deactivate the following of symbolic links? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: httpd
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: ssi
NO_CHILD: ssi
PROPER_PARENT: generalweb

LABEL: ssi
SHORT_EXP: "You might also want to deactivate server-side includes. If you
don't know what they are, you should probably turn them off until you do.  In
essence, they are another way for a web server to execute code to modify
web pages, but they represent a security risk you may not want to take until
you better understand the Apache web server."
QUESTION: "Would you like to deactivate server-side includes? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: httpd
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: cgi
NO_CHILD: cgi
PROPER_PARENT: symlink

LABEL: cgi
SHORT_EXP: "As mentioned earlier, one of the few inherent weaknesses in Apache,
true of web servers in general, is that CGI scripts allow any user on the
system to allow anyone who can access the web site (which is usually the
entire internet) to run programs on the web server's host.  This has inherent
problems, but may be required at your site.  We recommend disabling
CGI script execution for now, while you take the time to read more about the
dangers and install some kind of protection."
LONG_EXP: "One security precaution that you should look into is using a
CGI wrapper program (such as Apache's suEXEC, or cgiwrap) that limits which
users' scripts may run and runs each script as that user rather than as the
server's own account.  You may even have your site's security administrator
audit each script before allowing it onto the system.  CGI scripts are not
inherently dangerous, but they need to be very carefully controlled by people
who understand the dangers."
QUESTION: "Would you like to disable CGI scripts, at least for now? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: httpd
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: apacheindex
NO_CHILD: apacheindex
PROPER_PARENT: ssi

LABEL: apacheindex
SHORT_EXP: "Apache, by default, is configured to generate \"index\" files for
any web directories that don't have them.  These index files basically create
a link to every file in the directory, whether one was intended or not.  This
step isn't necessary, but may be helpful."
LONG_EXP: "This can be mildly problematic, for example, when a user places a
sensitive data file that's required by a CGI script in a web directory.  The
data file must be readable by user \"nobody\", which generally means it must
be world-readable.  Without the automatically generated index file, a
web site visitor couldn't ordinarily read the data file unless they could
guess its name.  Still, this example is weak, as it illustrates the
flawed, yet all-too-common, principle of \"security through obscurity.\"
No examples were obvious to the authors of this script that didn't rely on
breaking the most obvious rule of web site creation, \"don't put any sensitive
files in a web directory with world readable permissions!\" "
QUESTION: "Would you like to disable indexes? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: httpd
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: chrootapache
NO_CHILD: chrootapache
PROPER_PARENT: cgi
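
The four Apache questions above (symlink, ssi, cgi, apacheindex) each map to one token of the httpd.conf "Options" directive.  The script below is an added example, not Bastille's own code: it audits a configuration for Options lines that still enable FollowSymLinks, Includes, ExecCGI or Indexes (a bare or "+" token, or "All", which turns all of them on).  The httpd.conf text it scans is a constructed sample embedded in the script; point it at your real file with `audit_options "$(cat /path/to/httpd.conf)"`.

```shell
#!/bin/sh
# Added example (not Bastille code): report Apache "Options" tokens that still
# enable the features the symlink/ssi/cgi/apacheindex questions turn off.

RISKY="FollowSymLinks Includes ExecCGI Indexes"

# Constructed sample httpd.conf: one hardened block, two that still enable features.
SAMPLE_CONF='<Directory "/var/www/html">
    Options -FollowSymLinks -Includes -ExecCGI -Indexes
</Directory>
<Directory "/var/www/cgi-bin">
    Options +ExecCGI FollowSymLinks
</Directory>
<Directory "/var/www/pub">
    Options All
</Directory>'

# audit_options <config-text>: print "lineno:feature" for every risky feature
# that an Options line enables. "-Feature" disables, "+Feature" or "Feature"
# enables, and "All" enables every option except MultiViews.
audit_options() {
    printf '%s\n' "$1" | awk -v risky="$RISKY" '
        BEGIN { n = split(risky, r, " ") }
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                tok = $i
                if (tolower(tok) == "all") {
                    for (j = 1; j <= n; j++) print NR ":" r[j]
                    continue
                }
                sign = substr(tok, 1, 1)
                if (sign == "-") continue
                if (sign == "+") tok = substr(tok, 2)
                for (j = 1; j <= n; j++)
                    if (tolower(tok) == tolower(r[j])) print NR ":" r[j]
            }
        }'
}

# count_findings <config-text>: number of enabled risky features found
count_findings() {
    audit_options "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample
audit_options "$SAMPLE_CONF"
```

A zero count does not by itself prove CGI is off: ScriptAlias directories execute scripts regardless of ExecCGI, so check those separately.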

LABEL: chrootapache
SHORT_EXP: "Apache 1.3.19 and higher for HP-UX have a chroot script built
into the distribution.  This script makes a copy of Apache and related
binaries and libraries and places them inside of a chroot jail.  This
allows Apache to run with limited file system access.  If you are not
currently running the Apache web server then answer no to this question.

Note: If you have a 1.3.x version of apache installed as well as a 2.x
version, then both will be chrooted.

NOTE:  If a security vulnerability is found in one of the files that has been
placed inside of the \"chroot jail\" then that file must be manually patched
by copying the fixed file(s) into the jail.

NOTE: This chroot script was written to give a fully functioning web server
inside of a chroot'ed environment.  For additional security remove unneeded
libraries and compilers as they may not all be used by your Apache server.
"
LONG_EXP: "Apache 1.3.19 and higher for HP-UX have a chroot script built
into the distribution.  Bastille has detected that your version of Apache
has this functionality.  This script makes a copy of Apache and related
binaries and libraries and places them inside of a chroot jail.  This
allows Apache to run with limited file system access.  If you are not
currently running the Apache web server then answer no to this question.

The Apache server, httpd, is given access to several compilers and system
libraries so that it can process CGIs, login attempts, and so on.  One way to
lessen the risk presented by this special status is to lock the daemon
(httpd) into a \"chroot jail.\"  In this case, the daemon has access to
only a small segment of the file system, a directory created specifically for
the purpose of giving the daemon access to only the files it needs.

The adjective \"chroot'ed\" is derived from \"change root\", since
Bastille sets the daemon's root directory ( / ) to some child node in the
directory tree.  Note, for experts: a root process can break out of a
chroot jail, but this is still an effective deterrent, especially since
Bastille will limit the number of common root attack vectors within the jail.

NOTE:  If a security vulnerability is found in one of the files that has been
placed inside of the \"chroot jail\" then that file must be manually patched
by copying the fixed file(s) into the jail.

NOTE: If you have a 1.3.x version of apache installed as well as a 2.x
version, then both will be chrooted.

NOTE: This chroot script was written to provide for a fully functional web
server inside of a chroot'ed environment.  For additional security remove
unneeded libraries and compilers as they may not all be used by your
Apache server.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Would you like to chroot your Apache Server? [N]"
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: chroot_os_cp.sh chroot_os_cp.sh2 hpws_chroot_os_cp.sh
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: printing
NO_CHILD: printing
PROPER_PARENT: apacheindex

FILE: Printing.pm

LABEL: printing
SHORT_EXP: "If this machine is not going to need to print, you should stop
the print scheduler and restrict the permissions on all the printing
utilities.

This is only recommended if this machine will not be used for printing
in the near future."
LONG_EXP: "If this machine is not going to need to print, you should stop
the print scheduler and restrict the permissions on all the printing
utilities.

On Linux, you could revert this later by typing:

 # /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm

 # /sbin/chkconfig lpd on

This is only recommended if this machine will not be used for printing
in the near future.  If you deactivate this, you might want to write
down the commands above in case you decide to re-enable printing later."
QUESTION: "Would you like to disable printing? [N]"
REQUIRE_DISTRO: LINUX
REQUIRE_FILE_EXISTS: lpd
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: printing_cups
NO_CHILD: printing_cups
PROPER_PARENT: chrootapache

LABEL: printing_cups
SHORT_EXP: "If this machine is not going to need to print, you should stop
the print scheduler and restrict the permissions on all the printing
utilities.

This is only recommended if this machine will not be used for printing
in the near future."
LONG_EXP: "If this machine is not going to need to print, you should stop
the print scheduler and restrict the permissions on all the printing
utilities.

On Linux, you could revert this later by typing:

 # /bin/chmod 0755 /usr/bin/lpr /usr/bin/lprm /usr/bin/lpstat
 # /bin/chmod 04755 /usr/bin/lppasswd

 # /sbin/chkconfig cups on

This is only recommended if this machine will not be used for printing
in the near future.  If you deactivate this, you might want to write
down the commands above in case you decide to re-enable printing later."
QUESTION: "Would you like to disable printing? [N]"
REQUIRE_DISTRO: LINUX
REQUIRE_FILE_EXISTS: cupsd
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: printing_osx
NO_CHILD: printing_osx
PROPER_PARENT: printing

LABEL: printing_osx
SHORT_EXP: "If this machine is not going to need to print, you should stop
the print scheduler and restrict the permissions on all the printing
utilities.

This is only recommended if this machine will not be used for printing
in the near future."
LONG_EXP: "If this machine is not going to need to print, you should stop
the print scheduler and restrict the permissions on all the printing
utilities.

On Mac OS X, you could revert this later by typing:

 # /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm

and changing CUPS=-NO- to CUPS=-YES- in /etc/hostconfig.

This is only recommended if this machine will not be used for printing
in the near future.  If you deactivate this, you might want to write
down the commands above in case you decide to re-enable printing later."
QUESTION: "Would you like to disable printing? [N]"
REQUIRE_DISTRO: OSX
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: ftpgeneral
NO_CHILD: ftpgeneral
PROPER_PARENT: printing_cups

FILE: FTP.pm

LABEL: ftpgeneral
SHORT_EXP: "FTP is widely considered to be fairly dangerous, but even
security-conscious sites might still run it because of the perceived
difficulty in educating users about alternatives.  Available
alternatives include:

 - secure copy, which encrypts names, passwords and traffic
 - web-based file archives, a much safer way of offering files to the public

The lack of widespread, free, Windows-based secure copy clients only
exacerbates the problem.  FTP is dangerous for several reasons, including:

 1) All passwords travel in the clear across the connection, allowing any
    intermediate hosts (and usually every host on the source and destination's
    local area network) to \"sniff\" unencrypted passwords.

 2) FTP daemons typically need to run with root privileges, and most of the
    common ones have been found to have a multitude of security vulnerabilities
    over the course of their existence.  For instance, the ftp daemon included
    with RedHat 6.0 has had two major updates to close security holes since
    RH6.0 was released.  Earlier in this session, we updated your wu-ftpd to
    the most recent version that RedHat advertises.
"
REQUIRE_FILE_EXISTS: ftpaccess
QUESTION:
REQUIRE_DISTRO: LINUX DB SE TB
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: userftp
NO_CHILD: userftp
PROPER_PARENT: printing_osx

LABEL: userftp
SHORT_EXP: "Allowing users to access the FTP server from anywhere on the
Internet presents a security problem, and you should disallow this access if
possible.  The problem is that many users feel they need FTP access.  You
can disable user use of the ftp daemon, leaving anonymous download still
possible.  We do not recommend this for most site admins, unless they have
management's approval and are prepared to educate their users."
LONG_EXP: "The least safe configuration for an ftp daemon is one which
allows anyone to connect (via \"anonymous\" mode) and upload files.  Most of
the attacks that let an intruder gain root access on your box require that
s/he is able to upload files.  If you don't have anonymous ftp with upload
capability, the intruder cannot use those attacks unless s/he can get a user
name and password.  For the sake of safety, this mode is shut off by default
in most wu-ftpd configurations.

The next least safe configuration is the one in which users with accounts
on the system are allowed to access the server from the entire Internet.
The dangers stem from 1) clear text passwords being sniffed on the Internet
and 2) common vulnerabilities in ftp daemons that can be triggered if anyone
has upload privileges.

Unfortunately, disabling this configuration is difficult, as this is what
many sites feel a need to use their ftp server for.  With a well
educated user base (and secure copy clients for their platforms), this
functionality is unnecessary.  Unfortunately, educating your user base may
be impossible at your site, especially if there are a large number of users.
If this is a 3 account server, that kind of user education may be quite
possible."
QUESTION: "Would you like to disable user privileges on the FTP daemon? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: ftpaccess
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: anonftp
NO_CHILD: anonftp
PROPER_PARENT: ftpgeneral

LABEL: anonftp
SHORT_EXP: "The last major FTP server functionality that we allow you to
disable in the name of site security is anonymous download access.  As we have
noted before, this functionality can be mimicked via the traditionally more
secure Apache web server.  Any files that you want accessible to the world
can be placed on an easy-to-configure web server."
QUESTION: "Would you like to disable anonymous download? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: ftpaccess
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: ftpusers
NO_CHILD: ftpusers
SKIP_CHILD: ftpusers
PROPER_PARENT: userftp

LABEL: ftpusers
SHORT_EXP: "The ftpusers file allows the administrator to set accounts that shall not
be allowed to log in via the ftpd.  Default system users should not normally be
allowed access to the system through the ftpd, as it sends the username and
password in clear text over the network.  Bastille will disallow ftp logins to
a WU-FTPD server from the following users: root, daemon, bin, sys, adm, uucp, lp,
nuucp, hpdb, and guest.  If you have a compelling reason to allow these users
ftp access, then answer no to this question.  Use this as a secondary measure
if you have already chosen to deactivate the ftp server."
QUESTION: "Would you like to disallow ftpd system account logins?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: stack_execute
NO_CHILD: stack_execute
PROPER_PARENT: anonftp
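
As an added example (not Bastille's own code), the script below applies the ftpusers measure described above in an idempotent way: it adds each of the ten listed system accounts to an ftpusers file only if that exact name is not already present, so it can be re-run safely.  The path of the real file depends on the ftpd in use (Bastille's HP-UX target reads /etc/ftpd/ftpusers, many Linux daemons read /etc/ftpusers; treat both as assumptions to verify), so the demonstration runs against a constructed temporary file.

```shell
#!/bin/sh
# Added example (not Bastille code): deny FTP logins to the system accounts
# the ftpusers question names, without duplicating entries already present.

BASTILLE_FTP_DENY="root daemon bin sys adm uucp lp nuucp hpdb guest"

# ensure_ftpusers <file>: append every account from the list that is missing,
# one per line; prints how many were added. Re-running adds nothing.
ensure_ftpusers() {
    file=$1
    added=0
    [ -f "$file" ] || : > "$file"
    for user in $BASTILLE_FTP_DENY; do
        # -x matches the whole line, so "lp" does not match "lpadmin"
        if ! grep -qx "$user" "$file"; then
            printf '%s\n' "$user" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# count_denied <file>: number of distinct non-comment, non-blank entries
count_denied() {
    grep -v '^#' "$1" | grep -v '^[ 	]*$' | sort -u | wc -l | tr -d ' '
}

# Demonstration on a constructed temporary file, never the live system file.
demo_file=$(mktemp)
printf '# constructed sample ftpusers\nroot\nguest\nlpadmin\n' > "$demo_file"
ensure_ftpusers "$demo_file"   # prints 8: root and guest were already listed
count_denied "$demo_file"      # prints 11
rm -f "$demo_file"
```

Run it as root against the real file only after the FTP daemon has been confirmed to read that path; a typo in the path silently creates a file nothing consults.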

FILE: HP_UX.pm

LABEL: stack_execute
SHORT_EXP: "A common way to gain privileged access is to provide some type
of out-of-bounds input that is not checked by a program.  This input can be
used to overflow the stack in a way that leaves some cleverly written
instructions stored in a place that will be executed by the program.  The
HP-UX kernel has the ability to disallow execution of commands from the
stack.  This will contain many of these types of attacks, making them
ineffective.

On HP-UX versions prior to 11.22, changing the kernel parameter
\"executable_stack\" requires Bastille to recompile the kernel.
Ensure that the current running kernel is /stand/vmunix.  A backup of the old
kernel will be placed in the /stand directory.
If you answer yes to this question on HP-UX 11.11 or HP-UX 11.22, you must reboot your
system for this change to take effect.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION on HP-UX 11.11 and HP-UX 11.22,
see TODO list for details)"
LONG_EXP: "A common way to gain privileged access is to provide some type
of out-of-bounds input that is not checked by a program.  This input can be
used to overflow the stack in a way that leaves some cleverly written
instructions stored in a place that will be executed by the program.  The
HP-UX kernel has the ability to disallow execution of commands from the
stack.  This will contain many of these types of attacks, making them
ineffective.  Because this is done at the kernel level, it is
independent of any application which may have a vulnerability of this type.
Note that this will also break some applications (Example: Java 1.2 programs
will fail if using JDK/JRE 1.2.2 versions older than 1.2.2.06) which
were designed to execute code off the stack.  However, you can run
\"chatr +es <executable_file>\" to override this for individual
programs if they break.

On HP-UX versions prior to 11.22, changing the kernel parameter
\"executable_stack\" requires Bastille to recompile the kernel.
Ensure that the current running kernel is /stand/vmunix.  A backup of the old
kernel will be placed in /stand/vmunix.prev and /stand/dlkm.vmunix.prev.
If you answer yes to this question on HP-UX 11.11, you must reboot your
system for this change to take effect.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION on HP-UX 11.11,
see TODO list for details)"
QUESTION:  "Would you like to enable kernel-based stack execute protection?"
REQUIRE_DISTRO: HP-UX11.11 HP-UX11.22 HP-UX11.23
DEFAULT_ANSWER: "Y"
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: restrict_swacls
NO_CHILD: restrict_swacls
PROPER_PARENT: ftpusers

LABEL: restrict_swacls
SHORT_EXP:  "The swagentd daemon allows for remote access to list and
install software on your system.  This is a great feature for remote
administration.  Security Patch Check can use this to query
remote machines.  Unfortunately, it can also be a security risk since
it makes patch and other critical system information available
to anyone inside that system's firewall.  For that reason, we
recommend that you disallow swagentd's default, remote read access."
QUESTION: "Would you like to restrict remote access to swlist?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
YES_CHILD: ndd
NO_CHILD:  ndd
PROPER_PARENT: stack_execute

LABEL: ndd
SHORT_EXP: "ndd is a utility for getting and setting network device parameters.
Would you like Bastille to change the network settings to improve security?
These settings are based upon the recommendations given in the \"HP-UX
Bastion Host Whitepaper\" available at:

http://www.hp.com/products1/unix/operating/infolibrary/whitepapers/building_a_bastion_host.pdf

Note: If you already have some non-default ndd settings in effect, Bastille
will make no change to your nddconf file.  Instead, you will need to merge the
recommended settings, which will appear in the TODO list, manually with
your current settings.

(MANUAL ACTION MAY BE REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
LONG_EXP: "ndd is a utility for getting and setting network device parameters.

The following is a list of ndd changes Bastille will make (which are some of
the recommendations from the \"HP-UX Bastion Host Whitepaper\"):

                                            Default   =>   Suggested
-----------------------------------------------------------------------
ip_forward_directed_broadcasts                  1   =>   0
ip_forward_src_routed                           1   =>   0
ip_forwarding                                   2   =>   0
ip_ire_gw_probe                                 1   =>   0
ip_pmtu_strategy                                2   =>   1
ip_send_redirects                               1   =>   0
ip_send_source_quench                           1   =>   0
tcp_conn_request_max                           20   =>   4096
tcp_syn_rcvd_max                              500   =>   1000

For more information on each of these parameters, run

ndd -h

Note: If you already have some non-default settings in effect, you will need to
merge the settings manually, and a reminder will be added to your TODO list.

(MANUAL ACTION MAY BE REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Would you like Bastille to make the suggested ndd changes?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
YES_CHILD: scan_ports
NO_CHILD: scan_ports
PROPER_PARENT: restrict_swacls
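
Because Bastille leaves nddconf untouched when non-default settings already exist, it is useful to see which of the suggested values are still missing.  The script below is an added example, not Bastille's code: it compares live values with the table above and lists the parameters that differ.  It assumes the HP-UX convention that ip_* parameters are read with `ndd -get /dev/ip <param>` and tcp_* parameters with `ndd -get /dev/tcp <param>`; when a sample table is passed in instead, it reads from that, so the logic can be exercised on a host without ndd.

```shell
#!/bin/sh
# Added example (not Bastille code): report ndd parameters whose current value
# differs from the Bastille-suggested value.

# parameter  suggested-value (copied from the table in the ndd question)
NDD_SUGGESTED='ip_forward_directed_broadcasts 0
ip_forward_src_routed 0
ip_forwarding 0
ip_ire_gw_probe 0
ip_pmtu_strategy 1
ip_send_redirects 0
ip_send_source_quench 0
tcp_conn_request_max 4096
tcp_syn_rcvd_max 1000'

# Constructed sample of current values: a host where three parameters
# were already hardened and six still sit at their defaults.
SAMPLE_CURRENT='ip_forward_directed_broadcasts 0
ip_forward_src_routed 1
ip_forwarding 0
ip_ire_gw_probe 1
ip_pmtu_strategy 2
ip_send_redirects 1
ip_send_source_quench 1
tcp_conn_request_max 4096
tcp_syn_rcvd_max 500'

# device_for <param>: the ndd device node that owns the parameter (assumption:
# tcp_* live under /dev/tcp, everything else here under /dev/ip)
device_for() {
    case $1 in
        tcp_*) echo /dev/tcp ;;
        *)     echo /dev/ip ;;
    esac
}

# lookup_in_table <table-text> <param>: value of param in a "param value" table
lookup_in_table() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { print $2 }'
}

# current_value <param> [table-text]: use the table when given, else live ndd
current_value() {
    if [ -n "$2" ]; then
        lookup_in_table "$2" "$1"
    else
        ndd -get "$(device_for "$1")" "$1"
    fi
}

# ndd_drift [table-text]: print "param current suggested" for each mismatch
ndd_drift() {
    printf '%s\n' "$NDD_SUGGESTED" | while read -r param want; do
        have=$(current_value "$param" "$1")
        [ "$have" = "$want" ] || echo "$param $have $want"
    done
}

# drift_count [table-text]: how many parameters still differ
drift_count() {
    ndd_drift "$1" | wc -l | tr -d ' '
}

# Demonstration against the constructed sample; run "ndd_drift" with no
# argument on an HP-UX host to query the live kernel.
ndd_drift "$SAMPLE_CURRENT"
```

The output lines are in "param current suggested" order, which is the information you need when merging the recommendations into an existing /etc/rc.config.d/nddconf by hand.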

LABEL: scan_ports
SHORT_EXP:  "One of the final steps in lockdown is to verify that only the
services you need are still running.  Several tools exist to do this,
including \"netstat\" which is included with HP-UX, and \"lsof\" (LiSt Open
Files), which is a free downloadable tool that can give you a lot of good
information about all the processes running on your system.  If there are
processes running that you don't recognize, you might take this as an
opportunity to do some research and learn about them.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION:  "Would you like instructions in your TODO list on how to run a
port scan?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
YES_CHILD: other_tools
NO_CHILD: other_tools
SKIP_CHILD: other_tools
PROPER_PARENT: ndd

LABEL: other_tools
SHORT_EXP: "Although Bastille can help you configure a lot of the security
relevant features of your operating system, it is not a substitute for a
complete security solution.  Such a solution includes properly configured
firewalls, network topologies, intrusion detection, policies, and user
education.  Hewlett Packard has tools and resources to help with many
aspects of security."
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
QUESTION: "Would you like information about other security tools that HP has to offer?"
YES_CHILD: mail_config
NO_CHILD: mail_config
SKIP_CHILD: mail_config
PROPER_PARENT: scan_ports

LABEL: mail_config
SHORT_EXP: "The HP-UX Bastille development team would like to know how you
are using Bastille.  Based on how you answered these questions, HP can meet
your needs better.  You can help by sending your configuration and
TODO files back to HP.  Answering \"yes\" to this question will do
that for you automatically.  If you feel that your hostname or your security
configuration is in any way confidential, then you should answer
\"no\" to this question, since the information will be sent
unencrypted over the public internet.  Also, if outbound mail is
unable to reach the internet from this machine, you should answer \"no.\"

If you have suggestions for improvements, new questions, code, and/or tests,
you can discuss these on the Bastille Linux discussion list.  You can
subscribe at:

http://lists.sourceforge.net/mailman/listinfo/bastille-linux-discuss

You can also provide feedback concerning the HP-UX version of Bastille
directly to bastille-feedback@fc.hp.com.  Please do send comments, even
if it's just to say you like the tool.  We want to hear from you."
QUESTION: "Are you willing to mail your configuration and TODO list to HP?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REQUIRE_DISTRO: HP-UX
YES_CHILD: configure_ipfilter
NO_CHILD: configure_ipfilter
PROPER_PARENT: other_tools

FILE: IPFilter.pm

LABEL: configure_ipfilter
SHORT_EXP: "Firewalls generally make up the first line of defense in any
network security architecture.  IPFilter is a free host-based firewall
which is available for HP-UX.  It looks like you have IPFilter installed,
but that does not necessarily mean that it has been configured (Bastille
cannot detect whether or not the rule-set is appropriate for your unique needs).

Bastille can create a very basic firewall configuration.

WARNING: Firewalls are designed to keep people out of your machine.
Therefore, this section has the ability to keep you out too.  Please
be very careful when answering these questions and verify that you
can still login to your machine remotely (and have physical access
just in case) before logging out.

WARNING: IPfilter is only able to block traffic which is processed by
the kernel.  Network cards exist which take the processing of this traffic
out of the kernel for performance reasons.  This is referred to as TOE, or
TCP offload engine.  If you are using such a card (can be used for iSCSI
and 10Gb ethernet), configuring an IPfilter-based firewall will have no
effect for traffic processed by that card.

WARNING: This will OVERWRITE any existing firewall rules.  If you already
have sufficiently secure firewall rules in place, then you should say \"No\"
to this question.  Answering \"Yes\" to this question will create and apply
firewall rules that will:

(a) Block incoming traffic with ip options set.  These options are used
frequently by attackers and infrequently for any other purpose.

(b) Apply a custom rule-set from /etc/opt/sec_mgmt/bastille/ipf.customrules
This file as delivered with Bastille will allow all outgoing connections
and keep track of them so that traffic which corresponds to those connections
will be allowed back in.  This basic configuration will allow most local
applications to operate properly without allowing attackers in through
ports you don't use.  The delivered custom rule-set also contains rules to
not log netbios nameserver, netbios datagram, and RPC portmap network traffic,
all of which can fill up your logs rather quickly on a large network.  Later,
you can add custom rules which better fit the specific needs of your
environment.  If you modify the custom file, you should rerun the Bastille
backend (bastille -b) to apply the new rule-set.

WARNING: Changing this file has the ability to either increase or decrease
the security of your system.  After applying this custom configuration,
be sure to double-check the active rule-set and your ipf.conf file to make
sure that the result is what you intended.

(c) Block anything else, including all incoming traffic which you are not
asked about explicitly.

If this is the first time you are using Bastille to configure your firewall,
you will be asked about several service specific options if the applicable software
appears to be installed.  If you have already configured a firewall using Bastille,
you will only be asked about protocols which are currently allowed by the Bastille
configuration.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION, see TODO list for
details)"
QUESTION: "Should Bastille setup basic firewall rules with these properties?"
YN_TOGGLE: 1
DEFAULT_ANSWER: N
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
SKIP_CHILD: install_ipfilter
YES_CHILD: block_SecureShell
NO_CHILD: install_ipfilter
PROPER_PARENT: mail_config
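
The three properties (a), (b) and (c) above describe a rule set; the script below is an added example that renders one, and is not the ipf.customrules file Bastille ships.  It emits IPFilter syntax with the IP-options drop first, stateful outbound passes, unlogged drops for netbios-ns, netbios-dgm and portmap, optional "pass in" rules for the services the follow-up questions leave open (ssh and dns are the ones handled here; their port numbers are the standard ones), and a logged default deny last.  Review the generated text before loading it with `ipf -Fa -f <file>`.

```shell
#!/bin/sh
# Added example (not Bastille's ipf.customrules): generate an IPFilter rule set
# with the properties the configure_ipfilter question describes.

# service_port <name>: well-known port for the services handled by this example
service_port() {
    case $1 in
        ssh) echo 22 ;;
        dns) echo 53 ;;
        *)   return 1 ;;
    esac
}

# generate_ipf_rules [service ...]: print the rule set; each listed service gets
# an explicit inbound allow ahead of the default deny.
generate_ipf_rules() {
    echo '# (a) packets carrying IP options are dropped and logged'
    echo 'block in log quick all with ipopts'
    echo '# (b) outbound traffic is allowed and tracked so replies are let back in'
    echo 'pass out quick proto tcp from any to any flags S keep state'
    echo 'pass out quick proto udp from any to any keep state'
    echo 'pass out quick proto icmp from any to any keep state'
    echo '# noisy LAN chatter dropped without logging: netbios-ns, netbios-dgm, portmap'
    echo 'block in quick proto udp from any to any port = 137'
    echo 'block in quick proto udp from any to any port = 138'
    echo 'block in quick proto tcp/udp from any to any port = 111'
    for svc in "$@"; do
        if ! port=$(service_port "$svc"); then
            echo "unknown service: $svc" >&2
            return 1
        fi
        echo "# service left open by the block_$svc question"
        echo "pass in quick proto tcp from any to any port = $port flags S keep state"
        if [ "$svc" = dns ]; then
            echo "pass in quick proto udp from any to any port = $port keep state"
        fi
    done
    echo '# (c) everything else inbound is dropped and logged'
    echo 'block in log all'
}

# last_rule [service ...]: the final rule, which must stay the default deny
last_rule() {
    generate_ipf_rules "$@" | tail -n 1
}

# pass_in_count [service ...]: number of inbound allow rules in the set
pass_in_count() {
    generate_ipf_rules "$@" | grep -c '^pass in ' || true
}

# Demonstration: a host that keeps Secure Shell reachable
generate_ipf_rules ssh
```

Every rule except the final one carries "quick", so IPFilter stops at the first match; the default deny only sees packets nothing earlier claimed, which is what makes the (c) property hold regardless of how many service passes are added.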

LABEL: block_SecureShell
SHORT_EXP: "Secure Shell is the best replacement for telnet, remote shell,
and ftp.  It is authenticated and encrypted.  If you want remote access
to your machine, this is the best way to do it.  You should only block
Secure Shell access if you have an alternate, secure method to manage
your machine (such as physical access to the console or a secure terminal
server) or if you do not use Secure Shell.

OTHERWISE, ANSWER NO TO THIS QUESTION."
QUESTION: "Do you want to BLOCK incoming Secure Shell connections with IPFilter?"
YN_TOGGLE: 1
DEFAULT_ANSWER: N
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: sshd
YES_CHILD: block_wbem
NO_CHILD: block_wbem
PROPER_PARENT: configure_ipfilter

LABEL: block_wbem
SHORT_EXP: "WBEM is a multi-system management protocol that can be used instead
of SNMP and that features encryption and authentication.  It is much better than
SNMP, which has a history of security issues and is by default a clear-text,
unauthenticated protocol.  Like SNMP, WBEM can be a powerful aid in managing
multiple machines, and it is by default much more secure.  However, any service
can be a security risk, so you should block it if you are not going to use it.

Note that WBEM is required for many HP management applications, such as
ServiceControl Manager, ParMgr, and others.

WARNING: WBEM uses a configurable port.  IPFilter will only be able to find
this port if you have an appropriate entry for wbem-https in /etc/services."
QUESTION: "Do you want to BLOCK incoming WBEM connections with IPFilter?"
YN_TOGGLE: 1
DEFAULT_ANSWER: N
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: cimserverd
PROPER_PARENT: block_SecureShell
YES_CHILD: block_hpidsagent
NO_CHILD: block_hpidsagent
SKIP_CHILD: block_hpidsagent

LABEL: block_hpidsagent
QUESTION: "Do you want to BLOCK incoming HIDS agent connections with IPFilter?"
SHORT_EXP: "HP-UX Host Intrusion Detection System (HIDS) enhances host-level
security with near real-time automatic monitoring of each
configured host for signs of potentially damaging intrusions.

HIDS consists of a management Graphical User Interface (GUI), called the
System Management GUI, that allows the administrator to configure, control,
and monitor the HIDS system, and a host-based agent which is an intrusion
detection sensor, that gathers system data, monitors system activity, and
issues intrusion alerts.  The communication between the GUI and agents is
encrypted.  The agent listens on port 2985 for incoming connections
initiated by the GUI.

Answer YES if you are NOT running the HP-UX Host Intrusion
Detection System (HIDS) agent on this host.  Also answer YES if you ARE
running the HP-UX Host HIDS agent on this host BUT you are running the
HP-UX Host HIDS GUI LOCALLY on this host (i.e., you are NOT remotely
managing this agent by running the GUI on a remote host).  Answer NO if
you are running an HP-UX Host HIDS agent locally on this host AND you are
remotely managing this agent with a remote HP-UX Host HIDS System Management
GUI.

NOTE:   You need to install and configure HIDS separately from
Bastille.  See http://www.hp.com/security for more information.

NOTE:  What HIDS does not do:

1. HIDS is not a replacement for comprehensive security policies and
procedures. You must define and implement such security policies and
procedures and configure HIDS to enforce them. A lack of such policies,
procedures, and configuration can result in attacks that go undetected
and/or the reporting of many false alerts; that is, HIDS will work but
your system may still be vulnerable.

2. HIDS does not prevent the onset of attacks. If your system is
vulnerable to attacks, those vulnerabilities will remain even after HIDS
is installed.

3. HIDS will not find static security flaws on a system. For example, if
the password file contained an illegitimate account before HIDS was
installed, that illegitimate account remains a vulnerability even after
HIDS is installed and operational. Furthermore, HIDS cannot authenticate
users of a valid account. For example, if users share password information,
HIDS cannot ascertain the identity of an unauthorized user gaining
access to a system via a legitimate account login."
YN_TOGGLE: 1
DEFAULT_ANSWER: N
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: idsagent
PROPER_PARENT: block_wbem
YES_CHILD: block_hpidsadmin
NO_CHILD: block_hpidsadmin
SKIP_CHILD: block_hpidsadmin

LABEL: block_hpidsadmin
QUESTION: "Do you want to BLOCK incoming connections to the HIDS GUI with IPFilter?"
SHORT_EXP: "The HP-UX Host Intrusion Detection System (HIDS)
Management Graphical User Interface (GUI) listens on port 2984
for incoming connections initiated by HIDS agents on each configured host.

Answer YES if you are NOT running the HP-UX Host HIDS GUI on this host.  Also
answer YES if you are running the HP-UX Host HIDS GUI on this host, and it
only manages one LOCAL HIDS agent running on this host (i.e., you are not
managing any HIDS agents on any remote hosts using this GUI).

Answer NO if you are running an HP-UX Host HIDS GUI on this host AND you
are managing some remote HIDS agents.

Note: You need to install and configure HIDS separately from
Bastille.  See http://www.hp.com/security for more information."
YN_TOGGLE: 1
DEFAULT_ANSWER: Y
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: idsagent
PROPER_PARENT: block_hpidsagent
YES_CHILD: block_webadmin
NO_CHILD: block_webadmin
SKIP_CHILD: block_webadmin

LABEL: block_webadmin
SHORT_EXP: "Port 1188 is used by web based tools that are replacements for
areas of SAM.

The listener on this port is HP's release of Apache with a custom
configuration file that loads only a minimum set of modules.  It is
also restricted to use https for all communication and can only be used
to run the system management tools.  In general, this web server is
running only when in use.  It exits after a period of inactivity.

Disabling this port will mean that some system administration functions
will only be available using the command line."
QUESTION: "Do you want to BLOCK incoming web admin connections w/ IPFilter?"
YN_TOGGLE: 1
DEFAULT_ANSWER: Y
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: webadmlogin
PROPER_PARENT: block_hpidsadmin
YES_CHILD: block_DNSquery
NO_CHILD: block_webadminautostart
SKIP_CHILD: block_DNSquery

LABEL: block_webadminautostart
SHORT_EXP: "Port 1110 is used to auto start the web administration server
on port 1188.  This port is not used unless configured with the 'waconf'
command.

The listener on this port is inetd.  When a request is made on this port,
inetd runs a program that checks for a valid url and then starts the web
administration server and redirects the requesting browser to port 1188.

Disabling this port will keep the auto start feature from working.  Local
starting of the web administration server will continue to work.

Connections on this port are neither authenticated nor encrypted, but this
should be ok because of the limited functionality on this port.  It is
important, as is the case with all web pages, when using the autostart
feature to verify the auto-redirect URL to make sure it says 'https://'
and has the correct hostname (and a valid certificate that matches the host)."
QUESTION: "Do you want to BLOCK external webadmin tool autostarts w/ IPFilter?"
YN_TOGGLE: 1
DEFAULT_ANSWER: N
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: webadmlogin
PROPER_PARENT:  block_webadmin
YES_CHILD: block_DNSquery
NO_CHILD: block_DNSquery

LABEL: block_DNSquery
SHORT_EXP: "DNS query connections should only be allowed on DNS
servers.  If this machine is a DNS server for other machines, then you
should answer \"No\" to this question.  Otherwise, you should block
DNS queries by answering \"Yes\"."
QUESTION: "Do you want to BLOCK incoming DNS query connections with IPFilter?"
YN_TOGGLE: 1
DEFAULT_ANSWER: Y
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: named.conf
YES_CHILD: install_ipfilter
NO_CHILD: block_DNSzonetransfer
SKIP_CHILD: install_ipfilter
PROPER_PARENT: block_webadmin

LABEL: block_DNSzonetransfer
SHORT_EXP: "DNS zone transfer connections should only be allowed on master DNS
servers.  If this machine is a DNS server for other machines and has slave
DNS servers which need to be able to do zone transfers, you should
answer \"No\" to this question.  Otherwise, you should answer \"Yes\"."
QUESTION: "Do you want to BLOCK incoming DNS zone transfers with IPFilter?"
YN_TOGGLE: 1
DEFAULT_ANSWER: Y
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: named.conf
YES_CHILD: install_ipfilter
NO_CHILD: install_ipfilter
PROPER_PARENT: block_DNSquery

LABEL: install_ipfilter
SHORT_EXP: "Firewalls generally make up the first line of defense in any
network security architecture.  IPFilter is a free host-based firewall
which is supported and available for HP-UX.  Using IPFilter, you can
write rules which allow only approved inbound and outbound network traffic
to pass through your firewall.  This can dramatically improve your system's
overall resistance to network attacks by limiting the number of ways your
system could be attacked in the first place.  Note that it can take a significant
amount of work and expertise to properly configure and maintain firewall rules, and the
installation process loads a kernel module and requires a reboot.

If you re-run Bastille after installing IPFilter, Bastille will assist
you with your IPFilter configuration.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Would you like information on how to get a copy of IPFilter?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
YES_CHILD: tmpdir
NO_CHILD: tmpdir
SKIP_CHILD: tmpdir
PROPER_PARENT: configure_ipfilter

FILE: TMPDIR.pm

LABEL: tmpdir
SHORT_EXP: "Many programs use the /tmp directory in ways that are dangerous
on multi-user systems. Many of those programs will use an alternate directory
if one is specified with the TMPDIR or TMP environment variables. We can
install scripts that will be run when users log in that safely create
suitable temporary directories and set the TMPDIR and TMP environment
variables. This depends on your system supporting /etc/profile.d scripts."
QUESTION: "Would you like to install TMPDIR/TMP scripts? [N]"
REQUIRE_DISTRO: LINUX SE TB
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: ip_intro
NO_CHILD: ip_intro
PROPER_PARENT: install_ipfilter

FILE: Firewall.pm

LABEL: ip_intro
SHORT_EXP: "Using the packet filtering script, you will be able to do packet
filtering/modification via the Linux kernel.  You can use this to block certain types
of connections to or from your machine, to turn your machine into a small firewall,
and to do Network Address Translation (also known as \"IP masquerading\"), which lets
several machines share a single IP address.

If you install the packet filtering script, it will create firewalling instructions for you.
You will be prompted to make various choices (with suggested defaults), but you may
need to edit it for your particular site and WILL need to individually activate it.

This script supports both kernel 2.2 (ipchains) and 2.4 (iptables if available, otherwise ipchains)."
QUESTION: "Would you like to run the packet filtering script? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: End_Screen
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: ip_detail_level_kludge
NO_CHILD: End_Screen
PROPER_PARENT: tmpdir

LABEL: ip_detail_level_kludge
QUESTION:
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_exp_type
DEFAULT_ANSWER: Y
YN_TOGGLE: 0
YES_CHILD: ip_exp_type
PROPER_PARENT: ip_intro


LABEL: ip_exp_type
SHORT_EXP: "You will be asked to choose initial settings for the firewall script. The
defaults are generally the minimal recommended settings. To accept the default (shown
in brackets), press RETURN. To change a non-empty default to an empty value, enter
some white space before pressing RETURN.

Your responses should be white space delimited lists of items. IP addresses may be
entered in plain \"dotted-quad\" notation, with or without netmasks.  For instance,
\"10.0.0.0/8\" \"10.0.0.0/255.0.0.0\" \"10.0.0.0\" will all be read as legitimate ways
to express the 10.*.*.* \"class A\" network space.  If you have \"unexpected\"
networks like \"10.0.0.0/255.255.255.0\" or \"192.168.1.0/255.255.255.128\", you will
need to specify that explicitly.

Services can be entered as names (\"smtp\") or numbers (\"25\").  Be warned that any
names must explicitly match one of those listed in /etc/services. Ranges may be
specified with colons, e.g. \"1024:\" indicates all ports >= 1024, \"6000:6020\"
indicates ports 6000 to 6020, inclusive.

Unless you really understand networking, you should ask for more information on most
of the options in this script."
QUESTION:
REQUIRE_DISTRO: LINUX DB SE TB
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_advnetwork
NO_CHILD: ip_advnetwork
PROPER_PARENT: ip_intro
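
The answer grammar described in ip_exp_type (white-space-delimited lists, dotted quads with or without a netmask, service names or numbers, colon-delimited port ranges) as an added Python example; this is not Bastille's own code. It normalises an answer so you can see exactly how each form is read. Two things are my own: the services table is a constructed stand-in for /etc/services so the example runs offline, and a bare address without a netmask is read as its classful network, which is how I read the text's description of \"10.0.0.0\" as the class A space.

```python
"""Parse the answer formats the Bastille firewall questions accept.

Added example (not Bastille's own code).  Networks are dotted quads with an
optional netmask given as a prefix length or as a dotted mask; services are
/etc/services names, port numbers, or colon-delimited ranges.  Answers are
white-space-delimited lists, and a whitespace-only answer means "empty".
"""
import ipaddress
from typing import List, Tuple

MAX_PORT = 65535

# Constructed stand-in for /etc/services so the example runs offline.  The
# real script requires a name to match an /etc/services entry exactly.
SERVICES = {
    "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
    "finger": 79, "pop3": 110, "sunrpc": 111, "imap": 143,
}


def split_answer(answer: str) -> List[str]:
    """White-space-delimited list; "   " (the way to clear a default) -> []."""
    return answer.split()


def classful_prefix(addr: str) -> int:
    """Assumption: a bare address is read as its classful network, which is
    how the text describes "10.0.0.0" (the "class A" 10.*.*.* space).  Masks
    that do not follow the class ("unexpected" networks) must be explicit."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8      # class A
    if first < 192:
        return 16     # class B
    return 24         # class C


def parse_network(spec: str) -> ipaddress.IPv4Network:
    """'10.0.0.0/8', '10.0.0.0/255.0.0.0' and '10.0.0.0' all -> 10.0.0.0/8."""
    if "/" in spec:
        # ipaddress accepts both prefix lengths and dotted netmasks after '/'.
        return ipaddress.IPv4Network(spec, strict=False)
    ipaddress.IPv4Address(spec)  # raises on anything that is not a dotted quad
    return ipaddress.IPv4Network(f"{spec}/{classful_prefix(spec)}", strict=False)


def parse_service(spec: str) -> Tuple[int, int]:
    """Inclusive (low, high) port range.

    'smtp' -> (25, 25); '25' -> (25, 25); '1024:' -> (1024, 65535);
    '6000:6020' -> (6000, 6020).  Names not in the services table and
    inverted or out-of-range ranges are rejected.
    """
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s)                        # int('') raises: low end is required
        hi = int(hi_s) if hi_s else MAX_PORT  # open-ended "1024:" means 1024-65535
    elif spec.isdigit():
        lo = hi = int(spec)
    elif spec in SERVICES:
        lo = hi = SERVICES[spec]
    else:
        raise ValueError(f"service {spec!r} does not match an /etc/services entry")
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


def is_valid_service(spec: str) -> bool:
    """True when parse_service accepts spec (handy for validating an answer)."""
    try:
        parse_service(spec)
        return True
    except ValueError:
        return False


def parse_networks(answer: str) -> List[str]:
    """Normalise a whole answer to CIDR strings, e.g. the 'DNS servers' answer."""
    return [str(parse_network(s)) for s in split_answer(answer)]


def parse_services(answer: str) -> List[Tuple[int, int]]:
    """Normalise a whole answer to port ranges, e.g. 'TCP services to block'."""
    return [parse_service(s) for s in split_answer(answer)]


if __name__ == "__main__":
    print(parse_networks("10.0.0.0/8 10.0.0.0/255.0.0.0 10.0.0.0 192.168.1.0/255.255.255.128"))
    print(parse_services("2049 2065:2090 6000:6020 7100 1024: smtp"))
```

Running the module shows the three spellings of the 10/8 network collapsing to one value, while the \"unexpected\" 192.168.1.0/255.255.255.128 keeps its explicit /25; an inverted range such as \"6020:6000\" or a name absent from the table is rejected rather than silently opening or closing the wrong ports.
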

LABEL: ip_advnetwork
SHORT_EXP: "Do you need the advanced networking options?  If this is a standalone
workstation or server with a single network interface (e.g. may connect to one of
several PPP servers, but is never connected to two different networks simultaneously),
then you do not need advanced networking options.

If this is a server that deals with multiple interfaces or provides IP
Masquerading/NAT service, then you do need the advanced networking options."
QUESTION: "Do you need the advanced networking options?"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_dns
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
DEFAULT_ANSWER: N
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_dns
NO_CHILD: ip_b_dns
PROPER_PARENT: ip_exp_type

LABEL: ip_s_dns
SHORT_EXP: "This controls what external servers you can use for DNS lookups. For
regular workstations, this should contain all your name server addresses, separated by
spaces. If you want to run a caching name server and/or run your own DNS, leave this at
\"0.0.0.0/0\" so you can query any DNS server. If you set this to an empty value, the
firewall script will read the current name servers from /etc/resolv.conf when it is
run, which is the recommended configuration. This default is designed to ensure
functionality.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
LONG_EXP: "DNS servers are used to translate names like \"example.org\" into addresses
like \"10.1.2.3\". You need to configure DNS for many pieces of software to function
properly. Your system administrator or Internet Service Provider should be able to
provide you with this information. Most users should simply leave this at
\"0.0.0.0/0\" (or make it blank) so the firewall script will be more forgiving (or do
the right thing automatically). For instance, DHCP clients often re-write
/etc/resolv.conf when obtaining a new lease. (This means you may want to configure
your system to run the firewall script both before _and_ after setting up your
DHCP-configured interface if you set this to the safest value, an empty string.)

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "DNS servers: [0.0.0.0/0]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_trustiface
DEFAULT_ANSWER: 0.0.0.0/0
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_trustiface
NO_CHILD:
PROPER_PARENT: ip_advnetwork

LABEL: ip_s_trustiface
SHORT_EXP: "List the interface names of all interfaces you want to have unrestricted
access to this machine. You should at least trust \"lo\", the \"loopback\" interface."
LONG_EXP: "Interface names normally look like \"eth0\" for the first Ethernet card,
\"ppp0\" for a PPP connection, etc. Any traffic coming from the interfaces listed here
will be allowed by the kernel (though TCP Wrappers or the application itself may end
up denying the connection attempt). Basically, you will have no kernel-level firewall
protecting you from traffic on these interfaces, and should therefore think carefully
before changing the default.

List the interface names of all interfaces you want to have unrestricted
access to this machine. You should at least trust \"lo\", the \"loopback\" interface."
QUESTION: "Trusted interface names: [lo]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_publiciface
DEFAULT_ANSWER: lo
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_publiciface
NO_CHILD:
PROPER_PARENT: ip_s_dns

LABEL: ip_s_publiciface
SHORT_EXP: "List names of all interfaces connected to public/untrusted networks. The
\"+\" character is a wildcard, e.g. \"ppp+\" matches any interface name beginning with
\"ppp\" in case you have multiple dialup profiles."
LONG_EXP: "List names of all interfaces connected to public/untrusted networks. The
\"+\" character is a wildcard, e.g. \"ppp+\" matches any interface name beginning with
\"ppp\" in case you have multiple dialup profiles.

Using the \"+\" suffix allows you to configure more interfaces (for
instance, more PPP dialup entries) without having to modify the firewall script. "
QUESTION: "Public interfaces: [eth+ ppp+ slip+]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_internaliface
DEFAULT_ANSWER: eth+ ppp+ slip+
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_internaliface
NO_CHILD:
PROPER_PARENT: ip_s_trustiface

LABEL: ip_s_internaliface
SHORT_EXP: "This is for servers that will act as NAT / IP Masq firewalls between
local, but not fully trusted, networks and public networks like the Internet. List
names of all \"internal\" interfaces that might have full ability to use NAT / IP Masq
to contact public networks, but only limited access to services running on this
machine. Do not use \"+\" characters; name each interface explicitly."
LONG_EXP: "This is for servers that will act as NAT / IP Masq firewalls between
local, but not fully trusted, networks and public networks like the Internet. List
names of all \"internal\" interfaces that might have full ability to use NAT / IP Masq
to contact public networks, but only limited access to services running on this
machine. Do not use \"+\" characters; name each interface explicitly.

Normal workstations should leave this as the empty default. "
QUESTION: "Internal interfaces: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_tcpaudit
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_tcpaudit
NO_CHILD:
PROPER_PARENT: ip_s_publiciface

LABEL: ip_s_tcpaudit
SHORT_EXP: "List any TCP-based services (name or port number) that you want the kernel
to log connection attempts from the \"public\" interfaces."
LONG_EXP: "List any TCP-based services (name or port number) that you want the kernel
to log connection attempts from the \"public\" interfaces.

If you have \"syslog\" configured to log \"kern\" messages of \"info\"
level, the kernel will automatically log connection attempts from the \"public\"
interfaces (only the \"public\" interfaces) to these ports and/or services. This is
useful to spot possible probes or attacks. The default setting records connection
attempts to several services, although you may not have them installed or enabled. "
QUESTION: "TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login
linuxconf ssh]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_udpaudit
DEFAULT_ANSWER: telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_udpaudit
NO_CHILD:
PROPER_PARENT: ip_s_internaliface

LABEL: ip_s_udpaudit
SHORT_EXP: "List any UDP-based services (name or port number) that you want the kernel
to log connection attempts from the \"public\" interfaces.  The default here is port
31337, the standard port for the infamous \"Back Orifice\" trojan/remote-control app
for Windows systems."
LONG_EXP: "List any UDP-based services (name or port number) that you want the kernel
to log connection attempts from the \"public\" interfaces.  The default here is port
31337, the standard port for the infamous \"Back Orifice\" trojan/remote-control app
for Windows systems.

While attackers probing for Back Orifice may not pose a threat to your
Linux system, logging their attempts helps identify the \"bad guys\"."
QUESTION: "UDP services to audit: [31337]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_icmpaudit
DEFAULT_ANSWER: 31337
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_icmpaudit
NO_CHILD:
PROPER_PARENT: ip_s_tcpaudit

LABEL: ip_s_icmpaudit
SHORT_EXP: "List any ICMP types that you want the kernel to log when they arrive
from the \"public\" interfaces.  These should be specified as type names, not
numbers. One example is \"echo-request\", which is used by Microsoft ping
and tracert [sic] clients."
QUESTION: "ICMP services to audit: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_publictcp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_publictcp
NO_CHILD:
PROPER_PARENT: ip_s_udpaudit

LABEL: ip_s_publictcp
SHORT_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"public\" interfaces. Typical workstations will not want to make any services
available, though admins may want to enable something like secure shell (default port: 22) for
remote administration. Those running caching or \"real\" DNS servers on this machine
will want to enable domain (or port 53). If you want to make FTP available to clients
on the \"public\" interfaces, you will want to allow the range of ports used
for \"passive\" FTP connections."
LONG_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"public\" interfaces. Typical workstations will not want to make any services
available, though admins may want to enable something like secure shell (default port: 22) for
remote administration. Those running caching or \"real\" DNS servers on this machine
will want to enable domain (or port 53). If you want to make FTP available to clients
on the \"public\" interfaces, you will want to allow the range of ports used
for \"passive\" FTP connections.

You will need to list the names or port numbers of any services running on
this machine that you want hosts on the \"public\" network to access. For instance, if
you have a local Web server you want to share, add \"80\" for the normal HTTP port.
Not doing so means you will be able to access the service locally, but \"public\"
hosts will not."
QUESTION: "TCP service names or port numbers to allow on public interfaces: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_publicudp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_publicudp
NO_CHILD:
PROPER_PARENT: ip_s_icmpaudit

LABEL: ip_s_publicudp
SHORT_EXP: "List names or port numbers on which to accept UDP connection attempts from
the \"public\" interfaces. Again, typical workstations will not want to make any
services available, but if you're running caching or real DNS servers, you will need
to enable domain (port 53)."
QUESTION: "UDP service names or port numbers to allow on public interfaces: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_internaltcp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_internaltcp
NO_CHILD:
PROPER_PARENT: ip_s_publictcp

LABEL: ip_s_internaltcp
SHORT_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"internal\" interfaces.  Note that the \"public\" services will not be made
available to \"internal\" hosts unless you also specify those services again here. If
you want to make FTP available to clients on the \"internal\" interfaces, you will
want to allow the range of ports used for \"passive\" FTP connections. "
LONG_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"internal\" interfaces.  Note that the \"public\" services will not be made
available to \"internal\" hosts unless you also specify those services again here. If
you want to make FTP available to clients on the \"internal\" interfaces, you will
want to allow the range of ports used for \"passive\" FTP connections.

For instance, a corporate firewall/mailserver might have \"smtp\" enabled
on the public side to accept outside mail, and for \"internal\" interfaces it might
allow both \"smtp\" and \"imap\" so local users can both send and get mail; in that
case you would set this value to \"smtp imap\". This does not affect IP Masquerading's
ability to let masq'ed users access any services on outside/Internet hosts. "
QUESTION: "TCP service names or port numbers to allow on private interfaces: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_internaludp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_internaludp
NO_CHILD:
PROPER_PARENT: ip_s_publicudp

LABEL: ip_s_internaludp
SHORT_EXP: "List names or port numbers on which to accept UDP connection attempts from
the \"internal\" interfaces. Note that the \"public\" services will not be made
available to \"internal\" hosts unless you also specify those services again here."
LONG_EXP: "List names or port numbers on which to accept UDP connection attempts from
the \"internal\" interfaces. Note that the \"public\" services will not be made
available to \"internal\" hosts unless you also specify those services again here.

As with internal TCP, you do not need to enable the domain service if the
internal clients are using IP Masq to query outside DNS servers. "
QUESTION: "UDP service names or port numbers to allow on private interfaces: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_passiveftp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_passiveftp
NO_CHILD:
PROPER_PARENT: ip_s_internaltcp

LABEL: ip_s_passiveftp
SHORT_EXP: "This has nothing to do with whether you are running an FTP _server_ on
this machine; this has to do with how clients running on this machine will talk to
_other_ machines running FTP servers reachable through the \"public\" interfaces. By
forcing your local FTP clients to use \"passive\" mode, you will not have to be as
cautious about blocking specific \"high\" TCP services. Set to \"Y\" to force
\"passive\" FTP; the default \"N\" will allow you to use normal, \"active\" FTP.
Forcing passive mode (\"Y\") is recommended, but less convenient."
LONG_EXP: "This has nothing to do with whether you are running an FTP _server_ on
this machine; this has to do with how clients running on this machine will talk to
_other_ machines running FTP servers reachable through the \"public\" interfaces. By
forcing your local FTP clients to use \"passive\" mode, you will not have to be as
cautious about blocking specific \"high\" TCP services. Set to \"Y\" to force
\"passive\" FTP; the default \"N\" will allow you to use normal, \"active\" FTP.
Forcing passive mode (\"Y\") is recommended, but less convenient.

Forcing passive FTP will make using some FTP clients more of a hassle, as
you may need to manually tell them to use passive mode, but many clients such as
Netscape Navigator have no problem with passive FTP. If you have problems with FTP,
this is the first place to look.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "Force passive mode? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: N
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_tcpblock
NO_CHILD: ip_s_tcpblock
PROPER_PARENT: ip_s_internaludp

LABEL: ip_s_tcpblock
SHORT_EXP: "Specify TCP services to block.  These rules take effect _after_ the rules for
the TCP services made public above. If you allow the use of \"active\" FTP clients
(FORCE_PASV_FTP at its default of \"0\"), you will need to be careful here, and will
want to make sure you block all TCP services listening on high ports. If you are
forcing \"passive\" FTP, you may ignore this setting."
LONG_EXP: "Specify TCP services to block.  These rules take effect _after_ the rules for
the TCP services made public above. If you allow the use of \"active\" FTP clients
(FORCE_PASV_FTP at its default of \"0\"), you will need to be careful here, and will
want to make sure you block all TCP services listening on high ports. If you are
forcing \"passive\" FTP, you may ignore this setting.

We have listed the services we have observed. To be more cautious, you
should look at the output of 'lsof -i' (run as root) once the system is up and all
services are running.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "TCP services to block: [2049 2065:2090 6000:6020 7100]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_udpblock
DEFAULT_ANSWER: 2049 2065:2090 6000:6020 7100
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_udpblock
NO_CHILD:
PROPER_PARENT: ip_s_passiveftp

LABEL: ip_s_udpblock
SHORT_EXP: "Specify UDP services to block.  As with the TCP services, the UDP services
to make public will take precedence. The high UDP services that you do not block will
be reachable by any allowed NTP or DNS server. Sites with more such \"high UDP\"
services, or global DNS availability (as is the default, DNS_SERVERS=\"0.0.0.0/0\"),
will want to be sure they have all such high UDP services listed.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "UDP services to block: [2049 6770]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_icmpallowed
DEFAULT_ANSWER: 2049 6770
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_icmpallowed
NO_CHILD:
PROPER_PARENT: ip_s_tcpblock

LABEL: ip_s_icmpallowed
SHORT_EXP: "Specify the ICMP allowed types.  The default suggestion allows you to
probe other hosts with ping and traceroute. Minimally you will need to allow
\"destination-unreachable\"."
LONG_EXP: "Specify the ICMP allowed types.  The default suggestion allows you to
probe other hosts with ping and traceroute. Minimally you will need to allow
\"destination-unreachable\".

\"destination-unreachable\" lets other machines' servers tell your system
when things aren't right; don't disable this unless you really know what you're
getting into. If you don't allow \"echo-reply\" and \"time-exceeded\", you won't be
able to use ping and traceroute to debug issues on the \"public\" networks. "
QUESTION: "ICMP allowed types: [destination-unreachable echo-reply time-exceeded]"
SKIP_CHILD: ip_s_srcaddr
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: destination-unreachable echo-reply time-exceeded
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_srcaddr
NO_CHILD:
PROPER_PARENT: ip_s_udpblock

LABEL: ip_s_srcaddr
SHORT_EXP: "Do you want to enable source address verification? This configures the
kernel to block traffic likely to have spoofed IP addresses. Set to \"N\" to disable.
The default (\"Y\") is highly recommended."
LONG_EXP: "Do you want to enable source address verification? This configures the
kernel to block traffic likely to have spoofed IP addresses. Set to \"N\" to disable.
The default (\"Y\") is highly recommended.

This is a standard, and highly recommended, precaution. "
QUESTION: "Enable source address verification? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: Y
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_ipmasq
NO_CHILD: ip_s_ipmasq
PROPER_PARENT: ip_s_icmpallowed
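
The \"source address verification\" asked about in ip_s_srcaddr is, on Linux, the kernel's reverse-path filter, exposed per interface as /proc/sys/net/ipv4/conf/<iface>/rp_filter. The kernel uses the larger of conf/all/rp_filter and the interface's own value, so an interface is only unprotected when both are 0. The following is an added Python check, not Bastille code: it reads those files (no privilege needed) and reports interfaces where spoofed-source traffic would still be accepted. The fixture builder constructs a stand-in directory tree so the check can be exercised offline.

```python
"""Check that source address verification (rp_filter) is on per interface.

Added example, not Bastille code.  On Linux the "source address
verification" the firewall question refers to is the kernel's reverse-path
filter, exposed as /proc/sys/net/ipv4/conf/<iface>/rp_filter.  The kernel
uses the larger of conf/all/rp_filter and conf/<iface>/rp_filter, so an
interface is only unprotected when both are 0.  Reading /proc needs no
privilege, so a non-root audit job can run this.
"""
import os
import tempfile
from typing import Dict, List

PROC_CONF = "/proc/sys/net/ipv4/conf"


def rp_filter_status(base: str = PROC_CONF) -> Dict[str, int]:
    """Map every interface directory under base to its rp_filter value."""
    status: Dict[str, int] = {}
    for ifc in sorted(os.listdir(base)):
        path = os.path.join(base, ifc, "rp_filter")
        if os.path.isfile(path):
            with open(path) as fh:
                status[ifc] = int(fh.read().strip())
    return status


def unverified_interfaces(status: Dict[str, int]) -> List[str]:
    """Interfaces where spoofed-source packets would still be accepted.

    'all' and 'default' are the kernel's aggregate knobs, not interfaces;
    the effective value for an interface is max(all, interface), and any
    non-zero value (1 = strict, 2 = loose) enables verification.
    """
    all_v = status.get("all", 0)
    return sorted(ifc for ifc, v in status.items()
                  if ifc not in ("all", "default") and max(v, all_v) == 0)


def build_fixture(values: Dict[str, int]) -> str:
    """Constructed stand-in for /proc/sys/net/ipv4/conf so the check can be
    exercised offline; returns the directory path."""
    base = tempfile.mkdtemp(prefix="rp_filter_")
    for ifc, v in values.items():
        os.makedirs(os.path.join(base, ifc))
        with open(os.path.join(base, ifc, "rp_filter"), "w") as fh:
            fh.write(f"{v}\n")
    return base


if __name__ == "__main__":
    # Use the live kernel tree when present, otherwise a constructed one.
    base = PROC_CONF if os.path.isdir(PROC_CONF) else build_fixture(
        {"all": 0, "default": 1, "lo": 1, "eth0": 0, "eth1": 1})
    bad = unverified_interfaces(rp_filter_status(base))
    print("rp_filter off on:", ", ".join(bad) if bad else "none")
```

Note that conf/default/rp_filter only seeds interfaces created later; it does not protect an interface that already has 0, which is why the check looks at each interface together with conf/all rather than at default.
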

LABEL: ip_s_ipmasq
SHORT_EXP: "If this machine will be used as an IP Masquerading / Network Address
Translation gateway, enter the networks to be masqueraded (from trusted interfaces).
Example: \"10.0.0.0\". If you will not be using IP Masq / NAT, leave this as the empty
default."
LONG_EXP: "If this machine will be used as an IP Masquerading / Network Address
Translation gateway, enter the networks to be masqueraded (from trusted interfaces).
Example: \"10.0.0.0\". If you will not be using IP Masq / NAT, leave this as the empty
default.

Note this expects _network_ addresses (either with 0's on the end or with
explicit netmasks), _not_ interface names. "
QUESTION: "Masqueraded networks: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_kernelmasq
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_kernelmasq
NO_CHILD:
PROPER_PARENT: ip_s_srcaddr

LABEL: ip_s_kernelmasq
SHORT_EXP: "Do you want to load any kernel modules for IP masquerading?  Special
kernel modules are required to provide certain services via IP Masquerading. Possible
modules include cuseeme, ftp, irc, quake, raudio, and vdolive. The script assumes each
name should have the usual prefix, e.g. \"raudio\" will cause the script to load the
\"ip_masq_raudio\" module."
QUESTION: "Kernel modules to masquerade: [ftp raudio vdolive]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_rejectmethod
DEFAULT_ANSWER: ftp raudio vdolive
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_rejectmethod
NO_CHILD:
PROPER_PARENT: ip_s_ipmasq

LABEL: ip_s_rejectmethod
SHORT_EXP: "You need to set how the kernel rejects blocked traffic. \"REJECT\" is
friendly: it lets the remote host know you're blocking their attempt (and can therefore
be used to prove you're on the network). \"DENY\" is unfriendly: it simply drops the
connection attempt, leaving the remote host to wait and probably give up after some
time. (Note that you may specify either \"DENY\" or \"DROP\"; the packet filter will
use the appropriate keyword: DENY for kernel 2.2/ipchains, DROP for 2.4/iptables.)"
LONG_EXP: "You need to set how the kernel rejects blocked traffic. \"REJECT\" is
friendly: it lets the remote host know you're blocking their attempt (and can therefore
be used to prove you're on the network). \"DENY\" is unfriendly: it simply drops the
connection attempt, leaving the remote host to wait and probably give up after some
time.

There's no definite right answer here. With DENY, your machine will be less
visible, especially if using kernel 2.4/iptables. "
QUESTION: "Reject method: [DENY]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_dhcpiface
DEFAULT_ANSWER: DENY
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_dhcpiface
NO_CHILD:
PROPER_PARENT: ip_s_kernelmasq
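
The ordering that ip_s_tcpaudit, ip_s_publictcp, ip_s_internaltcp, ip_s_tcpblock and ip_s_rejectmethod describe, as an added Python dry run; this is not the bastille-firewall script and not its real output. It renders the iptables commands the answers imply, in order: audit (LOG) rules first because LOG does not stop rule traversal, then the public allow list, then the block list (so blocks take effect after the public allows), with the internal interfaces receiving only the internal list, and the DENY/DROP answer mapped to the keyword of the kernel in use. The rule shapes (--syn, --log-prefix, the default port numbers I assigned to the audited service names) are my choices; the commands are returned as strings and never executed.

```python
"""Dry-run renderer for the TCP rule order the Bastille firewall questions describe.

Added example, not the bastille-firewall script and not its real output.
Shows: audit (LOG) rules are non-terminating and come first; the public allow
list is applied before the block list; internal interfaces get only the
internal list (public services are not inherited); the DENY/DROP answer is
turned into the keyword for the kernel in use.  Nothing here is executed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high), as in the answer "6000:6020"

# Defaults from the questions: "telnet ftp imap pop3 finger sunrpc exec login
# linuxconf ssh" are audited; "2049 2065:2090 6000:6020 7100" are blocked.
# The port numbers for the names are my /etc/services reading (assumption).
DEFAULT_TCP_AUDIT = [(23, 23), (21, 21), (143, 143), (110, 110), (79, 79),
                     (111, 111), (512, 512), (513, 513), (98, 98), (22, 22)]
DEFAULT_TCP_BLOCK = [(2049, 2049), (2065, 2090), (6000, 6020), (7100, 7100)]


def reject_target(answer: str, kernel: str) -> str:
    """'DENY' and 'DROP' are interchangeable answers; the keyword depends on
    the kernel: DENY for 2.2/ipchains, DROP for 2.4/iptables.  REJECT is the
    same on both and tells the peer it was blocked."""
    a = answer.upper()
    if a == "REJECT":
        return "REJECT"
    if a in ("DENY", "DROP"):
        return "DENY" if kernel == "ipchains" else "DROP"
    raise ValueError(f"unknown reject method {answer!r}")


def dport(r: PortRange) -> str:
    """iptables uses the same colon range syntax as the questions."""
    lo, hi = r
    return str(lo) if lo == hi else f"{lo}:{hi}"


@dataclass
class Answers:
    trusted_ifaces: List[str] = field(default_factory=lambda: ["lo"])
    public_ifaces: List[str] = field(default_factory=lambda: ["eth+", "ppp+", "slip+"])
    internal_ifaces: List[str] = field(default_factory=list)
    tcp_audit: List[PortRange] = field(default_factory=lambda: list(DEFAULT_TCP_AUDIT))
    tcp_public: List[PortRange] = field(default_factory=list)
    tcp_internal: List[PortRange] = field(default_factory=list)
    tcp_block: List[PortRange] = field(default_factory=lambda: list(DEFAULT_TCP_BLOCK))
    reject_method: str = "DENY"


def render_iptables(a: Answers) -> List[str]:
    """Return the iptables commands in the order they would be appended."""
    target = reject_target(a.reject_method, "iptables")
    rules: List[str] = []
    for ifc in a.trusted_ifaces:
        # Trusted interfaces get no kernel-level filtering at all.
        rules.append(f"iptables -A INPUT -i {ifc} -j ACCEPT")
    for ifc in a.public_ifaces:  # "+" is iptables' interface wildcard, e.g. ppp+
        for r in a.tcp_audit:    # LOG does not end traversal, so audit first
            rules.append(f"iptables -A INPUT -i {ifc} -p tcp --syn --dport {dport(r)} "
                         f"-j LOG --log-prefix \"public tcp \"")
        for r in a.tcp_public:   # an allow here wins over a later block rule
            rules.append(f"iptables -A INPUT -i {ifc} -p tcp --syn --dport {dport(r)} -j ACCEPT")
        for r in a.tcp_block:    # blocks take effect after the public allows
            rules.append(f"iptables -A INPUT -i {ifc} -p tcp --syn --dport {dport(r)} -j {target}")
    for ifc in a.internal_ifaces:
        # Public services are NOT made available here unless listed again.
        for r in a.tcp_internal:
            rules.append(f"iptables -A INPUT -i {ifc} -p tcp --syn --dport {dport(r)} -j ACCEPT")
    return rules


def targets_for(rules: List[str], iface: str) -> List[str]:
    """The -j targets of the rules on one interface, in order (for checking)."""
    return [r.split(" -j ")[1].split()[0] for r in rules if f" -i {iface} " in r]


if __name__ == "__main__":
    # The mail-server case from ip_s_internaltcp: smtp public, smtp+imap internal.
    ex = Answers(public_ifaces=["eth0"], internal_ifaces=["eth1"],
                 tcp_public=[(25, 25)], tcp_internal=[(25, 25), (143, 143)])
    print("\n".join(render_iptables(ex)))
```

Run it to see why the questions repeat the \"public\" services in the internal list: eth1 gets ACCEPT rules only for what was answered there, and a service allowed on eth0 but omitted for eth1 is simply not reachable from the internal side.
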

LABEL: ip_s_dhcpiface
SHORT_EXP: "List the names of any interfaces this machine will need to make DHCP
_queries_ on to configure _its own_ interfaces. For example, a cable modem user with a
single ethernet interface might need to set this to \"eth0\".

Systems that use regular PPP modem dialups may leave this blank.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "Interfaces for DHCP queries: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_ntpsrv
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_ntpsrv
NO_CHILD:
PROPER_PARENT: ip_s_rejectmethod

LABEL: ip_s_ntpsrv
SHORT_EXP: "If you want to query NTP time servers to synchronize your system time,
enter IP addresses or networks for those servers here. If you don't intend to make NTP
queries, leave this as the empty default.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
LONG_EXP: "If you want to query NTP time servers to synchronize your system time,
enter IP addresses or networks for those servers here. If you don't intend to make NTP
queries, leave this as the empty default.

The same warnings about blocked UDP services and DNS servers apply here;
the hosts and networks you list here can connect to any high UDP port not explicitly
blocked.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "NTP servers to query: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_icmpout
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_icmpout
NO_CHILD:
PROPER_PARENT: ip_s_dhcpiface

LABEL: ip_s_icmpout
SHORT_EXP: "Do you want to disable any outbound ICMP types?  If you disable the types
listed in the default, your machine will not be visible to normal traceroute probes
from hosts on your \"public\" interfaces."
LONG_EXP: "Do you want to disable any outbound ICMP types?  If you disable the types
listed in the default, your machine will not be visible to normal traceroute probes
from hosts on your \"public\" interfaces.

\"destination-unreachable\" is (ab)used by the traceroute program to check
routing to individual hosts. "
QUESTION: "ICMP types to disallow outbound: [destination-unreachable time-exceeded]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_enable_firewall
DEFAULT_ANSWER: destination-unreachable time-exceeded
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_enable_firewall
NO_CHILD:
PROPER_PARENT: ip_s_ntpsrv

LABEL: ip_b_dns
SHORT_EXP: "This controls what external servers you can use for DNS lookups. For
regular workstations, this should contain all your name server addresses, separated by
spaces. If you want to run a caching name server and/or run your own DNS, leave this at
\"0.0.0.0/0\" so you can query any DNS server. If you set this to an empty value, the
firewall script will read the current name servers from /etc/resolv.conf when it is
run, which is the recommended configuration. This default is designed to ensure
functionality.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
LONG_EXP: "This controls what external servers you can use for DNS lookups. For
regular workstations, this should contain all your name server addresses, separated by
spaces. If you want to run a caching name server and/or run your own DNS, leave this at
\"0.0.0.0/0\" so you can query any DNS server. If you set this to an empty value, the
firewall script will read the current name servers from /etc/resolv.conf when it is
run, which is the recommended configuration. This default is designed to ensure
functionality.

DNS servers are used to translate names like \"example.org\" into addresses
like \"10.1.2.3\". You need to configure DNS for many pieces of software to function
properly. Your system administrator or Internet Service Provider should be able to
provide you with this information. Most users should simply leave this at
\"0.0.0.0/0\" (or make it blank) so the firewall script will be more forgiving (or do
the right thing automatically). For instance, DHCP clients often re-write
/etc/resolv.conf when obtaining a new lease. (This means you may want to configure
your system to run the firewall script both before _and_ after setting up your
DHCP-configured interface if you set this to the safest value, an empty string.)

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "DNS Servers: [0.0.0.0/0]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_trustiface
DEFAULT_ANSWER: 0.0.0.0/0
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_trustiface
NO_CHILD:
PROPER_PARENT: ip_advnetwork

LABEL: ip_b_trustiface
DEFAULT_ANSWER: lo
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_publiciface
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_publiciface
NO_CHILD:
PROPER_PARENT: ip_b_dns

LABEL: ip_b_publiciface
SHORT_EXP: "List names of all interfaces connected to public/untrusted networks. The
\"+\" character is a wildcard, e.g. \"ppp+\" matches any interface name beginning with
\"ppp\" in case you have multiple dialup profiles."
LONG_EXP: "List names of all interfaces connected to public/untrusted networks. The
\"+\" character is a wildcard, e.g. \"ppp+\" matches any interface name beginning with
\"ppp\" in case you have multiple dialup profiles.

Using the \"+\" suffix allows you to configure more interfaces (for
instance, more PPP dialup entries) without having to modify the firewall script. "
QUESTION: "Public interfaces: [eth+ ppp+ slip+]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_internaliface
DEFAULT_ANSWER: eth+ ppp+ slip+
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_internaliface
NO_CHILD:
PROPER_PARENT: ip_b_dns

LABEL: ip_b_internaliface
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_tcpaudit
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_tcpaudit
NO_CHILD:
PROPER_PARENT: ip_b_publiciface

LABEL: ip_b_tcpaudit
SHORT_EXP: "List any TCP-based services (name or port number) for which you want the
kernel to log connection attempts from the \"public\" interfaces."
LONG_EXP: "List any TCP-based services (name or port number) for which you want the
kernel to log connection attempts from the \"public\" interfaces.

If you have \"syslog\" configured to log \"kern\" messages of \"info\"
level, the kernel will automatically log connection attempts from the \"public\"
interfaces (only the \"public\" interfaces) to these ports and/or services. This is
useful to spot possible probes or attacks. The default setting records connection
attempts to several services, although you may not have them installed or enabled. "
QUESTION: "TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_udpaudit
DEFAULT_ANSWER: telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_udpaudit
NO_CHILD:
PROPER_PARENT: ip_b_publiciface

LABEL: ip_b_udpaudit
SHORT_EXP: "List any UDP-based services (name or port number) for which you want the
kernel to log connection attempts from the \"public\" interfaces.  The default here is
port 31337, the standard port for the infamous \"Back Orifice\" trojan/remote-control
app for Windows systems."
LONG_EXP: "List any UDP-based services (name or port number) for which you want the
kernel to log connection attempts from the \"public\" interfaces.  The default here is
port 31337, the standard port for the infamous \"Back Orifice\" trojan/remote-control
app for Windows systems.

While attackers probing for Back Orifice may not pose a threat to your
Linux system, logging their attempts helps identify the \"bad guys\". "
QUESTION: "UDP services to audit: [31337]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_icmpaudit
DEFAULT_ANSWER: 31337
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_icmpaudit
NO_CHILD:
PROPER_PARENT: ip_b_tcpaudit

LABEL: ip_b_icmpaudit
SHORT_EXP: "List any ICMP types that you want the kernel to log when they arrive on
the \"public\" interfaces.  Specify these as ICMP type names, not numbers. One example
is \"echo-request\", which is used by Microsoft ping and tracert [sic] clients."
QUESTION: "ICMP services to audit: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_publictcp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_publictcp
NO_CHILD:
PROPER_PARENT: ip_b_udpaudit

LABEL: ip_b_publictcp
SHORT_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"public\" interfaces. Typical workstations will not want to make any services
available, though admins may want to enable something like secure shell (default port: 22) for
remote administration. Those running caching or \"real\" DNS servers on this machine
will want to enable domain (or port 53). If you want to make FTP available to clients
on the \"public\" interfaces, you will want to allow the range of ports used
for \"passive\" FTP connections."
LONG_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"public\" interfaces. Typical workstations will not want to make any services
available, though admins may want to enable something like secure shell (default port: 22) for
remote administration. Those running caching or \"real\" DNS servers on this machine
will want to enable domain (or port 53). If you want to make FTP available to clients
on the \"public\" interfaces and are using kernel 2.2/ipchains, you will want to allow
the range of ports used for \"passive\" FTP connections.

You will need to list the names or port numbers of any services running on
this machine that you want hosts on the \"public\" network to access. For instance, if
you have a local Web server you want to share, add \"80\" for the normal HTTP port.
Not doing so means you will be able to access the service locally, but \"public\"
hosts will not."
QUESTION: "TCP service names or port numbers to allow on public interfaces: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_publicudp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_publicudp
NO_CHILD:
PROPER_PARENT: ip_b_icmpaudit

LABEL: ip_b_publicudp
SHORT_EXP: "List names or port numbers on which to accept UDP connection attempts from
the \"public\" interfaces. Again, typical workstations will not want to make any
services available, but if you're running caching or real DNS servers, you will need
to enable domain (port 53)."
QUESTION: "UDP service names or port numbers to allow on public interfaces: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_passiveftp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_internaltcp
NO_CHILD:
PROPER_PARENT: ip_b_publictcp

LABEL: ip_b_internaltcp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_internaludp
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_internaludp
NO_CHILD:
PROPER_PARENT: ip_b_publicudp

LABEL: ip_b_internaludp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_passiveftp
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_passiveftp
NO_CHILD:
PROPER_PARENT: ip_b_publicudp

LABEL: ip_b_passiveftp
SHORT_EXP: "This has nothing to do with whether you are running an FTP _server_ on
this machine; this has to do with how clients running on this machine will talk to
_other_ machines running FTP servers reachable through the \"public\" interfaces. By
forcing your local FTP clients to use \"passive\" mode, you will not have to be as
cautious about blocking specific \"high\" TCP services. Set to \"Y\" to force
\"passive\" FTP; the default \"N\" will allow you to use normal, \"active\" FTP.
Forcing passive mode (\"Y\") is recommended, but less convenient.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
LONG_EXP: "This has nothing to do with whether you are running an FTP _server_ on
this machine; this has to do with how clients running on this machine will talk to
_other_ machines running FTP servers reachable through the \"public\" interfaces. By
forcing your local FTP clients to use \"passive\" mode, you will not have to be as
cautious about blocking specific \"high\" TCP services. Set to \"Y\" to force
\"passive\" FTP; the default \"N\" will allow you to use normal, \"active\" FTP.
Forcing passive mode (\"Y\") is recommended, but less convenient.

Forcing passive FTP will make using some FTP clients more of a hassle, as
you may need to manually tell them to use passive mode, but many clients such as
Netscape Navigator have no problem with passive FTP. If you have problems with FTP,
this is the first place to look.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "Force passive mode? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: N
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_tcpblock
NO_CHILD: ip_b_tcpblock
PROPER_PARENT: ip_b_publicudp

LABEL: ip_b_tcpblock
SHORT_EXP: "Specify TCP services to block.  These rules take effect _after_ the TCP
services to make public. If you allow the use of \"active\" FTP clients
(FORCE_PASV_FTP at its default of \"0\"), you will need to be careful here, and will
want to make sure you block all TCP services listening on high ports. If you are
forcing \"passive\" FTP, you may ignore this setting.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
LONG_EXP: "Specify TCP services to block.  These rules take effect _after_ the TCP
services to make public. If you allow the use of \"active\" FTP clients
(FORCE_PASV_FTP at its default of \"0\"), you will need to be careful here, and will
want to make sure you block all TCP services listening on high ports. If you are
forcing \"passive\" FTP, you may ignore this setting.

We have listed the services we have observed. To be more cautious, you
should look at the output of 'lsof -i' (run as root) once the system is up and all
services are running.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "TCP services to block: [2049 2065:2090 6000:6020 7100]"
DEFAULT_ANSWER: 2049 2065:2090 6000:6020 7100
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_udpblock
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_udpblock
NO_CHILD:
PROPER_PARENT: ip_b_passiveftp

LABEL: ip_b_udpblock
SHORT_EXP: "Specify UDP services to block.  As with the TCP services, the UDP services
to make public will take precedence. The high UDP services that you do not block will
be reachable by any allowed NTP or DNS server. Sites with more such \"high UDP\"
services, or global DNS availability (as is the default, DNS_SERVERS=\"0.0.0.0/0\"),
will want to be sure they have all such high UDP services listed.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "UDP services to block: [2049 6770]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_icmpallowed
DEFAULT_ANSWER: 2049 6770
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_icmpallowed
NO_CHILD:
PROPER_PARENT: ip_b_tcpblock

LABEL: ip_b_icmpallowed
SHORT_EXP: "Specify the ICMP allowed types.  The default suggestion allows you to
probe other hosts with ping and traceroute. Minimally you will need to allow
\"destination-unreachable\"."
LONG_EXP: "Specify the ICMP allowed types.  The default suggestion allows you to
probe other hosts with ping and traceroute. Minimally you will need to allow
\"destination-unreachable\".

\"destination-unreachable\" lets other machines' servers tell your system
when things aren't right; don't disable this unless you really know what you're
getting into. If you don't allow \"echo-reply\" and \"time-exceeded\", you won't be
able to use ping and traceroute to debug issues on the \"public\" networks. "
QUESTION: "ICMP allowed types: [destination-unreachable echo-reply time-exceeded]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_srcaddr
DEFAULT_ANSWER: destination-unreachable echo-reply time-exceeded
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_srcaddr
NO_CHILD:
PROPER_PARENT: ip_b_udpblock

LABEL: ip_b_srcaddr
SHORT_EXP: "Do you want to enable source address verification? This configures the
kernel to block traffic likely to have spoofed IP addresses. Set to \"N\" to disable.
The default (\"Y\") is highly recommended."
LONG_EXP: "Do you want to enable source address verification? This configures the
kernel to block traffic likely to have spoofed IP addresses. Set to \"N\" to disable.
The default (\"Y\") is highly recommended.

This is a standard, and highly recommended, precaution. "
QUESTION: "Enable source address verification? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: Y
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_ipmasq
NO_CHILD: ip_b_ipmasq
PROPER_PARENT: ip_b_icmpallowed

LABEL: ip_b_ipmasq
DEFAULT_ANSWER:
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_kernelmasq
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_kernelmasq
NO_CHILD:
PROPER_PARENT: ip_b_srcaddr

LABEL: ip_b_kernelmasq
DEFAULT_ANSWER: ftp raudio vdolive
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_rejectmethod
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_rejectmethod
NO_CHILD:
PROPER_PARENT: ip_b_srcaddr

LABEL: ip_b_rejectmethod
SHORT_EXP: "You need to set how the kernel rejects blocked traffic. \"REJECT\" is
friendly, lets the remote host know you're blocking their attempt (and can therefore
be used to prove you're on the network). \"DENY\" is unfriendly, simply drops the
connection attempt, leaving the remote host to wait, and probably give up after some
time."
LONG_EXP: "You need to set how the kernel rejects blocked traffic. \"REJECT\" is
friendly, lets the remote host know you're blocking their attempt (and can therefore
be used to prove you're on the network). \"DENY\" is unfriendly, simply drops the
connection attempt, leaving the remote host to wait, and probably give up after some
time.

There's no definite right answer here. You will probably not be
_completely_ invisible, even if you choose \"DENY\", but with \"DENY\" and _no_ public
services, you will not be visible to casual probes. "
QUESTION: "Reject method: [DENY]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_dhcpiface
DEFAULT_ANSWER: DENY
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_dhcpiface
NO_CHILD:
PROPER_PARENT: ip_b_srcaddr

LABEL: ip_b_dhcpiface
SHORT_EXP: "List the names of any interfaces this machine will need to make DHCP
_queries_ on to configure _its own_ interfaces. For example, a cable modem user with a
single ethernet interface might need to set this to \"eth0\".

Systems that use regular PPP modem dialups may leave this blank.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "Interfaces for DHCP queries: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_ntpsrv
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_ntpsrv
NO_CHILD:
PROPER_PARENT: ip_b_rejectmethod

LABEL: ip_b_ntpsrv
SHORT_EXP: "If you want to query NTP time servers to synchronize your system time,
enter IP addresses or networks for those servers here. If you don't intend to make NTP
queries, leave this as the empty default.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
LONG_EXP: "If you want to query NTP time servers to synchronize your system time,
enter IP addresses or networks for those servers here. If you don't intend to make NTP
queries, leave this as the empty default.

The same warnings about blocked UDP services and DNS servers apply here;
the hosts and networks you list here can connect to any high UDP port not explicitly
blocked.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "NTP servers to query: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_icmpout
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_icmpout
NO_CHILD:
PROPER_PARENT: ip_b_dhcpiface
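
The rule precedence these ip_b_* questions describe (audit logging on public interfaces only, public services before the block lists, listed DNS/NTP servers reaching unblocked high UDP ports, active FTP reaching unblocked high TCP ports, allowed ICMP types, REJECT versus DENY), as an added example written for this page rather than the bastille-firewall script's own code. The SERVICES table, the source-port keying of the DNS (53), NTP (123) and active-FTP data (20) allowances, and the 1024 high-port boundary are assumptions not stated in the help text.

```python
"""Model of the inbound filtering described by the ip_b_* questions.

Added example, not the bastille-firewall script itself. It evaluates one
inbound packet against the answers the way the help text describes them:
audit logging only on public interfaces, public services accepted before the
block lists, listed DNS/NTP servers reaching any unblocked high UDP port,
active-FTP data connections reaching unblocked high TCP ports, the allowed
ICMP types, and the REJECT/DENY reject method.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Constructed name table; the real script resolves names via /etc/services.
SERVICES = {"ftp": 21, "ssh": 22, "telnet": 23, "domain": 53, "finger": 79,
            "linuxconf": 98, "pop3": 110, "sunrpc": 111, "imap": 143,
            "exec": 512, "login": 513}

def port_set(spec):
    """Expand an answer such as 'ssh 2049 6000:6020' into a set of port numbers."""
    ports = set()
    for item in spec.split():
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(SERVICES[item] if item in SERVICES else int(item))
    return ports

def iface_matches(name, patterns):
    """'+' is the interface wildcard: 'ppp+' matches ppp0, ppp12, ..."""
    return any(fnmatchcase(name, p.replace("+", "*")) for p in patterns.split())

def addr_in(addr, nets):
    """True if addr is in any listed host or network (an empty answer matches nothing)."""
    return any(ip_address(addr) in ip_network(n, strict=False) for n in nets.split())

@dataclass
class Answers:
    """Field defaults are the default answers from the questions above."""
    public_ifaces: str = "eth+ ppp+ slip+"
    dns_servers: str = "0.0.0.0/0"
    ntp_servers: str = ""
    tcp_audit: str = "telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
    udp_audit: str = "31337"
    public_tcp: str = ""
    public_udp: str = ""
    force_passive_ftp: bool = False
    tcp_block: str = "2049 2065:2090 6000:6020 7100"
    udp_block: str = "2049 6770"
    icmp_allowed: str = "destination-unreachable echo-reply time-exceeded"
    reject_method: str = "DENY"

def decide(a, iface, proto, src, dport=None, sport=None, icmp_type=None):
    """Return (logged, verdict) for one inbound packet; verdict is ACCEPT,
    REJECT (the sender is told) or DENY (silently dropped)."""
    if not iface_matches(iface, a.public_ifaces):
        return False, "ACCEPT"            # internal/trusted side: not filtered here
    if proto == "icmp":
        allowed = icmp_type in a.icmp_allowed.split()
        return False, "ACCEPT" if allowed else a.reject_method
    audit = a.tcp_audit if proto == "tcp" else a.udp_audit
    logged = dport in port_set(audit)     # the attempt is logged whatever the verdict
    public = a.public_tcp if proto == "tcp" else a.public_udp
    if dport in port_set(public):
        return logged, "ACCEPT"           # public services win over the block lists
    block = a.tcp_block if proto == "tcp" else a.udp_block
    if dport >= 1024 and dport not in port_set(block):
        # Assumption: server replies are recognised by source port (53 for DNS,
        # 123 for NTP, 20 for active-FTP data); the help text names only addresses.
        if proto == "udp" and ((sport == 53 and addr_in(src, a.dns_servers))
                               or (sport == 123 and addr_in(src, a.ntp_servers))):
            return logged, "ACCEPT"
        if proto == "tcp" and sport == 20 and not a.force_passive_ftp:
            return logged, "ACCEPT"
    return logged, a.reject_method
```

With the default DNS_SERVERS of 0.0.0.0/0, `decide` accepts a UDP packet from any address to any unblocked high port, which is the case the UDP-block and NTP questions warn about; narrowing dns_servers to the real resolver closes it.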

LABEL: ip_b_icmpout
SHORT_EXP: "Do you want to disable any outbound ICMP types?  If you disable the types
listed in the default, your machine will not be visible to normal traceroute probes
from hosts on your \"public\" interfaces."
LONG_EXP: "Do you want to disable any outbound ICMP types?  If you disable the types
listed in the default, your machine will not be visible to normal traceroute probes
from hosts on your \"public\" interfaces.

\"destination-unreachable\" is (ab)used by the traceroute program to check
routing to individual hosts. "
QUESTION: "ICMP types to disallow outbound: [destination-unreachable time-exceeded]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_enable_firewall
DEFAULT_ANSWER: destination-unreachable time-exceeded
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_enable_firewall
NO_CHILD:
PROPER_PARENT: ip_b_ntpsrv

LABEL: ip_enable_firewall
SHORT_EXP: "The firewall is controlled by /etc/rc.d/init.d/bastille-firewall.  The
configuration file is /etc/Bastille/bastille-firewall.cfg, which you may modify.
After it has been installed, you can then test the firewall by using
      /etc/rc.d/init.d/bastille-firewall start
and (to remove all firewall rules)
      /etc/rc.d/init.d/bastille-firewall stop

Once you have a configuration that will work on your system, you can make it
run at every normal boot-up by typing
      /sbin/chkconfig --add bastille-firewall
      /sbin/chkconfig bastille-firewall reset

If you are confident of your selections, Bastille can start the firewall
and configure it to run at boot time for you.

** It is strongly recommended that you answer N if you are not logged in to
   the system's console, as your network access may be blocked by the firewall. **"
QUESTION: "Should Bastille run the firewall and enable it at boot time? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
DEFAULT_ANSWER: N
YES_CHILD: psad_config
NO_CHILD: psad_config
PROPER_PARENT: ip_advnetwork

FILE: PSAD.pm

LABEL: psad_config
SHORT_EXP: "Bundled with Bastille is the Port Scan Attack Detector (PSAD), which
analyzes information gathered in firewall logs to determine whether or not someone
is scanning your machine.  Psad features a set of flexible thresholds (with sensible
defaults provided) that are used to define what constitutes a port scan, detection
for advanced port scans (SYN, FIN, Xmas) that are easily leveraged against a machine
via nmap, email alerts that contain the source and destination IP addresses, the
range of scanned ports, begin and end times, TCP flags set in the scanning packets
(2.4.x kernels only), reverse DNS and whois information, and more.

NOTE: For psad to be effective, the firewall must be active."
QUESTION: "Would you like to set up PSAD?"
REQUIRE_DISTRO: LINUX
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
DEFAULT_ANSWER: N
YES_EXP:
NO_EXP:
YES_CHILD: psad_check_interval
NO_CHILD: End_Screen
SKIP_CHILD: End_Screen
PROPER_PARENT: ip_advnetwork

LABEL: psad_check_interval
SHORT_EXP: "This controls how often psad checks for packets that have been denied by
the firewall. A good default is 15 seconds.

It is important not to set this value too high, because psad alerts are sent when the
interval ends and you want to learn that your machine is being scanned as quickly as
possible.  Setting the value too low, on the other hand, can make psad generate alerts
rapidly and use much of your system's resources if your machine is subjected to a
high-traffic scan."
QUESTION: "psad check interval: [15]"
REQUIRE_DISTRO: LINUX
DEFAULT_ANSWER: 15
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: psad_port_range_scan_threshold
NO_CHILD: psad_port_range_scan_threshold
PROPER_PARENT: psad_config

LABEL: psad_port_range_scan_threshold
SHORT_EXP: "Psad has been designed to allow the administrator to define what network
traffic constitutes a port scan. This value determines a minimum range of ports that
must be scanned from interval to interval before an alert will be sent.  For example,
if this value is set to 0, psad will consider that multiple packets to the same port
qualify as a port scan. However if this value is set to 10 then there must be a
difference of 10 ports in a scan before psad considers it as such.

The default is 1 which means that unless at least two ports are scanned psad will
ignore the traffic. This also implies that multiple packets sent to the same port do
not qualify as a port scan."
QUESTION: "Port range scan threshold: [1]"
REQUIRE_DISTRO: LINUX
DEFAULT_ANSWER: 1
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: psad_enable_persistence
NO_CHILD: psad_enable_persistence
PROPER_PARENT: psad_check_interval

LABEL: psad_enable_persistence
SHORT_EXP: "Detecting port scans is all about setting thresholds for the number of
ports scanned within a fixed period of time. Hence, an attacker can try to slip beneath
the threshold by using a long time interval (hours or even days) between scanning each
port on a target machine. Setting this value to Y will configure psad to keep a
summary of all scanned ports indefinitely in memory for each IP so that port scans
do not expire over time.

The default is N, since most scans are easily recognizable within a short time interval,
which is configured in the next question if you leave this value as N."
QUESTION: "Enable scan persistence?"
REQUIRE_DISTRO:  LINUX
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
DEFAULT_ANSWER: N
YES_EXP:
NO_EXP:
YES_CHILD: psad_show_all_signatures
NO_CHILD: psad_scan_timeout
SKIP_CHILD: psad_scan_timeout
PROPER_PARENT: psad_port_range_scan_threshold

LABEL: psad_scan_timeout
SHORT_EXP: "This will allow you to define the length of time psad considers data about
a port scan or potential port scan to be important. If this length of time passes after
an initial port scan is detected, the IP from which the scan originated is purged from
psad's memory along with the scan data.

The default is 3600 seconds (one hour)."
QUESTION: "Scan timeout: [3600]"
REQUIRE_DISTRO: LINUX
DEFAULT_ANSWER: 3600
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: psad_show_all_signatures
NO_CHILD: psad_show_all_signatures
PROPER_PARENT: psad_enable_persistence

LABEL: psad_show_all_signatures
SHORT_EXP: "Psad makes use of many TCP and UDP signatures included with the Snort
Intrusion Detection System to detect scans for various back doors and/or trojans (Back
Orifice, SubSeven, etc.), DDoS tools (mstream, shaft) and advanced port scans (SYN,
FIN, XMAS, NULL). Over the course of a scan psad keeps track of all signatures that
have been matched, and if this value is set to Y, all matched signatures will be
printed with every alert email instead of just the most recently matched ones.

The default is N, since the email will already contain the most recently matched
signatures."
QUESTION: "Show all scan signatures?"
REQUIRE_DISTRO: LINUX
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
DEFAULT_ANSWER: N
YES_EXP:
NO_EXP:
YES_CHILD: psad_danger_levels
NO_CHILD: psad_danger_levels
PROPER_PARENT: psad_scan_timeout

LABEL: psad_danger_levels
SHORT_EXP: "As port scans are detected by psad they are assigned a danger level from
1 to 5 based on the number of packets and whether they match a specific signature
(iptables only).

The default number of packets for each danger level is as follows:
Danger Level 1 = 5 packets
Danger Level 2 = 50 packets
Danger Level 3 = 1000 packets
Danger Level 4 = 5000 packets
Danger Level 5 = 10000 packets"
QUESTION: "Danger Levels: [5 50 1000 5000 10000]"
REQUIRE_DISTRO: LINUX
DEFAULT_ANSWER: 5 50 1000 5000 10000
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: psad_email_alert_addresses
NO_CHILD: psad_email_alert_addresses
PROPER_PARENT: psad_show_all_signatures

LABEL: psad_email_alert_addresses
SHORT_EXP: "Psad supports sending email alerts to multiple email addresses. You can
specify as many email addresses as you like; just enter them one right after another
without any commas.

The default email address is root@localhost."
QUESTION: "Email addresses: [root@localhost]"
REQUIRE_DISTRO: LINUX
DEFAULT_ANSWER: root@localhost
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: psad_email_alert_danger_level
NO_CHILD: psad_email_alert_danger_level
PROPER_PARENT: psad_danger_levels

LABEL: psad_email_alert_danger_level
SHORT_EXP: "Psad can be configured to send an email alert for a scan only after the
scan has reached a certain danger level. For example, if you don't want psad to alert
you about a scan until it has reached the highest danger level (5), then you would set
this value to 5.

The default danger level is 1."
QUESTION: "Email alert danger level: [1]"
REQUIRE_DISTRO: LINUX
DEFAULT_ANSWER: 1
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: psad_alert_all
NO_CHILD: psad_alert_all
PROPER_PARENT: psad_email_alert_addresses

LABEL: psad_alert_all
SHORT_EXP: "Throughout the course of a scan, new packets may be sent to your machine
that don't trip the next danger threshold, and hence psad will not alert you about them
unless this value is set to Y.

The default is Y since once a scan reaches the threshold assigned in the previous
section you will probably want as much information on it as psad can produce."
QUESTION: "Alert on all new packets?"
REQUIRE_DISTRO: LINUX
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
DEFAULT_ANSWER: Y
YES_EXP:
NO_EXP:
YES_CHILD: psad_enable_auto_ids
NO_CHILD: psad_enable_auto_ids
PROPER_PARENT: psad_email_alert_danger_level

LABEL: psad_enable_auto_ids
SHORT_EXP: "Psad has the capability of automatically blocking any IP address that
has scanned your machine if the scan trips a certain threshold. WARNING: This feature
has the potential to create the ability for anyone to commit a Denial of Service
against your machine/network and cause psad to block all access to any website of the
attacker's choosing. For example, suppose that an attacker wants to make psad block
access to www.yahoo.com. Then all the attacker would need to do is spoof a port scan
from www.yahoo.com's IP address(es) and make sure the scan is comprehensive enough to
trip the automatic blocking threshold.

The default is N for the reason given above, but if the requirements for your site
outweigh this possibility then answering Y will enable the automatic blocking
feature and the next section will ask you to define a corresponding danger
threshold."
QUESTION: "Enable automatic blocking of scanning IPs?"
REQUIRE_DISTRO: LINUX
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
DEFAULT_ANSWER: N
YES_EXP:
NO_EXP:
YES_CHILD: psad_auto_ids_danger_level
NO_CHILD: psad_enable_at_boot
SKIP_CHILD: psad_enable_at_boot
PROPER_PARENT: psad_alert_all

LABEL: psad_auto_ids_danger_level
SHORT_EXP: "This controls at what danger level a scan must reach before it is
automatically blocked by psad. Normally this value should be set to a relatively high
value so that only IP addresses that leverage really comprehensive scans will be
blocked.

The default danger level is 5."
QUESTION: "Auto blocking danger level: [5]"
REQUIRE_DISTRO: LINUX
DEFAULT_ANSWER: 5
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: psad_enable_at_boot
NO_CHILD: psad_enable_at_boot
PROPER_PARENT: psad_enable_auto_ids
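
How the psad thresholds from the questions above (port range scan threshold, scan timeout and persistence, danger levels, email alert level, alert-all, automatic blocking level) combine, as an added example that is not psad's own code: a Python model that ingests constructed iptables LOG lines, as the firewall's audit and block rules would write them, and decides per source address whether to email and whether to block. The log line format, the reading of the scan timeout as idle time since the source's last packet, and blocking a source only once are assumptions.

```python
"""Psad-style scan scoring over kernel firewall log lines.

Added example, not psad's own code: a model of how the thresholds from the
psad_* questions (port range scan threshold, scan timeout / persistence, danger
levels, email alert level, alert-all, auto-block level) combine when applied to
the lines the firewall's audit and block rules log. Timestamps are epoch seconds;
log lines are constructed samples in iptables LOG format (IN= SRC= PROTO= DPT=).
"""
import re
from dataclasses import dataclass, field

LOG_RE = re.compile(r"IN=(?P<iface>\S*) .*SRC=(?P<src>\S+) .*PROTO=(?P<proto>\S+) .*DPT=(?P<dport>\d+)")

@dataclass
class PsadConfig:
    """Defaults are the default answers from the psad_* questions."""
    port_range_scan_threshold: int = 1
    enable_persistence: bool = False
    scan_timeout: int = 3600
    danger_levels: tuple = (5, 50, 1000, 5000, 10000)
    email_alert_danger_level: int = 1
    alert_all: bool = True
    enable_auto_ids: bool = False
    auto_ids_danger_level: int = 5

@dataclass
class SourceState:
    last_seen: int
    packets: int = 0
    ports: set = field(default_factory=set)
    reported_packets: int = 0   # packet count at the last email (for alert_all)
    reported_level: int = 0     # highest danger level already emailed
    blocked: bool = False

def danger_level(packets, levels):
    """Number of danger-level packet thresholds reached (0 = below level 1)."""
    return sum(1 for threshold in levels if packets >= threshold)

def is_port_scan(ports, threshold):
    """Port range rule from the help text: the spread of distinct ports must
    reach the threshold, so 1 needs two ports and 0 accepts a single port."""
    return max(ports) - min(ports) >= threshold

class PsadModel:
    def __init__(self, cfg=None):
        self.cfg = cfg or PsadConfig()
        self.sources = {}           # source address -> SourceState

    def ingest(self, ts, line):
        """Record one logged packet; returns False for lines that are not LOG output."""
        m = LOG_RE.search(line)
        if not m:
            return False
        st = self.sources.setdefault(m["src"], SourceState(ts))
        st.packets, st.last_seen = st.packets + 1, ts
        st.ports.add(int(m["dport"]))
        return True

    def check(self, now):
        """One pass at the end of a check interval; returns a list of
        (src, action, danger_level) with action EMAIL or BLOCK."""
        cfg, actions = self.cfg, []
        for src, st in list(self.sources.items()):
            # Assumption: the timeout is idle time since the source's last packet.
            if not cfg.enable_persistence and now - st.last_seen > cfg.scan_timeout:
                del self.sources[src]
                continue
            if not is_port_scan(st.ports, cfg.port_range_scan_threshold):
                continue
            level = danger_level(st.packets, cfg.danger_levels)
            if level >= cfg.email_alert_danger_level and (
                    level > st.reported_level
                    or (cfg.alert_all and st.packets > st.reported_packets)):
                actions.append((src, "EMAIL", level))
                st.reported_level, st.reported_packets = level, st.packets
            # Blocking keys on the logged source address, which the help text
            # warns can be spoofed: hence off by default and a high level.
            if cfg.enable_auto_ids and not st.blocked and level >= cfg.auto_ids_danger_level:
                st.blocked = True
                actions.append((src, "BLOCK", level))
        return actions

def demo():
    """Constructed sample: one host sweeps ports 22-27, another hits 22 once."""
    model = PsadModel()
    for i, port in enumerate(range(22, 28)):
        model.ingest(1000 + i, f"kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={port} SYN")
    model.ingest(1010, "kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN")
    return model.check(1015)   # [('203.0.113.5', 'EMAIL', 1)]
```

The single hit on port 22 never qualifies with the default threshold of 1, while the six-port sweep reaches danger level 1 (five packets) and is emailed; raising port_range_scan_threshold to 10 would require a spread of ten ports before the sweep counts at all.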

LABEL: psad_enable_at_boot
SHORT_EXP: "The Port Scan Attack Detector is controlled by a standard Sys V style
init script, /etc/rc.d/init.d/psad.  To start the psad daemons, simply execute
        /etc/rc.d/init.d/psad start
and to stop psad, execute
        /etc/rc.d/init.d/psad stop

Bastille can configure your system to start psad at boot time by executing
        chkconfig psad on."
QUESTION: "Should Bastille enable psad at boot time? [N]"
REQUIRE_DISTRO: LINUX
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
DEFAULT_ANSWER: N
YES_CHILD: End_Screen
NO_CHILD: End_Screen
PROPER_PARENT: psad_enable_auto_ids


