FILE: Patches.pm

LABEL: spc_run
SHORT_EXP: "Patching known security vulnerabilities is one of the most
important steps in securing a system.  Security Patch Check is
a tool which will analyze the software installed on this system.  It will
report if any relevant security patches have been announced by Hewlett
Packard that are not currently installed on this system.  Bastille has
detected that this tool is installed.  The output of running this tool
will be appended to a file and referenced by Bastille's generated TODO list
so you can apply the necessary patches.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
LONG_EXP: "Patching known security vulnerabilities is one of the most
important steps in securing a system.  Security Patch Check is
a tool which will analyze the software installed on this system.  When
Security Patch Check runs, it will report several types of
problems.  It will (1) report any patches which are installed on the system
but have had warnings (recalls) issued by HP, (2) report any security patches
announced by Hewlett Packard that fix software installed on the system but
have not yet been applied, and (3) report if any currently installed patches
are not in the proper, \"configured\" state.  Security Patch Check can
download an up-to-date catalog from HP with security and patch-warning
information.  It can also work through a proxy-type firewall.  This tool
will only report patches; it will not indicate manual actions described in
HP Security Bulletins/Advisories.
Also, security patches require vigilance, since new vulnerabilities are
found and fixed on a regular basis.  It is recommended that this tool be
run frequently, such as in a cron job each night (A separate question
will cover this).  It is also recommended that you subscribe to the HP
Security Bulletin mailing list.

The output of running this tool will be appended to Bastille's generated
TODO list so that you can apply the necessary patches.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Should Bastille run Security Patch Check for you?"
DEFAULT_ANSWER: "Y"
NO_CHILD: spc_cron_norun
YES_CHILD: spc_cron_run
SKIP_CHILD: spc_cron_norun
YN_TOGGLE: 1
REQUIRE_DISTRO: HP-UX11.00 HP-UX11.11
REQUIRE_FILE_EXISTS: spc
REG_EXP: "^Y$|^N$"
PROPER_PARENT: Title_Screen

LABEL: spc_cron_run
SHORT_EXP: "Bastille can configure Security Patch Check to run on a daily
basis using cron.  Keeping a system secure requires constant
vigilance.  Staying up-to-date on patches issued by Hewlett Packard is
critical, and Security Patch Check is the easiest way to make sure
this system's patches are up-to-date.  In addition, a subscription to
HP's security advisory mailing list is valuable for finding the latest security fixes
from HP, including both patched and manual fixes.  Note: this question is
asked whether or not you have Security Patch Check installed so
that Bastille can preconfigure cron to run the tool after you have
installed it.

You may also consider getting notified of all HP security bulletins by
going to http://www.itrc.hp.com and registering for them by clicking on
\"maintenance and support,\" then selecting \"support information
digests.\""
QUESTION: "Should Bastille set up a cron job to run Security Patch Check?"
DEFAULT_ANSWER: "Y"
YN_TOGGLE: 1
NO_CHILD: spc_proxy_yn
YES_CHILD: spc_cron_time
SKIP_CHILD: generalperms_1_1
REQUIRE_FILE_EXISTS: spc
REQUIRE_DISTRO: HP-UX
REG_EXP: "^Y$|^N$"
PROPER_PARENT: spc_run

LABEL: spc_cron_norun
SHORT_EXP: "Bastille can configure Security Patch Check to run daily
using cron.  Keeping a system secure requires constant vigilance.
Staying up-to-date on patches issued by Hewlett Packard is critical, and
Security Patch Check is the easiest way to make sure that this system's
patches are up-to-date.  In addition, a subscription to HP's security
advisory mailing list is valuable for finding the latest security fixes
from HP, including both patched and manual fixes.  Note: this question is
asked whether or not you have Security Patch Check installed so
that Bastille can preconfigure cron to run the tool after you have
installed it."
QUESTION: "Should Bastille set up a cron job to run Security Patch Check?"
YN_TOGGLE: 1
DEFAULT_ANSWER: "Y"
NO_CHILD: generalperms_1_1
YES_CHILD: spc_cron_time
SKIP_CHILD: generalperms_1_1
REQUIRE_DISTRO: HP-UX
REG_EXP: "^Y$|^N$"
PROPER_PARENT: spc_run

LABEL: spc_cron_time
SHORT_EXP: "Specify a number between 0 and 23, corresponding to the hour
in your time zone that is most convenient to run Security Patch Check."
LONG_EXP: "Specify a number between 0 and 23, corresponding to the hour
in your time zone that is most convenient to run Security Patch Check. 
For example, if you specify 0, Security Patch Check will run sometime
between 12:00am and 12:59am in your local time zone.  If you specify 23,
Security Patch Check will run some time between 11:00pm and 11:59pm.  You
can change this by running crontab -e as root.

See crontab(1)"
QUESTION: "During which hour would you like to schedule Security Patch Check?"
YN_TOGGLE: 0
DEFAULT_ANSWER:
EXPL_ANS: "11"
YES_CHILD: spc_proxy_yn
SKIP_CHILD: generalperms_1_1
REQUIRE_DISTRO: HP-UX
PROPER_PARENT: spc_run
REG_EXP: "^[0-9]$|^1[0-9]$|^2[0-3]$"

LABEL: spc_proxy_yn
SHORT_EXP: "If this machine is behind a proxy-type
firewall, Security Patch Check needs to be configured to traverse
that firewall.  For example, the proxy might be specified as
\"http://myproxy.mynet.com:8088\".  If this machine can ftp directly to
the Internet without a proxy, answer no to this question."
QUESTION:  "Does this machine require a proxy to ftp to the Internet?"
YN_TOGGLE: 1
DEFAULT_ANSWER: "N"
NO_CHILD: generalperms_1_1
YES_CHILD: spc_proxy
SKIP_CHILD: generalperms_1_1
REQUIRE_DISTRO: HP-UX
PROPER_PARENT: spc_run
REG_EXP: "^Y$|^N$"

LABEL: spc_proxy
SHORT_EXP:  "To use the auto-download feature of Security Patch Check
from behind a proxy type firewall, Security Patch Check needs to be
configured to traverse that firewall.

The URL for the proxy must be in the form

<protocol of firewall>://address:port

For example:
    http://myproxy.mynet.com:8088

A web proxy generally uses the http protocol.  This answer should
correspond closely to settings one would make in a web browser
to point to a proxy server, but use the above syntax.

If you asked Bastille to run Security Patch Check itself and/or in cron,
it will use this proxy value."
QUESTION:  "Please enter the URL for the web proxy."
YN_TOGGLE: 0
DEFAULT_ANSWER:
EXPL_ANS: "http://yourproxy.yournet.com:8088"
NO_CHILD: generalperms_1_1
YES_CHILD: generalperms_1_1
SKIP_CHILD: generalperms_1_1
REQUIRE_DISTRO: HP-UX
PROPER_PARENT: spc_proxy_yn
REG_EXP: "^http:\/\/.+\:.+$"

FILE: FilePermissions.pm

LABEL: generalperms_1_1
SHORT_EXP: "In general, the default file permissions set by most vendors are
fairly secure.  To make them more secure, though, you can
remove non-root user access to some administrator functions."
LONG_EXP: "In general, the default file permissions set by most vendors are
fairly secure.  To make them more secure, though, you can remove non-root
user access to some administrator functions.

If you choose this option, you'll be changing the permissions on
some common system administration utilities so that they're not readable or
executable by users other than root.  These utilities (which include linuxconf,
fsck, ifconfig, runlevel and portmap) are ones that most users should never
have a need to access.  This option will increase your system security, but
there's a chance it will inconvenience your users."
QUESTION: "Would you like to set more restrictive permissions on the
administration utilities? [N]"
REQUIRE_DISTRO: RH MN DB SE TB
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
DEFAULT_ANSWER: "N"
REG_EXP: "^Y$|^N$"
YES_CHILD: world_writeable
NO_CHILD: world_writeable
PROPER_PARENT: spc_run

LABEL: world_writeable
SHORT_EXP: "Bastille can scan your system for world-writeable directories,
including base OS, 3rd party applications, and user directories.
Bastille will then create a script which you can edit to suit your needs
and then run to tighten these permissions.

Changing the permissions of directories in this way has the potential to
break compatibility with some applications and requires testing in
your environment.

Note: The changes made by this script are NOT supported by HP.  They have
a low likelihood of breaking things in a single purpose environment, but
are known to break some applications in very subtle ways in a general purpose
environment (For example, applications which rely on unique process id's in
/tmp when run by different users may break when the process id's are recycled,
or programs which are run by different users but create logs in a common
directory may fail.  Other examples are listed in the long explanation.)

As you run the script, it will create a \"revert-directory-perms.sh\"
script which will allow you to revert to a supported state (independent of
the rest of the HP-UX Bastille configurations, which are supported). 
Running \'bastille -r\' will revert all bastille changes, including
running the revert-directory-perms.sh script.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
LONG_EXP: "Bastille can scan your system for world-writeable directories,
including base OS, 3rd party applications, and user directories.
Bastille will then create a script which you can edit to suit your needs
and then run to tighten these permissions.

Changing the permissions of directories in this way has the potential to
break compatibility with some applications and requires testing in
your environment.

Note: The changes made by this script are NOT supported by HP.  They have
a low likelihood of breaking things in a single purpose environment, but
are known to break some applications in very subtle ways in a general purpose
environment.  Here are some examples of known issues:

 - /tmp and /var/tmp having the sticky bit: applications which rely on unique
process id\'s in /tmp when run by different users may break when the process
id\'s are recycled (cleaning tmp directories regularly may alleviate this
problem)

 - Log directories (most of which are named with the word \"log\" in them): 
Programs which are run by different users but create and/or write logs in
a common directory may fail to log actions.  This includes GUI error logs
in some versions of HP-UX diagnostic tools.

 - \"cat\" directories such as those in /usr/share/man are used by the
\"man\" command to write pre-processed man pages.  Eliminating the
world-writeable bit will cause a degradation in performance because
the man page will have to be reformatted every time it is accessed.

 - Some directories may have incorrect owners and/or groups.  Eliminating
world-writeable permissions on these directories has no ill effect once the
owner/group is set properly.  For example, one problem with HP Openview
running without world-writeable directories was corrected by the following:

/usr/bin/chown root:sys /var/opt/OV/analysis/ovrequestd/config

This change has not been fully tested by the Openview team, but was shown
to work when tested in a limited, single-purpose environment by the HP-UX
Bastille development team.

 - Changing the permissions of the directory /var/obam/translated may have an
impact on non-root users viewing help in obam (the GUI library used by
swinstall, SAM, ServiceControl Manager, and others)

 - Eliminating the world-writeable permissions on socket directories has been
shown to stop the X server from operating properly.  However, setting the
sticky bit instead (what this script will do by default) did not have the
same effects.

 - There are several other directories which have world-writeable permissions.
Some of these are shipped with HP-UX, others are shipped with 3rd party
products, and others may have been created by users without an appropriate
umask set.  Bastille will help you find those directories so that you can
make appropriate decisions for your environment.  The full impact of making
these changes has not been analyzed.

As you run the script, it will create a \"revert-directory-perms.sh\"
script which will allow you to revert to a supported state (independent of
the rest of the HP-UX Bastille configurations, which are supported). 
Because of the potential for very subtle breakages, you should also keep
a record of any changes which you make manually to your system so that
you can revert them to help debug any problems which you run into.
Running \'bastille -r\' will revert all bastille changes, including
running the revert-directory-perms.sh script, but it may not revert
changes you have made manually.

The fact that a directory is world-writeable does not imply that a
vulnerability exists, because it depends on how the data stored in that
directory is used.  Still, it is a security best-practice to allow all users
to write to ONLY temporary directories, such as /tmp and /var/tmp, and to
set the \"sticky\" bit on those directories.  By default, the generated
script will set the \"sticky\" bit on all world-writeable directories.

If the \"sticky\" bit is set on a directory, only the file owner, directory
owner, and superuser are allowed to rename or delete (and thus replace)
the file, regardless of the group and world write permissions on the directory. 
The ownerships and permissions of the files and subdirectories in that
directory determine how those files and subdirectories can be modified,
respectively.  You can tell that the \"sticky\" bit is set if there is a
\"t\" in the last permissions column.  (e.g.: drwxrwxrwt).  Left unedited,
the created script will set the \"sticky\" bit on any world-writeable
directory.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
YES_EXP: "If you find a new security vulnerability in an HP product, you should
report it to security-alert@hp.com.   Please encrypt any exploit
information using the security-alert PGP key, available from your local
key server, or by sending a message with a -subject- (not body) of 'get
key' (no quotes) to security-alert@hp.com.

If you find an application which requires world-writeable directories to operate
properly, you should report it to the vendor of that application, as well as to
the Bastille development team so we can inform other users. 
(bastille-feedback@fc.hp.com)"
NO_EXP: "If you find a new security vulnerability in an HP product, you should
report it to security-alert@hp.com.   Please encrypt any exploit
information using the security-alert PGP key, available from your local
key server, or by sending a message with a -subject- (not body) of 'get
key' (no quotes) to security-alert@hp.com."
QUESTION:  "Should Bastille scan for world-writeable directories?"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_CHILD: generalperms_suse
NO_CHILD: generalperms_suse
PROPER_PARENT: generalperms_1_1
REQUIRE_DISTRO: HP-UX
REG_EXP: "^Y$|^N$"
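An added example, not Bastille's own code, of the scan and script generation this question describes: it lists world-writeable directories under a tree, writes a tighten script that sets the sticky bit on each of them (the default the text describes), and writes a revert-directory-perms.sh that restores each directory's recorded mode. The function names, the tighten script's name and the use of GNU "stat -c %a" are assumptions.

```shell
#!/bin/sh
# Added example (not Bastille's code): scan for world-writeable directories
# and generate a tighten script plus a revert script. Nothing is changed by
# running this file itself; the admin reviews and edits the tighten script,
# then runs it as root. GNU "stat -c %a" is assumed for reading the mode.

# Print world-writeable directories under $1, one per line, sorted.
# "-perm -0002" matches any directory whose "other" write bit is set,
# whatever the rest of the mode is (777 and 1777 both match).
find_world_writeable_dirs() {
    find "$1" -type d -perm -0002 -print 2>/dev/null | sort
}

# Single-quote a path for safe inclusion in a generated shell script, so a
# hostile directory name cannot inject commands into a script run as root.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Write $2/tighten-directory-perms.sh and $2/revert-directory-perms.sh for
# every world-writeable directory under $1.  The tighten script only adds
# the sticky bit; the revert script restores the exact mode seen now.
generate_perm_scripts() {
    root=$1
    tighten=$2/tighten-directory-perms.sh
    revert=$2/revert-directory-perms.sh
    printf '#!/bin/sh\n# Generated: set the sticky bit on world-writeable directories.\n# Edit to suit your environment before running.\n' > "$tighten"
    printf '#!/bin/sh\n# Generated: restore the modes recorded before tightening.\n' > "$revert"
    find_world_writeable_dirs "$root" | while IFS= read -r d; do
        mode=$(stat -c '%a' "$d")          # e.g. 777 or 1777 (GNU stat assumed)
        q=$(shell_quote "$d")
        printf 'chmod +t %s\n' "$q" >> "$tighten"
        printf 'chmod %s %s\n' "$mode" "$q" >> "$revert"
    done
    chmod 700 "$tighten" "$revert"         # the generated scripts are for root only
}

# Stand-alone usage: scan a tree and write both scripts to an output directory.
if [ "$#" -eq 2 ]; then
    generate_perm_scripts "$1" "$2"
    echo "review $2/tighten-directory-perms.sh before running it"
fi
```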

LABEL: generalperms_suse
SHORT_EXP: "UnitedLinux supports different sets of file permissions
depending on your security requirements. Different permission profiles
are defined in /etc/permissions and related files; please select one of
the following levels:

easy - this will leave all permissions as defined by the installed
packages. This is the most convenient but also the most
insecure configuration.

secure - this will take away the setuid bits from a large number
of programs not needed for everyday operation by most
operators.

paranoid - this will take away almost all setuid bits. Beware -
the resulting system may not be fully usable. You can
override some of the choices made by this setting
by adding your preferred permissions to
/etc/permissions.local."
QUESTION: "Which permission profile should I use? [secure]"
DEFAULT_ANSWER: secure
REQUIRE_DISTRO: SE
YES_CHILD: suid
NO_CHILD: suid
PROPER_PARENT: generalperms_1_1

LABEL: suid
SHORT_EXP: "The following questions all pertain to disabling \"SUID root\"
permission for particular programs. This permission allows non-root users to run
these programs, increasing convenience but decreasing security.  If a
security weakness or vulnerability is found in these programs, it can be
exploited to gain root-level access to your computer through any user
account.

If you answer \"Yes\" and then realize later that you do need SUID permissions
on a specific program, you can always turn it back on later with chmod u+s <file name>."
QUESTION:
REQUIRE_DISTRO: LINUX DB SE TB
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: suidmount
NO_CHILD: suidmount
PROPER_PARENT: world_writeable

LABEL: suidmount
SHORT_EXP: "Mount and umount are used for mounting (activating) and
unmounting (deactivating) drives that were not automatically mounted at
boot time.  This can include floppy and CD-ROM drives.  Disabling SUID would
still allow anyone with the root password to mount and unmount drives."
REQUIRE_IS_SUID: mount umount smbmnt
QUESTION: "Would you like to disable SUID status for mount/umount?"
REQUIRE_DISTRO: LINUX DB SE TB
YN_TOGGLE: 1
DEFAULT_ANSWER: Y
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidping
NO_CHILD: suidping
PROPER_PARENT: suid

LABEL: suidping
SHORT_EXP: "Ping is used for testing network connectivity.  Specifically it's for
testing the ability of the network to get a packet from this machine to
another and back.  The ping program is SUID since only the root user can
open a raw socket. Since, however, it is often used only by the person responsible
for networking the host, who normally has root access, we recommend
disabling SUID status for it."
QUESTION: "Would you like to disable SUID status for ping? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_IS_SUID: ping
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suiddump
NO_CHILD: suiddump
PROPER_PARENT: suidmount

LABEL: suiddump
SHORT_EXP: "Dump and restore are used for backing up file systems and
restoring them from disk.  If used by an attacker, they could be used to
construct an alternate file system in place.  Further, anyone who backs up
the machine and restores from backup should have authorization and special
access granted by the administrator.  It's extremely unlikely that there will
be any problems with disabling SUID for dump and restore."
QUESTION: "Would you like to disable SUID status for dump and restore? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_IS_SUID: dump restore
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidcard
NO_CHILD: suidcard
PROPER_PARENT: suidping

LABEL: suidcard
SHORT_EXP: "Cardctl is used for controlling PCMCIA devices, primarily found
in laptop or notebook computers.  Non-admins shouldn't have rights to
modify hardware or devices, so you should probably disable SUID status for
this utility even if this is a notebook or laptop.  If this isn't a laptop or
notebook computer, then you probably don't have any PCMCIA devices, and
you should definitely disable this."
QUESTION: "Would you like to disable SUID status for cardctl? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_IS_SUID: cardctl
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidat
NO_CHILD: suidat
PROPER_PARENT: suiddump

LABEL: suidat
SHORT_EXP: "\"at\" is used for scheduling an individual task to run at a single
later time. There have historically been many exploits that take advantage of
weaknesses in \"at\". Virtually all of the necessary functionality of \"at\"
can be found in cron (and removing cron is not practical) so there is
no need to retain privileged access for \"at\"."
QUESTION: "Would you like to disable SUID status for at? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_IS_SUID: at
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suiddos
NO_CHILD: suiddos
PROPER_PARENT: suidcard

LABEL: suiddos
SHORT_EXP: "DOSEMU is a DOS emulator used to run older DOS programs. 
Any use of a second operating system, or emulation, opens up a whole new
area of security problems.  We recommend that only root have access to
this type of application, unless your users have a pressing need for it."
QUESTION: "Would you like to disable SUID status for DOSEMU? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_IS_SUID: dos
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidnews
NO_CHILD: suidnews
PROPER_PARENT: suidat

LABEL: suidnews
SHORT_EXP: "Ordinary users should not be able to start (or stop) the news
server.  For this reason, we'd like to disable SUID status for the INN news
server tools inndstart and startinnfeed."
QUESTION: "Would you like to disable SUID status for news server tools? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_IS_SUID: inndstart startinnfeed
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidprint
NO_CHILD: suidprint
PROPER_PARENT: suiddos

LABEL: suidprint
SHORT_EXP: "If this machine is not going to be using printers, then you should
disable the SUID status of the printing utilities.  These utilities have
a history of security vulnerabilities.  This will disallow local, non-root
users from initiating, modifying, and canceling print requests.  Later,
we'll ask about disabling printing entirely including stopping the print
scheduler."
QUESTION: "Would you like to disable SUID status for printing utilities? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_IS_SUID: lpr lpq lprm lpalt
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidrtool
NO_CHILD: suidrtool
PROPER_PARENT: suidnews

LABEL: suidrtool
SHORT_EXP: "The BSD r-tools (rsh/remsh, rcp, rlogin, rdist, etc.) have
traditionally been used to make remote connections to other machines. 
They rely on IP addresses for authentication and transmit data in clear
text (including passwords).  Tools are now available which allow you to
spoof (fake) IP addresses as well as to monitor and/or hijack protocols
which use cleartext.  All of the same functionality can be found with the more
secure replacement commands ssh and scp.  Because of these insecurities,
ordinary users should not be allowed to use the r-tools, and admins should
use them only in cases where there are no other connection methods
available.

Bastille can remove the permissions on the r-tools so that ordinary users
cannot run them and admins will have to take additional steps to re-enable
them when needed.  This will disable the \"client\" side of these tools,
so that people cannot use them to connect to other machines.

Things known to not work if this is disabled:

  - use models of Ignite-UX which use remsh (HP-UX)"
LONG_EXP: "The BSD r-tools (rsh/remsh, rcp, rlogin, rdist, etc.) have
traditionally been used to make remote connections to other machines. 
They rely on IP-based authentication, which means
that you can allow anyone with (for instance) root access on 192.168.1.1 to
have root access on 192.168.1.2.  Administrators and other users have
traditionally found this useful, as it lets them connect from one host to
another without having to retype a password.

The problem with IP-based authentication, however, is that an intruder can
craft \"spoofed\" or faked packets which claim to be from a trusted machine. 
Since the r-tools rely entirely on IP addresses for authentication, a spoofed
packet will be accepted as real, and any hacker who claims to be from a
trusted host will be trusted and given access to your machine.

These tools also transmit all of your data in cleartext, including passwords.

Tools are now available which allow you to spoof (fake) IP addresses as well
as to monitor and/or hijack protocols which use cleartext.  All of the same
functionality can be found with the more secure replacement commands ssh and
scp.  Because of these insecurities, ordinary users should not be allowed
to use the r-tools, and admins should use them only in cases where there
are no other connection methods available.

Bastille can remove the permissions on the r-tools so that ordinary users
cannot run them and admins will have to take additional steps to re-enable
them when needed.  This will disable the \"client\" side of these tools,
so that people cannot use them to connect to other machines."
QUESTION: "Would you like to disable the r-tools? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_IS_SUID: rcp rlogin rsh rdist rexec
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidusernetctl
NO_CHILD: suidusernetctl
PROPER_PARENT: suidprint

LABEL: suidusernetctl
SHORT_EXP: "usernetctl is a utility that allows ordinary users to control the
network interfaces.  In general, there's no reason for anyone other than the
system administrator to control network interfaces."
QUESTION: "Would you like to disable SUID status for usernetctl? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_IS_SUID: usernetctl
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidtrace
NO_CHILD: suidtrace
PROPER_PARENT: suidrtool

LABEL: suidtrace
SHORT_EXP: "The traceroute utility is used to test network connectivity. 
It is useful for debugging network problems, but it is generally not necessary,
especially for non-privileged users.  If non-root users will be needing to
debug network connections, you can leave the SUID bit on traceroute. 
Otherwise, you should disable it."
QUESTION: "Would you like to disable SUID status for traceroute? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_IS_SUID: traceroute
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidXwrapper
NO_CHILD: suidXwrapper
PROPER_PARENT: suidusernetctl

LABEL: suidXwrapper
SHORT_EXP: "The Xwrapper program is a Set-UID root wrapper written so that
the X server binaries wouldn't all have to be Set-UID.

This program does not need to be Set-UID if you won't be using this machine
as a graphical workstation at all.  One specific case where you can very
safely answer yes is when this system will be running without a monitor of
any kind."
QUESTION: "Would you like to disable SUID status for Xwrapper? [N]"
REQUIRE_DISTRO: LINUX
REQUIRE_IS_SUID: Xwrapper
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: suidXFree86
NO_CHILD: suidXFree86
PROPER_PARENT: suidtrace


LABEL: suidXFree86
SHORT_EXP: "The XFree86 program is the X server binary in XFree86 4.  For
ordinary users to run X, this binary (or a world-executable wrapper) must
be Set-UID root.  In this system's case, the XFree86 binary is Set-UID.

This program does not need to be Set-UID if you won't be using this machine
as a graphical workstation at all.  One specific case where you can very
safely answer yes is when this system will be running without a monitor of
any kind."
QUESTION: "Would you like to disable SUID status for XFree86? [N]"
REQUIRE_DISTRO: LINUX
REQUIRE_IS_SUID: XFree86
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: protectrhost
NO_CHILD: protectrhost
PROPER_PARENT: suidXwrapper


FILE: AccountSecurity.pm

LABEL: protectrhost
SHORT_EXP: "As mentioned earlier, the r-tools (rlogin, rcp, rsh/remsh, etc)
are now considered insecure because they use IP-based authentication
methods which can be easily fooled.  Unfortunately, many users and admins
are not aware of this danger.  Bastille can prevent users and other
admins from opening up dangerous holes in your system security by
restricting rhosts by modifying PAM files (if applicable), removing
execute permission from rshd/remshd and rlogind, and commenting out the
services in your inetd.conf file.  This will disable both the \"client\"
and \"server\" sides of these tools."
LONG_EXP: "The BSD r-tools rely on IP-based authentication, which means
that you can allow anyone with (for instance) root access on 192.168.1.1
to have root access on 192.168.1.2.  Administrators and other users have
traditionally found this useful, as it lets them connect from one host to
another without having to retype a password.  The .rhosts file contains the
names of the accounts and machines that are considered to be trusted.

The problem with IP-based authentication, however, is that an intruder can
craft \"spoofed\" or faked packets which claim to be from a trusted user
on a trusted machine.  Since the r-tools rely entirely on IP addresses
(and remote username) for authentication, a spoofed packet will be
accepted as real.

Some of your users, or even possibly other administrators for this machine,
might not be aware of the security problems with the BSD r-tools.  If this is
the case, they might create .rhosts files that would potentially allow
crackers access to the machine.  This option will disable the use of those
r-tools both from your machine and as a means of logging into your machine."
QUESTION: "Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: rsh
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: passwdage
NO_CHILD: passwdage
PROPER_PARENT: suidXFree86


LABEL: passwdage
SHORT_EXP: "We can set the default password aging on accounts here, such
that accounts are disabled if the password has not changed within the last
180 days.  At some point before the 180 days are up, the user will be
prompted to change his or her password.  This measure keeps passwords
fresh and also prevents inactive accounts from being attacked by system
crackers."
LONG_EXP: "Your operating system's default behavior, which we would
change here, is to disable an account when the password hasn't changed
in 99,999 days.  This interval is too long to be useful.  We can set the
default to 180 days.  At some point before the 180 days have passed, the
system will ask the user to change his or her password.  At the end of the
180 days, if the password has not been changed, the account will be
temporarily disabled.  We would make this change in /etc/login.defs."
QUESTION: "Would you like to enforce password aging? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: cronuser
NO_CHILD: cronuser
PROPER_PARENT: protectrhost
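An added example, not Bastille's own code, of the /etc/login.defs change this question describes: it sets PASS_MAX_DAYS to 180 in a login.defs-style file, replacing an existing or commented-out definition rather than adding a duplicate. The file path is a parameter so the function can be exercised on a constructed copy; the function names and the PASS_WARN_AGE value are assumptions.

```shell
#!/bin/sh
# Added example (not Bastille's code): idempotent edit of a login.defs-style
# file.  PASS_MAX_DAYS and PASS_WARN_AGE are real /etc/login.defs keys; the
# 180-day limit is the value the question describes, the warning lead time
# is an assumption of this example.

# Set "$2 $3" in file $1: the first line defining key $2 (commented out
# with "#key" or active) is replaced, later duplicates are dropped, and the
# key is appended when absent.  "# key" with a space is left as a comment.
set_login_def() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        $1 == k || $1 == ("#" k) { if (!done) { print k, v; done = 1 }; next }
        { print }
        END { if (!done) print k, v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode/owner
    rm -f "$tmp"
}

# Print the effective value of key $2 in file $1 (last definition wins; empty if unset).
get_login_def() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Apply the aging policy from the question to the given login.defs file.
enforce_password_aging() {
    set_login_def "$1" PASS_MAX_DAYS 180   # expire passwords unchanged for 180 days
    set_login_def "$1" PASS_WARN_AGE 14    # warn this many days before expiry (assumed value)
}

# Stand-alone usage: "sh this.sh /etc/login.defs" as root.
if [ "$#" -eq 1 ]; then
    enforce_password_aging "$1"
    echo "PASS_MAX_DAYS is now $(get_login_def "$1" PASS_MAX_DAYS)"
fi
```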

LABEL: cronuser
SHORT_EXP: "Cron allows users to submit jobs for the system to do at a
particular, possibly recurring time.  It can be very useful, but also has a very
real potential for abuse by either users or system crackers.  If you choose
to restrict the use of cron to system administrators, you will still be able to
allow individual users the use of cron at a later date."
LONG_EXP: "Cron can be particularly useful for admins, giving them the ability
to have the system check logs every night at midnight or confirm file
integrity every hour.  On the other hand, being able to execute jobs later or
automatically represents an abusable privilege for users and also makes
their actions slightly harder to track.

Many sites choose to restrict cron to administrative accounts.  We suggest
this action to new admins especially, until they understand more about how
cron can be abused and know more about which users need access to cron.
We would like to create the /etc/cron.allow file of users who may use cron.
You can add to that later.  If we don't create this file, all users will be
allowed to use cron."
QUESTION: "Would you like to restrict the use of cron to administrative
accounts? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: umaskyn
NO_CHILD: umaskyn
PROPER_PARENT: passwdage

LABEL: umaskyn
SHORT_EXP: "The umask sets a default permission for files that you create.
Bastille can set one of several umasks in the default
login configuration files.  These cover standard shells like csh and most
Bourne shell variants like bash, sh, and ksh.  If you
are going to install other shells, you may have to configure them
yourself.  The only reason not to set at least a minimal default umask
is if you are sure that you have already set one."
QUESTION: "Do you want to set a default umask? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: umask
NO_CHILD: rootttylogins
PROPER_PARENT: cronuser
REG_EXP: "^Y$|^N$"

LABEL: umask
SHORT_EXP: "The umask sets a default permission for files that you
create.  Bastille can set one of several umasks in the default
login configuration files.  These cover most shells including csh and
most of the Bourne shell variants like bash, sh, bsh, and ksh.
Note that if you are going to install other shells, you may have to
configure them yourself.  Please select one of the following or create your own:

002  - Everyone can read your files & people in your group can alter them.

022  - Everyone can read your files, but no one else can write to them.

077  - No one else on the system can read or write your files."
LONG_EXP: "The umask sets a default permission for files that you create. 
Bastille can set one of several umasks.  Please select one of the following
or create your own:

002  - Everyone can read your files & people in your group can alter them.

022  - Everyone can read your files, but no one else can write to them.

027  - Only people in your group can read your files; no one else can write to them.

077  - No one else on the system can read or write your files."
QUESTION: "What umask would you like to set for users on the system? [077]"
DEFAULT_ANSWER: 077
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: rootttylogins
NO_CHILD: rootttylogins
PROPER_PARENT: cronuser
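
What each of the umask choices above actually does to a newly created file and directory, as an added example that is not part of Bastille: it sets the umask in a scratch directory, creates a file and a directory, and reads the resulting permission bits back from the filesystem rather than computing them, so the kernel's own rule (0666 & ~umask for files, 0777 & ~umask for directories) is what you see. The process umask is restored afterwards.

```python
import os
import stat
import tempfile

def modes_under_umask(mask):
    """Create a file and a directory under the given umask (an octal string
    such as "027") in a scratch directory and return their resulting
    permission bits as octal strings, e.g. ("640", "750").  The modes are
    read back from the filesystem, not computed, so this shows what the
    kernel actually applies: 0666 & ~umask for files, 0777 & ~umask for dirs."""
    saved = os.umask(int(mask, 8))
    try:
        with tempfile.TemporaryDirectory() as scratch:
            fpath = os.path.join(scratch, "newfile")
            dpath = os.path.join(scratch, "newdir")
            with open(fpath, "w"):      # open(2) requests 0666 before the umask
                pass
            os.mkdir(dpath)             # mkdir(2) requests 0777 before the umask
            fmode = stat.S_IMODE(os.stat(fpath).st_mode)
            dmode = stat.S_IMODE(os.stat(dpath).st_mode)
    finally:
        os.umask(saved)                 # never leave the process umask changed
    return format(fmode, "03o"), format(dmode, "03o")

def umask_summary(mask):
    """Translate a umask into the plain-language terms the question uses:
    who (besides the owner) can read and who can write a new file."""
    fmode = int(modes_under_umask(mask)[0], 8)
    return {
        "group_can_read":  bool(fmode & stat.S_IRGRP),
        "group_can_write": bool(fmode & stat.S_IWGRP),
        "other_can_read":  bool(fmode & stat.S_IROTH),
        "other_can_write": bool(fmode & stat.S_IWOTH),
    }

def umask_table(masks=("002", "022", "027", "077")):
    """The four choices the question lists, with their observed effect."""
    return {m: modes_under_umask(m) for m in masks}
```

Note that the umask only removes bits; it can never grant more than the 0666/0777 the creating call asks for, which is why a file created under umask 002 is group-writable but still not executable.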
REG_EXP: "^[0-7][0-7][0-7]$"

LABEL: rootttylogins
SHORT_EXP: "You can restrict which ttys root can log in on.  Some sites choose
to restrict root logins, so that an admin must log in with an ordinary user
account and then use su to become root."
LONG_EXP: "You can restrict which ttys root can log in on.  Some sites choose
to restrict root logins, so that an admin must log in with an ordinary user
account and then use su to become root.

This can stop an attacker who has only been able to steal the root password
from logging in directly.  He has to steal a second account's password to
make use of the root password via the ttys."
QUESTION: "Should we disallow root login on ttys 1-6? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: create_securetty
NO_CHILD: create_securetty
PROPER_PARENT: umask

LABEL: create_securetty
SHORT_EXP: "Bastille can restrict root from logging in to a tty over the network.
This will force administrators to log in first as a non-root user, then
su to become root.  Root logins will still be permitted on the console and
through services that do not use ttys (e.g. HP-UX Secure Shell).

This can stop an attacker who has only been able to steal the root password
from logging in directly to a tty.  He has to steal a second account's password to
make use of the root password via the network.

MAKE SURE that you can log in using a non-root account before you do this,
or you will obviously need access to the console to log in."
QUESTION: "Should Bastille disallow root logins from network ttys? [N]"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: forbiduserview
NO_CHILD: forbiduserview
PROPER_PARENT: rootttylogins

LABEL: forbiduserview
SHORT_EXP: "By default in Linux-Mandrake, when using the graphical login,
you can see a list of all users who can log in to the system.  This can be a
minor security issue, as it lets an attacker know about every user account
on the system.  We can turn this feature off."
LONG_EXP: "By default in Linux-Mandrake, when using the graphical login,
you can see a list of all users who can log in to the system.  This can be a
minor security issue, as it lets an attacker know about every user account
on the system.  We can turn this feature off."
QUESTION: "Should we deactivate the graphical login's user list display? [N]"
REQUIRE_DISTRO: MN TB
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: protectgrub
NO_CHILD: protectgrub
PROPER_PARENT: create_securetty

FILE: BootSecurity.pm

LABEL: protectgrub
SHORT_EXP: "If an attacker has physical access to this machine, and
particularly to the keyboard, s/he could get superuser access through the
Grand Unified Bootloader (GRUB) command line.  We will look at other ways
to prevent this later, but one easy way is to password-protect the GRUB
prompt.  If GRUB is password-protected, any user can reboot the machine
normally, but only users with the password can pass arguments to the GRUB
prompt.

Note that this option can interfere with dual-booting with a second operating
system, since dual booting often requires that you type an O/S name to boot
one of the two operating systems.  If this machine sits in a general
purpose lab and dual boots, you probably shouldn't choose this option.

Otherwise, this is strongly recommended for general use workstations and
servers which are not locked away in their own room."
QUESTION: "Would you like to password-protect the GRUB prompt? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: grub.conf
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: protectgrub_password
NO_CHILD: protectlilo
SKIP_CHILD: protectlilo
PROPER_PARENT: forbiduserview

LABEL: protectgrub_password
SHORT_EXP: "You've elected to password protect the GRUB prompt.  Please enter
a GRUB password.

WARNING: Please do not make this the root password for this computer, as the
         GRUB password will be stored unencrypted on the machine."
QUESTION: "Enter GRUB password, please.   []"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: grub.conf
DEFAULT_ANSWER:
YN_TOGGLE: 0
YES_CHILD: protectlilo
NO_CHILD: protectlilo
PROPER_PARENT: protectgrub

LABEL: protectlilo
SHORT_EXP: "If an attacker has physical access to this machine, and
particularly to the keyboard, s/he could get superuser access through the
Linux Loader (LILO) command line.  We will look at other ways to prevent this
later, but one easy way is to password-protect the LILO prompt.  If LILO is
password-protected, any user can reboot the machine normally, but only
users with the password can pass arguments to the LILO prompt.

Note that this option can interfere with dual-booting with a second operating
system, since dual booting often requires that you type an O/S name to boot
one of the two operating systems.  If this machine sits in a general
purpose lab and dual boots, you probably shouldn't choose this option.

Otherwise, this is strongly recommended for general use workstations and
servers which are not locked away in their own room."
QUESTION: "Would you like to password-protect the LILO prompt? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: lilo.conf
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: protectlilo_password
NO_CHILD: lilodelay
SKIP_CHILD: lilodelay
PROPER_PARENT: protectgrub

LABEL: protectlilo_password
SHORT_EXP: "You've elected to password protect the LILO prompt.  Please enter
a LILO password.

WARNING: Please do not make this the root password for this computer, as the
         LILO password will be stored unencrypted on the machine."
QUESTION: "Enter LILO password, please.   []"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: lilo.conf
DEFAULT_ANSWER:
YN_TOGGLE: 0
YES_CHILD: lilodelay
NO_CHILD: lilodelay
PROPER_PARENT: protectlilo

LABEL: lilodelay
SHORT_EXP: "We can further protect the system by taking away the
attacker's chance to type anything at the LILO prompt.  This is not
dependent on the previous option, nor is it exclusive of it.  If you chose the
previous option, this will make your configuration even tighter, as some
machines will allow an attacker to place keystrokes into the keyboard buffer
before he or she reaches the LILO prompt."
QUESTION: "Would you like to reduce the LILO delay time to zero? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: lilo.conf
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: lilosub_drive
NO_CHILD: lilosub_drive
PROPER_PARENT: protectlilo

LABEL: lilosub_drive
SHORT_EXP: "If you selected \"yes\" on either of the previous options (password-protecting the LILO prompt or reducing its delay to zero), then you need to now write the changes to your LILO configuration.

Do you boot from your hard drive? That is, is LILO installed on your hard
drive?"
QUESTION: "Do you ever boot Linux from the hard drive? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: lilo.conf
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: lilosub_floppy
NO_CHILD: lilosub_floppy
PROPER_PARENT: protectlilo

LABEL: lilosub_floppy
SHORT_EXP: "If you have a Linux boot floppy, either for normal booting or for emergency use, you should also write these LILO changes to that floppy.  If you do not already have a customized Linux boot floppy, or if you did not choose to make any changes to your LILO configuration, you should answer \"no\" here."
QUESTION: "Would you like to write the LILO changes to a boot floppy? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: lilo.conf
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: lilosub_writefloppy
NO_CHILD: secureinittab
SKIP_CHILD: secureinittab
PROPER_PARENT: protectlilo

LABEL: lilosub_writefloppy
SHORT_EXP: "Please place the boot floppy to be modified in a floppy drive, preferably the first drive, called \"fd0\" or \"a:\".

Now, type in the Linux name of the drive device, like so:

	    fd0          floppy drive 1
	    fd1          floppy drive 2
"
QUESTION: "Floppy drive device name: [fd0]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: lilo.conf
DEFAULT_ANSWER: fd0
YN_TOGGLE: 0
YES_EXP: "We will write to this disk when we actually make changes.  Please
leave this disk in the drive."
NO_EXP:
YES_CHILD: secureinittab
NO_CHILD: secureinittab
PROPER_PARENT: lilosub_floppy

LABEL: secureinittab
SHORT_EXP:  "In the default configuration, while in
console mode (non-graphical), any user at the keyboard can reboot the
machine by pressing CTRL-ALT-DELETE.  This is an unlikely method of attack,
and disabling CTRL-ALT-DELETE is only a useful precaution in cases where the
attacker would have access to the keyboard but not the power supply; if this
is not the case, it might be a better idea to not disable CTRL-ALT-DELETE."
LONG_EXP: "Disabling CTRL-ALT-DELETE rebooting is designed to prevent an
attacker with access to the machine's keyboard from being able to reboot
the machine.  A reboot done in this manner should not damage the
file system, as it shuts the machine down cleanly, writing out all pending data
in the disk cache to disk first.  Even with this functionality disabled,
however, an attacker could just power cycle the machine or pull the power cord.

Unless the power line, switch and case of the machine can
be physically protected, this precaution is wholly unnecessary.  Given the
fact that the attacker _can_ reboot the machine, would you prefer that
s/he do it in a way that potentially damages the file system? Think carefully here,
as maintaining the integrity of the machine's file system may be secondary to
the goal of keeping an attacker off, in which case it is better to answer yes
here, since having to repair/ignore the damage and wait for file system
checks may slow the attacker down."
QUESTION: "Would you like to disable CTRL-ALT-DELETE rebooting? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: passsum
NO_CHILD: passsum
PROPER_PARENT: lilodelay

LABEL: passsum
SHORT_EXP: "As we mentioned earlier, anyone who can get to the console on
your machine can bring your machine up in \"single user mode\", where s/he is
given root privileges and everyone else is locked out of the system.  If you
password protect single user mode, you won't have to remember yet
another password--single user mode, or \"root\" mode, will require the root
password.

We HIGHLY recommend that you password protect single user mode."
QUESTION: "Would you like to password protect single-user mode? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: disable_autologin
NO_CHILD: disable_autologin
PROPER_PARENT: secureinittab

LABEL: disable_autologin
SHORT_EXP: "Autologin logs you in as a particular user without a password. 
This option is an extremely low security feature, intended to make
Mandrake Linux easier to use."
LONG_EXP:  "Autologin logs you in as a particular user without a password. 
This option is an extremely low security feature, intended to make
Mandrake Linux easier to use.

While Autologin is rather convenient, it can also be a
security risk when other people can obtain physical access to your computer.
We'd suggest that you deactivate this feature."
QUESTION: "May we disable Autologin? [Y]"
DEFAULT_ANSWER: Y
REQUIRE_DISTRO: MN7.0 MN7.1 MN7.2 MN8.0 MN8.1
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: inetd_off
NO_CHILD: inetd_off
PROPER_PARENT: passsum

FILE: SecureInetd.pm

LABEL: inetd_off
SHORT_EXP: "Not recommended for most users:

Bastille can turn off inetd completely. This will disable all inetd based
services."
LONG_EXP: "Not recommended for most users:

Bastille can turn off inetd completely. This will disable all inetd based
services, such as finger, rlogin, rsh, telnet and likely ftp, but all other
network services such as sshd will not be affected by this."
QUESTION: "Turn off inetd? [N]"
DEFAULT_ANSWER: N
REQUIRE_DISTRO: SE8.0 SE8.1
YN_TOGGLE: 1
YES_CHILD: banners
NO_CHILD: tcpd_default_deny
SKIP_CHILD: tcpd_default_deny
PROPER_PARENT: disable_autologin

LABEL: tcpd_default_deny
SHORT_EXP: "Not recommended for most users:

If you would like, Bastille can configure a default policy for all inetd,
xinetd, and TCP Wrappers-aware services to deny all connection attempts.
While you might have already chosen to install Bastille's firewall, setting
a default deny policy for these services gives more defense in depth.

This will also configure xinetd so that the currently-installed xinetd
services will use xinetd's more flexible access control and *not*
/etc/hosts.allow.  All other wrappers-based programs, like sshd, will
obey the default-deny."
LONG_EXP: "Not recommended for most users:

Many network services can be configured to restrict access
to certain network addresses (and in the case of 'xinetd' services in
Linux-Mandrake 8.0 and Red Hat 7.x, other criteria as well). For services
running under the older 'inetd' super-server (found in older versions of
Linux-Mandrake and Red Hat, and current versions of some other distributions),
some standalone services like OpenSSH, and --unless otherwise configured--
services running under Red Hat's xinetd super-server, you can configure
restrictions based on network address in /etc/hosts.allow. The services
using inetd or xinetd typically include telnet, ftp, pop, imap, finger,
and a number of other services.

If you would like, Bastille can configure a default policy for all inetd,
xinetd, and TCP Wrappers-aware services to deny all connection attempts.
While you might have already chosen to install Bastille's firewall, setting
a default deny policy for these services gives more defense in depth.

This will also configure xinetd so that the currently-installed xinetd
services will use xinetd's more flexible access control and *not*
/etc/hosts.allow.  All other wrappers-based programs, like sshd, will
obey the default-deny."
QUESTION: "Would you like to set a default-deny on TCP Wrappers and xinetd? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: deactivate_telnet
NO_CHILD: deactivate_telnet
PROPER_PARENT: inetd_off
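
How a TCP Wrappers default-deny actually decides a connection, as an added example; this is not Bastille's code nor tcpd itself but a simplified model of the hosts_access(5) evaluation order, covering only ALL, exact IPv4 addresses, trailing-dot network prefixes and net/mask patterns (the EXCEPT operator, hostnames and the optional shell-command field are left out). The two sample files are constructed for the example: hosts.deny carries the "ALL: ALL" default deny and hosts.allow re-opens just two services.

```python
import ipaddress

# Constructed sample files (not from any real system).  hosts.deny carries the
# Bastille-style default deny; hosts.allow re-opens only what is needed.
SAMPLE_HOSTS_ALLOW = """\
# only the admin LAN may reach sshd; in.ftpd is open to one host
sshd: 192.168.10.
in.ftpd: 10.1.1.5
"""
SAMPLE_HOSTS_DENY = """\
ALL: ALL
"""

def parse_hosts_access(text):
    """Return [(daemon_list, client_list)] for each rule line.  Comments and
    blank lines are skipped; the optional third field (shell command) and
    the EXCEPT operator are not modelled.  IPv4 only."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                      # malformed line: tcpd logs and ignores it
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, client_ip):
    """Subset of tcpd's client patterns: ALL, an exact address, a network
    prefix written with a trailing dot ("192.168.10."), or net/mask."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip

def hosts_access(daemon, client_ip, allow_text, deny_text):
    """Decide as tcpd does: the first matching rule in hosts.allow grants,
    then the first matching rule in hosts.deny refuses, and a request that
    matches neither file is GRANTED.  Without an "ALL: ALL" line in
    hosts.deny there is therefore no default deny at all."""
    for rules, verdict in ((parse_hosts_access(allow_text), True),
                           (parse_hosts_access(deny_text), False)):
        for daemons, clients in rules:
            if any(d in ("ALL", daemon) for d in daemons) and \
               any(client_matches(c, client_ip) for c in clients):
                return verdict
    return True
```

The last assertion-worthy point is the one the question is about: with an empty hosts.deny, an unlisted daemon/client pair is accepted, so the default-deny line is what turns the allow file into a whitelist.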

LABEL: deactivate_telnet
SHORT_EXP: "Telnet is not secure.

Telnet is shipped on most operating systems for backward compatibility,
and it should not be used in an untrusted network.

Telnet is a cleartext protocol, meaning that any data transferred,
including passwords, can be monitored by anyone else on your network (even if you
use a switching router, as switches were designed for performance, not
security).  Other networks can monitor this information too if the
telnet session crosses multiple LANs.

There are also other more active attacks.  For example, anyone who can
eavesdrop can usually take over your telnet session, using a tool like
Hunt or Ettercap.

The standard practice among security-conscious sites is to migrate as rapidly
as possible from telnet to secure shell (ssh).  We'd advise you to make this
move as soon as possible.  Secure shell implementations are available from 
openssh.org and ssh.com.  Most Operating System vendors also distribute a 
version of secure shell,
so check with your vendor first to see if there is a version that has been
tested with your OS."
QUESTION: "Should Bastille ensure the telnet service does not run on this system? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: deactivate_ftp
NO_CHILD: deactivate_ftp
PROPER_PARENT: tcpd_default_deny


LABEL: deactivate_ftp
SHORT_EXP: "FTP is another problematic protocol.  First, it is a cleartext
protocol, like telnet -- this allows an attacker to eavesdrop on sessions and
steal passwords. This also allows an attacker to take over an FTP session,
using a cleartext-takeover tool like Hunt or Ettercap.  Second, it can make
effective firewalling difficult.  Third, every major FTP daemon has had a
long history of security vulnerability -- they represent one of the major
successful attack vectors for remote root attacks.

FTP can often be replaced by Secure Shell's scp and sftp programs.

NOTE: this will also prevent the use of this machine as an anonymous ftp
server."
QUESTION: "Should Bastille ensure the FTP service does not run on this system? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: deactivate_rtools
NO_CHILD: deactivate_rtools
PROPER_PARENT: deactivate_telnet

LABEL: deactivate_rtools
SHORT_EXP: "The login, shell, and exec services make use of r-tools,
that is rlogind, remshd, and rexecd respectively, which use IP based
authentication. This form of authentication can be easily defeated via
forging packets that suggest the connecting machine is a trusted host
when in fact it may be an arbitrary machine on the network.
Administrators in the past have found these services useful but
many are unaware of the security ramifications of leaving these services
enabled.  

We suggest disabling these services unless this machine's use
model requires the services present.

Some use models of Ignite-UX require the remshd service."
QUESTION: "Should Bastille ensure that the login, shell, and exec services do not run on this system?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: banners
NO_CHILD: banners
PROPER_PARENT: deactivate_ftp
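
One way the telnet, ftp and r-tools questions above translate into an inetd.conf edit, as an added example that is not Bastille's own implementation: it comments out the active line for each named service and leaves already-disabled lines alone, so it is safe to run repeatedly. The inetd.conf fragment is constructed for the example in HP-UX layout; the server paths are illustrative, not read from any host.

```python
import re

# Constructed sample inetd.conf fragment in HP-UX layout (service, socket type,
# protocol, wait/nowait, user, server path, arguments).  Not a real system file.
SAMPLE_INETD_CONF = """\
ftp      stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet   stream tcp nowait root /usr/lbin/telnetd telnetd
login    stream tcp nowait root /usr/lbin/rlogind rlogind
shell    stream tcp nowait root /usr/lbin/remshd  remshd
exec     stream tcp nowait root /usr/lbin/rexecd  rexecd
#finger  stream tcp nowait bin  /usr/lbin/fingerd fingerd
daytime  stream tcp nowait root internal
"""

# The services the three questions cover: telnet, ftp and the r-tools
# (login = rlogind, shell = remshd, exec = rexecd).
INSECURE_SERVICES = ("telnet", "ftp", "login", "shell", "exec")

def disable_inetd_services(conf_text, services=INSECURE_SERVICES):
    """Comment out every active line whose service field is in `services`.
    Returns (new_text, list_of_services_disabled).  Lines already commented
    out are left alone, so running this twice changes nothing.  HP-UX RPC
    entries (first field "rpc") are not addressed by service name here."""
    out, disabled = [], []
    for line in conf_text.splitlines():
        m = re.match(r"^\s*(\S+)\s", line)   # first whitespace-separated field
        if m and m.group(1) in services:
            out.append("#" + line)
            disabled.append(m.group(1))
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled

def active_inetd_services(conf_text):
    """Service names that inetd would still start from this file."""
    return [line.split()[0] for line in conf_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]
```

After editing the real file, inetd must be told to re-read it (on HP-UX, inetd -c) before the change takes effect; the before/after listing from active_inetd_services is a quick way to confirm what is still exposed.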

LABEL: banners
SHORT_EXP: "At this point you can create \"Authorized Use Only\" messages for
your site. These may be very helpful in prosecuting system crackers you
may catch trying to break into your system.  Bastille can make default
messages which you may then later edit.  This is sort of like an
\"anti-welcome mat\" for your computer."
QUESTION: "Would you like to display \"Authorized Use\" messages at log-in time? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP: "A default login/telnet/ftp \"Authorized Use Only\" banner will be
created, and will be found in /etc/issue.  You should modify this banner to
apply more specifically to your organization (for instance, adding any 
site-specific information to the default warnings).  If this is a corporate site,
check with your corporate counsel to determine the most appropriate
warning for the banner.  These banners, according to CIAC's bulletin

   (http://ciac.llnl.gov/ciac/bulletins/j-043.shtml)

may make it much easier to prosecute intruders.  By including this default
banner, neither the Bastille development team nor Hewlett-Packard Company
take any responsibility for your ability to prosecute system crackers.
Please, especially if you run a corporate site, review/replace this with
more specific language."
NO_EXP:
YES_CHILD: owner
NO_CHILD: log_inetd
PROPER_PARENT: deactivate_ftp

LABEL: owner
SHORT_EXP: "Bastille will start to make the banner more specific by
telling the user who is responsible for this machine.  This will state
explicitly from whom the user needs to obtain authorization to use this
machine.  Please type in the name of the company, person, or other
organization who owns or is responsible for this machine."
QUESTION: "Who is responsible for granting authorization to use this machine?"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
DEFAULT_ANSWER: "its owner"
YN_TOGGLE: 0
YES_CHILD: log_inetd
NO_CHILD: log_inetd
SKIP_CHILD: log_inetd
PROPER_PARENT: banners

LABEL: log_inetd
SHORT_EXP: "It is a good idea to log connection attempts to inetd services.
The only reasons not to do this are if you are extremely limited on disk
space in your \"var\" partition or concerned that an attacker may try to fill
up the system log partition in a determined denial-of-service attack."
QUESTION: "Should Bastille enable logging for all inetd connections?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
YES_CHILD: inetd_general
NO_CHILD: inetd_general
SKIP_CHILD: inetd_general
PROPER_PARENT: banners

LABEL: inetd_general
SHORT_EXP: "In addition to the previously mentioned services, one should
also disable other unneeded inetd services.  The aim is to only leave
those services running that are critical to the operation of
this machine.  This is an example of the frequent tradeoff
between security and functionality.  The most secure
machine is usually not very useful.  For the most secure, but useful
system, you will need to enable only those services which this system
needs to fulfill its intended purpose.

You can further restrict access using the inetd.sec file or a program
like TCP Wrappers.  If you answer \"Y\" to this question, Bastille will
also point you to information on how to configure these tools.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Should Bastille tell you to disable unneeded inetd services in the TODO list?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
YES_CHILD: secure_sshd
NO_CHILD: secure_sshd
SKIP_CHILD: secure_sshd
PROPER_PARENT: banners

FILE: Ssh.pm

LABEL: secure_sshd
SHORT_EXP: "This option changes the configuration of your SSH daemon
to more secure defaults (if the configuration is already secure, this
doesn't do anything). Changes include disallowing .rhosts based
authentication, as well as users logging in as root directly or
logging into an account without a password."
LONG_EXP:
QUESTION: "Would you like Bastille to change your SSH daemon configuration?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REQUIRE_DISTRO: SE
REQUIRE_FILE_EXISTS: sshd_config
YES_CHILD: compiler
NO_CHILD: compiler
SKIP_CHILD: compiler
PROPER_PARENT: log_inetd
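
An idempotent sshd_config edit of the kind the question describes, as an added example rather than Bastille's own code. The four keywords are real OpenSSH directives chosen to match the three changes named above (no .rhosts-style trust, no direct root login, no empty-password login); the page does not list the exact directives Bastille writes, so that mapping is an assumption. The sample config is constructed, and Match blocks are not modelled.

```python
# Real OpenSSH sshd_config keywords; assumed here to correspond to the
# changes the question describes (the page does not list the exact
# directives Bastille writes).
HARDENED_SSHD = {
    "PermitRootLogin": "no",            # no direct root logins
    "IgnoreRhosts": "yes",              # ignore ~/.rhosts and ~/.shosts
    "HostbasedAuthentication": "no",    # no rhosts-style trust via host keys
    "PermitEmptyPasswords": "no",       # no login to accounts with empty passwords
}

# Constructed sample: a partly commented-out default file (not a real host's config).
SAMPLE_SSHD_CONFIG = """\
Port 22
#PermitRootLogin yes
PermitEmptyPasswords yes
IgnoreRhosts yes
Subsystem sftp /usr/libexec/sftp-server
"""

def _keyword_and_value(line):
    """Split an sshd_config line (possibly commented out) into
    (lowercased keyword, value, is_comment); keyword is None for blank lines.
    sshd matches keywords case-insensitively, so we lowercase them."""
    is_comment = line.lstrip().startswith("#")
    parts = line.lstrip().lstrip("#").strip().split(None, 1)
    if not parts:
        return None, None, is_comment
    return parts[0].lower(), (parts[1].strip() if len(parts) == 2 else ""), is_comment

def harden_sshd_config(text, settings=HARDENED_SSHD):
    """Return (new_text, changed_keywords).  For each wanted keyword: the
    first active occurrence is corrected in place if its value is wrong
    (sshd honours only the first active occurrence, so later duplicates are
    inert); otherwise the first commented-out occurrence is activated;
    otherwise the directive is appended.  A file that already has every
    value comes back unchanged, the "does nothing if already secure"
    behaviour described above."""
    lines = text.splitlines()
    first_active, first_comment = {}, {}
    for i, line in enumerate(lines):
        key, _, is_comment = _keyword_and_value(line)
        if key is not None:
            (first_comment if is_comment else first_active).setdefault(key, i)
    changed = []
    for canon, value in settings.items():
        key = canon.lower()
        desired = f"{canon} {value}"
        if key in first_active:
            i = first_active[key]
            if _keyword_and_value(lines[i])[1].lower() != value:
                lines[i] = desired
                changed.append(canon)
        elif key in first_comment:        # commented-out default: activate it
            lines[first_comment[key]] = desired
            changed.append(canon)
        else:
            lines.append(desired)
            changed.append(canon)
    return "\n".join(lines) + "\n", changed

def sshd_setting(text, keyword):
    """Value of the first active occurrence of `keyword`, or None if unset."""
    for line in text.splitlines():
        key, value, is_comment = _keyword_and_value(line)
        if key == keyword.lower() and not is_comment:
            return value
    return None
```

Run `sshd -t` against the edited file before restarting the daemon; a typo in sshd_config otherwise prevents sshd from starting and can lock you out of a remote host.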

FILE: DisableUserTools.pm

LABEL: compiler
SHORT_EXP: "The most common technique for the bulk of the system
crackers out there is to gain access to your system, often through a regular
user account, and then use that access to compile exploits against your
system or other systems.  Disabling the gcc compiler on your system will slow
these crackers down, and may even prevent some attacks entirely.

If this machine is a dedicated server/firewall, which does not have users who
need to compile programs, this action is strongly recommended.  Otherwise,
you should very carefully consider whether you will be inconveniencing your
users by disabling the compiler.  If you do choose to disable it, we'll do so by
only allowing root access to the compiler."
QUESTION: "Would you like to disable the gcc compiler? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: gcc
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: limitsconf
NO_CHILD: limitsconf
PROPER_PARENT: inetd_general

FILE: ConfigureMiscPAM.pm

LABEL: limitsconf
SHORT_EXP: "In certain kinds of system attacks, known as Denial of Service
(DoS) attacks, the goal is not to gain access but instead to disrupt the
normal operation of the computer.  You can protect against certain types of
denial of service attacks by setting limits on the resources available to each
user.

Though you should customize this setting later if you're running a
high-output production server, we recommend this action for all machines and
configurations."
LONG_EXP:  "Denial of Service attacks are often very difficult to defend
against, since they don't require access of any kind to the target machine.
Since several major daemons, including the web, name, and FTP servers, may
run as a particular user, you can limit the effectiveness of many Denial of
Service attacks by modifying /etc/security/limits.conf.  If you restrict the
resources available in this manner, you can effectively cripple most Denial of
Service attacks.

If you choose this option, you'll be setting the following initial limits on
resource usage:
	
   - Creation of core files is turned off.  Core files (also known as
     core dumps) are created when an application crashes. They
     can be useful for diagnosing system problems, but they are very
     large files and can be exploited by an attacker to fill up your
     file system.

   - Individual users are limited to 150 processes each.  This should
     be more than enough for normal system usage, and is not enough
     to bring down your machine.

   - Individual files are limited to a size of 100MB.  Again, this
     should be more than enough for normal system usage.

All of these values can be edited later."
QUESTION: "Would you like to put limits on system resource usage? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP: "System resource limits have been set in the file
/etc/security/limits.conf, which you can edit later as necessary."
NO_EXP:
YES_CHILD: consolelogin
NO_CHILD: consolelogin
PROPER_PARENT: compiler
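
How the limits described above are resolved for a given user, as an added example that is not Bastille's code: a small limits.conf parser plus the precedence rule pam_limits applies (a line naming the user beats a line for one of the user's groups, which beats the "*" default, regardless of order; among lines of the same kind the last wins). The sample file is constructed from the three initial limits the text lists (fsize is expressed in KB in limits.conf, so 100MB is written as 102400) with two extra entries added to show precedence.

```python
# Constructed sample limits.conf, using the three initial limits the text
# describes (fsize is in KB in limits.conf, so 100MB is 102400) plus two
# more specific entries to show precedence.  Not a real system file.
SAMPLE_LIMITS_CONF = """\
# <domain>  <type>  <item>  <value>
*        hard    core     0
*        hard    nproc    150
*        hard    fsize    102400
@wheel   hard    nproc    500
bob      -       nproc    20
"""

def parse_limits_conf(text):
    """Yield (domain, type, item, value) per rule; a '-' type stands for
    both soft and hard.  Values are ints except the word 'unlimited'."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue                      # blank, comment or malformed line
        domain, ltype, item, value = fields[:4]
        value = value if value == "unlimited" else int(value)
        for t in (("soft", "hard") if ltype == "-" else (ltype,)):
            yield domain, t, item, value

def effective_limits(text, user, groups=()):
    """Resolve the limits pam_limits would apply to `user`.  A line naming
    the user beats a line for one of the user's @groups, which beats the
    '*' default, whatever their order in the file; among lines of the same
    kind the last one wins.  Returns {(item, type): value}."""
    USER, GROUP, DEFAULT = 0, 1, 2          # lower number = higher priority
    chosen = {}
    for domain, ltype, item, value in parse_limits_conf(text):
        if domain == user:
            prio = USER
        elif domain.startswith("@") and domain[1:] in groups:
            prio = GROUP
        elif domain == "*":
            prio = DEFAULT
        else:
            continue
        key = (item, ltype)
        if key not in chosen or prio <= chosen[key][0]:
            chosen[key] = (prio, value)
    return {k: v for k, (_, v) in chosen.items()}
```

A hard limit of core 0 is what stops the core-dump disk-filling case mentioned above; the nproc cap limits fork-bomb style exhaustion per user, which is why daemons that run under their own account benefit from it too.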

LABEL: consolelogin
SHORT_EXP: "Under some distributions, users logged in at the console have
some special access rights (like the ability to mount the CD-ROM drive).  You
can disable this special access entirely, but a more flexible option is to
restrict console access to a small group of trusted user accounts."
QUESTION: "Should we restrict console access to a small group of user accounts? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: consolelogin_accounts
NO_CHILD: morelogging
SKIP_CHILD: morelogging
PROPER_PARENT: limitsconf

LABEL: consolelogin_accounts
SHORT_EXP: "Please enter the account names that should be able to log in
via the console, placing a space between each name."
QUESTION: "Which accounts should be able to log in at the console? [root]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: root
YN_TOGGLE: 0
YES_CHILD: morelogging
NO_CHILD: morelogging
PROPER_PARENT: consolelogin


FILE: Logging.pm

LABEL: morelogging
SHORT_EXP: "We would like to configure additional logging for your system.
We will give you the option to log to a remote host, if your site already
has one.  We will add two additional logging files to the default setup and
will also log some status messages to the 7th and 8th virtual terminals
(the ones you'll see when you hit ALT-F7 and ALT-F8).  This additional
logging will not change the existing log files at all, so this is by no means
a \"risky\" move."
QUESTION: "Would you like to add additional logging? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP: "This script is adding additional logging files:

/var/log/kernel       --    kernel messages

/var/log/syslog       --    messages of severity \"warning\" and \"error\"

Also, if you check the 7th and 8th TTYs, by hitting ALT-F7 or ALT-F8,
you'll find that we are now logging to virtual TTYs as well.  If you
try this, remember that you can use ALT-F1 to get back to the first
virtual TTY."
NO_EXP:
YES_CHILD: remotelog
NO_CHILD: pacct
SKIP_CHILD: pacct
PROPER_PARENT: consolelogin

LABEL: remotelog
SHORT_EXP: "If you already have a remote logging host, we can set this
machine to log to it."
QUESTION: "Do you have a remote logging host? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: remotelog_host
NO_CHILD: pacct
SKIP_CHILD: pacct
PROPER_PARENT: morelogging

LABEL: remotelog_host
SHORT_EXP: "What is the IP address of the machine you normally log to?
Remember, this should be a machine already configured to accept logging.
If you have no such machine, select <Back> and change your answer.

Note: we ask for an IP address because this is safer -- it avoids DNS cache
      poisoning attacks on logging.  You may use a hostname, but it should be
      added to your /etc/hosts file..."
QUESTION: "What is the IP address of the machine you want to log to? [127.0.0.1]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: 127.0.0.1
YN_TOGGLE: 0
YES_CHILD: pacct
NO_CHILD: pacct
PROPER_PARENT: remotelog

LABEL: pacct
SHORT_EXP: "Linux has the ability to log which commands are run when and by
whom.  This is extremely useful in trying to reconstruct what a potential
cracker actually ran.  The drawbacks are that the logs get large quickly (a
log rotate module is included to offset this), the parameters to commands
are not recorded, and, like all log files, the accounting log is removable if the
attacker has root.

As this is rather disk and CPU intensive, please choose NO unless you have
carefully considered this option."
QUESTION: "Would you like to set up process accounting? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: accton
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: minimalism
NO_CHILD: minimalism
PROPER_PARENT: morelogging

FILE: MiscellaneousDaemons.pm

LABEL: minimalism
SHORT_EXP: "To make the operating system more secure, we try to deactivate all
system daemons, especially those running at a high/unlimited level of
privilege.  Each active system daemon serves as a potential point of
break-in, which might allow an attacker illegitimate access to your
system.  An attacker can use these system daemons to gain access if they
are later found to have a bug or security vulnerability.

We practice a minimalism principle here: minimize the number of privileged
system daemons and you can decrease your chances of being a victim should
one of the standard daemons be found later to have a vulnerability.  This
section will require careful attention, but if you have doubts, you should
be able to safely select the default value in most cases."
QUESTION:
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: apmd
NO_CHILD: apmd
PROPER_PARENT: pacct

LABEL: apmd
SHORT_EXP: "apmd is used to monitor battery power and is used almost
exclusively by notebook/laptop computers."
QUESTION: "Would you like to disable apmd? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_apmd
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: remotefs
NO_CHILD: remotefs
PROPER_PARENT: minimalism

LABEL: remotefs
SHORT_EXP: "We would like to disable the network file systems NFS (Network
File System, common to most Unix variants) and SMB (Samba, which comes with
most Linux distributions).  We strongly recommend that you disable both of
these.  NFS has a history of major security vulnerabilities; Samba is slightly
better, but it is still a shared file system and still raises potentially
severe security concerns.  Both services use cleartext, meaning that any
data transferred can be monitored by anyone else on your network (even if you
use a switching router, as switches were designed for performance, not
security).  Transferred data includes file handles, which can then be used to
modify files.

These services are safer if you can set your firewall to block
packets for either of them from entering or leaving your network, but it's
probably best to deactivate them until you can investigate whether or not
you need them and how to best secure them."
QUESTION: "Would you like to deactivate NFS and Samba? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_nfs
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: nfs_server
NO_CHILD: nfs_server
PROPER_PARENT: apmd

LABEL: nfs_server
SHORT_EXP: "An NFS (Network File System) server allows its host machine to
export file systems onto other designated machines on a network.  NFS has
a history of major security vulnerabilities, as well as being a clear-text
protocol and relying on the presented username for authentication.  Any
data transferred by NFS can be monitored by any other network machine.
Transferred data includes file handles, which can then be used to
modify files.

This service can be made safer if it is locked behind a firewall that will
block NFS packets from entering or leaving your network.  It is best to
deactivate it until you can investigate whether or not you need NFS and
how to best secure it.

One alternative is CIFS/9000 (similar to Samba).  It is still a cleartext,
shared file system and therefore still raises security concerns, but unlike
NFS, CIFS/9000 at least requires the user to authenticate (prove they are who
they say they are) before reading or writing to files.  Other alternatives
include tunneling NFS through IPSec or Secure Shell, but this can take
quite a bit of effort to setup and may degrade performance."
QUESTION: "Would you like to deactivate the NFS server on this system? [Y]"
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: chkconfig_nfs_server
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: nfs_client
NO_CHILD: nfs_client
PROPER_PARENT: remotefs

LABEL: nfs_client
SHORT_EXP: "NFS (Network File System) client daemons are by default running
on the system.  These include automount, which allows normal users to mount
nfs file systems, and biod, block I/O daemons which are used on an NFS client
to handle read-ahead and write-behind buffer caching.  Automount, for example,
allows any user to perform an operation that is normally restricted to root.
There is an inherent security benefit to removing privileges from non root
accounts.  NFS has a history of major security vulnerabilities, as well as
being a clear-text protocol.  Any data transferred by NFS can be monitored
by any other network machine.  Transferred data includes file handles, which
can then be used to modify files.

The daemons to be deactivated are automount, autofs, and biod.  These services
can be made safer if they are locked behind a firewall that will block NFS
packets from entering or leaving your network.  It is best to deactivate them
until you can investigate whether or not you need NFS and how to best secure it."
QUESTION: "Would you like to deactivate NFS client daemons? [Y]"
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: chkconfig_nfs_client
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: pcmcia
NO_CHILD: pcmcia
PROPER_PARENT: nfs_server

LABEL: automount
SHORT_EXP: "automount is a daemon that automatically and transparently
mounts NFS file systems as needed.  It monitors attempts to access
directories that are associated with an automount map, along with any
directories or files that reside under them.  When a file is to be
accessed, the daemon mounts the appropriate NFS file system.  Maps can
be assigned to a directory by using an entry in a direct automount map,
or by specifying an indirect map on the command line.

This of course has security implications, as automount will allow system
users to mount any NFS file system that has been exported to that
system.  For more granular control of the file systems that are to be
mounted on the system, disable automount.
"
QUESTION: "Would you like to deactivate automount daemon? [Y]"
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: chkconfig_nfs_client
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: pcmcia
NO_CHILD: pcmcia
PROPER_PARENT: nfs_client

LABEL: pcmcia
SHORT_EXP: "If this machine is not a notebook, it probably has no PCMCIA
ports.  PCMCIA ports allow the use of easily removable credit-card-sized
devices.  If this machine has no PCMCIA ports, you should be able to disable
PCMCIA services without any problems."
QUESTION: "Would you like to disable PCMCIA services? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_pcmcia
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: dhcpd
NO_CHILD: dhcpd
PROPER_PARENT: remotefs

LABEL: dhcpd
SHORT_EXP: "DHCP servers are used to distribute temporary IP (Internet)
addresses to other machines.  An organization generally only has one or two
DHCP servers, if any.  Unless this machine is going to be a DHCP server, you
should deactivate the DHCP daemon.  Deactivating the daemon will not
prevent you from running DHCP as a client."
QUESTION: "Would you like to disable the DHCP daemon? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_dhcpd
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: gpm
NO_CHILD: gpm
PROPER_PARENT: pcmcia

LABEL: gpm
SHORT_EXP: "GPM is used in console (text) mode to add mouse support to
text mode. If you will be using this machine in console mode and will want
mouse support, leave GPM on."
QUESTION: "Would you like to disable GPM? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_gpm
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: innd
NO_CHILD: innd
PROPER_PARENT: dhcpd

LABEL: innd
SHORT_EXP: "innd is the standard internet news server, used to make the
news network. You should only leave it turned on if this machine will serve as
the organization's news server."
LONG_EXP: "Very few people need to create their own news server, as your
ISP or university usually provides one.  Further, they require a great deal
of disk space, processor power, bandwidth and maintenance.  In all but the
rarest of cases, you should disable the news server daemon."
QUESTION: "Would you like to disable the news server daemon? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_innd
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: disable_routed
NO_CHILD: disable_routed
PROPER_PARENT: gpm

LABEL: disable_routed
SHORT_EXP: "Unless this machine is serving as a router, you should turn off
the routing daemons (routed, gated, and zebra).  Even if the machine is
serving as a router, you should probably disable routed because gated
is newer and considered more secure."
LONG_EXP: "Very few machines need to be running routing daemons.  If your
machine is only connected to the internet through one method, you can
disable routing protocols. If this machine is at an ISP or major networking
center, you should still use gated instead of routed.  Bastille only helps
make your machine more secure, so if this machine is currently a router
using routed, you should leave this on, then migrate to gated manually later.
(Bastille will not enable gated for you.)"
QUESTION: "Would you like to deactivate routed? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_routed
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: disable_gated
NO_CHILD: disable_gated
SKIP_CHILD: nis_server
PROPER_PARENT: innd

LABEL: disable_gated
SHORT_EXP: "Unless this machine is serving as a router, you should turn off
the routing daemons (routed, gated, and zebra)."
LONG_EXP: "Very few machines need to be running routing daemons.  If your
machine is only connected to the internet through one method, you can
disable routing protocols.  If this machine is acting as a router, then
you should leave gated on."
QUESTION: "Would you like to deactivate gated? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_gated
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: disable_zebra
NO_CHILD: disable_zebra
PROPER_PARENT: disable_routed

LABEL: disable_zebra
SHORT_EXP: "Unless this machine is serving as a router, you should turn off
the routing daemons (routed, gated, and zebra)."
LONG_EXP: "Very few machines need to be running routing daemons.  If your
machine is only connected to the internet through one method, you can
disable routing protocols.  If this machine is acting as a router, then
you should leave gated on."
QUESTION: "Would you like to deactivate zebra? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_zebra
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: nis_server
NO_CHILD: nis_server
PROPER_PARENT: disable_gated

LABEL: nis_server
SHORT_EXP: "An NIS (Network Information System) server is used to distribute
network naming and administration information to other machines on a network.

NIS is a system used for synchronizing key host information,
including account names and passwords.  It is a clear-text protocol, and can be
easily compromised to gain access to accounts on the system.  If you are
really interested in using NIS, you should configure your firewall to block NIS
traffic going in or out of the network.

On many systems, including trusted-mode HP-UX systems, passwords are not only
encrypted but also readable only by the super-user.  This defense measure was
taken because encrypted passwords can be decrypted fairly quickly with today's
computers.  When you use NIS, the encrypted password is transmitted in clear-text
and made available to anyone on the network, compromising this defense
measure.  Because of this, HP-UX trusted mode, a security feature that Bastille
can enable, is incompatible with NIS.  If you choose to convert to trusted-mode,
you should also disable NIS.

We recommend that you deactivate NIS server programs.
Alternatives include NIS+, LDAP, and Kerberos servers."
QUESTION: "Would you like to deactivate NIS server programs? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
REQUIRE_FILE_EXISTS: ypserv
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: nis_client
NO_CHILD: nis_client
PROPER_PARENT: disable_gated

LABEL: nis_client
SHORT_EXP: "An NIS (Network Information System) client is used to receive
network naming and administration information from a server machine on its
network.

NIS is a system used for synchronizing key host information, including account
names and passwords.  It is a clear-text protocol, and can be easily compromised
to gain access to accounts on the system.  If you are really interested in using
NIS, you should configure your firewall to block NIS traffic going in or out of
the network.

On many systems, including trusted-mode HP-UX systems, passwords are not only
encrypted but also readable only by the super-user.  This defense measure was
taken because encrypted passwords can be decrypted fairly quickly with today's
computers.  When you use NIS, the encrypted password is transmitted in clear-text
and made available to anyone on the network, compromising this defense measure.
Because of this, HP-UX trusted mode, a security feature that Bastille can enable,
is incompatible with NIS.  If you choose to convert to trusted-mode, you should
also disable NIS.

We recommend that you deactivate NIS client programs.
Alternatives include NIS+, LDAP, and Kerberos servers."
QUESTION: "Would you like to deactivate NIS client programs? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_ypbind
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: snmpd
NO_CHILD: snmpd
PROPER_PARENT: nis_server

LABEL: snmpd
SHORT_EXP: "SNMP, or the simple network management protocol, is
used to aid in management of machines over the network.  This
can be a powerful method of monitoring and administering
a set of networked machines.  If you use network management
software to maintain the computers on your network then you
should audit the way in which SNMP is used by that software.
You should (1) use SNMPv3 wherever possible, (2) set restrictive
access control lists, and (3) block SNMP traffic at your firewall.
Otherwise it makes sense to disable the SNMP daemons.

The average home user has no reason to run these daemons and
depending on their default configuration, could be a major
security risk.  Alternatively if configured correctly, and used
in conjunction with management software these daemons could be
used to dramatically improve accessibility and response time to
problems when they occur.

Things known to not work if this is disabled:

Network management software, such as HP Openview, which relies
on SNMP"
QUESTION: "Would you like to disable SNMPD? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_snmpd
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: minimize_chkconfig
NO_CHILD: minimize_chkconfig
PROPER_PARENT: nis_client

LABEL: minimize_chkconfig
SHORT_EXP: "For the extra paranoid, we can disable all of the chkconfig'd
services, with the exception of:

	  cron, syslog, keytable, network, gpm, xfs, pcmcia

This is pretty minimalist and should only be undertaken if you understand
how and when to turn the remaining services on."
LONG_EXP: "For the extra paranoid, we can disable all of the chkconfig'd
services, with the exception of:

	  cron, syslog, keytable, network, gpm, xfs, pcmcia

This is pretty minimalist and should only be undertaken if you understand
how and when to turn the remaining services on."
QUESTION: "Should we disable most chkconfig'd services?"
REQUIRE_DISTRO: MN7.0 MN7.1 MN7.2 MN8.0 MN8.1
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
DEFAULT_ANSWER: N
YES_EXP:
NO_EXP:
PROPER_PARENT: snmpd
YES_CHILD: disable_ptydaemon
NO_CHILD: disable_ptydaemon
SKIP_CHILD: disable_ptydaemon
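The questions from remotefs through minimize_chkconfig all come down to the same
action on Linux: find which chkconfig-managed daemons are still enabled at the
multi-user runlevels and turn off the ones this machine does not need.  The
script below is an added example, not Bastille's own code, that shows that audit
over a constructed "chkconfig --list" sample.  The sample listing, the daemon
list and the function names are this example's own; it only prints the
chkconfig commands it would run and changes nothing.  (HP-UX controls service
startup through variables in /etc/rc.config.d rather than chkconfig, so the
sample does not cover the HP-UX questions.)

```sh
#!/bin/sh
# Added example (not Bastille's own code): report which of the daemons covered
# by the minimalism questions are still enabled, judging from chkconfig output.

# Constructed sample of "chkconfig --list" output; on a real host replace the
# variable with: SAMPLE_CHKCONFIG=$(/sbin/chkconfig --list)
SAMPLE_CHKCONFIG='apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:on    4:on    5:on    6:off
smb             0:off   1:off   2:off   3:off   4:off   5:off   6:off
pcmcia          0:off   1:off   2:on    3:on    4:on    5:on    6:off
dhcpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
innd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
routed          0:off   1:off   2:off   3:off   4:off   5:off   6:off
snmpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
ypserv          0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypbind          0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
named           0:off   1:off   2:off   3:off   4:off   5:off   6:off
httpd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# Daemons the Linux branch of the minimalism questions asks about.
MINIMALISM_DAEMONS='apmd nfs smb pcmcia dhcpd gpm innd routed gated zebra snmpd ypserv ypbind sendmail named httpd'

# enabled_daemons LISTING: print, one per line, each daemon from
# MINIMALISM_DAEMONS that LISTING shows as "on" at runlevel 3 or 5.
# Daemons absent from the listing (not installed) are simply skipped.
enabled_daemons() {
    listing=$1
    for d in $MINIMALISM_DAEMONS; do
        printf '%s\n' "$listing" | awk -v name="$d" '
            $1 == name {
                for (i = 2; i <= NF; i++)
                    if ($i == "3:on" || $i == "5:on") { print name; exit }
            }'
    done
}

# disable_commands LISTING: emit the commands (to be run as root) that would
# turn each still-enabled daemon off.  Nothing is executed here.
disable_commands() {
    enabled_daemons "$1" | while read -r d; do
        printf '/sbin/chkconfig %s off\n' "$d"
    done
}

# Usage with the constructed sample:
disable_commands "$SAMPLE_CHKCONFIG"
```

Review the printed list before running any of it: on the sample, sendmail and
httpd show up alongside the daemons, and the later sendmail and Apache questions
offer restricting those instead of turning them off.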

LABEL: disable_ptydaemon
SHORT_EXP: "The ptydaemon is used by the shell layers (shl) software.
shl is a historical alternative to job control.  If no one on your system
is going to use shl, you should be able to safely turn the ptydaemon off.

If you disable and remove ptydaemon, Bastille will also disable
vtdaemon since it depends on ptydaemon to operate.

These are both used for very old protocols.  If you don't know what uucp
is, you probably don't need these.  If you want a history lesson, you
can look at the man pages for \"vt\", \"vtdaemon\", \"uucp\" and \"shl\".

The security benefit of turning these off is based on the principle of
minimalism.  These daemons do run as root and accept input from a normal
user.  There is probably a low security risk associated with leaving these
daemons running, but there is little reason to expose yourself to that
risk unnecessarily."
QUESTION: "Would you like to disable both the ptydaemon and vtdaemon?"
DEFAULT_ANSWER: "Y"
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: disable_pwgrd
NO_CHILD: disable_pwgrd
SKIP_CHILD: disable_pwgrd
REQUIRE_DISTRO: HP-UX
PROPER_PARENT: minimize_chkconfig


LABEL: disable_pwgrd
SHORT_EXP: "pwgrd is the Password and Group Hashing and Caching daemon.

pwgrd provides accelerated lookup of password and group information
for libc routines like getpwuid and getgrnam.  However, on systems
with normal sized (less than 50 entries) password files, pwgrd will
probably slow down lookups, due to the overhead presented by pwgrd's
use of Unix domain sockets.

The security benefit of turning this off is also based on the principle
of minimalism.  This daemon runs as root and accepts input from
non-privileged users."
QUESTION: "Would you like to disable pwgrd?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: disable_rbootd
NO_CHILD: disable_rbootd
SKIP_CHILD: disable_rbootd
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: chkconfig_pwgrd
PROPER_PARENT: disable_ptydaemon

LABEL: disable_rbootd
SHORT_EXP: "The rbootd daemon is used for a protocol called RMP, which is a
predecessor to the \"bootp\" protocol (which serves DHCP).  Basically, unless
you are using this machine to serve dynamic IP addresses to very old
HP-UX systems (prior to 10.0, or older than s712's), you have
no reason to have this running."
QUESTION: "Should Bastille deactivate rbootd?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: xaccess
NO_CHILD: xaccess
SKIP_CHILD: xaccess
REQUIRE_DISTRO: HP-UX
PROPER_PARENT: disable_pwgrd

LABEL: xaccess
SHORT_EXP: "XDMCP is a protocol which allows remote connections to an
X server.  This protocol is commonly used by dumb graphics terminals and PC-based
X-emulation software to bring up a remote login and desktop.

Using this protocol, someone can get a remote login prompt
even if you have turned off telnet."
QUESTION: "Would you like to disallow remote X logins?"
DEFAULT_ANSWER: "Y"
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: sendmail_eight_twelve
NO_CHILD: sendmail_eight_twelve
SKIP_CHILD: sendmail_eight_twelve
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: Xconfig
PROPER_PARENT: disable_rbootd

FILE: Sendmail.pm

LABEL: sendmail_eight_twelve
SHORT_EXP: "Running sendmail in daemon mode makes your system more
vulnerable to sendmail-based attacks, of which there have been many (and
almost certainly more to come).
Unless this machine is a mailserver, you should either restrict
sendmail by refusing all connections not originating from the local
host, or turn off the daemon completely."
LONG_EXP: "Running sendmail in daemon mode makes your system more
vulnerable to sendmail-based attacks, of which there have been many (and
almost certainly more to come).

Starting with version 8.12 however, you must run a sendmail daemon
for local mail processing. There are two ways to deal with sendmail
in this case; one is to accept only SMTP connections originating from
the local host, or to shut down sendmail completely. Note that in
this case, you completely lose the ability to deliver any mail through
sendmail, even to local accounts. (That is, unless you install a different
mail transfer agent, such as postfix.)

It is recommended to not disable the sendmail daemon completely, because
there are various system services that occasionally want to send mail to
e.g. the root account.

If you answer \"No\", Bastille will ask you whether you want to restrict
access to the SMTP port."
QUESTION: "Do you want to stop sendmail from running in daemon mode? [N]"
REQUIRE_DISTRO: SE8.0 SE8.1
REQUIRE_FILE_EXISTS: sysconfig_sendmail
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: chrootbind
NO_CHILD: sendmailrestrict
SKIP_CHILD: sendmaildaemon
PROPER_PARENT: xaccess

LABEL: sendmailrestrict
SHORT_EXP: "If you answer \"Yes\", Bastille will configure sendmail
to reject all incoming connections from addresses other than
localhost."
LONG_EXP:
QUESTION: "Do you want sendmail to reject any connection from remote hosts? [Y]"
REQUIRE_DISTRO: SE8.0 SE8.1
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_CHILD: vrfyexpn
NO_CHILD: vrfyexpn
PROPER_PARENT: sendmail_eight_twelve


LABEL: sendmaildaemon
SHORT_EXP: "Running sendmail in daemon mode makes your system more
vulnerable to sendmail-based attacks, of which there have been many (and
almost certainly more to come).  Unless this machine is a mail server,
you probably do not need sendmail to run in daemon mode.

Note: This will not affect outgoing mail from this machine."
LONG_EXP: "You do not need to have sendmail running in daemon mode to send
and receive email, and unless you have a constant network connection,
you probably cannot run sendmail in daemon mode.  Daemon mode means that
sendmail is constantly listening on a network connection waiting to
receive mail.

If you disable daemon mode, Bastille will ask you if you would like to
run sendmail every few minutes to process the queue of outgoing mail.
Most programs which send mail will still do so immediately, and
processing the queue will take care of transient errors.

If you receive all of your email via a POP/IMAP mailbox provided by your ISP,
you may have no need of daemon-mode sendmail, unless you're running a
special fetchmail-style POP/IMAP based retrieval program.  For instance, you
can turn daemon mode off if you read your mail via Netscape's common
POP/IMAP read functionality.  The only reason to run sendmail in daemon
mode is if you are running a mail server."
QUESTION: "Do you want to stop sendmail from running in daemon mode? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
REQUIRE_FILE_EXISTS: sysconfig_sendmail
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: sendmailcron
NO_CHILD: vrfyexpn
PROPER_PARENT: xaccess

LABEL: sendmailcron
SHORT_EXP: "Should sendmail run every 15 minutes to process
the mail queue, processing and sending out e-mail?  If this machine does
not run sendmail in daemon mode, you may want to do this to make
your outbound mail more reliable.

Most of the time, this is not required since most mailer programs activate sendmail to
process their particular message.  A message usually only gets written to
the queue (and thus needs a cron entry) if sendmail has trouble
delivering it.  Example: the receiving mail server is down.

Please note that the 15 min. interval can be easily changed later, see crontab(1)."
QUESTION: "Would you like to run sendmail via cron to process the queue? [N]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
REQUIRE_FILE_EXISTS: sysconfig_sendmail
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: vrfyexpn
NO_CHILD: vrfyexpn
PROPER_PARENT: sendmaildaemon

LABEL: vrfyexpn
SHORT_EXP: "An attacker can use sendmail's vrfy (verify recipient existence)
and expn (expand recipient alias/list contents) commands to learn more
about accounts on the system.  The expn command, for instance, could be
used to find out who the \"postmaster\" and \"abuse\" aliases redirect mail to,
which identifies which user account belongs to the system administrator.

These sendmail commands can probably be disabled without breaking anything
and will make the system cracker's job more difficult.  The only reasons
to leave them on are (1) you are running an old-fashioned, friendly site,
(2) you are using them to debug your own mail server, or (3) the very small
chance that some software you use relies on this."
QUESTION: "Would you like to disable the VRFY and EXPN sendmail commands? [Y]"
REQUIRE_DISTRO: LINUX HP-UX DB SE TB
REQUIRE_FILE_EXISTS: sendmail.cf
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: chrootbind
NO_CHILD: chrootbind
PROPER_PARENT: sendmailcron
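The sendmailrestrict and vrfyexpn questions each map onto one option line in
sendmail.cf: "O DaemonPortOptions=" gains Addr=127.0.0.1 so the daemon accepts
SMTP only from the local host, and "O PrivacyOptions=" gains novrfy and noexpn
(the goaway shorthand turns those off as well).  The script below is an added
example, not Bastille's own code, that audits a constructed sendmail.cf excerpt
for both settings and writes a hardened copy to standard output.  The excerpt
and the function names are this example's own; the option names are sendmail's.

```sh
#!/bin/sh
# Added example (not Bastille's own code): audit and harden the two
# sendmail.cf settings behind the sendmailrestrict and vrfyexpn questions.
#   O PrivacyOptions=...     novrfy/noexpn (or goaway) turn VRFY and EXPN off
#   O DaemonPortOptions=...  Addr=127.0.0.1 accepts SMTP from localhost only
# Both functions read a sendmail.cf on stdin; nothing touches the live file.

# Constructed excerpt of a sendmail.cf showing the weak settings; not a real file.
SAMPLE_SENDMAIL_CF='O PrivacyOptions=authwarnings
O DaemonPortOptions=Port=smtp,Name=MTA
O QueueDirectory=/var/spool/mqueue'

# sendmail_cf_findings: print one line per weak setting found (no output = clean).
sendmail_cf_findings() {
    awk '
        /^O PrivacyOptions=/ {
            seen_priv = 1
            if ($0 !~ /novrfy/ && $0 !~ /goaway/) print "VRFY enabled: PrivacyOptions lacks novrfy"
            if ($0 !~ /noexpn/ && $0 !~ /goaway/) print "EXPN enabled: PrivacyOptions lacks noexpn"
        }
        /^O DaemonPortOptions=/ {
            seen_dpo = 1
            if ($0 !~ /Addr=127\.0\.0\.1/) print "SMTP listener not restricted to localhost"
        }
        END {
            # A missing option line means the sendmail default applies:
            # VRFY/EXPN allowed, listener bound to every address.
            if (!seen_priv) print "no PrivacyOptions line: VRFY and EXPN enabled by default"
            if (!seen_dpo)  print "no DaemonPortOptions line: listener bound to all addresses"
        }'
}

# harden_sendmail_cf: copy the file to stdout with novrfy,noexpn appended to
# PrivacyOptions and Addr=127.0.0.1 appended to DaemonPortOptions.  A line
# that already names some other Addr= is left alone for a human to review.
harden_sendmail_cf() {
    awk '
        function add_opt(line, opt) {      # append ",opt", or just "opt" to an empty value
            return (line ~ /=$/) ? line opt : line "," opt
        }
        /^O PrivacyOptions=/ && $0 !~ /goaway/ {
            if ($0 !~ /novrfy/) $0 = add_opt($0, "novrfy")
            if ($0 !~ /noexpn/) $0 = add_opt($0, "noexpn")
        }
        /^O DaemonPortOptions=/ && $0 !~ /Addr=/ { $0 = add_opt($0, "Addr=127.0.0.1") }
        { print }'
}

# Usage with the constructed sample: findings first, then the hardened copy.
printf '%s\n' "$SAMPLE_SENDMAIL_CF" | sendmail_cf_findings
printf '%s\n' "$SAMPLE_SENDMAIL_CF" | harden_sendmail_cf
```

On a real host the same functions read /etc/mail/sendmail.cf (or /etc/sendmail.cf)
from standard input; write the hardened copy to a scratch file, diff it against
the original, and restart sendmail only after the diff shows just those two lines.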

FILE: DNS.pm

LABEL: chrootbind
SHORT_EXP: "The name server, \"named\", needs to run with privileged access,
and was traditionally given full root access.  This allows \"named\" to function
correctly, but increases the security risk if any vulnerabilities are found.
We can decrease this risk by running \"named\" as a non-privileged user and
by putting its files in a restricted file system (called a chroot jail).

HP-UX Note: The general structure of the jail will be created but several
entries will be added to Bastille's generated TODO list which require
MANUAL ACTION on your part.  (HP-UX does not ship with a name server
configured by default, so much of this depends on how your system's name
server is configured.)

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
LONG_EXP:  "The name server, \"named\", needs to run with privileged access,
and was traditionally given full root access.  This allows \"named\" to function
correctly, but increases the security risk if any vulnerabilities are found.
We can decrease this risk by running \"named\" as a non-privileged user and
by putting its files in a restricted file system (called a chroot jail).

For security reasons, it would be ideal to restrict every process which
is listening to untrusted data as much as possible.  This is especially true
of network daemons, such as bind.  If a vulnerability is found in the
daemon, then a chroot jail will contain any intrusions.   Only a root process
can break out of a chroot jail, so Bastille will ensure that \"named\" is
not running as root.  A successful attack on \"named\" in a chroot jail
running as a non-privileged user will allow the attacker to modify only
files owned or writeable by that non-privileged user and protect the
rest of the system.

HP-UX Note: The general structure of the jail will be created but several
entries will be added to Bastille's generated TODO list which require
MANUAL ACTION on your part.  (HP-UX does not ship with a name server
configured by default, so much of this depends on how your system's name
server is configured.)

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Would you like to chroot named and set it to run as a non-root user? [N]"
REQUIRE_DISTRO: LINUX HP-UX SE
REQUIRE_FILE_EXISTS: named
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP: "You've changed the name server, named, to run in a safer mode,
one in which it is restricted to operating within the directory /var/named
or /home/dns on Redhat and Mandrake systems and /var/jail/bind on HP-UX
systems.

This \"chroot jail\" stops an attacker from using named to do more extensive
damage to the system if s/he is able to compromise the named.  This
should be mostly transparent to you, except in two respects:

  1) All of your configuration edits for named must occur in the jail
     directory, and all of its configuration files must be moved there.

  2) If you use ndc to control named, you will need to use

           ndc -c /<jail-dir>/var/run/ndc
"
NO_EXP:
YES_CHILD: namedoff
NO_CHILD: namedoff
PROPER_PARENT: vrfyexpn

LABEL: namedoff
SHORT_EXP: "Until you configure your name (DNS) server, we would like to
temporarily turn it off.  In almost all cases, you should only need your own
name server if you own your own domain and you want this _particular_
machine to answer DNS queries.

This is especially important as there have been dangerous remote-root
vulnerabilities in several recent versions of BIND.  The security
principle of Minimalism applies here: minimize the number of possible
attack points to be least vulnerable to attack.

Even if you plan on setting up a name server on this machine, you should
deactivate it for now until you get the configuration files set up.  You
can reactivate it then by typing, as root:

      /sbin/chkconfig named on
"
QUESTION: "Would you like to deactivate named, at least for now? [Y]"
REQUIRE_DISTRO: LINUX SE
REQUIRE_FILE_EXISTS: chkconfig_named
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: apacheoff
NO_CHILD: apacheoff
PROPER_PARENT: chrootbind

FILE: Apache.pm

LABEL: apacheoff
SHORT_EXP: "Will you be using the Apache web server immediately? Again,
minimalism is a critical part of a good site security.  If you don't
need to run a web server, at least not right now, you should deactivate it.
You can restart the web server later by typing:

      /sbin/chkconfig httpd on
"
QUESTION: "Would you like to deactivate the Apache web server? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: chkconfig_httpd
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP: "Even though you've deactivated the Apache web server, there are
still a few more questions related to it.  It's good to take the precautions in
the next steps even if you've turned off the web server, since it might get
turned on again later."
NO_EXP:
YES_CHILD: bindapachelocal
NO_CHILD: bindapachelocal
PROPER_PARENT: namedoff

LABEL: bindapachelocal
SHORT_EXP: "When the web server is on, you may want to have it listen on
only the local interface, or on the local interface and a particular network
interface (like an ethernet card that's only connected to a bank of local
computers, none of which are attached to the internet).  This is a
particularly good option for web developers."
LONG_EXP: "If you bind the apache web server to the local interface, so that
it isn't accessible to other machines, it can still serve up pages to
browsers/web clients on this machine. This is ideal for many web
developers, who don't need a worldwide accessible web server, but would
like to edit a web site locally before uploading to another server.  To
access the server, you would simply use, as a URL in your browser:

        http://localhost/
and
        http://localhost/some_page.html

Even if you fully deactivated the web server in the previous step, this
option still makes sense: if you or someone else turns the server back on,
it doesn't represent as great a risk if it isn't set to allow
connections from the entire internet."
QUESTION: "Would you like to bind the web server to listen only to the localhost? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: httpd
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: generalweb
NO_CHILD: bindapachenic
SKIP_CHILD: generalweb
PROPER_PARENT: apacheoff

LABEL: bindapachenic
SHORT_EXP: "We can bind the web server to a specific IP address on your
machine.  On a machine with multiple network interfaces (like ppp and ethernet)
this has the effect of letting you only allow your internal LAN access to your
web server.  This is highly recommended if you're building an internal-only
web server."
QUESTION: "Would you like to bind the web server to a particular interface? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: httpd
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: bindapacheaddress
NO_CHILD: generalweb
SKIP_CHILD: generalweb
PROPER_PARENT: bindapachelocal

LABEL: bindapacheaddress
SHORT_EXP: "Please enter in the IP address for apache to listen to.  Include the
port it should listen on--the default port is port 80.  For example:

     192.168.1.1:80
 or
     10.0.0.1:8080"
QUESTION: "Address to bind the web server to? [127.0.0.1]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: httpd
YN_TOGGLE: 0
DEFAULT_ANSWER: 127.0.0.1
YES_CHILD: generalweb
NO_CHILD: generalweb
PROPER_PARENT: bindapachenic

LABEL: generalweb
SHORT_EXP: "There are a few other changes that we recommend you make to
the web server's configuration.  There are very few intrinsic security flaws
in the Apache web server, but there are two important ones:

  As with all web servers, it is generally required to send and receive
  information to and from anyone on the internet.

  In many environments, the people telling the server how to behave are
  not knowledgeable system administrators by trade.  Before you discount
  this fact, take account of the wide proliferation of configurations
  under which any user on the system can instruct the server to execute
  arbitrary code for anyone who comes to the site, via CGI scripts."
QUESTION:
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: httpd
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: symlink
NO_CHILD: symlink
PROPER_PARENT: bindapachenic

LABEL: symlink
SHORT_EXP: "In general, you should try to limit which information on the web
server's host can be accessed by the myriad of people who may connect to
the web server.

We will prevent the web server from following symbolic links.  Apache runs
as user \"nobody\", and so it can potentially change/read any world
writeable/readable file on the system.  If we don't deactivate this option,
a user could potentially allow a web site visitor to view files not in the
web page directories.  Deactivating \"follow symbolic links\" will help
prevent this.  Further, deactivation can lessen the probability that a future
vulnerability in Apache could be exploited to alter world writeable files
on the system."
QUESTION: "Would you like to deactivate the following of symbolic links? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: httpd
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: ssi
NO_CHILD: ssi
PROPER_PARENT: generalweb

LABEL: ssi
SHORT_EXP: "You might also want to deactivate server-side includes. If you
don't know what they are, you should probably turn them off until you do.  In
essence, they are another way for a web server to execute code to modify
web pages, but they represent a security risk you may not want to take until
you better understand the Apache web server."
QUESTION: "Would you like to deactivate server-side includes? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: httpd
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: cgi
NO_CHILD: cgi
PROPER_PARENT: symlink

LABEL: cgi
SHORT_EXP: "As mentioned earlier, one of the few inherent weaknesses in Apache,
true of web servers in general, is that CGI scripts allow any user on the
system to allow anyone who can access the web site (which is usually the
entire internet) to run programs on the web server's host.  This has inherent
problems, but may be required at your site.  We recommend disabling
CGI script execution for now, while you take the time to read more about the
dangers and install some kind of protection."
LONG_EXP: "One security precaution that you should look into is using a
wrapper program that only allows certain users to execute CGI
programs.  You may even have your site's security administrator audit each
script before allowing it onto the system.  CGI scripts are not inherently
dangerous, but they need to be very carefully controlled by people who
understand the dangers."
QUESTION: "Would you like to disable CGI scripts, at least for now? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: httpd
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: apacheindex
NO_CHILD: apacheindex
PROPER_PARENT: ssi

LABEL: apacheindex
SHORT_EXP: "Apache, by default, is configured to generate \"index\" files for
any web directories that don't have them.  These index files basically create
a link to every file in the directory, whether one was intended or not.  This
step isn't necessary, but may be helpful."
LONG_EXP: "This can be mildly problematic, for example, when a user places a
sensitive data file that's required by a CGI script in a web directory.  The
data file must be readable by user \"nobody\", which generally means it must
be world-readable.  Without the automatically generated index file, a
web site visitor couldn't ordinarily read the data file unless they could
guess its name.  Still, this example is weak, as it illustrates the
flawed, yet all-too-common, principle of \"security through obscurity.\"
The authors of this script could find no example that didn't rely on
breaking the most obvious rule of web site creation: \"don't put any sensitive
files in a web directory with world readable permissions!\""
QUESTION: "Would you like to disable indexes? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: httpd
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: chrootapache
NO_CHILD: chrootapache
PROPER_PARENT: cgi
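
The four questions above (symlink, ssi, cgi and apacheindex) correspond to the FollowSymLinks, Includes, ExecCGI and Indexes tokens of Apache's Options directive.  The shell script below is an added example, not Bastille's own code: it audits an httpd.conf for Options lines that still enable any of those four, following Apache's rule that a bare list replaces the option set, +Opt/-Opt add or remove a single option, and All enables everything except MultiViews.  The sample configuration it writes is constructed for the demonstration and is not a real server's file.

```shell
#!/bin/sh
# Audit an Apache httpd.conf for the four Options that the questions above
# disable.  Added example, not Bastille code.  Line-based: it does not follow
# directory inheritance or .htaccess files, so treat a clean result as
# "no directive in this file re-enables a risky option".

RISKY="FollowSymLinks Includes ExecCGI Indexes"

# audit_options CONF
# Prints "<line>: <option>" for every risky option an Options directive in
# CONF enables and returns 1 if any were found, 0 if the file is clean.
audit_options() {
  awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " ") }
    {
      line = $0
      sub(/#.*/, "", line)              # drop comments
      sub(/^[ \t]+/, "", line)          # drop leading whitespace
      if (tolower(line) !~ /^options([ \t]|$)/) next
      nf = split(line, f, /[ \t]+/)
      for (i = 2; i <= nf; i++) {
        tok = f[i]
        if (tok ~ /^-/) continue        # "-Opt" removes an option: safe
        sub(/^\+/, "", tok)             # "+Opt" adds one: treat like bare
        for (j = 1; j <= n; j++)
          if (tolower(tok) == tolower(r[j]) || tolower(tok) == "all") {
            print NR ": " r[j]
            found = 1
          }
      }
    }
    END { exit found ? 1 : 0 }
  ' "$1"
}

# write_sample_conf PATH: constructed sample input for the audit (not a real
# configuration); lines 3, 7 and 11 are the ones of interest.
write_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sample, not a real server's configuration
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/cgi-bin">
    Options +ExecCGI -Indexes
</Directory>
# Options Includes   (commented out, must not be reported)
<Directory "/var/www/hardened">
    Options -FollowSymLinks -Includes -ExecCGI -Indexes
</Directory>
EOF
}
```

Run `audit_options /path/to/httpd.conf`; a non-zero exit means at least one directory still enables a risky option, and the last Directory block in the sample shows the hardened form that produces a clean result.  IncludesNOEXEC is deliberately not flagged, since it is the safer form of server-side includes.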

LABEL: chrootapache
SHORT_EXP: "Apache 1.3.19 and higher for HP-UX have a chroot script built
into the distribution.  This script makes a copy of Apache and related
binaries and libraries and places them inside of a chroot jail.  This
allows Apache to run with limited file system access.  If you are not
currently running the Apache web server then answer no to this question.

Note: If you have a 1.3.x version of Apache installed as well as a 2.x
version, then both will be chrooted.

Note: This chroot script was written to give a fully functioning web server
inside of a chroot'ed environment.  For additional security, remove unneeded
libraries and compilers, as they may not all be used by your Apache server."
LONG_EXP: "Apache 1.3.19 and higher for HP-UX have a chroot script built
into the distribution.  Bastille has detected that your version of Apache
has this functionality.  This script makes a copy of Apache and related
binaries and libraries and places them inside of a chroot jail.  This
allows Apache to run with limited file system access.  If you are not
currently running the Apache web server then answer no to this question.

The Apache server, httpd, is given access to several compilers and system
libraries so that it can process CGIs, login attempts, etc.  One way to
lessen the risk presented by this special status is to lock the daemon
(httpd) into a \"chroot jail.\"  In this case, the daemon has access to
only a small segment of the file system, a directory created specifically for
the purpose of giving the daemon access to only the files it needs.

The adjective \"chroot'ed\" is derived from \"change root\", since
Bastille sets the daemon's root directory ( / ) to some child node in the
directory tree.  Note, for experts: a root process can break out of a
chroot jail, but this is still an effective deterrent, especially since
Bastille will limit the number of root processes running in the jail.

Note: If you have a 1.3.x version of Apache installed as well as a 2.x
version, then both will be chrooted.

Note: This chroot script was written to provide for a fully functional web
server inside of a chroot'ed environment.  For additional security, remove
unneeded libraries and compilers, as they may not all be used by your
Apache server.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Would you like to chroot your Apache Server? [N]"
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: chroot_os_cp.sh chroot_os_cp.sh2
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
SKIP_CHILD: updateapache
YES_CHILD: printing
NO_CHILD: printing
PROPER_PARENT: apacheindex

LABEL: updateapache
SHORT_EXP: "Apache 1.3.19 and higher for HP-UX have a chroot script built
into the distribution.  This script makes a copy of Apache and related
binaries and libraries and places them inside of a chroot jail.  This
allows Apache to run with limited file system access, so that even if
someone breaks into your web server, they can't access anything outside
of the dedicated web server file system unless there is an additional
root vulnerability inside the jail.  Bastille has detected that your
version of Apache is missing this functionality.

Note:  If you are not currently running the Apache web server then you
should probably look into why it is configured, as Bastille has detected
an httpd.conf file.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Would you like a reminder in the TODO list to get the latest
version of Apache?"
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: httpd.conf
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: printing
NO_CHILD: printing
PROPER_PARENT: chrootapache

FILE: Printing.pm

LABEL: printing
SHORT_EXP: "If this machine is not going to need to print, you should stop
the print scheduler and restrict the permissions on all the printing
utilities.

This is only recommended if this machine will not be used for printing
in the near future."
LONG_EXP: "If this machine is not going to need to print, you should stop
the print scheduler and restrict the permissions on all the printing
utilities.

You could revert this later by typing on Linux:

 # /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm

 # /sbin/chkconfig lpd on

This is only recommended if this machine will not be used for printing
in the near future.  If you deactivate this, you might want to write
down the commands above in case you decide to re-enable printing later."
QUESTION: "Would you like to disable printing? [N]"
REQUIRE_DISTRO: LINUX
REQUIRE_FILE_EXISTS: lpr
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: ftpgeneral
NO_CHILD: ftpgeneral
PROPER_PARENT: chrootapache

FILE: FTP.pm

LABEL: ftpgeneral
SHORT_EXP: "FTP is widely considered to be fairly dangerous, but even
security-conscious sites might still run it because of the perceived
difficulty in educating users about alternatives.  Available
alternatives include:

 - secure copy, which encrypts names, passwords and traffic
 - web-based file archives, a much safer way of offering files to the public

The lack of widespread, free, Windows-based secure copy clients only
exacerbates the problem.  FTP is dangerous for several reasons, including:

 1) All passwords travel in the clear across the connection, allowing any
    intermediate hosts (and usually every host on the source and destination's
    local area network) to \"sniff\" unencrypted passwords.

 2) FTP daemons typically need to run with root privileges, and most of the
    common ones have been found to have a multitude of security vulnerabilities
    over the course of their existence.  For instance, the ftp daemon included
    with Red Hat 6.0 has had two major updates to close security holes since
    RH6.0 was released.  Earlier in this session, we updated your wu-ftp to
    the most recent one that Red Hat advertises."
REQUIRE_FILE_EXISTS: ftpaccess
QUESTION:
REQUIRE_DISTRO: LINUX DB SE TB
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: userftp
NO_CHILD: userftp
PROPER_PARENT: printing

LABEL: userftp
SHORT_EXP: "Allowing users to access the FTP server from anywhere on the
Internet presents a security problem, and you should disallow this access if
possible.  The problem is that many users feel they need FTP access.  You
can disable user (non-anonymous) logins to the ftp daemon, leaving anonymous
download still possible.  We do not recommend this for most site admins, unless
they have management's approval and are prepared to educate their users."
LONG_EXP: "The least safe configuration for an ftp daemon is one which
allows anyone to connect (via \"anonymous\" mode) and upload files.  Most of
the attacks that let an intruder gain root access on your box require that
s/he is able to upload files.  If you don't have anonymous ftp with upload
capability, the intruder cannot use those attacks unless s/he can get a user
name and password.  For the sake of safety, this mode is shut off by default
in most wu-ftpd configurations.

The next least safe configuration is the one in which users with accounts
on the system are allowed to access the server from the entire Internet.
The dangers stem from 1) clear text passwords being sniffed on the Internet
and 2) common vulnerabilities in ftp daemons that become exploitable once
anyone has upload privileges.

Unfortunately, disabling this configuration is difficult, as this is what
many sites feel a need to use their ftp server for.  With a well
educated user base (and secure copy clients for their platforms), this
functionality is unnecessary.  Unfortunately, educating your user base may
be impossible at your site, especially if there are a large number of users.
If this is a three-account server, that kind of user education may be quite
possible."
QUESTION: "Would you like to disable user privileges on the FTP daemon? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: ftpaccess
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: anonftp
NO_CHILD: anonftp
PROPER_PARENT: ftpgeneral

LABEL: anonftp
SHORT_EXP: "The last major FTP server functionality that we allow you to
disable in the name of site security is anonymous download access.  As we have
noted before, this functionality can be mimicked via the traditionally more
secure Apache web server.  Any files that you want accessible to the world
can be placed on an easy-to-configure web server."
QUESTION: "Would you like to disable anonymous download? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
REQUIRE_FILE_EXISTS: ftpaccess
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: ftpusers
NO_CHILD: ftpusers
SKIP_CHILD: ftpusers
PROPER_PARENT: userftp

LABEL: ftpusers
SHORT_EXP: "The ftpusers file allows the administrator to list accounts that shall not
be allowed to log in via the ftpd.  Default system users should not normally be
allowed access to the system through the ftpd, as it sends the username and
password in clear text over the network.  Bastille will disallow ftp logins from
the following users: root, daemon, bin, sys, adm, uucp, lp, nuucp, hpdb, and guest.
If you have a compelling reason to allow these users ftp access, then answer
no to this question."
QUESTION: "Would you like to disallow ftpd system account logins?"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_CHILD: stack_execute
NO_CHILD: stack_execute
SKIP_CHILD: stack_execute
PROPER_PARENT: anonftp
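
As an added example (not Bastille's code), the shell function below applies the deny list from the question above to an ftpusers file idempotently: it appends only the accounts that are missing, so it is safe to re-run, and it reports what it changed.  The file path is an argument because its location differs between systems; supply the file your ftpd actually reads.

```shell
#!/bin/sh
# Idempotently add Bastille's list of system accounts to an ftpusers file.
# Added example, not Bastille's code.  The account list is the one named in
# the question above; the file path is supplied by the caller.

SYSTEM_ACCOUNTS="root daemon bin sys adm uucp lp nuucp hpdb guest"

# deny_ftp_accounts FILE
# Appends each listed account that FILE does not already name (one account per
# line; comment lines are ignored).  Prints each account it adds and returns
# the number added, so a repeat run prints nothing and returns 0.
deny_ftp_accounts() {
  _file=$1; _added=0
  [ -f "$_file" ] || : > "$_file"
  for _acct in $SYSTEM_ACCOUNTS; do
    if ! grep -q "^[[:space:]]*$_acct[[:space:]]*$" "$_file"; then
      echo "$_acct" >> "$_file"
      echo "$_acct"
      _added=$((_added + 1))
    fi
  done
  return $_added
}

# list_denied FILE: print the accounts FILE currently denies, with comments
# and surrounding whitespace stripped, one per line.
list_denied() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}
```

The return value doubles as a change count, which makes the function easy to use from a configuration-management run: a non-zero return means the file was modified and the daemon's view of it is worth re-checking with `list_denied`.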


FILE: HP_UX.pm

LABEL: stack_execute
SHORT_EXP: "A common way to gain privileged access is to provide some type
of out-of-bounds input that is not checked by a program.  This input can be
used to overflow the stack in a way that leaves some cleverly written
instructions stored in a place that will be executed by the program.  The
HP-UX kernel has the ability to disallow execution of code from the
stack.  This will contain many of these types of attacks, making them
completely useless.

Changing the kernel parameter \"executable_stack\" requires Bastille to recompile the kernel.
Ensure that the current running kernel is /stand/vmunix.  A backup of the old
kernel will be placed in /stand/vmunix.prev and /stand/dlkm.vmunix.prev.
If you answer yes to this question, you must reboot your system for this
change to take effect.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
LONG_EXP: "A common way to gain privileged access is to provide some type
of out-of-bounds input that is not checked by a program.  This input can be
used to overflow the stack in a way that leaves some cleverly written
instructions stored in a place that will be executed by the program.  The
HP-UX kernel has the ability to disallow execution of code from the
stack.  This will contain many of these types of attacks, making them
completely useless.  Because this is done at the kernel level, it is
independent of any application which may have a vulnerability of this type.
Note that this will also break some applications (Example: Java 1.2 programs
will fail if using JDK/JRE 1.2.2 versions older than 1.2.2.06) which
were designed to execute code off of the stack.  However, you can run
\"chatr +es <executable_file>\" to override this for individual
programs if they break.

Changing the kernel parameter \"executable_stack\" requires Bastille to recompile the kernel.
Ensure that the current running kernel is /stand/vmunix.  A backup of the old
kernel will be placed in /stand/vmunix.prev and /stand/dlkm.vmunix.prev.
If you answer yes to this question, you must reboot your system for this
change to take effect.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Would you like to enable kernel-based stack execute protection?"
REQUIRE_DISTRO: HP-UX11.11
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: system_is_trusted
NO_CHILD: system_is_trusted
PROPER_PARENT: anonftp

LABEL: system_is_trusted
REQUIRE_DISTRO: HP-UX
SKIP_CHILD: trusted_system
YES_CHILD: single_user_password
PROPER_PARENT: stack_execute
REQUIRE_FILE_EXISTS: devassign

LABEL: trusted_system
SHORT_EXP: "This system can be configured as a trusted system which
removes the hashed passwords from the /etc/passwd file and provides
other useful security features such as auditing and login passwords
with lengths greater than 8 characters.  Also, more options are
available, such as password length requirements, and password
aging.  (This, combined with other criteria, means that HP-UX in
trusted mode is \"C2 compliant.\")

Also, certain programs which rely on implementation specific authentication
may not be compatible with this change.  Specific lookups in
/etc/passwd will not work because the encrypted password is no longer
stored in that file.  For example, some versions of the tool \"sudo\" were
incompatible with trusted mode HP-UX.

Note:   The Access Control List feature available on trusted systems is
not supported on older versions of the JFS filesystem.  (You will need at
least version 3.3 of JFS if you want to use this feature).

WARNING: If you have a large number of accounts on this system, the
conversion may take up to several minutes.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Would you like to convert to a trusted system?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
SKIP_CHILD: single_user_password
YES_CHILD: single_user_password
NO_CHILD: restrict_swacls
PROPER_PARENT: stack_execute

LABEL: single_user_password
SHORT_EXP: "Trusted HP-UX has the ability to password protect single user
mode.  This will provide limited protection against anyone who has
physical access to the machine, because they cannot simply reboot and
have root access without typing the password.  However, if an attacker has
physical access to the machine and enough time, there is very little you
can do to prevent unauthorized access.  This may be more of a pain in the
case when an authorized administrator messes up the machine and can't
remember the password."
QUESTION: "Would you like to password protect single user mode?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP: "If you are running on PA-RISC hardware, note that most
PA-RISC systems have a secure boot option for security which
takes significant effort to disable.  Bastille cannot set this
option for you because it has to be done manually at the boot prompt.
Be careful if you do this, because to disable it, you will have to
open your case and physically disconnect all disk drives and other media
from your CPU, just like an attacker would.

If you want to set this on most PA-RISC systems, reboot your machine
and hit the ESC key.  You will be presented with the BCH prompt.
Type \"CO\" to change BCH configuration, then type \"SEC\" to turn
on secure boot.  Once again, bear in mind that this is very painful
to undo if you ever need to access the BCH prompt again."
REQUIRE_DISTRO: HP-UX
YES_CHILD: restrict_swacls
NO_CHILD: restrict_swacls
PROPER_PARENT: trusted_system

LABEL: restrict_swacls
SHORT_EXP: "The swagentd daemon allows for remote access to list and
install software on your system.  This is a great feature for remote
administration.  Security Patch Check even uses this when it queries
remote machines.  Unfortunately, it can also be a security risk since
it makes patch and other critical system information available
to anyone inside that system's firewall.  For that reason, we
recommend that you disallow swagentd's default, remote read access."
QUESTION: "Would you like to restrict remote access to swlist?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
YES_CHILD: ndd
NO_CHILD: ndd
PROPER_PARENT: trusted_system

LABEL: ndd
SHORT_EXP: "ndd is a utility for getting and setting network device parameters.
Would you like Bastille to change the network settings to improve security?
These settings are based upon the recommendations given in the \"HP-UX
Bastion Host Whitepaper\" available at: http://people.hp.se/stevesk/bastion.html

Note: If you already have some non-default settings in effect, you will need to
merge the settings manually, and a reminder will be added to your TODO list.

(MANUAL ACTION MAY BE REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
LONG_EXP: "ndd is a utility for getting and setting network device parameters.

The following is a list of some ndd parameters which the \"HP-UX Bastion Host
Whitepaper\" suggests that you change for greater security:

Parameter                           Default  =>  Suggested
----------------------------------------------------------
ip_forward_directed_broadcasts            1  =>  0
ip_forward_src_routed                     1  =>  0
ip_forwarding                             2  =>  0
ip_ire_gw_probe                           1  =>  0
ip_pmtu_strategy                          2  =>  1
ip_send_redirects                         1  =>  0
ip_send_source_quench                     1  =>  0
tcp_conn_request_max                     20  =>  4096
tcp_syn_rcvd_max                        500  =>  1000

For more information on each of these parameters, run

ndd -h

Note: If you already have some non-default settings in effect, you will need to
merge the settings manually, and a reminder will be added to your TODO list.

(MANUAL ACTION MAY BE REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Would you like Bastille to make the suggested ndd changes?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
YES_CHILD: scan_ports
NO_CHILD: scan_ports
PROPER_PARENT: restrict_swacls
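
Whether or not Bastille is allowed to write these settings, it is useful to see which of the nine parameters above currently differ from the whitepaper's values.  The script below is an added example rather than Bastille's own code; it queries the running kernel with ndd -get, taking the device from the parameter prefix (/dev/tcp for tcp_*, /dev/ip for the rest), and the ndd_get function is written so that it can be redefined to audit a saved snapshot offline.

```shell
#!/bin/sh
# Report which of the whitepaper's ndd parameters differ on this host.
# Added example, not Bastille's code.  The pairs below are the Suggested
# column of the table above; the device is chosen by prefix (tcp_* lives
# under /dev/tcp, the ip_* parameters under /dev/ip).

SUGGESTED="ip_forward_directed_broadcasts=0
ip_forward_src_routed=0
ip_forwarding=0
ip_ire_gw_probe=0
ip_pmtu_strategy=1
ip_send_redirects=0
ip_send_source_quench=0
tcp_conn_request_max=4096
tcp_syn_rcvd_max=1000"

# ndd_get PARAM: print the running value of PARAM.  Redefine this function
# (for example to read a saved "ndd -get" snapshot) to audit offline.
ndd_get() {
  case $1 in
    tcp_*) ndd -get /dev/tcp "$1" ;;
    *)     ndd -get /dev/ip  "$1" ;;
  esac
}

# audit_ndd: print "parameter current suggested" for each parameter whose
# current value is not the suggested one ("?" if it could not be read), and
# return the number of such parameters, so 0 means fully compliant.
audit_ndd() {
  _diff=0
  for _pair in $SUGGESTED; do
    _name=${_pair%%=*}
    _want=${_pair#*=}
    _have=$(ndd_get "$_name" 2>/dev/null) || _have='?'
    if [ "$_have" != "$_want" ]; then
      echo "$_name $_have $_want"
      _diff=$((_diff + 1))
    fi
  done
  return $_diff
}
```

Run `audit_ndd` as root on the host; each printed line names one parameter to merge into your existing settings, and the exit status is the count of them.  A "?" in the current column means ndd could not read the parameter, which on a non-HP-UX host or a different release is expected rather than a finding.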

LABEL: scan_ports
SHORT_EXP: "One of the final steps in lockdown is to verify that only the
services you need are still running.  Several tools exist to do this,
including \"netstat\" which is included with HP-UX, and \"lsof\" (LiSt Open
Files), which is a free downloadable tool that can give you a lot of good
information about all the processes running on your system.  If there are
processes running that you don't recognize, you might take this as an
opportunity to do some research and learn about them.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Would you like instructions in your TODO list on how to run a
port scan?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
YES_CHILD: is_ipfilter_installed
NO_CHILD: is_ipfilter_installed
SKIP_CHILD: is_ipfilter_installed
PROPER_PARENT: ndd

LABEL: is_ipfilter_installed
SHORT_EXP: "Firewalls generally make up the first line of defense in any
network security architecture.  IPFilter is a free host-based firewall
which is available for HP-UX.  It looks like you have IPFilter installed,
but that does not necessarily mean that it has been configured (Bastille
cannot detect whether or not the ruleset is appropriate for your unique needs).

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Would you like a reminder to make sure IPFilter is configured?"
YN_TOGGLE: 1
DEFAULT_ANSWER: Y
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
REQUIRE_FILE_EXISTS: ipf.conf
SKIP_CHILD: ipfilter
YES_CHILD: other_tools
NO_CHILD: other_tools
PROPER_PARENT: scan_ports

LABEL: ipfilter
SHORT_EXP: "Firewalls generally make up the first line of defense in any
network security architecture.  IPFilter is a free host-based firewall
which is available for HP-UX.  Using IPFilter, you can write rules which
allow only the right types of network traffic into your computer.
This can dramatically improve your system's overall resistance to network
attacks by limiting the number of ways your system could be attacked in
the first place.  Note that it can take a lot of work and expertise to
properly configure and maintain firewall rules, and the installation
process loads a kernel module and requires a reboot.

(MANUAL ACTION REQUIRED TO COMPLETE THIS CONFIGURATION,
see TODO list for details)"
QUESTION: "Would you like information on how to get a copy of IPFilter?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
YES_CHILD: other_tools
NO_CHILD: other_tools
SKIP_CHILD: other_tools
PROPER_PARENT: scan_ports

LABEL: other_tools
SHORT_EXP: "Although Bastille can help you configure a lot of the security
relevant features of your Operating System, it is not a substitute for a
complete security solution.  Such a solution includes properly configured
firewalls, network topologies, intrusion detection, policies, and user
education.  Hewlett Packard has tools and resources to help with many
aspects of security."
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
REQUIRE_DISTRO: HP-UX
DEFAULT_ANSWER: Y
QUESTION: "Would you like information about other security tools that HP has to offer?"
YES_CHILD: mail_config
NO_CHILD: mail_config
SKIP_CHILD: mail_config
PROPER_PARENT: scan_ports

LABEL: mail_config
SHORT_EXP: "The HP-UX Bastille development team would like to know how you
are using Bastille.  Based on how you answered these questions, HP can meet
your needs better.  You can help by sending your configuration and
TODO files back to HP.  Answering \"yes\" to this question will do
that for you automatically.  If you feel that your hostname or your security
configuration is in any way confidential, then you should answer
\"no\" to this question, since the information will be sent
unencrypted over the public internet.  Also, if outbound mail is
unable to reach the internet from this machine, you should answer \"no.\"

If you have suggestions for improvements, new questions, code, and/or tests,
you can discuss these on the Bastille Linux discussion list.  You can
subscribe at:

http://lists.sourceforge.net/mailman/listinfo/bastille-linux-discuss

You can also provide feedback concerning the HP-UX version of Bastille
directly to bastille-feedback@fc.hp.com.  Please do send comments, even
if it's just to say you like the tool.  We want to hear from you."
QUESTION: "Are you willing to mail your configuration and TODO list to HP?"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
REQUIRE_DISTRO: HP-UX
YES_CHILD: tmpdir
NO_CHILD: tmpdir
PROPER_PARENT: other_tools

FILE: TMPDIR.pm

LABEL: tmpdir
SHORT_EXP: "Many programs use the /tmp directory in ways that are dangerous
on multi-user systems. Many of those programs will use an alternate directory
if one is specified with the TMPDIR or TMP environment variables. We can
install scripts that will be run when users log in that safely create
suitable temporary directories and set the TMPDIR and TMP environment
variables. This depends on your system supporting /etc/profile.d scripts."
QUESTION: "Would you like to install TMPDIR/TMP scripts? [N]"
REQUIRE_DISTRO: LINUX SE TB
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: ip_intro
NO_CHILD: ip_intro
PROPER_PARENT: mail_config

FILE: Firewall.pm

LABEL: ip_intro
SHORT_EXP: "Using the packet filtering script, you will be able to do packet
filtering/modification via the Linux kernel.  You can use this to block certain types
of connections to or from your machine, to turn your machine into a small firewall,
and to do Network Address Translation (also known as \"IP masquerading\"), which lets
several machines share a single IP address.

If you install the packet filtering script, it will create firewalling instructions for you.
You will be prompted to make various choices (with suggested defaults), but you may
need to edit it for your particular site and WILL need to individually activate it.

This script supports both kernel 2.2 (ipchains) and 2.4 (iptables if available, otherwise ipchains)."
QUESTION: "Would you like to run the packet filtering script? [N]"
REQUIRE_DISTRO: LINUX DB TB
SKIP_CHILD: End_Screen
DEFAULT_ANSWER: N
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: ip_detail_level_kludge
NO_CHILD: End_Screen
PROPER_PARENT: tmpdir

LABEL: ip_detail_level_kludge
QUESTION:
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_exp_type
DEFAULT_ANSWER: Y
YN_TOGGLE: 0
YES_CHILD: ip_exp_type
PROPER_PARENT: ip_intro


LABEL: ip_exp_type
SHORT_EXP: "You will be asked to choose initial settings for the firewall script. The
defaults are generally the minimal recommended settings. To accept the default (shown
in brackets), press RETURN. To change a non-empty default to an empty value, enter
some white space before pressing RETURN.

Your responses should be white space delimited lists of items. IP addresses may be
entered in plain \"dotted-quad\" notation, with or without netmasks.  For instance,
\"10.0.0.0/8\" \"10.0.0.0/255.0.0.0\" \"10.0.0.0\" will all be read as legitimate ways
to express the 10.*.*.* \"class A\" network space.  If you have \"unexpected\"
networks like \"10.0.0.0/255.255.255.0\" or \"192.168.1.0/255.255.255.128\", you will
need to specify that explicitly.

Services can be entered as names (\"smtp\") or numbers (\"25\").  Be warned that any
names must explicitly match one of those listed in /etc/services. Ranges may be
specified with colons, e.g. \"1024:\" indicates all ports >= 1024, \"6000:6020\"
indicates ports 6000 to 6020, inclusive.

Unless you really understand networking, you should ask for more information on most
of the options in this script."
QUESTION:
REQUIRE_DISTRO: LINUX DB SE TB
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_advnetwork
NO_CHILD: ip_advnetwork
PROPER_PARENT: ip_intro

LABEL: ip_advnetwork
SHORT_EXP: "Do you need the advanced networking options?  If this is a standalone
workstation or server with a single network interface (e.g. may connect to one of
several PPP servers, but is never connected to two different networks simultaneously),
then you do not need advanced networking options.

If this is a server that deals with multiple interfaces or provides IP
Masquerading/NAT service, then you do need the advanced networking options."
QUESTION: "Do you need the advanced networking options?"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_dns
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
DEFAULT_ANSWER: N
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_dns
NO_CHILD: ip_b_dns
PROPER_PARENT: ip_exp_type

LABEL: ip_s_dns
SHORT_EXP: "This controls what external servers you can use for DNS lookups. For
regular workstations, this should contain all your name server addresses, separated by
spaces. If you want to run a caching name server and/or run your own DNS, leave this at
\"0.0.0.0/0\" so you can query any DNS server. If you set this to an empty value, the
firewall script will read the current name servers from /etc/resolv.conf when it is
run, which is the recommended configuration. This default is designed to ensure
functionality.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
LONG_EXP: "DNS servers are used to translate names like \"example.org\" into addresses
like \"10.1.2.3\". You need to configure DNS for many pieces of software to function
properly. Your system administrator or Internet Service Provider should be able to
provide you with this information. Most users should simply leave this at
\"0.0.0.0/0\" (or make it blank) so the firewall script will be more forgiving (or do
the right thing automatically). For instance, DHCP clients often re-write
/etc/resolv.conf when obtaining a new lease. (This means you may want to configure
your system to run the firewall script both before _and_ after setting up your
DHCP-configured interface if you set this to the safest value, an empty string.)

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "DNS servers: [0.0.0.0/0]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_trustiface
DEFAULT_ANSWER: 0.0.0.0/0
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_trustiface
NO_CHILD:
PROPER_PARENT: ip_advnetwork

LABEL: ip_s_trustiface
SHORT_EXP: "List the interface names of all interfaces you want to have unrestricted
access to this machine. You should at least trust \"lo\", the \"loopback\" interface."
LONG_EXP: "Interface names normally look like \"eth0\" for the first Ethernet card,
\"ppp0\" for a PPP connection, etc. Any traffic coming from the interfaces listed here
will be allowed by the kernel (though TCP Wrappers or the application itself may end
up denying the connection attempt). Basically, you will have no kernel-level firewall
protecting you from traffic on these interfaces, and should therefore think carefully
before changing the default.

List the interface names of all interfaces you want to have unrestricted
access to this machine. You should at least trust \"lo\", the \"loopback\" interface."
QUESTION: "Trusted interface names: [lo]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_publiciface
DEFAULT_ANSWER: lo
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_publiciface
NO_CHILD:
PROPER_PARENT: ip_s_dns

LABEL: ip_s_publiciface
SHORT_EXP: "List names of all interfaces connected to public/untrusted networks. The
\"+\" character is a wildcard, e.g. \"ppp+\" matches any interface name beginning with
\"ppp\" in case you have multiple dialup profiles."
LONG_EXP: "List names of all interfaces connected to public/untrusted networks. The
\"+\" character is a wildcard, e.g. \"ppp+\" matches any interface name beginning with
\"ppp\" in case you have multiple dialup profiles.

Using the \"+\" suffix allows you to configure more interfaces (for
instance, more PPP dialup entries) without having to modify the firewall script. "
QUESTION: "Public interfaces: [eth+ ppp+ slip+]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_internaliface
DEFAULT_ANSWER: eth+ ppp+ slip+
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_internaliface
NO_CHILD:
PROPER_PARENT: ip_s_trustiface

LABEL: ip_s_internaliface
SHORT_EXP: "This is for servers that will act as NAT / IP Masq firewalls between
local, but not fully trusted, networks and public networks like the Internet. List
names of all \"internal\" interfaces that might have full ability to use NAT / IP Masq
to contact public networks, but only limited access to services running on this
machine. Do not use \"+\" characters; name each interface explicitly."
LONG_EXP: "This is for servers that will act as NAT / IP Masq firewalls between
local, but not fully trusted, networks and public networks like the Internet. List
names of all \"internal\" interfaces that might have full ability to use NAT / IP Masq
to contact public networks, but only limited access to services running on this
machine. Do not use \"+\" characters; name each interface explicitly.

Normal workstations should leave this as the empty default. "
QUESTION: "Internal interfaces: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_tcpaudit
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_tcpaudit
NO_CHILD:
PROPER_PARENT: ip_s_publiciface

LABEL: ip_s_tcpaudit
SHORT_EXP: "List any TCP-based services (name or port number) for which you want the
kernel to log connection attempts from the \"public\" interfaces."
LONG_EXP: "List any TCP-based services (name or port number) for which you want the
kernel to log connection attempts from the \"public\" interfaces.

If you have \"syslog\" configured to log \"kern\" messages of \"info\"
level, the kernel will automatically log connection attempts from the \"public\"
interfaces (only the \"public\" interfaces) to these ports and/or services. This is
useful to spot possible probes or attacks. The default setting records connection
attempts to several services, although you may not have them installed or enabled. "
QUESTION: "TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login
linuxconf ssh]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_udpaudit
DEFAULT_ANSWER: telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_udpaudit
NO_CHILD:
PROPER_PARENT: ip_s_internaliface

LABEL: ip_s_udpaudit
SHORT_EXP: "List any UDP-based services (name or port number) for which you want the
kernel to log connection attempts from the \"public\" interfaces.  The default here is
port 31337, the standard port for the infamous \"Back Orifice\" trojan/remote-control
app for Windows systems."
LONG_EXP: "List any UDP-based services (name or port number) for which you want the
kernel to log connection attempts from the \"public\" interfaces.  The default here is
port 31337, the standard port for the infamous \"Back Orifice\" trojan/remote-control
app for Windows systems.

While attackers probing for Back Orifice may not pose a threat to your
Linux system, logging their attempts helps identify the \"bad guys\"."
QUESTION: "UDP services to audit: [31337]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_icmpaudit
DEFAULT_ANSWER: 31337
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_icmpaudit
NO_CHILD:
PROPER_PARENT: ip_s_tcpaudit
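
The audit logging described in the TCP and UDP audit questions above, as an added example in POSIX sh; it is not Bastille's own bastille-firewall script. It prints the kernel LOG rules for review instead of applying them, then summarises the kern.info lines those rules would produce so that a host probing one port stands out. The variable names, the log excerpt and the addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not Bastille's own firewall script: turn the "TCP/UDP
# services to audit" answers into kernel LOG rules for the public
# interfaces, then summarise the resulting kern.info lines to spot probes.

# Constructed answers in the form the audit questions collect.
PUBLIC_IFACES="eth+ ppp+"
TCP_AUDIT_SERVICES="telnet ftp ssh"
UDP_AUDIT_SERVICES="31337"

# Print (do not apply) one iptables LOG rule per interface pattern and
# service.  Only new TCP connections (--syn) are logged, so established
# sessions do not flood the log.
audit_rules() {
    for iface in $PUBLIC_IFACES; do
        for svc in $TCP_AUDIT_SERVICES; do
            echo "iptables -A INPUT -i $iface -p tcp --dport $svc --syn -j LOG --log-prefix \"audit-tcp: \""
        done
        for svc in $UDP_AUDIT_SERVICES; do
            echo "iptables -A INPUT -i $iface -p udp --dport $svc -j LOG --log-prefix \"audit-udp: \""
        done
    done
}

# Constructed syslog excerpt in the shape the LOG target produces (MAC=,
# LEN= and TTL= fields omitted; addresses from the documentation ranges).
# The sshd line shows that unrelated entries are ignored.
SAMPLE_KERNLOG='Mar  1 02:11:03 gw kernel: audit-tcp: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40011 DPT=23 SYN
Mar  1 02:11:04 gw kernel: audit-tcp: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40012 DPT=23 SYN
Mar  1 02:11:05 gw kernel: audit-tcp: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40013 DPT=21 SYN
Mar  1 02:12:00 gw kernel: audit-udp: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=1024 DPT=31337
Mar  1 02:13:00 gw sshd[123]: Accepted publickey for alice from 192.0.2.20'

# Read audit lines on stdin and print "SRC DPT count", busiest first.
count_probes() {
    awk '/audit-(tcp|udp): / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") n[src " " dpt]++
         }
         END { for (k in n) print k, n[k] }' |
    sort -k3,3nr -k1,1 -k2,2n
}

audit_rules
printf '%s\n' "$SAMPLE_KERNLOG" | count_probes
```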

LABEL: ip_s_icmpaudit
SHORT_EXP: "List any ICMP message types for which you want the kernel to log
connection attempts from the \"public\" interfaces.  These should be specified as type
names, not numbers. One example is \"echo-request\", which is used by Microsoft ping
and tracert [sic] clients."
QUESTION: "ICMP services to audit: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_publictcp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_publictcp
NO_CHILD:
PROPER_PARENT: ip_s_udpaudit

LABEL: ip_s_publictcp
SHORT_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"public\" interfaces. Typical workstations will not want to make any services
available, though admins may want to enable something like secure shell (default port: 22) for
remote administration. Those running caching or \"real\" DNS servers on this machine
will want to enable domain (or port 53). If you want to make FTP available to clients
on the \"public\" interfaces, you will want to allow the range of ports used
for \"passive\" FTP connections."
LONG_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"public\" interfaces. Typical workstations will not want to make any services
available, though admins may want to enable something like secure shell (default port: 22) for
remote administration. Those running caching or \"real\" DNS servers on this machine
will want to enable domain (or port 53). If you want to make FTP available to clients
on the \"public\" interfaces, you will want to allow the range of ports used
for \"passive\" FTP connections.

You will need to list the names or port numbers of any services running on
this machine that you want hosts on the \"public\" network to access. For instance, if
you have a local Web server you want to share, add \"80\" for the normal HTTP port.
Not doing so means you will be able to access the service locally, but \"public\"
hosts will not."
QUESTION: "TCP service names or port numbers to allow on public interfaces: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_publicudp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_publicudp
NO_CHILD:
PROPER_PARENT: ip_s_icmpaudit

LABEL: ip_s_publicudp
SHORT_EXP: "List names or port numbers on which to accept UDP connection attempts from
the \"public\" interfaces. Again, typical workstations will not want to make any
services available, but if you're running caching or real DNS servers, you will need
to enable domain (port 53)."
QUESTION: "UDP service names or port numbers to allow on public interfaces: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_internaltcp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_internaltcp
NO_CHILD:
PROPER_PARENT: ip_s_publictcp

LABEL: ip_s_internaltcp
SHORT_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"internal\" interfaces.  Note that the \"public\" services will not be made
available to \"internal\" hosts unless you also specify those services again here. If
you want to make FTP available to clients on the \"internal\" interfaces, you will
want to allow the range of ports used for \"passive\" FTP connections."
LONG_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"internal\" interfaces.  Note that the \"public\" services will not be made
available to \"internal\" hosts unless you also specify those services again here. If
you want to make FTP available to clients on the \"internal\" interfaces, you will
want to allow the range of ports used for \"passive\" FTP connections.

For instance, a corporate firewall/mailserver might have \"smtp\" enabled
on the public side to accept outside mail, and for \"internal\" interfaces it might
allow both \"smtp\" and \"imap\" so local users can both send and get mail; in that
case you would set this value to \"smtp imap\". This does not affect IP Masquerading's
ability to let masq'ed users access any services on outside/Internet hosts. "
QUESTION: "TCP service names or port numbers to allow on private interfaces: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_internaludp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_internaludp
NO_CHILD:
PROPER_PARENT: ip_s_publicudp

LABEL: ip_s_internaludp
SHORT_EXP: "List names or port numbers on which to accept UDP connection attempts from
the \"internal\" interfaces. Note that the \"public\" services will not be made
available to \"internal\" hosts unless you also specify those services again here."
LONG_EXP: "List names or port numbers on which to accept UDP connection attempts from
the \"internal\" interfaces. Note that the \"public\" services will not be made
available to \"internal\" hosts unless you also specify those services again here.

As with internal TCP, you do not need to enable the domain service if the
internal clients are using IP Masq to query outside DNS servers."
QUESTION: "UDP service names or port numbers to allow on private interfaces: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_passiveftp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_passiveftp
NO_CHILD:
PROPER_PARENT: ip_s_internaltcp

LABEL: ip_s_passiveftp
SHORT_EXP: "This has nothing to do with whether you are running an FTP _server_ on
this machine; this has to do with how clients running on this machine will talk to
_other_ machines running FTP servers reachable through the \"public\" interfaces. By
forcing your local FTP clients to use \"passive\" mode, you will not have to be as
cautious about blocking specific \"high\" TCP services. Set to \"Y\" to force
\"passive\" FTP; the default \"N\" will allow you to use normal, \"active\" FTP.
Forcing passive mode (\"Y\") is recommended, but less convenient."
LONG_EXP: "This has nothing to do with whether you are running an FTP _server_ on
this machine; this has to do with how clients running on this machine will talk to
_other_ machines running FTP servers reachable through the \"public\" interfaces. By
forcing your local FTP clients to use \"passive\" mode, you will not have to be as
cautious about blocking specific \"high\" TCP services. Set to \"Y\" to force
\"passive\" FTP; the default \"N\" will allow you to use normal, \"active\" FTP.
Forcing passive mode (\"Y\") is recommended, but less convenient.

Forcing passive FTP will make using some FTP clients more of a hassle, as
you may need to manually tell them to use passive mode, but many clients such as
Netscape Navigator have no problem with passive FTP. If you have problems with FTP,
this is the first place to look.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "Force passive mode? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: N
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_tcpblock
NO_CHILD: ip_s_tcpblock
PROPER_PARENT: ip_s_internaludp

LABEL: ip_s_tcpblock
SHORT_EXP: "Specify TCP services to block.  These rules take effect _after_ the TCP
services to make public. If you allow the use of \"active\" FTP clients
(FORCE_PASV_FTP at its default of \"0\"), you will need to be careful here, and will
want to make sure you block all TCP services listening on high ports. If you are
forcing \"passive\" FTP, you may ignore this setting."
LONG_EXP: "Specify TCP services to block.  These rules take effect _after_ the TCP
services to make public. If you allow the use of \"active\" FTP clients
(FORCE_PASV_FTP at its default of \"0\"), you will need to be careful here, and will
want to make sure you block all TCP services listening on high ports. If you are
forcing \"passive\" FTP, you may ignore this setting.

We have listed the services we have observed. To be more cautious, you
should look at the output of 'lsof -i' (run as root) once the system is up and all
services are running.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "TCP services to block: [2049 2065:2090 6000:6020 7100]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_udpblock
DEFAULT_ANSWER: 2049 2065:2090 6000:6020 7100
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_udpblock
NO_CHILD:
PROPER_PARENT: ip_s_passiveftp

LABEL: ip_s_udpblock
SHORT_EXP: "Specify UDP services to block.  As with the TCP services, the UDP services
to make public will take precedence. The high UDP services that you do not block will
be reachable by any allowed NTP or DNS server. Sites with more such \"high UDP\"
services, or global DNS availability (as is the default, DNS_SERVERS=\"0.0.0.0/0\"),
will want to be sure they have all such high UDP services listed.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "UDP services to block: [2049 6770]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_icmpallowed
DEFAULT_ANSWER: 2049 6770
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_icmpallowed
NO_CHILD:
PROPER_PARENT: ip_s_tcpblock

LABEL: ip_s_icmpallowed
SHORT_EXP: "Specify the ICMP allowed types.  The default suggestion allows you to
probe other hosts with ping and traceroute. Minimally you will need to allow
\"destination-unreachable\"."
LONG_EXP: "Specify the ICMP allowed types.  The default suggestion allows you to
probe other hosts with ping and traceroute. Minimally you will need to allow
\"destination-unreachable\".

\"destination-unreachable\" lets other machines' servers tell your system
when things aren't right; don't disable this unless you really know what you're
getting into. If you don't allow \"echo-reply\" and \"time-exceeded\", you won't be
able to use ping and traceroute to debug issues on the \"public\" networks. "
QUESTION: "ICMP allowed types: [destination-unreachable echo-reply time-exceeded]"
SKIP_CHILD: ip_s_srcaddr
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: destination-unreachable echo-reply time-exceeded
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_srcaddr
NO_CHILD:
PROPER_PARENT: ip_s_udpblock

LABEL: ip_s_srcaddr
SHORT_EXP: "Do you want to enable source address verification? This configures the
kernel to block traffic likely to have spoofed IP addresses. Set to \"N\" to disable.
The default (\"Y\") is highly recommended."
LONG_EXP: "Do you want to enable source address verification? This configures the
kernel to block traffic likely to have spoofed IP addresses. Set to \"N\" to disable.
The default (\"Y\") is highly recommended.

This is a standard, and highly recommended, precaution. "
QUESTION: "Enable source address verification? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: Y
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_ipmasq
NO_CHILD: ip_s_ipmasq
PROPER_PARENT: ip_s_icmpallowed

LABEL: ip_s_ipmasq
SHORT_EXP: "If this machine will be used as an IP Masquerading / Network Address
Translation gateway, enter the networks to be masqueraded (from trusted interfaces).
Example: \"10.0.0.0\". If you will not be using IP Masq / NAT, leave this as the empty
default."
LONG_EXP: "If this machine will be used as an IP Masquerading / Network Address
Translation gateway, enter the networks to be masqueraded (from trusted interfaces).
Example: \"10.0.0.0\". If you will not be using IP Masq / NAT, leave this as the empty
default.

Note this expects _network_ addresses (either with 0's on the end or with
explicit netmasks), _not_ interface names. "
QUESTION: "Masqueraded networks: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_kernelmasq
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_kernelmasq
NO_CHILD:
PROPER_PARENT: ip_s_srcaddr

LABEL: ip_s_kernelmasq
SHORT_EXP: "Do you want to set any kernel modules to do IP masquerading?  Special
kernel modules are required to provide certain services via IP Masquerading. Possible
modules include cuseeme, ftp, irc, quake, raudio, and vdolive. The script assumes each
name should have the usual prefix, e.g. \"raudio\" will cause the script to load the
\"ip_masq_raudio\" module."
QUESTION: "Kernel modules to masquerade: [ftp raudio vdolive]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_rejectmethod
DEFAULT_ANSWER: ftp raudio vdolive
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_rejectmethod
NO_CHILD:
PROPER_PARENT: ip_s_ipmasq

LABEL: ip_s_rejectmethod
SHORT_EXP: "You need to set how the kernel rejects blocked traffic. \"REJECT\" is
friendly, lets the remote host know you're blocking their attempt (and can therefore
be used to prove you're on the network). \"DENY\" is unfriendly, simply drops the
connection attempt, leaving the remote host to wait, and probably give up after some
time. (Note you may specify \"DENY\" or \"DROP\" and the packet filter will
use the appropriate keyword: DENY for kernel 2.2/ipchains, DROP for 2.4/iptables.)"
LONG_EXP: "You need to set how the kernel rejects blocked traffic. \"REJECT\" is
friendly, lets the remote host know you're blocking their attempt (and can therefore
be used to prove you're on the network). \"DENY\" is unfriendly, simply drops the
connection attempt, leaving the remote host to wait, and probably give up after some
time.

There's no definite right answer here. With DENY, your machine will be less
visible, especially if using kernel 2.4/iptables. "
QUESTION: "Reject method: [DENY]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_dhcpiface
DEFAULT_ANSWER: DENY
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_dhcpiface
NO_CHILD:
PROPER_PARENT: ip_s_kernelmasq
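
How the answers to "TCP services to block" and "Reject method" above combine, as an added example in POSIX sh that is not Bastille's own firewall script: explicitly public services are accepted before the block list is applied, and the reject method is translated to the keyword each packet filter understands. The variable and function names are assumptions, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not Bastille's own firewall script: show how the answers
# to "TCP services to block" and "Reject method" become rule order and the
# keyword the selected packet filter accepts.

# Constructed answers (variable names are assumptions for this example).
REJECT_METHOD="DENY"                                   # answer to "Reject method"
PUBLIC_IFACES="eth+ ppp+"                              # answer to "Public interfaces"
TCP_PUBLIC_SERVICES="22"                               # answer to "TCP ... allow on public"
TCP_BLOCKED_SERVICES="2049 2065:2090 6000:6020 7100"   # default block list

# Map the user's answer to the keyword the tool understands: ipchains knows
# DENY, iptables knows DROP; REJECT is the same on both.  Anything else is
# rejected so a typo cannot silently turn into an accept.
reject_target() {
    tool=$1; method=$2
    case "$method" in
        REJECT) echo REJECT ;;
        DENY|DROP)
            case "$tool" in
                ipchains) echo DENY ;;
                iptables) echo DROP ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Print (do not apply) the public-interface TCP rules in the order the
# question text describes: public services are accepted first, so a port
# listed in both places stays reachable; the block list follows.
tcp_rules() {
    tool=$1
    target=$(reject_target "$tool" "$REJECT_METHOD") || return 1
    for iface in $PUBLIC_IFACES; do
        for svc in $TCP_PUBLIC_SERVICES; do
            case "$tool" in
                ipchains) echo "ipchains -A input -i $iface -p tcp --dport $svc -y -j ACCEPT" ;;
                iptables) echo "iptables -A INPUT -i $iface -p tcp --dport $svc --syn -j ACCEPT" ;;
            esac
        done
        for svc in $TCP_BLOCKED_SERVICES; do
            case "$tool" in
                ipchains) echo "ipchains -A input -i $iface -p tcp --dport $svc -y -j $target" ;;
                iptables) echo "iptables -A INPUT -i $iface -p tcp --dport $svc --syn -j $target" ;;
            esac
        done
    done
}

tcp_rules iptables
```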

LABEL: ip_s_dhcpiface
SHORT_EXP: "List the names of any interfaces this machine will need to make DHCP
_queries_ on to configure _its own_ interfaces. For example, a cable modem user with a
single ethernet interface might need to set this to \"eth0\".

Systems that use regular PPP modem dialups may leave this blank.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "Interfaces for DHCP queries: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_ntpsrv
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_ntpsrv
NO_CHILD:
PROPER_PARENT: ip_s_rejectmethod

LABEL: ip_s_ntpsrv
SHORT_EXP: "If you want to query NTP time servers to synchronize your system time,
enter IP addresses or networks for those servers here. If you don't intend to make NTP
queries, leave this as the empty default.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
LONG_EXP: "If you want to query NTP time servers to synchronize your system time,
enter IP addresses or networks for those servers here. If you don't intend to make NTP
queries, leave this as the empty default.

The same warnings about blocked UDP services and DNS servers apply here;
the hosts and networks you list here can connect to any high UDP port not explicitly
blocked.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "NTP servers to query: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_s_icmpout
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_icmpout
NO_CHILD:
PROPER_PARENT: ip_s_dhcpiface

LABEL: ip_s_icmpout
SHORT_EXP: "Do you want to disable any outbound ICMP types?  If you disable the types
listed in the default, your machine will not be visible to normal traceroute probes
from hosts on your \"public\" interfaces."
LONG_EXP: "Do you want to disable any outbound ICMP types?  If you disable the types
listed in the default, your machine will not be visible to normal traceroute probes
from hosts on your \"public\" interfaces.

\"destination-unreachable\" is (ab)used by the traceroute program to check
routing to individual hosts. "
QUESTION: "ICMP types to disallow outbound: [destination-unreachable time-exceeded]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_enable_firewall
DEFAULT_ANSWER: destination-unreachable time-exceeded
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_enable_firewall
NO_CHILD:
PROPER_PARENT: ip_s_ntpsrv

LABEL: ip_b_dns
SHORT_EXP: "This controls what external servers you can use for DNS lookups. For
regular workstations, this should contain all your name server addresses, separated by
spaces. If you want to run a caching name server and/or run your own DNS, leave this at
\"0.0.0.0/0\" so you can query any DNS server. If you set this to an empty value, the
firewall script will read the current name servers from /etc/resolv.conf when it is
run, which is the recommended configuration. This default is designed to ensure
functionality.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
LONG_EXP: "This controls what external servers you can use for DNS lookups. For
regular workstations, this should contain all your name server addresses, separated by
spaces. If you want to run a caching name server and/or run your own DNS, leave this at
\"0.0.0.0/0\" so you can query any DNS server. If you set this to an empty value, the
firewall script will read the current name servers from /etc/resolv.conf when it is
run, which is the recommended configuration. This default is designed to ensure
functionality.

DNS servers are used to translate names like \"example.org\" into addresses
like \"10.1.2.3\". You need to configure DNS for many pieces of software to function
properly. Your system administrator or Internet Service Provider should be able to
provide you with this information. Most users should simply leave this at
\"0.0.0.0/0\" (or make it blank) so the firewall script will be more forgiving (or do
the right thing automatically). For instance, DHCP clients often re-write
/etc/resolv.conf when obtaining a new lease. (This means you may want to configure
your system to run the firewall script both before _and_ after setting up your
DHCP-configured interface if you set this to the safest value, an empty string.)

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "DNS Servers: [0.0.0.0/0]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_trustiface
DEFAULT_ANSWER: 0.0.0.0/0
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_trustiface
NO_CHILD:
PROPER_PARENT: ip_advnetwork
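
The three forms the "DNS servers" answer can take (an explicit list, "0.0.0.0/0" for any server, or an empty value meaning read /etc/resolv.conf at run time), as an added example in POSIX sh that is not Bastille's own script. The helper names and the resolv.conf contents are constructed for the example, and the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not Bastille's own script: resolve the "DNS servers" answer
# into the set of sources allowed to answer on port 53, following the three
# cases the question text describes.

# Constructed resolv.conf standing in for /etc/resolv.conf (hypothetical
# addresses from the documentation ranges).
SAMPLE_RESOLV=$(mktemp)
trap 'rm -f "$SAMPLE_RESOLV"' EXIT
cat > "$SAMPLE_RESOLV" <<'EOF'
# written by a DHCP client (constructed sample)
search example.org
nameserver 192.0.2.53
nameserver 198.51.100.53
options timeout:2
EOF

# Print one allowed DNS source per line.  An empty answer means "whatever
# is configured right now", which is why the text suggests re-running the
# firewall script after DHCP rewrites resolv.conf.
dns_sources() {
    answer=$1; resolv=$2
    if [ -z "$answer" ]; then
        awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$resolv"
    else
        for s in $answer; do echo "$s"; done
    fi
}

# Print (do not apply) iptables rules accepting DNS replies only from the
# chosen servers.  With 0.0.0.0/0 that is effectively any host, which is the
# "global DNS availability" the UDP block question warns about.
dns_rules() {
    answer=$1; resolv=$2; iface=$3
    dns_sources "$answer" "$resolv" | while read -r src; do
        echo "iptables -A INPUT -i $iface -p udp -s $src --sport 53 -j ACCEPT"
        echo "iptables -A INPUT -i $iface -p tcp -s $src --sport 53 ! --syn -j ACCEPT"
    done
}

dns_rules "" "$SAMPLE_RESOLV" eth0
```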

LABEL: ip_b_trustiface
DEFAULT_ANSWER: lo
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_publiciface
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_publiciface
NO_CHILD:
PROPER_PARENT: ip_b_dns

LABEL: ip_b_publiciface
SHORT_EXP: "List names of all interfaces connected to public/untrusted networks. The
\"+\" character is a wildcard, e.g. \"ppp+\" matches any interface name beginning with
\"ppp\" in case you have multiple dialup profiles."
LONG_EXP: "List names of all interfaces connected to public/untrusted networks. The
\"+\" character is a wildcard, e.g. \"ppp+\" matches any interface name beginning with
\"ppp\" in case you have multiple dialup profiles.

Using the \"+\" suffix allows you to configure more interfaces (for
instance, more PPP dialup entries) without having to modify the firewall script. "
QUESTION: "Public interfaces: [eth+ ppp+ slip+]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_internaliface
DEFAULT_ANSWER: eth+ ppp+ slip+
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_internaliface
NO_CHILD:
PROPER_PARENT: ip_b_dns

LABEL: ip_b_internaliface
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_tcpaudit
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_tcpaudit
NO_CHILD:
PROPER_PARENT: ip_b_publiciface

LABEL: ip_b_tcpaudit
SHORT_EXP: "List any TCP-based services (name or port number) for which you want the
kernel to log connection attempts from the \"public\" interfaces."
LONG_EXP: "List any TCP-based services (name or port number) for which you want the
kernel to log connection attempts from the \"public\" interfaces.

If you have \"syslog\" configured to log \"kern\" messages of \"info\"
level, the kernel will automatically log connection attempts from the \"public\"
interfaces (only the \"public\" interfaces) to these ports and/or services. This is
useful to spot possible probes or attacks. The default setting records connection
attempts to several services, although you may not have them installed or enabled. "
QUESTION: "TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login
linuxconf ssh]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_udpaudit
DEFAULT_ANSWER: telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_udpaudit
NO_CHILD:
PROPER_PARENT: ip_b_publiciface

LABEL: ip_b_udpaudit
SHORT_EXP: "List any UDP-based services (name or port number) for which you want the
kernel to log connection attempts from the \"public\" interfaces.  The default here is
port 31337, the standard port for the infamous \"Back Orifice\" trojan/remote-control
app for Windows systems."
LONG_EXP: "List any UDP-based services (name or port number) for which you want the
kernel to log connection attempts from the \"public\" interfaces.  The default here is
port 31337, the standard port for the infamous \"Back Orifice\" trojan/remote-control
app for Windows systems.

While attackers probing for Back Orifice may not pose a threat to your
Linux system, logging their attempts helps identify the \"bad guys\"."
QUESTION: "UDP services to audit: [31337]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_icmpaudit
DEFAULT_ANSWER: 31337
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_icmpaudit
NO_CHILD:
PROPER_PARENT: ip_b_tcpaudit

LABEL: ip_b_icmpaudit
SHORT_EXP: "List any ICMP message types for which you want the kernel to log
connection attempts from the \"public\" interfaces.  These should be specified as type
names, not numbers. One example is \"echo-request\", which is used by Microsoft ping
and tracert [sic] clients."
QUESTION: "ICMP services to audit: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_publictcp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_publictcp
NO_CHILD:
PROPER_PARENT: ip_b_udpaudit

LABEL: ip_b_publictcp
SHORT_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"public\" interfaces. Typical workstations will not want to make any services
available, though admins may want to enable something like secure shell (default port: 22) for
remote administration. Those running caching or \"real\" DNS servers on this machine
will want to enable domain (or port 53). If you want to make FTP available to clients
on the \"public\" interfaces, you will want to allow the range of ports used
for \"passive\" FTP connections."
LONG_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"public\" interfaces. Typical workstations will not want to make any services
available, though admins may want to enable something like secure shell (default port: 22) for
remote administration. Those running caching or \"real\" DNS servers on this machine
will want to enable domain (or port 53). If you want to make FTP available to clients
on the \"public\" interfaces and are using kernel 2.2/ipchains, you will want to allow
the range of ports used for \"passive\" FTP connections.

You will need to list the names or port numbers of any services running on
this machine that you want hosts on the \"public\" network to access. For instance, if
you have a local Web server you want to share, add \"80\" for the normal HTTP port.
Not doing so means you will be able to access the service locally, but \"public\"
hosts will not."
QUESTION: "TCP service names or port numbers to allow on public interfaces: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_publicudp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_publicudp
NO_CHILD:
PROPER_PARENT: ip_b_icmpaudit

LABEL: ip_b_publicudp
SHORT_EXP: "List names or port numbers on which to accept UDP connection attempts from
the \"public\" interfaces. Again, typical workstations will not want to make any
services available, but if you're running caching or real DNS servers, you will need
to enable domain (port 53)."
QUESTION: "UDP service names or port numbers to allow on public interfaces: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_passiveftp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_internaltcp
NO_CHILD:
PROPER_PARENT: ip_b_publictcp

LABEL: ip_b_internaltcp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_internaludp
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_internaludp
NO_CHILD:
PROPER_PARENT: ip_b_publicudp

LABEL: ip_b_internaludp
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_passiveftp
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_passiveftp
NO_CHILD:
PROPER_PARENT: ip_b_publicudp

LABEL: ip_b_passiveftp
SHORT_EXP: "This has nothing to do with whether you are running an FTP _server_ on
this machine; this has to do with how clients running on this machine will talk to
_other_ machines running FTP servers reachable through the \"public\" interfaces. By
forcing your local FTP clients to use \"passive\" mode, you will not have to be as
cautious about blocking specific \"high\" TCP services. Set to \"Y\" to force
\"passive\" FTP; the default \"N\" will allow you to use normal, \"active\" FTP.
Forcing passive mode (\"Y\") is recommended, but less convenient.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
LONG_EXP: "This has nothing to do with whether you are running an FTP _server_ on
this machine; this has to do with how clients running on this machine will talk to
_other_ machines running FTP servers reachable through the \"public\" interfaces. By
forcing your local FTP clients to use \"passive\" mode, you will not have to be as
cautious about blocking specific \"high\" TCP services. Set to \"Y\" to force
\"passive\" FTP; the default \"N\" will allow you to use normal, \"active\" FTP.
Forcing passive mode (\"Y\") is recommended, but less convenient.

Forcing passive FTP will make using some FTP clients more of a hassle, as
you may need to manually tell them to use passive mode, but many clients such as
Netscape Navigator have no problem with passive FTP. If you have problems with FTP,
this is the first place to look.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "Force passive mode? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: N
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_tcpblock
NO_CHILD: ip_b_tcpblock
PROPER_PARENT: ip_b_publicudp

LABEL: ip_b_tcpblock
SHORT_EXP: "Specify TCP services to block.  These rules take effect _after_ the TCP
services to make public. If you allow the use of \"active\" FTP clients
(FORCE_PASV_FTP at its default of \"0\"), you will need to be careful here, and will
want to make sure you block all TCP services listening on high ports. If you are
forcing \"passive\" FTP, you may ignore this setting.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
LONG_EXP: "Specify TCP services to block.  These rules take effect _after_ the TCP
services to make public. If you allow the use of \"active\" FTP clients
(FORCE_PASV_FTP at its default of \"0\"), you will need to be careful here, and will
want to make sure you block all TCP services listening on high ports. If you are
forcing \"passive\" FTP, you may ignore this setting.

We have listed the services we have observed. To be more cautious, you
should look at the output of 'lsof -i' (run as root) once the system is up and all
services are running.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "TCP services to block: [2049 2065:2090 6000:6020 7100]"
DEFAULT_ANSWER: 2049 2065:2090 6000:6020 7100
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_udpblock
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_udpblock
NO_CHILD:
PROPER_PARENT: ip_b_passiveftp

LABEL: ip_b_udpblock
SHORT_EXP: "Specify UDP services to block.  As with the TCP services, the UDP services
to make public will take precedence. The high UDP services that you do not block will
be reachable by any allowed NTP or DNS server. Sites with more such \"high UDP\"
services, or global DNS availability (as is the default, DNS_SERVERS=\"0.0.0.0/0\"),
will want to be sure they have all such high UDP services listed.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "UDP services to block: [2049 6770]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_icmpallowed
DEFAULT_ANSWER: 2049 6770
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_icmpallowed
NO_CHILD:
PROPER_PARENT: ip_b_tcpblock

LABEL: ip_b_icmpallowed
SHORT_EXP: "Specify the ICMP allowed types.  The default suggestion allows you to
probe other hosts with ping and traceroute. Minimally you will need to allow
\"destination-unreachable\"."
LONG_EXP: "Specify the ICMP allowed types.  The default suggestion allows you to
probe other hosts with ping and traceroute. Minimally you will need to allow
\"destination-unreachable\".

\"destination-unreachable\" lets other machines' servers tell your system
when things aren't right; don't disable this unless you really know what you're
getting into. If you don't allow \"echo-reply\" and \"time-exceeded\", you won't be
able to use ping and traceroute to debug issues on the \"public\" networks. "
QUESTION: "ICMP allowed types: [destination-unreachable echo-reply time-exceeded]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_srcaddr
DEFAULT_ANSWER: destination-unreachable echo-reply time-exceeded
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_srcaddr
NO_CHILD:
PROPER_PARENT: ip_b_udpblock

LABEL: ip_b_srcaddr
SHORT_EXP: "Do you want to enable source address verification? This configures the
kernel to block traffic likely to have spoofed IP addresses. Set to \"N\" to disable.
The default (\"Y\") is highly recommended."
LONG_EXP: "Do you want to enable source address verification? This configures the
kernel to block traffic likely to have spoofed IP addresses. Set to \"N\" to disable.
The default (\"Y\") is highly recommended.

This is a standard, and highly recommended, precaution. "
QUESTION: "Enable source address verification? [Y]"
REQUIRE_DISTRO: LINUX DB SE TB
DEFAULT_ANSWER: Y
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_ipmasq
NO_CHILD: ip_b_ipmasq
PROPER_PARENT: ip_b_icmpallowed

LABEL: ip_b_ipmasq
DEFAULT_ANSWER:
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_kernelmasq
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_kernelmasq
NO_CHILD:
PROPER_PARENT: ip_b_srcaddr

LABEL: ip_b_kernelmasq
DEFAULT_ANSWER: ftp raudio vdolive
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_rejectmethod
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_rejectmethod
NO_CHILD:
PROPER_PARENT: ip_b_srcaddr

LABEL: ip_b_rejectmethod
SHORT_EXP: "You need to set how the kernel rejects blocked traffic. \"REJECT\" is
friendly, lets the remote host know you're blocking their attempt (and can therefore
be used to prove you're on the network). \"DENY\" is unfriendly, simply drops the
connection attempt, leaving the remote host to wait, and probably give up after some
time."
LONG_EXP: "You need to set how the kernel rejects blocked traffic. \"REJECT\" is
friendly, lets the remote host know you're blocking their attempt (and can therefore
be used to prove you're on the network). \"DENY\" is unfriendly, simply drops the
connection attempt, leaving the remote host to wait, and probably give up after some
time.

There's no definite right answer here. You will probably not be
_completely_ invisible, even if you choose \"DENY\", but with \"DENY\" and _no_ public
services, you will not be visible to casual probes. "
QUESTION: "Reject method: [DENY]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_dhcpiface
DEFAULT_ANSWER: DENY
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_dhcpiface
NO_CHILD:
PROPER_PARENT: ip_b_srcaddr

LABEL: ip_b_dhcpiface
SHORT_EXP: "List the names of any interfaces this machine will need to make DHCP
_queries_ on to configure _its own_ interfaces. For example, a cable modem user with a
single ethernet interface might need to set this to \"eth0\".

Systems that use regular PPP modem dialups may leave this blank.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "Interfaces for DHCP queries: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_ntpsrv
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_ntpsrv
NO_CHILD:
PROPER_PARENT: ip_b_rejectmethod

LABEL: ip_b_ntpsrv
SHORT_EXP: "If you want to query NTP time servers to synchronize your system time,
enter IP addresses or networks for those servers here. If you don't intend to make NTP
queries, leave this as the empty default.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
LONG_EXP: "If you want to query NTP time servers to synchronize your system time,
enter IP addresses or networks for those servers here. If you don't intend to make NTP
queries, leave this as the empty default.

The same warnings about blocked UDP services and DNS servers apply here;
the hosts and networks you list here can connect to any high UDP port not explicitly
blocked.

What you answer is important if you use kernel 2.2/ipchains, but makes no
difference if you use kernel 2.4 and iptables."
QUESTION: "NTP servers to query: [ ]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_b_icmpout
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_icmpout
NO_CHILD:
PROPER_PARENT: ip_b_dhcpiface

LABEL: ip_b_icmpout
SHORT_EXP: "Do you want to disable any outbound ICMP types?  If you disable the types
listed in the default, your machine will not be visible to normal traceroute probes
from hosts on your \"public\" interfaces."
LONG_EXP: "Do you want to disable any outbound ICMP types?  If you disable the types
listed in the default, your machine will not be visible to normal traceroute probes
from hosts on your \"public\" interfaces.

\"destination-unreachable\" is (ab)used by the traceroute program to check
routing to individual hosts. "
QUESTION: "ICMP types to disallow outbound: [destination-unreachable time-exceeded]"
REQUIRE_DISTRO: LINUX DB SE TB
SKIP_CHILD: ip_enable_firewall
DEFAULT_ANSWER: destination-unreachable time-exceeded
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_enable_firewall
NO_CHILD:
PROPER_PARENT: ip_b_ntpsrv

LABEL: ip_enable_firewall
SHORT_EXP: "The firewall is controlled by /etc/rc.d/init.d/bastille-firewall.  The
configuration file is /etc/Bastille/bastille-firewall.cfg, which you may modify.
After it has been installed, you can then test the firewall by using
      /etc/rc.d/init.d/bastille-firewall start
and (to remove all firewall rules)
      /etc/rc.d/init.d/bastille-firewall stop

Once you have a configuration that will work on your system, you can make it
run at every normal boot-up by typing
      /sbin/chkconfig --add bastille-firewall
      /sbin/chkconfig bastille-firewall reset

If you are confident of your selections, Bastille can start the firewall
and configure it to run at boot time for you.

** It is strongly recommended that you answer N if you are not logged in to
   the system's console, as your network access may be blocked by the firewall. **"
QUESTION: "Should Bastille run the firewall and enable it at boot time? [N]"
REQUIRE_DISTRO: LINUX DB SE TB
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
DEFAULT_ANSWER: N
YES_CHILD: psad_config
NO_CHILD: psad_config
PROPER_PARENT: ip_advnetwork

FILE: PSAD.pm

LABEL: psad_config
SHORT_EXP: "Bundled with Bastille is the Port Scan Attack Detector (PSAD), which
analyzes information gathered in firewall logs to determine whether or not someone
is scanning your machine.  Psad features a set of flexible thresholds (with sensible
defaults provided) that are used to define what constitutes a port scan, detection
of advanced port scans (SYN, FIN, Xmas) that are easily leveraged against a machine
via nmap, email alerts that contain the source and destination IP addresses, the
range of scanned ports, begin and end times, TCP flags set in the scanning packets
(2.4.x kernels only), reverse DNS and whois information, and more.

NOTE: For psad to be effective, the firewall must be active."
QUESTION: "Would you like to set up PSAD?"
REQUIRE_DISTRO: LINUX
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
DEFAULT_ANSWER: N
YES_EXP:
NO_EXP:
YES_CHILD: psad_check_interval
SKIP_CHILD: End_Screen
NO_CHILD: End_Screen
PROPER_PARENT: ip_advnetwork

LABEL: psad_check_interval
SHORT_EXP: "This controls how often psad checks for packets that have been denied by
the firewall. A good default is 15 seconds.

It is important not to set this value too high: psad alerts are sent when the
interval ends, and you want to learn that your machine is being scanned as
quickly as possible.  Setting the value too low, on the other hand, can make psad
generate alerts rapidly and consume much of your system's resources if your machine
is subjected to a high-traffic scan."
QUESTION: "psad check interval: [15]"
REQUIRE_DISTRO: LINUX
DEFAULT_ANSWER: 15
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: psad_port_range_scan_threshold
NO_CHILD: psad_port_range_scan_threshold
SKIP_CHILD: psad_port_range_scan_threshold
PROPER_PARENT: psad_config

LABEL: psad_port_range_scan_threshold
SHORT_EXP: "Psad has been designed to allow the administrator to define what network
traffic constitutes a port scan. This value determines a minimum range of ports that
must be scanned from interval to interval before an alert will be sent.  For example,
if this value is set to 0, psad will consider that multiple packets to the same port
qualify as a port scan. However if this value is set to 10 then there must be a
difference of 10 ports in a scan before psad considers it as such.

The default is 1 which means that unless at least two ports are scanned psad will
ignore the traffic. This also implies that multiple packets sent to the same port do
not qualify as a port scan."
QUESTION: "Port range scan threshold: [1]"
REQUIRE_DISTRO: LINUX
DEFAULT_ANSWER: 1
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: psad_enable_persistence
NO_CHILD: psad_enable_persistence
SKIP_CHILD: psad_enable_persistence
PROPER_PARENT: psad_check_interval

LABEL: psad_enable_persistence
SHORT_EXP: "Detecting port scans is all about setting thresholds for the number of
ports scanned within a fixed period of time. Hence, an attacker can try to slip beneath
the threshold by using a long time interval (hours or even days) between scanning each
port on a target machine. Setting this value to Y will configure psad to keep a
summary of all scanned ports indefinitely within memory for each IP so that port scans
do not expire over time.

The default is N since most scans are easily recognizable within a short time interval,
which is configured in the next question box if you leave this value as N."
QUESTION: "Enable scan persistence?"
REQUIRE_DISTRO: LINUX
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
DEFAULT_ANSWER: N
YES_EXP:
NO_EXP:
YES_CHILD: psad_show_all_signatures
NO_CHILD: psad_scan_timeout
SKIP_CHILD: psad_scan_timeout
PROPER_PARENT: psad_port_range_scan_threshold

LABEL: psad_scan_timeout
SHORT_EXP: "This will allow you to define the length of time psad considers data about
a port scan or potential port scan to be important. If this length of time passes after
an initial port scan is detected, the IP from which the scan originated is purged from
psad's memory space along with the scan data.

The default is 3600 seconds (one hour)."
QUESTION: "Scan timeout: [3600]"
REQUIRE_DISTRO: LINUX
DEFAULT_ANSWER: 3600
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: psad_show_all_signatures
NO_CHILD: psad_show_all_signatures
SKIP_CHILD: psad_show_all_signatures
PROPER_PARENT: psad_enable_persistence

LABEL: psad_show_all_signatures
SHORT_EXP: "Psad makes use of many TCP and UDP signatures included within the Snort
Intrusion Detection System to detect scans for various back doors and/or trojans (Back
Orifice, SubSeven, etc.), DDoS tools (mstream, shaft) and advanced port scans (SYN,
FIN, XMAS, NULL). Over the course of a scan psad keeps track of all signatures that
have been matched, and if this value is set to Y, all matched signatures will be
printed with every alert email instead of just the most recently matched ones.

The default is N since the email record will already contain the most recently
matched signatures."
QUESTION: "Show all scan signatures?"
REQUIRE_DISTRO: LINUX
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
DEFAULT_ANSWER: N
YES_EXP:
NO_EXP:
YES_CHILD: psad_danger_levels
NO_CHILD: psad_danger_levels
SKIP_CHILD: psad_danger_levels
PROPER_PARENT: psad_scan_timeout

LABEL: psad_danger_levels
SHORT_EXP: "As port scans are detected by psad they are assigned a danger level from
1 to 5 based on the number of packets and whether they match a specific signature
(iptables only).

The default number of packets for each danger level are as follows:
Danger Level 1 = 5 packets
Danger Level 2 = 50 packets
Danger Level 3 = 1000 packets
Danger Level 4 = 5000 packets
Danger Level 5 = 10000 packets"
QUESTION: "Danger Levels: [5 50 1000 5000 10000]"
REQUIRE_DISTRO: LINUX
DEFAULT_ANSWER: 5 50 1000 5000 10000
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: psad_enable_email_alerts
NO_CHILD: psad_enable_email_alerts
SKIP_CHILD: psad_enable_email_alerts
PROPER_PARENT: psad_show_all_signatures
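
The port range scan threshold, scan timeout and danger levels described in the three psad questions above, worked through as an added Python example (this is not psad's or Bastille's own code). The log lines are a constructed, simplified firewall log, and the ScanTracker and run_log names are assumptions for illustration:

```python
import re

# psad defaults from the Bastille questions above: packet counts for danger levels 1..5,
# the port range scan threshold, and the scan timeout in seconds.
DANGER_LEVELS = (5, 50, 1000, 5000, 10000)
PORT_RANGE_THRESHOLD = 1
SCAN_TIMEOUT = 3600

# Constructed sample: a simplified firewall log, one denied packet per line, keeping
# only an epoch timestamp and the SRC=/DPT= fields of an iptables LOG entry.
SAMPLE_LOG = """\
1000 SRC=10.0.0.5 DPT=22
1001 SRC=10.0.0.5 DPT=23
1002 SRC=10.0.0.5 DPT=25
1003 SRC=10.0.0.5 DPT=80
1004 SRC=10.0.0.5 DPT=110
1000 SRC=10.0.0.9 DPT=80
1001 SRC=10.0.0.9 DPT=80
1002 SRC=10.0.0.9 DPT=80
1003 SRC=10.0.0.9 DPT=80
1004 SRC=10.0.0.9 DPT=80
1000 SRC=10.0.0.7 DPT=1
1001 SRC=10.0.0.7 DPT=2
1002 SRC=10.0.0.7 DPT=3
5000 SRC=10.0.0.7 DPT=10
5001 SRC=10.0.0.7 DPT=11
"""

LOG_RE = re.compile(r"^(?P<ts>\d+) .*\bSRC=(?P<src>[\d.]+)\b.*\bDPT=(?P<dpt>\d+)\b")


class ScanTracker:
    def __init__(self, range_threshold=PORT_RANGE_THRESHOLD,
                 danger_levels=DANGER_LEVELS, timeout=SCAN_TIMEOUT):
        self.range_threshold = range_threshold
        self.danger_levels = danger_levels
        self.timeout = timeout
        self.state = {}  # src -> {"last": ts, "packets": n, "ports": set()}

    def observe(self, ts, src, dpt):
        st = self.state.get(src)
        # Scan timeout: no packet from src within `timeout` seconds purges its data.
        if st is not None and ts - st["last"] > self.timeout:
            st = None
        if st is None:
            st = self.state[src] = {"last": ts, "packets": 0, "ports": set()}
        st["last"] = ts
        st["packets"] += 1
        st["ports"].add(dpt)

    def danger_level(self, src):
        st = self.state.get(src)
        if st is None:
            return 0
        # Port range threshold: spread of scanned ports must reach it (0 = any port).
        if max(st["ports"]) - min(st["ports"]) < self.range_threshold:
            return 0
        # Danger level is the number of packet thresholds reached (0 = below level 1).
        return sum(1 for n in self.danger_levels if st["packets"] >= n)


def run_log(text, **settings):
    tracker = ScanTracker(**settings)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            tracker.observe(int(m["ts"]), m["src"], int(m["dpt"]))
    return tracker
```

With the defaults, 10.0.0.5 reaches danger level 1, 10.0.0.9 (one port only) is not a scan unless the range threshold is 0, and 10.0.0.7's early packets are purged by the timeout before its second burst.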

LABEL: psad_enable_email_alerts
SHORT_EXP: "Psad does not have to send an email alert when a scan is detected
but it is highly recommended. Psad stores newly discovered scan data in the psad
logfile (/var/log/psad/scanlog) but receiving an email notification is better than
having to watch this file."
QUESTION: "Enable email alerts?"
REQUIRE_DISTRO: LINUX
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
DEFAULT_ANSWER: Y
YES_EXP:
NO_EXP:
YES_CHILD: psad_email_alert_addresses
NO_CHILD: psad_enable_auto_ids
SKIP_CHILD: psad_enable_auto_ids
PROPER_PARENT: psad_danger_levels

LABEL: psad_email_alert_addresses
SHORT_EXP: "Psad supports sending email alerts to multiple email addresses. You can
specify as many email addresses as you like; just enter them one right after another
without any commas.

The default email address is root@localhost."
QUESTION: "Email addresses: [root@localhost]"
REQUIRE_DISTRO: LINUX
DEFAULT_ANSWER: root@localhost
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: psad_email_alert_danger_level
NO_CHILD: psad_email_alert_danger_level
SKIP_CHILD: psad_email_alert_danger_level
PROPER_PARENT: psad_enable_email_alerts

LABEL: psad_email_alert_danger_level
SHORT_EXP: "Psad can be configured to send an email alert for a scan only after the
scan has reached a certain danger level. For example, if you don't want psad to alert
you about a scan until it has reached the highest danger level (5), then you would set
this value to 5.

The default danger level is 1."
QUESTION: "Email alert danger level: [1]"
REQUIRE_DISTRO: LINUX
DEFAULT_ANSWER: 1
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: psad_alert_all
NO_CHILD: psad_alert_all
SKIP_CHILD: psad_alert_all
PROPER_PARENT: psad_email_alert_addresses

LABEL: psad_alert_all
SHORT_EXP: "Throughout the course of a scan, new packets may be sent to your machine
that don't trip the next danger threshold and hence psad will not alert you unless
the value is set to Y.

The default is Y since once a scan reaches the threshold assigned in the previous
section you will probably want as much information on it as psad can produce."
QUESTION: "Alert on all new packets?"
REQUIRE_DISTRO: LINUX
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
DEFAULT_ANSWER: Y
YES_EXP:
NO_EXP:
YES_CHILD: psad_enable_auto_ids
NO_CHILD: psad_enable_auto_ids
SKIP_CHILD: psad_enable_auto_ids
PROPER_PARENT: psad_email_alert_danger_level

LABEL: psad_enable_auto_ids
SHORT_EXP: "Psad has the capability of automatically blocking any IP address that
has scanned your machine if the scan trips a certain threshold. WARNING: This feature
has the potential to create the ability for anyone to commit a Denial of Service
against your machine/network and cause psad to block all access to any website of the
attacker's choosing. For example, suppose that an attacker wants to make psad block
access to www.yahoo.com. Then all the attacker would need to do is spoof a port scan
from www.yahoo.com's IP address(es) and make sure the scan is comprehensive enough to
trip the automatic blocking threshold.

The default is N for the reason given above, but if the requirements for your site
outweigh this possibility then answering Y will enable the automatic blocking
feature and the next section will ask you to define a corresponding danger
threshold."
QUESTION: "Enable automatic blocking of scanning IPs?"
REQUIRE_DISTRO: LINUX
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
DEFAULT_ANSWER: N
YES_EXP:
NO_EXP:
YES_CHILD: psad_auto_ids_danger_level
NO_CHILD: psad_enable_at_boot
SKIP_CHILD: psad_enable_at_boot
PROPER_PARENT: psad_enable_email_alerts

LABEL: psad_auto_ids_danger_level
SHORT_EXP: "This controls at what danger level a scan must reach before it is
automatically blocked by psad. Normally this value should be set to a relatively high
value so that only IP addresses that leverage really comprehensive scans will be
blocked.

The default danger level is 5."
QUESTION: "Auto blocking danger level: [5]"
REQUIRE_DISTRO: LINUX
DEFAULT_ANSWER: 5
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: psad_enable_at_boot
NO_CHILD: psad_enable_at_boot
SKIP_CHILD: psad_enable_at_boot
PROPER_PARENT: psad_enable_auto_ids

LABEL: psad_enable_at_boot
SHORT_EXP: "The Port Scan Attack Detector is controlled by a standard Sys V style
init script, /etc/rc.d/init.d/psad.  To start the psad daemons, simply execute
        /etc/rc.d/init.d/psad start
and to stop psad, execute
        /etc/rc.d/init.d/psad stop

Bastille can configure your system to start psad at boot time by executing
        chkconfig psad on."
QUESTION: "Should Bastille enable psad at boot time? [N]"
REQUIRE_DISTRO: LINUX
YN_TOGGLE: 1
REG_EXP: "^Y$|^N$"
YES_EXP:
NO_EXP:
DEFAULT_ANSWER: N
YES_CHILD: End_Screen
NO_CHILD: End_Screen
SKIP_CHILD: End_Screen
PROPER_PARENT: psad_enable_auto_ids

