Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 1 of 22 (1,654 Views)

bastille

Got a defect identified by the testers in our newly built VM host. How do I get rid of this?

#> bastille -l
NOTE:    The system is in its pre-bastilled state.

#pwd

/etc/opt/sec_mgmt/bastille
#> ll
total 112
-r-xr-xr-x   1 bin        bin            209 Mar  3  2011 Modules.txt
dr-xr-xr-x   3 bin        bin           8192 Jan  7 13:55 OSMap
dr-xr-xr-x   2 bin        bin           8192 Jan  7 13:55 Questions
dr-xr-xr-x   4 bin        bin             96 Jan  7 13:55 configs
-r-xr-xr-x   1 bin        bin            814 Mar  3  2011 ipf.customrules
-r-xr-xr-x   1 bin        bin            986 Mar  3  2011 jail.bind.hpux
-r-xr-xr-x   1 bin        bin            823 Mar  3  2011 jail.bind9.hpux
-r-xr-xr-x   1 bin        bin           1643 Mar  3  2011 jail.generic.hpux
dr-xr-xr-x   2 bin        bin             96 Jan  7 13:55 mx
#>

 

 

 

In another normal server:

# pwd
/etc/opt/sec_mgmt/bastille
#

# ll
total 128
-rw-------   1 root       sys              0 Jun 20  2008 .nodisclaimer
-r-xr-xr-x   1 bin        bin            197 Dec  7  2007 Modules.txt
dr-xr-xr-x   3 bin        bin           8192 Jun 18  2008 OSMap
dr-xr-xr-x   2 bin        bin           8192 Jun 18  2008 Questions
-r----x---   1 bin        bin           6105 Jun 20  2008 config
dr-xr-xr-x   4 bin        bin             96 Jun 18  2008 configs
-r-xr-xr-x   1 bin        bin            814 Dec  7  2007 ipf.customrules
-r-xr-xr-x   1 bin        bin            986 Dec  7  2007 jail.bind.hpux
-r-xr-xr-x   1 bin        bin            823 Dec  7  2007 jail.bind9.hpux
-r-xr-xr-x   1 bin        bin           1643 Dec  7  2007 jail.generic.hpux
dr-xr-xr-x   2 bin        bin             96 Jun 18  2008 mx
# bastille -l
The last bastille run corresponds to the following profiles:
   /etc/opt/sec_mgmt/bastille/config

 

#

Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 2 of 22 (1,641 Views)

Re: bastille

/etc/opt/sec_mgmt/bastille#> bastille -b -f config
NOTE:    Entering Critical Code Execution.
         Bastille has disabled keyboard interrupts.


NOTE:    Bastille is scanning the system configuration...

FATAL:   A fatal error has occurred.  Not all of the questions
         that pertain to this system have been answered.  Rerun
         the interactive portion of Bastille on this system.
         MODULE.QUESTION=AccountSecurity.cronuser
/etc/opt/sec_mgmt/bastille#>

 

I copied the config file from another server and gave it appropriate permissions, but I got the above error.

Can someone please suggest?

Valued Contributor
Henry Fauni
Posts: 66
Registered: ‎09-24-2002
Message 3 of 22 (1,629 Views)

Re: bastille

It's possible you have a newer version of Bastille software installed on the new server, and the MODULE question it's looking for is not there.

 

Compare versions on both systems:

# swlist -l product -a revision | grep -i bastille

 

I would just do what it's suggesting: "Rerun the interactive portion of Bastille on this system."

 


 

Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 4 of 22 (1,613 Views)

Re: bastille

Hello Henry, this could be of some interest:

 

Normal server:

 # bastille -l
The last bastille run corresponds to the following profiles:
  # swlist -l product -a revision | grep -i bastille
  Bastille              B.3.0.31
# uname -a
HP-UX <vmhost> B.11.31 U ia64 3565873559 unlimited-user license
 #

 

Newly built server(has bastille issue):

 

:/etc/opt/sec_mgmt/bastille #> bastille -b -f config
NOTE:    Entering Critical Code Execution.
         Bastille has disabled keyboard interrupts.


NOTE:    Bastille is scanning the system configuration...

FATAL:   A fatal error has occurred.  Not all of the questions
         that pertain to this system have been answered.  Rerun
         the interactive portion of Bastille on this system.
         MODULE.QUESTION=AccountSecurity.cronuser
:/etc/opt/sec_mgmt/bastille #>

:/ #> swlist -l product -a revision | grep -i bastille
  Bastille              B.3.3.01
 #>uname -a
HP-UX <vmhost> B.11.31 U ia64 1392496050 unlimited-user license
/etc/opt/sec_mgmt/bastille #>

please suggest


 

Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 5 of 22 (1,606 Views)

Re: bastille

can we consider.... downgrading the bastille version from B.3.3.01 to B.3.0.31
but not sure if it is a simple procedure of swremove and then swinstall
pls suggest
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 6 of 22 (1,590 Views)

Re: bastille

Henry..you said
I would just do what it's suggesting: "Rerun the interactive portion of Bastille on this system."
How would I do this...

etc/opt/sec_mgmt/bastille #> bastille
NOTE: $DISPLAY not set. Attempting Curses interface.
NOTE: Using Curses user interface module.
NOTE: Only displaying questions relevant to the current configuration.
ERROR: Could not load the 'Curses.pm' interface module.This may be due to an
invalid $DISPLAY setting,or the module not being visible to Perl.
etc/opt/sec_mgmt/bastille #>
Acclaimed Contributor
Torsten.
Posts: 23,451
Registered: ‎10-02-2001
Message 7 of 22 (1,580 Views)

Re: bastille

This is a graphical application; you need an X server.

Consider downloading something like "mobaxterm" to your PC, run it and ssh to the server.

Hope this helps!
Regards
Torsten.

__________________________________________________

There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________

No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 8 of 22 (1,575 Views)

Re: bastille

 
Acclaimed Contributor
Torsten.
Posts: 23,451
Registered: ‎10-02-2001
Message 9 of 22 (1,573 Views)

Re: bastille

$DISPLAY not set!

You still have this message.

Hope this helps!
Regards
Torsten.

Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 10 of 22 (1,570 Views)

Re: bastille


trying..but failing :-(

:/ #> export DISPLAY=`hostname`
:/ #> xhost + `hostname`
xhost: unable to open display "xxx-yyy-vmhost"
:/ #>

:/ #> export DISPLAY=`hostname`:0.0
:/ #> xhost +
xhost: unable to open display "xxx-yyy-vmhost:0.0"
:/ #>

Acclaimed Contributor
Torsten.
Posts: 23,451
Registered: ‎10-02-2001
Message 11 of 22 (1,565 Views)

Re: bastille

What xserver do you have on your PC?


Try mobaxterm for example.

Hope this helps!
Regards
Torsten.

Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 12 of 22 (1,564 Views)

Re: bastille

Need to access servers from Citrix.

On the Citrix web page we already have Exceed (Hummingbird).

I am using that now.

A while ago I downloaded to my PC what you suggested: MobaXterm_Personal_4.2.exe, but realised that uploading it onto Citrix needs to be done by Citrix admins only (and then run it and ssh to the server). So I dropped that plan and am trying with Exceed.

Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 13 of 22 (1,560 Views)

Re: bastille

As a normal user xclock works.

As a root user, xclock doesn't work.

As root, unable to open xhost + and xclock.

:/ #> xclock
Error: Can't open display:
Error: Couldn't find per display information
:/ #>whoami

#root

 exit
logout root

#

 

 

As a normal user xclock works but xhost + doesn't work
 # xhost +
access control disabled, clients can connect from any host
xhost:  must be on local machine to enable or disable access control.
 # whoami

axbt

Acclaimed Contributor
Torsten.
Posts: 23,451
Registered: ‎10-02-2001
Message 14 of 22 (1,556 Views)

Re: bastille

>> As a normal user xclock works.
>> As a root user, xclock doesn't work.


If xclock works, get the DISPLAY value.

# echo $DISPLAY

then set the same value if you are root.


Hope this helps!
Regards
Torsten.

Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 15 of 22 (1,548 Views)

Re: bastille

Normal user(xclock works)
#> echo $DISPLAY
localhost:10.0
#> xclock
#>


root user:
root #> echo $DISPLAY
sh: DISPLAY: Parameter not set.
root #> export DISPLAY=localhost:10.0
root #> echo $DISPLAY
localhost:10.0
root #> xhost +
X connection to localhost:10.0 broken (explicit kill or server shutdown).
root #> #>
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 16 of 22 (1,543 Views)

Re: bastille

Torsten..I showed some outputs regarding the display variable above.

Henry..can you pls suggest regarding the software version of bastille
normal (bastille working) server
Bastille B.3.0.31

our newly built server(bastille not working)
Bastille B.3.3.31

thank you
Acclaimed Contributor
Torsten.
Posts: 23,451
Registered: ‎10-02-2001
Message 17 of 22 (1,539 Views)

Re: bastille

You need to set the DISPLAY variable to the IP of your PC. localhost from the server point of view means the server, not your PC.


Hope this helps!
Regards
Torsten.

Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 18 of 22 (1,534 Views)

Re: bastille

Thanks Torsten for all your answers, but I didn't understand the last suggestion from you. Please explain.
I am working from a PC which is accessing a Citrix webpage application from a Citrix server. One such application is Hummingbird (Exceed). I am accessing a server with an IP by using secure shell.
First I logged in as a normal user, checked the display variable, and assigned the same variable to the root user.
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 19 of 22 (1,531 Views)

Re: bastille

This is exceed(humming bird xTerm) using secure shell

root@:/ #> /opt/sec_mgmt/bastille/bin/bastille
NOTE: $DISPLAY not set. Attempting Curses interface.
NOTE: Using Curses user interface module.
NOTE: Only displaying questions relevant to the current configuration.
ERROR: Could not load the 'Curses.pm' interface module.This may be due to an
invalid $DISPLAY setting,or the module not being visible to Perl.
root@:/ #> echo $DISPLAY
sh: DISPLAY: Parameter not set.
root@:/ #> export DISPLAY=localhost:10.0
root@:/ #> echo $DISPLAY
localhost:10.0
root@:/ #> /opt/sec_mgmt/bastille/bin/bastille
NOTE: Valid display found; defaulting to Tk (X) interface.
NOTE: Using Tk user interface module.
NOTE: Only displaying questions relevant to the current configuration.
NOTE: Bastille is scanning the system configuration...
NOTE: Config file, /etc/opt/sec_mgmt/bastille/config, found; populating
answers.
X connection to localhost:10.0 broken (explicit kill or server shutdown).
root@:/ #> bastille -l
NOTE: The system is in its pre-bastilled state.

root@:/ #>

The server is not shut down. It is OK, but bastille -l still doesn't work!
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 20 of 22 (1,529 Views)

Re: bastille

I moved the existing /etc/opt/sec_mgmt/bastille/config file to /tmp.
Tried again...
root#> /opt/sec_mgmt/bastille/bin/bastille
NOTE: Valid display found; defaulting to Tk (X) interface.
NOTE: Using Tk user interface module.
NOTE: Only displaying questions relevant to the current configuration.
NOTE: Bastille is scanning the system configuration...
NOTE: No pre-existing config-file found at:
/etc/opt/sec_mgmt/bastille/config Bastille will set answers to default
values.
couldn't connect to display "localhost:10.0" at /opt/perl_32/lib/site_perl/5.8.8/IA64.ARCHREV_0-thread-multi/Tk/MainWindow.pm line 55.
MainWindow->new() at /opt/sec_mgmt/bastille/lib/Bastille_Tk.pm line 135
root #>
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 21 of 22 (1,518 Views)

Re: bastille

Enabled direct root login on the server and then tried ssh from Exceed (Hummingbird). I got the window where I can answer questions for bastille :-)
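
Editor's added example, not part of any post in this thread: assuming the "X connection to localhost:10.0 broken" error after switching to root is the usual case of root's X authority file lacking the cookie for the ssh-forwarded display, the sketch below turns the login user's `xauth list` output into the `xauth add` command to run as root, so neither `xhost +` nor direct root login is needed. The helper names, the host name and the cookie values are constructed for illustration.

```shell
#!/bin/sh
# Added example: hand the login user's X cookie to root after su.
# SAMPLE_XAUTH_LIST is constructed; host name and keys are made up.
SAMPLE_XAUTH_LIST='vmhost/unix:10  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
vmhost/unix:11  MIT-MAGIC-COOKIE-1  fedcba9876543210fedcba9876543210'

# display_number DISPLAY: "localhost:10.0" -> "10".
# Fails on an empty value or one with no ":<number>" part, such as a
# bare host name.
display_number() {
    case $1 in
        *:*) ;;
        *) echo "DISPLAY '$1' has no :<number> part" >&2; return 1 ;;
    esac
    n=${1##*:}      # drop the host part  -> "10.0"
    n=${n%%.*}      # drop the screen     -> "10"
    case $n in
        ''|*[!0-9]*) echo "DISPLAY '$1' has no display number" >&2; return 1 ;;
    esac
    printf '%s\n' "$n"
}

# xauth_add_cmds DISPLAY: reads `xauth list` output on stdin and prints
# an `xauth add` command for every entry of that display number.
# Returns non-zero when no entry matches.
xauth_add_cmds() {
    num=$(display_number "$1") || return 1
    awk -v num="$num" '
        NF == 3 {
            k = split($1, part, ":")          # entry name ends in :<number>
            if (part[k] == num) {
                printf "xauth add %s %s %s\n", $1, $2, $3
                found = 1
            }
        }
        END { exit !found }'
}

# As the login user (where xclock works):
#   xauth list | xauth_add_cmds "$DISPLAY"
# As root, in the same ssh session: run the printed command, then
#   export DISPLAY=localhost:10.0
printf '%s\n' "$SAMPLE_XAUTH_LIST" | xauth_add_cmds localhost:10.0
```

The printed command contains the session cookie, which grants access to the forwarded display, so keep it out of shared logs and shell history files.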
Occasional Visitor
raniyal
Posts: 1
Registered: ‎04-11-2012
Message 22 of 22 (1,478 Views)

Re: bastille

After getting the Bastille GUI, go through each question; you will find a detailed description against each question.

According to your need you can give answers.

After answering all questions, press the "Save/Apply" button. It will save your config file and apply that configuration file to the system.
