Re: bastille (1119 Views)
Reply
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 1 of 22 (1,213 Views)

bastille

Got a defect identified by the testers in our newly built VM host. How to get rid of this

#> bastille -l
NOTE:    The system is in its pre-bastilled state.

#pwd

/etc/opt/sec_mgmt/bastille
#> ll
total 112
-r-xr-xr-x   1 bin        bin            209 Mar  3  2011 Modules.txt
dr-xr-xr-x   3 bin        bin           8192 Jan  7 13:55 OSMap
dr-xr-xr-x   2 bin        bin           8192 Jan  7 13:55 Questions
dr-xr-xr-x   4 bin        bin             96 Jan  7 13:55 configs
-r-xr-xr-x   1 bin        bin            814 Mar  3  2011 ipf.customrules
-r-xr-xr-x   1 bin        bin            986 Mar  3  2011 jail.bind.hpux
-r-xr-xr-x   1 bin        bin            823 Mar  3  2011 jail.bind9.hpux
-r-xr-xr-x   1 bin        bin           1643 Mar  3  2011 jail.generic.hpux
dr-xr-xr-x   2 bin        bin             96 Jan  7 13:55 mx
#>

 

 

 

In another normal server:

# pwd
/etc/opt/sec_mgmt/bastille
#

# ll
total 128
-rw-------   1 root       sys              0 Jun 20  2008 .nodisclaimer
-r-xr-xr-x   1 bin        bin            197 Dec  7  2007 Modules.txt
dr-xr-xr-x   3 bin        bin           8192 Jun 18  2008 OSMap
dr-xr-xr-x   2 bin        bin           8192 Jun 18  2008 Questions
-r----x---   1 bin        bin           6105 Jun 20  2008 config
dr-xr-xr-x   4 bin        bin             96 Jun 18  2008 configs
-r-xr-xr-x   1 bin        bin            814 Dec  7  2007 ipf.customrules
-r-xr-xr-x   1 bin        bin            986 Dec  7  2007 jail.bind.hpux
-r-xr-xr-x   1 bin        bin            823 Dec  7  2007 jail.bind9.hpux
-r-xr-xr-x   1 bin        bin           1643 Dec  7  2007 jail.generic.hpux
dr-xr-xr-x   2 bin        bin             96 Jun 18  2008 mx
# bastille -l
The last bastille run corresponds to the following profiles:
   /etc/opt/sec_mgmt/bastille/config

 

#

Please use plain text.
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 2 of 22 (1,200 Views)

Re: bastille

/etc/opt/sec_mgmt/bastille#> bastille -b -f config
NOTE:    Entering Critical Code Execution.
         Bastille has disabled keyboard interrupts.


NOTE:    Bastille is scanning the system configuration...

FATAL:   A fatal error has occurred.  Not all of the questions
         that pertain to this system have been answered.  Rerun
         the interactive portion of Bastille on this system.
         MODULE.QUESTION=AccountSecurity.cronuser
/etc/opt/sec_mgmt/bastille#>

 

I copied config file from another server and gave it appropriate permissions but I got the above err

Can someone please suggest

Please use plain text.
Valued Contributor
Henry Fauni
Posts: 66
Registered: ‎09-24-2002
Message 3 of 22 (1,188 Views)

Re: bastille

It's possible you have a newer version of Bastille software installed on the new server, and the MODULE question it's looking for is not there.

 

Compare versions on both systems:

# swlist -l product -a revision | grep -i bastille

 

I would just do what it's suggesting: "Rerun the interactive portion of Bastille on this system."

 


 

Please use plain text.
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 4 of 22 (1,172 Views)

Re: bastille

Hello Henry This could be of some interest

 

Normal server:

 # bastille -l
The last bastille run corresponds to the following profiles:
  # swlist -l product -a revision | grep -i bastille
  Bastille              B.3.0.31
# uname -a
HP-UX <vmhost> B.11.31 U ia64 3565873559 unlimited-user license
 #

 

Newly built server(has bastille issue):

 

:/etc/opt/sec_mgmt/bastille #> bastille -b -f config
NOTE:    Entering Critical Code Execution.
         Bastille has disabled keyboard interrupts.


NOTE:    Bastille is scanning the system configuration...

FATAL:   A fatal error has occurred.  Not all of the questions
         that pertain to this system have been answered.  Rerun
         the interactive portion of Bastille on this system.
         MODULE.QUESTION=AccountSecurity.cronuser
:/etc/opt/sec_mgmt/bastille #>

:/ #> swlist -l product -a revision | grep -i bastille
  Bastille              B.3.3.01
 #>uname -a
HP-UX <vmhost> B.11.31 U ia64 1392496050 unlimited-user license
/etc/opt/sec_mgmt/bastille #>

please suggest


 

Please use plain text.
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 5 of 22 (1,165 Views)

Re: bastille

can we consider.... downgrading the bastille version from B.3.3.01 to B.3.0.31
but not sure if it is a simple procedure of swremove and then swinstall
pls suggest
Please use plain text.
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 6 of 22 (1,149 Views)

Re: bastille

Henry..you said
I would just do what it's suggesting: "Rerun the interactive portion of Bastille on this system."
How would I do this...

etc/opt/sec_mgmt/bastille #> bastille
NOTE: $DISPLAY not set. Attempting Curses interface.
NOTE: Using Curses user interface module.
NOTE: Only displaying questions relevant to the current configuration.
ERROR: Could not load the 'Curses.pm' interface module.This may be due to an
invalid $DISPLAY setting,or the module not being visible to Perl.
etc/opt/sec_mgmt/bastille #>
Please use plain text.
Acclaimed Contributor
Torsten.
Posts: 23,135
Registered: ‎10-02-2001
Message 7 of 22 (1,139 Views)

Re: bastille

This is an graphical application, you need an Xserver.

Consider to download something like "mobaxterm" to your PC, run it and ssh to the server.

Hope this helps!
Regards
Torsten.

__________________________________________________

There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________

No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! star in the left column!   
Please use plain text.
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 8 of 22 (1,134 Views)

Re: bastille

 
Please use plain text.
Acclaimed Contributor
Torsten.
Posts: 23,135
Registered: ‎10-02-2001
Message 9 of 22 (1,132 Views)

Re: bastille

$DISPLAY not set!

you have still this message.

Hope this helps!
Regards
Torsten.

__________________________________________________

There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________

No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! star in the left column!   
Please use plain text.
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 10 of 22 (1,129 Views)

Re: bastille

[ Edited ]

trying..but failing :-(

:/ #> export DISPLAY=`hostname`
:/ #> xhost + `hostname`
xhost: unable to open display "xxx-yyy-vmhost"
:/ #>

:/ #> export DISPLAY=`hostname`:0.0
:/ #> xhost +
xhost: unable to open display "xxx-yyy-vmhost:0.0"
:/ #>

Please use plain text.
Acclaimed Contributor
Torsten.
Posts: 23,135
Registered: ‎10-02-2001
Message 11 of 22 (1,124 Views)

Re: bastille

What xserver do you have on your PC?


Try mobaxterm for example.

Hope this helps!
Regards
Torsten.

__________________________________________________

There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________

No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! star in the left column!   
Please use plain text.
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 12 of 22 (1,123 Views)

Re: bastille

Need to access servers from citrix.

on citrix web page we already have exceed(humming bird)

I am using that now.

 

A while ago...I downloaded in my PC what you suggested:MobaXterm_Personal_4.2.exe but realised that to upload it onto citrixit needs to be done by citrix admins only..(and then run it and ssh the server).. So I dropped that plan and trying with exceed

Please use plain text.
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 13 of 22 (1,119 Views)

Re: bastille

As a normal user xclock works.

As a root user, xclock doesnt work.

 

as root unable to open xhost + and xclock.

:/ #> xclock
Error: Can't open display:
Error: Couldn't find per display information
:/ #>whoami

#root

 exit
logout root

#

 

 

As a normal user xclock works but xhost + doesnt work
 # xhost +
access control disabled, clients can connect from any host
xhost:  must be on local machine to enable or disable access control.
 # whoami

axbt

Please use plain text.
Acclaimed Contributor
Torsten.
Posts: 23,135
Registered: ‎10-02-2001
Message 14 of 22 (1,115 Views)

Re: bastille

>> As a normal user xclock works.
As a root user, xclock doesnt work.


If xclock works, get the DISPLAY value.

# echo $DISPLAY

then set the same value if you are root.


Hope this helps!
Regards
Torsten.

__________________________________________________

There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________

No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! star in the left column!   
Please use plain text.
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 15 of 22 (1,107 Views)

Re: bastille

Normal user(xclock works)
#> echo $DISPLAY
localhost:10.0
#> xclock
#>


root user:
root #> echo $DISPLAY
sh: DISPLAY: Parameter not set.
root #> export DISPLAY=localhost:10.0
root #> echo $DISPLAY
localhost:10.0
root #> xhost +
X connection to localhost:10.0 broken (explicit kill or server shutdown).
root #> #>
Please use plain text.
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 16 of 22 (1,102 Views)

Re: bastille

Torsten..I showed some outputs regarding the display variable above.

Henry..can you pls suggest regarding the software version of bastille
normal (bastille working) server
Bastille B.3.0.31

our newly built server(bastille not working)
Bastille B.3.3.31

thank you
Please use plain text.
Acclaimed Contributor
Torsten.
Posts: 23,135
Registered: ‎10-02-2001
Message 17 of 22 (1,098 Views)

Re: bastille

You need to set the DISPLAY variable to the IP of your PC. localhost from the server point of view means the server, not your PC.


Hope this helps!
Regards
Torsten.

__________________________________________________

There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________

No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! star in the left column!   
Please use plain text.
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 18 of 22 (1,093 Views)

Re: bastille

Thanks Torsten for all your answers..but I didnt understand the last suggestion from you. please explain....
I am working from a PC which is accessing a citrix webpage application froma citrix server. One such application is hummingbird(exceed) i am accessing a server with an IP by using secure shell.
First I logged in as a normal user. checked the display variable. assigned the same variable to root user.
Please use plain text.
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 19 of 22 (1,090 Views)

Re: bastille

This is exceed(humming bird xTerm) using secure shell

root@:/ #> /opt/sec_mgmt/bastille/bin/bastille
NOTE: $DISPLAY not set. Attempting Curses interface.
NOTE: Using Curses user interface module.
NOTE: Only displaying questions relevant to the current configuration.
ERROR: Could not load the 'Curses.pm' interface module.This may be due to an
invalid $DISPLAY setting,or the module not being visible to Perl.
\nroot@:/ #> echo $DISPLAY
sh: DISPLAY: Parameter not set.
root@:/ #> export DISPLAY=localhost:10.0
root@:/ #> echo $DISPLAY
localhost:10.0
root@:/ #> /opt/sec_mgmt/bastille/bin/bastille
NOTE: Valid display found; defaulting to Tk (X) interface.
NOTE: Using Tk user interface module.
NOTE: Only displaying questions relevant to the current configuration.
NOTE: Bastille is scanning the system configuration...
NOTE: Config file, /etc/opt/sec_mgmt/bastille/config, found; populating
answers.
X connection to localhost:10.0 broken (explicit kill or server shutdown).
root@:/ #> bastille -l
NOTE: The system is in its pre-bastilled state.

root@:/ #>

server is not shutdown. it is OK..but bastille -l still doesnt work !
Please use plain text.
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 20 of 22 (1,088 Views)

Re: bastille

I moved the existing /etc/opt/sec_mgmt/bastille/config file to /tmp.
Tried again...
root#> /opt/sec_mgmt/bastille/bin/bastille
NOTE: Valid display found; defaulting to Tk (X) interface.
NOTE: Using Tk user interface module.
NOTE: Only displaying questions relevant to the current configuration.
NOTE: Bastille is scanning the system configuration...
NOTE: No pre-existing config-file found at:
/etc/opt/sec_mgmt/bastille/config Bastille will set answers to default
values.
couldn't connect to display "localhost:10.0" at /opt/perl_32/lib/site_perl/5.8.8/IA64.ARCHREV_0-thread-multi/Tk/MainWindow.pm line 55.
MainWindow->new() at /opt/sec_mgmt/bastille/lib/Bastille_Tk.pm line 135
root #>
Please use plain text.
Regular Advisor
silusan
Posts: 136
Registered: ‎08-23-2011
Message 21 of 22 (1,077 Views)

Re: bastille

enabled direct root login in the server and then tried ssh from exceed(humming bird) i got the window where I can answer questions for bastille :-)
Please use plain text.
Occasional Visitor
raniyal
Posts: 1
Registered: ‎04-11-2012
Message 22 of 22 (1,037 Views)

Re: bastille

After getting Bastille GUI, go through each question, you will find detailed description against each question.

 

According to you need you can give answers.

After answering all question press "Save/Apply" button. It will save your config file and Apply that configuration file to the system.

Please use plain text.
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation