Bastille won't play, wrong OS version?

lugoteehalt · 02-27-2011, 10:26 PM

Using current stable Debian amd64. Installed the security hardening program Bastille in the normal way it said:
ERROR: 'DB6.0' is not a supported operating system.

So unpacked the *.tar.bz2 version:

Code:

$ ./InteractiveBastille 
ERROR:   'DB6.0' is not a supported operating system.
         Valid operating system versions are as follows:
         'DB2.2' 'DB3.0' 'DB3.1' 'DB4.0' 'RH6.0' 
         'RH6.1' 'RH6.2' 'RH7.0' 'RH7.1' 'RH7.2' 
         'RH7.3' 'RH8.0' 'RH9' 'MN6.0' 'MN6.1' 
         'MN7.0' 'MN7.1' 'MN7.2' 'MN8.0' 'MN8.1' 
         'MN8.2' 'HP-UX11.00' 'HP-UX11.11' 'HP-UX11.22' 'HP-UX11.23' 
         'SE7.2' 'SE7.3' 'SE8.0' 'TB7.0' 'OSX10.2.0' 
         'OSX10.2.1' 'OSX10.2.2' 'OSX10.2.3' 'OSX10.2.4' 
ERROR:   Invalid argument list:
         Usage: bastille [ -b | -c | -r | -x [ --os version ] ]
         -b : use a saved config file to apply changes
              directly to system
         -c : use the Curses (non-X11) TUI
         -r : revert all Bastille changes to-date
         -x : use the Perl/Tk (X11) GUI
         --os version : ask all questions for the given operating system
                        version.  e.g. --os RH6.0

So Bastille won't work?

The reason I ask is that I had this problem before, or similar, and someone here fixed it and Bastille worked. Thanks any help.

EDDY1 · 02-28-2011, 01:55 AM

Last release was in 2008

unSpawn · 02-28-2011, 04:24 AM

Wheezy and sid have Bastille (http://packages.debian.org/search?ar...words=bastille) so if it's only patching Bastille adding "DB6.0" to the distribution list you should be able to pull that off I think.

EDDY1 · 02-28-2011, 04:28 AM

Quote:

Wheezy and sid have Bastille (http://packages.debian.org/search?ar...words=bastille) so if it's only patching Bastille adding "DB6.0" to the distribution list you should be able to pull that off I think.

Sorry I guess my info wasn't accurate.

unixfool · 02-28-2011, 11:54 AM

Quote:

Originally Posted by EDDY1

Sorry I guess my info wasn't accurate.

Actually, you're probably right.

Here's what the Bastille pages state:

Quote:

Javier is an amazing Open Source developer who maintains both the Bastille port and the Tiger port for Debian.

Note the word Tiger...that OS version is very old!

Whoever is wrapping up the package on the Debian side may be packaging old code. Remember, Bastille is just a batch of scripts. Based on what the OP posted, either his copy of the OS/package is old or the latest code release for Bastille hasn't been updated in awhile (but code like this is relatively easy to edit).

unSpawn · 03-01-2011, 01:35 AM

Quote:

Originally Posted by unixfool

Note the word Tiger...that OS version is very old!

No, no, that's the other tiger! Javier etc, etc work[s|ed] on GNU/Tiger (www.nongnu.org/tiger/).

unixfool · 03-01-2011, 08:48 AM

Aha! I see his name (Javier) buried within that link's content, toward the bottom.

LOL!

lugoteehalt · 03-01-2011, 07:53 PM

Quote:

Originally Posted by unSpawn

Wheezy and sid have Bastille (http://packages.debian.org/search?ar...words=bastille) so if it's only patching Bastille adding "DB6.0" to the distribution list you should be able to pull that off I think.

So I use my skill and judgement to get it to allow DB6.0, just stop it from stopping without worrying why they put in that restriction.

Have tried just adding DB6.0 to a list in one file, didn't work. I'll persevere and re-post if I get it to run. Thanks.

unSpawn · 03-01-2011, 08:58 PM

Quote:

Originally Posted by lugoteehalt

didn't work

Saying that doesn't really help us.

Try these patches (3 files in the bastille-3.0.*/Bastille dir) and tell me if it does or does not work:

Code:

--- API.pm.old       2011-03-01 11:11:10.000000000 +0100
+++ API.pm   2011-03-01 11:11:11.000000000 +0100
@@ -562,7 +562,7 @@
 sub getSupportedOSHash () {
 
     my %osHash = ("LINUX" => [
-                             "DB2.2", "DB3.0", "DB3.1", "DB4.0", "DB4.1", "DB5.0",
+                             "DB2.2", "DB3.0", "DB3.1", "DB4.0", "DB4.1", "DB5.0", "DB6.0", 
                              "RH6.0","RH6.1","RH6.2","RH7.0",
                              "RH7.1","RH7.2","RH7.3","RH8.0",
                              "RH9",

Code:

--- API.pm.sweth.old 2011-03-01 11:11:10.000000000 +0100
+++ API.pm.sweth     2011-03-01 11:11:11.000000000 +0100
@@ -522,6 +522,13 @@
          "initd"             => "/etc/init.d",
          "rcd"               => "/etc/"
       },
+      "DB6.0" => {
+         "floppy"            => "/floppy",
+         "httpd.conf"        => "/etc/apache/httpd.conf",
+         "httpd_access.conf" => "/etc/apache/access.conf",
+         "initd"             => "/etc/init.d",
+         "rcd"               => "/etc/"
+      },
       "SO2.6" => {
       },
       "SO7" => {

Code:

--- IOLoader.pm.old  2011-03-01 11:11:10.000000000 +0100
+++ IOLoader.pm      2011-03-01 11:11:11.000000000 +0100
@@ -247,7 +247,7 @@
                                $data =~ s/\bMN\b/$supported_versions/;
                            }
                            if ($data =~ /\bDB\b/) {
-                               my $supported_versions = 'DB2.2 DB3.0 DB3.1 DB4.0 DB4.1 DB5.0';
+                               my $supported_versions = 'DB2.2 DB3.0 DB3.1 DB4.0 DB4.1 DB5.0 DB6.0';
                                $data =~ s/\bDB\b/$supported_versions/;
                            } 
                            if ($data =~ /\bSE\b/) {

eveningsky339 · 03-01-2011, 09:54 PM

Be sure to file a bug report so the package maintainer gets the code up to date.

unixfool · 03-01-2011, 10:15 PM

He can try but there's a good chance the package maintainer isn't doing that level of maintaining. While I was wrong about Tiger, I'm actually pretty comfortable in saying that Bastille may be at a dead-end or is awaiting for someone else to maintain it. The Bastille pages appear to be either very stagnant or dead. They are at least 3 years out of date. I actually saw several big name security vendors (when I was researching yesterday...I didn't keep track of the names but I can search again and provide them if you wish) stating that they also thought Bastille has gone the way of the dodo.

unSpawn · 03-02-2011, 04:27 AM

Quote:

Originally Posted by unixfool

He can try

Sure wouldn't hurt.

Quote:

Originally Posted by unixfool

Bastille may be at a dead-end or is awaiting for someone else to maintain it. The Bastille pages appear to be either very stagnant or dead. They are at least 3 years out of date.

Well yes and no. Yes Jay Beale may have dropped maintaining Bastille-linux but if you check the changelog you'll see Javier Fernandez-Sanguino Pena at least does maintain the Debian port and this does include vuln fixes.

lugoteehalt · 03-02-2011, 04:39 PM

Quote:

Originally Posted by unSpawn

Try these patches (3 files in the bastille-3.0.*/Bastille dir) and tell me if it does or does not work

Thanks. Will do, give me a couple of days.

EDIT: eveningsky339, thanks, I'll try to organise that.

nerdalert · 03-29-2012, 09:23 AM

Is there anything out there like Bastille that I should try?

craigevil · 03-30-2012, 02:51 AM

Everything Bastille does can be done without it. Just takes a little more work.