Operating System - HP-UX

Re: Bastille configuration

 
Marco_67
Advisor

Bastille configuration

Hello,
After having installed Bastille, an unwanted thing is happening: now our monitoring tool (Big Brother), which is running as the bb user, is producing an HTML page with read privilege just for bb itself, so when I open the web page in a browser with an account other than bb, I get a "Forbidden" message.
Yes, I can change the mode on the file, but how can I set it in Bastille? Is there any configuration file?
GGA
Trusted Contributor
Solution

Re: Bastille configuration

hello

maybe this helps you
http://docs.hp.com/en/5990-8172/apbs01.html
regards gga
Steven E. Protter
Exalted Contributor

Re: Bastille configuration

If you have allowed bastille to chroot apache, and followed the todo file, you may wish to back this out.

Otherwise you should be able to just change permissions on the file/folder or the user umask.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Marco_67
Advisor

Re: Bastille configuration

I've reverted the system back (bastille -r) but the problem is still there....
Now all newly created files have RW privilege for the owner only.

How can I solve it?
Robert Fritz
Regular Advisor

Re: Bastille configuration

Hi there,

Installing Bastille by itself (or one of the ITS levels) won't actually change your system. Only by going through the interface, and requesting changes, will Bastille help configure the system.

I agree with Steven that the most likely source of issue is around the Apache chroot question. If requested, Bastille runs the /opt/hpws/apache/util/chroot_os_cp.sh, that comes from Apache.

This does a lot of the work of setting up a chroot jail for Apache, but you still have to put in the resources / files you want Apache to serve out in order to make pages functional. As Steven mentioned, these instructions are in: /var/opt/sec_mgmt/bastille/TODO.txt. Either you or another admin must have followed these instructions to get the page to work at all. The manual actions are where I'd expect the permission issue to have been introduced. There's no "configuration file" since moving the files is a manual exercise.

Now, similarly, Bastille can't "revert" actions it wasn't involved in, so if it notices a jail it helped create during a revert "-r", it undoes what it did, then gives you instructions on how to complete the rest of the revert in: /var/opt/sec_mgmt/bastille/TOREVERT.txt

I'll admit not knowing how Big Brother works... so I'll toss in one more, probably unlikely, possibility... if Big Brother uses a world-writeable directory... that also could be changed via the corresponding question in Bastille, by manually editing and running the script that Bastille generates, per the TODO.txt instructions. Did you run this script? Was a Big Brother directory in that script?

-Hope that helps,
-Robert
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
Robert Fritz
Regular Advisor

Re: Bastille configuration

Another possibility:

The umask setting in Bastille would also affect permissions on newly created files. Old files would persist with their more restrictive permissions, and new files would continue to be created with the new perms even after revert, until the bb account session was logged out/in.

The umask setting can be changed granularly in Bastille (exact perms).
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
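
The umask behaviour described in the last reply, as an added example that is not part of the original thread: it shows that a file written under a restrictive umask stays owner-only after the umask is relaxed, and how to list what a web server running as another user cannot serve. The function names and the scratch directory are constructed for illustration; they are not Big Brother or Bastille paths.

```shell
#!/bin/sh
# Added example: a restrictive umask produces owner-only files, and files
# written under it keep that mode after the umask is relaxed.
# All names below are hypothetical; the scratch directory is constructed.

# Mode a plain file gets when a program creates it with 0666 under a umask.
file_mode_for_umask() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# List regular files "other" cannot read and directories "other" cannot
# enter. Either one is enough for a web server running as a different
# user to answer "Forbidden".
not_served_to_others() {
    find "$1" \( -type f ! -perm -004 \) -o \( -type d ! -perm -005 \)
}

# Create a file in a subshell with the given umask, the way a process
# started from a session with that umask would.
create_with_umask() {
    ( umask "$1"; : > "$2" )
}

demo() {
    d="${TMPDIR:-/tmp}/umask_demo.$$"
    mkdir "$d" || return 1
    chmod 755 "$d"
    create_with_umask 077 "$d/old.html"   # written while the strict umask was active
    create_with_umask 022 "$d/new.html"   # written after the umask was relaxed
    not_served_to_others "$d"             # reports old.html only
    rm -rf "$d"
}

demo
```

Pointing `not_served_to_others` at the directory the monitoring tool writes into shows which existing pages still need a `chmod` after the account's umask has been corrected and its session restarted.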