HPE Community
Operating System - HP-UX
1829829 Members
2007 Online
109993 Solutions
New Discussion

bastille

 
silusan
Regular Advisor

‎02-16-2012 03:25 AM

‎02-16-2012 03:25 AM

bastille

Got a defect identified by the testers in our newly built VM host. How to get rid of this

#> bastille -l
NOTE:    The system is in its pre-bastilled state.

#pwd

/etc/opt/sec_mgmt/bastille
#> ll
total 112
-r-xr-xr-x   1 bin        bin            209 Mar  3  2011 Modules.txt
dr-xr-xr-x   3 bin        bin           8192 Jan  7 13:55 OSMap
dr-xr-xr-x   2 bin        bin           8192 Jan  7 13:55 Questions
dr-xr-xr-x   4 bin        bin             96 Jan  7 13:55 configs
-r-xr-xr-x   1 bin        bin            814 Mar  3  2011 ipf.customrules
-r-xr-xr-x   1 bin        bin            986 Mar  3  2011 jail.bind.hpux
-r-xr-xr-x   1 bin        bin            823 Mar  3  2011 jail.bind9.hpux
-r-xr-xr-x   1 bin        bin           1643 Mar  3  2011 jail.generic.hpux
dr-xr-xr-x   2 bin        bin             96 Jan  7 13:55 mx
#>

 

 

 

In another normal server:

# pwd
/etc/opt/sec_mgmt/bastille
#

# ll
total 128
-rw-------   1 root       sys              0 Jun 20  2008 .nodisclaimer
-r-xr-xr-x   1 bin        bin            197 Dec  7  2007 Modules.txt
dr-xr-xr-x   3 bin        bin           8192 Jun 18  2008 OSMap
dr-xr-xr-x   2 bin        bin           8192 Jun 18  2008 Questions
-r----x---   1 bin        bin           6105 Jun 20  2008 config
dr-xr-xr-x   4 bin        bin             96 Jun 18  2008 configs
-r-xr-xr-x   1 bin        bin            814 Dec  7  2007 ipf.customrules
-r-xr-xr-x   1 bin        bin            986 Dec  7  2007 jail.bind.hpux
-r-xr-xr-x   1 bin        bin            823 Dec  7  2007 jail.bind9.hpux
-r-xr-xr-x   1 bin        bin           1643 Dec  7  2007 jail.generic.hpux
dr-xr-xr-x   2 bin        bin             96 Jun 18  2008 mx
# bastille -l
The last bastille run corresponds to the following profiles:
   /etc/opt/sec_mgmt/bastille/config

 

#

0 Kudos
Reply
21 REPLIES 21
silusan
Regular Advisor

‎02-16-2012 05:18 AM

‎02-16-2012 05:18 AM

Re: bastille

/etc/opt/sec_mgmt/bastille#> bastille -b -f config
NOTE:    Entering Critical Code Execution.
         Bastille has disabled keyboard interrupts.


NOTE:    Bastille is scanning the system configuration...

FATAL:   A fatal error has occurred.  Not all of the questions
         that pertain to this system have been answered.  Rerun
         the interactive portion of Bastille on this system.
         MODULE.QUESTION=AccountSecurity.cronuser
/etc/opt/sec_mgmt/bastille#>

 

I copied config file from another server and gave it appropriate permissions but I got the above err

Can someone please suggest

0 Kudos
Reply
Henry Fauni
Valued Contributor

‎02-16-2012 03:11 PM

‎02-16-2012 03:11 PM

Re: bastille

It's possible you have a newer version of Bastille software installed on the new server, and the MODULE question it's looking for is not there.

 

Compare versions on both systems:

# swlist -l product -a revision | grep -i bastille

 

I would just do what it's suggesting: "Rerun the interactive portion of Bastille on this system."

 


 

0 Kudos
Reply
silusan
Regular Advisor

‎02-20-2012 01:34 AM

‎02-20-2012 01:34 AM

Re: bastille

Hello Henry This could be of some interest

 

Normal server:

 # bastille -l
The last bastille run corresponds to the following profiles:
  # swlist -l product -a revision | grep -i bastille
  Bastille              B.3.0.31
# uname -a
HP-UX <vmhost> B.11.31 U ia64 3565873559 unlimited-user license
 #

 

Newly built server(has bastille issue):

 

:/etc/opt/sec_mgmt/bastille #> bastille -b -f config
NOTE:    Entering Critical Code Execution.
         Bastille has disabled keyboard interrupts.


NOTE:    Bastille is scanning the system configuration...

FATAL:   A fatal error has occurred.  Not all of the questions
         that pertain to this system have been answered.  Rerun
         the interactive portion of Bastille on this system.
         MODULE.QUESTION=AccountSecurity.cronuser
:/etc/opt/sec_mgmt/bastille #>

:/ #> swlist -l product -a revision | grep -i bastille
  Bastille              B.3.3.01
 #>uname -a
HP-UX <vmhost> B.11.31 U ia64 1392496050 unlimited-user license
/etc/opt/sec_mgmt/bastille #>

please suggest


 

0 Kudos
Reply
silusan
Regular Advisor

‎02-20-2012 03:19 AM

‎02-20-2012 03:19 AM

Re: bastille

can we consider.... downgrading the bastille version from B.3.3.01 to B.3.0.31
but not sure if it is a simple procedure of swremove and then swinstall
pls suggest
0 Kudos
Reply
silusan
Regular Advisor

‎02-20-2012 04:30 AM

‎02-20-2012 04:30 AM

Re: bastille

Henry..you said
I would just do what it's suggesting: "Rerun the interactive portion of Bastille on this system."
How would I do this...

etc/opt/sec_mgmt/bastille #> bastille
NOTE: $DISPLAY not set. Attempting Curses interface.
NOTE: Using Curses user interface module.
NOTE: Only displaying questions relevant to the current configuration.
ERROR: Could not load the 'Curses.pm' interface module.This may be due to an
invalid $DISPLAY setting,or the module not being visible to Perl.
etc/opt/sec_mgmt/bastille #>
0 Kudos
Reply
Torsten.
Acclaimed Contributor

‎02-20-2012 05:36 AM

‎02-20-2012 05:36 AM

Re: bastille

This is an graphical application, you need an Xserver.

Consider to download something like "mobaxterm" to your PC, run it and ssh to the server.

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
0 Kudos
Reply
silusan
Regular Advisor

‎02-20-2012 07:19 AM

‎02-20-2012 07:19 AM

Re: bastille

 
0 Kudos
Reply
Torsten.
Acclaimed Contributor

‎02-20-2012 07:23 AM

‎02-20-2012 07:23 AM

Re: bastille

$DISPLAY not set!

you have still this message.

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
0 Kudos
Reply
silusan
Regular Advisor

‎02-20-2012 08:09 AM - edited ‎02-20-2012 08:12 AM

‎02-20-2012 08:09 AM - edited ‎02-20-2012 08:12 AM

Re: bastille

trying..but failing :-(

:/ #> export DISPLAY=`hostname`
:/ #> xhost + `hostname`
xhost: unable to open display "xxx-yyy-vmhost"
:/ #>

:/ #> export DISPLAY=`hostname`:0.0
:/ #> xhost +
xhost: unable to open display "xxx-yyy-vmhost:0.0"
:/ #>

0 Kudos
Reply
Torsten.
Acclaimed Contributor

‎02-20-2012 08:16 AM

‎02-20-2012 08:16 AM

Re: bastille

What xserver do you have on your PC?


Try mobaxterm for example.

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
0 Kudos
Reply
silusan
Regular Advisor

‎02-20-2012 08:23 AM

‎02-20-2012 08:23 AM

Re: bastille

Need to access servers from citrix.

on citrix web page we already have exceed(humming bird)

I am using that now.

 

A while ago...I downloaded in my PC what you suggested:MobaXterm_Personal_4.2.exe but realised that to upload it onto citrixit needs to be done by citrix admins only..(and then run it and ssh the server).. So I dropped that plan and trying with exceed

0 Kudos
Reply
silusan
Regular Advisor

‎02-20-2012 08:37 AM

‎02-20-2012 08:37 AM

Re: bastille

As a normal user xclock works.

As a root user, xclock doesnt work.

 

as root unable to open xhost + and xclock.

:/ #> xclock
Error: Can't open display:
Error: Couldn't find per display information
:/ #>whoami

#root

 exit
logout root

#

 

 

As a normal user xclock works but xhost + doesnt work
 # xhost +
access control disabled, clients can connect from any host
xhost:  must be on local machine to enable or disable access control.
 # whoami

axbt

Reply
Torsten.
Acclaimed Contributor

‎02-20-2012 08:47 AM

‎02-20-2012 08:47 AM

Re: bastille

>> As a normal user xclock works.
As a root user, xclock doesnt work.


If xclock works, get the DISPLAY value.

# echo $DISPLAY

then set the same value if you are root.


Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
0 Kudos
Reply
silusan
Regular Advisor

‎02-21-2012 01:36 AM

‎02-21-2012 01:36 AM

Re: bastille

Normal user(xclock works)
#> echo $DISPLAY
localhost:10.0
#> xclock
#>


root user:
root #> echo $DISPLAY
sh: DISPLAY: Parameter not set.
root #> export DISPLAY=localhost:10.0
root #> echo $DISPLAY
localhost:10.0
root #> xhost +
X connection to localhost:10.0 broken (explicit kill or server shutdown).
root #> #>
0 Kudos
Reply
silusan
Regular Advisor

‎02-21-2012 01:58 AM

‎02-21-2012 01:58 AM

Re: bastille

Torsten..I showed some outputs regarding the display variable above.

Henry..can you pls suggest regarding the software version of bastille
normal (bastille working) server
Bastille B.3.0.31

our newly built server(bastille not working)
Bastille B.3.3.31

thank you
0 Kudos
Reply
Torsten.
Acclaimed Contributor

‎02-21-2012 02:07 AM

‎02-21-2012 02:07 AM

Re: bastille

You need to set the DISPLAY variable to the IP of your PC. localhost from the server point of view means the server, not your PC.


Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
0 Kudos
Reply
silusan
Regular Advisor

‎02-21-2012 02:55 AM

‎02-21-2012 02:55 AM

Re: bastille

Thanks Torsten for all your answers..but I didnt understand the last suggestion from you. please explain....
I am working from a PC which is accessing a citrix webpage application froma citrix server. One such application is hummingbird(exceed) i am accessing a server with an IP by using secure shell.
First I logged in as a normal user. checked the display variable. assigned the same variable to root user.
0 Kudos
Reply
silusan
Regular Advisor

‎02-21-2012 03:00 AM

‎02-21-2012 03:00 AM

Re: bastille

This is exceed(humming bird xTerm) using secure shell

root@:/ #> /opt/sec_mgmt/bastille/bin/bastille
NOTE: $DISPLAY not set. Attempting Curses interface.
NOTE: Using Curses user interface module.
NOTE: Only displaying questions relevant to the current configuration.
ERROR: Could not load the 'Curses.pm' interface module.This may be due to an
invalid $DISPLAY setting,or the module not being visible to Perl.
\nroot@:/ #> echo $DISPLAY
sh: DISPLAY: Parameter not set.
root@:/ #> export DISPLAY=localhost:10.0
root@:/ #> echo $DISPLAY
localhost:10.0
root@:/ #> /opt/sec_mgmt/bastille/bin/bastille
NOTE: Valid display found; defaulting to Tk (X) interface.
NOTE: Using Tk user interface module.
NOTE: Only displaying questions relevant to the current configuration.
NOTE: Bastille is scanning the system configuration...
NOTE: Config file, /etc/opt/sec_mgmt/bastille/config, found; populating
answers.
X connection to localhost:10.0 broken (explicit kill or server shutdown).
root@:/ #> bastille -l
NOTE: The system is in its pre-bastilled state.

root@:/ #>

server is not shutdown. it is OK..but bastille -l still doesnt work !
0 Kudos
Reply
silusan
Regular Advisor

‎02-21-2012 03:07 AM

‎02-21-2012 03:07 AM

Re: bastille

I moved the existing /etc/opt/sec_mgmt/bastille/config file to /tmp.
Tried again...
root#> /opt/sec_mgmt/bastille/bin/bastille
NOTE: Valid display found; defaulting to Tk (X) interface.
NOTE: Using Tk user interface module.
NOTE: Only displaying questions relevant to the current configuration.
NOTE: Bastille is scanning the system configuration...
NOTE: No pre-existing config-file found at:
/etc/opt/sec_mgmt/bastille/config Bastille will set answers to default
values.
couldn't connect to display "localhost:10.0" at /opt/perl_32/lib/site_perl/5.8.8/IA64.ARCHREV_0-thread-multi/Tk/MainWindow.pm line 55.
MainWindow->new() at /opt/sec_mgmt/bastille/lib/Bastille_Tk.pm line 135
root #>
0 Kudos
Reply
silusan
Regular Advisor

‎02-21-2012 04:50 AM

‎02-21-2012 04:50 AM

Re: bastille

enabled direct root login in the server and then tried ssh from exceed(humming bird) i got the window where I can answer questions for bastille :-)
0 Kudos
Reply
raniyal
Occasional Visitor

‎04-11-2012 04:12 AM

‎04-11-2012 04:12 AM

Re: bastille

After getting Bastille GUI, go through each question, you will find detailed description against each question.

 

According to you need you can give answers.

After answering all question press "Save/Apply" button. It will save your config file and Apply that configuration file to the system.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.