* [PATCH 0/6] [meta-security] Bastille bug fixes and enhancements
@ 2013-08-27 22:13 mulhern
2013-08-27 22:14 ` [PATCH 1/6] Bastille: Preliminary cleanup of existing patches mulhern
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: mulhern @ 2013-08-27 22:13 UTC (permalink / raw)
To: yocto, mulhern
The patches in this set consist of a number of actual bug fixes and a few
enhancements. The two enhancements are:

1) A change in the semantics of the -l flag so that it lists configuration
files even if Bastille has not been run previously.
2) A change in the way distributions are inferred, specified, and observed so that
a distribution can always be specified and so that a specified distribution
overrides an inferred distribution when they are different.

At this point, the Bastille screens will show the appropriate questions and
when the questions have been responded to it will write out the responses to
the config file.

The two significant things that it cannot do, but that the documentation claims
that it does are:

1) Test the system on which it is run for answers to the questions.
2) Make changes to the system based on those answers.

Clearly, code has at one time been written to effect those changes on some
systems. But the following things don't work, and appear to be due to bugs
in the existing code base rather than errors in the set-up.

1) After the answers have been given InteractiveBastille is supposed to
not only write out the responses to the config file but invoke BastilleBackEnd
so that it makes the changes. The implementation does not do this correctly.
The method that is invoked for this purpose is
Run_Bastille_with_Config. The definition of this comment has above it the
comment "Not used in HP-UX. Run_Bastille_with_Config may be dead code in all
OS-s." which does not inspire confidence. The invocation has been removed,
so that the screen flicker that it causes will go away.

2) If it were the case that "bastille -b" were effective, i.e., if bastille
could be run so as to apply the contents of the config file to the system,
problem (1) would not be so serious. But this is not the case. Instead,
Bastille encounters a variety of fatal errors in the Bastille source, arising,
at least in part, from a propensity to invoke HP-UX specific code regardless
of the distro.

3) Bastille is quite unable even to assess the status of a system with regard
to the questions asked. In its current state, the result of an assessment is
a file with no entries. This can be changed with relative ease, so that the
code that will attempt to discover the answers to the relevant questions is
executed. However, in that case, the same fatal errors as described in point
(2) are encountered.

4) Generally speaking, the code appears to be bug-ridden. Attempting to fix it
to the point that it actually works might actually be more expensive and less
rewarding than starting from scratch.

Perhaps this version of Bastille could be kept as a record of
decisions made about the appropriate issues to address for security on
Yocto distributions, but no further effort be made to fix it. Instead, some
other alternative could be found to achieve the same results. Here are two
possibilities:

1) OpenScap's oscap tool (open-scap.org). This tool is all about security
and the source code repository was last updated a few days ago. It might
work nicely with the Script Check Engine for XCCDF which is described at
pvrabec.livejournal.com/887.html.

2) Puppet (puppetlabs.com) is more general and is about configuring anything
at all for various purposes. It has some associated applications, including
Facter (which finds out facts about the system on which it is running). These
applications have been written in Ruby.

The following changes since commit 600a74468bf6d2e2f865e7d7c70e68c60c829234:
lib-perl: Change description to match package. (2013-08-20 08:39:35 -0700)
are available in the git repository at:
git://git.yoctoproject.org/poky-contrib mulhern/bastille-final
http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=mulhern/bastille-final
mulhern (6):
Bastille: Preliminary cleanup of existing patches.
Bastille: Miscellaneous fixes to the Bastille code base.
Bastille: change in behavior of bastille -l.
Bastille: accept and observe --os flag in multiple situations.
Bastille: set Yocto specific questions via config file.
Bastille: document the current status and usability of the Bastille
install.
README | 44 +-
recipes-security/bastille/bastille_3.2.1.bb | 21 +-
.../files/Curses-and-IOLoader-changes.patch | 50 ---
.../bastille/files/accept_os_flag_in_backend.patch | 28 ++
.../bastille/files/allow_os_with_assess.patch | 37 ++
.../bastille/files/call_output_config.patch | 13 +
.../bastille/files/do_not_apply_config.patch | 34 ++
.../bastille/files/edit_usage_message.patch | 26 ++
.../bastille/files/find_existing_config.patch | 58 +++
.../files/fix_missing_use_directives.patch | 48 ++
.../bastille/files/fix_number_of_modules.patch | 32 ++
...rd-patch.patch => fixed_defined_warnings.patch} | 32 +-
.../bastille/files/organize_distro_discovery.patch | 470 ++++++++++++++++++++
.../remove_questions_text_file_references.patch | 24 +
.../bastille/files/set_required_questions.py | 135 ++++++
.../bastille/files/simplify_B_place.patch | 34 ++
.../files/upgrade_options_processing.patch | 85 ++++
17 files changed, 1080 insertions(+), 91 deletions(-)
delete mode 100644 recipes-security/bastille/files/Curses-and-IOLoader-changes.patch
create mode 100644 recipes-security/bastille/files/accept_os_flag_in_backend.patch
create mode 100644 recipes-security/bastille/files/allow_os_with_assess.patch
create mode 100644 recipes-security/bastille/files/call_output_config.patch
create mode 100644 recipes-security/bastille/files/do_not_apply_config.patch
create mode 100644 recipes-security/bastille/files/edit_usage_message.patch
create mode 100644 recipes-security/bastille/files/find_existing_config.patch
create mode 100644 recipes-security/bastille/files/fix_missing_use_directives.patch
create mode 100644 recipes-security/bastille/files/fix_number_of_modules.patch
rename recipes-security/bastille/files/{yocto-standard-patch.patch => fixed_defined_warnings.patch} (65%)
create mode 100644 recipes-security/bastille/files/organize_distro_discovery.patch
create mode 100644 recipes-security/bastille/files/remove_questions_text_file_references.patch
create mode 100755 recipes-security/bastille/files/set_required_questions.py
create mode 100644 recipes-security/bastille/files/simplify_B_place.patch
create mode 100644 recipes-security/bastille/files/upgrade_options_processing.patch
--
1.7.10.4
* [PATCH 1/6] Bastille: Preliminary cleanup of existing patches.
2013-08-27 22:13 [PATCH 0/6] [meta-security] Bastille bug fixes and enhancements mulhern
@ 2013-08-27 22:14 ` mulhern
2013-08-27 22:14 ` [PATCH 2/6] Bastille: Miscellaneous fixes to the Bastille code base mulhern
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: mulhern @ 2013-08-27 22:14 UTC (permalink / raw)
To: yocto, mulhern
[YOCTO #3867]
Renames existing patches and removes some changes.

Curses-and-IOLoader-changes.patch is renamed to call_output_config.patch. The
new patch omits the removal of the pruning step in Load_Questions but
retains the replacement of a call to a non-existent function with a call
to an appropriate implemented function.

yocto-standard-patch.patch is renamed to fixed_defined_warnings.patch. The
new patch omits the definition of a yocto distro but includes the defined
warnings fix.

The recipe file is changed to include the new patches and also to omit a
related action in the do_install script.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
---
recipes-security/bastille/bastille_3.2.1.bb | 5 +-
.../files/Curses-and-IOLoader-changes.patch | 50 --------------------
.../bastille/files/call_output_config.patch | 13 +++++
...rd-patch.patch => fixed_defined_warnings.patch} | 32 ++++---------
4 files changed, 25 insertions(+), 75 deletions(-)
delete mode 100644 recipes-security/bastille/files/Curses-and-IOLoader-changes.patch
create mode 100644 recipes-security/bastille/files/call_output_config.patch
rename recipes-security/bastille/files/{yocto-standard-patch.patch => fixed_defined_warnings.patch} (65%)
diff --git a/recipes-security/bastille/bastille_3.2.1.bb b/recipes-security/bastille/bastille_3.2.1.bb
index 008f305..1af7b34 100644
--- a/recipes-security/bastille/bastille_3.2.1.bb
+++ b/recipes-security/bastille/bastille_3.2.1.bb
@@ -17,8 +17,8 @@ SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3
file://ServiceAdmin.pm \
file://config \
file://fix_version_parse.patch \
- file://yocto-standard-patch.patch \
- file://Curses-and-IOLoader-changes.patch \
+ file://fixed_defined_warnings.patch \
+ file://call_output_config.patch \
"
SRC_URI[md5sum] = "df803f7e38085aa5da79f85d0539f91b"
@@ -136,7 +136,6 @@ do_install () {
done
ln -s ${D}${sbindir}/RevertBastille ${D}${sbindir}/UndoBastille
- sed -i 's/3.8.11-yocto-standard/${KERNEL_VERSION}/g' ${D}${libdir}/Bastille/API.pm
}
FILES_${PN} += "${datadir}/Bastille ${libdir}/Bastille ${libdir}/perl* ${sysconfdir}/*"
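Review bot: In do_install, the context line `ln -s ${D}${sbindir}/RevertBastille ${D}${sbindir}/UndoBastille` puts ${D} into the link target, so the installed UndoBastille symlink points into the build staging directory and will dangle on the target. Since this hunk already edits do_install, consider a relative target such as `ln -s RevertBastille ${D}${sbindir}/UndoBastille`. Dropping the sed on API.pm is consistent with fixed_defined_warnings.patch no longer inserting the 3.8.11-yocto-standard string.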
diff --git a/recipes-security/bastille/files/Curses-and-IOLoader-changes.patch b/recipes-security/bastille/files/Curses-and-IOLoader-changes.patch
deleted file mode 100644
index dfe0698..0000000
--- a/recipes-security/bastille/files/Curses-and-IOLoader-changes.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From afa9a32db7f9423b45e0cff898a868de05ad3dee Mon Sep 17 00:00:00 2001
-From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
-Date: Tue, 30 Jul 2013 12:05:39 +0300
-Subject: [PATCH] Curses and IOLoader changes
-
-The linux distribution couldn't be identified when
-running Bastille, and the question pruning method
-couldn't get a match on the questions relevant to
-the repo, so it eliminated all questions.
-
-After answering the questions the checkAndSaveConfig routine
-was called which was missing. Replaced it with outputConfig
-which exists.
-
-Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
----
- Bastille/IOLoader.pm | 2 +-
- Bastille_Curses.pm | 3 ++-
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/Bastille/IOLoader.pm b/Bastille/IOLoader.pm
-index abb94d7..995d2c2 100644
---- a/Bastille/IOLoader.pm
-+++ b/Bastille/IOLoader.pm
-@@ -68,7 +68,7 @@ sub Load_Questions($) {
- my $UseRequiresRules = $_[0];
-
- my ($current_module_number,$first_question) = &parse_questions();
-- $first_question = &prune_questions($UseRequiresRules,$first_question);
-+ #$first_question = &prune_questions($UseRequiresRules,$first_question);
- $firstQuestion = $first_question;
- &B_log("DEBUG","Load Questions, first question: $first_question");
- &validate_questions();
-diff --git a/Bastille_Curses.pm b/Bastille_Curses.pm
-index 2e1eef4..a2dfb34 100644
---- a/Bastille_Curses.pm
-+++ b/Bastille_Curses.pm
-@@ -84,7 +84,8 @@ sub do_Bastille {
- }
-
- # Output answers to the script and display
-- &checkAndSaveConfig(&getGlobal('BFILE', "config"));
-+
-+ &outputConfig
-
- # Run Bastille
-
---
-1.7.9.5
-
diff --git a/recipes-security/bastille/files/call_output_config.patch b/recipes-security/bastille/files/call_output_config.patch
new file mode 100644
index 0000000..f426e1b
--- /dev/null
+++ b/recipes-security/bastille/files/call_output_config.patch
@@ -0,0 +1,13 @@
+Index: Bastille/Bastille_Curses.pm
+===================================================================
+--- Bastille.orig/Bastille_Curses.pm 2013-08-21 08:58:53.899950000 -0400
++++ Bastille/Bastille_Curses.pm 2013-08-21 09:20:20.295950005 -0400
+@@ -84,7 +84,7 @@
+ }
+
+ # Output answers to the script and display
+- &checkAndSaveConfig(&getGlobal('BFILE', "config"));
++ &outputConfig;
+
+ # Run Bastille
+
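Review bot: call_output_config.patch starts directly at the Index: line, so the explanation carried by the deleted Curses-and-IOLoader-changes.patch (checkAndSaveConfig is called but missing, outputConfig exists) is lost together with its author and Signed-off-by. Please give the patch file a short header with that description, a Signed-off-by and an Upstream-Status line. The new `&outputConfig;` also adds the terminating semicolon that the old patch left off, which deserves a mention in the description.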
diff --git a/recipes-security/bastille/files/yocto-standard-patch.patch b/recipes-security/bastille/files/fixed_defined_warnings.patch
similarity index 65%
rename from recipes-security/bastille/files/yocto-standard-patch.patch
rename to recipes-security/bastille/files/fixed_defined_warnings.patch
index 4f78a3b..ab80eb2 100644
--- a/recipes-security/bastille/files/yocto-standard-patch.patch
+++ b/recipes-security/bastille/files/fixed_defined_warnings.patch
@@ -16,31 +16,22 @@ Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
Bastille/API.pm | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
-diff --git a/Bastille/API.pm b/Bastille/API.pm
-index 40f8c72..ebbe9f7 100644
---- a/Bastille/API.pm
-+++ b/Bastille/API.pm
-@@ -445,8 +445,8 @@ sub GetDistro() {
+Index: Bastille/Bastille/API.pm
+===================================================================
+--- Bastille.orig/Bastille/API.pm 2008-09-14 19:56:53.000000000 -0400
++++ Bastille/Bastille/API.pm 2013-08-21 08:55:26.715950001 -0400
+@@ -445,8 +445,8 @@
$release=`/usr/bin/uname -sr`;
}
else {
- print STDERR "$err Could not determine operating system version!\n";
- $distro="unknown";
-+ #print STDERR "$err Could not determine operating system version!\n";
-+ $distro="3.8.11-yocto-standard";
++ print STDERR "$err Could not determine operating system version!\n";
++ $distro="unknown"
}
# Figure out what kind of system we're on.
-@@ -537,7 +537,7 @@ sub getSupportedOSHash () {
- "DB2.2", "DB3.0",
- "RH6.0","RH6.1","RH6.2","RH7.0",
- "RH7.1","RH7.2","RH7.3","RH8.0",
-- "RH9",
-+ "RH9","3.8.11-yocto-standard",
- "RHEL5",
- "RHEL4AS","RHEL4ES","RHEL4WS",
- "RHEL3AS","RHEL3ES","RHEL3WS",
-@@ -1284,7 +1284,7 @@ sub B_write_sums {
+@@ -1284,7 +1284,7 @@
my $sumFile = &getGlobal('BFILE',"sum.csv");
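Review bot: In the rewritten inner hunk at `@@ -445,8 +445,8 @@` the two removed lines are added back with the same text, except that `$distro="unknown"` loses its trailing semicolon. Perl accepts that as the last statement of the block, but the hunk is now a no-op against API.pm apart from the dropped semicolon, so it would be cleaner to remove it from fixed_defined_warnings.patch entirely. The diffstat kept in the patch header (6 insertions, 6 deletions) also appears stale now that the getSupportedOSHash hunk is gone.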
@@ -49,7 +40,7 @@ index 40f8c72..ebbe9f7 100644
open( SUM, "> $sumFile") or &B_log("ERROR","Unable to open $sumFile for write.\n$!\n");
-@@ -1318,7 +1318,7 @@ sub B_check_sum($) {
+@@ -1318,7 +1318,7 @@
my $file = $_[0];
my $cksum = &getGlobal('BIN',"cksum");
@@ -58,7 +49,7 @@ index 40f8c72..ebbe9f7 100644
&B_read_sums;
}
-@@ -1375,7 +1375,7 @@ sub listModifiedFiles {
+@@ -1375,7 +1375,7 @@
sub B_isFileinSumDB($) {
my $file = $_[0];
@@ -67,6 +58,3 @@ index 40f8c72..ebbe9f7 100644
&B_log("DEBUG","Reading in DB from B_isFileinSumDB");
&B_read_sums;
}
---
-1.7.9.5
-
--
1.7.10.4
* [PATCH 2/6] Bastille: Miscellaneous fixes to the Bastille code base.
2013-08-27 22:13 [PATCH 0/6] [meta-security] Bastille bug fixes and enhancements mulhern
2013-08-27 22:14 ` [PATCH 1/6] Bastille: Preliminary cleanup of existing patches mulhern
@ 2013-08-27 22:14 ` mulhern
2013-08-27 22:14 ` [PATCH 3/6] Bastille: change in behavior of bastille -l mulhern
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: mulhern @ 2013-08-27 22:14 UTC (permalink / raw)
To: yocto, mulhern
[YOCTO #3867]
Adds four additional small patches which address miscellaneous small problems
in Bastille.

The four patches are:

fix_missing_use_directives.patch: A number of use directives were missing from
several files. These were added as discovered.

fix_number_of_modules.patch: The curses interface includes a title for most
screens which gives a module, a module number, and the number of modules in the
series. Previously the last value was always 0, now it is simply
omitted. It would be more desirable to give the correct number, but this would
require a significant change to the code base.

remove_questions_text_file_references.patch: This version of Bastille does
not make use of a Questions.txt file, therefore the specification of the
location of this file in the OSMap/*.bastille files has been removed.

simplify_B_place.patch: This patch discards redundant variables, mostly
defined but not used cases, and makes the error reporting more informative.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
---
recipes-security/bastille/bastille_3.2.1.bb | 4 ++
.../files/fix_missing_use_directives.patch | 48 ++++++++++++++++++++
.../bastille/files/fix_number_of_modules.patch | 32 +++++++++++++
.../remove_questions_text_file_references.patch | 24 ++++++++++
.../bastille/files/simplify_B_place.patch | 34 ++++++++++++++
5 files changed, 142 insertions(+)
create mode 100644 recipes-security/bastille/files/fix_missing_use_directives.patch
create mode 100644 recipes-security/bastille/files/fix_number_of_modules.patch
create mode 100644 recipes-security/bastille/files/remove_questions_text_file_references.patch
create mode 100644 recipes-security/bastille/files/simplify_B_place.patch
diff --git a/recipes-security/bastille/bastille_3.2.1.bb b/recipes-security/bastille/bastille_3.2.1.bb
index 1af7b34..0165a4e 100644
--- a/recipes-security/bastille/bastille_3.2.1.bb
+++ b/recipes-security/bastille/bastille_3.2.1.bb
@@ -19,6 +19,10 @@ SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3
file://fix_version_parse.patch \
file://fixed_defined_warnings.patch \
file://call_output_config.patch \
+ file://fix_missing_use_directives.patch \
+ file://fix_number_of_modules.patch \
+ file://remove_questions_text_file_references.patch \
+ file://simplify_B_place.patch \
"
SRC_URI[md5sum] = "df803f7e38085aa5da79f85d0539f91b"
diff --git a/recipes-security/bastille/files/fix_missing_use_directives.patch b/recipes-security/bastille/files/fix_missing_use_directives.patch
new file mode 100644
index 0000000..8bc8931
--- /dev/null
+++ b/recipes-security/bastille/files/fix_missing_use_directives.patch
@@ -0,0 +1,48 @@
+Index: Bastille/Bastille/Firewall.pm
+===================================================================
+--- Bastille.orig/Bastille/Firewall.pm 2008-09-14 19:56:54.000000000 -0400
++++ Bastille/Bastille/Firewall.pm 2013-08-20 16:28:44.588378000 -0400
+@@ -21,6 +21,7 @@
+ package Bastille::Firewall;
+
+ use Bastille::API;
++use Bastille::API::AccountPermission;
+ use Bastille::API::FileContent;
+ use Bastille::API::ServiceAdmin;
+
+Index: Bastille/Bastille/SecureInetd.pm
+===================================================================
+--- Bastille.orig/Bastille/SecureInetd.pm 2008-09-14 19:56:58.000000000 -0400
++++ Bastille/Bastille/SecureInetd.pm 2013-08-20 16:45:02.252378001 -0400
+@@ -12,6 +12,7 @@
+ use lib "/usr/lib";
+
+ use Bastille::API;
++use Bastille::API::AccountPermission;
+ use Bastille::API::HPSpecific;
+ use Bastille::API::ServiceAdmin;
+ use Bastille::API::FileContent;
+Index: Bastille/Bastille/ConfigureMiscPAM.pm
+===================================================================
+--- Bastille.orig/Bastille/ConfigureMiscPAM.pm 2005-09-12 23:47:28.000000000 -0400
++++ Bastille/Bastille/ConfigureMiscPAM.pm 2013-08-20 18:36:07.340378001 -0400
+@@ -5,6 +5,7 @@
+ use lib "/usr/lib";
+
+ use Bastille::API;
++use Bastille::API::FileContent;
+
+ # To DO:
+ #
+Index: Bastille/Bastille/Printing.pm
+===================================================================
+--- Bastille.orig/Bastille/Printing.pm 2008-09-14 19:56:58.000000000 -0400
++++ Bastille/Bastille/Printing.pm 2013-08-20 19:05:01.532378002 -0400
+@@ -5,6 +5,7 @@
+ use lib "/usr/lib";
+
+ use Bastille::API;
++use Bastille::API::AccountPermission;
+ use Bastille::API::HPSpecific;
+ use Bastille::API::ServiceAdmin;
+ use Bastille::API::FileContent;
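Review bot: None of the four added `use` lines records which undefined subroutine prompted it, and the commit message only says they were "added as discovered", which suggests the set may be incomplete. Please add a header to fix_missing_use_directives.patch naming, per file, the function that failed to resolve (for example which Bastille::API::AccountPermission routine Firewall.pm, SecureInetd.pm and Printing.pm call), so the next missing import can be told apart from a regression.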
diff --git a/recipes-security/bastille/files/fix_number_of_modules.patch b/recipes-security/bastille/files/fix_number_of_modules.patch
new file mode 100644
index 0000000..7fed0bd
--- /dev/null
+++ b/recipes-security/bastille/files/fix_number_of_modules.patch
@@ -0,0 +1,32 @@
+Index: Bastille/Bastille_Curses.pm
+===================================================================
+--- Bastille.orig/Bastille_Curses.pm 2013-08-24 18:21:54.445288000 -0400
++++ Bastille/Bastille_Curses.pm 2013-08-24 18:29:16.981288000 -0400
+@@ -36,9 +36,6 @@
+ use Curses;
+ use Curses::Widgets;
+
+- # Number_Modules is the number of modules loaded in by Load_Questions
+- $Number_Modules=0;
+-
+ #
+ # Highlighted button is the button currently chosen in the button bar
+ # We preserve this from question to question...
+@@ -397,7 +394,7 @@
+ my $title;
+
+ if ($module) {
+- $title=$module . " of $Number_Modules";
++ $title=$module;
+ }
+
+ txt_field( 'window' => $window,
+@@ -488,7 +485,7 @@
+ my $title;
+
+ if ($module) {
+- $title=$module . " of $Number_Modules";
++ $title=$module;
+ }
+
+ noecho;
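Review bot: With the `$Number_Modules=0;` initialisation removed near line 36, any reference to $Number_Modules outside the two title assignments changed here would now read an undeclared variable. Please confirm that no other use remains in Bastille_Curses.pm or in the code that loads the questions, and note in the patch header that the "of N" suffix is dropped because the count was never populated.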
diff --git a/recipes-security/bastille/files/remove_questions_text_file_references.patch b/recipes-security/bastille/files/remove_questions_text_file_references.patch
new file mode 100644
index 0000000..5daf6b5
--- /dev/null
+++ b/recipes-security/bastille/files/remove_questions_text_file_references.patch
@@ -0,0 +1,24 @@
+Index: Bastille/OSMap/LINUX.bastille
+===================================================================
+--- Bastille.orig/OSMap/LINUX.bastille 2008-01-25 18:31:35.000000000 -0500
++++ Bastille/OSMap/LINUX.bastille 2013-08-22 04:48:32.677968002 -0400
+@@ -12,7 +12,6 @@
+
+ bfile,InteractiveBastille,'/usr/sbin/InteractiveBastille'
+ bfile,BastilleBackEnd,'/usr/sbin/BastilleBackEnd'
+-bfile,Questions,'/usr/share/Bastille/Questions.txt'
+ bfile,QuestionsModules,'/usr/share/Bastille/Modules.txt'
+ bfile,TODO,'/var/log/Bastille/TODO'
+ bfile,TODOFlag,'/var/log/Bastille/TODOFlag.txt'
+Index: Bastille/OSMap/OSX.bastille
+===================================================================
+--- Bastille.orig/OSMap/OSX.bastille 2007-09-11 18:09:26.000000000 -0400
++++ Bastille/OSMap/OSX.bastille 2013-08-22 04:48:47.245968001 -0400
+@@ -10,7 +10,6 @@
+ bdir,share,'/usr/share/Bastille'
+
+ bfile,BastilleBackEnd,'/var/root/Bastille/BastilleBackEnd'
+-bfile,Questions,'/usr/share/Bastille/Questions.txt'
+ bfile,QuestionsModules,'/usr/share/Bastille/Modules.txt'
+ bfile,TODO,'/var/log/Bastille/TODO'
+ bfile,TODOFlag,'/var/log/Bastille/TODOFlag.txt'
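Review bot: The commit message says the Questions entry is removed from the OSMap/*.bastille files, but only LINUX.bastille and OSX.bastille are changed in this patch. If another OSMap file still defines `bfile,Questions`, or any code still looks up the Questions entry through getGlobal, the cleanup is incomplete; please check with a grep and either extend the patch or narrow the description to the two files touched.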
diff --git a/recipes-security/bastille/files/simplify_B_place.patch b/recipes-security/bastille/files/simplify_B_place.patch
new file mode 100644
index 0000000..7c874f5
--- /dev/null
+++ b/recipes-security/bastille/files/simplify_B_place.patch
@@ -0,0 +1,34 @@
+Index: Bastille/Bastille/API.pm
+===================================================================
+--- Bastille.orig/Bastille/API.pm 2013-08-21 08:59:17.939950001 -0400
++++ Bastille/Bastille/API.pm 2013-08-21 08:59:30.983950001 -0400
+@@ -1679,24 +1679,22 @@
+
+ use File::Copy;
+
+- my $original_source=$source;
+ $source = &getGlobal('BDIR', "share") . $source;
+- my $original_target=$target;
+
+ if ( -e $target and -f $target ) {
+- &B_backup_file($original_target);
+- &B_log("ACTION","About to copy $original_source to $original_target -- had to backup target\n");
++ &B_backup_file($target);
++ &B_log("ACTION","About to copy $source to $target -- had to backup target\n");
+ $had_to_backup_target=1;
+ }
+ $retval=copy($source,$target);
+ if ($retval) {
+- &B_log("ACTION","placed file $original_source as $original_target\n");
++ &B_log("ACTION","placed file $source as $target\n");
+ #
+ # We want to add a line to the &getGlobal('BFILE', "created-files") so that the
+ # file we just put at $original_target gets deleted.
+- &B_revert_log(&getGlobal('BIN',"rm") . " $original_target\n");
++ &B_revert_log(&getGlobal('BIN',"rm") . " $target\n");
+ } else {
+- &B_log("ERROR","Failed to place $original_source as $original_target\n");
++ &B_log("ERROR","Failed to place $source as $target\n");
+ }
+
+ # We add the file to the GLOBAL_SUMS hash if it is not already present
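Review bot: The comment kept in context still reads "file we just put at $original_target gets deleted", but $original_target no longer exists after this change; it should say $target. The ACTION and ERROR messages now print $source after the share directory prefix has been prepended, which matches the "more informative" reporting the commit message describes and is worth stating in a patch header. Separately, the revert entry is still written as `rm $target` without quoting, so a target path containing whitespace would produce a wrong revert command.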
--
1.7.10.4
* [PATCH 3/6] Bastille: change in behavior of bastille -l.
2013-08-27 22:13 [PATCH 0/6] [meta-security] Bastille bug fixes and enhancements mulhern
2013-08-27 22:14 ` [PATCH 1/6] Bastille: Preliminary cleanup of existing patches mulhern
2013-08-27 22:14 ` [PATCH 2/6] Bastille: Miscellaneous fixes to the Bastille code base mulhern
@ 2013-08-27 22:14 ` mulhern
2013-08-27 22:14 ` [PATCH 4/6] Bastille: accept and observe --os flag in multiple situations mulhern
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: mulhern @ 2013-08-27 22:14 UTC (permalink / raw)
To: yocto, mulhern
[YOCTO #3867]
bastille -l now reports existing configuration file paths even if it has
not previously been run. Previously, it exited with an error if it detected
an absence of log files indicating a previous run.
Signed-off-by: mulhern <mulhern@yoctoproject.org>
---
recipes-security/bastille/bastille_3.2.1.bb | 1 +
.../bastille/files/find_existing_config.patch | 58 ++++++++++++++++++++
2 files changed, 59 insertions(+)
create mode 100644 recipes-security/bastille/files/find_existing_config.patch
diff --git a/recipes-security/bastille/bastille_3.2.1.bb b/recipes-security/bastille/bastille_3.2.1.bb
index 0165a4e..c8d0103 100644
--- a/recipes-security/bastille/bastille_3.2.1.bb
+++ b/recipes-security/bastille/bastille_3.2.1.bb
@@ -23,6 +23,7 @@ SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3
file://fix_number_of_modules.patch \
file://remove_questions_text_file_references.patch \
file://simplify_B_place.patch \
+ file://find_existing_config.patch \
"
SRC_URI[md5sum] = "df803f7e38085aa5da79f85d0539f91b"
diff --git a/recipes-security/bastille/files/find_existing_config.patch b/recipes-security/bastille/files/find_existing_config.patch
new file mode 100644
index 0000000..73e346f
--- /dev/null
+++ b/recipes-security/bastille/files/find_existing_config.patch
@@ -0,0 +1,58 @@
+Index: Bastille/bin/bastille
+===================================================================
+--- Bastille.orig/bin/bastille 2013-06-20 14:58:01.065796000 -0400
++++ Bastille/bin/bastille 2013-08-20 15:16:18.472378000 -0400
+@@ -102,8 +102,9 @@
+ # defines OS specific file locations based on uname
+ systemFileLocations
+
++ config_files=`find $config_repository -type f -name \*config 2>/dev/null`
++
+ if [ -f $last_config ]; then
+- config_files=`find $config_repository -type f -name \*config 2>/dev/null`
+ for config_cursor in `echo $config_files`
+ do
+ if /usr/bin/diff $last_config $config_cursor >/dev/null 2>&1
+@@ -112,8 +113,8 @@
+ fi
+ done
+ if [ -n "$match" ]; then
+- echo "The last bastille run corresponds to the following profiles:"
+- echo "$match"
++ printf "The last Bastille run corresponds to the following profiles:\n"
++ printf "$match"
+ else
+ cat >&2 << EOF
+ NOTE: The last config file applied,
+@@ -122,18 +123,28 @@
+ $ERRSPACES $config_repository.
+ $ERRSPACES This probably means that Bastille was last run interactively and
+ $ERRSPACES changes were made to the config file, but they have not yet been
+-$ERRSPACES applied, or that the source config file was moved. If you do have pending
++$ERRSPACES applied, or that the source config file was moved. If you do have pending
+ $ERRSPACES changes in a config file, you can apply them by running
+ $ERRSPACES 'bastille -b -f <config file>.'
+ EOF
+
+ fi
+ else
+- echo "NOTE: The system is in its pre-bastilled state.\n"
++ for config_cursor in `echo $config_files`
++ do
++ match="$match $config_cursor\n"
++ done
++ if [ -n "$match" ]; then
++ printf "The following Bastille profiles were located:\n"
++ printf "$match"
++ else
++ printf "No Bastille profiles were located.\n"
++ fi
++ printf "No log files of profiles from previous executions of Bastille have been found. It is likely that Bastille has not been run on this machine.\n"
+ fi
+-
+ }
+
++
+ # First, make sure we're root
+ if [ `PATH="/usr/bin:/bin"; id -u` -ne 0 ]; then
+ echo "ERROR: Bastille must be run as root user" >&2
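Review bot: Both `printf "$match"` calls pass the collected file names as the printf format string, so a config path containing % or a backslash sequence is interpreted instead of printed. Keep the format fixed, for example `printf '%s\n' "$config_cursor"` inside the loop, rather than appending a literal \n to $match and relying on printf to expand it. The loop over the output of echo $config_files and the unquoted $config_repository in the find call also split on whitespace in path names, and the final long printf line should be wrapped.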
--
1.7.10.4
* [PATCH 4/6] Bastille: accept and observe --os flag in multiple situations.
2013-08-27 22:13 [PATCH 0/6] [meta-security] Bastille bug fixes and enhancements mulhern
` (2 preceding siblings ...)
2013-08-27 22:14 ` [PATCH 3/6] Bastille: change in behavior of bastille -l mulhern
@ 2013-08-27 22:14 ` mulhern
2013-08-27 22:14 ` [PATCH 5/6] Bastille: set Yocto specific questions via config file mulhern
2013-08-27 22:14 ` [PATCH 6/6] Bastille: document the current status and usability of the Bastille install mulhern
5 siblings, 0 replies; 7+ messages in thread
From: mulhern @ 2013-08-27 22:14 UTC (permalink / raw)
To: yocto, mulhern
[YOCTO #3867]
Five additional patches which cause the --os flag to be accepted and observed
are added. An additional distro, Yocto, is added. The individual patches
are described below.

upgrade_options_processing.patch: Changes setOptions procedure so that it
accepts named parameters for greater flexibility and adjusts all invocations
accordingly. Uses more precise specifications in invocations of
Getopt::Long::GetOptions. Omits code associated with a commented out flag.

accept_os_flag_in_backend.patch: Accepts and observes an additional --os
flag in BastilleBackEnd.

allow_os_with_assess.patch: No longer print a usage message and quit if
--assess or its related flags are specified along with the --os flag.

edit_usage_message.patch: Edit usage message to include the specification of
an --os flag with the specification of an --assess flag.

organize_distro_discovery.patch: Separates inferring the distro from
specifying the distro. Adds a "Yocto" distro among the other Linux
distros. Causes the specified distro to override the inferred
distro with a warning message when they are different. Previously if
either the inferred distro or the specified distro was not among supported
distros Bastille would quit with an error.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
---
recipes-security/bastille/bastille_3.2.1.bb | 5 +
.../bastille/files/accept_os_flag_in_backend.patch | 28 ++
.../bastille/files/allow_os_with_assess.patch | 37 ++
.../bastille/files/edit_usage_message.patch | 26 ++
.../bastille/files/organize_distro_discovery.patch | 470 ++++++++++++++++++++
.../files/upgrade_options_processing.patch | 85 ++++
6 files changed, 651 insertions(+)
create mode 100644 recipes-security/bastille/files/accept_os_flag_in_backend.patch
create mode 100644 recipes-security/bastille/files/allow_os_with_assess.patch
create mode 100644 recipes-security/bastille/files/edit_usage_message.patch
create mode 100644 recipes-security/bastille/files/organize_distro_discovery.patch
create mode 100644 recipes-security/bastille/files/upgrade_options_processing.patch
diff --git a/recipes-security/bastille/bastille_3.2.1.bb b/recipes-security/bastille/bastille_3.2.1.bb
index c8d0103..8969f6b 100644
--- a/recipes-security/bastille/bastille_3.2.1.bb
+++ b/recipes-security/bastille/bastille_3.2.1.bb
@@ -24,6 +24,11 @@ SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3
file://remove_questions_text_file_references.patch \
file://simplify_B_place.patch \
file://find_existing_config.patch \
+ file://upgrade_options_processing.patch \
+ file://accept_os_flag_in_backend.patch \
+ file://allow_os_with_assess.patch \
+ file://edit_usage_message.patch \
+ file://organize_distro_discovery.patch \
"
SRC_URI[md5sum] = "df803f7e38085aa5da79f85d0539f91b"
diff --git a/recipes-security/bastille/files/accept_os_flag_in_backend.patch b/recipes-security/bastille/files/accept_os_flag_in_backend.patch
new file mode 100644
index 0000000..ee6ef0f
--- /dev/null
+++ b/recipes-security/bastille/files/accept_os_flag_in_backend.patch
@@ -0,0 +1,28 @@
+Index: Bastille/BastilleBackEnd
+===================================================================
+--- Bastille.orig/BastilleBackEnd 2013-08-21 12:40:54.000000000 -0400
++++ Bastille/BastilleBackEnd 2013-08-21 12:43:21.895950001 -0400
+@@ -52,11 +52,13 @@
+ my $force = 0;
+ my $debug = 0;
+ my $alternate_config=undef;
++my $os_version=undef;
+
+ if( Getopt::Long::GetOptions( "n" => \$nodisclaim,
+ "v" => \$verbose,
+ "force" => \$force,
+ "f=s" => \$alternate_config,
++ "os=s" => \$os_version,
+ "debug" => \$debug) ) {
+ $error = 0; # no parse error
+
+@@ -66,7 +68,8 @@
+
+ &setOptions(
+ debug => $debug,
+- verbose => $verbose);
++ verbose => $verbose,
++ os => $os_version);
+ &ConfigureForDistro;
+
+ if ( $error ) { # GetOptions couldn't parse all of the args
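Review bot: accept_os_flag_in_backend.patch begins directly at the `Index: Bastille/BastilleBackEnd` line, with no description, no `Upstream-Status:` tag and no `Signed-off-by:` line, which the OpenEmbedded patch guidelines expect at the top of every patch carried by a recipe. Please add a short header saying why the back end needs to accept `--os` and what the upstream status is. The same applies to the other patch files added in this series.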
diff --git a/recipes-security/bastille/files/allow_os_with_assess.patch b/recipes-security/bastille/files/allow_os_with_assess.patch
new file mode 100644
index 0000000..252d0a0
--- /dev/null
+++ b/recipes-security/bastille/files/allow_os_with_assess.patch
@@ -0,0 +1,37 @@
+Index: Bastille/bin/bastille
+===================================================================
+--- Bastille.orig/bin/bastille 2013-08-21 08:59:06.647950000 -0400
++++ Bastille/bin/bastille 2013-08-21 15:55:53.193631711 -0400
+@@ -195,7 +195,6 @@
+ systemFileLocations
+
+ isAssessing='no'
+-nonXArg='no'
+
+ if [ $PERL_V_MAJ -eq $MIN_V_MAJ -a $PERL_V_MIN -lt $MIN_V_MIN -o $PERL_V_MAJ -lt $MIN_V_MAJ ]; then # invalid Perl
+ printErr
+@@ -316,12 +315,10 @@
+ '--os')
+ options_left="$options_left --os"
+ optarg='yes'
+- nonXArg='yes'
+ ;;
+ '-f')
+ options_left="$options_left -f"
+ optarg='yes'
+- nonXArg='yes'
+ ;;
+ # Non-exclusive (undocumented and unsupported) options follow:
+ # There is no validity/combination checking done with these.
+@@ -345,11 +342,6 @@
+ fi
+ done
+
+-#Detect case where -f or --os attempted use with --assess
+- if [ \( x$nonXArg = xyes \) -a \( x$isAssessing = xyes \) ]; then
+- printUsage
+- exit 2
+- fi
+
+ # We have a valid version of perl! Verify that all the required
+ # modules can be found.
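Review bot: deleting the `nonXArg` check in the last hunk lifts the restriction for `-f` as well as for `--os`, because both option cases set `nonXArg='yes'`, yet the patch name and the usage text changed in edit_usage_message.patch only mention `--os` alongside `--assess`. If `-f <alternate config>` is meant to be accepted together with `--assess`, document it in the usage message; if it is not, keep a narrower check that still rejects that combination.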
diff --git a/recipes-security/bastille/files/edit_usage_message.patch b/recipes-security/bastille/files/edit_usage_message.patch
new file mode 100644
index 0000000..1c2cae4
--- /dev/null
+++ b/recipes-security/bastille/files/edit_usage_message.patch
@@ -0,0 +1,26 @@
+Index: Bastille/bin/bastille
+===================================================================
+--- Bastille.orig/bin/bastille 2013-08-25 14:16:35.614779001 -0400
++++ Bastille/bin/bastille 2013-08-25 14:16:38.674779000 -0400
+@@ -60,7 +60,7 @@
+ printUsage () {
+ cat >&2 << EOF
+ $ERRSPACES Usage: bastille [ -b | -c | -x ] [ --os <version>] [ -f <alternate config> ]
+-$ERRSPACES bastille [-r | -l | -h | --assess | --assessnobrowser ]
++$ERRSPACES bastille [-r | -l | -h | --assess | --assessnobrowser ] [ --os <version> ]
+ $ERRSPACES -b : use a saved config file to apply changes
+ $ERRSPACES directly to system
+ $ERRSPACES -c : use the Curses (non-X11) GUI, not available on HP-UX
+Index: Bastille/Bastille/API.pm
+===================================================================
+--- Bastille.orig/Bastille/API.pm 2013-08-25 08:15:40.266779002 -0400
++++ Bastille/Bastille/API.pm 2013-08-25 14:18:22.750778811 -0400
+@@ -206,7 +206,7 @@
+ #options before interactive or Bastille runs, so this check is often redundant
+ $GLOBAL_ERROR{"usage"}="\n".
+ "$spc Usage: bastille [ -b | -c | -x ] [ --os <version> ] [ -f <alternate config> ]\n".
+- "$spc bastille [ -r | --assess | --assessnobowser ]\n\n".
++ "$spc bastille [ -r | --assess | --assessnobowser ] [ --os <version> ]\n\n".
+ "$spc --assess : check status of system and report in browser\n".
+ "$spc --assessnobrowser : check status of system and list report locations\n".
+ "$spc -b : use a saved config file to apply changes\n".
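Review bot: the rewritten usage line in Bastille/API.pm still spells the option `--assessnobowser` (missing "r"), while the description two lines below it and the bin/bastille usage text use `--assessnobrowser`. Since this line is being replaced anyway, correct the spelling in the same change. The API.pm synopsis also omits `-l` and `-h`, which the bin/bastille synopsis lists, so the two usage messages stay out of sync.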
diff --git a/recipes-security/bastille/files/organize_distro_discovery.patch b/recipes-security/bastille/files/organize_distro_discovery.patch
new file mode 100644
index 0000000..a38bae4
--- /dev/null
+++ b/recipes-security/bastille/files/organize_distro_discovery.patch
@@ -0,0 +1,470 @@
+Index: Bastille/Bastille/API.pm
+===================================================================
+--- Bastille.orig/Bastille/API.pm 2013-08-22 04:32:38.269968002 -0400
++++ Bastille/Bastille/API.pm 2013-08-22 11:29:53.137968002 -0400
+@@ -141,7 +141,7 @@
+ checkProcsForService
+
+
+- $GLOBAL_OS $GLOBAL_ACTUAL_OS $CLI
++ $CLI
+ $GLOBAL_LOGONLY $GLOBAL_VERBOSE $GLOBAL_DEBUG $GLOBAL_AUDITONLY $GLOBAL_AUDIT_NO_BROWSER $errorFlag
+ %GLOBAL_BIN %GLOBAL_DIR %GLOBAL_FILE
+ %GLOBAL_BDIR %GLOBAL_BFILE
+@@ -198,7 +198,7 @@
+ my $err ="ERROR: ";
+ my $spc =" ";
+ my $GLOBAL_OS="None";
+-my $GLOBAL_ACTUAL_OS="None";
++my $GLOBAL_INFERRED_OS="None";
+ my %GLOBAL_SUMS=();
+ my $CLI='';
+
+@@ -306,7 +306,7 @@
+
+ ###########################################################################
+ #
+-# GetDistro checks to see if the target is a known distribution and reports
++# InferDistro checks to see if the target is a known distribution and reports
+ # said distribution.
+ #
+ # This is used throughout the script, but also by ConfigureForDistro.
+@@ -314,205 +314,194 @@
+ #
+ ###########################################################################
+
+-sub GetDistro() {
++sub InferDistro() {
+
+ my ($release,$distro);
+
+- # Only read files for the distro once.
+- # if the --os option was used then
+- if ($GLOBAL_OS eq "None") {
+- if ( -e "/etc/mandrake-release" ) {
+- open(MANDRAKE_RELEASE,"/etc/mandrake-release");
+- $release=<MANDRAKE_RELEASE>;
+-
+- if ( ($release =~ /^Mandrake Linux release (\d+\.\d+\w*)/) or ($release =~ /^Linux Mandrake release (\d+\.\d+\w*)/) ) {
+- $distro="MN$1";
+- }
+- elsif ( $release =~ /^Mandrakelinux release (\d+\.\d+)\b/ ) {
+- $distro="MN$1";
+- }
+- else {
+- print STDERR "$err Couldn't determine Mandrake/Mandriva version! Setting to 10.1!\n";
+- $distro="MN10.1";
+- }
+-
+- close(MANDRAKE_RELEASE);
+- }
+- elsif ( -e "/etc/immunix-release" ) {
+- open(IMMUNIX_RELEASE,"/etc/immunix-release");
+- $release=<IMMUNIX_RELEASE>;
+- unless ($release =~ /^Immunix Linux release (\d+\.\d+\w*)/) {
+- print STDERR "$err Couldn't determine Immunix version! Setting to 6.2!\n";
+- $distro="RH6.2";
+- }
+- else {
+- $distro="RH$1";
+- }
+- close(*IMMUNIX_RELEASE);
+- }
+- elsif ( -e '/etc/fedora-release' ) {
+- open(FEDORA_RELEASE,'/etc/fedora-release');
+- $release=<FEDORA_RELEASE>;
+- close FEDORA_RELEASE;
+- if ($release =~ /^Fedora Core release (\d+\.?\d*)/) {
+- $distro = "RHFC$1";
+- }
+- elsif ($release =~ /^Fedora release (\d+\.?\d*)/) {
+- $distro = "RHFC$1";
+- }
+- else {
+- print STDERR "$err Could not determine Fedora version! Setting to Fedora Core 8\n";
+- $distro='RHFC8';
+- }
++ if ( -e "/etc/mandrake-release" ) {
++ open(MANDRAKE_RELEASE,"/etc/mandrake-release");
++ $release=<MANDRAKE_RELEASE>;
++
++ if ( ($release =~ /^Mandrake Linux release (\d+\.\d+\w*)/) or ($release =~ /^Linux Mandrake release (\d+\.\d+\w*)/) ) {
++ $distro="MN$1";
++ }
++ elsif ( $release =~ /^Mandrakelinux release (\d+\.\d+)\b/ ) {
++ $distro="MN$1";
++ }
++ else {
++ print STDERR "$err Could not infer Mandrake/Mandriva version! Setting to 10.1!\n";
++ $distro="MN10.1";
++ }
++
++ close(MANDRAKE_RELEASE);
++ }
++ elsif ( -e "/etc/immunix-release" ) {
++ open(IMMUNIX_RELEASE,"/etc/immunix-release");
++ $release=<IMMUNIX_RELEASE>;
++ unless ($release =~ /^Immunix Linux release (\d+\.\d+\w*)/) {
++ print STDERR "$err Could not infer Immunix version! Setting to 6.2!\n";
++ $distro="RH6.2";
++ }
++ else {
++ $distro="RH$1";
+ }
+- elsif ( -e "/etc/redhat-release" ) {
+- open(*REDHAT_RELEASE,"/etc/redhat-release");
+- $release=<REDHAT_RELEASE>;
+- if ($release =~ /^Red Hat Linux release (\d+\.?\d*\w*)/) {
+- $distro="RH$1";
+- }
+- elsif ($release =~ /^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)/) {
+- $distro="RHEL$1$2";
+- }
+- elsif ($release =~ /^Red Hat Enterprise Linux ([AEW]S) release (\d+)/) {
+- $distro="RHEL$2$1";
++ close(*IMMUNIX_RELEASE);
++ }
++ elsif ( -e '/etc/fedora-release' ) {
++ open(FEDORA_RELEASE,'/etc/fedora-release');
++ $release=<FEDORA_RELEASE>;
++ close FEDORA_RELEASE;
++ if ($release =~ /^Fedora Core release (\d+\.?\d*)/) {
++ $distro = "RHFC$1";
++ }
++ elsif ($release =~ /^Fedora release (\d+\.?\d*)/) {
++ $distro = "RHFC$1";
++ }
++ else {
++ print STDERR "$err Could not infer Fedora version! Setting to Fedora Core 8\n";
++ $distro='RHFC8';
++ }
++ }
++ elsif ( -e "/etc/redhat-release" ) {
++ open(*REDHAT_RELEASE,"/etc/redhat-release");
++ $release=<REDHAT_RELEASE>;
++ if ($release =~ /^Red Hat Linux release (\d+\.?\d*\w*)/) {
++ $distro="RH$1";
++ }
++ elsif ($release =~ /^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)/) {
++ $distro="RHEL$1$2";
++ }
++ elsif ($release =~ /^Red Hat Enterprise Linux ([AEW]S) release (\d+)/) {
++ $distro="RHEL$2$1";
++ }
++ elsif ($release =~ /^CentOS release (\d+\.\d+)/) {
++ my $version = $1;
++ if ($version =~ /^4\./) {
++ $distro='RHEL4AS';
+ }
+- elsif ($release =~ /^CentOS release (\d+\.\d+)/) {
+- my $version = $1;
+- if ($version =~ /^4\./) {
+- $distro='RHEL4AS';
+- }
+- elsif ($version =~ /^3\./) {
+- $distro='RHEL3AS';
+- }
+- else {
+- print STDERR "$err Could not determine CentOS version! Setting to Red Hat Enterprise 4 AS.\n";
+- $distro='RHEL4AS';
+- }
+- }
+- else {
+- # JJB/HP - Should this be B_log?
+- print STDERR "$err Couldn't determine Red Hat version! Setting to 9!\n";
+- $distro="RH9";
+- }
+- close(REDHAT_RELEASE);
+-
+- }
+- elsif ( -e "/etc/debian_version" ) {
+- $stable="3.1"; #Change this when Debian stable changes
+- open(*DEBIAN_RELEASE,"/etc/debian_version");
+- $release=<DEBIAN_RELEASE>;
+- unless ($release =~ /^(\d+\.\d+\w*)/) {
+- print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n";
+- $distro="DB$stable";
++ elsif ($version =~ /^3\./) {
++ $distro='RHEL3AS';
+ }
+ else {
+- $distro="DB$1";
+- }
+- close(DEBIAN_RELEASE);
+- }
+- elsif ( -e "/etc/SuSE-release" ) {
+- open(*SUSE_RELEASE,"/etc/SuSE-release");
+- $release=<SUSE_RELEASE>;
+- if ($release =~ /^SuSE Linux (\d+\.\d+\w*)/i) {
+- $distro="SE$1";
+- }
+- elsif ($release =~ /^SUSE LINUX Enterprise Server (\d+\.?\d?\w*)/i) {
+- $distro="SESLES$1";
+- }
+- elsif ($release =~ /^SUSE Linux Enterprise Server (\d+\.?\d?\w*)/i) {
+- $distro="SESLES$1";
+- }
+- elsif ($release =~ /^openSuSE (\d+\.\d+\w*)/i) {
+- $distro="SE$1";
++ print STDERR "$err Could not infer CentOS version! Setting to Red Hat Enterprise 4 AS.\n";
++ $distro='RHEL4AS';
+ }
+- else {
+- print STDERR "$err Couldn't determine SuSE version! Setting to 10.3!\n";
+- $distro="SE10.3";
+- }
+- close(SUSE_RELEASE);
+- }
+- elsif ( -e "/etc/turbolinux-release") {
+- open(*TURBOLINUX_RELEASE,"/etc/turbolinux-release");
+- $release=<TURBOLINUX_RELEASE>;
+- unless ($release =~ /^Turbolinux Workstation (\d+\.\d+\w*)/) {
+- print STDERR "$err Couldn't determine TurboLinux version! Setting to 7.0!\n";
+- $distro="TB7.0";
+- }
+- else {
+- $distro="TB$1";
+- }
+- close(TURBOLINUX_RELEASE);
++ }
++ else {
++ # JJB/HP - Should this be B_log?
++ print STDERR "$err Could not infer Red Hat version! Setting to 9!\n";
++ $distro="RH9";
++ }
++ close(REDHAT_RELEASE);
++
++ }
++ elsif ( -e "/etc/debian_version" ) {
++ $stable="3.1"; #Change this when Debian stable changes
++ open(*DEBIAN_RELEASE,"/etc/debian_version");
++ $release=<DEBIAN_RELEASE>;
++ unless ($release =~ /^(\d+\.\d+\w*)/) {
++ print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n";
++ $distro="DB$stable";
++ }
++ else {
++ $distro="DB$1";
++ }
++ close(DEBIAN_RELEASE);
++ }
++ elsif ( -e "/etc/SuSE-release" ) {
++ open(*SUSE_RELEASE,"/etc/SuSE-release");
++ $release=<SUSE_RELEASE>;
++ if ($release =~ /^SuSE Linux (\d+\.\d+\w*)/i) {
++ $distro="SE$1";
++ }
++ elsif ($release =~ /^SUSE LINUX Enterprise Server (\d+\.?\d?\w*)/i) {
++ $distro="SESLES$1";
++ }
++ elsif ($release =~ /^SUSE Linux Enterprise Server (\d+\.?\d?\w*)/i) {
++ $distro="SESLES$1";
++ }
++ elsif ($release =~ /^openSuSE (\d+\.\d+\w*)/i) {
++ $distro="SE$1";
++ }
++ else {
++ print STDERR "$err Could not infer SuSE version! Setting to 10.3!\n";
++ $distro="SE10.3";
+ }
++ close(SUSE_RELEASE);
++ }
++ elsif ( -e "/etc/turbolinux-release") {
++ open(*TURBOLINUX_RELEASE,"/etc/turbolinux-release");
++ $release=<TURBOLINUX_RELEASE>;
++ unless ($release =~ /^Turbolinux Workstation (\d+\.\d+\w*)/) {
++ print STDERR "$err Could not infer TurboLinux version! Setting to 7.0!\n";
++ $distro="TB7.0";
++ }
+ else {
+- # We're either on Mac OS X, HP-UX or an unsupported O/S.
+- if ( -x '/usr/bin/uname') {
++ $distro="TB$1";
++ }
++ close(TURBOLINUX_RELEASE);
++ }
++ else {
++ # We're either on Mac OS X, HP-UX or an unsupported O/S.
++ if ( -x '/usr/bin/uname') {
+ # uname is in /usr/bin on Mac OS X and HP-UX
+- $release=`/usr/bin/uname -sr`;
+- }
+- else {
+- print STDERR "$err Could not determine operating system version!\n";
+- $distro="unknown"
+- }
+-
+- # Figure out what kind of system we're on.
+- if ($release ne "") {
+- if ($release =~ /^Darwin\s+(\d+)\.(\d+)/) {
+- if ($1 == 6 ) {
+- $distro = "OSX10.2";
+- }
+- elsif ($1 == 7) {
+- $distro = "OSX10.3";
+- }
+- elsif ($1 == 8) {
+- $distro = "OSX10.3";
+- }
+- else {
+- $distro = "unknown";
+- }
++ $release=`/usr/bin/uname -sr`;
++ }
++ else {
++ print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
++ $distro="unknown";
++ }
++
++ # Figure out what kind of system we're on.
++ if ($release ne "") {
++ if ($release =~ /^Darwin\s+(\d+)\.(\d+)/) {
++ if ($1 == 6 ) {
++ $distro = "OSX10.2";
+ }
+- elsif ( $release =~ /(^HP-UX)\s*B\.(\d+\.\d+)/ ) {
+- $distro="$1$2";
++ elsif ($1 == 7) {
++ $distro = "OSX10.3";
+ }
++ elsif ($1 == 8) {
++ $distro = "OSX10.3";
++ }
+ else {
+- print STDERR "$err Could not determine operating system version!\n";
+- $distro="unknown";
++ print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
++ $distro = "unknown";
+ }
+ }
++ elsif ( $release =~ /(^HP-UX)\s*B\.(\d+\.\d+)/ ) {
++ $distro="$1$2";
++ }
++ else {
++ print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
++ $distro="unknown";
++ }
+ }
+-
+- $GLOBAL_OS=$distro;
+- } elsif (not (defined $GLOBAL_OS)) {
+- print "ERROR: GLOBAL OS Scoping Issue\n";
+- } else {
+- $distro = $GLOBAL_OS;
+ }
+-
+ return $distro;
+ }
+
+ ###################################################################################
+-# &getActualDistro; #
++# &getInferredDistro; #
+ # #
+ # This subroutine returns the actual os version in which is running on. This #
+ # os version is independent of the --os switch feed to bastille. #
+ # #
+ ###################################################################################
+-sub getActualDistro {
+- # set local variable to $GLOBAL_OS
++sub getInferredDistro {
++ if ($GLOBAL_INFERRED_OS eq "None") {
++ $GLOBAL_INFERRED_OS = &InferDistro;
++ }
++ return $GLOBAL_INFERRED_OS;
++}
+
+- if ($GLOBAL_ACTUAL_OS eq "None") {
+- my $os = $GLOBAL_OS;
+- # undef GLOBAL_OS so that the GetDistro routine will return
+- # the actualDistro, it might otherwise return the distro set
+- # by the --os switch.
+- $GLOBAL_OS = "None";
+- $GLOBAL_ACTUAL_OS = &GetDistro;
+- # reset the GLOBAL_OS variable
+- $GLOBAL_OS = $os;
++sub GetDistro {
++ if ($GLOBAL_OS eq "None") {
++ return &getInferredDistro;
+ }
+- return $GLOBAL_ACTUAL_OS;
++ return $GLOBAL_OS;
+ }
++
+ # These are helper routines which used to be included inside GetDistro
+ sub is_OS_supported($) {
+ my $os=$_[0];
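Review bot: the new GetDistro only falls back to inference when `$GLOBAL_OS eq "None"` and drops the `not (defined $GLOBAL_OS)` branch the old code had, so an undefined `$GLOBAL_OS` is now returned to the caller as the distro. That case is reachable: setOptions in upgrade_options_processing.patch assigns `$GLOBAL_OS = $opts{os}` unconditionally, and BastilleBackEnd initialises `my $os_version=undef;` and passes it as `os => $os_version` when `--os` is not given. Treat an undefined value the same as "None", either here or by defaulting it in setOptions, so that a run without `--os` still gets the inferred distro. The comment block above getInferredDistro also still describes "the actual os version", which no longer matches the inferred/specified wording used elsewhere in the patch.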
+@@ -556,7 +545,8 @@
+ "SE7.2","SE7.3", "SE8.0","SE8.1","SE9.0","SE9.1",
+ "SE9.2","SE9.3","SE10.0","SE10.1","SE10.2","SE10.3",
+ "SESLES8","SESLES9","SESLES10",
+- "TB7.0"
++ "TB7.0",
++ "Yocto"
+ ],
+
+ "HP-UX" => [
+@@ -882,23 +872,19 @@
+ ###########################################################################
+ sub ConfigureForDistro {
+
+- my $retval=1;
+-
+- # checking to see if the os version given is in fact supported
+ my $distro = &GetDistro;
+
+- # checking to see if the actual os version is in fact supported
+- my $actualDistro = &getActualDistro;
++ my $inferredDistro = &getInferredDistro;
++
++ if (! ($inferredDistro eq $distro) ) {
++ print STDERR "WARNING: Inferred distro $inferredDistro is not the same as specified distro $distro. Using specified distro.\n";
++ }
++
+ $ENV{'LOCALE'}=''; # So that test cases checking for english results work ok.
+- if ((! &is_OS_supported($distro)) or (! &is_OS_supported($actualDistro)) ) {
+- # if either is not supported then print out a list of supported versions
+- if (! &is_OS_supported($distro)) {
+- print STDERR "$err '$distro' is not a supported operating system.\n";
+- }
+- else {
+- print STDERR "$err Bastille is unable to operate correctly on this\n";
+- print STDERR "$spc $distro operating system.\n";
+- }
++
++ if (! &is_OS_supported($distro)) {
++ print STDERR "$err '$distro' is not a supported operating system.\n";
++
+ my %supportedOSHash = &getSupportedOSHash;
+ print STDERR "$spc Valid operating system versions are as follows:\n";
+
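Review bot: ConfigureForDistro no longer checks that the platform it is running on is supported; a mismatch between `$inferredDistro` and `$distro` is reduced to a warning and the specified value always wins. For a tool whose back end edits system files, that means a mistyped or wrong `--os` value selects another platform's file and service map with nothing but a STDERR line to flag it. Consider keeping the refusal on the path that applies changes, or requiring `--force` to override a conflicting inference. On a Yocto image the warning will also appear on every run with `--os Yocto`, because InferDistro has no branch that returns "Yocto" and falls through to "unknown"; suppressing the warning when the inferred value is "unknown" would avoid that noise.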
+@@ -930,7 +916,7 @@
+ # intend via setting the Perl umask
+ umask(077);
+
+- &getFileAndServiceInfo($distro,$actualDistro);
++ &getFileAndServiceInfo($distro,$distro);
+
+ # &dumpFileInfo; # great for debuging file location issues
+ # &dumpServiceInfo; # great for debuging service information issues
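Review bot: `&getFileAndServiceInfo($distro,$distro);` now passes the same value in both positions, which makes the second parameter redundant. If the callee still needs to know the platform it is really running on, as LogAPI.pm does when it calls `&getInferredDistro` to pick the log directory, pass `$inferredDistro` there; otherwise drop the second argument and simplify the callee.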
+@@ -942,7 +928,7 @@
+ "$spc You must use Bastille\'s -n flag (for example:\n" .
+ "$spc bastille -f -n) or \'touch $nodisclaim_file \'\n";
+
+- return $retval;
++ return 1;
+ }
+
+
+Index: Bastille/Bastille/LogAPI.pm
+===================================================================
+--- Bastille.orig/Bastille/LogAPI.pm 2013-08-22 04:32:38.269968002 -0400
++++ Bastille/Bastille/LogAPI.pm 2013-08-22 04:32:47.509968002 -0400
+@@ -111,7 +111,7 @@
+ # do this here to prevent bootstrapping problem, where we need to
+ # write an error that the errorlog location isn't defined.
+ my $logdir="/var/log/Bastille";
+- if(&getActualDistro =~ "^HP-UX"){
++ if(&getInferredDistro =~ "^HP-UX"){
+ $logdir = "/var/opt/sec_mgmt/bastille/log/";
+ }
+
diff --git a/recipes-security/bastille/files/upgrade_options_processing.patch b/recipes-security/bastille/files/upgrade_options_processing.patch
new file mode 100644
index 0000000..5889a57
--- /dev/null
+++ b/recipes-security/bastille/files/upgrade_options_processing.patch
@@ -0,0 +1,85 @@
+Index: Bastille/Bastille/API.pm
+===================================================================
+--- Bastille.orig/Bastille/API.pm 2013-08-21 11:41:09.235950000 -0400
++++ Bastille/Bastille/API.pm 2013-08-21 11:41:16.183950000 -0400
+@@ -271,9 +271,15 @@
+ # setOptions takes six arguments, $GLOBAL_DEBUG, $GLOBAL_LOGONLY,
+ # $GLOBAL_VERBOSE, $GLOBAL_AUDITONLY, $GLOBAL_AUDIT_NO_BROWSER, and GLOBAL_OS;
+ ###########################################################################
+-sub setOptions($$$$$$) {
+- ($GLOBAL_DEBUG,$GLOBAL_LOGONLY,$GLOBAL_VERBOSE,$GLOBAL_AUDITONLY,
+- $GLOBAL_AUDIT_NO_BROWSER,$GLOBAL_OS) = @_;
++sub setOptions {
++ my %opts = @_;
++
++ $GLOBAL_DEBUG = $opts{debug};
++ $GLOBAL_LOGONLY = $opts{logonly};
++ $GLOBAL_VERBOSE = $opts{verbose};
++ $GLOBAL_AUDITONLY = $opts{auditonly};
++ $GLOBAL_AUDIT_NO_BROWSER = $opts{audit_no_browser};
++ $GLOBAL_OS = $opts{os};
+ if ($GLOBAL_AUDIT_NO_BROWSER) {
+ $GLOBAL_AUDITONLY = 1;
+ }
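Review bot: the comment directly above setOptions still says it "takes six arguments", but the sub now takes named key/value pairs, so the comment should list the accepted keys (`debug`, `logonly`, `verbose`, `auditonly`, `audit_no_browser`, `os`). As written, a misspelled key is silently ignored and every key the caller omits overwrites the corresponding global with undef. Rejecting unknown keys and applying defaults for missing ones would make the new calling convention safer than the positional one it replaces.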
+Index: Bastille/BastilleBackEnd
+===================================================================
+--- Bastille.orig/BastilleBackEnd 2013-08-21 11:41:09.235950000 -0400
++++ Bastille/BastilleBackEnd 2013-08-21 12:40:54.055950001 -0400
+@@ -50,15 +50,13 @@
+ my $nodisclaim = 0;
+ my $verbose = 0;
+ my $force = 0;
+-my $log_only = 0;
+ my $debug = 0;
+ my $alternate_config=undef;
+
+ if( Getopt::Long::GetOptions( "n" => \$nodisclaim,
+ "v" => \$verbose,
+ "force" => \$force,
+-# "log" => \$log_only, # broken
+- "f:s" => \$alternate_config,
++ "f=s" => \$alternate_config,
+ "debug" => \$debug) ) {
+ $error = 0; # no parse error
+
+@@ -66,7 +64,9 @@
+ $error = 1; # parse error
+ }
+
+-&setOptions($debug,$log_only,$verbose);
++&setOptions(
++ debug => $debug,
++ verbose => $verbose);
+ &ConfigureForDistro;
+
+ if ( $error ) { # GetOptions couldn't parse all of the args
+Index: Bastille/InteractiveBastille
+===================================================================
+--- Bastille.orig/InteractiveBastille 2013-08-21 11:41:09.235950000 -0400
++++ Bastille/InteractiveBastille 2013-08-21 12:40:30.531950001 -0400
+@@ -234,8 +234,8 @@
+ "a" => \$audit,
+ "force" => \$force,
+ "log" => \$log_only,
+- "os:s" => \$os_version,
+- "f:s" => \$alternate_config,
++ "os=s" => \$os_version,
++ "f=s" => \$alternate_config,
+ "debug" => \$debug) ) {
+ $error = 0; # no parse error
+ } else {
+@@ -293,7 +293,13 @@
+ $UseRequiresRules = 'N';
+ }
+
+-&setOptions($debug,$log_only,$verbose,$audit,$auditnobrowser,$os_version);
++&setOptions(
++ debug => $debug,
++ logonly => $log_only,
++ verbose => $verbose,
++ auditonly => $audit,
++ audit_no_browser => $auditnobrowser,
++ os => $os_version);
+ &ConfigureForDistro;
+
+ # ensuring mutually exclusive options are exclusive
--
1.7.10.4
* [PATCH 5/6] Bastille: set Yocto specific questions via config file.
2013-08-27 22:13 [PATCH 0/6] [meta-security] Bastille bug fixes and enhancements mulhern
` (3 preceding siblings ...)
2013-08-27 22:14 ` [PATCH 4/6] Bastille: accept and observe --os flag in multiple situations mulhern
@ 2013-08-27 22:14 ` mulhern
2013-08-27 22:14 ` [PATCH 6/6] Bastille: document the current status and usability of the Bastille install mulhern
5 siblings, 0 replies; 7+ messages in thread
From: mulhern @ 2013-08-27 22:14 UTC (permalink / raw)
To: yocto, mulhern
The Python script, set_required_questions.py, reads the list of questions and
answers from the config file and edits the REQUIRE_DISTRO field for those
questions in the questions file so that it includes "Yocto" if it is not
already present. This has the effect of causing Bastille, when loading
questions for the Yocto distribution, to load only those that are answered
in the existing config file. Under the assumption that the existing config
file contains question/answer pairs that are relevant to the Yocto project,
this will cause the interactive question screen to have answers that are
relevant to the Yocto project.
Signed-off-by: mulhern <mulhern@yoctoproject.org>
---
recipes-security/bastille/bastille_3.2.1.bb | 3 +
.../bastille/files/set_required_questions.py | 135 ++++++++++++++++++++
2 files changed, 138 insertions(+)
create mode 100755 recipes-security/bastille/files/set_required_questions.py
diff --git a/recipes-security/bastille/bastille_3.2.1.bb b/recipes-security/bastille/bastille_3.2.1.bb
index 8969f6b..1c924e7 100644
--- a/recipes-security/bastille/bastille_3.2.1.bb
+++ b/recipes-security/bastille/bastille_3.2.1.bb
@@ -139,6 +139,9 @@ do_install () {
install -m 0644 OSMap/HP-UX.service ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/OSX.bastille ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/OSX.system ${D}${datadir}/Bastille/OSMap
+
+ ${THISDIR}/files/set_required_questions.py ${WORKDIR}/config Questions
+
install -m 0777 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config
for file in `cat Modules.txt` ; do
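Review bot: the added do_install line runs the script straight from `${THISDIR}/files/` instead of listing it in SRC_URI and invoking it from `${WORKDIR}`, so the script is not part of the recipe's tracked inputs, later edits to it will not cause the task to rerun, and the build depends on the layer checkout keeping the executable bit and on whatever `python` the host resolves through `/usr/bin/env`. Add `file://set_required_questions.py` to SRC_URI and call it from `${WORKDIR}`. Separately, the context line `install -m 0777 ${WORKDIR}/config` leaves the Bastille configuration world-writable on the target; `0644`, as used by the OSMap installs just above, would be the safer mode for a file that records hardening answers.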
diff --git a/recipes-security/bastille/files/set_required_questions.py b/recipes-security/bastille/files/set_required_questions.py
new file mode 100755
index 0000000..a432dc5
--- /dev/null
+++ b/recipes-security/bastille/files/set_required_questions.py
@@ -0,0 +1,135 @@
+#!/usr/bin/env python
+
+import argparse, os, shutil, sys, tempfile
+from os import path
+
+
+
+def get_config(lines):
+ """
+ From a sequence of lines retrieve the question file name, question identifier
+ pairs.
+ """
+ for l in lines:
+ if not l.startswith("#"):
+ try:
+ (coord, value) = l.split("=")
+ try:
+ (fname, ident) = coord.split(".")
+ yield fname, ident
+ except ValueError as e:
+ raise ValueError("Badly formatted coordinates %s in line %s." % (coord, l.strip()))
+ except ValueError as e:
+ raise ValueError("Skipping badly formatted line %s, %s" % (l.strip(), e))
+
+
+
+def check_contains(line, name):
+ """
+ Check if the value field for REQUIRE_DISTRO contains the given name.
+ @param name line The REQUIRE_DISTRO line
+ @param name name The name to look for in the value field of the line.
+ """
+ try:
+ (label, distros) = line.split(":")
+ return name in distros.split()
+ except ValueError as e:
+ raise ValueError("Error splitting REQUIRE_DISTRO line: %s" % e)
+
+
+
+def add_requires(the_ident, distro, lines):
+
+ """
+ Yield a sequence of lines the same as lines except that where
+ the_ident matches a question identifier change the REQUIRE_DISTRO so that
+ it includes the specified distro.
+
+ @param name the_ident The question identifier to be matched.
+ @param name distro The distribution to added to the questions REQUIRE_DISTRO
+ field.
+ @param lines The sequence to be processed.
+ """
+ for l in lines:
+ yield l
+ if l.startswith("LABEL:"):
+ try:
+ (label, ident) = l.split(":")
+ if ident.strip() == the_ident:
+ break
+ except ValueError as e:
+ raise ValueError("Unexpected line %s in questions file." % l.strip())
+ for l in lines:
+ if l.startswith("REQUIRE_DISTRO"):
+ if not check_contains(l, distro):
+ yield l.rstrip() + " " + distro + "\n"
+ else:
+ yield l
+ break;
+ else:
+ yield l
+ for l in lines:
+ yield l
+
+
+
+def xform_file(qfile, distro, qlabel):
+ questions_in = open(qfile)
+ questions_out = tempfile.NamedTemporaryFile(delete=False)
+ for l in add_requires(qlabel, distro, questions_in):
+ questions_out.write(l)
+ questions_out.close()
+ questions_in.close()
+ shutil.move(questions_out.name, qfile)
+
+
+
+def handle_args(parser):
+ parser.add_argument('config_file',
+ help = "Configuration file path.")
+ parser.add_argument('questions_dir',
+ help = "Directory containing Questions files.")
+ parser.add_argument('--distro', '-d',
+ help = "The distribution, the default is Yocto.",
+ default = "Yocto")
+ return parser.parse_args()
+
+
+
+def check_args(args):
+ args.config_file = os.path.abspath(args.config_file)
+ args.questions_dir = os.path.abspath(args.questions_dir)
+
+ if not os.path.isdir(args.questions_dir):
+ raise ValueError("Specified Questions directory %s does not exist or is not a directory." % args.questions_dir)
+
+ if not os.path.isfile(args.config_file):
+ raise ValueError("Specified configuration file %s not found." % args.config_file)
+
+
+
+def main():
+ opts = handle_args(argparse.ArgumentParser(description="A simple script that sets required questions based on the question/answer pairs in a configuration file."))
+
+ try:
+ check_args(opts)
+ except ValueError as e:
+ sys.exit("Fatal error: %s" % e)
+
+
+ try:
+ config_in = open(opts.config_file)
+ for qfile, qlabel in get_config(config_in):
+ questions_file = os.path.join(opts.questions_dir, qfile + ".txt")
+ xform_file(questions_file, opts.distro, qlabel)
+ config_in.close()
+
+ except IOError as e:
+ sys.exit("Fatal error reading config file: %s" % e)
+ except ValueError as e:
+ sys.exit("Fatal error: %s" % e)
+
+
+
+if __name__ == "__main__":
+ main()
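Review bot: in get_config, `(coord, value) = l.split("=")` raises for blank lines and for any answer that itself contains "=", and the handler's message says "Skipping badly formatted line" although it re-raises and main() turns it into a fatal exit. The inner "Badly formatted coordinates" ValueError is also caught by the outer `except ValueError` and rewrapped. Skip lines that are empty after strip(), split with `l.split("=", 1)`, and either really skip the line or reword the message. In add_requires, the second loop scans forward to the next `REQUIRE_DISTRO` line without stopping at the next `LABEL:`, so a question that has no REQUIRE_DISTRO field would cause the following question's field to be edited, and an identifier that is never found is silently ignored. xform_file creates the temporary file with `delete=False` and does not clean it up if writing fails; `with` blocks and a try/finally would cover that.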
--
1.7.10.4
* [PATCH 6/6] Bastille: document the current status and usability of the Bastille install.
2013-08-27 22:13 [PATCH 0/6] [meta-security] Bastille bug fixes and enhancements mulhern
` (4 preceding siblings ...)
2013-08-27 22:14 ` [PATCH 5/6] Bastille: set Yocto specific questions via config file mulhern
@ 2013-08-27 22:14 ` mulhern
5 siblings, 0 replies; 7+ messages in thread
From: mulhern @ 2013-08-27 22:14 UTC (permalink / raw)
To: yocto, mulhern
The README file is updated to indicate the functionality of Bastille that is
actually available.
The recipe file is updated with a pointer to the README file.
An additional patch is added so that when Bastille is run in interactive mode
it will not attempt to make any changes to the system. This is better than
attempting to make the changes and making the screen flicker. The text on the
final screen has been updated appropriately.
Signed-off-by: mulhern <mulhern@yoctoproject.org>
---
README | 44 +++++++++++++-------
recipes-security/bastille/bastille_3.2.1.bb | 3 ++
.../bastille/files/do_not_apply_config.patch | 34 +++++++++++++++
3 files changed, 65 insertions(+), 16 deletions(-)
create mode 100644 recipes-security/bastille/files/do_not_apply_config.patch
diff --git a/README b/README
index c9549f9..1df88b5 100644
--- a/README
+++ b/README
@@ -43,22 +43,34 @@ help for each package.
like rcp and rlogin, and helps create "chroot jails" that help limit the
vulnerability of common Internet services like Web services and DNS.
- usage : Bastille can be used via meta-security layer only in command line mode.
- To start Bastille simply write in a terminal :
-
- bastille -c
-
- If this is the first usage of Bastille on the system, the user will be
- guided through a list of questions which need to be answered. In the end,
- a config file will be created and run. After these steps, you will have a
- hardened system.
-
- If you only want to run the config file, without stepping through the
- list of questions, simply write in a terminal :
-
- bastille -b
-
- More information can be found in the package readme and manual.
+ usage : The functionality of Bastille which is available is
+ restricted to a purely informational one. The command:
+ bastille -c --os Yocto
+ will cause a series of menus containing security questions
+ about the system to be displayed to the user. For each
+ question, a default response, specified in the configuration
+ file which is installed with Bastille, will be selected.
+ The user may select an alternate response. When the user
+ has completed the sequence of menus Bastille saves the
+ responses to the configuration file.
+
+ The command:
+ bastille -l lists the configuration files that Bastille
+ is able to locate.
+
+ The other functionality which Bastille is intended to provide
+ is actually unavailable. This is not due to errors in poky
+ installation or configuration of the application. The Bastille
+ distribution is no longer supported. Significant modifications
+ would be required to make it possible to make use of the
+ functionality which is currently unavailable.
+
+
+ Additional information about Bastille can be found in the package
+ README file and other documentation.
+
+ Alternatives to Bastille include buck-security and checksecurity,
+ described elsewhere in this file.
== redhat-security ==
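Review bot: the new usage text says the other functionality "is actually unavailable" without naming it, while the text it replaces documented `bastille -b` and promised a hardened system at the end. Please state explicitly which options are affected and that running Bastille from this layer applies no changes to the system, so that nobody treats an image as hardened because Bastille was run on it. The `bastille -l` example also shares a line with its description, unlike the `bastille -c --os Yocto` example above it.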
diff --git a/recipes-security/bastille/bastille_3.2.1.bb b/recipes-security/bastille/bastille_3.2.1.bb
index 1c924e7..06215a2 100644
--- a/recipes-security/bastille/bastille_3.2.1.bb
+++ b/recipes-security/bastille/bastille_3.2.1.bb
@@ -1,3 +1,5 @@
+#The functionality of Bastille that is actually available is restricted. Please
+#consult the README file for the meta-security layer for additional information.
SUMMARY = "Linux hardening tool"
DESCRIPTION = "Bastille Linux is a Hardening and Reporting/Auditing Program which enhances the security of a Linux box, by configuring daemons, system settings and firewalling."
LICENSE = "GPLv2"
@@ -29,6 +31,7 @@ SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3
file://allow_os_with_assess.patch \
file://edit_usage_message.patch \
file://organize_distro_discovery.patch \
+ file://do_not_apply_config.patch \
"
SRC_URI[md5sum] = "df803f7e38085aa5da79f85d0539f91b"
diff --git a/recipes-security/bastille/files/do_not_apply_config.patch b/recipes-security/bastille/files/do_not_apply_config.patch
new file mode 100644
index 0000000..f7de6f8
--- /dev/null
+++ b/recipes-security/bastille/files/do_not_apply_config.patch
@@ -0,0 +1,34 @@
+Index: Bastille/Bastille_Curses.pm
+===================================================================
+--- Bastille.orig/Bastille_Curses.pm 2013-08-27 16:43:39.130959000 -0400
++++ Bastille/Bastille_Curses.pm 2013-08-27 16:43:39.794959000 -0400
+@@ -83,11 +83,6 @@
+ # Output answers to the script and display
+ &outputConfig;
+
+- # Run Bastille
+-
+- &Run_Bastille_with_Config;
+-
+-
+ # Display Credits
+
+ open CREDITS,"/usr/share/Bastille/Credits";
+Index: Bastille/InteractiveBastille
+===================================================================
+--- Bastille.orig/InteractiveBastille 2013-08-27 16:43:39.434959000 -0400
++++ Bastille/InteractiveBastille 2013-08-27 17:18:55.758959000 -0400
+@@ -531,10 +531,10 @@
+ " Please address bug reports and suggestions to jay\@bastille-linux.org\n" .
+ "\n";
+
+- $InterfaceEndScreenDescription = "We will now implement the choices you have made here.\n\n" .
++ $InterfaceEndScreenDescription = "We will now record the choices you have made here.\n\n" .
+ "Answer NO if you want to go back and make changes!\n";
+- $InterfaceEndScreenQuestion = "Are you finished answering the questions, i.e. may we make the changes?";
+- $InterfaceEndScreenNoEpilogue = "Please use Back/Next buttons to move among the questions you wish to\nchange.\n\nChoose YES on this question later to implement your choices.\n";
++ $InterfaceEndScreenQuestion = "Are you finished answering the questions, i.e. may we record the answers and exit?";
++ $InterfaceEndScreenNoEpilogue = "Please use Back/Next buttons to move among the questions you wish to\nchange.\n\nChoose YES on this question later to record your choices.\n";
+ require Bastille_Curses;
+ } elsif ($GLOBAL_AUDITONLY) {
+
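Review bot: The new do_not_apply_config.patch starts directly at "Index: Bastille/Bastille_Curses.pm" with no header, so it carries no description, no Upstream-Status line and no Signed-off-by. Add a short header explaining why the "&Run_Bastille_with_Config;" call is dropped and why the end-screen strings now say "record" instead of "implement", so the reason travels with the patch file and not only with this commit message. In the InteractiveBastille hunk the reworded strings sit in the branch that ends with "require Bastille_Curses;"; if another interface branch sets the same $InterfaceEndScreen* variables, it needs the same wording change, which is not visible from these lines.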
--
1.7.10.4