%define name Bastille
%define version 3.0.9
%define release 1.0

Autoreq: 0
Summary: Bastille tightens security on a Red Hat, Mandrake, Debian, Turbo, Gentoo, SuSE Linux, Mac OS X or HP-UX system.
Name: %{name}
Version: 3.0.9
Release: 2
Source0: http://www.bastille-linux.org/jay/%{name}-%{version}.tar.bz2
Group: System/Configuration/Other
License: GPL
BuildRoot: %{_tmppath}/%{name}-buildroot
Prefix: %{_prefix}
# Apparently not. -Scott
#BuildArchitectures: noarch

%description
Bastille is a system hardening / lockdown program which enhances the security
of a Unix host. It configures daemons, system settings and firewalls to be
more secure. It can shut off unneeded services and r-tools, like rcp and
rlogin, and helps create "chroot jails" that help limit the vulnerability of
common Internet services like Web services and DNS. This tool currently
hardens Red Hat Enterprise Linux, Legacy, and Fedora Core, as well as Debian,
SUSE, Gentoo, Mandrake Linux, Mac OS X, and HP-UX.

If run in the preferred Interactive mode, it can teach you a good deal about
security while personalizing your system security state. If run in the quicker
Automated mode, it can quickly tighten your machine, but not nearly as
effectively (since user/sysadmin education is an important step!).

Bastille can also assess the state of a system, which may serve as an aid to
security administrators, auditors and system administrators who wish to
investigate the state of their system's hardening without making changes to
it.
To run:
    bastille [(-b|-c|-r|-x|--assess|--assessnobrowser)]
        -b : use a saved config file to apply changes directly to system
        -c : use the Curses (non-X11) GUI
        -r : revert Bastille changes to original file versions (pre-Bastille)
        -x : use the Perl/Tk (X11) GUI
        --assess : use the assessment functionality, viewing results in a browser
        --assessnobrowser: use the assessment functionality without a browser

%prep
[ -n "$RPM_BUILD_ROOT" -a "$RPM_BUILD_ROOT" != / ] && rm -rf $RPM_BUILD_ROOT
%setup -n Bastille
#%patch -p0

%build

%install
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
mkdir -p $RPM_BUILD_ROOT%{_libdir}/Bastille
mkdir -p $RPM_BUILD_ROOT%{_libdir}/Bastille/Curses
mkdir -p $RPM_BUILD_ROOT%{_datadir}/Bastille
mkdir -p $RPM_BUILD_ROOT%{_datadir}/Bastille/firewall
mkdir -p $RPM_BUILD_ROOT%{_datadir}/Bastille/OSMap
mkdir -p $RPM_BUILD_ROOT%{_datadir}/Bastille/Questions
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/Bastille
mkdir -p $RPM_BUILD_ROOT/usr/share/man/man8
mkdir -p $RPM_BUILD_ROOT/usr/share/man/man1
mkdir -p $RPM_BUILD_ROOT/usr
mkdir -p $RPM_BUILD_ROOT/usr/bin
mkdir -p $RPM_BUILD_ROOT/var/lock/subsys/bastille
mkdir -p $RPM_BUILD_ROOT/var/log/Bastille/Audit/QuestionData

cp AutomatedBastille $RPM_BUILD_ROOT%{_sbindir}
#cp BastilleChooser $RPM_BUILD_ROOT%{_sbindir}
cp BastilleBackEnd $RPM_BUILD_ROOT%{_sbindir}
cp Bastille_Curses.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille_Tk.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille_Audit.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Curses/Widgets.pm $RPM_BUILD_ROOT%{_libdir}/Bastille/Curses
cp InteractiveBastille $RPM_BUILD_ROOT%{_sbindir}
cp bin/bastille $RPM_BUILD_ROOT%{_sbindir}
#cp Questions.txt $RPM_BUILD_ROOT%{_datadir}/Bastille
cp Credits $RPM_BUILD_ROOT%{_datadir}/Bastille
cp complete.xbm $RPM_BUILD_ROOT%{_datadir}/Bastille
cp incomplete.xbm $RPM_BUILD_ROOT%{_datadir}/Bastille
cp docs/bastille.1m $RPM_BUILD_ROOT%{_datadir}/man/man1
cp docs/user_guide.txt $RPM_BUILD_ROOT%{_datadir}/Bastille
cp firewall/portforward.sh $RPM_BUILD_ROOT%{_datadir}/Bastille/firewall/portforward.sh
cp firewall/fwnotes.txt $RPM_BUILD_ROOT%{_datadir}/Bastille/firewall/fwnotes.txt
cp RevertBastille $RPM_BUILD_ROOT%{_sbindir}
cp bastille-firewall $RPM_BUILD_ROOT%{_datadir}/Bastille
cp bastille-ipchains $RPM_BUILD_ROOT%{_datadir}/Bastille
cp bastille-netfilter $RPM_BUILD_ROOT%{_datadir}/Bastille
cp bastille-firewall-pre-audit.sh $RPM_BUILD_ROOT%{_datadir}/Bastille
cp bastille-firewall-early.sh $RPM_BUILD_ROOT%{_sysconfdir}/Bastille
cp bastille-firewall-reset $RPM_BUILD_ROOT%{_datadir}/Bastille
cp bastille-firewall-schedule $RPM_BUILD_ROOT%{_datadir}/Bastille
cp bastille-tmpdir-defense.sh $RPM_BUILD_ROOT%{_datadir}/Bastille
cp bastille-tmpdir.csh $RPM_BUILD_ROOT%{_datadir}/Bastille
cp bastille-tmpdir.sh $RPM_BUILD_ROOT%{_datadir}/Bastille
cp bastille-firewall.cfg $RPM_BUILD_ROOT%{_datadir}/Bastille
cp ifup-local $RPM_BUILD_ROOT%{_datadir}/Bastille
cp hosts.allow $RPM_BUILD_ROOT%{_datadir}/Bastille

# Fort Knox Linux configurations
mkdir -p $RPM_BUILD_ROOT%{_datadir}/Bastille/FKL/configs
cp FKL/configs/fkl_config_suse.cfg $RPM_BUILD_ROOT%{_datadir}/Bastille/FKL/configs
cp FKL/configs/fkl_config_redhat.cfg $RPM_BUILD_ROOT%{_datadir}/Bastille/FKL/configs

# Bastille Action modules
cp Bastille/AccountSecurity.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/Apache.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/API.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/LogAPI.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/IOLoader.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/BootSecurity.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/ConfigureMiscPAM.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/DisableUserTools.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/DNS.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/FilePermissions.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/FTP.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/HP_API.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/OSX_API.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/HP_UX.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/Firewall.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/IPFilter.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/Logging.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/MiscellaneousDaemons.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/Patches.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/Printing.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/PSAD.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/RemoteAccess.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/SecureInetd.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/Sendmail.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/TMPDIR.pm $RPM_BUILD_ROOT%{_libdir}/Bastille

# New Testing modules
cp Bastille/TestAPI.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/test_AccountSecurity.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/test_Apache.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/test_BootSecurity.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/test_DisableUserTools.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/test_DNS.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/test_FilePermissions.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/test_FTP.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/test_HP_UX.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/test_Logging.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/test_MiscellaneousDaemons.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/test_Printing.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/test_SecureInetd.pm $RPM_BUILD_ROOT%{_libdir}/Bastille
cp Bastille/test_Sendmail.pm $RPM_BUILD_ROOT%{_libdir}/Bastille

# New OSMap files that describe file locations and startup service details on each OS
cp OSMap/LINUX.bastille $RPM_BUILD_ROOT/usr/share/Bastille/OSMap
cp OSMap/LINUX.system $RPM_BUILD_ROOT/usr/share/Bastille/OSMap
cp OSMap/LINUX.service $RPM_BUILD_ROOT/usr/share/Bastille/OSMap
cp OSMap/HP-UX.bastille $RPM_BUILD_ROOT/usr/share/Bastille/OSMap
cp OSMap/HP-UX.system $RPM_BUILD_ROOT/usr/share/Bastille/OSMap
cp OSMap/HP-UX.service $RPM_BUILD_ROOT/usr/share/Bastille/OSMap
cp OSMap/OSX.bastille $RPM_BUILD_ROOT/usr/share/Bastille/OSMap
cp OSMap/OSX.system $RPM_BUILD_ROOT/usr/share/Bastille/OSMap

# New Modules.txt and Questions/ files
cp Modules.txt $RPM_BUILD_ROOT/usr/share/Bastille
for file in `cat Modules.txt` ; do
    cp Questions/$file.txt $RPM_BUILD_ROOT/usr/share/Bastille/Questions
done

# New Weights file(s).
cp Weights.txt $RPM_BUILD_ROOT/usr/share/Bastille

# Castle graphic
cp bastille.jpg $RPM_BUILD_ROOT/usr/share/Bastille/

# Javascript file
cp wz_tooltip.js $RPM_BUILD_ROOT/usr/share/Bastille/

%clean
[ -n "$RPM_BUILD_ROOT" -a "$RPM_BUILD_ROOT" != / ] && rm -rf $RPM_BUILD_ROOT
rm -fr $RPM_BUILD_ROOT/%{name}

%post
if [ -d /var/log/Bastille/undo ]; then
    if [ -d /var/log/Bastille/revert ]; then
        echo "WARNING: Both 'undo' and 'revert' Bastille directories exist in"
        echo "         /var/log/Bastille.  'undo' directory will not"
        echo "         be migrated."
    else
        mv /var/log/Bastille/undo /var/log/Bastille/revert
        ln -s /var/log/Bastille/revert /var/log/Bastille/undo
        if [ -f /var/log/Bastille/revert/undo-actions ]; then
            mv /var/log/Bastille/revert/undo-actions /var/log/Bastille/revert/revert-actions
            ln -s /var/log/Bastille/revert/revert-actions /var/log/Bastille/revert/undo-actions
        fi
    fi
fi

if [ -e /usr/sbin/UndoBastille ] ; then
    rm -f /usr/sbin/UndoBastille
fi
if [ -e /usr/sbin/RevertBastille ] ; then
    ln -s /usr/sbin/RevertBastille /usr/sbin/UndoBastille
fi

if [ -e /usr/lib/perl5/site_perl/Bastille_Curses.pm ] ; then
    rm -f /usr/lib/perl5/site_perl/Bastille_Curses.pm
fi
if [ -e /usr/lib/perl5/site_perl/Bastille_Tk.pm ] ; then
    rm -f /usr/lib/perl5/site_perl/Bastille_Tk.pm
fi

%preun
if [ -e /usr/sbin/UndoBastille ] ; then
    rm -f /usr/sbin/UndoBastille
fi
if [ -e /etc/Bastille/bastille-firewall-early.sh.bsave ] ; then
    rm -f /etc/Bastille/bastille-firewall-early.sh.bsave
fi
if [ -e /etc/Bastille/bastille-firewall-early.sh ]; then
    cp -p /etc/Bastille/bastille-firewall-early.sh \
          /etc/Bastille/bastille-firewall-early.sh.bsave
fi

%postun
if [ -e /etc/Bastille/bastille-firewall-early.sh.bsave -a \( \! -e \
       /etc/Bastille/bastille-firewall-early.sh \) ]; then
    mv /etc/Bastille/bastille-firewall-early.sh.bsave \
       /etc/Bastille/bastille-firewall-early.sh
fi
if [ -e /etc/Bastille/bastille-firewall-early.sh.bsave ] ; then
    rm -f /etc/Bastille/bastille-firewall-early.sh.bsave
fi

%files
%defattr(-,root,root,0755)
%doc README docs/readme.automate docs/readme.ftp docs/readme.interfaces docs/readme.patch COPYING Credits VERSION complete.xbm incomplete.xbm
%defattr(-,root,root,0600)
%attr(0700,root,root) %{_sbindir}/AutomatedBastille
#%attr(0700,root,root) %{_sbindir}/BastilleChooser
%attr(0700,root,root) %{_sbindir}/BastilleBackEnd
%{_libdir}/Bastille/Bastille_Tk.pm
%{_libdir}/Bastille/Bastille_Curses.pm
%{_libdir}/Bastille/Bastille_Audit.pm
%{_libdir}/Bastille/Curses/Widgets.pm
%attr(0700,root,root) %{_sbindir}/InteractiveBastille
%attr(0700,root,root) %{_sbindir}/bastille
#%{_datadir}/Bastille/Questions.txt
%{_datadir}/Bastille/Credits
%{_datadir}/Bastille/user_guide.txt
%{_datadir}/Bastille/complete.xbm
%{_datadir}/Bastille/incomplete.xbm
%{_datadir}/Bastille/firewall/portforward.sh
%{_datadir}/Bastille/firewall/fwnotes.txt
#%attr(0700,root,root) %{_sbindir}/UndoBastille
%attr(0700,root,root) %{_sbindir}/RevertBastille
%{_datadir}/Bastille/bastille-firewall-pre-audit.sh
%{_datadir}/Bastille/bastille-firewall-reset
%{_datadir}/Bastille/bastille-firewall-schedule
%{_datadir}/Bastille/bastille-tmpdir-defense.sh
%{_datadir}/Bastille/bastille-tmpdir.csh
%{_datadir}/Bastille/bastille-tmpdir.sh
%{_datadir}/Bastille/ifup-local
%{_datadir}/Bastille/hosts.allow
%{_datadir}/Bastille/bastille-firewall
%{_datadir}/Bastille/bastille-firewall.cfg
%{_datadir}/Bastille/bastille-ipchains
%attr(0700,root,root) %{_sysconfdir}/Bastille/bastille-firewall-early.sh
%{_datadir}/Bastille/bastille-netfilter
%{_datadir}/man/man1/bastille.1m.gz
%attr(0700,root,root) %dir %{_libdir}/Bastille
%attr(0700,root,root) %dir %{_sysconfdir}/Bastille
%{_libdir}/Bastille/API.pm
%{_libdir}/Bastille/LogAPI.pm
%{_libdir}/Bastille/HP_API.pm
%{_libdir}/Bastille/OSX_API.pm
%{_libdir}/Bastille/HP_UX.pm
%{_libdir}/Bastille/AccountSecurity.pm
%{_libdir}/Bastille/Apache.pm
%{_libdir}/Bastille/BootSecurity.pm
%{_libdir}/Bastille/ConfigureMiscPAM.pm
%{_libdir}/Bastille/DNS.pm
%{_libdir}/Bastille/DisableUserTools.pm
%{_libdir}/Bastille/FTP.pm
%{_libdir}/Bastille/FilePermissions.pm
%{_libdir}/Bastille/Firewall.pm
%{_libdir}/Bastille/IPFilter.pm
%{_libdir}/Bastille/Logging.pm
%{_libdir}/Bastille/MiscellaneousDaemons.pm
%{_libdir}/Bastille/Patches.pm
%{_libdir}/Bastille/Printing.pm
%{_libdir}/Bastille/PSAD.pm
%{_libdir}/Bastille/RemoteAccess.pm
%{_libdir}/Bastille/SecureInetd.pm
%{_libdir}/Bastille/Sendmail.pm
%{_libdir}/Bastille/TMPDIR.pm
%{_libdir}/Bastille/IOLoader.pm

# Test modules
%{_libdir}/Bastille/TestAPI.pm
%{_libdir}/Bastille/test_AccountSecurity.pm
%{_libdir}/Bastille/test_Apache.pm
%{_libdir}/Bastille/test_BootSecurity.pm
%{_libdir}/Bastille/test_DisableUserTools.pm
%{_libdir}/Bastille/test_DNS.pm
%{_libdir}/Bastille/test_FilePermissions.pm
%{_libdir}/Bastille/test_FTP.pm
%{_libdir}/Bastille/test_HP_UX.pm
%{_libdir}/Bastille/test_Logging.pm
%{_libdir}/Bastille/test_MiscellaneousDaemons.pm
%{_libdir}/Bastille/test_Printing.pm
%{_libdir}/Bastille/test_SecureInetd.pm
%{_libdir}/Bastille/test_Sendmail.pm

# OSMap files
%{_datadir}/Bastille/OSMap/LINUX.bastille
%{_datadir}/Bastille/OSMap/LINUX.system
%{_datadir}/Bastille/OSMap/LINUX.service
%{_datadir}/Bastille/OSMap/HP-UX.bastille
%{_datadir}/Bastille/OSMap/HP-UX.system
%{_datadir}/Bastille/OSMap/HP-UX.service
%{_datadir}/Bastille/OSMap/OSX.bastille
%{_datadir}/Bastille/OSMap/OSX.system

# Questions files
%{_datadir}/Bastille/Modules.txt
%{_datadir}/Bastille/Questions/AccountSecurity.txt
%{_datadir}/Bastille/Questions/Apache.txt
%{_datadir}/Bastille/Questions/BootSecurity.txt
%{_datadir}/Bastille/Questions/ConfigureMiscPAM.txt
%{_datadir}/Bastille/Questions/DNS.txt
%{_datadir}/Bastille/Questions/DisableUserTools.txt
%{_datadir}/Bastille/Questions/FTP.txt
%{_datadir}/Bastille/Questions/FilePermissions.txt
%{_datadir}/Bastille/Questions/Firewall.txt
%{_datadir}/Bastille/Questions/HP_UX.txt
%{_datadir}/Bastille/Questions/IPFilter.txt
%{_datadir}/Bastille/Questions/Logging.txt
%{_datadir}/Bastille/Questions/MiscellaneousDaemons.txt
%{_datadir}/Bastille/Questions/Patches.txt
%{_datadir}/Bastille/Questions/Printing.txt
%{_datadir}/Bastille/Questions/PSAD.txt
%{_datadir}/Bastille/Questions/SecureInetd.txt
%{_datadir}/Bastille/Questions/Sendmail.txt
%{_datadir}/Bastille/Questions/TMPDIR.txt

# Weights Files
%{_datadir}/Bastille/Weights.txt

# Castle Image file
%{_datadir}/Bastille/bastille.jpg

# Javascript files
%{_datadir}/Bastille/wz_tooltip.js

# Fort Knox Linux files
%{_datadir}/Bastille/FKL/configs/fkl_config_suse.cfg
%{_datadir}/Bastille/FKL/configs/fkl_config_redhat.cfg

/var/lock/subsys/bastille

%changelog
* Tue Apr 15 2006 Jay Beale 3.0.9-1.0
- Added support for Fedora Core 5
- Added support for SUSE 10.0
- Added support for Mandrake 10.0, 10.1, 2006...
- Added support for OS X Tiger (10.4) - preliminary

* Thu Apr 21 2005 Jay Beale 3.0.4-1.0
- Fixed a passwdqc item

* Wed Apr 20 2005 Jay Beale 3.0.3-1.0
- Added assessment support for RHEL4 and preliminary hardening support
- Fixed a bug on systems that don't have passwdqc PAM module.
- Fixed a bug in our password aging parameters.
- Fixed a RH6.x-specific problem with mkdir's

* Tue Apr 19 2005 Jay Beale 3.0.2-1.0
- Fixed bug where Bastille tried to generate audit report in lockdown mode.

* Tue Apr 19 2005 Jay Beale 3.0.1-1.0
- Renamed "auditing" to "assessment"

* Mon Apr 18 2005 Jay Beale 2.3.0-0.1
- Brought Auditing code to full production capability

* Wed Apr 6 2005 Jay Beale 2.3.0-0.1
- Merged in Linux auditing code

* Fri Mar 25 2005 Jay Beale 2.2.8-1.0
- Corrected a bug where we try to modify /etc/rc.local on SuSE to implement
  process accounting. SuSE doesn't have one, so we changed the algorithm.
* Thu Mar 24 2005 Jay Beale 2.2.7-1.0
- Corrected bug where Bastille would log a non-fatal error on the lack of
  /etc/pam.d/{kde,gdm} files when KDE or Gnome hadn't been installed.
- Corrected bug where Bastille would log a non-fatal error on recent SuSE
  systems because we were still trying to tweak rc.config in addition to
  doing the normal chkconfig.

* Sun Mar 20 2005 Jay Beale 2.2.6-1.0
- Added --fkl switch to automatically implement the Fort Knox Linux configuration
- Fixed a bug reported by Len Lattanzi in Install-OSX.sh -- the script didn't
  run properly.
- Added new questions for deleting extraneous users and groups.
- Fixed Red Hat Fedora Core detection.
- Fixed grub password detection.

* Sat Mar 19 2005 Jay Beale 2.2.5-1.0
- Applied Paul Allen's patch to fix a bug in the front-end where we couldn't
  skip modules.

* Fri Mar 18 2005 Jay Beale 2.2.4-1.0
- Fixed a bug in two questions - one wasn't asked while the other wasn't
  fully activating a service.

* Thu Mar 17 2005 Jay Beale 2.2.3-0.1
- Fixed a showstopper bug in the less popular X Curses interface

* Thu Jan 27 2005 Jay Beale 2.2.2-0.2
- Fixed two tiny typo-related bugs

* Wed Jan 26 2005 Jay Beale 2.2.2-0.1
- Added a LAuS question and SLES8/9 recognition

* Tue Jan 25 2005 Jay Beale 2.2.1-0.1
- First test build of new code incorporating FKL-related items

* Mon Nov 15 2004 Jay Beale 2.2.0-0.2
- Fixed a chmod bug that was setting permissions too strongly.

* Wed Nov 14 2004 Jay Beale 2.2.0-0.1
- Changed Questions.txt into separate Questions files for each module (Jay Beale)
- Placed file locations and service names in OSMaps files (Tyler Easterling, HP)
- Added more distro support

* Sun Aug 29 2004 Jay Beale 2.1.3-0.2
- Fixed a Fedora-config parsing bug

* Sun Aug 29 2004 Jay Beale 2.1.3-0.1
- Updated Bastille for RHEL2 and Fedora