On Friday 21 December 2007 09:13:21 am Kevin Fenzi wrote:

<snip to address only Bastille>

> > 5: Bastille
> > Be sure to incorporate the most important Bastille fixes
> > (www.bastille-linux.org). This project appears to have stalled and
> > requires an older version of Fedora to run, unless you're a Perl
> > ninja =) Maybe we should contact the developer (Jay Beale), and ask
> > him what he needs to revive the project? Perhaps the Fedora
> > community can be of assistance.
>

Since 2000 or so I, or people I know, have found the Bastille project stalled for a platform that it needed to be evaluated against, on at least three occasions. Pulling it up on rpmfind.net, the last changelog entry reads:

* Sun Apr 16 2006 Jay Beale <email redacted> 3.0.9-1.0
- Added support for Fedora Core 5
- Added support for SUSE 10.0
- Added support for Mandrake 10.0, 10.1, 2006...
- Added support for OS X Tiger (10.4) - preliminary

> We should take a look I agree, but many of the things bastille did/does
> are not useful these days. Disabling rsh/rlogin? Disabling compilers
> (your point 4 I guess)? Setting more aggressive security defaults on
> some applications? Many of the things it does we should be doing in the
> packages we ship, not trying to modify after install.
>

Usefulness depends upon what you're doing. For instance, Bastille was supported on HP-UX, though I no longer know how well. I've seen one environment where not only were the Berkeley 'r' programs still used very heavily, but also rusers, in which case the portmapper had to be accessible. Granted, this is the sort of thing that applies mostly to non-GUI, often headless, installs. This is probably not a typical environment for Fedora, but one that definitely does happen, and with some frequency.

> Would anyone be interested in culling through and coming up with a list
> of items we should address that bastille does?
>

That would require someone who's running a distro that's pretty old.

If I still had a SuSE 10.0 or FC5 box, I'd have already run Bastille in evaluation mode, just to see where it was a couple of years ago. If enough people want to see the information, I'd be willing to load FC5 on a box, on a temporary basis, after the holidays. I could also run it from the source tarball on more recent Fedoras, again in eval mode, just for some comparison data.

Be advised that, working alone, it could take me a couple of weeks to produce all the data. Time is somewhat limited. I've not looked at the code in some time, so I don't know if I'd have to run it against, say, a minimal, GNOME, and KDE install for each version. Also, not being familiar with the current code, it could be full of security or other bugs. The bz2 tarball is 312 KB. That's a fair amount of Perl, which may not have received a plethora of eyeballs, and I've no idea what (if any) test harnesses may have been used, etc.

If there's a lot of demand for the information, hopefully someone will also come forward to split the testing load with me. If not, I can live with that, and run everything by mid-January. Actually, I'd *have* to complete it by then, and I can't offer even a cursory code review. Someone may want to take a look at the requires and provides list for some hints about that. This is down to time issues that are beyond my control. My window runs from 1/2/07 through 1/14/07, inclusive. Sorry, folks, but it's the best I can do.

I have to admit that I'm not sanguine about receiving an adequate return on investment from Bastille. The periodic halts in the project could mean a fair commitment of resources to avoid future problems. I've also heard stories from people who were able to run it, but found major problems in the ability of typical end users to use it correctly. Overall quality of code is also a huge unknown.

That said, I'm not wedded to my opinion. This is just my two cents. Actual data is always preferable, if the community decides to seriously explore this.

Not knowing exactly how to define that, as I don't know the size of this community, I'm making an arbitrary call: if a dozen people ask me to do it, I will. If any one person volunteers to split the load, I'll do it. I should probably look for list archives, and grep around for unique posters, just to get an idea of community size. But not today. Last-minute Christmas shopping is the higher priority.

Jingle bells, and best wishes,

Greg

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list