
FILE: IPChains.pm

LABEL: ip_intro
SHORT_EXP: "Using the ipchains script, you will be able to do packet
filtering/modification via the Linux kernel.  You can use this to block certain types
of connections to or from your machine, to turn your machine into a small firewall,
and to do Network Address Translation (also known as \"IP masquerading\"), which lets
several machines share a single IP address.

If you install the ipchains script, it will create firewalling instructions for you.  
You will be prompted to make various choices (with suggested defaults), but you may
need to edit it for your particular site and WILL need to individually activate it."
LONG_EXP:
QUESTION: "Would you like to run the ipchains script? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: ip_detail_level_kludge
NO_CHILD: patchdownload
PROPER_PARENT:

LABEL: ip_detail_level_kludge
SHORT_EXP:
LONG_EXP:
QUESTION:
DEFAULT_ANSWER: Y
YN_TOGGLE: 0
YES_CHILD: ip_exp_type
PROPER_PARENT: ip_intro


LABEL: ip_exp_type
SHORT_EXP: "You will be asked to choose initial settings for the firewall script. The 
defaults are generally the minimal recommended settings. To accept the default (shown
in brackets), press RETURN. To change a non-empty default to an empty value, enter
some whitespace before pressing RETURN.

Your responses should be whitespace delimited lists of items. IP addresses may be
entered in plain \"dotted-quad\" notation, with or without netmasks.  For instance,
\"10.0.0.0/8\" \"10.0.0.0/255.0.0.0\" \"10.0.0.0\" will all be read as legitimate ways
to express the 10.*.*.* \"class A\" network space.  If you have \"unexpected\"
networks like \"10.0.0.0/255.255.255.0\" or \"192.168.1.0/255.255.255.128\", you will
need to specify that explicitly.

Services can be entered as names (\"smtp\") or numbers (\"25\").  Be warned that any
names must explicitly match one of those listed in /etc/services. Ranges may be
specified with colons, e.g. \"1024:\" indicates all ports >= 1024, \"6000:6020\"
indicates ports 6000 to 6020, inclusive.

Unless you really understand networking, you should ask for more information on most
of the options in this script."
LONG_EXP:
QUESTION: 
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_advnetwork
NO_CHILD: ip_advnetwork
PROPER_PARENT: ip_intro
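The address and service notations described above (CIDR prefix, dotted netmask, bare network address, service names that must exist in /etc/services, and "lo:hi" / "lo:" port ranges) can be checked with a small parser. The following is an added example written for this page, not code from the Bastille IPChains script; reading a bare address such as "10.0.0.0" as its classful network is an assumption drawn from the text's "class A" example, and the FALLBACK_SERVICES table is constructed for hosts without /etc/services.

```python
"""Parse the address and service tokens the ipchains wizard accepts.

Added example, not part of IPChains.pm. Rules mirrored from the wizard text:
  - "10.0.0.0/8", "10.0.0.0/255.0.0.0" and "10.0.0.0" all mean the 10/8 space
    (the bare form is given a classful mask; that is an assumption here)
  - service names must resolve via /etc/services, numbers are taken as-is
  - "1024:" means ports >= 1024, "6000:6020" is an inclusive range
"""
import ipaddress
import socket
from typing import List, Tuple

MAX_PORT = 65535

# Constructed fallback, consulted only when the host has no /etc/services.
FALLBACK_SERVICES = {"smtp": 25, "ssh": 22, "domain": 53, "telnet": 23}


def classful_prefix(first_octet: int) -> int:
    """Historical class A/B/C prefix length for a bare network address."""
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def parse_network(spec: str) -> ipaddress.IPv4Network:
    """Accept a prefix length, a dotted netmask, or a bare network address."""
    spec = spec.strip()
    if "/" not in spec:
        addr = ipaddress.IPv4Address(spec)
        spec = f"{addr}/{classful_prefix(addr.packed[0])}"
    # ipaddress understands both "/8" and "/255.0.0.0"; strict=False lets a
    # host address such as 192.168.1.5/24 be read as its containing network.
    return ipaddress.IPv4Network(spec, strict=False)


def _port(token: str, proto: str) -> int:
    """A numeric port, or a name that must exist in the services database."""
    if token.isdigit():
        port = int(token)
        if not 0 <= port <= MAX_PORT:
            raise ValueError(f"port out of range: {token}")
        return port
    try:
        return socket.getservbyname(token, proto)
    except OSError:
        if token in FALLBACK_SERVICES:
            return FALLBACK_SERVICES[token]
        raise ValueError(f"unknown service name: {token}") from None


def parse_service(spec: str, proto: str = "tcp") -> Tuple[int, int]:
    """Return an inclusive (low, high) port range for one service token."""
    spec = spec.strip()
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        low = _port(lo, proto) if lo else 0
        high = _port(hi, proto) if hi else MAX_PORT
        if low > high:
            raise ValueError(f"inverted range: {spec}")
        return low, high
    port = _port(spec, proto)
    return port, port


def parse_list(answer: str, parser) -> List:
    """Apply a parser to every whitespace-delimited item of a wizard answer."""
    return [parser(item) for item in answer.split()]


if __name__ == "__main__":
    nets = "10.0.0.0/8 10.0.0.0/255.0.0.0 10.0.0.0 192.168.1.0/255.255.255.128"
    for net in parse_list(nets, parse_network):
        print(net)
    for rng in parse_list("smtp 25 1024: 6000:6020", parse_service):
        print(rng)
```

Running the block prints 10.0.0.0/8 three times (the three spellings the text says are equivalent), then 192.168.1.0/25 for the "unexpected" netmask that must be given explicitly, followed by the port ranges.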

LABEL: ip_advnetwork
SHORT_EXP: "Do you need the advanced networking options?  If this is a standalone
workstation or server with a single network interface (e.g. may connect to one of
several PPP servers, but is never connected to two different networks simultaneously),
then you do not need advanced networking options.

If this is a server that deals with multiple interfaces or provides IP
Masquerading/NAT service, then you do need the advanced networking options."
LONG_EXP:
QUESTION: "Do you need the advanced networking options?"
YN_TOGGLE: 1
DEFAULT_ANSWER: N
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_dns
NO_CHILD: ip_b_dns
PROPER_PARENT: ip_exp_type

LABEL: ip_s_dns
SHORT_EXP: "This controls what external servers you can use for DNS lookups. For
regular workstations, this should contain all your nameserver addresses, separated by
spaces. If you want to run a caching nameserver and/or run your own DNS, leave this at
\"0.0.0.0/0\" so you can query any DNS server. If you set this to an empty value, the
firewall script will read the current nameservers from /etc/resolv.conf when it is
run, which is the recommended configuration. This default is designed to ensure
functionality."
LONG_EXP: "DNS servers are used to translate names like \"example.org\" into addresses
like \"10.1.2.3\". You need to configure DNS for many pieces of software to function
properly. Your system administrator or Internet Service Provider should be able to
provide you with this information. Most users should simply leave this at
\"0.0.0.0/0\" (or make it blank) so the firewall script will be more forgiving (or do
the right thing automatically). For instance, DHCP clients often re-write
/etc/resolv.conf when obtaining a new lease. (This means you may want to configure
your system to run the firewall script both before _and_ after setting up your
DHCP-configured interface if you set this to the safest value, an empty string.) "
QUESTION: "DNS servers: [0.0.0.0/0]"
DEFAULT_ANSWER: 0.0.0.0/0
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_trustiface
NO_CHILD:
PROPER_PARENT: ip_advnetwork

LABEL: ip_s_trustiface
SHORT_EXP: "List the interface names of all interfaces you want to have unrestricted
access to this machine. You should at least trust \"lo\", the \"loopback\" interface."
LONG_EXP: "Interface names normally look like \"eth0\" for the first Ethernet card,
\"ppp0\" for a PPP connection, etc. Any traffic coming from the interfaces listed here
will be allowed by the kernel (though TCP Wrappers or the application itself may end
up denying the connection attempt). Basically, you will have no kernel-level firewall
protecting you from traffic on these interfaces, and should therefore think carefully
before changing the default.

List the interface names of all interfaces you want to have unrestricted
access to this machine. You should at least trust \"lo\", the \"loopback\" interface."
QUESTION: "Trusted interface names: [lo]"
DEFAULT_ANSWER: lo
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_publiciface
NO_CHILD:
PROPER_PARENT: ip_s_dns

LABEL: ip_s_publiciface
SHORT_EXP: "List names of all interfaces connected to public/untrusted networks. The
\"+\" character is a wildcard, e.g. \"ppp+\" matches any interface name beginning with
\"ppp\" in case you have multiple dialup profiles."
LONG_EXP: "List names of all interfaces connected to public/untrusted networks. The
\"+\" character is a wildcard, e.g. \"ppp+\" matches any interface name beginning with
\"ppp\" in case you have multiple dialup profiles.

Using the \"+\" suffix allows you to configure more interfaces (for
instance, more PPP dialup entries) without having to modify the firewall script. "
QUESTION: "Public interfaces: [eth+ ppp+ slip+]"
DEFAULT_ANSWER: eth+ ppp+ slip+
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_internaliface
NO_CHILD:
PROPER_PARENT: ip_s_trustiface

LABEL: ip_s_internaliface
SHORT_EXP: "This is for servers that will act as NAT / IP Masq firewalls between
local, but not fully trusted, networks and public networks like the Internet. List
names of all \"internal\" interfaces that might have full ability to use NAT / IP Masq
to contact public networks, but only limited access to services running on this
machine. Do not use \"+\" characters; name each interface explicitly."
LONG_EXP: "This is for servers that will act as NAT / IP Masq firewalls between
local, but not fully trusted, networks and public networks like the Internet. List
names of all \"internal\" interfaces that might have full ability to use NAT / IP Masq
to contact public networks, but only limited access to services running on this
machine. Do not use \"+\" characters; name each interface explicitly.

Normal workstations should leave this as the empty default. "
QUESTION: "Internal interfaces: [ ]"
DEFAULT_ANSWER: 
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_tcpaudit
NO_CHILD:
PROPER_PARENT: ip_s_publiciface

LABEL: ip_s_tcpaudit
SHORT_EXP: "List any TCP-based services (name or port number) that you want the kernel
to log connection attempts from the \"public\" interfaces."
LONG_EXP: "List any TCP-based services (name or port number) that you want the kernel
to log connection attempts from the \"public\" interfaces.

If you have \"syslog\" configured to log \"kern\" messages of \"info\"
level, the kernel will automatically log connection attempts from the \"public\"
interfaces (only the \"public\" interfaces) to these ports and/or services. This is
useful to spot possible probes or attacks. The default setting records connection
attempts to several services, although you may not have them installed or enabled. "
QUESTION: "TCP services to audit: [telnet ftp imap pop-3 finger sunrpc exec login
linuxconf ssh]"
DEFAULT_ANSWER: telnet ftp imap pop-3 finger sunrpc exec login linuxconf ssh
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_udpaudit
NO_CHILD:
PROPER_PARENT: ip_s_internaliface

LABEL: ip_s_udpaudit
SHORT_EXP: "List any UDP-based services (name or port number) that you want the kernel
to log connection attempts from the \"public\" interfaces.  The default here is port
31337, the standard port for the infamous \"Back Orifice\" trojan/remote-control app
for Windows systems."
LONG_EXP: "List any UDP-based services (name or port number) that you want the kernel
to log connection attempts from the \"public\" interfaces.  The default here is port
31337, the standard port for the infamous \"Back Orifice\" trojan/remote-control app
for Windows systems.

While attackers probing for Back Orifice may not pose a threat to your
Linux system, logging their attempts helps identify the \"bad guys\". "
QUESTION: "UDP services to audit: [31337]"
DEFAULT_ANSWER: 31337
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_icmpaudit
NO_CHILD:
PROPER_PARENT: ip_s_tcpaudit

LABEL: ip_s_icmpaudit
SHORT_EXP: "List any ICMP-based services (name or port number) that you want the kernel
to log connection attempts from the \"public\" interfaces.  These should be specified
as types, not numbers. One example is \"echo-request\" which is used by Microsoft ping
and tracert [sic] clients."
LONG_EXP:
QUESTION: "ICMP services to audit: [ ]"
DEFAULT_ANSWER: 
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_publictcp
NO_CHILD:
PROPER_PARENT: ip_s_udpaudit

LABEL: ip_s_publictcp
SHORT_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"public\" interfaces. Typical workstations will not want to make any services
available, though admins may want to enable something like SSH (default port: 22) for
remote administration. Those running caching or \"real\" DNS servers on this machine
will want to enable domain (or port 53). If you want to make FTP available to clients
on the \"public\" interfaces, you will want to allow the range of IP addresses used
for \"passive\" FTP connections."
LONG_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"public\" interfaces. Typical workstations will not want to make any services
available, though admins may want to enable something like SSH (default port: 22) for
remote administration. Those running caching or \"real\" DNS servers on this machine
will want to enable domain (or port 53). If you want to make FTP available to clients
on the \"public\" interfaces, you will want to allow the range of IP addresses used
for \"passive\" FTP connections.

You will need to list the names or port numbers of any services running on
this machine that you want hosts on the \"public\" network to access. For instance, if
you have a local Web server you want to share, add \"80\" for the normal HTTP port.
Not doing so means you will be able to access the service locally, but \"public\"
hosts will not."
QUESTION: "TCP service names or port numbers to allow on public interfaces: [ ]"
DEFAULT_ANSWER: 
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_publicudp
NO_CHILD:
PROPER_PARENT: ip_s_icmpaudit

LABEL: ip_s_publicudp
SHORT_EXP: "List names or port numbers on which to accept UDP connection attempts from
the \"public\" interfaces. Again, typical workstations will not want to make any
services available, but if you're running caching or real DNS servers, you will need
to enable domain (port 53)."
LONG_EXP:
QUESTION: "UDP service names or port numbers to allow on public interfaces: [ ]"
DEFAULT_ANSWER: 
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_internaltcp
NO_CHILD:
PROPER_PARENT: ip_s_publictcp
 
LABEL: ip_s_internaltcp
SHORT_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"internal\" interfaces.  Note that the \"public\" services will not be made
available to \"internal\" hosts unless you also specify those services again here. If
you want to make FTP available to clients on the \"internal\" interfaces, you will
want to allow the range of IP addresses used for \"passive\" FTP connections. "
LONG_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"internal\" interfaces.  Note that the \"public\" services will not be made
available to \"internal\" hosts unless you also specify those services again here. If
you want to make FTP available to clients on the \"internal\" interfaces, you will
want to allow the range of IP addresses used for \"passive\" FTP connections.

For instance, a corporate firewall/mailserver might have \"smtp\" enabled
on the public side to accept outside mail, and for \"internal\" interfaces it might
allow both \"smtp\" and \"imap\" so local users can both send and get mail; in that
case you would set this value to \"smtp imap\". This does not affect IP Masquerading's
ability to let masq'ed users access any services on outside/Internet hosts. "
QUESTION: "TCP service names or port numbers to allow on private interfaces: [ ]"
DEFAULT_ANSWER: 
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_internaludp
NO_CHILD:
PROPER_PARENT: ip_s_publicudp

LABEL: ip_s_internaludp
SHORT_EXP: "List names or port numbers on which to accept UDP connection attempts from
the \"internal\" interfaces. Note that the \"public\" services will not be made
available to \"internal\" hosts unless you also specify those services again here."
LONG_EXP: "List names or port numbers on which to accept UDP connection attempts from
the \"internal\" interfaces. Note that the \"public\" services will not be made
available to \"internal\" hosts unless you also specify those services again here.

As with internal TCP, the \"public\" list is not reused here. You do not need to
enable domain service if the internal clients are using IP Masq to query outside DNS
servers. "
QUESTION: "UDP service names or port numbers to allow on private interfaces: [ ]"
DEFAULT_ANSWER: 
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_passiveftp
NO_CHILD:
PROPER_PARENT: ip_s_internaltcp

LABEL: ip_s_passiveftp
SHORT_EXP: "This has nothing to do with whether you are running an FTP _server_ on
this machine; this has to do with how clients running on this machine will talk to
_other_ machines running FTP servers reachable through the \"public\" interfaces. By
forcing your local FTP clients to use \"passive\" mode, you will not have to be as
cautious about blocking specific \"high\" TCP services. Set to \"Y\" to force
\"passive\" FTP; the default \"N\" will allow you to use normal, \"active\" FTP.
Forcing passive mode (\"Y\") is recommended, but less convenient."
LONG_EXP: "This has nothing to do with whether you are running an FTP _server_ on
this machine; this has to do with how clients running on this machine will talk to
_other_ machines running FTP servers reachable through the \"public\" interfaces. By
forcing your local FTP clients to use \"passive\" mode, you will not have to be as
cautious about blocking specific \"high\" TCP services. Set to \"Y\" to force
\"passive\" FTP; the default \"N\" will allow you to use normal, \"active\" FTP.
Forcing passive mode (\"Y\") is recommended, but less convenient.

Forcing passive FTP will make using some FTP clients more of a hassle, as
you may need to manually tell them to use passive mode, but many clients such as
Netscape Navigator have no problem with passive FTP. If you have problems with FTP,
this is the first place to look. "
QUESTION: "Force passive mode? [N]" 
DEFAULT_ANSWER: N
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 1
YES_EXP: 
NO_EXP:
YES_CHILD: ip_s_tcpblock
NO_CHILD: ip_s_tcpblock
PROPER_PARENT: ip_s_internaludp

LABEL: ip_s_tcpblock
SHORT_EXP: "Specify TCP services to block.  These rules take effect _after_ the TCP
services to make public. If you allow the use of \"active\" FTP clients
(FORCE_PASV_FTP at its default of \"0\"), you will need to be careful here, and will
want to make sure you block all TCP services listening on high ports. If you are
forcing \"passive\" FTP, you may ignore this setting."
LONG_EXP: "Specify TCP services to block.  These rules take effect _after_ the TCP
services to make public. If you allow the use of \"active\" FTP clients
(FORCE_PASV_FTP at its default of \"0\"), you will need to be careful here, and will
want to make sure you block all TCP services listening on high ports. If you are
forcing \"passive\" FTP, you may ignore this setting.

We have listed the services we have observed. To be more cautious, you
should look at the output of 'lsof -i' (run as root) once the system is up and all
services are running. "
QUESTION: "TCP services to block: [2049 2065:2090 6000:6020 7100]"
DEFAULT_ANSWER: 2049 2065:2090 6000:6020 7100
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_udpblock
NO_CHILD:
PROPER_PARENT: ip_s_passiveftp
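The ordering the passive-FTP and TCP-block questions above describe (trusted interfaces bypass the firewall, services made public are accepted first, the block rules take effect after them, and anything else on a public interface gets the reject method) can be exercised with a first-match simulation. The following is an added example written for this page, not the Bastille script's own rule generation: the Rule class, the decide() helper, the sample connection attempts and the numeric audit list are constructed here, and modelling the "active FTP" allowance as a rule accepting SYNs from source port 20 to ports >= 1024, placed after the block rules, is an assumption made to illustrate the text's warning about high ports.

```python
"""First-match simulation of an ipchains input chain built from the wizard's
answers, for an inbound TCP connection attempt (SYN) only.

Added example, not code from IPChains.pm. Chain order (from the wizard text):
  trusted interfaces -> public TCP allow rules -> TCP block rules ->
  (active FTP data allowance, assumption) -> catch-all reject method.
Logging follows the TCP audit list on public interfaces (the "-l" flag).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple

ANY = (0, 65535)


@dataclass
class Rule:
    iface: str                      # ipchains interface pattern; "+" is a wildcard
    dports: Tuple[int, int]         # inclusive destination port range
    target: str                     # ACCEPT, DENY or REJECT
    sports: Tuple[int, int] = ANY   # inclusive source port range


def iface_matches(pattern: str, iface: str) -> bool:
    """ipchains "+" matches any trailing characters, like a shell "*"."""
    return fnmatchcase(iface, pattern.replace("+", "*"))


def in_range(port: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= port <= rng[1]


def build_chain(trusted, public, public_tcp, tcp_block, reject_method,
                force_passive_ftp) -> List[Rule]:
    """Assemble the input chain in the order the wizard text implies."""
    chain: List[Rule] = []
    for ifc in trusted:                    # no kernel-level filtering at all
        chain.append(Rule(ifc, ANY, "ACCEPT"))
    for ifc in public:
        for rng in public_tcp:             # services made public come first
            chain.append(Rule(ifc, rng, "ACCEPT"))
        for rng in tcp_block:              # block rules take effect after them
            chain.append(Rule(ifc, rng, reject_method))
        if not force_passive_ftp:
            # Assumption for this example: with active FTP the remote server
            # (source port 20) must be able to open data connections to our
            # high ports, which is why unblocked high ports matter.
            chain.append(Rule(ifc, (1024, 65535), "ACCEPT", sports=(20, 20)))
        chain.append(Rule(ifc, ANY, reject_method))   # catch-all for public
    return chain


def classify(chain, public, tcp_audit, iface, sport, dport) -> Tuple[str, bool]:
    """First matching rule decides; returns (target, logged)."""
    on_public = any(iface_matches(p, iface) for p in public)
    logged = on_public and any(in_range(dport, r) for r in tcp_audit)
    for rule in chain:
        if (iface_matches(rule.iface, iface) and in_range(dport, rule.dports)
                and in_range(sport, rule.sports)):
            return rule.target, logged
    return "DENY", logged   # unlisted interface: assumed default for this example


# Constructed configuration: wizard defaults plus ssh made public.
CONFIG = dict(
    trusted=["lo"],
    public=["eth+", "ppp+", "slip+"],
    public_tcp=[(22, 22)],
    tcp_block=[(2049, 2049), (2065, 2090), (6000, 6020), (7100, 7100)],
    reject_method="DENY",
    force_passive_ftp=False,
)
# Numeric subset of the default audit list: telnet ftp imap pop-3 finger
# sunrpc exec login ssh (linuxconf omitted).
TCP_AUDIT = [(23, 23), (21, 21), (143, 143), (110, 110), (79, 79),
             (111, 111), (512, 512), (513, 513), (22, 22)]


def decide(iface: str, sport: int, dport: int,
           force_passive_ftp: bool = False) -> Tuple[str, bool]:
    """Verdict for one constructed SYN under CONFIG."""
    cfg = dict(CONFIG, force_passive_ftp=force_passive_ftp)
    chain = build_chain(**cfg)
    return classify(chain, cfg["public"], TCP_AUDIT, iface, sport, dport)


if __name__ == "__main__":
    samples = [("lo", 40000, 6000), ("ppp0", 40000, 22), ("eth0", 40000, 23),
               ("eth0", 20, 6000), ("eth0", 20, 5000)]
    for ifc, sp, dp in samples:
        print(ifc, sp, "->", dp, decide(ifc, sp, dp))
    print("eth0 20 -> 5000, passive forced:", decide("eth0", 20, 5000, True))
```

The last two sample attempts show the point of the block list: a data connection from source port 20 to port 6000 is stopped by the default block rule, while one to port 5000 is accepted unless passive FTP is forced, which is exactly the "high TCP services" the text asks you to block (or to avoid the issue by forcing passive mode).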

LABEL: ip_s_udpblock
SHORT_EXP: "Specify UDP services to block.  As with the TCP services, the UDP services
to make public will take precedence. The high UDP services that you do not block will
be reachable by any allowed NTP or DNS server. Sites with more such \"high UDP\"
services, or global DNS availability (as is the default, DNS_SERVERS=\"0.0.0.0/0\"),
will want to be sure they have all such high UDP services listed."
LONG_EXP:
QUESTION: "UDP services to block: [1066 2049 6770]"
DEFAULT_ANSWER: 1066 2049 6770
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_icmpallowed
NO_CHILD:
PROPER_PARENT: ip_s_tcpblock

LABEL: ip_s_icmpallowed
SHORT_EXP: "Specify the ICMP allowed types.  The default suggestion allows you to
probe other hosts with ping and traceroute. Minimally you will need to allow
\"destination-unreachable\"."
LONG_EXP: "Specify the ICMP allowed types.  The default suggestion allows you to
probe other hosts with ping and traceroute. Minimally you will need to allow
\"destination-unreachable\".

\"destination-unreachable\" lets other machines' servers tell your system
when things aren't right; don't disable this unless you really know what you're
getting into. If you don't allow \"echo-reply\" and \"time-exceeded\", you won't be
able to use ping and traceroute to debug issues on the \"public\" networks. "
QUESTION: "ICMP allowed types: [destination-unreachable echo-reply time-exceeded]"
DEFAULT_ANSWER: destination-unreachable echo-reply time-exceeded
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_srcaddr
NO_CHILD:
PROPER_PARENT: ip_s_udpblock

LABEL: ip_s_srcaddr
SHORT_EXP: "Do you want to enable source address verification? This configures the
kernel to block traffic likely to have spoofed IP addresses. Set to \"N\" to disable.
The default (\"Y\") is highly recommended."
LONG_EXP: "Do you want to enable source address verification? This configures the
kernel to block traffic likely to have spoofed IP addresses. Set to \"N\" to disable.
The default (\"Y\") is highly recommended.

This is a standard, and highly recommended, precaution. "
QUESTION: "Enable source address verification? [Y]"
DEFAULT_ANSWER: Y
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_ipmasq
NO_CHILD: ip_s_ipmasq
PROPER_PARENT: ip_s_icmpallowed

LABEL: ip_s_ipmasq
SHORT_EXP: "If this machine will be used as an IP Masquerading / Network Address
Translation gateway, enter the networks to be masqueraded (from trusted interfaces).
Example: \"10.0.0.0\". If you will not be using IP Masq / NAT, leave this as the empty
default."
LONG_EXP: "If this machine will be used as an IP Masquerading / Network Address
Translation gateway, enter the networks to be masqueraded (from trusted interfaces).
Example: \"10.0.0.0\". If you will not be using IP Masq / NAT, leave this as the empty
default.

Note this expects _network_ addresses (either with 0's on the end or with
explicit netmasks), _not_ interface names. "
QUESTION: "Masqueraded networks: [ ]"
DEFAULT_ANSWER:
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_kernelmasq
NO_CHILD:
PROPER_PARENT: ip_s_srcaddr

LABEL: ip_s_kernelmasq
SHORT_EXP: "Do you want to set any kernel modules to do IP masquerading?  Special
kernel modules are required to provide certain services via IP Masquerading. Possible
modules include cuseeme, ftp, irc, quake, raudio, and vdolive. The script assumes each
name should have the usual prefix, e.g. \"raudio\" will cause the script to load the
\"ip_masq_raudio\" module."
LONG_EXP:
QUESTION: "Kernel modules to masquerade: [ftp raudio vdolive]"
DEFAULT_ANSWER: ftp raudio vdolive
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_rejectmethod
NO_CHILD:
PROPER_PARENT: ip_s_ipmasq

LABEL: ip_s_rejectmethod
SHORT_EXP: "You need to set how the kernel rejects blocked traffic. \"REJECT\" is
friendly, lets the remote host know you're blocking their attempt (and can therefore
be used to prove you're on the network). \"DENY\" is unfriendly, simply drops the
connection attempt, leaving the remote host to wait, and probably give up after some
time."
LONG_EXP: "You need to set how the kernel rejects blocked traffic. \"REJECT\" is
friendly, lets the remote host know you're blocking their attempt (and can therefore
be used to prove you're on the network). \"DENY\" is unfriendly, simply drops the
connection attempt, leaving the remote host to wait, and probably give up after some
time.

There's no definite right answer here. You will probably not be
_completely_ invisible, even if you choose \"DENY\", but with \"DENY\" and _no_ public
services, you will not be visible to casual probes. "
QUESTION: "Reject method: [DENY]"
DEFAULT_ANSWER: DENY
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_dhcpiface
NO_CHILD:
PROPER_PARENT: ip_s_kernelmasq

LABEL: ip_s_dhcpiface
SHORT_EXP: "List the names of any interfaces this machine will need to make DHCP
_queries_ on to configure _its own_ interfaces. For example, a cable modem user with a
single ethernet interface might need to set this to \"eth0\"."
LONG_EXP:
QUESTION: "Interfaces for DHCP queries: [ ]"
DEFAULT_ANSWER: 
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_ntpsrv
NO_CHILD:
PROPER_PARENT: ip_s_rejectmethod

LABEL: ip_s_ntpsrv
SHORT_EXP: "If you want to query NTP time servers to synchronize your system time,
enter IP addresses or networks for those servers here. If you don't intend to make NTP
queries, leave this as the empty default."
LONG_EXP: "If you want to query NTP time servers to synchronize your system time,
enter IP addresses or networks for those servers here. If you don't intend to make NTP
queries, leave this as the empty default.

The same warnings about blocked UDP services and DNS servers apply here;
the hosts and networks you list here can connect to any high UDP port not explicitly
blocked. "
QUESTION: "NTP servers to query: [ ]"
DEFAULT_ANSWER: 
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_s_icmpout
NO_CHILD:
PROPER_PARENT: ip_s_dhcpiface

LABEL: ip_s_icmpout
SHORT_EXP: "Do you want to disable any outbound ICMP types?  If you disable the types
listed in the default, your machine will not be visible to normal traceroute probes
from hosts on your \"public\" interfaces."
LONG_EXP: "Do you want to disable any outbound ICMP types?  If you disable the types
listed in the default, your machine will not be visible to normal traceroute probes
from hosts on your \"public\" interfaces.

\"destination-unreachable\" is (ab)used by the traceroute program to check
routing to individual hosts. "
QUESTION: "ICMP types to disallow outbound: [destination-unreachable time-exceeded]"
DEFAULT_ANSWER: destination-unreachable time-exceeded
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_write_firewall
NO_CHILD:
PROPER_PARENT: ip_s_ntpsrv

LABEL: ip_b_dns
SHORT_EXP: "This controls what external servers you can use for DNS lookups. For
regular workstations, this should contain all your nameserver addresses, separated by
spaces. If you want to run a caching nameserver and/or run your own DNS, leave this at
\"0.0.0.0/0\" so you can query any DNS server. If you set this to an empty value, the
firewall script will read the current nameservers from /etc/resolv.conf when it is
run, which is the recommended configuration. This default is designed to ensure
functionality."
LONG_EXP: "This controls what external servers you can use for DNS lookups. For
regular workstations, this should contain all your nameserver addresses, separated by
spaces. If you want to run a caching nameserver and/or run your own DNS, leave this at
\"0.0.0.0/0\" so you can query any DNS server. If you set this to an empty value, the
firewall script will read the current nameservers from /etc/resolv.conf when it is
run, which is the recommended configuration. This default is designed to ensure
functionality.

DNS servers are used to translate names like \"example.org\" into addresses
like \"10.1.2.3\". You need to configure DNS for many pieces of software to function
properly. Your system administrator or Internet Service Provider should be able to
provide you with this information. Most users should simply leave this at
\"0.0.0.0/0\" (or make it blank) so the firewall script will be more forgiving (or do
the right thing automatically). For instance, DHCP clients often re-write
/etc/resolv.conf when obtaining a new lease. (This means you may want to configure
your system to run the firewall script both before _and_ after setting up your
DHCP-configured interface if you set this to the safest value, an empty string.) "
QUESTION: "DNS Servers: [0.0.0.0/0]"
DEFAULT_ANSWER: 0.0.0.0/0
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_publiciface
NO_CHILD:
PROPER_PARENT: ip_advnetwork

LABEL: ip_b_publiciface
SHORT_EXP: "List names of all interfaces connected to public/untrusted networks. The
\"+\" character is a wildcard, e.g. \"ppp+\" matches any interface name beginning with
\"ppp\" in case you have multiple dialup profiles."
LONG_EXP: "List names of all interfaces connected to public/untrusted networks. The
\"+\" character is a wildcard, e.g. \"ppp+\" matches any interface name beginning with
\"ppp\" in case you have multiple dialup profiles.

Using the \"+\" suffix allows you to configure more interfaces (for
instance, more PPP dialup entries) without having to modify the firewall script. "
QUESTION: "Public interfaces: [eth+ ppp+ slip+]"
DEFAULT_ANSWER: eth+ ppp+ slip+
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_tcpaudit
NO_CHILD:
PROPER_PARENT: ip_b_dns

LABEL: ip_b_tcpaudit
SHORT_EXP: "List any TCP-based services (name or port number) that you want the kernel
to log connection attempts from the \"public\" interfaces."
LONG_EXP: "List any TCP-based services (name or port number) that you want the kernel
to log connection attempts from the \"public\" interfaces.

If you have \"syslog\" configured to log \"kern\" messages of \"info\"
level, the kernel will automatically log connection attempts from the \"public\"
interfaces (only the \"public\" interfaces) to these ports and/or services. This is
useful to spot possible probes or attacks. The default setting records connection
attempts to several services, although you may not have them installed or enabled. "
QUESTION: "TCP services to audit: [telnet ftp imap pop-3 finger sunrpc exec login
linuxconf ssh]"
DEFAULT_ANSWER: telnet ftp imap pop-3 finger sunrpc exec login linuxconf ssh
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_udpaudit
NO_CHILD:
PROPER_PARENT: ip_b_publiciface

LABEL: ip_b_udpaudit
SHORT_EXP: "List any UDP-based services (name or port number) that you want the kernel
to log connection attempts from the \"public\" interfaces.  The default here is port
31337, the standard port for the infamous \"Back Orifice\" trojan/remote-control app
for Windows systems."
LONG_EXP: "List any UDP-based services (name or port number) that you want the kernel
to log connection attempts from the \"public\" interfaces.  The default here is port
31337, the standard port for the infamous \"Back Orifice\" trojan/remote-control app
for Windows systems.

While attackers probing for Back Orifice may not pose a threat to your
Linux system, logging their attempts helps identify the \"bad guys\". "
QUESTION: "UDP services to audit: [31337]"
DEFAULT_ANSWER: 31337
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_icmpaudit
NO_CHILD:
PROPER_PARENT: ip_b_tcpaudit

LABEL: ip_b_icmpaudit
SHORT_EXP: "List any ICMP-based services (name or port number) that you want the kernel
to log connection attempts from the \"public\" interfaces.  These should be specified
as types, not numbers. One example is \"echo-request\" which is used by Microsoft ping
and tracert [sic] clients."
LONG_EXP:
QUESTION: "ICMP services to audit: [ ]"
DEFAULT_ANSWER: 
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_publictcp
NO_CHILD:
PROPER_PARENT: ip_b_udpaudit

LABEL: ip_b_publictcp
SHORT_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"public\" interfaces. Typical workstations will not want to make any services
available, though admins may want to enable something like SSH (default port: 22) for
remote administration. Those running caching or \"real\" DNS servers on this machine
will want to enable domain (or port 53). If you want to make FTP available to clients
on the \"public\" interfaces, you will want to allow the range of IP addresses used
for \"passive\" FTP connections."
LONG_EXP: "List names or port numbers on which to accept TCP connection attempts from
the \"public\" interfaces. Typical workstations will not want to make any services
available, though admins may want to enable something like SSH (default port: 22) for
remote administration. Those running caching or \"real\" DNS servers on this machine
will want to enable domain (or port 53). If you want to make FTP available to clients
on the \"public\" interfaces, you will want to allow the range of IP addresses used
for \"passive\" FTP connections.

You will need to list the names or port numbers of any services running on
this machine that you want hosts on the \"public\" network to access. For instance, if
you have a local Web server you want to share, add \"80\" for the normal HTTP port.
Not doing so means you will be able to access the service locally, but \"public\"
hosts will not."
QUESTION: "TCP service names or port numbers to allow on public interfaces: [ ]"
DEFAULT_ANSWER: 
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_publicudp
NO_CHILD:
PROPER_PARENT: ip_b_icmpaudit

LABEL: ip_b_publicudp
SHORT_EXP: "List names or port numbers on which to accept UDP connection attempts from
the \"public\" interfaces. Again, typical workstations will not want to make any
services available, but if you're running caching or real DNS servers, you will need
to enable domain (port 53)."
LONG_EXP:
QUESTION: "UDP service names or port numbers to allow on public interfaces: [ ]"
DEFAULT_ANSWER: 
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_passiveftp
NO_CHILD:
PROPER_PARENT: ip_b_publictcp
 
LABEL: ip_b_passiveftp
SHORT_EXP: "This has nothing to do with whether you are running an FTP _server_ on
this machine; this has to do with how clients running on this machine will talk to
_other_ machines running FTP servers reachable through the \"public\" interfaces. By
forcing your local FTP clients to use \"passive\" mode, you will not have to be as
cautious about blocking specific \"high\" TCP services. Set to \"Y\" to force
\"passive\" FTP; the default \"N\" will allow you to use normal, \"active\" FTP.
Forcing passive mode (\"Y\") is recommended, but less convenient."
LONG_EXP: "This has nothing to do with whether you are running an FTP _server_ on
this machine; this has to do with how clients running on this machine will talk to
_other_ machines running FTP servers reachable through the \"public\" interfaces. By
forcing your local FTP clients to use \"passive\" mode, you will not have to be as
cautious about blocking specific \"high\" TCP services. Set to \"Y\" to force
\"passive\" FTP; the default \"N\" will allow you to use normal, \"active\" FTP.
Forcing passive mode (\"Y\") is recommended, but less convenient.

Forcing passive FTP will make using some FTP clients more of a hassle, as
you may need to manually tell them to use passive mode, but many clients such as
Netscape Navigator have no problem with passive FTP. If you have problems with FTP,
this is the first place to look. "
QUESTION: "Force passive mode? [N]"
DEFAULT_ANSWER: N
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 1
YES_EXP: 
NO_EXP:
YES_CHILD: ip_b_tcpblock
NO_CHILD: ip_b_tcpblock
PROPER_PARENT: ip_b_publicudp

LABEL: ip_b_tcpblock
SHORT_EXP: "Specify TCP services to block.  These rules take effect _after_ the TCP
services to make public. If you allow the use of \"active\" FTP clients
(FORCE_PASV_FTP at its default of \"0\"), you will need to be careful here, and will
want to make sure you block all TCP services listening on high ports. If you are
forcing \"passive\" FTP, you may ignore this setting."
LONG_EXP: "Specify TCP services to block.  These rules take effect _after_ the TCP
services to make public. If you allow the use of \"active\" FTP clients
(FORCE_PASV_FTP at its default of \"0\"), you will need to be careful here, and will
want to make sure you block all TCP services listening on high ports. If you are
forcing \"passive\" FTP, you may ignore this setting.

We have listed the services we have observed. To be more cautious, you
should look at the output of 'lsof -i' (run as root) once the system is up and all
services are running. "
QUESTION: "TCP services to block: [1024 2049 2065:2090 6000:6020 7100]"
DEFAULT_ANSWER: 1024 2049 2065:2090 6000:6020 7100
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_udpblock
NO_CHILD:
PROPER_PARENT: ip_b_passiveftp

LABEL: ip_b_udpblock
SHORT_EXP: "Specify UDP services to block.  As with the TCP services, the UDP services
to make public will take precedence. The high UDP services that you do not block will
be reachable by any allowed NTP or DNS server. Sites with more such \"high UDP\"
services, or global DNS availability (as is the default, DNS_SERVERS=\"0.0.0.0/0\"),
will want to be sure they have all such high UDP services listed."
LONG_EXP:
QUESTION: "UDP services to block: [1066 2049 6770]"
DEFAULT_ANSWER: 1066 2049 6770
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_icmpallowed
NO_CHILD:
PROPER_PARENT: ip_b_tcpblock

LABEL: ip_b_icmpallowed
SHORT_EXP: "Specify the ICMP allowed types.  The default suggestion allows you to
probe other hosts with ping and traceroute. Minimally you will need to allow
\"destination-unreachable\"."
LONG_EXP: "Specify the ICMP allowed types.  The default suggestion allows you to
probe other hosts with ping and traceroute. Minimally you will need to allow
\"destination-unreachable\".

\"destination-unreachable\" lets other machines' servers tell your system
when things aren't right; don't disable this unless you really know what you're
getting into. If you don't allow \"echo-reply\" and \"time-exceeded\", you won't be
able to use ping and traceroute to debug issues on the \"public\" networks. "
QUESTION: "ICMP allowed types: [destination-unreachable echo-reply time-exceeded]"
DEFAULT_ANSWER: destination-unreachable echo-reply time-exceeded
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_srcaddr
NO_CHILD:
PROPER_PARENT: ip_b_udpblock

LABEL: ip_b_srcaddr
SHORT_EXP: "Do you want to enable source address verification? This configures the
kernel to block traffic likely to have spoofed IP addresses. Set to \"N\" to disable.
The default (\"Y\") is highly recommended."
LONG_EXP: "Do you want to enable source address verification? This configures the
kernel to block traffic likely to have spoofed IP addresses. Set to \"N\" to disable.
The default (\"Y\") is highly recommended.

This is a standard, and highly recommended, precaution. "
QUESTION: "Enable source address verification? [Y]"
DEFAULT_ANSWER: Y
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_rejectmethod
NO_CHILD: ip_b_rejectmethod
PROPER_PARENT: ip_b_icmpallowed

LABEL: ip_b_rejectmethod 
SHORT_EXP: "You need to set how the kernel rejects blocked traffic. \"REJECT\" is
friendly, lets the remote host know you're blocking their attempt (and can therefore
be used to prove you're on the network). \"DENY\" is unfriendly, simply drops the
connection attempt, leaving the remote host to wait, and probably give up after some
time."
LONG_EXP: "You need to set how the kernel rejects blocked traffic. \"REJECT\" is
friendly, lets the remote host know you're blocking their attempt (and can therefore
be used to prove you're on the network). \"DENY\" is unfriendly, simply drops the
connection attempt, leaving the remote host to wait, and probably give up after some
time.

There's no definite right answer here. You will probably not be
_completely_ invisible, even if you choose \"DENY\", but with \"DENY\" and _no_ public
services, you will not be visible to casual probes. "
QUESTION: "Reject method: [DENY]" 
DEFAULT_ANSWER: DENY
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_dhcpiface
NO_CHILD:
PROPER_PARENT: ip_b_srcaddr

LABEL: ip_b_dhcpiface
SHORT_EXP: "List the names of any interfaces this machine will need to make DHCP
_queries_ on to configure _its own_ interfaces. For example, a cable modem user with a
single ethernet interface might need to set this to \"eth0\"."
LONG_EXP:
QUESTION: "Interfaces for DHCP queries: [ ]"
DEFAULT_ANSWER: 
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_ntpsrv
NO_CHILD:
PROPER_PARENT: ip_b_rejectmethod

LABEL: ip_b_ntpsrv
SHORT_EXP: "If you want to query NTP time servers to synchronize your system time,
enter IP addresses or networks for those servers here. If you don't intend to make NTP
queries, leave this as the empty default."
LONG_EXP: "If you want to query NTP time servers to synchronize your system time,
enter IP addresses or networks for those servers here. If you don't intend to make NTP
queries, leave this as the empty default.

The same warnings about blocked UDP services and DNS servers apply here;
the hosts and networks you list here can connect to any high UDP port not explicitly
blocked. "
QUESTION: "NTP servers to query: [ ]"
DEFAULT_ANSWER: 
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_b_icmpout
NO_CHILD:
PROPER_PARENT: ip_b_dhcpiface

LABEL: ip_b_icmpout
SHORT_EXP: "Do you want to disable any outbound ICMP types?  If you disable the types
listed in the default, your machine will not be visible to normal traceroute probes
from hosts on your \"public\" interfaces."
LONG_EXP: "Do you want to disable any outbound ICMP types?  If you disable the types
listed in the default, your machine will not be visible to normal traceroute probes
from hosts on your \"public\" interfaces.

\"destination-unreachable\" is (ab)used by the traceroute program to check
routing to individual hosts. "
QUESTION: "ICMP types to disallow outbound: [destination-unreachable time-exceeded]"
DEFAULT_ANSWER: destination-unreachable time-exceeded
CONFIRM_TEXT: " \nY"
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: ip_write_firewall
NO_CHILD:
PROPER_PARENT: ip_b_ntpsrv

LABEL: ip_write_firewall
SHORT_EXP: "The firewalling script is called /etc/rc.d/init.d/bastille-firewall.  Please
review its configuration for your site.  You can then test it by using

     /etc/rc.d/init.d/bastille-firewall start
and
     /etc/rc.d/init.d/bastille-firewall stop
     
Once you have a configuration that will work on your system, you can make it
run at every normal boot-up by typing 

    /sbin/chkconfig bastille-firewall on
      
"
LONG_EXP:
QUESTION:
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: patchdownload
NO_CHILD:
PROPER_PARENT: ip_advnetwork
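
The following is an added example, not Bastille's own bastille-firewall script: it prints (never executes) the ipchains rule set that the public-service, block-list, FTP, ICMP, reject-method and source-address answers above imply, so the result can be reviewed before it is activated. The variable names are assumptions that mirror the questions (only FORCE_PASV_FTP and DNS_SERVERS are names the text itself uses), and the defaults are constructed for a workstation exposing nothing but ssh.

```shell
#!/bin/sh
# Added example, not Bastille's own firewall script: print (never run) the
# ipchains rule set implied by the answers above so it can be reviewed before
# activation. Variable names are assumptions that mirror the questions; only
# FORCE_PASV_FTP and DNS_SERVERS are names the text itself uses. The defaults
# are constructed for a workstation that exposes ssh and nothing else.

PUBLIC_TCP_SERVICES="${PUBLIC_TCP_SERVICES:-22}"
PUBLIC_UDP_SERVICES="${PUBLIC_UDP_SERVICES:-}"
TCP_BLOCKED_SERVICES="${TCP_BLOCKED_SERVICES:-1024 2049 2065:2090 6000:6020 7100}"
UDP_BLOCKED_SERVICES="${UDP_BLOCKED_SERVICES:-1066 2049 6770}"
ICMP_ALLOWED_TYPES="${ICMP_ALLOWED_TYPES:-destination-unreachable echo-reply time-exceeded}"
ICMP_OUTBOUND_DISABLED="${ICMP_OUTBOUND_DISABLED:-destination-unreachable time-exceeded}"
FORCE_PASV_FTP="${FORCE_PASV_FTP:-0}"
REJECT_METHOD="${REJECT_METHOD:-DENY}"      # DENY drops silently, REJECT answers
DNS_SERVERS="${DNS_SERVERS:-0.0.0.0/0}"
NTP_SERVERS="${NTP_SERVERS:-}"
ANY=0.0.0.0/0
HIGH=1024:65535

# Emit one ipchains command per line for the public interface given as $1.
gen_rules() {
  iface=$1
  echo "ipchains -F input"
  echo "ipchains -F output"
  # Anything not matched below falls through to this policy.
  echo "ipchains -P input $REJECT_METHOD"
  # 1. Services made public are accepted first, so they win over the block
  #    lists that follow.
  for svc in $PUBLIC_TCP_SERVICES; do
    echo "ipchains -A input -i $iface -p tcp -d $ANY $svc -j ACCEPT"
  done
  for svc in $PUBLIC_UDP_SERVICES; do
    echo "ipchains -A input -i $iface -p udp -d $ANY $svc -j ACCEPT"
  done
  # 2. Explicitly blocked services listening on high ports.
  for svc in $TCP_BLOCKED_SERVICES; do
    echo "ipchains -A input -i $iface -p tcp -d $ANY $svc -j $REJECT_METHOD"
  done
  for svc in $UDP_BLOCKED_SERVICES; do
    echo "ipchains -A input -i $iface -p udp -d $ANY $svc -j $REJECT_METHOD"
  done
  # 3. Replies to connections this host opened: any TCP packet that is not a
  #    bare SYN (ipchains is stateless, so this is the best it can do).
  echo "ipchains -A input -i $iface -p tcp ! -y -j ACCEPT"
  # 4. Active FTP: the remote server opens the data connection from port 20
  #    to a high port here, so new connections to high ports must be let in.
  #    That is why the block list in step 2 matters unless passive is forced.
  if [ "$FORCE_PASV_FTP" = 0 ]; then
    echo "ipchains -A input -i $iface -p tcp -s $ANY 20 -d $ANY $HIGH -y -j ACCEPT"
  fi
  # 5. DNS and NTP answers come back to unprivileged UDP ports, which is why
  #    the listed servers can reach any high UDP port not blocked in step 2.
  for srv in $DNS_SERVERS; do
    echo "ipchains -A input -i $iface -p udp -s $srv 53 -d $ANY $HIGH -j ACCEPT"
  done
  for srv in $NTP_SERVERS; do
    echo "ipchains -A input -i $iface -p udp -s $srv 123 -d $ANY $HIGH -j ACCEPT"
  done
  # 6. Inbound ICMP limited to the listed types; outbound types that
  #    traceroute depends on are silenced if requested.
  for t in $ICMP_ALLOWED_TYPES; do
    echo "ipchains -A input -i $iface -p icmp --icmp-type $t -j ACCEPT"
  done
  for t in $ICMP_OUTBOUND_DISABLED; do
    echo "ipchains -A output -i $iface -p icmp --icmp-type $t -j DENY"
  done
}

# Source address verification is a kernel knob, not a chain rule: rp_filter
# drops packets whose source address would not be routed back out the same
# interface, which catches most spoofed sources.
gen_srcaddr_check() {
  echo "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"
  echo "echo 1 > /proc/sys/net/ipv4/conf/$1/rp_filter"
}

# Number of -A rules that would be loaded, useful as a quick review figure.
count_rules() {
  gen_rules "$1" | grep -c '^ipchains -A '
}

gen_srcaddr_check eth0
gen_rules eth0
```

Run it with the answers exported as environment variables and compare the printed rules against what you intended before running anything against the kernel.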

FILE: PatchDownload.pm

LABEL: patchdownload
SHORT_EXP: "Since the release of Red Hat 6.0 and 6.1, more security
vulnerabilities have been found, mostly in system daemons.  Red Hat has
made patches for these vulnerabilities available, and we'd like to apply those
patches now.  We've taken as many precautions as we can to make sure that
these patches are secure; choose the \"additional information\" option to
find out more about the security concerns in applying patches.

If you have a fast network connection and can access web pages without a
proxy server, you should choose this option.  If you're using a phone modem
to access the Internet, or if this machine doesn't have networking, you
should choose to not apply these patches right now."  
LONG_EXP: "This script does not currently have a method for verifying that
the patches it downloads are authentic.  We download patches from a site we
consider to be generally secure and reliable (the Red Hat \"Errata\" page),
but that's not an absolute guarantee.  For instance, if the Red Hat web
server we download from was cracked, the attacker could place Trojan
horses or otherwise false RPMs on the site.  We include directions for
getting these patches manually in the README.PATCH file." 
QUESTION: "Would you like to download and install the updated RPMs? 
[Default:  No]"
YN_TOGGLE: 1
YES_EXP: "We've downloaded and installed all of the patches currently
available on the Red Hat site, but it's very important that you keep checking
back there for new patches.  The file README.PATCH contains information on
getting these patches manually."
NO_EXP: "It's extremely important to keep your system current with the
available patches.  As soon as possible, download and install the currently
available patches and keep checking the Red Hat site for new ones. 
Information on how to manually install patches can be found in the
README.PATCH file that came with Bastille Linux."
DEFAULT_ANSWER: N
YES_CHILD: generalperms
NO_CHILD: generalperms
PROPER_PARENT: ip_write_firewall

FILE: FilePermissions.pm

LABEL: generalperms
SHORT_EXP: "In general, the default file permissions set by Red Hat during the
installation are fairly secure.  To make them more secure, though, you can
remove non-root user access to some administrator functions."
LONG_EXP: "If you choose this option, you'll be changing the permissions on
some common system administration utilities so that they're not readable or
executable by users other than root.  These utilities (which include linuxconf,
fsck, ifconfig, runlevel and portmap) are ones that most users should never
have a need to access.  This option will increase your system security, but
there's a chance it will inconvenience your users."
QUESTION: "Would you like to set more restrictive permissions on the
administration utilities? [N]"
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
DEFAULT_ANSWER: N
YES_CHILD: suid
NO_CHILD: suid
PROPER_PARENT: patchdownload

LABEL: suid
SHORT_EXP: "The following questions all pertain to disabling \"SUID root\"
status for particular programs. This status allows non-root users to run
these programs, increasing convenience but decreasing security.  If a
security weakness or vulnerability is found in these programs, it can be
exploited to gain root-level access to your computer through any user
account.

If you don't know what to choose for these questions, you might want to just
answer \"Yes\"."
LONG_EXP: 
QUESTION:
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: suidmount
NO_CHILD: suidmount
PROPER_PARENT: generalperms

LABEL: suidmount
SHORT_EXP: "Mount and umount are used for mounting (activating) and
unmounting (deactivating) drives that were not automatically mounted at
boot time.  This can include floppy and CD-ROM drives.  Disabling SUID would
still allow anyone with the root password to mount and unmount drives."
LONG_EXP:
QUESTION: "Would you like to disable SUID status for mount/umount?"
YN_TOGGLE: 1
DEFAULT_ANSWER: Y
YES_EXP:
NO_EXP:
YES_CHILD: suidping
NO_CHILD: suidping
PROPER_PARENT: suid

LABEL: suidping
SHORT_EXP: "Ping is used for testing network connectivity--that is, for
testing the ability of the network to get a packet from this machine to
another and back.  It should probably be used only by the person responsible
for networking this host, who should have root.  Thus, we recommend
disabling SUID status for it."
LONG_EXP:
QUESTION: "Would you like to disable SUID status for ping? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: suiddump
NO_CHILD: suiddump
PROPER_PARENT: suidmount

LABEL: suiddump
SHORT_EXP: "Dump and restore are used for backing up file systems and
restoring them from disk.  If used by an attacker, they could be used to
construct an alternate filesystem in place.  Further, anyone who backs up
the machine and restores from backup should have authorization and special
access granted by the administrator.  It's extremely unlikely that there will
be any problems with disabling SUID for dump and restore."
LONG_EXP:
QUESTION: "Would you like to disable SUID status for dump and restore? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: suidcard
NO_CHILD: suidcard
PROPER_PARENT: suidping

LABEL: suidcard
SHORT_EXP: "Cardctl is used for controlling PCMCIA devices, primarily found
in laptop or notebook computers.  Non-admins shouldn't have rights to
modify hardware or devices, so you should probably disable SUID status for
this utility even if this is a notebook or laptop.  If this isn't a laptop or
notebook computer, then you probably don't have any PCMCIA devices, and
you should definitely disable this."
LONG_EXP:
QUESTION: "Would you like to disable SUID status for cardctl? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: suidat
NO_CHILD: suidat
PROPER_PARENT: suiddump

LABEL: suidat
SHORT_EXP: "at is used for scheduling an individual task to run at a single
later time. There have historically been many exploits that take advantage of
weaknesses in at.  All of the necessary functionality of at can be found in
cron, which is more secure, so there is no need to retain privileged access
for at."
LONG_EXP:
QUESTION: "Would you like to disable SUID status for at? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: suiddos
NO_CHILD: suiddos
PROPER_PARENT: suidcard

LABEL: suiddos
SHORT_EXP: "DOSEMU is a DOS emulator used to run older DOS programs. 
Any use of a second operating system, or emulation, opens up a whole new
area of security problems.  We recommend that only root have access to
this type of application, unless your users have a pressing need for it."
LONG_EXP:
QUESTION: "Would you like to disable SUID status for DOSEMU? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: suidnews
NO_CHILD: suidnews
PROPER_PARENT: suidat

LABEL: suidnews
SHORT_EXP: "Ordinary users should not be able to start (or stop) the news
server.  For this reason, we'd like to disable SUID status for the INN news
server tools inndstart and startinnfeed."
LONG_EXP:
QUESTION: "Would you like to disable SUID status for news server tools? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: suidprint
NO_CHILD: suidprint
PROPER_PARENT: suiddos

LABEL: suidprint
SHORT_EXP: "If this machine is not going to be using printers, then you should
disable the SUID status of the printing utilities.  These utilities have already
been found to have a number of security weaknesses, and may have more in
the future."
LONG_EXP:
QUESTION: "Would you like to disable SUID status for printing utilities? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: suidrtool
NO_CHILD: suidrtool
PROPER_PARENT: suidnews

LABEL: suidrtool
SHORT_EXP: "The BSD r-tools (rsh, rcp, rlogin) were often used in the past
for making remote connections to other machines.  They are now considered
insecure, however, and the same functionality can be found with the more
secure replacement tools ssh and scp.  Because of these insecurities,
ordinary users should not be allowed to use the r-tools, and admins should
use them only in cases where there are no other connection methods
available."
LONG_EXP: "The BSD r-tools rely on IP-based authentication, which means
that you can allow anyone with (for instance) root access on 192.168.1.1 to
have root access on 192.168.1.2.  Administrators and other users have
traditionally found this useful, as it lets them connect from one host to
another without having to retype a password.

The problem with IP-based authentication, however, is that an intruder can
craft \"spoofed\" or faked packets which claim to be from a trusted machine. 
Since the r-tools rely entirely on IP addresses for authentication, a spoofed
packet will be accepted as real."  
QUESTION: "Would you like to disable SUID status for the r-tools? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: suidusernetctl
NO_CHILD: suidusernetctl
PROPER_PARENT: suidprint

LABEL: suidusernetctl
SHORT_EXP: "usernetctl is a utility that allows ordinary users to control the
network interfaces.  In general, there's no reason for anyone other than the
system administrator to control network interfaces."
LONG_EXP:
QUESTION: "Would you like to disable SUID status for usernetctl? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: suidtrace
NO_CHILD: suidtrace
PROPER_PARENT: suidrtool

LABEL: suidtrace
SHORT_EXP: "The traceroute utility is used to test network connectivity. 
Some users find it useful, but it is generally not necessary."
LONG_EXP:
QUESTION: "Would you like to disable SUID status for traceroute? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: secondadmin
NO_CHILD: secondadmin
PROPER_PARENT: suidusernetctl
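
The SUID questions above all come down to the same two steps: find out which files carry the bit, and clear it from the chosen programs in a way that can be undone. The script below is an added example, not Bastille's own code; it takes the candidate paths from the caller and, in its demo, only touches constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example, not Bastille's own code: audit which files carry the SUID bit
# and strip it from the programs chosen above, keeping an undo script so the
# decision can be reversed. Paths are passed in by the caller; the demo at the
# bottom works on constructed files in a temporary directory, never on /bin.

# List every setuid file below the given directories (read-only audit step).
audit_suid() {
  find "$@" -xdev -type f -perm -4000 2>/dev/null
}

# Drop the SUID bit from one file if it is set and record how to restore it.
# $1 = file, $2 = undo script. Returns 0 if changed, 1 if nothing to do.
drop_suid() {
  f=$1; undo=$2
  if [ -u "$f" ]; then
    chmod u-s "$f" || return 2
    echo "chmod u+s $f" >> "$undo"
    return 0
  fi
  return 1
}

# Apply drop_suid to each listed file that exists; print the number changed.
# $1 = undo script, remaining arguments = candidate files.
drop_suid_list() {
  undo=$1; shift
  changed=0
  for f in "$@"; do
    [ -e "$f" ] || continue        # package not installed: skip quietly
    if drop_suid "$f" "$undo"; then
      changed=$((changed + 1))
    fi
  done
  echo "$changed"
}

# Demo on constructed files (three "programs", two of them setuid).
demo=$(mktemp -d)
touch "$demo/ping" "$demo/traceroute" "$demo/lpr"
chmod 4755 "$demo/ping" "$demo/traceroute"
chmod 755 "$demo/lpr"
echo "setuid before:"; audit_suid "$demo"
n=$(drop_suid_list "$demo/undo.sh" "$demo/ping" "$demo/traceroute" "$demo/lpr" "$demo/missing")
echo "changed $n file(s); undo script:"; cat "$demo/undo.sh"
echo "setuid after:"; audit_suid "$demo"
rm -rf "$demo"
```

Running audit_suid against / after the change is the check that nothing unexpected still carries the bit.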

FILE: AccountSecurity.pm

LABEL: secondadmin
SHORT_EXP: "One step you can take to make it easier to track potential
system crackers is to have a second UID 0 (root) account.  The advantage of
having a second UID 0 account is that, if you always use the second account
for system administration, it makes it easier to track the actions of
crackers who have taken control of the original root account. 

If you set up a second UID 0 account, we will also configure your system to
automatically notify you of any logins to the root account."
LONG_EXP:
QUESTION: "Would you like to set up a second UID 0 account? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: secondadmin_name
NO_CHILD: protectrhost
PROPER_PARENT: suidtrace

LABEL: secondadmin_name
SHORT_EXP: "We'll need a name for the second admin account.  Please make sure
not to use an existing account name.  Get creative!

Please, please don't choose the default here, as it will make it easier for
people to look for Bastille'd boxes."
QUESTION: "What should we name the second UID 0 account? [admin]"
DEFAULT_ANSWER: admin
YN_TOGGLE: 0
YES_EXP: "In order to use the second admin account, you'll need to change its password.  Do this by typing  passwd  <ACCTNAME>  while logged in as root."
YES_CHILD: protectrhost
NO_CHILD: protectrhost
PROPER_PARENT: secondadmin

LABEL: protectrhost
SHORT_EXP: "As mentioned earlier, the r-tools (rlogin, rcp, rsh) are now
considered insecure because they use IP-based authentication methods which
can be easily fooled.  Unfortunately, many users and admins are not aware of
this danger.  We can prevent users and other admins from opening up
dangerous holes in your system security by restricting rhosts through a 
combination of modifying PAM files and removing execute permission from rshd 
and rlogind."
LONG_EXP: "The BSD r-tools rely on IP-based authentication, which means
that you can allow anyone with (for instance) root access on 192.168.1.1 to
have root access on 192.168.1.2.  Administrators and other users have
traditionally found this useful, as it lets them connect from one host to
another without having to retype a password.  The .rhosts file contains the
names of the accounts and machines that are considered to be trusted.

The problem with IP-based authentication, however, is that an intruder can
craft \"spoofed\" or faked packets which claim to be from a trusted machine. 
Since the r-tools rely entirely on IP addresses for authentication, a spoofed
packet will be accepted as real.

Some of your users, or even possibly other administrators for this machine,
might not be aware of the security problems with the BSD r-tools.  If this is
the case, they might create .rhosts files that would potentially allow
crackers access to the machine.  This option will disable the use of those
r-tools using various methods."
QUESTION: "May we take strong steps to disallow the dangerous r-protocols? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: passwdage
NO_CHILD: passwdage
PROPER_PARENT: secondadmin

LABEL: passwdage
SHORT_EXP: "We can set the default password aging on accounts here, such
that accounts are disabled if the password has not changed within the last 
180 days.  At some point before the 180 days are up, the user will be
prompted to change his or her password.  This measure keeps passwords
fresh and also prevents inactive accounts from being attacked by system
crackers."
LONG_EXP: "Red Hat's default behavior, which we would change here, is to
disable an account when the password hasn't changed in 99,999 days.  In
practice, this interval is too long to be useful.  We would like to set the
default to 180 days.  At some point before the 180 days have passed, the
system will ask the user to change his or her password.  At the end of the
180 days, if the password has not been changed, the account will be
temporarily disabled.  We would make this change in /etc/login.defs."
QUESTION: "Would you like to enforce password aging? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: createuser
NO_CHILD: createuser
PROPER_PARENT: protectrhost
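
As an added example (not Bastille's own code), here is the login.defs change described above applied to a copy of the file, plus the one caveat a practitioner needs: PASS_MAX_DAYS in login.defs only governs accounts created afterwards, so existing accounts need chage as well. The sample files and the UID threshold of 500 (Red Hat 6.x's first ordinary-user UID) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Bastille's own code: change PASS_MAX_DAYS in a copy of
# /etc/login.defs from Red Hat's 99999 to 180 as described above, idempotently,
# and list the chage commands that apply the same limit to accounts that
# already exist, because login.defs only affects accounts created afterwards.
# The UID threshold of 500 is Red Hat 6.x's first ordinary-user UID (assumed).

# Replace any existing PASS_MAX_DAYS line (active or commented out) with the
# new value, or append one if the file has none. $1 = file, $2 = days.
set_pass_max_days() {
  file=$1; days=$2; tmp="$file.tmp.$$"
  if grep -q '^[# ]*PASS_MAX_DAYS[[:space:]]' "$file"; then
    sed "s/^[# ]*PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS $days/" "$file" > "$tmp"
  else
    cp "$file" "$tmp"
    echo "PASS_MAX_DAYS $days" >> "$tmp"
  fi
  mv "$tmp" "$file"
}

# Effective value (last active setting wins, comments ignored).
get_pass_max_days() {
  awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$1"
}

# Print (do not run) one "chage -M" per ordinary account with a login shell.
# $1 = passwd file, $2 = days.
chage_existing_cmds() {
  awk -F: -v d="$2" '
    $3 >= 500 && $7 !~ /(nologin|false)$/ { print "chage -M " d " " $1 }
  ' "$1"
}

# Demo on constructed files.
d=$(mktemp -d)
cat > "$d/login.defs" <<'EOF'
# constructed sample, not a real login.defs
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/bin/false
bob:x:500:500:Bob:/home/bob:/bin/bash
EOF
set_pass_max_days "$d/login.defs" 180
echo "PASS_MAX_DAYS is now $(get_pass_max_days "$d/login.defs")"
chage_existing_cmds "$d/passwd" 180
rm -rf "$d"
```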

LABEL: createuser
SHORT_EXP: "Our next step is to create a regular user account for you.
Unless you plan to only ever log in to this machine to perform root-related
tasks, which is unlikely, you should have a user account.  Performing regular
user actions as root decreases your system security in general and greatly
increases your risk of damaging the machine." 
LONG_EXP: "To give you a trivial (but sadly common) example of the dangers
of using the root account for everyday activities:

  One day you're cleaning up directories on your system, using:

       rm -fr /poor/cache/directory
       
  to remove a cache directory.  Ahhh, but you get ahead of yourself, and
  hit the  ENTER  key right after that first slash, giving your shell
  the command rm -fr /.  As user bob, you wouldn't have done any damage.  
  As user root, you've deleted your filesystem and begun to cry.  
  
There are better examples, but you get the idea.  When you're logged in as
root, every program you interact with runs with the full privileges of root
and has more ability to muck up your system.  Please, unless you've already 
got one, create a user account, and only use root for system administration."
QUESTION: "Would you like to create a non-root user account? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: createuser_name
NO_CHILD: cronuser
PROPER_PARENT: passwdage

LABEL: createuser_name
SHORT_EXP: "Please enter a name for your non-root account.  Do not use a name
that has already been used!

WARNING: Please do not choose the default here, as it will make it easier to identify your machine as a Bastille machine."
QUESTION: "What should we name your non-root account? [dave]"
DEFAULT_ANSWER: dave
YN_TOGGLE: 0
YES_EXP: "In order to use the user account, you'll need to change its password.  Do this by typing  passwd  <ACCTNAME>  while logged in as root."
YES_CHILD: cronuser
NO_CHILD: cronuser
PROPER_PARENT: createuser

LABEL: cronuser
SHORT_EXP: "Cron allows users to submit jobs for the system to do at a
particular, possibly recurring time.  It can be very useful, but also has a very
real potential for abuse by either users or system crackers.  If you choose
to restrict the use of cron to system administrators, you will still be able to
allow individual users the use of cron at a later date."
LONG_EXP: "Cron can be particularly useful for admins, giving them the ability 
to have the system check logs every night at midnight or confirm file
integrity every hour.  On the other hand, being able to execute jobs later or
automatically represents an abusable privilege for users and also makes
their actions slightly harder to track.

Many sites choose to restrict cron to administrative accounts.  We suggest
this action to new admins especially, until they understand more about how 
cron can be abused and know more about which users need access to cron. 
We would like to create the /etc/cron.allow file of users who may use cron. 
You can add to that later.  If we don't create this file, all users will be
allowed to use cron."
QUESTION: "Would you like to restrict the use of cron to administrative
accounts? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: protectlilo
NO_CHILD: protectlilo
PROPER_PARENT: createuser

FILE: BootSecurity.pm

LABEL: protectlilo
SHORT_EXP: "If an attacker has physical access to this machine, and
particularly to the keyboard, s/he could get superuser access through the
Linux Loader (LILO) command line.  We will look at other ways to prevent this
later, but one easy way is to password-protect the LILO prompt.  If LILO is
password-protected, any user can reboot the machine normally, but only
users with the password can pass arguments to the LILO prompt.

Note that this option can interfere with dual-booting with a second operating 
system, since dual booting often requires that you type an O/S name to boot
one of the two operating systems.  If this machine sits in a general 
purpose lab and dual boots, you probably shouldn't choose this option.

Otherwise, this is strongly recommended for general use workstations and 
servers which are not locked away in their own room."
LONG_EXP:
QUESTION: "Would you like to password-protect the LILO prompt? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: protectlilo_password
NO_CHILD: lilodelay
PROPER_PARENT: cronuser

LABEL: protectlilo_password
SHORT_EXP: "You've elected to password protect the LILO prompt.  Please enter
a LILO password.  

WARNING: Please do not make this the root password for this computer, as the
         LILO password will be stored unencrypted on the machine."
QUESTION: "Enter LILO password, please.   []"
DEFAULT_ANSWER: 
YN_TOGGLE: 0
YES_CHILD: lilodelay
NO_CHILD: lilodelay
PROPER_PARENT: protectlilo

LABEL: lilodelay
SHORT_EXP: "We can further protect the system by taking away the
attacker's chance to type anything at the LILO prompt.  This is not
dependent on the previous option, nor is it exclusive of it.  If you chose the
previous option, this will make your configuration even tighter, as some
machines will allow an attacker to place keystrokes into the keyboard buffer
before he or she reaches the LILO prompt."
LONG_EXP:
QUESTION: "Would you like to reduce the LILO delay time to zero? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: lilosub_drive
NO_CHILD: lilosub_drive
PROPER_PARENT: protectlilo

LABEL: lilosub_drive
SHORT_EXP: "If you selected \"yes\" on either of the previous options (password-protecting the LILO prompt or reducing its delay to zero), then you need to now write the changes to your LILO configuration.  

Do you boot from your hard drive? That is, is LILO installed on your hard 
drive?"
LONG_EXP:
QUESTION: "Do you ever boot Linux from the hard drive? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: lilosub_floppy
NO_CHILD: lilosub_floppy
PROPER_PARENT: protectlilo

LABEL: lilosub_floppy
SHORT_EXP: "If you have a Linux boot floppy, either for normal booting or for emergency use, you should also write these LILO changes to that floppy.  If you do not already have a customized Linux boot floppy, or if you did not choose to make any changes to your LILO configuration, you should answer \"no\" here."
LONG_EXP:
QUESTION: "Would you like to write the LILO changes to a boot floppy? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: lilosub_writefloppy
NO_CHILD: secureinittab
PROPER_PARENT: protectlilo

LABEL: lilosub_writefloppy
SHORT_EXP: "Please place the boot floppy to be modified in a floppy drive, preferably the first drive, called \"fd0\" or \"a:\".

Now, type in the Linux name of the drive device, like so:
            
	    fd0          floppy drive 1
	    fd1          floppy drive 2
" 
LONG_EXP:
QUESTION: "Floppy drive device name: [fd0]"
DEFAULT_ANSWER: fd0
YN_TOGGLE: 0
YES_EXP: "We will write to this disk when we actually make changes.  Please 
leave this disk in the drive."
NO_EXP:
YES_CHILD: secureinittab
NO_CHILD: secureinittab
PROPER_PARENT: lilosub_floppy
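
The LILO questions above (password-protecting the prompt, reducing the delay to zero, then writing the changes) translate into a few global lines in lilo.conf. The script below is an added example, not Bastille's own code: it edits a constructed copy of lilo.conf and checks the result; re-running /sbin/lilo to install the change is left to the reader, as is writing to a boot floppy.

```shell
#!/bin/sh
# Added example, not Bastille's own code: apply the two LILO protections above
# to a copy of lilo.conf. "password=" plus "restricted" in the global section
# lets anyone boot normally but demands the password before extra arguments
# (such as "linux single") are accepted; "delay=0" with the "prompt" line
# removed boots without waiting for keystrokes. The file is made mode 0600
# because, as the warning above says, the password is stored in clear text.
# /sbin/lilo must be re-run afterwards to install the change; not done here.

# Set a global option, replacing an existing one or inserting it before the
# first image=/other= stanza. Usage: set_global FILE KEY [VALUE]
set_global() {
  file=$1; key=$2; value=$3
  if [ -n "$value" ]; then line="$key=$value"; else line=$key; fi
  awk -v key="$key" -v line="$line" '
    BEGIN { re = "^[ \t]*" key "([ \t]*=|[ \t]*$)" }
    /^[ \t]*(image|other)[ \t]*=/ && !done { print line; done = 1 }
    $0 ~ re && !done { print line; done = 1; next }
    { print }
    END { if (!done) print line }
  ' "$file" > "$file.tmp.$$" && mv "$file.tmp.$$" "$file"
}

harden_lilo() {
  file=$1; password=$2
  set_global "$file" password "$password"
  set_global "$file" restricted
  set_global "$file" delay 0
  # "prompt" forces the boot prompt regardless of delay, so drop it.
  sed '/^[[:space:]]*prompt[[:space:]]*$/d' "$file" > "$file.tmp.$$" && mv "$file.tmp.$$" "$file"
  chmod 600 "$file"
}

# Succeeds only if all three settings are present in the global section and
# no "prompt" line remains.
lilo_is_hardened() {
  awk '
    /^[ \t]*(image|other)[ \t]*=/ { exit }
    /^[ \t]*password[ \t]*=/ { p = 1 }
    /^[ \t]*restricted[ \t]*$/ { r = 1 }
    /^[ \t]*delay[ \t]*=[ \t]*0[ \t]*$/ { d = 1 }
    /^[ \t]*prompt[ \t]*$/ { bad = 1 }
    END { exit !(p && r && d && !bad) }
  ' "$1"
}

# Demo on a constructed lilo.conf.
d=$(mktemp -d)
cat > "$d/lilo.conf" <<'EOF'
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
image=/boot/vmlinuz
        label=linux
        root=/dev/hda1
        read-only
EOF
harden_lilo "$d/lilo.conf" "example-only-password"
cat "$d/lilo.conf"
lilo_is_hardened "$d/lilo.conf" && echo "lilo.conf hardened"
rm -rf "$d"
```

The password is handed to awk through -v, which interprets backslash escapes, so avoid backslashes in it.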

LABEL: secureinittab
SHORT_EXP: "In the default configuration for Red Hat 6.0 and 6.1, while in
console mode (non-graphical), any user at the keyboard can reboot the
machine by pressing CTRL-ALT-DELETE.  This is an unlikely method of attack,
and disabling CTRL-ALT-DELETE is only a useful precaution in cases where the
attacker would have access to the keyboard but not the power supply; if this
is not the case, it might be a better idea to not disable CTRL-ALT-DELETE."
LONG_EXP: "Disabling CTRL-ALT-DELETE rebooting is designed to prevent an
attacker with access to the machine's keyboard from being able to reboot
the machine.  A reboot done in this manner should not damage the
filesystem, as it shuts the machine down cleanly, writing out all pending data
in the disk cache to disk first.  Even with this functionality disabled, however,
an attacker could just force a reboot by power cycling the machine or pulling
the power cord.  

Unless the power line, switch and case of the machine can
be physically protected, this precaution is wholly unnecessary.  Given the
fact that the attacker _can_ reboot the machine, would you prefer that
s/he do it in a way that potentially damages the filesystem? Think carefully here,
as maintaining the integrity of the machine's filesystem may be secondary to
the goal of keeping an attacker off, in which case it is better to answer yes
here, since having to repair/ignore the damage and wait for filesystem
checks may slow the attacker down."
QUESTION: "Would you like to disable CTRL-ALT-DELETE rebooting? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: passsum
NO_CHILD: passsum
PROPER_PARENT: lilodelay

LABEL: passsum
SHORT_EXP: "As we mentioned earlier, anyone who can get to the console on
your machine can bring your machine up in \"single user mode\", where s/he is
given root privileges and everyone else is locked out of the system.  If you
password protect single user mode, you won't have to remember yet
another password--single user mode, or \"root\" mode, will require the root
password.

We HIGHLY recommend that you password protect single user mode."
LONG_EXP:
QUESTION: "Would you like to password protect single-user mode? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: modifyinetd
NO_CHILD: modifyinetd
PROPER_PARENT: secureinittab
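
Both of the preceding questions are edits to /etc/inittab. The script below is an added example, not Bastille's own code: it comments out the CTRL-ALT-DELETE action and adds a runlevel S entry that runs /sbin/sulogin (which asks for the root password before giving a shell), working on a constructed copy; placing the sulogin entry right after the sysinit entry is this example's assumption.

```shell
#!/bin/sh
# Added example, not Bastille's own code: the two /etc/inittab changes the
# questions above describe, applied to a copy. Disabling CTRL-ALT-DELETE
# comments out the "ctrlaltdel" action; protecting single-user mode adds a
# runlevel S entry that runs /sbin/sulogin, which demands the root password
# before handing out a shell. Placing it right after the sysinit entry is an
# assumption of this example. init re-reads the file on "telinit q" (not run).

disable_ctrlaltdel() {
  file=$1
  sed 's/^\(ca[^:]*:[^:]*:ctrlaltdel:\)/#\1/' "$file" > "$file.tmp.$$" && mv "$file.tmp.$$" "$file"
}

protect_single_user() {
  file=$1
  entry='~~:S:wait:/sbin/sulogin'
  if grep -q "^$entry" "$file"; then
    return 0                       # already present: keep the edit idempotent
  fi
  awk -v entry="$entry" '
    { print }
    /^[^#][^:]*:[^:]*:sysinit:/ && !done { print entry; done = 1 }
    END { if (!done) print entry }
  ' "$file" > "$file.tmp.$$" && mv "$file.tmp.$$" "$file"
}

# Summary a reviewer can check: live ctrlaltdel entries and sulogin entries.
inittab_status() {
  ca=$(grep -c '^[^#][^:]*:[^:]*:ctrlaltdel:' "$1" || true)
  su=$(grep -c '^~~:S:wait:/sbin/sulogin' "$1" || true)
  echo "ctrlaltdel_active=$ca sulogin_entries=$su"
}

# Demo on a constructed inittab.
d=$(mktemp -d)
cat > "$d/inittab" <<'EOF'
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l3:3:wait:/etc/rc.d/rc 3
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
EOF
echo "before: $(inittab_status "$d/inittab")"
disable_ctrlaltdel "$d/inittab"
protect_single_user "$d/inittab"
echo "after:  $(inittab_status "$d/inittab")"
cat "$d/inittab"
rm -rf "$d"
```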

FILE: SecureInetd.pm

LABEL: modifyinetd
SHORT_EXP: "Many of the smaller, interactive network daemons, like telnetd
and ftpd, are run through inetd.  Inetd will normally just run whatever
program has been requested, according to the inetd configuration.  To add a
level of security to this process, Red Hat 6.0/6.1 makes use of TCP
Wrappers.  Instead of directly running the program that was requested, the
inetd daemon will call TCP Wrappers (tcpd) and pass it the request. If set
up properly, TCP Wrappers can be used to log, block, or process requests."
LONG_EXP: "In the default configuration, inetd runs like this: when the
computer starts up under Linux, the inetd daemon will be started.  This
daemon reads the list in /etc/inetd.conf, which tells the daemon which
services it is responsible for (telnet, ftp, pop, etc.).  It then checks
/etc/services for the port numbers of each service that it is set to listen
to.  When it receives a  connection request on that port, say tcp port 23
(telnet), it runs whatever program is listed in the previously-loaded
configuration file.

TCP Wrappers can be used to make this process more secure.  Instead of
directly running the program that was requested, the inetd daemon will call
TCP Wrappers (tcpd) and pass it the request.  TCP Wrappers will check its
own configuration file to see if access to that service is allowed from the
requesting IP address.  If access isn't allowed, Wrappers will log the attempt. 
This logging can be an early warning sign of an attack or a scan.

We can make it easier to detect scans by asking inetd to pass requests for
certain seldom used services (such as tftpd) to Wrappers instead of just
refusing them.  Wrappers, if set up properly, will deny the connection and log
the attempt."
QUESTION: "Would you like to modify inetd.conf and /etc/hosts.allow to
optimize use of Wrappers? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP: 
NO_EXP:
YES_CHILD: inetdip
NO_CHILD: banners
PROPER_PARENT: passsum

LABEL: inetdip
SHORT_EXP: "You now have ways to block most methods of remote access. 
You can remove some of these roadblocks by editing /etc/hosts.allow and
following the instructions there.  Before you do this, please keep in mind that
protocols such as telnet and FTP can be very dangerous to system security."
LONG_EXP: "Please be advised that telnet is a rather dangerous protocol. All
usernames and passwords used in remote sessions via telnet can be seen by
many other computers between them.  In fact, most ethernet configurations
allow every other computer on your local area network to see the entire
session, passwords and all.  Further, there are utilities (like Hunt) in wide use
that allow one of these hosts to take over your telnet session.

Ftp has similar problems, as do non-encrypted pop and imap remote mail
retrieval protocols.  You can restore access for these protocols in
/etc/hosts.allow if you like, but keep in mind the security risks involved."
QUESTION:
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: limit_ssh
NO_CHILD: limit_ssh
PROPER_PARENT: modifyinetd

LABEL: limit_ssh
SHORT_EXP: "The secure-shell daemon, sshd, is not run through TCP Wrappers, but
has been compiled to use the TCP Wrappers access-control routines (and file) to
decide from where to accept connections.  You may limit sshd to accept secure
shell connections from only certain IP addresses."
LONG_EXP:
QUESTION: "Would you like to set sshd to accept connections only from a small list of IP addresses? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: limit_ssh_range
NO_CHILD: banners
PROPER_PARENT: modifyinetd

LABEL: limit_ssh_range
SHORT_EXP: "Enter a set of IP addresses or networks, delimited by spaces.  If you are
entering a network, say 192.168.1.0, whose hosts have addresses 192.168.1.1
through 192.168.1.254, enter it as 192.168.1. (including the terminating
period).  To modify this later, change the file /etc/hosts.allow"
LONG_EXP:
QUESTION: "IP addresses to accept ssh from: [ ]"
DEFAULT_ANSWER:
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: banners
NO_CHILD: banners
PROPER_PARENT: limit_ssh
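
The tcpd decision that the modifyinetd explanation describes, and the trailing-dot network form asked for here, as an added example that is not part of Bastille: a small POSIX shell model of the hosts_access(5) check, run over constructed hosts.allow and hosts.deny contents (the 192.168.1. and 10.0.0.5 values are made up for the demonstration).

```shell
#!/bin/sh
# Added example, not Bastille's code: a minimal model of the TCP Wrappers
# access decision (hosts_access(5)), run over constructed /etc/hosts.allow
# and /etc/hosts.deny contents.  It shows why a seldom-used service handed to
# tcpd is denied AND logged, and how the "192.168.1." form asked for above
# is matched.
#
# tcpd's rule order:
#   1. a (daemon, client) match in hosts.allow -> allow
#   2. otherwise a match in hosts.deny         -> deny, logged via syslog
#   3. otherwise                               -> allow
#
# Only the client patterns used below are implemented: ALL, an exact IP
# address, and a trailing-dot network prefix such as "192.168.1.".  Hostname,
# net/mask and EXCEPT forms are real hosts_access(5) syntax not handled here.

# Constructed hosts.allow: sshd from one LAN plus one extra host, ftp from
# that extra host only.  Real lines may carry a third "shell command" field;
# only the first two are consulted here.
HOSTS_ALLOW='# daemon list : client list
sshd: 192.168.1. 10.0.0.5
in.ftpd: 10.0.0.5
'

# Constructed hosts.deny: anything not allowed above is refused and logged.
HOSTS_DENY='ALL: ALL
'

# Constructed inetd.conf line of the kind the modifyinetd step leaves in
# place: inetd starts tcpd, which decides as above before exec'ing in.telnetd.
INETD_LINE='telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd'

# wrapped_by_tcpd INETD_LINE: succeed if the server field (6th) names tcpd.
wrapped_by_tcpd() {
    set -- $1
    case "$6" in */tcpd|tcpd) return 0 ;; *) return 1 ;; esac
}

# pattern_matches PATTERN VALUE: succeed if PATTERN matches VALUE.
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# list_matches 'PAT PAT ...' VALUE: succeed if any pattern in the list matches.
list_matches() {
    for pat in $1; do
        pattern_matches "$pat" "$2" && return 0
    done
    return 1
}

# file_matches CONTENT DAEMON CLIENT: succeed if some non-comment line of
# CONTENT matches both the daemon and the client.
file_matches() {
    printf '%s\n' "$1" | {
        while IFS= read -r line; do
            case "$line" in ''|'#'*) continue ;; esac
            daemons=$(printf '%s\n' "$line" | cut -d: -f1)
            clients=$(printf '%s\n' "$line" | cut -d: -f2)
            if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then
                exit 0      # exits only this side of the pipe
            fi
        done
        exit 1
    }
}

# tcpd_decision DAEMON CLIENT: print "allow" or "deny" as tcpd would decide.
tcpd_decision() {
    if file_matches "$HOSTS_ALLOW" "$1" "$2"; then
        echo allow
    elif file_matches "$HOSTS_DENY" "$1" "$2"; then
        echo deny       # tcpd also logs "refused connect from CLIENT" here
    else
        echo allow      # listed in neither file: TCP Wrappers defaults to allow
    fi
}

# Walk a few constructed connection attempts.
for attempt in 'sshd 192.168.1.20' 'sshd 192.168.10.5' 'sshd 10.0.0.5' \
               'in.tftpd 192.168.1.20' 'in.ftpd 10.0.0.5'; do
    set -- $attempt
    printf '%-9s from %-14s -> %s\n' "$1" "$2" "$(tcpd_decision "$1" "$2")"
done
```

Note that 192.168.10.5 is refused: the terminating period in "192.168.1." is what stops the prefix from also covering 192.168.10.0 through 192.168.19.255.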

LABEL: banners
SHORT_EXP: "At this point you can create \"Authorized Use Only\" banners for
your site. These may be very helpful in prosecuting system crackers you
may catch trying to break into your system.  We can make you default
banners which you may then later edit."
LONG_EXP:
QUESTION: "Would you like to make \"Authorized Use\" banners? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP: "A default login/telnet/ftp \"Authorized Use Only\" banner has been
created, and can be found in /etc/motd.  You should modify this banner to
apply more specifically to your organization (for instance, adding any site-
specific information to the default warnings).  If this is a corporate site,
check with your corporate counsel to determine the most appropriate
warning for the banner.  These banners, according to CIAC's bulletin

   (http://ciac.llnl.gov/ciac/bulletins/j-043.shtml)
   
may make it much easier to prosecute intruders.  By including this default
banner, Bastille Linux takes no responsibility for your ability to
prosecute system crackers.  Please, especially if you run a corporate
site, review/replace this with more specific language."
NO_EXP:
YES_CHILD: compiler
NO_CHILD: compiler
PROPER_PARENT: limit_ssh

FILE: DisableUserTools.pm

LABEL: compiler
SHORT_EXP: "The most common modus operandi for the bulk of the system
crackers out there is to gain access to your system, often through a regular
user account, and then use that access to compile exploits against your
system or other systems.  Disabling the compiler on your system will slow
these crackers down, and may even prevent some attacks entirely.

If this machine is a dedicated server/firewall, which does not have users who
need to compile programs, this action is strongly recommended.  Otherwise,
you should very carefully consider whether you will be inconveniencing your
users by disabling the compiler.  If you do choose to disable it, we'll do so by
only allowing root access to the compiler."
LONG_EXP:
QUESTION: "Would you like to disable the compiler? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: limitsconf
NO_CHILD: limitsconf
PROPER_PARENT: banners

FILE: ConfigureMiscPAM.pm

LABEL: limitsconf
SHORT_EXP: "In certain kinds of system attacks, known as Denial of Service
(DoS) attacks, the goal is not to gain access but instead to disrupt the
normal operation of the computer.  You can protect against certain types of
denial of service attacks by setting limits on the resources available to each
user.

Though you should customize this setting later if you're running a high-
output production server, we recommend this action for all machines and
configurations."
LONG_EXP:  "Denial of Service attacks are often very difficult to defend
against, since they don't require access of any kind to the target machine. 
Since several major daemons, including the web, name, and FTP servers, may
run as a particular user, you can limit the effectiveness of many Denial of
Service attacks by modifying /etc/security/limits.conf.  If you restrict the
resources available in this manner, you can effectively cripple most Denial of
Service attacks.  

If you choose this option, you'll be setting the following initial limits on
resource usage:
	
   - The number of allowed core files will be set to zero.  Core files 
     can be useful for diagnosing system problems, but they are very 
     large files and can be exploited by an attacker to fill up your
     filesystem.

   - Individual users are limited to 150 processes each.  This should
     be more than enough for normal system usage, and is not enough 
     to bring down your machine.

   - Individual files are limited to a size of 40MB.  Again, this 
     should be more than enough for normal system usage.

All of these values can be edited later."
QUESTION: "Would you like to put limits on system resource usage? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP: "System resource limits have been set in the file
/etc/security/limits.conf, which you can edit later as necessary."
NO_EXP:
YES_CHILD: consolelogin
NO_CHILD: consolelogin
PROPER_PARENT: compiler
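
The limits described above, as an added example that is not Bastille's own code: the /etc/security/limits.conf lines the explanation amounts to, plus a demonstration of what a file-size cap does to a process that tries to exceed it (the exact lines Bastille writes may differ; the KB units are pam_limits' own).

```shell
#!/bin/sh
# Added example, not Bastille's code: /etc/security/limits.conf entries of
# the kind the limitsconf step describes, plus a demonstration of what a
# file-size (fsize) cap does to a process that ignores it.
#
# pam_limits applies limits.conf at login.  core and fsize are in KB and
# nproc is a process count, so the text's "0 core files / 150 processes /
# 40MB files" becomes the lines below.  Bastille's own file may differ in
# detail; these values are the ones the explanation above states.
limits_conf() {
    printf '%s\n' \
        '# domain  type  item   value' \
        '*         soft  core   0' \
        '*         hard  core   0' \
        '*         soft  nproc  150' \
        '*         hard  nproc  150' \
        '*         soft  fsize  40000' \
        '*         hard  fsize  40000'
}

# limits_value ITEM: the hard value limits_conf sets for ITEM.
limits_value() {
    limits_conf | while read -r domain type item value; do
        if [ "$type" = hard ] && [ "$item" = "$1" ]; then
            echo "$value"
        fi
    done
}

# fsize_demo: in a subshell, lower the fsize limit to one block (ulimit -f
# counts 1024-byte blocks in bash, 512-byte blocks in dash) and try to write
# 8 KB with dd.  The kernel cuts the write off at the cap and then kills the
# writer with SIGXFSZ, which is exactly what a 40MB cap does to a runaway
# process.  Prints the number of bytes that actually reached the file.
fsize_demo() {
    f="${TMPDIR:-/tmp}/fsize_demo.$$"
    rm -f "$f"
    ( ulimit -f 1; dd if=/dev/zero of="$f" bs=1024 count=8 ) >/dev/null 2>&1 || true
    wc -c < "$f" | tr -d ' '
    rm -f "$f"
}

echo "nproc cap: $(limits_value nproc), bytes written under a 1-block cap: $(fsize_demo)"
```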

LABEL: consolelogin
SHORT_EXP: "Under Red Hat 6.0/6.1, users logged in at the console have
some special access rights (like the ability to mount the CD-ROM drive).  You
can disable this special access entirely, but a more flexible option is to
restrict console access to a small group of trusted user accounts."
LONG_EXP:
QUESTION: "Should we restrict console access to a small group of user accounts? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: consolelogin_accounts
NO_CHILD: morelogging
PROPER_PARENT: limitsconf

LABEL: consolelogin_accounts
SHORT_EXP: "Please enter the account names that should be able to log in
via the console, placing a space between each name."
QUESTION: "Which accounts should be able to log in at the console? [root]"
DEFAULT_ANSWER: root
YN_TOGGLE: 0
YES_CHILD: morelogging
NO_CHILD: morelogging
PROPER_PARENT: consolelogin


FILE: Logging.pm

LABEL: morelogging
SHORT_EXP: "We would like to configure additional logging for your system. 
We will give you the option to log to a remote host, if your site already
has one.  We will add two additional logging files to the default 
Red Hat setup and will also log some status messages to the 7th and 8th
virtual terminals (the ones you'll see when you hit ALT-F7 and ALT-F8).
This additional logging will not change the existing log files at all,
so this is by no means a \"risky\" move."
LONG_EXP:
QUESTION: "Would you like to add additional logging? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP: "This script is adding additional logging files:

/var/log/kernel       --    kernel messages
/var/log/syslog       --    messages of severity \"warning\" and \"error\"
      
Also, if you check the 7th and 8th TTY's, by hitting ALT-F7 or ALT-F8,
you'll find that we are now logging to virtual TTY's as well.  If you
try this, remember that you can use ALT-F1 to get back to the first
virtual TTY."
NO_EXP:
YES_CHILD: remotelog
NO_CHILD: pacct
PROPER_PARENT: consolelogin

LABEL: remotelog
SHORT_EXP: "If you already have a remote logging host, we can set this
machine to log to it."
LONG_EXP:
QUESTION: "Do you have a remote logging host? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: remotelog_host
NO_CHILD: pacct
PROPER_PARENT: morelogging

LABEL: remotelog_host
SHORT_EXP: "What is the IP address of the machine you normally log to?
Remember, this should be a machine already configured to accept logging.
If you have no such machine, select <Back> and change your answer.

Note: we ask for an IP address because this is safer -- it avoids DNS cache
      poisoning attacks on logging.  You may use a hostname, but it should be
      added to your /etc/hosts file..."
QUESTION: "What is the IP address of the machine you want to log to? [127.0.0.1]"
DEFAULT_ANSWER: 127.0.0.1
YN_TOGGLE: 0
YES_CHILD: pacct
NO_CHILD: pacct
PROPER_PARENT: remotelog

LABEL: pacct
SHORT_EXP: "Linux has the ability to log which commands are run when and by
whom.  This is extremely useful in trying to reconstruct what a potential
cracker actually ran.  The drawbacks are that the logs get large quickly (a
log rotate module is included to offset this), the parameters to commands
are not recorded, and, like all log files, the accounting log is removable if the 
attacker has root.

As this is rather disk and CPU intensive, please choose NO unless you have
carefully considered this option."
LONG_EXP:
QUESTION: "Would you like to set up process accounting? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: minimalism
NO_CHILD: minimalism
PROPER_PARENT: morelogging

FILE: MiscellaneousDaemons.pm

LABEL: minimalism
SHORT_EXP: "To make the operating system more secure, we try to deactivate all
system daemons, especially those running at a high/unlimited level of
privilege.  Each active system daemon serves as a potential point of
break-in, which might allow an attacker illegitimate access to your
system.  An attacker can use these system daemons to gain access if they
are later found to have a bug or security vulnerability.

We practice a minimalism principle here: minimize the number of privileged
system daemons and you can decrease your chances of being a victim should
one of the standard daemons be found later to have a vulnerability.  This
section will require careful attention, but if you have doubts, you should
be able to safely select \"Yes\" in most cases."
LONG_EXP:
QUESTION:
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: apmd
NO_CHILD: apmd
PROPER_PARENT: pacct

LABEL: apmd
SHORT_EXP: "apmd is used to monitor battery power and is used almost
exclusively by notebook/laptop computers."
LONG_EXP:
QUESTION: "Would you like to disable apmd? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: remotefs
NO_CHILD: remotefs
PROPER_PARENT: minimalism

LABEL: remotefs
SHORT_EXP: "We would like to disable the network file systems NFS and SMB
(Samba).  We strongly recommend that you disable both of these.  NFS is
known to have major security problems; Samba is slightly better, but it is
still a shared file system and still raises potentially severe security
concerns.  These services are safer if you can set your firewall to block
packets for either of them from entering or leaving your network, but it's
probably best to deactivate them until you can investigate whether or not
you need them and how to best secure them."
LONG_EXP:
QUESTION: "Would you like to deactivate NFS and Samba? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP: 
YES_CHILD: atd
NO_CHILD: atd
PROPER_PARENT: apmd

LABEL: atd
SHORT_EXP: "The at daemon (atd) allows you to run commands at a later
time.  Over time, a large number of vulnerabilities have been found in atd--
you can find exploits against them very easily on the web.  All the
functionality of at can be mimicked via cron.  We strongly recommend
disabling atd."
LONG_EXP:
QUESTION: "Would you like to disable atd? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: pcmcia
NO_CHILD: pcmcia
PROPER_PARENT: remotefs

LABEL: pcmcia
SHORT_EXP: "If this machine is not a notebook, it probably has no PCMCIA
ports.  PCMCIA ports allow the use of easily removable credit-card-sized
devices.  If this machine has no PCMCIA ports, you should be able to disable
PCMCIA services without any problems."
LONG_EXP:
QUESTION: "Would you like to disable PCMCIA services? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: dhcpd
NO_CHILD: dhcpd
PROPER_PARENT: atd

LABEL: dhcpd
SHORT_EXP: "DHCP servers are used to distribute temporary IP (Internet)
addresses to other machines.  An organization generally only has one or two
DHCP servers, if any.  Unless this machine is going to be a DHCP server, you
should deactivate the DHCP daemon.  Deactivating the daemon will not
prevent you from running DHCP as a client."
LONG_EXP:
QUESTION: "Would you like to disable the DHCP daemon? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: gpm
NO_CHILD: gpm
PROPER_PARENT: pcmcia

LABEL: gpm
SHORT_EXP: "GPM is used in console (text) mode to add mouse support to
text mode. If you will be using this machine in console mode and will want
mouse support, leave GPM on."
LONG_EXP:
QUESTION: "Would you like to disable GPM? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: innd
NO_CHILD: innd
PROPER_PARENT: dhcpd

LABEL: innd
SHORT_EXP: "innd is the standard internet news server, one of the servers that
together make up the news network.  You should only leave it turned on if this
machine will serve as the organization's news server."
LONG_EXP: "Very few people need to create their own news server, as your 
ISP or university usually provides one.  Further, they require a great deal 
of disk space, processor power, bandwidth and maintenance.  In all but the 
rarest of cases, you should disable the news server daemon."
QUESTION: "Would you like to disable the news server daemon? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: routing
NO_CHILD: routing
PROPER_PARENT: gpm

LABEL: routing
SHORT_EXP: "Unless this machine is serving as a router, you should turn off
the routing daemons (routed and gated)."
LONG_EXP: "Very few machines need to be running routing daemons.  If your
machine is only connected to the internet through one method, you can
disable routing protocols. If this machine is at an ISP or major networking
center, you can leave this on, but please prepare to configure your routing
daemon."
QUESTION: "Would you like to deactivate the routing daemons? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: nis
NO_CHILD: gated
PROPER_PARENT: innd

LABEL: gated
SHORT_EXP: "You've chosen for this machine to act as a router.  In that case,
we recommend using only the gated daemon, which is more secure than the
routed daemon."
LONG_EXP:
QUESTION: "Would you like to use gated instead of routed? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: nis
NO_CHILD: nis
PROPER_PARENT: routing

LABEL: nis
SHORT_EXP: "NIS is a system used for synchronizing key host information,
including account names and passwords.  It is quite insecure, and can be
easily compromised to gain access to accounts on the system.  If you are
really interested in using NIS, you should configure your firewall to block NIS
traffic going in or out of the network.  If you don't have a firewall, you 
shouldn't be running NIS.  

We very strongly recommend that you deactivate NIS."
LONG_EXP:
QUESTION: "Would you like to deactivate NIS server and client programs? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: snmpd
NO_CHILD: snmpd
PROPER_PARENT: routing

LABEL: snmpd
SHORT_EXP: "SNMP is a protocol used to track and manage network devices,
including hosts and routers.  Unfortunately, it is very insecure and can be
used by a system cracker to gain information about (and possibly
compromise) your network.  You may be able to use it more safely by
blocking SNMP packets at your firewall, but you should always be careful
when using this protocol.

We strongly urge you to deactivate it, at least until you have read
more about it and better understand the dangers involved."
LONG_EXP:
QUESTION: "Would you like to disable SNMPD? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: sendmaildaemon
NO_CHILD: sendmaildaemon
PROPER_PARENT: nis

FILE: Sendmail.pm

LABEL: sendmaildaemon
SHORT_EXP: "Running sendmail in daemon mode makes your system more
vulnerable to sendmail-based attacks, of which there have been many (and
almost certainly more to come).  With very few exceptions, most users don't
need sendmail to run in daemon mode."
LONG_EXP: "You don't need to have sendmail running in daemon mode to send and
receive email, and unless you have a constant Internet connection, you
probably can't run sendmail in daemon mode.

If you receive all of your email via a POP/IMAP  mailbox provided by your ISP,
you may have no need of daemon-mode sendmail, unless you're running a
special fetchmail-style POP/IMAP based retrieval program.  For instance, you
can turn daemon mode  off if you read your mail via Netscape's common
POP/IMAP read  functionality."
QUESTION: "Do you want to leave sendmail running in daemon mode? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: sendmailcron
NO_CHILD: sendmailcron
PROPER_PARENT: snmpd

LABEL: sendmailcron
SHORT_EXP: "Should we run sendmail via cron every 15 minutes to process
the  mail queue, processing and sending out e-mail? If this machine does
not run sendmail in daemon mode, but does have a constant internet link,
this is a possibility.  If sendmail is already running as a daemon, this is
unnecessary.  

If you do choose this option, most mailer programs will activate sendmail to
process their particular message.  A message usually only gets written to
the queue if sendmail has trouble delivering it, for instance because the
receiving mail server is down."
LONG_EXP:
QUESTION: "Would you like to run sendmail via cron to process the queue? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: vrfyexpn
NO_CHILD: vrfyexpn
PROPER_PARENT: sendmaildaemon

LABEL: vrfyexpn
SHORT_EXP: "An attacker can use sendmail's vrfy (verify recipient existence)
and expn (expand recipient alias/list contents) commands to learn more
about accounts on the system.  The expn command, for instance, could be
used to find out who the \"postmaster\" and \"abuse\" aliases redirect mail to,
which identifies which user account belongs to the system administrator.

These sendmail commands can be disabled without breaking anything and will
make the system cracker's job more difficult."
LONG_EXP:
QUESTION: "Would you like to disable the VRFY and EXPN sendmail commands? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: installssh
NO_CHILD: installssh
PROPER_PARENT: sendmailcron
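
The sendmail.cf change this step describes, as an added example that is not Bastille's own code: adding novrfy and noexpn to the PrivacyOptions line of a constructed sendmail.cf excerpt (the no-space "O PrivacyOptions=" form is assumed).

```shell
#!/bin/sh
# Added example, not Bastille's code: the sendmail.cf edit the vrfyexpn step
# describes, done on a constructed "O PrivacyOptions=" line.  With novrfy set,
# sendmail answers VRFY with a non-committal "cannot VRFY user" reply, and
# with noexpn set it refuses EXPN outright, so neither command gives away
# account names or alias membership.  The "goaway" shorthand turns on these
# and the other privacy flags at once; this script adds the two flags by
# name so the existing setting is preserved.

# Constructed sendmail.cf excerpt with the Red Hat 6.x style default line.
SENDMAIL_CF='# privacy flags
O PrivacyOptions=authwarnings
O Timeout.queuereturn=5d
'

# add_privacy_flags FLAG...: print SENDMAIL_CF with each FLAG appended to the
# PrivacyOptions line unless it is already there; other lines pass through.
add_privacy_flags() {
    printf '%s\n' "$SENDMAIL_CF" | while IFS= read -r line; do
        case "$line" in
            'O PrivacyOptions='*)
                flags=${line#O PrivacyOptions=}
                for want in "$@"; do
                    case ",$flags," in
                        *",$want,"*) ;;                        # already set
                        *) if [ -z "$flags" ]; then flags=$want
                           else flags="$flags,$want"; fi ;;
                    esac
                done
                printf 'O PrivacyOptions=%s\n' "$flags"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# privacy_flag_set CF FLAG: succeed if FLAG is on CF's PrivacyOptions line.
# (goaway implies novrfy and noexpn but is not expanded here.)
privacy_flag_set() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^O PrivacyOptions=//p')
    case ",$flags," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

add_privacy_flags novrfy noexpn
```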

FILE: RemoteAccess.pm

LABEL: installssh
SHORT_EXP: "We would like to install ssh, the secure shell, on your system. 
This is highly recommended, as it is the standard, and one of the only,
methods for remote access that doesn't compromise passwords.
NOTE: You should only choose this option if your network connection is FAST.

If you don't have a functioning network connection (you're using a modem or 
your network card couldn't be configured), choose \"no\" here, as we have to 
download ssh.  Further, if you chose to not let us install patches for you, 
because of the risk of Trojanning if a server is hacked, you should also 
choose \"no\" here, as the same risk is present.

Finally, please do read about the ssh licensing.  If you are not permitted
to use ssh, please either choose No here, or uninstall it using rpm."
LONG_EXP:
QUESTION: "Would you like to download and install ssh? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: chrootbind
NO_CHILD: chrootbind
PROPER_PARENT: vrfyexpn

FILE: DNS.pm

LABEL: chrootbind
SHORT_EXP: "The name server, named, needs to run with privileged access,
and is usually given full root access.  This allows named to function
correctly, but presents a security risk.  One way to lessen this risk is to
restrict named to a small segment of the filesystem, a step that still allows
named to function but minimizes the security risk.

Please DO NOT choose to do this unless you're running a Red Hat or Mandrake
box, as Bastille won't currently chroot a non-Red Hat-based name server."
LONG_EXP:  "The name server, named, is given root access so that it can
bind/unbind/listen to a \"privileged\" port to answer name queries.  One way to
lessen the risk presented by this special status is to lock the daemon
(named) into a \"chroot'ed prison.\"  In this case, the daemon has access to
only a small segment of the filesystem, a directory created specifically for
the purpose of giving the daemon access to only the files it needs.

The adjective \"chroot'ed\" is derived from \"change root\", since we set the
daemon's root directory ( / ) to some child node in the directory tree.  Note,
for experts: we know that a root process can break out of a chroot prison,
but this is still an effective deterrent, even if the walls aren't 
mouse-proof.

Please DO NOT choose to do this unless you're running a Red Hat or Mandrake
box, as Bastille won't currently chroot a non-Red Hat-based name server.
"
QUESTION: "Would you like to chroot named and set it to run as a non-root user? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP: "You've changed the name server, named, to run in a safer mode,
one in which it is restricted to operating within the directory /home/dns.
This \"chroot jail\" stops an attacker from using named to do more extensive
damage to the system if s/he is able to compromise named.  This
should be mostly transparent to you, except in two respects:

  1) All of your configuration edits for named must occur in /home/dns
  2) If you use ndc to control named, you will need to use
           ndc -c /home/dns/var/run/ndc
  3) Again, all of your configuration files must be moved to /home/dns
"
NO_EXP:
YES_CHILD: namedoff
NO_CHILD: namedoff
PROPER_PARENT: installssh

LABEL: namedoff
SHORT_EXP: "Until you configure your name (DNS) server, we would like to
temporarily turn it off.  In almost all cases, you should only need your own
name server if you own your own domain and you want this _particular_
machine to answer dns queries.  Further, there have been dangerous
vulnerabilities in past versions of the name server and more can arise.  The
security principle of Minimalism applies here: minimize the number of possible
attack points to be least vulnerable to attack.

Even if you plan on setting up a name server on this machine, you should
deactivate it for now until you get the configuration files set up.  You
can reactivate it then by typing, as root:     /sbin/chkconfig named on  "
LONG_EXP:
QUESTION: "Would you like to deactivate named, at least for now? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: apacheoff
NO_CHILD: apacheoff
PROPER_PARENT: chrootbind

FILE: Apache.pm

LABEL: apacheoff
SHORT_EXP: "Will you be using the Apache web server immediately? Again,
minimalism is a critical part of good site security.  If you don't
need to run a web server, at least not right now, you should deactivate it.
You can restart the web server later by typing:

      /sbin/chkconfig httpd on
"
LONG_EXP:
QUESTION: "Would you like to deactivate the Apache web server? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP: "Even though you've deactivated the Apache web server, there are
still a few more questions related to it.  It's good to take the precautions in
the next steps even if you've turned off the web server, since it might get
turned on again later."
NO_EXP:
YES_CHILD: bindapachelocal
NO_CHILD: bindapachelocal
PROPER_PARENT: namedoff

LABEL: bindapachelocal
SHORT_EXP: "When the web server is on, you may want to have it listen on
only the local interface, or on the local interface and a particular network
interface (like an ethernet card that's only connected to a bank of local
computers, none of which are attached to the internet).  This is a
particularly good option for web developers."
LONG_EXP: "If you bind the apache web server to the local interface, so that
it isn't accessible to other machines, it can still serve up pages to
browsers/web clients on this machine. This is ideal for many web 
developers, who don't need a worldwide accessible web server, but would 
like to edit a web site locally before uploading to another server.  To
access the server, you would simply use, as a URL in your browser:

        http://localhost/
and
        http://localhost/some_page.html
	
Even if you fully deactivated the web server in the previous step, this 
option still makes sense: if you or someone else turns the server back on,
it doesn't represent as great a risk if it isn't set to allow 
connections from the entire internet."
QUESTION: "Would you like to bind the web server to listen only to the localhost? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: bindapachenic
NO_CHILD: bindapachenic
PROPER_PARENT: apacheoff

LABEL: bindapachenic
SHORT_EXP: "Would you like to bind the web server to a particular interface,
such as an ethernet card? If yes, you'll need to enter the IP Address for that
interface.
If you've already chosen to listen only to localhost (127.0.0.1), choosing yes
to this option will negate that, but will still allow your machine to access the
web server, along with the other machines on this interface's network."
LONG_EXP:
QUESTION: "Would you like to bind the web server to a particular interface? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: bindapacheaddress
NO_CHILD: generalweb
PROPER_PARENT: bindapachelocal

LABEL: bindapacheaddress
SHORT_EXP: "Please enter the IP address for apache to listen on.  Include the
port it should listen on--the default port is port 80.  For example:

     192.168.1.1:80
 or
     10.0.0.1:8080"
LONG_EXP:
QUESTION: "Address to bind the web server to? [127.0.0.1]"
YN_TOGGLE: 0
DEFAULT_ANSWER: 127.0.0.1 
YES_CHILD: generalweb
NO_CHILD: generalweb
PROPER_PARENT: bindapachenic

LABEL: generalweb
SHORT_EXP: "There are a few other changes that we recommend you make to the web
server's configuration.  There are very few intrinsic security flaws in the
Apache web server, but there are two important ones:

  As with all web servers, it is generally required to send and receive
  information to and from anyone on the internet.
  
  In many environments, the people telling the server how to behave are
  not knowledgeable system administrators by trade.  Before you discount
  this fact, take account of the wide proliferation of configurations
  under which any user on the system can instruct the server to execute 
  arbitrary code for anyone who comes to the site, via CGI scripts."
LONG_EXP:
QUESTION:
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: symlink
NO_CHILD: symlink
PROPER_PARENT: bindapachenic

LABEL: symlink
SHORT_EXP: "In general, you should try to limit which information on the web
server's host can be accessed by the myriad of people who may connect to
the web server.

We will prevent the web server from following symbolic links.  Apache runs
as user \"nobody\", and so it can potentially change/read any world 
writable/readable file on the system.  If we don't deactivate this option,
a user could potentially allow a web site visitor to view files not in the
web page directories.  Deactivating \"follow symbolic links\" will help
prevent this.  Further, deactivation can lessen the probability that a future
vulnerability in Apache could be exploited to alter world writable files 
on the system."
LONG_EXP:
QUESTION: "Would you like to deactivate the following of symbolic links? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: ssi
NO_CHILD: ssi
PROPER_PARENT: generalweb

LABEL: ssi
SHORT_EXP: "You might also want to deactivate server-side includes. If you
don't know what they are, you should probably turn them off until you do.  In
essence, they are another way for a web server to execute code to modify
web pages, but they represent a security risk you may not want to take until
you better understand the Apache web server."
LONG_EXP:
QUESTION: "Would you like to deactivate server-side includes? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: cgi
NO_CHILD: cgi
PROPER_PARENT: symlink

LABEL: cgi
SHORT_EXP: "As mentioned earlier, one of the few inherent weaknesses in Apache,
true of web servers in general, is that CGI scripts allow any user on the
system to allow anyone who can access the web site (which is usually the
entire internet) to run programs on the web server's host.  This has inherent 
problems, but may be required at your site.  We recommend disabling 
CGI script execution for now, while you take the time to read more about the 
dangers and install some kind of protection."  
LONG_EXP: "One security precaution that you should look into is using a
wrapper program that only allows certain users to execute CGI 
programs.  You may even have your site's security administrator audit each 
script before allowing it onto the system.  CGI scripts are not inherently
dangerous, but they need to be very carefully controlled by people who 
understand the dangers."
QUESTION: "Would you like to disable CGI scripts, at least for now? [Y]"
DEFAULT_ANSWER: Y
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: apacheindex
NO_CHILD: apacheindex
PROPER_PARENT: ssi

LABEL: apacheindex
SHORT_EXP: "Apache, by default, is configured to generate \"index\" files for
any web directories that don't have them.  These index files basically create
a link to every file in the directory, whether one was intended or not.  This
step isn't necessary, but may be helpful."
LONG_EXP: "This can be mildly problematic, for example, when a user places a
sensitive data file that's required by a CGI script in a web directory.  The
data file must be readable by user \"nobody\", which generally means it must
be world-readable.  Without the automatically generated index file, a
web site visitor couldn't ordinarily read the data file unless they could
guess its name.  Still, this example is weak, as it illustrates the 
flawed, yet all-too-common, principle of \"security through obscurity.\"
No examples were obvious to the authors of this script that didn't rely on
breaking the most obvious rule of web site creation, \"don't put any sensitive
files in a web directory with world-readable permissions!\" "
QUESTION: "Would you like to disable indexes? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: printing
NO_CHILD: printing
PROPER_PARENT: cgi

FILE: Printing.pm

LABEL: printing
SHORT_EXP: "If this machine is not going to need to print, you should disable
lpr and lpd; this step will also remove the SUID root (extremely high level of
privilege) setting from lpr and lprm.  You could undo this later by typing

     /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm
     /sbin/chkconfig lpd on

This is only recommended if this machine will not be used for
printing in the near future.  If you deactivate this, you should write
down the commands above, for later use."
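An added example, not part of Bastille's Printing.pm: the reverse of the undo commands above, stripping the set-id bits from the print binaries and then checking that none remain. The binary paths are passed as arguments (on a live system, /usr/bin/lpr and /usr/bin/lprm), so it can be tried on scratch files first.

```shell
# has_setid FILE -> exit 0 if FILE carries the setuid or setgid bit, 1 otherwise.
# Parses the ls(1) mode string (e.g. "-r-sr-sr-x" for mode 06555): character 4
# shows setuid ("s"/"S"), character 7 shows setgid.
has_setid() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???[sS]*|??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# strip_setid FILE... -> chmod each existing FILE to 0555 (the page's 06555
# without the set-id bits).  Returns the count of files that still carry a
# set-id bit afterwards, so 0 means the hardening step fully took effect.
strip_setid() {
    left=0
    for f in "$@"; do
        [ -e "$f" ] || continue           # skip binaries not installed here
        chmod 0555 "$f"
        if has_setid "$f"; then
            left=$((left + 1))
        fi
    done
    return "$left"
}
```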
LONG_EXP:
QUESTION: "Would you like to disable printing? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: ftpgeneral
NO_CHILD: ftpgeneral
PROPER_PARENT: apacheindex

FILE: FTP.pm

LABEL: ftpgeneral
SHORT_EXP: "FTP is widely considered to be fairly dangerous, but even
security-conscious sites might still run it because of the perceived 
difficulty in educating users about alternatives.  Available
alternatives include:

 - secure copy, which encrypts names, passwords and traffic
 - web-based file archives, a much safer way of offering files to the public

The lack of widespread, free, Windows-based secure copy clients only 
exacerbates the problem.  FTP is dangerous for several reasons, including:

 1) All passwords travel in the clear across the connection, allowing any
    intermediate hosts (and usually every host on the source and destination's
    local area network) to \"sniff\" unencrypted passwords.
    
 2) FTP daemons typically need to run with root privileges, and most of the
    common ones have been found to have a multitude of security vulnerabilities
    over the course of their existence.  For instance, the ftp daemon included
    with Red Hat 6.0 has had two major updates to close security holes since
    RH6.0 was released.  Earlier in this session, we updated your wu-ftpd to
    the most recent one that Red Hat advertises.
"
LONG_EXP:
QUESTION:
YN_TOGGLE: 0
YES_EXP:
NO_EXP:
YES_CHILD: userftp
NO_CHILD: userftp
PROPER_PARENT: printing

LABEL: userftp
SHORT_EXP: "Allowing users to access the FTP server from anywhere on the
Internet presents a security problem, and you should disallow this access if
possible.  The problem is that many users feel they need FTP access.  You
can disable user access to the ftp daemon, leaving anonymous download still
possible.  We do not recommend this for most site admins, unless they have
management's approval and are prepared to educate their users."
LONG_EXP: "The least safe configuration for an ftp daemon is one which
allows anyone to connect (via \"anonymous\" mode) and upload files.  Most of
the attacks that let an intruder gain root access on your box require that
s/he is able to upload files.  If you don't have anonymous ftp with upload
capability, the intruder cannot use those attacks unless s/he can get a user
name and password.  For the sake of safety, this mode is shut off by default 
in the wu-ftpd configuration in Red Hat 6.0 and 6.1.

The next least safe configuration is the one in which users with accounts
on the system are allowed to access the server from the entire Internet.
The dangers stem from 1) cleartext passwords being sniffed on the Internet
and 2) common vulnerabilities in ftp daemons that become exploitable once
anyone has upload privileges.

Unfortunately, disabling this configuration is difficult, as this is what
many sites feel a need to use their ftp server for.  With a well
educated user base (and secure copy clients for their platforms), this
functionality is unnecessary.  Unfortunately, educating your user base may
be impossible at your site, especially if there are a large number of users.  If
this is a three-account server, that kind of user education may be quite possible."
QUESTION: "Would you like to disable user privileges on the FTP daemon? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: anonftp
NO_CHILD: anonftp
PROPER_PARENT: ftpgeneral

LABEL: anonftp
SHORT_EXP: "The last major FTP server functionality that we allow you to
disable in the name of site security is anonymous download access.  As we've
noted before, this functionality can be mimicked via the traditionally more
secure Apache web server.  Any files that you want accessible to the world
can be placed on an easy-to-configure web server."
LONG_EXP:
QUESTION: "Would you like to disable anonymous download? [N]"
DEFAULT_ANSWER: N
YN_TOGGLE: 1
YES_EXP:
NO_EXP:
YES_CHILD: 
NO_CHILD: 
PROPER_PARENT: userftp

