The patches in this set consist of a number of actual bug fixes and a few enhancements. The two enhancements are:

1) A change in the semantics of the -l flag so that it lists configuration files even if Bastille has not been run previously.

2) A change in the way distributions are inferred, specified, and observed, so that a distribution can always be specified and so that a specified distribution overrides an inferred distribution when they are different.

At this point, the Bastille screens will show the appropriate questions and, when the questions have been responded to, it will write out the responses to the config file. The two significant things that it cannot do, but that the documentation claims that it does, are:

1) Test the system on which it is run for answers to the questions.

2) Make changes to the system based on those answers.

Clearly, code has at one time been written to effect those changes on some systems. But the following things don't work, and appear to be due to bugs in the existing code base rather than errors in the set-up.

1) After the answers have been given, InteractiveBastille is supposed to not only write out the responses to the config file but invoke BastilleBackEnd so that it makes the changes. The implementation does not do this correctly. The method that is invoked for this purpose is Run_Bastille_with_Config. The definition of this method has above it the comment "Not used in HP-UX. Run_Bastille_with_Config may be dead code in all OS-s.", which does not inspire confidence. The invocation has been removed, so that the screen flicker that it causes will go away.

2) If it were the case that "bastille -b" were effective, i.e., if bastille could be run so as to apply the contents of the config file to the system, problem (1) would not be so serious. But this is not the case. Instead, Bastille encounters a variety of fatal errors in the Bastille source, arising, at least in part, from a propensity to invoke HP-UX specific code regardless of the distro.

3) Bastille is quite unable even to assess the status of a system with regard to the questions asked. In its current state, the result of an assessment is a file with no entries. This can be changed with relative ease, so that the code that will attempt to discover the answers to the relevant questions is executed. However, in that case, the same fatal errors as described in point (2) are encountered.

4) Generally speaking, the code appears to be bug-ridden. Attempting to fix it to the point that it actually works might actually be more expensive and less rewarding than starting from scratch. Perhaps this version of Bastille could be kept as a record of decisions made about the appropriate issues to address for security on Yocto distributions, but no further effort be made to fix it. Instead, some other alternative could be found to achieve the same results. Here are two possibilities:

1) OpenSCAP's oscap tool (open-scap.org). This tool is all about security and the source code repository was last updated a few days ago. It might work nicely with the Script Check Engine for XCCDF, which is described at pvrabec.livejournal.com/887.html.

2) Puppet (puppetlabs.com) is more general and is about configuring anything at all for various purposes. It has some associated applications, including Facter (which finds out facts about the system on which it is running). These applications have been written in Ruby.

The following changes since commit 600a74468bf6d2e2f865e7d7c70e68c60c829234:

  lib-perl: Change description to match package. (2013-08-20 08:39:35 -0700)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib mulhern/bastille-final
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=mulhern/bastille-final

mulhern (6):
  Bastille: Preliminary cleanup of existing patches.
  Bastille: Miscellaneous fixes to the Bastille code base.
  Bastille: change in behavior of bastille -l.
  Bastille: accept and observe --os flag in multiple situations.
  Bastille: set Yocto specific questions via config file.
  Bastille: document the current status and usability of the Bastille install.

 README                                             |  44 +-
 recipes-security/bastille/bastille_3.2.1.bb        |  21 +-
 .../files/Curses-and-IOLoader-changes.patch        |  50 ---
 .../bastille/files/accept_os_flag_in_backend.patch |  28 ++
 .../bastille/files/allow_os_with_assess.patch      |  37 ++
 .../bastille/files/call_output_config.patch        |  13 +
 .../bastille/files/do_not_apply_config.patch       |  34 ++
 .../bastille/files/edit_usage_message.patch        |  26 ++
 .../bastille/files/find_existing_config.patch      |  58 +++
 .../files/fix_missing_use_directives.patch         |  48 ++
 .../bastille/files/fix_number_of_modules.patch     |  32 ++
 ...rd-patch.patch => fixed_defined_warnings.patch} |  32 +-
 .../bastille/files/organize_distro_discovery.patch | 470 ++++++++++++++++++++
 .../remove_questions_text_file_references.patch    |  24 +
 .../bastille/files/set_required_questions.py       | 135 ++++++
 .../bastille/files/simplify_B_place.patch          |  34 ++
 .../files/upgrade_options_processing.patch         |  85 ++++
 17 files changed, 1080 insertions(+), 91 deletions(-)
 delete mode 100644 recipes-security/bastille/files/Curses-and-IOLoader-changes.patch
 create mode 100644 recipes-security/bastille/files/accept_os_flag_in_backend.patch
 create mode 100644 recipes-security/bastille/files/allow_os_with_assess.patch
 create mode 100644 recipes-security/bastille/files/call_output_config.patch
 create mode 100644 recipes-security/bastille/files/do_not_apply_config.patch
 create mode 100644 recipes-security/bastille/files/edit_usage_message.patch
 create mode 100644 recipes-security/bastille/files/find_existing_config.patch
 create mode 100644 recipes-security/bastille/files/fix_missing_use_directives.patch
 create mode 100644 recipes-security/bastille/files/fix_number_of_modules.patch
 rename recipes-security/bastille/files/{yocto-standard-patch.patch => fixed_defined_warnings.patch} (65%)
 create mode 100644 recipes-security/bastille/files/organize_distro_discovery.patch
 create mode 100644 recipes-security/bastille/files/remove_questions_text_file_references.patch
 create mode 100755 recipes-security/bastille/files/set_required_questions.py
 create mode 100644 recipes-security/bastille/files/simplify_B_place.patch
 create mode 100644 recipes-security/bastille/files/upgrade_options_processing.patch

-- 
1.7.10.4

_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
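The cover letter above proposes OpenSCAP's oscap with the Script Check Engine (SCE) as a replacement for Bastille's non-functional assessment step. The script below is an added example, not part of this patch set, of Bastille, or of OpenSCAP: it shows the shape of one SCE check (a "question" answered by inspecting the system rather than by prompting the user), using the exit-status convention SCE documents for mapping a script's result to an XCCDF result. The hardening question checked (sshd PermitRootLogin), the function names and the sample sshd_config files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Bastille or OpenSCAP code): a minimal SCE check script.
# SCE turns a check script's exit status into an XCCDF result; these are the
# status values OpenSCAP's SCE documents for pass, fail and error.
XCCDF_RESULT_PASS=101
XCCDF_RESULT_FAIL=102
XCCDF_RESULT_ERROR=103

# check_sshd_permit_root_login FILE
# Returns XCCDF_RESULT_PASS when the effective global PermitRootLogin in FILE
# is "no", XCCDF_RESULT_FAIL otherwise (including when the directive is
# absent, since sshd's compiled-in default is not "no"), and
# XCCDF_RESULT_ERROR when FILE cannot be read. Directives inside Match blocks
# are deliberately not handled (see the note after the block).
check_sshd_permit_root_login() {
    cfg=$1
    [ -r "$cfg" ] || return "$XCCDF_RESULT_ERROR"
    # sshd honours the first occurrence of a directive, so stop at the first
    # match; keywords are case-insensitive and comment lines start with '#'.
    value=$(awk '
        $1 ~ /^#/ { next }
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$cfg")
    if [ "$value" = "no" ]; then
        return "$XCCDF_RESULT_PASS"
    fi
    return "$XCCDF_RESULT_FAIL"
}

# run_check FILE: run the check and print the XCCDF result name it maps to.
run_check() {
    rc=0
    check_sshd_permit_root_login "$1" || rc=$?
    case $rc in
        "$XCCDF_RESULT_PASS")  echo pass ;;
        "$XCCDF_RESULT_FAIL")  echo fail ;;
        "$XCCDF_RESULT_ERROR") echo error ;;
        *)                     echo "unexpected status $rc" ;;
    esac
}

# make_sample_cfg DEST VALUE: write a constructed sshd_config sample; an
# empty VALUE omits the PermitRootLogin line entirely.
make_sample_cfg() {
    {
        echo "# constructed sshd_config sample, not a real host's config"
        echo "Port 22"
        [ -n "$2" ] && echo "PermitRootLogin $2"
        echo "PasswordAuthentication no"
    } > "$1"
}

# Exercise the check against the constructed samples. When the script is
# installed as an SCE check, the last line would instead be
#   check_sshd_permit_root_login /etc/ssh/sshd_config
# so that the exit status reaches oscap.
tmp=$(mktemp -d)
make_sample_cfg "$tmp/hardened" no
make_sample_cfg "$tmp/loose" yes
make_sample_cfg "$tmp/unset" ""
for f in hardened loose unset missing; do
    printf '%s: %s\n' "$f" "$(run_check "$tmp/$f")"
done
rm -rf "$tmp"
```

To wire this into an XCCDF benchmark the rule's check element names the SCE check system (http://open-scap.org/page/SCE) and references the script path; oscap then runs it during `oscap xccdf eval` and records the mapped result. Two caveats a practitioner would want before trusting a check like this: sshd also accepts `keyword=value` syntax and per-client `Match` blocks, neither of which the awk above handles, so a production check should parse the effective configuration (for example via `sshd -T`) rather than the file text.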