Thursday, April 17, 2008

Bastille tried to use $GLOBAL_BIN{'ping6'} but it does not exist

A colleague of mine was having problems running Bastille to harden his RedHat Linux server. He kept getting the following error message and could not find any solution on the web.
ERROR: Bastille tried to use $GLOBAL_BIN{'ping6'} but it does not exist.

I had heard about Bastille but had no clue how it works. Anyway, here is how I managed to provide a workaround that avoids the above error message by explicitly defining the full path of ping6.

bastille is actually a shell script that eventually launches a Perl script to run through the hardening steps. At the beginning of the bastille script, it defines PATH and PERL5LIB. PERL5LIB is the place to explore for all the other Bastille Perl modules (.pm). I searched through all the .pm files for the string "GLOBAL_BIN" and found the following files that contain it: API.pm, API.pm.sweth and OSX_API.pm.

$ which ping6
/bin/ping6


$ cat /usr/sbin/bastille
...
...
export PATH="/bin:/usr/bin:/usr/sbin:$PATH"
export PERL5LIB="$PERL5LIB:/opt/sec_mgmt/bastille/lib:/usr/lib/perl5/site_perl:/usr/lib/Bastille:/usr/lib/perl5/site_perl/5.6.0/i386-linux"
...
...

$ cd /usr/lib/Bastille
$ grep GLOBAL_BIN *
API.pm:       %GLOBAL_BIN %GLOBAL_DIR %GLOBAL_FILE
API.pm:    my %map = ("BIN"   => \%GLOBAL_BIN,
API.pm:     # type relates to the map above, type bin will map to GLOBAL_BIN
API.pm:    foreach my $hashref (\%GLOBAL_BIN,\%GLOBAL_DIR,\%GLOBAL_FILE,\%GLOBAL_BFILE,\%GLOBAL_BDIR) {
API.pm:  my %map = ("BIN"   => \%GLOBAL_BIN,
API.pm:    # i.e. Bastille tried to use $GLOBAL_BIN{'cp'} but it does not exist.
API.pm.sweth:   %GLOBAL_BIN %GLOBAL_DIR %GLOBAL_FILE %GLOBAL_MISC
API.pm.sweth:         $GLOBAL_BIN{$DISTRO_FILE} = $PATH_TEMP;
API.pm.sweth:         `$GLOBAL_BIN{"cp"} -p $file $backup_file`;
API.pm.sweth:         $return=`$GLOBAL_BIN{"mknod"} $prefix $file $suffix`;
OSX_API.pm:    $GLOBAL_BIN{"md5sum"}="/usr/bin/md5sum";

OSX_API.pm is likely a module meant for Mac OS X. It also hard-codes the full path of md5sum in the GLOBAL_BIN associative array. Hey, likely I can do the same for ping6 in API.pm. My instinct tells me that API.pm is the generic API module and likely to be the entry point for bastille.

I explicitly defined the full path of ping6 right after the package definition, as shown below. Guess what, bastille runs without any error. I won't say the problem is solved, but at least I provided a workaround.

$ cat API.pm
...
...
package Bastille::API;
$GLOBAL_BIN{'ping6'}="/bin/ping6";

...
...
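
A guarded variant of the workaround, added here as an example (it is not Bastille code and not from the original post): it looks for the binary in the directories from the wrapper's PATH line, skips any copy that is world-writable, and prints the assignment line to place in API.pm. The function names resolve_bin and globalbin_line are hypothetical, and the world-writable check is an extra precaution assumed here because Bastille runs as root.

```shell
#!/bin/sh
# Added example (not Bastille code): resolve a binary for the %GLOBAL_BIN
# workaround instead of assuming /bin/ping6 is correct on every host.

# Search order taken from the PATH line in /usr/sbin/bastille shown above.
BASTILLE_DIRS="/bin /usr/bin /usr/sbin"

# resolve_bin NAME [DIR...]: print the first regular, executable,
# non-world-writable file called NAME; return 1 if none qualifies.
resolve_bin() {
    name=$1; shift
    [ $# -gt 0 ] || set -- $BASTILLE_DIRS
    for dir in "$@"; do
        candidate="$dir/$name"
        [ -f "$candidate" ] && [ -x "$candidate" ] || continue
        # -H follows a symlinked binary so the target's mode is checked;
        # skip anything that other users could replace.
        [ -z "$(find -H "$candidate" -perm -0002)" ] || continue
        printf '%s\n' "$candidate"
        return 0
    done
    return 1
}

# globalbin_line NAME [DIR...]: print the Perl assignment to place after
# "package Bastille::API;", or fail when the binary is not installed.
globalbin_line() {
    path=$(resolve_bin "$@") || {
        echo "$1: not found; install it rather than hard-coding a path" >&2
        return 1
    }
    printf '$GLOBAL_BIN{'\''%s'\''}="%s";\n' "$1" "$path"
}

# When run as a script with arguments, e.g. "sh resolve.sh ping6".
[ $# -eq 0 ] || globalbin_line "$@"
```

If the lookup fails, the error message from Bastille was accurate and the package providing the binary is missing.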
