meta-security/recipes-security/bastille/files/HPSpecific.pm

package Bastille::API::HPSpecific;

use strict;
use Bastille::API;
use Bastille::API::FileContent;

require Exporter;
our @ISA = qw(Exporter);
our @EXPORT_OK = qw(
getIPFLocation
getGlobalSwlist
B_check_system
B_swmodify
B_load_ipf_rules
B_Schedule
B_ch_rc
B_set_value
B_chperm
B_install_jail
B_list_processes
B_list_full_processes
B_deactivate_inetd_service
B_get_rc
B_set_rc
B_chrootHPapache
isSystemTrusted
isTrustedMigrationAvailable
checkServiceOnHPUX
B_get_path
convertToTrusted
isOKtoConvert
convertToShadow
getSupportedSettings
B_get_sec_value
secureIfNoNameService
isUsingRemoteNameService
remoteServiceCheck
remoteNISPlusServiceCheck
B_create_nsswitch_file
B_combine_service_results

%priorBastilleNDD
%newNDD
);
our @EXPORT = @EXPORT_OK;



# "Constants" for use both in testing and in lock-down
our %priorBastilleNDD = (
   "ip_forward_directed_broadcasts" =>["ip",   "0"],
   "ip_forward_src_routed"          =>["ip",   "0"],
   "ip_forwarding"                  =>["ip",   "0"],
   "ip_ire_gw_probe"                =>["ip",   "0"],
   "ip_pmtu_strategy"               =>["ip",   "1"],
   "ip_respond_to_echo_broadcast"   =>["ip",   "0"],
   "ip_send_redirects"              =>["ip",   "0"],
   "ip_send_source_quench"          =>["ip",   "0"],
   "tcp_syn_rcvd_max"               =>["tcp","1000"],
   "tcp_conn_request_max"           =>["tcp","4096"] );

our %newNDD = (
   "ip_forward_directed_broadcasts" =>["ip",    "0"],
   "ip_forward_src_routed"          =>["ip",    "0"],
   "ip_forwarding"                  =>["ip",    "0"],
   "ip_ire_gw_probe"                =>["ip",    "0"],
   "ip_pmtu_strategy"               =>["ip",    "1"],
   "ip_respond_to_echo_broadcast"   =>["ip",    "0"],
   "ip_send_redirects"              =>["ip",    "0"],
   "ip_send_source_quench"          =>["ip",    "0"],
   "tcp_syn_rcvd_max"               =>["tcp","4096"],
   "tcp_conn_request_max"           =>["tcp","4096"],
   "arp_cleanup_interval"           =>["arp","60000"],
   "ip_respond_to_timestamp"        =>["ip",    "0"],
   "ip_respond_to_timestamp_broadcast" => ["ip","0"] );


####################################################################
#
#  This module makes up the HP-UX specific API routines.
#
####################################################################
#
#  Subroutine Listing:
#     &HP_ConfigureForDistro: adds all used file names to global
#                             hashes and generates a global IPD
#                             hash for SD modification lookup.
#
#     &getGlobalSwlist($):    Takes a fully qualified file name
#                             and returns product:filset info
#                             for that file.  returns undef if
#                             the file is not present in the IPD
#
#     &B_check_system:        Runs a series of system queries to
#                             determine if Bastille can be safely
#                             ran on the current system.
#
#     &B_swmodify($):         Takes a file name and runs the
#                             swmodify command on it so that the
#                             IPD is updated after changes
#
#     &B_System($$):          Takes a system command and the system
#                             command that should be used to revert
#                             whatever was done. Returns 1 on
#                             success and 0 on failure
#
#     &B_Backtick($)          Takes a command to run and returns its stdout
#                             to be used in place of the prior prevelent use
#                             of un-error-handled backticks
#
#     &B_load_ipf_rules($):   Loads a set of ipfrules into ipf, storing
#                             current rules for later reversion.
#
#     &B_Schedule($$):        Takes a pattern and a crontab line.
#                             Adds or replaces the crontab line to
#                             the crontab file, depending on if a
#                             line matches the pattern
#
#     &B_ch_rc($$):           Takes a the rc.config.d flag name and
#                             new value as well as the init script
#                             location. This will stop a services
#                             and set the service so that it will
#                             not be restarted.
#
#     &B_set_value($$$):      Takes a param, value, and a filename
#                             and sets the given value in the file.
#                             Uses ch_rc, but could be rewritten using
#                             Bastille API calls to make it work on Linux
#
#     &B_TODO($):             Appends the give string to the TODO.txt
#                             file.
#
#     &B_chperm($$$$):        Takes new perm owner and group of given
#                             file.  TO BE DEPRECATED!!!
#
#     &B_install_jail($$):    Takes the jail name and the jail config
#                             script location for a give jail...
#                             These scripts can be found in the main
#                             directory e.g. jail.bind.hpux
#
#####################################################################

##############################################################################
#
#                     HP-UX Bastille directory structure
#
##############################################################################
#
#  /opt/sec_mgmt/bastille/bin/   -- location of Bastille binaries
#  /opt/sec_mgmt/bastille/lib/   -- location of Bastille modules
#  /opt/sec_mgmt/bastille/doc/   -- location of Bastille doc files
#
#  /etc/opt/sec_mgmt/bastille/   -- location of Bastille config files
#
#  /var/opt/sec_mgmt/bastille/log         -- location of Bastille log files
#  /var/opt/sec_mgmt/bastille/revert        -- directory holding all Bastille-
#                                            created revert scripts
#  /var/opt/sec_mgmt/bastille/revert/backup -- directory holding the original
#                                            files that Bastille modifies,
#                                            with permissions intact
#
##############################################################################

sub getIPFLocation () { # Temporary until we get defined search space support
    my $ipf=&getGlobal('BIN','ipf_new');
    my $ipfstat=&getGlobal('BIN','ipfstat_new');
    if (not(-e $ipf)) { # Detect if the binaries moved
        $ipf = &getGlobal('BIN','ipf');
        $ipfstat=&getGlobal('BIN','ipfstat');
    }
    return ($ipf, $ipfstat);
}

##############################################
# Given a combination of service results, provided
# in an array, this function combines the result into
# a reasonable aggregate result
##############################################

sub B_combine_service_results(@){
    my @results = @_;
    
    #TODO: Consider greater sophistication wrt inconsistent, or not installed.
    
    foreach my $result (@results) {
        if (not(($result ==  SECURE_CAN_CHANGE) or
            ($result ==  SECURE_CANT_CHANGE) or
            ($result == NOT_INSTALLED()))) {
            return NOTSECURE_CAN_CHANGE();
        }
    }
    return SECURE_CANT_CHANGE();
}

####################################################################
# &getGlobalSwlist ($file);
#   This function returns the product and fileset information for
#   a given file or directory if it exists in the IPD otherwise
#   it returns undefined "undef"
#
#   uses $GLOBAL_SWLIST{"$FILE"}
####################################################################
sub getGlobalSwlist($){
    no strict;
    my $file = $_[0];


    if(! %GLOBAL_SWLIST) {
	# Generating swlist database for swmodify changes that will be required
	# The database will be a hash of fully qualified file names that reference
	# the files product name and fileset.  These values are required to use
	# swmodify...

	# Files tagged 'is_volatile' in the IPD are not entered in the swlist database
	# in order to avoid invoking swmodify if the file is changed later.  Attempting to 
	# swmodify 'volatile' files is both unneccessary and complicated since swverify will 
	# not evaluate volatile files anyway, and adding another value to the swlist database
	# would require complex code changes.

	# temp variable to keep swlist command /usr/sbin/swlist
	my $swlist = &getGlobal('BIN',"swlist");

	# listing of each directory and file that was installed by SD on the target machine
	my @fileList = `$swlist -a is_volatile -l file`;

	# listing of each patch and the patches that supersede each.
	# hash which is indexed by patch.fileset on the system
	my %patchSuperseded;

	my @patchList = `${swlist} -l fileset -a superseded_by *.*,c=patch 2>&1`;
	# check to see if any patches are present on the system
	if(($? >> 8) == 0) {

	    # determining patch suppression for swmodify.
	    foreach my $patchState (@patchList) {
		# removing empty lines and commented lines.
		if($patchState !~ /^\s*\#/ && $patchState !~ /^\s*$/) {

		    # removing leading white space
		    $patchState =~ s/^\s+//;
		    my @patches = split /\s+/, $patchState;
		    if($#patches == 0){
			# patch is not superseded
			$patchSuperseded{$patches[0]} = 0;
		    }
		    else {
			# patch is superseded
			$patchSuperseded{$patches[0]} = 1;
		    }
		}
	    }
	}
	else {
	    &B_log("DEBUG","No patches found on the system.\n");
	}

	if($#fileList >= 0){
	    # foreach line of swlist output
	    foreach my $fileEntry ( @fileList ){
		#filter out commented portions
		if( $fileEntry !~ /^\s*\#/ ){
		    chomp $fileEntry;
		    # split the output into three fields: product.fileset, filename, flag_isvolatile
		    my( $productInfo, $file, $is_volatile ) = $fileEntry =~ /^\s*(\S+): (\S+)\t(\S+)/ ;
		    # do not register volatile files
		    next if ($is_volatile =~ /true/);  # skip to next file entry
		    $productInfo =~ s/\s+//;
		    $file =~ s/\s+//;
		    # if the product is a patch
		    if($productInfo =~ /PH(CO|KL|NE|SS)/){
			# if the patch is not superseded by another patch
			if($patchSuperseded{$productInfo} == 0){
			    # add the patch to the list of owner for this file
			    push @{$GLOBAL_SWLIST{"$file"}}, $productInfo;
			}
		    }
		    # not a patch.
		    else {
			# add the product to the list of owners for this file
			push @{$GLOBAL_SWLIST{"$file"}}, $productInfo;
		    }

		}
	    }
	}
	else{
	    # defining GLOBAL_SWLIST in error state.
	    $GLOBAL_SWLIST{"ERROR"} = "ERROR";
	    &B_log("ERROR","Could not execute swlist.  Swmodifys will not be attempted");
	}
    }

    if(exists $GLOBAL_SWLIST{"$file"}){
	return $GLOBAL_SWLIST{"$file"};
    }
    else {
	return undef;
    }
}

###################################################################
#  &B_check_system;
#    This subroutine is called to validate that bastille may be
#    safely run on the current system.  It will check to insure
#    that there is enough file system space, mounts are rw, nfs
#    mounts are not mounted noroot, and swinstall, swremove and
#    swmodify are not running
#
#    uses ErrorLog
#
##################################################################
sub B_check_system {
    # exitFlag is one if a conflict with the successful execution
    # of bastille is found.
    my $exitFlag = 0;

    my $ignoreCheck = &getGlobal("BDIR","config") . "/.no_system_check";
    if( -e $ignoreCheck ) {
	return $exitFlag;
    }

    # first check for swinstall, swmodify, or swremove processes
    my $ps = &getGlobal('BIN',"ps") . " -el";
    my @processTable = `$ps`;
    foreach my $process (@processTable) {
	if($process =~ /swinstall/ ) {
	    &B_log("ERROR","Bastille cannot run while a swinstall is in progress.\n" .
		      "Complete the swinstall operation and then run Bastille.\n\n");
	    $exitFlag = 1;
	}

	if($process =~ /swremove/ ) {
	    &B_log("ERROR","Bastille cannot run while a swremove is in progress.\n" .
		      "Complete the swremove operation and then run Bastille.\n\n");
	    $exitFlag = 1;
	}

	if($process =~ /swmodify/ ) {
	    &B_log("ERROR","Bastille cannot run while a swmodify is in progress.\n" .
		      "Complete the swmodify operation and then run Bastille.\n\n");
	    $exitFlag = 1;
	}

    }

    # check for root read only mounts for /var /etc /stand /
    # Bastille is required to make changes to these file systems.
    my $mount = &getGlobal('BIN',"mount");
    my $rm = &getGlobal('BIN',"rm");
    my $touch = &getGlobal('BIN',"touch");

    my @mnttab = `$mount`;

    if(($? >> 8) != 0) {
	&B_log("WARNING","Unable to use $mount to determine if needed partitions\n" .
		  "are root writable, based on disk mount options.\n" .
		  "Bastille will continue but note that disk\n" .
		  "mount checks were skipped.\n\n");
    }
    else {
	foreach my $record (@mnttab) {
	    my @fields = split /\s+/, $record;
	    if ((defined $fields[0]) && (defined $fields[2]) && (defined $fields[3])) {
		my $mountPoint = $fields[0];
		my $mountType =  $fields[2];
		my $mountOptions = $fields[3];

		# checks for /stand and /var/* removed 
		if($mountPoint =~ /^\/$|^\/etc|^\/var$/) {

		    if($mountOptions =~ /^ro,|,ro,|,ro$/) {
			&B_log("ERROR","$mountPoint is mounted read-only.  Bastille needs to make\n" .
				  "modifications to this file system.  Please remount\n" .
				  "$mountPoint read-write and then run Bastille again.\n\n");
			$exitFlag = 1;
		    }
		    # looking for an nfs mounted file system
		    if($mountType =~/.+:\//){
			my $fileExisted=0;
			if(-e "$mountPoint/.bastille") {
			    $fileExisted=1;
			}

			`$touch $mountPoint/.bastille 1>/dev/null 2>&1`;

			if( (! -e "$mountPoint/.bastille") || (($? >> 8) != 0) ) {
			    &B_log("ERROR","$mountPoint is an nfs mounted file system that does\n" .
				   "not allow root to write to.  Bastille needs to make\n" .
				   "modifications to this file system.  Please remount\n" .
				   "$mountPoint giving root access and then run Bastille\n" .
				   "again.\n\n");

			    $exitFlag = 1;
			}
			# if the file did not exist befor the touch then remove the generated file
			if(! $fileExisted) {
			    `$rm -f $mountPoint/.bastille 1>/dev/null 2>&1`;
			}
		    }
		}
	    }
	    else {
		&B_log("WARNING","Unable to use $mount to determine if needed partitions\n" .
			  "are root writable, based on disk mount options.\n" .
			  "Bastille will continue but note that disk\n" .
			  "mount checks were skipped.\n\n");
	    }
	}

    }

    # checks for enough disk space in directories that Bastille writes to.
    my $bdf = &getGlobal('BIN',"bdf");
    #directories that Bastille writes to => required space in kilobytes.
    my %bastilleDirs = ( "/etc/opt/sec_mgmt/bastille" => "4", "/var/opt/sec_mgmt/bastille"=> "1000");
    for my $directory (sort keys %bastilleDirs) {
	my @diskUsage = `$bdf $directory`;

	if(($? >> 8) != 0) {
	    &B_log("WARNING","Unable to use $bdf to determine disk usage for\n" .
		   "$directory\n" .
		   "Bastille will continue but note that disk\n" .
		   "usage checks were skipped.\n\n");

	}
	else {
	    # removing bdf header line from usage information.
	    shift @diskUsage;
	    my $usageString= "";

	    foreach my $usageRecord (@diskUsage) {
		chomp $usageRecord;
	        $usageString .= $usageRecord;
	    }

	    $usageString =~ s/^\s+//;

	    my @fields = split /\s+/, $usageString;
	    if($#fields != 5) {
		&B_log("WARNING","Unable to use $bdf to determine disk usage for\n" .
		       "$directory\n" .
		       "Bastille will continue but note that disk\n" .
		       "usage checks were skipped.\n\n");
	    }
	    else {

		my $mountPoint = $fields[5];
		my $diskAvail = $fields[3];

		if($diskAvail <= $bastilleDirs{"$directory"}) {
		    &B_log("ERROR","$mountPoint does not contain enough available space\n" .
			      "for Bastille to run properly.  $directory needs\n" .
			      "at least $bastilleDirs{$directory} kilobytes of space.\n" .
			      "Please clear at least that amount of space from\n" .
			      "$mountPoint and run Bastille again.\n" .
			      "Current Free Space available = ${diskAvail} k\n\n");
 		    $exitFlag = 1;
		}
	    }
	}
    }

    # check to make sure that we are in at least run level 2 before we attempt to run
    my $who = &getGlobal('BIN', "who") . " -r";
    my $levelInfo = `$who`;
    if(($? >> 8) != 0 ) {
	&B_log("WARNING","Unable to use \"$who\" to determine system run.\n" .
		  "level Bastille will continue but note that the run\n" .
		  "level check was skipped.\n\n");
    }
    else {
	chomp $levelInfo;
	my @runlevel = split /\s+/, $levelInfo;
	if ((! defined $runlevel[3]) or ($runlevel[3] < 2)) {
	    &B_log("WARNING","Bastille requires a run-level of 2 or more to run properly.\n" .
		      "Please move your system to a higher run level and then\n" .
		      "run 'bastille -b'.\n\n");
	    if(defined $runlevel[3]) {
		&B_log("ERROR","Current run-level is '$runlevel[3]'.\n\n");
		$exitFlag=1;
	    }
	    else {
		&B_log("WARNING","Unable to use \"$who\" to determine system run.\n" .
			  "level Bastille will continue but note that the run\n" .
			  "level check was skipped.\n\n");
	    }
	}
	else {
	    &B_log("DEBUG","System run-level is $runlevel[3]\n");
	}
    }

    if($exitFlag) {
	exit(1);
    }

}

###################################################################
#  &B_swmodify($file);
#    This subroutine is called after a file is modified.  It will
#    redefine the file in the IPD with it's new properties.  If
#    the file is not in the IPD it does nothing.
#
#    uses B_System to make the swmodifications.
##################################################################
sub B_swmodify($){
    my $file = $_[0];
    if(defined &getGlobalSwlist($file)){
	my $swmodify = &getGlobal('BIN',"swmodify");
	my @productsInfo = @{&getGlobalSwlist($file)};
	# running swmodify on files that were altered by this function but
	# were created and maintained by SD
	foreach my $productInfo (@productsInfo) {
	    &B_System("$swmodify -x files='$file' $productInfo",
		      "$swmodify -x files='$file' $productInfo");
	}
    }
}

####################################################################
#  &B_load_ipf_rules($ipfruleset);
#    This function enables an ipfruleset.  It's a little more
#    specific than most API functions, but necessary because
#    ipf doesn't return correct exit codes (syntax error results
#    in a 0 exit code)
#
#   uses ActionLog and ErrorLog to log
#   calls crontab directly (to list and to read in new jobs)
###################################################################
sub B_load_ipf_rules ($) {
   my $ipfruleset=$_[0];

   &B_log("DEBUG","# sub B_load_ipf_rules");

   # TODO: grab ipf.conf dynamically from the rc.config.d files
   my $ipfconf = &getGlobal('FILE','ipf.conf');

   # file system changes - these are straightforward, and the API
   # will take care of the revert
   &B_create_file($ipfconf);
   &B_blank_file($ipfconf, 'a$b');
   &B_append_line($ipfconf, 'a$b', $ipfruleset);

   # runtime changes

   # define binaries
   my $grep = &getGlobal('BIN', 'grep');
   my ($ipf, $ipfstat) = &getIPFLocation;
   # create backup rules
   # This will exit with a non-zero exit code because of the grep
   my @oldrules = `$ipfstat -io 2>&1 | $grep -v empty`;

   my @errors=`$ipf -I -Fa -f $ipfconf 2>&1`;

   if(($? >> 8) == 0) {

      &B_set_rc("IPF_START","1");
      &B_set_rc("IPF_CONF","$ipfconf");

      # swap the rules in
      &B_System("$ipf -s","$ipf -s");

      # now create a "here" document with the previous version of
      # the rules and put it into the revert-actions script
      &B_revert_log("$ipf -I -Fa -f - <<EOF\n@{oldrules}EOF");

      if (@errors) {
        &B_log("ERROR","ipfilter produced the following errors when\n" .
                  "        loading $ipfconf.  You probably had an invalid\n" .
                  "        rule in ". &getGlobal('FILE','customipfrules') ."\n".
                  "@errors\n");
      }

   } else {
     &B_log("ERROR","Unable to run $ipf\n");
   }

}



####################################################################
#  &B_Schedule($pattern,$cronjob);
#    This function schedules a cronjob.  If $pattern exists in the
#    crontab file, that job will be replaced.  Otherwise, the job
#    will be appended.
#
#   uses ActionLog and ErrorLog to log
#   calls crontab directly (to list and to read in new jobs)
###################################################################
sub B_Schedule ($$) {
   my ($pattern,$cronjob)=@_;
   $cronjob .= "\n";

   &B_log("DEBUG","# sub B_Schedule");
   my $crontab = &getGlobal('BIN','crontab');

   my @oldjobs = `$crontab -l 2>/dev/null`;
   my @newjobs;
   my $patternfound=0;

   foreach my $oldjob (@oldjobs) {
       if (($oldjob =~ m/$pattern/ ) and (not($patternfound))) {
	   push @newjobs, $cronjob;
	   $patternfound=1;
	   &B_log("ACTION","changing existing cron job which matches $pattern with\n" .
		  "$cronjob");
       } elsif ($oldjob !~ m/$pattern/ ) {
       	&B_log("ACTION","keeping existing cron job $oldjob");
      	push @newjobs, $oldjob;
       } #implied: else if pattern matches, but we've
          #already replaced one, then toss the others.
   }

   unless ($patternfound) {
     &B_log("ACTION","adding cron job\n$cronjob\n");
     push @newjobs, $cronjob;
   }

   if(open(CRONTAB, "|$crontab - 2> /dev/null")) {
     print CRONTAB @newjobs;

     # now create a "here" document with the previous version of
     # the crontab file and put it into the revert-actions script
     &B_revert_log("$crontab <<EOF\n" . "@oldjobs" . "EOF");
     close CRONTAB;
   }

   # Now check to make sure it happened, since cron will exit happily
   # (retval 0) with no changes if there are any syntax errors
   my @editedjobs = `$crontab -l 2>/dev/null`;

   if (@editedjobs ne @newjobs) {
     &B_log("ERROR","failed to add cron job:\n$cronjob\n" .
               "         You probably had an invalid crontab file to start with.");
   }

}


#This function turns off a service, given a service name defined in HP-UX.service

sub B_ch_rc($) {

    my ($service_name)=@_;

    if (&GetDistro != "^HP-UX") {
       &B_log("ERROR","Tried to call ch_rc $service_name on a non-HP-UX\n".
                 "         system!  Internal Bastille error.");
       return undef;
    }
    my $configfile="";
    my $command = &getGlobal('BIN', 'ch_rc');
    
    my $startup_script=&getGlobal('DIR','initd') . "/". $service_name;
    my @rc_parameters= @{ &getGlobal('SERVICE',$service_name) };
    my @rcFiles=@{ &getGlobal('RCCONFIG',$service_name) };
    my $rcFile='';
    if (@rcFiles == 1){
        $rcFile=$rcFiles[0];
    } else {
        &B_log("FATAL","Multiple RC Files not yet supported... internal error.");
    }
    
    # if the service-related process is not run, and the control variable is stilll 1
    # there is a inconsistency.  in this case we only need to change the control variable
    my @psnames=@{ &getGlobal('PROCESS',$service_name)};
    my @processes;
    foreach my $psname (@psnames) {
        $psname .= '\b'; # avoid embedded match; anchor search pattern to trailing word boundry
        my @procList = &isProcessRunning($psname);
        if(@procList >= 0){
          splice @processes,$#processes+1,0,@procList;
        }
    }
#Actually set the rc variable
  foreach my $rcVariable (@rc_parameters){
    my $orig_value = &B_get_rc($rcVariable);
    if ($orig_value eq "" ) { #If variable not set, used the defined file
        $configfile=&getGlobal("DIR","rc.config.d") . "/" . $rcFile;
        if (not( -f $configfile )) {
            &B_create_file($configfile);
        }
    }
    &B_log("DEBUG","In B_ch_rc (no procs), setting $rcVariable to 0 in $configfile" .
           ", with an original value of $orig_value with rcfile: $rcFile");
    if ( ! @processes) { # IF there are no processes we don't neet to perform a "stop"
            &B_set_rc($rcVariable, "0", $configfile);
    } else {
        if ( $orig_value !~ "1" ) { #If param is not already 1, the "stop" script won't work
            &B_set_rc($rcVariable, "1",$configfile);
        }
        &B_System ($startup_script  . " stop", #stop service, then restart if the user runs bastille -r
                   $startup_script . " start");
        # set parameter, so that service will stay off after reboots
        &B_set_rc($rcVariable, "0", $configfile);
    }
  }
}


# This routine sets a value in a given file
sub B_set_value($$$) {
    my ($param, $value, $file)=@_;

    &B_log("DEBUG","B_set_value: $param, $value, $file");
    if (! -e $file ) {
	&B_create_file("$file");
    }

    # If a value is already set to something other than $value then reset it.
    #Note that though this tests for "$value ="the whole line gets replaced, so
    #any pre-existing values are also replaced.
    &B_replace_line($file,"^$param\\s*=\\s*","$param=$value\n");
    # If the value is not already set to something then set it.
    &B_append_line($file,"^$param\\s*=\\s*$value","$param=$value\n");

}


##################################################################################
# &B_chperm($owner,$group,$mode,$filename(s))
#   This function changes ownership and mode of a list of files. Takes four
#   arguments first the owner next the group and third the new mode in oct and
#   last a list of files that the permissions changes should take affect on.
#
#   uses: &swmodify and &B_revert_log
##################################################################################
sub B_chperm($$$$) {
    my ($newown, $newgrp, $newmode, $file_expr) = @_;
    my @files = glob($file_expr);

    my $return = 1;

    foreach my $file (@files){
	my @filestat = stat $file;
	my $oldmode = (($filestat[2]/512) % 8) .
	    (($filestat[2]/64) % 8) .
		(($filestat[2]/8) % 8) .
		    (($filestat[2]) % 8);

	if((chown $newown, $newgrp, $file) != 1 ){
	    &B_log("ERROR","Could not change ownership of $file to $newown:$newgrp\n");
	    $return = 0;
	}
	else{
	    &B_log("ACTION","Changed ownership of $file to $newown:$newgrp\n");
	    # swmodifying file if possible...
	    &B_swmodify($file);
	    &B_revert_log(&getGlobal('BIN',"chown") . " $filestat[4]:$filestat[5] $file\n");
	}

        my $newmode_formatted=sprintf "%5lo",$newmode;

	if((chmod $newmode, $file) != 1){
	    &B_log("ERROR","Could not change mode of $file to $newmode_formatted\n");
	    $return = 0;
	}
	else{
	    &B_log("ACTION","Changed mode of $file to $newmode_formatted\n");
	    &B_revert_log(&getGlobal('BIN',"chmod") . " $oldmode $file\n");
	}


    }
    return $return;
}

############################################################################
# &B_install_jail($jailname, $jailconfigfile);
# This function takes two arguments ( jail_name, jail_config )
# It's purpose is to take read in config files that define a
# chroot jail and then generate it bases on that specification
############################################################################
sub B_install_jail($$) {

    my $jailName = $_[0];  # Name of the jail e.g bind
    my $jailConfig = $_[1]; # Name of the jails configuration file
    # create the root directory of the jail if it does not exist
    &B_create_dir( &getGlobal('BDIR','jail'));
    &B_chperm(0,0,0555,&getGlobal('BDIR','jail'));

    # create the Jail dir if it does not exist
    &B_create_dir( &getGlobal('BDIR','jail') . "/" . $jailName);
    &B_chperm(0,0,0555,&getGlobal('BDIR','jail') . "/". $jailName);


    my $jailPath = &getGlobal('BDIR','jail') . "/" . $jailName;
    my @lines; # used to store no commented no empty config file lines
    # open configuration file for desired jail and parse in commands
    if(open(JAILCONFIG,"< $jailConfig")) {
	while(my $line=<JAILCONFIG>){
	    if($line !~ /^\s*\#|^\s*$/){
		chomp $line;
		push(@lines,$line);
	    }
	}
        close JAILCONFIG;
    }
    else{
	&B_log("ERROR","Open Failed on filename: $jailConfig\n");
	return 0;
    }
    # read through commands and execute
    foreach my $line (@lines){
        &B_log("ACTION","Install jail: $line\n");
	my @confCmd = split /\s+/,$line;
	if($confCmd[0] =~ /dir/){ # if the command say to add a directory
	    if($#confCmd == 4) { # checking dir Cmd form
		if(! (-d  $jailPath . "/" . $confCmd[1])){
		    #add a directory and change its permissions according
                    #to the conf file
		    &B_create_dir( $jailPath . "/" . $confCmd[1]);
                    &B_chperm((getpwnam($confCmd[3]))[2],
                              (getgrnam($confCmd[4]))[2],
                               oct($confCmd[2]),
                               $jailPath . "/" . $confCmd[1]);
		}
	    }
	    else {
		&B_log("ERROR","Badly Formed Configuration Line:\n$line\n\n");
	    }
	}
	elsif($confCmd[0] =~ /file/) {
	    if($#confCmd == 5) { # checking file cmd form
		if(&B_cp($confCmd[1],$jailPath . "/" . $confCmd[2])){
		    # for copy command cp file and change perms
		    &B_chperm($confCmd[4],$confCmd[5],oct($confCmd[3]),$jailPath . "/" . $confCmd[2]);
		}
		else {
		    &B_log("ERROR","Could not complete copy on specified files:\n" .
			   "$line\n");
		}
	    }
	    else {
		&B_log("ERROR","Badly Formed Configuration Line:\n" .
		       "$line\n\n");
	    }
	}
	elsif($confCmd[0] =~ /slink/) {
	    if($#confCmd == 2) { # checking file cmd form
		if(!(-e $jailPath . "/" . $confCmd[2])){
		    #for symlink command create the symlink
		    &B_symlink($jailPath . "/" . $confCmd[1], $confCmd[2]);
		}
	    }
	    else {
		&B_log("ERROR","Badly Formed Configuration Line:\n" .
		       "$line\n\n");
	    }
	}
	else {
	    &B_log("ERROR","Unrecognized Configuration Line:\n" .
		   "$line\n\n");
	}
    }
    return 1;
}



###########################################################################
#  &B_list_processes($service)                                            #
#                                                                         #
#  This subroutine uses the GLOBAL_PROCESS hash to determine if a         #
#  service's corresponding processes are running on the system.           #
#  If any of the processes are found to be running then the process       #
#  name(s) is/are returned by this subroutine in the form of an list      #
#  If none of the processes that correspond to the service are running    #
#  then an empty list is returned.                                        #
###########################################################################
sub B_list_processes($) {

    # service name
    my $service = $_[0];
    # list of processes related to the service
    my @processes=@{ &getGlobal('PROCESS',$service)};

    # current systems process information
    my $ps = &getGlobal('BIN',"ps");
    my $psTable = `$ps -elf`;

    # the list to be returned from the function
    my @running_processes;

    # for every process associated with the service
    foreach my $process (@processes) {
	# if the process is in the process table then
	if($psTable =~ m/$process/) {
	    # add the process to the list, which will be returned
	    push @running_processes, $process;
	}

    }

    # return the list of running processes
    return @running_processes;

}

#############################################################################
#  &B_list_full_processes($service)                                         #
#                                                                           #
#  This subroutine simply grep through the process table for those matching #
#  the input argument  TODO: Allow B_list process to levereage this code    #
#  ... Not done this cycle to avoid release risk (late in cycle)            #
#############################################################################
sub B_list_full_processes($) {

    # service name
    my $procName = $_[0];
    my $ps = &getGlobal('BIN',"ps");
    my @psTable = split(/\n/,`$ps -elf`);

    # for every process associated with the service
    my @runningProcessLines = grep(/$procName/ , @psTable);
    # return the list of running processes
    return @runningProcessLines;
}

################################################################################
#  &B_deactivate_inetd_service($service);                                      #
#                                                                              #
#  This subroutine will disable all inetd services associated with the input   #
#  service name.  Service name must be a reference to the following hashes     #
#  GLOBAL_SERVICE GLOBAL_SERVTYPE and GLOBAL_PROCESSES.  If processes are left #
#  running it will note these services in the TODO list as well as instruct the#
#  user in how they remaining processes can be disabled.                       #
################################################################################
sub B_deactivate_inetd_service($) {
    my $service = $_[0];
    my $servtype = &getGlobal('SERVTYPE',"$service");
    my $inetd_conf = &getGlobal('FILE',"inetd.conf");

    # check the service type to ensure that it can be configured by this subroutine.
    if($servtype ne 'inet') {
	&B_log("ACTION","The service \"$service\" is not an inet service so it cannot be\n" .
		   "configured by this subroutine\n");
	return 0;
    }

    # check for the inetd configuration files existence so it may be configured by
    # this subroutine.
    if(! -e $inetd_conf ) {
	&B_log("ACTION","The file \"$inetd_conf\" cannot be located.\n" .
		   "Unable to configure inetd\n");
	return 0;
    }

    # list of service identifiers present in inetd.conf file.
    my @inetd_entries = @{ &getGlobal('SERVICE',"$service") };

    foreach my $inetd_entry (@inetd_entries) {
	&B_hash_comment_line($inetd_conf, "^\\s*$inetd_entry");
    }

    # list of processes associated with this service which are still running
    # on the system
    my @running_processes = &B_list_processes($service);

    if($#running_processes >= 0) {
        my $todoString = "\n" .
	                 "---------------------------------------\n" .
	                 "Deactivating Inetd Service: $service\n" .
			 "---------------------------------------\n" .
			 "The following process(es) are associated with the inetd service \"$service\".\n" .
			 "They are most likely associated with a session which was initiated prior to\n" .
			 "running Bastille.  To disable a process see \"kill(1)\" man pages or reboot\n" .
			 "the system\n" .
			 "Active Processes:\n" .
			 "###################################\n";
	foreach my $running_process (@running_processes) {
	    $todoString .= "\t$running_process\n";
	}
	$todoString .= 	 "###################################\n";

	&B_TODO($todoString);
    }

}


################################################################################
# B_get_rc($key);                                                              #
#                                                                              #
#  This subroutine will use the ch_rc binary to get rc.config.d variables      #
#  values properly escaped and quoted.                                         #
################################################################################
sub B_get_rc($) {
    
    my $key=$_[0];
    my $ch_rc = &getGlobal('BIN',"ch_rc");

    # get the current value of the given parameter.
    my $currentValue=`$ch_rc -l -p $key`;
    chomp $currentValue;
    
    if(($? >> 8) == 0 ) {
        # escape all meta characters.
	# $currentValue =~ s/([\"\`\$\\])/\\$1/g; 
        # $currentValue = '"' . $currentValue . '"';
    }
    else {
	return undef;
    }

    return $currentValue;
}



################################################################################
# B_set_rc($key,$value);                                                       #
#                                                                              #
#  This subroutine will use the ch_rc binary to set rc.config.d variables.  As #
#  well as setting the variable this subroutine will set revert strings.       #
#                                                                              #
################################################################################
sub B_set_rc($$;$) {

    my ($key,$value,$configfile)=@_;
    my $ch_rc = &getGlobal('BIN',"ch_rc");

    # get the current value of the given parameter.
    my $currentValue=&B_get_rc($key);
    if(defined $currentValue ) {
        if ($currentValue =~ /^\"(.*)\"$/ ) {
            $currentValue = '"\"' . $1 . '\""';
        }
        if ($value =~ /^\"(.*)\"$/ ) {
            $value = '"\"' . $1 . '\""';
        }
	if ( &B_System("$ch_rc -a -p $key=$value $configfile",
		       "$ch_rc -a -p $key=$currentValue $configfile") ) {
	    #ch_rc success
	    return 1;
	}
	else {
	    #ch_rc failure.
	    return 0;
	}
    }
    else {
	&B_log("ERROR","ch_rc was unable to lookup $key\n");
	return 0;
    }

}


################################################################################
#  &ChrootHPApache($chrootScript,$httpd_conf,$httpd_bin,
#                  $apachectl,$apacheJailDir,$serverString);
#
#     This subroutine given an chroot script, supplied by the vendor, a
#     httpd.conf file, the binary location of httpd, the control script,
#     the jail directory, and the servers identification string, descriptive
#     string for TODO etc.  It makes modifications to httpd.conf so that when
#     Apache starts it will chroot itself into the jail that the above
#     mentions script creates.
#
#     uses B_replace_line B_create_dir B_System B_TODO
#
###############################################################################
sub B_chrootHPapache($$$$$$) {

    my ($chrootScript,$httpd_conf,$httpd_bin,$apachectl,$apacheJailDir,$serverString)= @_;

    my $exportpath = "export PATH=/usr/bin;";
    my $ps = &getGlobal('BIN',"ps");
    my $isRunning = 0;
    my $todo_header = 0;

    # checking for a 2.0 version of the apache chroot script.
    if(-e $chrootScript ) {

	if(open HTTPD, $httpd_conf) {
	    while (my $line = <HTTPD>){
		if($line =~ /^\s*Chroot/) {
		    &B_log("DEBUG","Apache is already running in a chroot as specified by the following line:\n$line\n" .
			   "which appears in the httpd.conf file.  No Apache Chroot action was taken.\n");
		    return;
		}
	    }
	    close(HTTPD);
	}

	if(`$ps -ef` =~ $httpd_bin ) {
	    $isRunning=1;
	    &B_System("$exportpath " . $apachectl . " stop","$exportpath " . $apachectl . " start");
	}
	&B_replace_line($httpd_conf, '^\s*#\s*Chroot' ,
			"Chroot " . $apacheJailDir);
	if(-d &getGlobal('BDIR',"jail")){
	    &B_log("DEBUG","Jail directory already exists. No action taken.\n");
	}
	else{
	    &B_log("ACTION","Jail directory was created.\n");
	    &B_create_dir( &getGlobal('BDIR','jail'));
	}

	if(-d $apacheJailDir){
	    &B_log("DEBUG","$serverString jail already exists. No action taken.\n");
	}
	else{
	    &B_System(&getGlobal('BIN',"umask") . " 022; $exportpath " . $chrootScript,
		      &getGlobal('BIN',"echo") . " \"Your $serverString is now running outside of it's\\n" .
		      "chroot jail.  You must manually migrate your web applications\\n" .
		      "back to your Apache server's httpd.conf defined location(s).\\n".
		      "After you have completed this, feel free to remove the jail directories\\n" .
		      "from your machine.  Your apache jail directory is located in\\n" .
		      &getGlobal('BDIR',"jail") . "\\n\" >> " . &getGlobal('BFILE',"TOREVERT"));

	}
	if($isRunning){
	    &B_System("$exportpath " . $apachectl . " start","$exportpath " . $apachectl . " stop");
	    &B_log("ACTION","$serverString is now running in an chroot jail.\n");
	}

	&B_log("ACTION","The jail is located in " . $apacheJailDir . "\n");

	if ($todo_header !=1){
	    &B_TODO("\n---------------------------------\nApache Chroot:\n" .
		    "---------------------------------\n");
	}
	&B_TODO("$serverString Chroot Jail:\n" .
		"httpd.conf contains the Apache dependencies.  You should\n" .
		"review this file to ensure that the dependencies made it\n" .
		"into the jail.  Otherwise, you run a risk of your Apache server\n" .
		"not having access to all its modules and functionality.\n");


    }

}


sub isSystemTrusted {
        my $getprdef = &getGlobal('BIN',"getprdef");
        my $definition = &B_Backtick("$getprdef -t 2>&1");
        if($definition =~ "System is not trusted.") {
            return 0;
        } else {
            return 1;
        }
}


sub isTrustedMigrationAvailable {
    my $distroVersion='';

    if (&GetDistro =~ '^HP-UX11.(\d*)') {
	$distroVersion=$1;
	if ($distroVersion < 23) { # Not available before 11.23
	    return 0; #FALSE
	} elsif ($distroVersion >= 31) { #Bundled with 11.31 and after
	    &B_log('DEBUG','isTrustedMigrationAvailable: HP-UX 11.31 always has trusted mode extensions');
	    return 1;
	} elsif ($distroVersion == 23) { # Optional on 11.23 if filesets installed
	    if ( -x &getGlobal('BIN',"userdbget") ) {
		&B_log('DEBUG','isTrustedMigrationAvailable: Trusted Extensions Installed');
		return 1;
	    } else {
		&B_log('DEBUG','isTrustedMigrationAvailable: Trusted Extensions Not Installed');
		return 0; #FALSE
	    }
	} else {
	    &B_log('DEBUG','isTrustedMigrationAvailable: ' . &GetDistro .
		   ' not currently supported for trusted extentions.');
	    return 0; #FALSE
	}
    } else {
	&B_log('WARNING','isTrustedMigrationAvailable: HP-UX routine called on Linux system');
	return 0; #FALSE
    }
}



###########################################################################
# &checkServiceOnHPUX($service);
#
# Checks if the given service is running on an HP/UX system.  This is
# called by B_is_Service_Off(), which is the function that Bastille
# modules should call.
#
# Return values:
# NOTSECURE_CAN_CHANGE() if the service is on
# SECURE_CANT_CHANGE() if the service is off
# INCONSISTENT() if the state of the service cannot be determined
# NOT_INSTALLED() if the s/w isn't insalled
#
###########################################################################
sub checkServiceOnHPUX($) {
  my $service=$_[0];

  # get the list of parameters which could be used to initiate the service
  # (could be in /etc/rc.config.d, /etc/inetd.conf, or /etc/inittab, so we
  # check all of them)
  my @params= @{ &getGlobal('SERVICE',$service) };
  my $grep =&getGlobal('BIN', 'grep');
  my $inetd=&getGlobal('FILE', 'inetd.conf');
  my $inittab=&getGlobal('FILE', 'inittab');
  my $retVals;
  my $startup=&getGlobal('DIR','initd') ;
  my @inet_bins= @{ &getGlobal('PROCESS',$service) };
  
  my $entry_found = 0;

  &B_log("DEBUG","CheckHPUXservice: $service");
  my $full_initd_path = $startup . "/" . $service;
  if ($GLOBAL_SERVTYPE{$service} eq "rc") { # look for the init script in /sbin/init.d
    if (not(-e $full_initd_path )) {
        return NOT_INSTALLED();
    }
  } else { #inet-based service, so look for inetd.conf entries.
    &B_log("DEBUG","Checking inet service $service");
    my @inet_entries= @{ &getGlobal('SERVICE',$service) };
    foreach my $service (@inet_entries) {
        &B_log('DEBUG',"Checking for inetd.conf entry of $service in checkService on HPUX");
        my $service_regex = '^[#\s]*' . $service . '\s+';
        if ( &B_match_line($inetd, $service_regex) ) { # inet entry search
            &B_log('DEBUG',"$service present, entry exists");
            $entry_found = 1 ;
        }
    }
    if ($entry_found == 0 ) {
       return NOT_INSTALLED();
    }
  }

 foreach my $param (@params) {
    &B_log("DEBUG","Checking to see if service $service is off.\n");
    if (&getGlobal('SERVTYPE', $service) =~ /rc/) {
      my $ch_rc=&getGlobal('BIN', 'ch_rc');
      my $on=&B_Backtick("$ch_rc -l -p $param");

      $on =~ s/\s*\#.*$//; # remove end-of-line comments
      $on =~ s/^\s*\"(.+)\"\s*$/$1/; # remove surrounding double quotes
      $on =~ s/^\s*\'(.+)\'\s*$/$1/; # remove surrounding single quotes
      $on =~ s/^\s*\"(.+)\"\s*$/$1/; # just in case someone did '"blah blah"'

      chomp $on;
      &B_log("DEBUG","ch_rc returned: $param=$on in checkServiceOnHPUX");

      if ($on =~ /^\d+$/ && $on != 0) {
        # service is on
        &B_log("DEBUG","CheckService found $param service is set to \'on\' in scripts.");
        return NOTSECURE_CAN_CHANGE();
      }
      elsif($on =~ /^\s*$/) {
        # if the value returned is an empty string return
        # INCONSISTENT(), since we don't know what the hard-coded default is.
        return INCONSISTENT();
      }
    } else {
      # those files which rely on comments to determine what gets
      # turned on, such as inetd.conf and inittab
      my $inettabs=&B_Backtick("$grep -e '^[[:space:]]*$param' $inetd $inittab");
      if ($inettabs =~ /.+/) {  # . matches anything except newlines
        # service is not off
        &B_log("DEBUG","Checking inetd.conf and inittab; found $inettabs");
        ###########################   BREAK out, don't skip question
        return NOTSECURE_CAN_CHANGE();
      }
    }
  } # foreach $param

  # boot-time parameters are not set; check processes
  # checkprocs for services returns INCONSISTENT() if a service is found
  # since a found-service is inconsistent with the above checks.
  B_log("DEBUG","Boot-Parameters not set, checking processes.");
  if (&runlevel < 2) { # Below runlevel 2, it is unlikely that
                      #services will be running, so just check "on-disk" state
    &B_log("NOTE","Running during boot sequence, so skipping process checks");
    return SECURE_CANT_CHANGE();
  } else {
    return &checkProcsForService($service);
  }
}

sub runlevel {
    my $who = &getGlobal("BIN", "who");
    my $runlevel = &B_Backtick("$who -r");
    if ($runlevel =~ s/.* run-level (\S).*/$1/) {
        &B_log("DEBUG","Runlevel is: $runlevel");
        return $runlevel;
    } else {
        &B_log("WARNING","Can not determine runlevel, assuming runlevel 3");
        &B_log("DEBUG","Runlevel command output: $runlevel");
        return "3"; #safer since the who command didn't work, we'll assume
                # runlevel 3 since that provides more checks.
    }
}

#
# given a profile file, it will return a PATH array set by the file.
#
sub B_get_path($) {
    my $file = $_[0];
    my $sh = &getGlobal("BIN", "sh");
    # use (``)[0] is becuase, signal 0 maybe trapped which will produce some stdout
    my $path = (`$sh -c '. $file 1>/dev/null 2>&1 < /dev/null ;  echo \$PATH'`)[0];
    my @path_arr = split(":", $path);
    my %tmp_path;
    my %path;
    for my $tmpdir (@path_arr) {
        chomp $tmpdir;
        if ($tmpdir ne ""  && ! $tmp_path{$tmpdir}) {
            $tmp_path{$tmpdir}++;
        }
    }
    return keys %tmp_path;
}

# Convert to trusted mode if it's not already
sub convertToTrusted {
   &B_log("DEBUG","# sub convertToTrusted \n");
   if( ! &isSystemTrusted) {

      my ($ok, $message) = &isOKtoConvert;

      my $ts_header="\n---------------------------------\nTrusted Systems:\n" .
                    "---------------------------------\n";

      if ($ok) {
	# actually do the conversion
        if(&B_System(&getGlobal('BIN','tsconvert'), &getGlobal('BIN','tsconvert') . " -r")){
	  # adjust change times for user passwords to keep them valid
	  # default is to expire them when converting to a trusted system,
	  # which can be problematic, especially since some older versions of
	  # SecureShell do not allow the user to change the password
	  &B_System(&getGlobal('BIN','modprpw') . " -V", "");

	  my $getprdef = &getGlobal('BIN','getprdef');
	  my $oldsettings = &B_Backtick("$getprdef -m lftm,exptm,mintm,expwarn,umaxlntr");
	  $oldsettings =~ s/ //g;

	  # remove password lifetime and increasing login tries so they
	  # don't lock themselves out of the system entirely.
	  # set default expiration time and the like.
	  my $newsettings="lftm=0,exptm=0,mintm=0,expwarn=0,umaxlntr=10";

	  &B_System(&getGlobal('BIN','modprdef') . " -m $newsettings",
		    &getGlobal('BIN','modprdef') . " -m $oldsettings");

          &B_TODO($ts_header .
                  "Your system has been converted to a trusted system.\n" .
                  "You should review the security settings available on a trusted system.\n".
                  "$message");

          # to get rid of "Cron: Your job did not contain a valid audit ID."
          # error, we re-read the crontab file after converting to trusted mode
          # Nothing is necessary in "revert" since we won't be in trusted mode
          # at that time.
          # crontab's errors can be spurious, and this will report an 'error'
          # of the crontab file is missing, so we send stderr to the bit bucket
          my $crontab = &getGlobal('BIN',"crontab");
	  &B_System("$crontab -l 2>/dev/null | $crontab","");
        }

      } else {
          &B_TODO($ts_header . $message);
          return 0; # not ok to convert, so we didn't
      }
   }
   else {
      &B_log("DEBUG","System is already in trusted mode, no action taken.\n");
      return 1;
   }

   # just to make sure
   if( &isSystemTrusted ) {
      return 1;
   } else {
      &B_log("ERROR","Trusted system conversion was unsuccessful for an unknown reason.\n" .
                "         You may try using SAM/SMH to do the conversion instead of Bastille.\n");
      return 0;
   }
}

# isOKtoConvert - check for conflicts between current system state and trusted
# mode
#
# Return values
# 0 - conflict found, see message for details
# 1 - no conflicts, see message for further instructions
#
sub isOKtoConvert {
    &B_log("DEBUG","# sub isOKtoConvert \n");
    # initialize text for TODO instructions
    my $specialinstructions="  - convert to trusted mode\n";

    # These are somewhat out-of-place, but only affect the text of the message.
    # Each of these messages is repeated in a separate TODO item in the
    # appropriate subroutine.
    if (&getGlobalConfig("AccountSecurity","single_user_password") eq "Y") {
	if (&GetDistro =~ "^HP-UX11.(.*)" and $1<23 ) {
	    $specialinstructions .= "  - set a single user password\n";
	}
    }

    if (&getGlobalConfig("AccountSecurity","passwordpolicies") eq "Y") {
	    $specialinstructions .= "  - set trusted mode password policies\n";
    }

    if (&getGlobalConfig("AccountSecurity", "PASSWORD_HISTORY_DEPTHyn") eq "Y") {
       $specialinstructions .= "  - set a password history depth\n";
    }

    if (&getGlobalConfig("AccountSecurity","system_auditing") eq "Y") {
       $specialinstructions .= "  - enable auditing\n";
    }

    my $saminstructions=
	   "The security settings can be modified by running SAM as follows:\n" .
	   "# sam\n" .
	   "Next, go to the \"Auditing and Security Area\" and review\n" .
	   "each sub-section.  Make sure that you review all of your\n" .
	   "settings, as some policies may seem restrictive.\n\n" .
           "On systems using the System Management Homepage, you can\n".
           "change your settings via the Tools:Security Attributes Configuration\n".
           "section.  On some systems, you may also have the option of using SMH.\n\n";

    # First, check for possible conflicts and corner cases

    # check nsswitch for possible conflicts
    my $nsswitch = &getGlobal('FILE', 'nsswitch.conf');
    if ( -e $nsswitch) {
        open(FILE, $nsswitch);
        while (<FILE>) {
            if (/nis/ or /compat/ or /ldap/) {
              my $message = "Bastille found a possible conflict between trusted mode and\n" .
		            "$nsswitch.  Please remove all references to\n" .
                            "\"compat\", \"nis\" and \"ldap\" in $nsswitch\n" .
                            "and rerun Bastille, or use SAM/SMH to\n" .
                            "$specialinstructions\n".
                            "$saminstructions";
              close(FILE);
	      return (0,$message);
            }
        }
        close(FILE);
    }

    # check the namesvrs config file for possible NIS conflicts
    #Changed to unless "Y AND Y" since question can be skipped when nis is off
    # but corner cases can still exist, so check then too.
    unless ( &getGlobalConfig('MiscellaneousDaemons','nis_client') eq "Y" and
         &getGlobalConfig('MiscellaneousDaemons','nis_server') eq "Y" ) {
	my $namesvrs = &getGlobal('FILE', 'namesvrs');
	if (open(FILE, $namesvrs)) {
	    while (<FILE>) {
		if (/^NIS.*=["]?1["]?$/) {
		    my $message= "Possible conflict between trusted mode and NIS found.\n".
			"Please use SAM/SMH to\n" .
			"  - turn off NIS\n" .
			"$specialinstructions\n".
			"$saminstructions";
		    close(FILE);
		    return (0,$message);
		}
	    }
	    close(FILE);
	} else {
            &B_log("ERROR","Unable to open $namesvrs for reading.");
            my $message= "Possible conflict between trusted mode and NIS found.\n".
		"Please use SAM/SMH to\n" .
		"  - turn off NIS\n" .
		"$specialinstructions\n".
		"$saminstructions";
	    return (0,$message);
	}
	if ( &B_match_line (&getGlobal("FILE","passwd"),"^\+:.*")) {
	    my $message= '"+" entry found in passwd file.  These are not\n' .
	    "compatible with Trusted Mode.  Either remove the entries\n" .
	    "and re-run Bastille, or re-run Bastille, and direct it to\n" .
	    "disable NIS client and server.\n";
	    return (0,$message);
	    }

    }


    # check for conflicts with DCE integrated login
    my $authcmd = &getGlobal('BIN','auth.adm');
    if ( -e $authcmd ) {
         my $retval = system("PATH=/usr/bin $authcmd -q 1>/dev/null 2>&1");
         if ($retval != 0 and $retval != 1) {
             my $message="It appears that DCE integrated login is configured on this system.\n" .
		      "DCE integrated login is incompatible with trusted systems and\n" .
		      "auditing.  Bastille is unable to\n" .
		      "$specialinstructions" .
		      "You will need to configure auditing and password policies using DCE.\n\n";
	     return (0,$message);
         }
    }

    if ( -e &getGlobal('FILE','shadow') ) {
       my $message="This system has already been converted to shadow passwords.\n" .
                   "Shadow passwords are incompatible with trusted mode.\n" .
		   "Bastille is unable to\n" .
		   "$specialinstructions" .
                   "If you desire these features, you should use\n".
                   "\'pwunconv\' to change back to standard passwords,\n".
                   "and then rerun Bastille.\n\n";
       return (0,$message);
   }

    return (1,$saminstructions);
}

# This routine allows Bastille to determine trusted-mode extension availability

sub convertToShadow {

        if (&isSystemTrusted) {
            # This is an internal error...Bastille should not call this routine
            # in this case.  Error is here for robustness against future changes.
            &B_log("ERROR","This system is already converted to trusted mode.\n" .
                      "         Converting to shadow passwords will not be attempted.\n");
            return 0;
        }

	# configuration files on which shadowed passwords depend
        my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf");

	# binaries used to convert to a shadowed password
	my $pwconv = &getGlobal('BIN',"pwconv");
	my $echo = &getGlobal('BIN','echo'); # the echo is used to pipe a yes into the pwconv program as
	                                     # pwconv requires user interaction.

	# the binary used in a system revert.
	my $pwunconv = &getGlobal('BIN',"pwunconv");
	#check the password file for nis usage and if the nis client
	#or server is running.
	if(-e $nsswitch_conf) {
	    # check the file for nis, nis+, compat, or dce usage.
	    if(&B_match_line($nsswitch_conf, '^\s*passwd:.+(nis|nisplus|dce|compat)')) {
		my $shadowTODO = "\n---------------------------------\nHide encrypted passwords:\n" .
		                 "---------------------------------\n" .
		                 "This version of password shadowing does not support any repository other\n" .
		                 "than files. In order to convert your password database to shadowed passwords\n" .
				 "there can be no mention of nis, nisplus, compat, or dce in the passwd\n" .
				 "field of the \"$nsswitch_conf\" file.  Please make the necessary edits to\n" .
				 "the $nsswitch_conf file and run Bastille again using the command:\n" .
				 "\"bastille -b\"\n";
		# Adding the shadowTODO comment to the TODO list.
		&B_TODO("$shadowTODO");
		# Notifing the user that the shadowed password coversion has failed.
		&B_log("ERROR","Password Shadowing Conversion Failed\n" .
			  "$shadowTODO");
		# exiting the subroutine.
		return 0;
	    }

	}

	# convert the password file to a shadowed repository.
        if (( -e $pwconv ) and ( -e $pwunconv ) and
            ( &B_System("$echo \"yes\" | $pwconv","$pwunconv") ) ){
	    &B_TODO( "\n---------------------------------\nShadowing Password File:\n" .
		     "---------------------------------\n" .
		     "Your password file has been converted to use password shadowing.\n" .
		     "This version of password shadowing does not support any repository other\n" .
		     "than files. There can be no mention of nis, nisplus, compat, or dce\n" .
		     "in the passwd field of the \"$nsswitch_conf\" file.\n\n" );
	} else {
            &B_log("ERROR","Conversion to shadow mode failed.  The system may require ".
                   "a patch to be capable of switching to shadow mode, or the ".
                   "system my be in a state where conversion is not possible.");
        }
}



##########################################################################
# &getSupportedSettings();
# Manipulates %trustedParameter and %isSupportedSetting, file-scoped variables
#
# Reads the password policy support matrix, which in-turn gives Bastille the
# places it should look for a given password policy setting.

# Note the file was created like this so if could be maintained in an Excel(tm)
# spreadsheet, to optimize reviewability.  TODO: consider other formats

#  File Format:
#  HEADERS:<comment>,[<OS Version> <Mode> <Extensions>,]...
#  [
#  :<label>:<trusted equivalent>,,,,,,,,,,,,<comment>
#  <action> (comment), [<test value>,]...
#  ] ...
# Example;
# HEADERS:Information Source (trusted equiv),11.11 Standard no-SMSE,11.11 Trusted no-SMSE,11.11 Shadow no-SMSE,11.23 Standard no-SMSE,11.23 Trusted no-SMSE,11.23 Shadow no-SMSE,11.23 Standard SMSE,11.23 Shadow SMSE,11.23 Trusted SMSE,11.31 Trusted SMSE,11.31 Shadow SMSE,11.31 Standard SMSE,Other Exceptions
#:ABORT_LOGIN_ON_MISSING_HOMEDIR,,,,,,,,,,,,,root
#/etc/security.dsc (search),x,,xx,x,x,x,!,!,!,!,!,!,
#/etc/default/security(search),y,y,y,y,y,y,y,y,y,y,y,y,
#getprdef (execute with <Trusted Equiv> argument),x,x,x,x,x,x,x,x,x,x,x,x,

###########################################################################
our %trustedParameter = ();
our %isSupportedSetting = ();

sub getSupportedSettings() {

    my $line; # For a config file line
    my $linecount = 0;
    my $currentsetting = "";
    my @fields; # Fields in a given line
    my @columns; #Column Definitions


    &B_open(*SETTINGSFILE,&getGlobal('BFILE','AccountSecSupport'));
    my @settingLines=<SETTINGSFILE>;
    &B_close(*SETTINGSFILE);

    #Remove blank-lines and comments
    @settingLines = grep(!/^#/,@settingLines);
    @settingLines = grep(!/^(\s*,+)*$/,@settingLines);

    foreach $line (@settingLines) {
	++$linecount;
	@fields = split(/,/,$line);
	if ($line =~ /^Information Source:/) { #Sets up colums
	    my $fieldcount = 1; #Skipping first field
	    while ((defined($fields[$fieldcount])) and
                   ($fields[$fieldcount] =~ /\d+\.\d+/)){
		my @subfields = split(/ /,$fields[$fieldcount]);
                my $fieldsCount = @subfields;
                if ($fieldsCount != 3){
                    &B_log("ERROR","Invalid subfield count: $fieldsCount in:".
                           &getGlobal('BFILE','AccountSecSupport') .
                           " line: $linecount and field: $fieldcount");
                }
		$columns[$fieldcount] = {OSVersion => $subfields[0],
                                         Mode => $subfields[1],
                                         Extension => $subfields[2] };
                &B_log("DEBUG","Found Header Column, $columns[$fieldcount]{'OSVersion'}, ".
                       $columns[$fieldcount]{'Mode'} ." , " .
                       $columns[$fieldcount]{'Extension'});
		++$fieldcount;
		}                                      # New Account Seting ex:
	} elsif ($line =~ /^:([^,:]+)(?::([^,]+))?/) { # :PASSWORD_WARNDAYS:expwarn,,,,,,,,,,,,
	    $currentsetting = $1;
	    if (defined($2)) {
		$trustedParameter{"$currentsetting"}=$2;
	    }
            &B_log("DEBUG","Found Current Setting: ". $currentsetting .
                   "/" . $trustedParameter{"$currentsetting"});
	} elsif (($line =~ /(^[^, :\)\(]+)[^,]*,((?:(?:[!y?nx]|!!),)+)/) and #normal line w/ in setting ex:
		 ($currentsetting ne "")){ # security.dsc (search),x,x,x,x,x,!,!!,!,!,!,!,
	    my $placeToLook = $1;
	    my $fieldcount = 1; #Skip the first one, which we used in last line
	    while (defined($fields[$fieldcount])) {
		&B_log("DEBUG","Setting $currentsetting : $columns[$fieldcount]{OSVersion} , ".
		       "$columns[$fieldcount]{Mode} , ".
		       "$columns[$fieldcount]{Extension} , ".
		       "$placeToLook, to $fields[$fieldcount]");
		$isSupportedSetting{"$currentsetting"}
		    {"$columns[$fieldcount]{OSVersion}"}
		    {"$columns[$fieldcount]{Mode}"}
		    {"$columns[$fieldcount]{Extension}"}
		    {"$placeToLook"} =
		    $fields[$fieldcount];
                    ++$fieldcount;
	    }
	} else {
	    if ($line !~ /^,*/) {
                &B_log("ERROR","Incorrectly Formatted Line at ".
                       &getGlobal('BFILE','AccountSecSupport') . ": $linecount");
            }
	}
    }
}

##########################################################################
# &B_get_sec_value($param);
# This subroutine finds the value for a given user policy parameter.
# Specifically, it supports the parameters listed in the internal data structure

# Return values:
# 'Not Defined' if the value is not present or not uniquely defined.
# $value if the value is present and unique
#
###########################################################################
sub B_get_sec_value($) {
    my $param=$_[0];

    my $os_version;
    if (&GetDistro =~ /^HP-UX\D*(\d+\.\d+)/ ){
	$os_version=$1;
    } else {
	&B_log("ERROR","B_get_sec_value only supported on HP-UX");
	return undef;
    }
#    my $sec_dsc =  &getGlobal('FILE', 'security.dsc');
    my $sec_file = &getGlobal('FILE', 'security');
    my $getprdef = &getGlobal('BIN','getprdef');
    my $getprpw = &getGlobal('BIN','getprpw');
    my $userdbget = &getGlobal('BIN','userdbget');
    my $passwd = &getGlobal('BIN','passwd');

    my $sec_flags = "";
    my @sec_settings=();
    my $user_sec_setting="";

    my $security_mode="Standard";
    my $security_extension="no-SMSE";

    &B_log("DEBUG","Entering get_sec_value for: $param");

    sub isok ($) { # Locally-scoped subroutine, takes supported-matrix entry as argument
	my $supportedMatrixEntry = $_[0];

	if ($supportedMatrixEntry =~ /!/) { #Matrix Entry for "Documented and/or tested"
           &B_log("DEBUG","isOk TRUE: $supportedMatrixEntry");
	    return 1;
	} else {
            &B_log("DEBUG","isOk FALSE: $supportedMatrixEntry");
	    return 0; #FALSE
	}
    } #end local subroutine

    #Get Top Array item non-destructively
    sub getTop (@) {
        my @incomingArray = @_;
        my $topval = pop(@incomingArray);
        push(@incomingArray,$topval); #Probably redundant, but left in just in case.
        return $topval;
    }

    sub ifExistsPushOnSecSettings($$) {
        my $sec_settings = $_[0];
        my $pushval = $_[1];

        if ($pushval ne ""){
            push (@$sec_settings, $pushval);
        }
    }

    #prpw and prdef both use "YES" instead of "1" like the other settings.
    sub normalizePolicy($){
        my $setting = $_[0];

        $setting =~ s/YES/1/;
        $setting =~ s/NO/1/;

        return $setting;
    }



    if ((%trustedParameter == ()) or (%isSupportedSetting == ())) {
	# Manipulates %trustedParameter and %isSupportedSetting
	&getSupportedSettings;
    }

    #First determine the security mode
    my $shadowFile = &getGlobal("FILE","shadow");
    my $passwdFile = &getGlobal("FILE","passwd");

    if (&isSystemTrusted) {
	$security_mode = 'Trusted';
    } elsif ((-e $shadowFile) and #check file exist, and that passwd has no non-"locked" accounts
             (not(&B_match_line($passwdFile,'^[^\:]+:[^:]*[^:*x]')))) {
	    $security_mode = 'Shadow';
    } else {
	$security_mode = 'Standard';
    }
    if (&isTrustedMigrationAvailable) {
	$security_extension = 'SMSE';
	} else {
	$security_extension = 'no-SMSE';
    }
    &B_log("DEBUG","Security mode: $security_mode extension: $security_extension");
    # Now look up the value from each applicable database, from highest precedence
    # to lowest:
    &B_log("DEBUG","Checking $param in userdbget");
    if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
              {$security_extension}{"userdbget_-a"})) {
	&ifExistsPushOnSecSettings(\@sec_settings,
                                   &B_getValueFromString('\w+\s+\w+=(\S+)',
                                                         &B_Backtick("$userdbget -a $param")));
        &B_log("DEBUG", $param . ":userdbget setting: ". &getTop(@sec_settings));
    }
    &B_log("DEBUG","Checking $param in passwd");
    if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
              {$security_extension}{"passwd_-sa"})) {
	if ($param eq "PASSWORD_MINDAYS") {
	    &ifExistsPushOnSecSettings(\@sec_settings,
                                       &B_getValueFromString('(?:\w+\s+){2}[\d\/]+\s+(\d+)\s+\d+',
                                                             &B_Backtick("$passwd -s -a")));
	} elsif ($param eq "PASSWORD_MAXDAYS") {
	    &ifExistsPushOnSecSettings(\@sec_settings,
                                       &B_getValueFromString('(?:\w+\s+){2}[\d\/]+\s+\d+\s+(\d+)',
                                                             &B_Backtick("$passwd -s -a")));
	} elsif ($param eq "PASSWORD_WARNDAYS") {
	    &ifExistsPushOnSecSettings(\@sec_settings,
                                       &B_getValueFromString('(?:\w+\s+){2}[\d\/]+(?:\s+\d+){2}\s+(\d+)',
                                                             &B_Backtick("$passwd -s -a")));
	}
        &B_log("DEBUG", $param . ":passwd -sa setting: ". &getTop(@sec_settings));
    }
    &B_log("DEBUG","Checking $param in get prpw");
    if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
              {$security_extension}{"getprpw"})) {
        my $logins = &getGlobal("BIN","logins");
	my @userArray = split(/\n/,`$logins`);
	my $userParamVals = '';
	foreach my $rawuser (@userArray) {
            $rawuser =~ /^(\S+)/;
	    my $user = $1;
            my $nextParamVal=&B_Backtick("$getprpw -l -m $trustedParameter{$param} $user");
            $nextParamVal =~ s/\w*=(-*[\w\d]*)/$1/;
	    if ($nextParamVal != -1) { #Don't count users for which the local DB is undefined
                $userParamVals .= $user . "::::" . $nextParamVal ."\n";
            }
	} #Note getValueFromStrings deals with duplicates, returning "Not Unigue"
        my $policySetting = &B_getValueFromString('::::(\S+)',"$userParamVals");
	&ifExistsPushOnSecSettings (\@sec_settings, &normalizePolicy($policySetting));
        &B_log("DEBUG", $param . ":prpw setting: ". &getTop(@sec_settings));
    }
    &B_log("DEBUG","Checking $param in get prdef");
    if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
              {$security_extension}{"getprdef"})) {
	$_ = &B_Backtick ("$getprdef -m " . $trustedParameter{$param});
	/\S+=(\S+)/;
        my $policySetting = $1;
	&ifExistsPushOnSecSettings(\@sec_settings, &normalizePolicy($policySetting));
        &B_log("DEBUG", $param . ":prdef setting: ". &getTop(@sec_settings));

    }
    &B_log("DEBUG","Checking $param in default security");
    if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
              {$security_extension}{"/etc/default/security"})) {
	&ifExistsPushOnSecSettings(\@sec_settings,&B_getValueFromFile('^\s*'. $param .
                                               '\s*=\s*([^\s#]+)\s*$', $sec_file));
        &B_log("DEBUG", $param . ":default setting: ". &getTop(@sec_settings));
    }
    #Commented below code in 3.0 release to avoid implication that bastille
    #had ever set these values explicitly, and the implications to runnable
    #config files where Bastille would then apply the defaults as actual policy
    #with possible conversion to shadow or similar side-effect.

#    &B_log("DEBUG","Checking $param in security.dsc");
    #security.dsc, only added in if valid for OS/mode/Extension, and nothing else
    #is defined (ie: @sec_settings=0)
#    if ((&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
#              {$security_extension}{"/etc/security.dsc"})) and (@sec_settings == 0)) {
#	&ifExistsPushOnSecSettings(\@sec_settings, &B_getValueFromFile('^' . $param .
#                                                ';(?:[-\w/]*;){2}([-\w/]+);', $sec_dsc));
#        &B_log("DEBUG", $param . ":security.dsc: ". &getTop(@sec_settings));
#    }

    # Return what we found
    my $last_setting=undef;
    my $current_setting=undef;
    while (@sec_settings > 0) {
	$current_setting = pop(@sec_settings);
        &B_log("DEBUG","Comparing $param configuration for identity: " .
               $current_setting);
	if ((defined($current_setting)) and ($current_setting ne '')) {
	    if (not(defined($last_setting))){
		$last_setting=$current_setting;
	    } elsif (($last_setting ne $current_setting) or
                     ($current_setting eq 'Not Unique')){
                &B_log("DEBUG","$param setting not unique.");
		return 'Not Unique';  # Inconsistent state found, return 'Not Unique'
	    }
	}
    }
    if ((not(defined($last_setting))) or ($last_setting eq '')) {
        return undef;
    } else {
        return $last_setting;
    }

} #End B_get_sec_value

sub secureIfNoNameService($){
    my $retval = $_[0];
    
    if (&isUsingRemoteNameService) {
        return MANUAL();
    } else {
        return $retval;
    }
}

#Specifically for cleartext protocols like NIS, which are not "secure"
sub isUsingRemoteNameService(){
    
    if (&remoteServiceCheck('nis|nisplus|dce') == SECURE_CAN_CHANGE()){
        return 0; #false
    } else {
        return 1;
    }
}



###########################################
## This is a wrapper for two functions that
## test the existence of nis-like configurations
## It is used by both the front end test and the back-end run
##############################################
sub remoteServiceCheck($){
        my $regex = $_[0];
        
        my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf");
        my $passwd = &getGlobal('FILE',"passwd");
        
        # check the file for nis usage.
        if (-e $nsswitch_conf) {
            if (&B_match_line($nsswitch_conf, '^\s*passwd:.*('. $regex . ')')) {
                    return NOTSECURE_CAN_CHANGE();
            } elsif ((&B_match_line($nsswitch_conf, '^\s*passwd:.*(compat)')) and
            (&B_match_line($passwd, '^\s*\+'))) {
                    return NOTSECURE_CAN_CHANGE(); # true
            }
        } elsif ((&B_match_line($passwd, '^\s*\+'))) {
                return NOTSECURE_CAN_CHANGE();
        }
        
        my $oldnisdomain=&B_get_rc("NIS_DOMAIN");
        if ((($oldnisdomain eq "") or ($oldnisdomain eq '""')) and (&checkServiceOnHPUX('nis.client'))){
            return SECURE_CAN_CHANGE();
        }
        return NOTSECURE_CAN_CHANGE();
}

#############################################
# remoteNISPlusServiceCheck
# test the existence of nis+ configuration
#############################################
sub remoteNISPlusServiceCheck () {

    my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf");

    # check the file for nis+ usage.
    if (-e $nsswitch_conf) {
        if (&B_match_line($nsswitch_conf, 'nisplus')) {
            return NOTSECURE_CAN_CHANGE();
        }
    }

    return &checkServiceOnHPUX('nisp.client');
}


##########################################################################
# This subroutine creates nsswitch.conf file if the file not exists,
# and then append serveral services into the file if the service not
# exists in the file.
##########################################################################
sub B_create_nsswitch_file ($) {
    my $regex = $_[0];

    my $nsswitch = &getGlobal('FILE',"nsswitch.conf");

    if( ! -f $nsswitch ) {
        &B_create_file($nsswitch);
        # we don't need to revert the permissions change because we just
        # created the file
        chmod(0444, $nsswitch);

        &B_append_line($nsswitch,'\s*passwd:', "passwd:       $regex\n");
        &B_append_line($nsswitch,'\s*group:', "group:        $regex\n");
        &B_append_line($nsswitch,'\s*hosts:', "hosts:        $regex\n");
        &B_append_line($nsswitch,'\s*networks:', "networks:     $regex\n");
        &B_append_line($nsswitch,'\s*protocols:', "protocols:    $regex\n");
        &B_append_line($nsswitch,'\s*rpc:', "rpc:          $regex\n");
        &B_append_line($nsswitch,'\s*publickey:', "publickey:    $regex\n");
        &B_append_line($nsswitch,'\s*netgroup:', "netgroup:     $regex\n");
        &B_append_line($nsswitch,'\s*automount:', "automount:    $regex\n");
        &B_append_line($nsswitch,'\s*aliases:', "aliases:      $regex\n");
        &B_append_line($nsswitch,'\s*services:', "services:     $regex\n");
    }
}

1;