[Bastille-linux-discuss] TCP Wrappers weakened stance?
This tool locks down Linux and UNIX systems.
From: Jay B. <ja...@ba...> - 2004-10-27 10:35:14
Bastille's "big red button" revert functionality, accessed with the bastille -r command, was originally created simply to decrease the amount of support e-mail we got from users who had all but locked themselves out of their systems. Users who needed this had generally shot themselves in the foot by answering all the questions Yes instead of reading the questions and/or explanation text. One of the more popular foot-shooting implements has been our default-deny TCP wrappers question. Many a user has had Bastille configure a default-deny stance there, but not gone back to hand-edit the file to add more content. This has been especially dangerous for a small number of users who don't have any physical access to the system, who then e-mail me asking how they can fix their system remotely without being able to log in. We've dodged major e-mail support calls primarily by the existence of the revert command.

CIS's new Red Hat Enterprise Benchmark coordinator, George Toft, suggested by private e-mail that we might consider weakening our straight default-deny stance to allowing localhost, along with a user-configured network, to access all services. I like his idea. I'm looking for a situation that requires less user input and also helps less experienced users. To that end, I'd like to recommend that we basically:

0) keep the default-deny stance in TCP wrappers
1) set a default-allow stance on localhost
2) automatically allow ssh access from any networks the hardened host has a network interface on.

Number 2 is obviously the tough one here, but I think it's a decent compromise. What do you all think?

- Jay
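As an added example, not Bastille's own code and not part of this thread, the following Python script renders the hosts.deny/hosts.allow pair that the three-step proposal above would produce (ALL: ALL in hosts.deny, ALL: 127.0.0.1 in hosts.allow, and an sshd line for each network the host has an interface on), then checks which daemon/client pairs would get through using a simplified hosts_access(5) matcher (allow file first, then deny file, default allow). The interface list is constructed, the function names are hypothetical, and the matcher only understands the ALL keyword, single addresses, and net/mask patterns, which is all the generated files use.

```python
"""Render and check the TCP wrappers stance proposed above (added example)."""
import ipaddress

# Constructed sample input: interface addresses as they might be parsed from
# `ip -o -4 addr show` on the hardened host. Not taken from any real machine.
SAMPLE_INTERFACES = [
    ("lo", "127.0.0.1/8"),
    ("eth0", "192.168.1.5/24"),
    ("eth1", "10.10.4.17/22"),
]


def attached_networks(interfaces):
    """Distinct non-loopback networks the host sits on, in hosts_access(5)
    n.n.n.n/m.m.m.m form (the classic net/mask syntax every tcp_wrappers
    version accepts)."""
    nets = []
    for _name, cidr in interfaces:
        iface = ipaddress.ip_interface(cidr)
        if iface.ip.is_loopback:
            continue  # localhost is covered by the explicit ALL: 127.0.0.1 rule
        net = iface.network
        entry = f"{net.network_address}/{net.netmask}"
        if entry not in nets:
            nets.append(entry)
    return nets


def render_hosts_deny():
    """Step 0: keep the default-deny stance."""
    return "ALL: ALL\n"


def render_hosts_allow(interfaces):
    """Steps 1 and 2: localhost reaches every wrapped service; sshd is also
    reachable from the networks the host has an interface on."""
    lines = ["# Exceptions to the ALL: ALL in hosts.deny", "ALL: 127.0.0.1"]
    nets = attached_networks(interfaces)
    if nets:
        lines.append("sshd: " + " ".join(nets))
    return "\n".join(lines) + "\n"


def _parse(text):
    """Parse 'daemon_list : client_list' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules


def _client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask pair
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ip == ipaddress.ip_address(pattern)


def would_allow(daemon, client, allow_text, deny_text):
    """Simplified hosts_access(5) decision: first match in hosts.allow grants,
    otherwise first match in hosts.deny refuses, otherwise access is granted."""
    ip = ipaddress.ip_address(client)
    for rules, verdict in ((_parse(allow_text), True), (_parse(deny_text), False)):
        for daemons, clients in rules:
            if ("ALL" in daemons or daemon in daemons) and any(
                _client_matches(c, ip) for c in clients
            ):
                return verdict
    return True


if __name__ == "__main__":
    allow = render_hosts_allow(SAMPLE_INTERFACES)
    deny = render_hosts_deny()
    print("hosts.allow:\n" + allow + "hosts.deny:\n" + deny)
    for daemon, client in [("sshd", "192.168.1.50"), ("sshd", "203.0.113.9"),
                           ("vsftpd", "192.168.1.50"), ("vsftpd", "127.0.0.1")]:
        print(f"{daemon:7} from {client:14} ->",
              "allow" if would_allow(daemon, client, allow, deny) else "deny")
    # The lockout case the post describes: default-deny with an empty hosts.allow
    print("sshd with empty hosts.allow ->",
          "allow" if would_allow("sshd", "192.168.1.50", "", deny) else "deny")
```

Running the script shows the compromise in action: ssh from 192.168.1.50 or 10.10.7.200 is allowed, ssh from 203.0.113.9 is refused, a non-ssh service is reachable only from 127.0.0.1, and the final line reproduces the original foot-shooting case (default-deny with nothing added to hosts.allow refuses the remote ssh session).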