Battening down the Hatches with Bastille
Using Bastille is easy. From /root/Bastille, you run the script InteractiveBastille.pl (see Figure 1), which asks you a long list of questions about what you need enabled and how you need it configured for a balance of functionality and security appropriate for your particular needs. These questions are split into different sections: IPChains, PatchDownload, FilePermissions, etc. The results of this Q&A session are stored in a file called config.
Next, run the script BackEnd.pl, which invokes the scripts corresponding to each section in InteractiveBastille.pl, using config to define the numerous variables that determine how these scripts behave. Depending on how you answered Bastille's questions, some of the component scripts may not be invoked at all (e.g., if you answered “no” to “Configure IPChains?”).
If you don't want to bother with all those questions, you can instead run AutomatedBastille.pl, which will give you the choice of several default security baselines and will then immediately harden your system accordingly. AutomatedBastille.pl is an extremely simple script; really, it's just a mechanism for invoking BackEnd.pl with a canned configuration file.
The included baselines (Default_Workstation and Default_Workstation_plus_Firewall in Bastille v.1.1.0) can easily be adapted for your own particular needs; thus, it's a simple matter to create your own baselines and add them to AutomatedBastille.pl if you have large numbers of systems to harden. Alternatively, you can skip AutomatedBastille.pl altogether and simply run BackEnd.pl with the configuration file of your choice, for example:
./BackEnd.pl ./myconfig /root/bastille-output-log
InteractiveBastille.pl explains itself extremely well during the course of a Bastille session. If you take the time to read this script's explanations of its own questions, you'll learn a lot about system-hardening. If you already know a lot, you can select the “explain less” option at any point to make the questions a bit less wordy (and if you change your mind, you can choose “explain more” later).
Bastille's verbosity notwithstanding, the following general observations on certain sections may prove useful to the beginner:
Module 1: IPChains.pm—IPChains is Linux's firewall system. If your host is going to be accessible by hosts on the Internet, I strongly recommend that you configure IPChains. Even a few simple packet-filtering rules will greatly enhance overall system security.
Module 2: PatchDownload.pm—if you have a Red Hat system, Bastille can download and install RPMs of any software that has changed since you originally installed it.
Module 3: FilePermissions.pm—this module restricts access to certain utilities and files, mainly by disabling their SUID status. Generally speaking, SUID is used to allow a process to behave as though it had been invoked by root, allowing nonroot users to use utilities such as mount, ping and traceroute. However, these utilities are usually not needed by unprivileged users and can in fact be used for all sorts of mischief. Disabling SUID status makes such commands usable only by root.
Module 4: AccountSecurity.pm—this module allows you to create a new administration account and generally tighten up the security of user-account management. These are all excellent steps to take; I recommend using them all.
Module 5: BootSecurity.pm—if it's possible for unknown or untrusted persons to sit in front of your system, reboot or power-cycle it, and interrupt the boot process, these settings can make it harder for them to compromise the system.
Module 6: SecureInetd.pm—in this section, internet services are tightened down and warning banners created.
Module 7: DisableUserTools.pm—disabling the compiler is a good idea if the system's nonroot users don't explicitly need to use it. As in most other cases, when Bastille says “disable” here it actually means “restrict to root-access only”.
Module 8: ConfigureMiscPAM.pm—several useful restrictions on user accounts are set here.
Module 9: Logging.pm—too little logging is enabled by default on most systems. This module increases logging and allows you to send log data to a remote host. Process accounting (i.e., tracking all processes) can also be enabled here but is overkill for most systems.
Module 10: MiscellaneousDaemons.pm—in this section you can disable a number of services that tend to be enabled by default despite being unnecessary for most users.
Module 11: Sendmail.pm—self-explanatory.
Module 12: RemoteAccess.pm—if you don't have it yet, Bastille can download and install the Secure Shell for you! SSH is a secure replacement for Telnet, rsh and rlogin. Note that Bastille will attempt to install RPMs compiled for Red Hat systems on i386 architectures. If you run Linux on a non-PC-compatible architecture or use a distribution that chokes on Red Hat RPMs (e.g., Debian), then this module won't work for you.
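What Module 3 (FilePermissions.pm) does can be audited and reproduced by hand. The following POSIX shell script is an added example, not code from Bastille or from this article: it lists set-user-ID binaries under a directory tree, reports whether a given file carries the bit, and strips the bit from a named file, which is what Bastille means when it "disables" a utility such as mount, ping or traceroute for non-root users. The function names and the sample paths in the usage comment are the example's own.

```shell
#!/bin/sh
# Added example: audit and remove the set-user-ID bit, the mechanism behind
# Bastille's FilePermissions module. Not part of Bastille itself.
#
# Usage (hypothetical):  sh suid_audit.sh /usr/bin
# Run list_suid_files before and after a Bastille run to see what changed.

# Print every regular file under DIR that has the SUID bit set, one per line.
# -xdev keeps the walk on one filesystem so /proc and network mounts are skipped.
list_suid_files() {
    dir="$1"
    find "$dir" -xdev -type f -perm -4000 2>/dev/null
}

# Exit status 0 if FILE currently has its SUID bit set, 1 otherwise.
has_suid() {
    [ -u "$1" ]
}

# Remove the SUID bit from FILE. The program then runs with the caller's own
# privileges, so an unprivileged user can no longer use it to act as root;
# root is unaffected because root never needed the bit.
strip_suid() {
    chmod u-s "$1"
}

# Report: count of SUID files under DIR, written to stdout.
count_suid_files() {
    list_suid_files "$1" | wc -l | tr -d ' '
}

# When invoked directly with a directory argument, print the audit.
if [ -n "${1:-}" ]; then
    echo "SUID files under $1:"
    list_suid_files "$1"
    echo "total: $(count_suid_files "$1")"
fi
```

The audit is read-only; only strip_suid changes anything. Keep the "before" listing so that a utility you do need for unprivileged users (Bastille asks about each one) can be restored with chmod u+s.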