Battening down the Hatches with Bastille
Using Bastille is easy. From /root/Bastille, you run the script InteractiveBastille.pl (see Figure 1), which asks you a long list of questions about what you need enabled and how you need it configured for a balance of functionality and security appropriate for your particular needs. These questions are split into different sections: IPChains, PatchDownload, FilePermissions, etc. The results of this Q&A session are stored in a file called config.
Next, run the script BackEnd.pl, which invokes the scripts corresponding to each section in InteractiveBastille.pl, using config to define the numerous variables that determine how these scripts behave. Depending on how you answered Bastille's questions, some of the component scripts may not be invoked at all (e.g., if you answered “no” to “Configure IPChains?”).
If you don't want to bother with all those questions, you can instead run AutomatedBastille.pl, which will give you the choice of several default security baselines and will then immediately harden your system accordingly. AutomatedBastille.pl is an extremely simple script; really, it's just a mechanism for invoking BackEnd.pl with a canned configuration file.
The included baselines (Default_Workstation and Default_Workstation_plus_Firewall in Bastille v.1.1.0) can easily be adapted for your own particular needs; thus, it's a simple matter to create your own baselines and add them to AutomatedBastille.pl if you have large numbers of systems to harden. Alternatively, you can skip AutomatedBastille.pl altogether and simply run BackEnd.pl with the configuration file of your choice, for example:
./BackEnd.pl ./myconfig /root/bastille-output-log
InteractiveBastille.pl explains itself extremely well during the course of a Bastille session. If you take the time to read this script's explanations of its own questions, you'll learn a lot about system-hardening. If you already know a lot, you can select the explain less option at any point to make the questions a bit less wordy (and if you change your mind, you can choose “explain more” later).
Bastille's verbosity notwithstanding, the following general observations on certain sections may prove useful to the beginner:
Module 1: IPChains.pm—IPChains is the packet filter built into 2.2-series Linux kernels. If your host will be reachable from the Internet, I strongly recommend that you configure IPChains: even a few simple packet-filtering rules that deny everything inbound except the services you actually offer will greatly enhance overall system security.
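A minimal stateless ruleset of the kind this module builds, given here as an added example (a shell script, not Bastille's IPChains.pm): the interface name, the host address (an RFC 5737 documentation address) and the single exposed service (SSH on port 22) are assumptions. The policy denies all inbound traffic by default, admits new connections only to SSH, lets replies to outbound connections through by accepting non-SYN TCP segments and DNS answers from port 53, and logs any other connection attempt before dropping it. Since the ipchains binary is long gone from modern systems, the script prints the commands instead of running them unless it is executed as root on a host that has ipchains.

```shell
#!/bin/sh
# Minimal stateless IPChains policy for a host exposing only SSH.
# Added example, not Bastille's IPChains.pm. IFACE and HOST_IP are assumptions.
IFACE=${IFACE:-eth0}
HOST_IP=${HOST_IP:-192.0.2.10}   # constructed: RFC 5737 documentation address

# build_rules IFACE IP: print one ipchains command per line, in the order
# they must be applied (rules are matched first-to-last; policy applies last).
build_rules() {
    iface=$1; ip=$2
    cat <<EOF
ipchains -F input
ipchains -P input DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $iface -p tcp -s 0.0.0.0/0 -d $ip 22 -j ACCEPT
ipchains -A input -i $iface -p tcp ! -y -j ACCEPT
ipchains -A input -i $iface -p udp -s 0.0.0.0/0 53 -d $ip -j ACCEPT
ipchains -A input -i $iface -p icmp -j ACCEPT
ipchains -A input -i $iface -p tcp -y -l -j DENY
EOF
}

# count_rules IFACE IP: number of chain rules (the -A lines) the policy adds.
count_rules() {
    build_rules "$1" "$2" | grep -c '^ipchains -A '
}

# apply_rules IFACE IP: execute the rules when ipchains exists and we are root,
# otherwise print them as a dry run so the policy can be reviewed first.
apply_rules() {
    if command -v ipchains >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        build_rules "$1" "$2" | sh -e
    else
        echo "# dry run (no ipchains or not root); rules that would be applied:"
        build_rules "$1" "$2"
    fi
}

apply_rules "$IFACE" "$HOST_IP"
```

The "! -y" rule is the classic ipchains approximation of "established": it accepts any TCP segment that is not a bare SYN, so replies to the host's own outbound connections get in. It is stateless, so crafted non-SYN packets also pass it and UDP replies other than DNS are simply lost; that is why later kernels replaced ipchains with iptables and real connection tracking. Keep the logging rule last: with the DENY policy it is redundant for blocking, but it is what puts the attempts in your logs.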
Module 2: PatchDownload.pm—if you have a Red Hat system, Bastille can download and install RPMs of any software that has changed since you originally installed it.
Module 3: FilePermissions.pm—this module restricts access to certain utilities and files, mainly by removing their SUID bit. A set-user-ID root binary runs with root's privileges no matter who invokes it; that is how nonroot users are able to run utilities such as mount, ping and traceroute, which need root to mount filesystems or open raw sockets. Unprivileged users usually do not need these utilities, and every SUID root program is a potential path to root if it contains a bug, so the fewer of them a system carries, the better. Removing the SUID bit leaves the program in place but makes it effectively usable only by root.
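The check a practitioner wants around this module is a before-and-after inventory of SUID binaries, so here is an added example (a shell script, not Bastille's FilePermissions.pm) that lists them and strips the bit from a named set of utilities. It runs against a constructed sandbox of empty files whose only significant property is their mode; on a real host you would call the same functions as root with / as the root directory. The list of utilities is an assumption modelled on the ones discussed above, and su is deliberately left alone, since stripping its SUID bit would lock administrators out of root.

```shell
#!/bin/sh
# Audit SUID binaries and strip the SUID bit from utilities nonroot users do not need.
# Added example, not Bastille's FilePermissions.pm. Runs against a constructed sandbox.

# list_suid ROOT: print every regular file under ROOT that has the set-user-ID bit.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# strip_suid ROOT NAME...: remove the SUID bit from ROOT/NAME for every NAME that
# exists and is SUID; names that do not exist are skipped. Prints the number changed.
strip_suid() {
    root=$1; shift
    changed=0
    for name in "$@"; do
        path="$root/$name"
        [ -f "$path" ] && [ -u "$path" ] || continue
        chmod u-s "$path"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# make_sandbox: build a throwaway tree that mimics a few SUID root utilities
# (constructed, empty files; only their modes matter). Prints the sandbox path.
make_sandbox() {
    sb=$(mktemp -d) || exit 1
    mkdir -p "$sb/bin" "$sb/usr/sbin"
    for f in bin/mount bin/umount bin/ping bin/su usr/sbin/traceroute; do
        : > "$sb/$f"
        chmod 4755 "$sb/$f"
    done
    : > "$sb/bin/ls"          # an ordinary binary, to show it is not reported
    chmod 755 "$sb/bin/ls"
    echo "$sb"
}

# Utilities unprivileged users rarely need (assumed list). su is intentionally
# absent: removing its SUID bit would stop administrators from becoming root.
NOT_NEEDED="bin/mount bin/umount bin/ping usr/sbin/traceroute"

ROOT=$(make_sandbox)
echo "SUID before:"; list_suid "$ROOT"
n=$(strip_suid "$ROOT" $NOT_NEEDED)      # unquoted on purpose: split into names
echo "changed: $n"
echo "SUID after:";  list_suid "$ROOT"
rm -rf "$ROOT"
```

Save the "before" listing from a real host: it is the record of what the module changed, and it catches SUID binaries that Bastille does not know about, which deserve the same scrutiny. One caveat on mount in particular: once its SUID bit is gone, nonroot users can no longer mount even the entries that /etc/fstab marks as user-mountable, such as floppies or CD-ROMs, so decide whether that matters on the host before answering yes.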
Module 4: AccountSecurity.pm—this module allows you to create a new administration account and generally tighten up the security of user-account management. These are all excellent steps to take; I recommend using them all.
Module 5: BootSecurity.pm—if it's possible for unknown or untrusted persons to sit in front of your system, reboot or power-cycle it and interrupt the boot process, these settings can make it harder for them to compromise the system.
Module 6: SecureInetd.pm—in this section, internet services are tightened down and warning banners created.
Module 7: DisableUserTools.pm—disabling the compiler is a good idea if the system's nonroot users don't explicitly need to use it. As in most other cases, when Bastille says “disable” here it actually means “restrict to root-access only”.
Module 8: ConfigureMiscPAM.pm—several useful restrictions on user accounts are set here.
Module 9: Logging.pm—too little logging is enabled by default on most systems. This module increases logging and allows you to send log data to a remote host. Process accounting (i.e., tracking all processes) can also be enabled here but is overkill for most systems.
Module 10: MiscellaneousDaemons.pm—in this section you can disable a number of services that tend to be enabled by default despite being unnecessary for most users.
Module 11: Sendmail.pm—self-explanatory.
Module 12: RemoteAccess.pm—if you don't have it yet, Bastille can download and install the Secure Shell for you! SSH is a secure replacement for Telnet, rsh and rlogin. Note that Bastille will attempt to install RPMs compiled for Red Hat systems on i386 architectures. If you run Linux on a non-PC-compatible architecture or use a distribution that chokes on Red Hat RPMs (e.g., Debian), then this module won't work for you.