Battening down the Hatches with Bastille

How to harden your system.

Getting Started with Bastille

Using Bastille is easy. From /root/Bastille, you run the script InteractiveBastille.pl (see Figure 1), which asks you a long list of questions about what you need enabled and how you need it configured for a balance of functionality and security appropriate for your particular needs. These questions are split into different sections: IPChains, PatchDownload, FilePermissions, etc. The results of this Q&A session are stored in a file called config.

Figure 1. InteractiveBastille.pl

Next, run the script BackEnd.pl, which invokes the scripts corresponding to each section in InteractiveBastille.pl, using config to define the numerous variables that determine how these scripts behave. Depending on how you answered Bastille's questions, some of the component scripts may not be invoked at all (e.g., if you answered “no” to “Configure IPChains?”).

If you don't want to bother with all those questions, you can instead run AutomatedBastille.pl, which will give you the choice of several default security baselines and will then immediately harden your system accordingly. AutomatedBastille.pl is an extremely simple script; really, it's just a mechanism for invoking BackEnd.pl with a canned configuration file.

The included baselines (Default_Workstation and Default_Workstation_plus_Firewall in Bastille v.1.1.0) can easily be adapted for your own particular needs; thus, it's a simple matter to create your own baselines and add them to AutomatedBastille.pl if you have large numbers of systems to harden. Alternatively, you can skip AutomatedBastille.pl altogether and simply run BackEnd.pl with the configuration file of your choice, for example:

./BackEnd.pl ./myconfig /root/bastille-output-log

Some Notes on InteractiveBastille.pl

InteractiveBastille.pl explains itself extremely well during the course of a Bastille session. If you take the time to read this script's explanations of its own questions, you'll learn a lot about system hardening. If you already know a lot, you can select the “explain less” option at any point to make the questions a bit less wordy (and if you change your mind, you can choose “explain more” later).

Bastille's verbosity notwithstanding, the following general observations on certain sections may prove useful to the beginner:

  • Module 1: IPChains.pm—IPChains is Linux's firewall system. If your host is going to be accessible by hosts on the Internet, I strongly recommend that you configure IPChains. Even a few simple packet-filtering rules will greatly enhance overall system security.

  • Module 2: PatchDownload.pm—if you have a Red Hat system, Bastille can download and install RPMs of any software that has changed since you originally installed it.

  • Module 3: FilePermissions.pm—this module restricts access to certain utilities and files, mainly by disabling their SUID status. Generally speaking, SUID is used to allow a process to behave as though it had been invoked by root, allowing nonroot users to use utilities such as mount, ping and traceroute. However, these utilities are usually not needed by unprivileged users and can in fact be used for all sorts of mischief. Disabling SUID status makes such commands usable only by root.

  • Module 4: AccountSecurity.pm—this module allows you to create a new administration account and generally tighten up the security of user-account management. These are all excellent steps to take; I recommend using them all.

  • Module 5: BootSecurity.pm—if it's possible for unknown or untrusted persons to sit in front of your system, reboot or power-cycle it and interrupt the boot process, these settings can make it harder for them to compromise the system.

  • Module 6: SecureInetd.pm—in this section, internet services are tightened down and warning banners created.

  • Module 7: DisableUserTools.pm—disabling the compiler is a good idea if the system's nonroot users don't explicitly need to use it. As in most other cases, when Bastille says “disable” here it actually means “restrict to root-access only”.

  • Module 8: ConfigureMiscPAM.pm—several useful restrictions on user accounts are set here.

  • Module 9: Logging.pm—too little logging is enabled by default on most systems. This module increases logging and allows you to send log data to a remote host. Process accounting (i.e., tracking all processes) can also be enabled here but is overkill for most systems.

  • Module 10: MiscellaneousDaemons.pm—in this section you can disable a number of services that tend to be enabled by default despite being unnecessary for most users.

  • Module 11: Sendmail.pm—self-explanatory.

  • Module 12: RemoteAccess.pm—if you don't have it yet, Bastille can download and install the Secure Shell for you! SSH is a secure replacement for Telnet, rsh and rlogin. Note that Bastille will attempt to install RPMs compiled for Red Hat systems on i386 architectures. If you run Linux on a non-PC-compatible architecture or use a distribution that chokes on Red Hat RPMs (e.g., Debian), then this module won't work for you.
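The SUID restriction that Module 3 (FilePermissions.pm) applies, shown as an added shell example that is not Bastille's own code: it audits SUID binaries under a directory and strips the SUID bit from a list of utilities unprivileged users do not need (mount, ping and traceroute, as named above), which leaves them usable only by root. The directory, the file names and the scratch-directory demo are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from Bastille: audit SUID files and restrict a chosen
# set of utilities to root by clearing their SUID bit (chmod u-s).

# Print every SUID file under $1 with mode, owner and path (audit step).
list_suid() {
    find "$1" -xdev -type f -perm -4000 -exec ls -l {} \; 2>/dev/null
}

# Count SUID files under $1 (tr strips the padding some wc builds print).
count_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# Clear the SUID bit on each file named in $2.. that lives under $1.
# Prints the number of files changed.
strip_suid() {
    dir=$1; shift
    changed=0
    for name in "$@"; do
        f="$dir/$name"
        if [ -f "$f" ] && [ -u "$f" ]; then
            chmod u-s "$f" && changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# Self-contained demo on a constructed scratch directory, so the script
# can be run without touching real system binaries.  Four empty files are
# given mode 4755; three are on the restrict list, "passwd" is left alone.
demo() {
    tmp=$(mktemp -d)
    for n in mount ping traceroute passwd; do
        : > "$tmp/$n"
        chmod 4755 "$tmp/$n"
    done
    before=$(count_suid "$tmp")
    changed=$(strip_suid "$tmp" mount ping traceroute)
    after=$(count_suid "$tmp")
    rm -rf "$tmp"
    echo "$before $changed $after"
}
```

On a real system, run list_suid / over an untouched install first and keep that listing; it is the baseline you compare against after hardening and during later audits.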
