The glamorous new kids in the Linux security parade are SELinux, AppArmor, and all manner of virtualization technologies. (Though it is being discovered that virtual machines, just like chroot jails, aren't all that difficult to break out of, so don't count on them for strong security.)
Linux & Unix Security
Stuck for a definition? Look it up at Webopedia:
But don't overlook the reliable, helpful old-timer Bastille Linux. Bastille Linux is both a batch of Perl scripts that lead you through hardening your Linux system, and an educational tool. I recommend running it just to get a grounding in basic security measures — the newfangled things are nice, but the basics are still important and valuable.
It is best to run Bastille on a fresh, newly installed system that has not yet been connected to an untrusted network. You can use it on an existing system, but to be 100 percent certain you're not hardening a compromised system you need to start fresh.
Bastille Name Change
Bastille has officially renamed itself to Bastille Unix because it also supports Mac OS X and HP-UX. And there is drama with a domain-name squatter who somehow gained control of http://www.bastille-linux.org, so the official site is http://www.bastille-unix.org. Anyone who is interested can read all about it here. Just remember to visit http://www.bastille-unix.org to read the official site, not the other one.
Supported Systems
Bastille does not work for every Linux distribution. So far it supports Red Hat and its clones (CentOS, Pie Box, etc.), Fedora, SUSE, Debian, Gentoo, and Mandriva; and HP-UX and Mac OS X. It works on Kubuntu, and it may work on other descendants such as Sabayon (Gentoo) but I haven't tried them yet.
Assessment Mode
Bastille has introduced a new assessment and reporting utility, bastille --assess. This only works on Red Hat and its clones and SUSE. If you run it on an unsupported system it will helpfully complain and give you a list of platforms that it does support.
Make sure you have the perl-Tk package installed, and perl-Curses for the Ncurses interface. Then fetch and install the Bastille RPM from its distribution site and install it with :
# rpm -ivh Bastille-3.0.9-1.0.noarch.rpm
Then run it in assessment mode:
# bastille --assess
Security Blogging
Enterprise Networking Planet Managing Editor Michael Hall blogs about Internet security and privacy daily at Open Networks Today
Debian users can install Bastille with aptitude install bastille, and Gentoo via its portage system.
Running Bastille
I'm not going to discuss every option, but just hit the high points. Most options depend on how tightly you need to lock down your system, and Bastille gives you a lot of information as you go.
Bastille runs either in a Ncurses interface or in X using Perl-Tk. To me the Perl-Tk interface is not very readable and clunky, so I use Ncurses. This opens the Perl-Tk interface:
# bastille -x
Run it in Ncurses like this:
# bastille -c
bastille -r reverses all changes, so don't be afraid to dive in. However, if you do change your mind you want to do it right away, and not months later after you've made who-knows-what changes to your system. bastille --log lets you make a dry-run with no changes.
Give yourself about 30 minutes. Don't hurry: The idea is to learn as well as do.
Images
IE 7
Firefox 2.0