Bastille: Classic Linux and Unix Security - Page 2

On the first series of questions you'll be asked if you want to disable the SUID root bit, which allows ordinary users to run commands that require root privileges, on certain commands. At first glance you might think "of course I don't want SUID root commands! What an obvious security hole!" But don't be in a hurry to say yes. For example, do you really want to require a root login to use mount or ping? Unprivileged users won't be able to mount removable media like CDs, and ping is hardly a weapon of mass destruction. If you say "Yes" and then change your mind later, use chmod to restore the SUID bit:

# chmod u+s ping

You should periodically check for SUID-enabled files anyway, just to keep an eye out for mischief or forgotten experiments. Run this command to see a list of them:

# find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls -l {} \;

Should Bastille disable clear-text r-protocols that use IP-based authentication?
Yes. This includes rsh, rlogin, rcp, rdist, which send all traffic in cleartext. You shouldn't be using these anyway, as they have long been supplanted by ssh and scp.

Would you like to password protect single-user mode?
Yes. If there is no password, then anyone can gain root privileges by rebooting to single-user mode.

Should Bastille ensure the telnet service does not run on this system? Not only Yes, but Heck Yes, unless you are absolutely positively 100 percent certain you wish to leave it running. telnet is completely insecure. This is not the same as disabling the telnet client, which is still useful for network troubleshooting.

Disabling the gcc compiler isn't much of a security measure. If you need it, don't disable it. If you don't need it, remove it.

Would you like to put limits on system resource usage?
It's pretty safe to answer Yes. Core dumps aren't all that helpful to end users and can grow very large, and setting a limit on user processes is usually a good idea. Use this command to count user processes, so you'll know if Bastille's limit of 150 is enough:

$ ps --no-headers -U [username] | wc -l

You can change these in /etc/security/limits.conf.

Would you like to add additional logging? Yes, you would.

The firewall script is pretty good, but it doesn't give you enough information on what to do with which ports. Take a look at this list of dangerous TCP/IP ports. This will help you decide what to monitor or block. You'll need to figure out yourself if you need to open holes in your firewall for services, such as SSH, name or Web servers, and so forth. Bastille accepts either port numbers or service names, according to /etc/services. This page lists ICMP types, if you want to monitor these or just know what they are. You cannot block all ICMP messages without messing up basic networking functions; Bastille's defaults are fine.

ICMP Attacks Illustrated is a nice guide on ICMP perils.

When you reach the end, you can either activate the changes, or go back and make changes. Bastille tells you how to start, stop, and test your firewall script. Look in /etc/Bastille to see your new scripts, and /var/log/Bastille for a record of everything it did.

Do this a few times on different servers and desktop PCs, and you'll have a good education in the basics of hardening Linux systems.

Resources

http://www.bastille-unix.org