Bastille: Classic Linux and Unix Security

Bastille runs your Linux or Unix installation through the ringer and squeezes out a more secure box.

 By Carla Schroder
Page 1 of 2
Print Article

The glamorous new kids in the Linux security parade are SELinux, AppArmor, and all manner of virtualization technologies. (Though it is being discovered that virtual machines, just like chroot jails, aren't all that difficult to break out of, so don't count on them for strong security.)

But don't overlook the reliable, helpful old-timer Bastille Linux. Bastille Linux is both a batch of Perl scripts that lead you through hardening your Linux system, and an educational tool. I recommend running it just to get a grounding in basic security measures — the newfangled things are nice, but the basics are still important and valuable.

It is best to run Bastille on a fresh, newly installed system that has not yet been connected to an untrusted network. You can use it on an existing system, but to be 100 percent certain you're not hardening a compromised system you need to start fresh.

Bastille Name Change

Bastille has officially renamed itself to Bastille Unix because it also supports Mac OS X and HP-UX. And there is drama with a domain-name squatter who somehow gained control of http://www.bastille-linux.org, so the official site is http://www.bastille-unix.org. Anyone who is interested can read all about it here. Just remember to visit http://www.bastille-unix.orgto read the official site, not the other one.

Supported Systems

Bastille does not work for every Linux distribution. So far it supports Red Hat and its clones (CentOS, Pie Box, etc.), Fedora, SUSE, Debian, Gentoo, and Mandriva; and HP-UX and Mac OS X. It works on Kubuntu, and it may work on other descendants such as Sabayon (Gentoo) but I haven't tried them yet.

Assessment Mode

Bastille has introduced a new assessment and reporting utility, bastille --assess. This only works on Red Hat and its clones and SUSE. If you run it on an unsupported system it will helpfully complain and give you a list of platforms that it does support.

Make sure you have the perl-Tk package installed, and perl-Curses for the Ncurses interface. Then fetch and install the Bastille RPM from its distribution siteand install it with :

# rpm -ivh Bastille-3.0.9-1.0.noarch.rpm

Then run it in assessment mode:

# bastille --assess

This does a read-only scan of your system and generates a nice report like this one. This gives you a snapshot of your system without having to make an entire Bastille run first. Making before and after assessment reports can be a valuable exercise and help you with fine-tuning. You can take this a step further and assign different weights to the various items; the defaults may not reflect your policies or priorities, so you can tweak them to suit.

Debian users can install Bastille with aptitude install bastille, and Gentoo via its portage system.

Running Bastille

I'm not going to discuss every option, but just hit the high points. Most options depend on how tightly you need to lock down your system, and Bastille gives you a lot of information as you go.

Bastille runs either in a Ncurses interface or in X using Perl-Tk. To me the Perl-Tk interface is not very readable and clunky, so I use Ncurses. This opens the Perl-Tk interface:

# bastille -x

Run it in Ncurses like this:

# bastille -c

bastille -r reverses all changes, so don't be afraid to dive in. However, if you do change your mind you want to do it right away, and not months later after you've made who-knows-what changes to your system. bastille --loglets you make a dry-run with no changes.

Give yourself about 30 minutes. Don't hurry: The idea is to learn as well as do.

This article was originally published on Oct 9, 2007
Get the Latest Scoop with Networking Update Newsletter