Bastille: Classic Linux and Unix Security

By Carla Schroder | Oct 8, 2007 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3704046/Bastille-Classic-Linux-and-Unix-Security.htm

The glamorous new kids in the Linux security parade are SELinux, AppArmor, and all manner of virtualization technologies. (Though it is being discovered that virtual machines, just like chroot jails, aren't all that difficult to break out of, so don't count on them for strong security.)

But don't overlook the reliable, helpful old-timer Bastille Linux. Bastille Linux is both a batch of Perl scripts that lead you through hardening your Linux system, and an educational tool. I recommend running it just to get a grounding in basic security measures — the newfangled things are nice, but the basics are still important and valuable.

It is best to run Bastille on a fresh, newly installed system that has not yet been connected to an untrusted network. You can use it on an existing system, but to be 100 percent certain you're not hardening a compromised system you need to start fresh.

Bastille Name Change

Bastille has officially renamed itself to Bastille Unix because it also supports Mac OS X and HP-UX. And there is drama with a domain-name squatter who somehow gained control of http://www.bastille-linux.org, so the official site is http://www.bastille-unix.org. Anyone who is interested can read all about it here. Just remember to visit http://www.bastille-unix.org to read the official site, not the other one.

Supported Systems

Bastille does not work for every Linux distribution. So far it supports Red Hat and its clones (CentOS, Pie Box, etc.), Fedora, SUSE, Debian, Gentoo, and Mandriva; and HP-UX and Mac OS X. It works on Kubuntu, and it may work on other descendants such as Sabayon (Gentoo) but I haven't tried them yet.

Assessment Mode

Bastille has introduced a new assessment and reporting utility, bastille --assess. This only works on Red Hat and its clones and SUSE. If you run it on an unsupported system it will helpfully complain and give you a list of platforms that it does support.

Make sure you have the perl-Tk package installed, and perl-Curses for the Ncurses interface. Then fetch and install the Bastille RPM from its distribution site and install it with :

# rpm -ivh Bastille-3.0.9-1.0.noarch.rpm

Then run it in assessment mode:

# bastille --assess

This does a read-only scan of your system and generates a nice report like this one. This gives you a snapshot of your system without having to make an entire Bastille run first. Making before and after assessment reports can be a valuable exercise and help you with fine-tuning. You can take this a step further and assign different weights to the various items; the defaults may not reflect your policies or priorities, so you can tweak them to suit.

Debian users can install Bastille with aptitude install bastille, and Gentoo via its portage system.

Running Bastille

I'm not going to discuss every option, but just hit the high points. Most options depend on how tightly you need to lock down your system, and Bastille gives you a lot of information as you go.

Bastille runs either in a Ncurses interface or in X using Perl-Tk. To me the Perl-Tk interface is not very readable and clunky, so I use Ncurses. This opens the Perl-Tk interface:

# bastille -x

Run it in Ncurses like this:

# bastille -c

bastille -r reverses all changes, so don't be afraid to dive in. However, if you do change your mind you want to do it right away, and not months later after you've made who-knows-what changes to your system. bastille --log lets you make a dry-run with no changes.

Give yourself about 30 minutes. Don't hurry: The idea is to learn as well as do.

On the first series of questions you'll be asked if you want to disable the SUID root bit, which allows ordinary users to run commands that require root privileges, on certain commands. At first glance you might think "of course I don't want SUID root commands! What an obvious security hole!" But don't be in a hurry to say yes. For example, do you really want to require a root login to use mount or ping? Unprivileged users won't be able to mount removable media like CDs, and ping is hardly a weapon of mass destruction. If you say "Yes" and then change your mind later, use chmod to restore the SUID bit:

# chmod u+s ping

You should periodically check for SUID-enabled files anyway, just to keep an eye out for mischief or forgotten experiments. Run this command to see a list of them:

# find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls -l {} \;

Should Bastille disable clear-text r-protocols that use IP-based authentication?
Yes. This includes rsh, rlogin, rcp, rdist, which send all traffic in cleartext. You shouldn't be using these anyway, as they have long been supplanted by ssh and scp.

Would you like to password protect single-user mode?
Yes. If there is no password, then anyone can gain root privileges by rebooting to single-user mode.

Should Bastille ensure the telnet service does not run on this system? Not only Yes, but Heck Yes, unless you are absolutely positively 100 percent certain you wish to leave it running. telnet is completely insecure. This is not the same as disabling the telnet client, which is still useful for network troubleshooting.

Disabling the gcc compiler isn't much of a security measure. If you need it, don't disable it. If you don't need it, remove it.

Would you like to put limits on system resource usage?
It's pretty safe to answer Yes. Core dumps aren't all that helpful to end users and can grow very large, and setting a limit on user processes is usually a good idea. Use this command to count user processes, so you'll know if Bastille's limit of 150 is enough:

$ ps --no-headers -U [username] | wc -l

You can change these in /etc/security/limits.conf.

Would you like to add additional logging? Yes, you would.

Security Blogging

Enterprise Networking Planet Managing Editor Michael Hall blogs about Internet security and privacy daily at Open Networks Today

The firewall script is pretty good, but it doesn't give you enough information on what to do with which ports. Take a look at this list of dangerous TCP/IP ports. This will help you decide what to monitor or block. You'll need to figure out yourself if you need to open holes in your firewall for services, such as SSH, name or Web servers, and so forth. Bastille accepts either port numbers or service names, according to /etc/services. This page lists ICMP types, if you want to monitor these or just know what they are. You cannot block all ICMP messages without messing up basic networking functions; Bastille's defaults are fine.

ICMP Attacks Illustrated is a nice guide on ICMP perils.

When you reach the end, you can either activate the changes, or go back and make changes. Bastille tells you how to start, stop, and test your firewall script. Look in /etc/Bastille to see your new scripts, and /var/log/Bastille for a record of everything it did.

Do this a few times on different servers and desktop PCs, and you'll have a good education in the basics of hardening Linux systems.

Resources

http://www.bastille-unix.org