Bastille Adds Reporting, Grabs Fed Attention

Posted by timothy
from the soon-comes-the-boiling-oil dept.
johnny.ihackstuff.com writes "NewsForge interviews the Bastille project lead Jay Beale about Bastille's cool new assessment feature, which reports and scores Linux security and -- as always -- makes Linux lockdown super-easy. Available for many distros and Mac OS X, too. Best of all, it's free and open source!" As Jay points out in the interview, the work was "sponsored by the U.S. government's Technical Support Working Group." An anonymous reader summarizes the new capability: "In essence, Bastille now does two things. In one mode, it locks down an operating system, tweaking the configuration for increased security, asking you about each step and teaching you along the way. In the new Assessment mode, it reports on what hardening steps have been taken and what could be taken."
  • by gowen (141411) <gwowen@gmail.com> on Wednesday April 20, 2005 @08:15AM (#12291162) Homepage Journal
    ... but if I were starting a Linux security project, I'd name it after a prison which was difficult to escape from [wikipedia.org], rather than one famous for being stormed by about 1,000 upset Frenchmen. [wikipedia.org]
  • by Elgreco1 (714955) on Wednesday April 20, 2005 @08:16AM (#12291165) Homepage
    Why do we need hardening wizards, tools, software and so on? Why can't distributions be secure out of the box?
    • by gowen (141411) <gwowen@gmail.com> on Wednesday April 20, 2005 @08:19AM (#12291186) Homepage Journal
      Why can't distributions be secure out of the box?
      Essentially, there's a trade-off to be made between security and ease of use (for example, a hardened distro won't let users mount filesystems, let alone do it automagically. Desktop distros consider automounting CDs and USB sticks to be de rigueur.).

      Most distributions try to steer a happy medium. Some sacrifice security for simplicity. [slashdot.org] Others (like Bastille) take the opposite tack.
      • ... there's a trade off to be made between security and ease of use ...

        Yes, indeed. Still, most of the things that really matter on a desktop system aren't part of that tradeoff.

        My first linux install was RH6.0, and it had any number of servers running, right out of the box. Every server in the distribution was on and listening on the web, on the default install. For a great desktop experience, I didn't need NFS, bind, postfix, or any of a dozen other services that I eventually learned to shut down.

    • Because some security features have pros and cons. It might make your system more secure but suddenly normal users can't use CDs and so on. These wizards can tailor the system's security according to your needs, not general needs, which will not be as secure as a completely customized system.
    • by Daengbo (523424) <daengbo AT gmail DOT com> on Wednesday April 20, 2005 @08:21AM (#12291196) Homepage Journal
      Part of Bastille's goal is to educate the admin, as well, so (even if your distro is very secure out of the box) you can run the program, listen to all the checks and changes, learn from Bastille why things should be set up that way, and maybe admin your box better. Alas, though, most distros are not as secure as they should be, and Bastille will make you think about what tradeoffs you really want to make between ease of use and security.
      • And if you know why things should be set up a certain way, you can make informed business decisions on possibly why you wouldn't want a certain thing secure (that "ought" to be). You could then document that yes it should be, but here is why we aren't doing it.
    • by yardbird (165009) * on Wednesday April 20, 2005 @08:22AM (#12291197) Homepage
      In TFA, he claims that the project is helping to push vendors in that direction:

      "The short-term effect of Bastille here was that possibly a hundred thousand Linux DNS servers couldn't be compromised. The long-term effect was that Linux distribution makers gained both familiarity with a couple more hardening steps and confidence that those steps would be palatable to users. Additionally, Linux users came to expect tighter configurations from their distribution vendors."

      I agree it would be better for the vendors to do it without prompting, though, but this can help to standardize best practices.
    • by admorgan (168061) on Wednesday April 20, 2005 @08:25AM (#12291218) Homepage
      Why do we need hardening wizards, tools, software and so on? Why can't distributions be secure out of the box?

      What about those of us who don't use a distro? I often build systems from scratch and this gives me a convenient, useful tool to lock it down. Also, why not go the other direction... Why don't distros use generic tools like this to keep their system secure out of the box? I would like to point out one thing though. People use linux for just about everything today. The wizard gives you the functionality to do non-standard things to your system, whereas if the distro was secure out of the box, when you add a new service would you be able to say it was still secure, or what happens if you make a mistake setting up a config file? Generic tools that are very good at what they do are much better than large tools or relying on assumptions about the overall state of a system.
    • by gilesjuk (604902) <.giles.jones. .at. .zen.co.uk.> on Wednesday April 20, 2005 @08:28AM (#12291235)
      Security can often carry a level of pain with it that would annoy a desktop user.

      Also auditing many applications takes time. You can expect a distro run by a few people to audit thousands of lines of code in each package.
      • Compared to the level of pain required to correct an identity theft? I hear that's a pretty painful experience too...

        When I was working at data general, we had a team of 4 to 5 people auditing the C standard library and the source code for all the various UNIX utilities. Admittedly the team did have several months to complete their work. It's not particularly difficult to audit code that's already been written, but it is rather boring work, which makes it difficult to do in an open source environment.

    • by jbolden (176878) on Wednesday April 20, 2005 @10:45AM (#12292329) Homepage
      I once built a very secure version. Here are the sorts of things I did.

      1) It had no shells of any sort, nor any user interface of any sort.

      2) It would not mount any filesystem whose CDs meet a certain checksum (this avoided mounting random data). CDs that had the right checksum it would automatically run a program with a particular name. This was the sole way to introduce new software/issue commands to the system.

      3) It only had about 4 open ports, 2 for getting data in and 2 it used for sending the data out.

      4) It was stripped, having almost no software except the bare minimum needed to run 2 apps. It used a minimal set of libraries, missing any links that weren't needed for the included software. All the apps and all the libraries had their names scrambled (using a hash generator) so apache might be something like /vksjl39/skl9394/i8843nvnnf. This made the box harder to get around. The result was that most pieces of gcc software wouldn't have run at all with a great deal of knowledge about the box.

      5) It checksummed the bios to verify the bios wasn't corrupted (i.e. boot password was intact).

      6) Data on the drives were encrypted.

      Sound like a fun distribution to work on? On the other hand, under computer-generated network attacks (like say 10000 attacks per second) the system was able to function fine indefinitely. Even somebody with physical access would have had to take a long time to hack the system.

      That is sort of the ultimate in Linux security. The goal of hardening a system is to reduce points of entry for people to issue privileged commands, and this is done by reducing features. And that means a decrease in usability.
      • I built a very secure version too.

        1) It had no shells of any sort, nor any user interface of any sort.

        2) It would not mount any file system at all.

        3) It had a firewall consisting of a one-inch air gap between the power cord and the power supply, which effectively prevented all unwanted electrons from breaking into the system.

        This was *really* the ultimate in Linux security.
    • OpenBSD is, yet the fact that the admin has to go and install extra things and actually configure services to run causes more people to whine that OpenBSD is too hard to use. People, including the vast number of admins, don't want a 'secure by default' installation, they want a system that just runs without much thought. Using Linux for that lets them delude themselves into thinking it's secure based on the fact that it's open source and not Windows.
    • Because some people newer to the world of Unix and Linux tend to execute
      chmod -R 777 /
      after giving up with trying to figure out permissions issues.
  • Now THAT's Funny! (Score:4, Informative)

    by pandrijeczko (588093) on Wednesday April 20, 2005 @08:17AM (#12291167)
    This is presumably the same johnny.ihackstuff.com who got hacked himself recently, resulting in the email addresses of subscribers to his web site getting into the hands of spammers - mine included, with a huge increase in spam to it as a result.

    Perhaps he should have used Bastille himself...

    • You've got the right johnny, but well, you're just plain wrong about the email theft. No soup for you.
      • you're just plain wrong about the email theft.

        Predictable response and you're in between a rock and a hard place no matter what answer you give - after all, if you admit to it, no-one's going to take you seriously on security any more...

        It's a shame I didn't keep some of the original discussions about this because your site was definitely stated as the source from where our email addresses were obtained.

        • To everyone in the security community that's been burned in even a small way by a hacker, hang it up. Sadly, your career is obviously over. You're done. No-one's [sic] going to take you seriously on security anymore.

          My defacement did not result in my user database being compromised. If my hosting provider was broken into, then I apologize for the inconvenience, and I'll be sure to let them know. I hate even the idea that my user base might be inconvenienced as a result of signing up for an account. Serio
  • A windows version (Score:3, Insightful)

    by JohnnyKlunk (568221) * on Wednesday April 20, 2005 @08:18AM (#12291172)
    I don't suppose someone could port this to windows could they?
    There's not a lot of decent tools for non-security-expert admins and windows could do with something like this (not meant as an anti-windows troll).

    Unfortunately too many corporate windows admins have so many pressures on their time that security of every server isn't always given the time it needs. It sounds like this could provide a framework for that security.
    • Re:A windows version (Score:5, Informative)

      by Sexy Bern (596779) on Wednesday April 20, 2005 @08:23AM (#12291207)
      The baseline security analyzer?

      http://www.microsoft.com/technet/security/tools/mbsahome.mspx [microsoft.com]

    • why would you port security scripts for posix systems to windows?

      if anything you could create a sister project for the same sort of thing for windows based systems... but do you have enough fingers for that damn?
    • Re:A windows version (Score:5, Informative)

      by pandrijeczko (588093) on Wednesday April 20, 2005 @08:28AM (#12291231)
      I don't suppose someone could port this to windows could they?

      It's not really "portable" in the same sense as, say, Mozilla Firefox.

      I've not used Bastille in a while but I recall it's more of a tool that makes recommendations and changes to your system to lock it down - these can be everything from file permissions, service lockdown and kernel firewall settings.

      Therefore it's very much tied to the UNIX topography and even if you got it to run on Windows, the architecture is so different that it would be a totally different application by the time you'd modified it enough.

      However, you might want to consider running Bastille on, say, a Linux NAT/proxy router and just tucking Windows machines behind it.

      • There is a windows version - its called the Microsoft Security Centre - it checks to see if you have an AV package, XP firewall turned on and Automatic updates switched on.. what more do you need to secure a windows box?
        • by Noksagt (69097)
          You might be joking, but quite a bit is needed to lockdown win32.

          Bastille does useful things such as stop unneeded services. The *nux distros I've used have been far better out of the box than win32 machines I've seen. File permissions on win32 are also a nightmare. Bastille also locks down common userland apps. Misconfigured apache on win32 can do as much damage as apache on linux.
          • by XMyth (266414)
            2003 Server is better about this and I'm sure Longhorn will be too. That's not in defense of Windows, just FYI.

            Also, I'm sure he was joking but the Microsoft Baseline Security Analyzer does a fair job at locking down Windows. I haven't used Bastille so I can't compare (from what I've heard I'd bet Bastille is more thorough though).
          • Yeah I was joking I disable a number of services and install a long list of software to secure my Windows boxes before I allow them onto the internet. I would much prefer windows to ask me what services to start when I do the initial install as opposed to starting a load of services which I don't need - such as remote assistance....
        • Re:A windows version (Score:4, Informative)

          by pandrijeczko (588093) on Wednesday April 20, 2005 @09:07AM (#12291472)
          what more do you need to secure a windows box?

          Unfortunately, you're lost on the context in which you would use Bastille.

          AV packages and XP firewall are more desktop orientated security applications that usually provide a second layer of security protection after corporate firewalls, NAT routers, proxies, etc.

          And whether you like it or not, there are security holes in Windows purely as a result of the architecture and the fact that a lot of applications have free access to any part of the system.

          If you have similar security holes in Linux it's because you're running a service with root permissions or have some file permissions set wrongly. You might not be using a UNIX system that has strong password checking built in or you might have inactive accounts on your system. All these things are the types of issues checked by Bastille.

          Sure, you could use Bastille on a UNIX/Linux desktop to lock it down a bit but its real use is for locking down services and maybe creating a server to hide desktops behind, like a NAT proxy. So it's more important in small office or home server use where a server needs to be doubly secure because you don't have the protection of two firewall layers that you will inevitably find in a corporate environment.

      • Re:A windows version (Score:3, Interesting)

        by MajorDick (735308)
        It MAY be possible later as LongHorn / WinFS is supposed to use *nix style perms.
    • It's kinda already there and it is called the Security Configuration and Analysis tool. Probably not quite as in depth as Bastille, but does a very similar thing. There are only a few built-in security templates, but you can build your own easy enough.
  • Well... (Score:4, Funny)

    by JavaMoose (832619) on Wednesday April 20, 2005 @08:18AM (#12291176)
    I downloaded this, but I can't get it to run.

    Anyone else having problems getting this to run on Windows XP?

  • Scoring systems (Score:5, Insightful)

    by admorgan (168061) on Wednesday April 20, 2005 @08:18AM (#12291177) Homepage
    The score idea is actually pretty central here. When I first heard about it, I thought it was overly simplistic, but people really do get motivated and sometimes even jazzed up about improving the score on a system. They'll get a lower score than their ego tells them they should and will turn around and harden a few items on the box just to achieve a more encouraging score.

    This is an excellent example of making an application have a "value" as incentive to do the right thing. People are by nature competitive and will strive to improve a "score" even if it doesn't necessarily help them in any way. I give kudos to whoever decided to add this feature.
  • by Guano_Jim (157555) on Wednesday April 20, 2005 @08:19AM (#12291182)
    The download instructions for OSX were a little intimidating, even for someone like me with basic Unix skills...

    Once Bastille for OSX becomes completely point and click it will take off like Jean Valjean after stealing a loaf of bread.
    • We are actively seeking OS X packagers -- please e-mail Jay if interested.

      I don't use OS X, but if anyone is looking to have a good impact with little effort email jay at bastille-linux.org
    • by Anonymous Coward
      The download instructions for OSX were a little intimidating, even for someone like me with basic Unix skills...

      From the Bastille-Linux OS X page [bastille-linux.org]

      1. Download the tarball from the source link: Bastille-.tbz2.
      2. Uncompress the file, like so:

      tar -xjvf Bastille-.tbz2

      NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the
      • Anyone who can't do that probably can't implement the hardening advice. It works in the other direction though, there are lots of people who could follow those instructions that could use the advice.
      • by iamnotanumber6 (755703) on Wednesday April 20, 2005 @02:59PM (#12294810)
        I struggled with this for a while.

        "NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the next week."

        Huh? Well, it seemed to unpack for me, I don't know.

        Step three actually says:

        3. Run the install script, like so:

        cd Bastille && sh bin/Install-OSX.sh

        Which didn't work (you've corrected it above, but not on the actual page). Fooled around for a while in confusion about that, since there *is* an install script in the bin directory, but it's called "bastille"; it has an "os" option but only seems to know about HP-UX and not OSX...

        Finally found the other script, which failed with lots of error messages. You need to do "sudo" before the command.

        And then, "confirm that you have perl-Tk installed". Apparently I don't. "Do not forget to get perl-Tk installed before running Bastille." - to me that's a bit like "attach the toaster to your nose in the usual way". Where do I get it? Fink? Nope, not there. perltk.org? Total confusion. Ok, it's over an hour now, I'm still searching around trying to find how to install perlTk on OS X, and you know what?

        Fuck it.

        It's not that I don't have the skills. I just don't want fool around anymore.

        I don't mean to be critical, but you've been slashdotted, and there are going to be a *lot* of people having the same frustrating experience that I just did today, who probably won't remember to come back next week when it's working.
        • For perl/Tk, just run

          cpan

          and once you are inside cpan, you should issue a command "force install Tk". You have to force because cpan fails some of the tests.

          I wouldn't have had problem installing Bastille, but I noticed that the install script installs all the files under /usr (like /usr/sbin, /usr/lib, etc.). So, I simply changed all the /usr/ to /usr/local/ where I usually install stuff myself.

          Then, the install script runs OK, but... we don't have the script "bastille" installed! It's still lying i
    • What, get locked up for 19 years?

      Five years for what you did, the rest because you tried to run...
    • Once Bastille for OSX becomes completely point and click it will take off like Jean Valjean after stealing a loaf of bread.

      I think they're planning on getting that up and running by 24/6/01.
    • Once Bastille for OSX becomes completely point and click it will take off like Jean Valjean after stealing a loaf of bread.

      As I recall, he didn't get very far, did he...Javert (sp?) my old friend.
  • Cool, but... (Score:3, Interesting)

    by DrLex (811382) on Wednesday April 20, 2005 @08:19AM (#12291184) Homepage
    The ironical thing about this software is that it only works on *n*x systems, while the OS that probably could benefit most from it is Windows...
    • Re:Cool, but... (Score:3, Informative)

      by Dr.Opveter (806649)
      It's not that ironic if you see what type of thing [bastille-linux.org] it actually checks.
      Windows usually doesn't come with a mail or ftp server (yeah yeah, line up the spyware/malware server installing jokes here).
    • The ironical[sic] thing about this software is that it only works on *n*x systems, while the OS that probably could benefit most from it is Windows...

      ...as the saying goes, "You can't polish a turd!"
    • While Windows might certainly benefit from some similar support, Bastille provides a great service for Linux. With the popularity of Linux continuing to rise and rise, there are plenty of sysadmins in previously all-Windows shops who, while trying to learn all they can, are still nowhere near expert and can benefit from pre-packaged expertise like this.

      In the early days of my shop trying some Linux servers, we were hit more than once by hackers and worms targeting known exploits in common Linux elements s
    • this is *why* (Score:3, Interesting)

      by Heisenbug (122836)
      A major reason that nix systems have a reputation hereabouts for superior security is that developers bother to write tools like this, and admins bother to run them and pay attention. It's not ironic -- it's an object lesson. As linux gets more exposure, we'll have an increasing need for this type of thing.

      For example, I've worked under linux at work for years, I could whip out the perl command to ROT-13 your entire drive in a couple of seconds, and I'm pretty sure any linux box I set up would be totally i
    • Nevermind that Microsoft has been shipping security lockdown and analysis tools for their own OS for YEARS now :( (Since at least Win2k)

      http://www.microsoft.com/technet/security/tools/default.mspx

      Not that many IT people can pull their head out of their asses long enough to bother with them though :(

      Locked down, admined and patched Windows machines do not get hacked. But don't let facts get in the way of a good MS bash.
  • A "lockdown" program such as this is only half of the battle. You need to keep your kernel updated, patch programs with fixes, and also make sure that a lockdown program such as Bastille is actually doing what it's supposed to, by making sure that the rules and configurations it creates are actually sane.
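The story summary describes Bastille's new Assessment mode (report which hardening steps have been taken, which remain, and produce a score), and the comment above asks for the same scrutiny of whatever a lockdown tool actually changed. The following is an added example, not Bastille's own code, of what such a report looks like in miniature: a Python script that scores three of the items a hardening report typically covers, namely services listening on every interface (the "servers on by default" complaint earlier in the thread), world-writable files outside sticky directories (the `chmod -R 777 /` case), and setuid-root binaries outside a known set. The netstat and find output it consumes is constructed sample data embedded in the block so it runs offline; the allow-lists `EXPECTED_LISTENERS` and `KNOWN_SETUID` and the point deductions are illustrative assumptions, and the `mode owner path` layout it parses is what GNU find's `-printf '%m %u %p\n'` emits.

```python
"""Miniature hardening assessment in the spirit of Bastille's report mode.

Added example, not Bastille's own code. It parses `netstat -tln` output and
GNU find output printed as 'mode owner path', flags three classes of finding,
and computes a score. Sample inputs below are constructed for the example;
the allow-lists and point deductions are illustrative assumptions.
"""
import re

# Assumed allow-list: ports that are expected to listen on all interfaces.
EXPECTED_LISTENERS = {22}
# Assumed allow-list: setuid-root binaries a base install legitimately needs.
KNOWN_SETUID = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su"}
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

# Constructed sample of `netstat -tln` output.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp6       0      0 :::53                   :::*                    LISTEN
"""

# Constructed sample of GNU find output in 'mode owner path' form.
SAMPLE_FIND = """\
4755 root /usr/bin/passwd
4755 root /usr/bin/sudo
4755 root /usr/local/bin/oldtool
1777 root /tmp
777 www /var/www/uploads
644 root /etc/passwd
"""


def parse_listeners(netstat_text):
    """Return a set of (bind_address, port) for every TCP socket in LISTEN state."""
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6") or fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # rpartition copes with IPv6 ':::53'
        listeners.add((addr, int(port)))
    return listeners


def exposed_listeners(listeners):
    """Listeners bound to a wildcard address on a port that is not on the allow-list."""
    return sorted((a, p) for a, p in listeners
                  if a in WILDCARD_ADDRS and p not in EXPECTED_LISTENERS)


def parse_find(find_text):
    """Parse 'mode owner path' lines into (mode_bits, owner, path) tuples."""
    entries = []
    for line in find_text.splitlines():
        m = re.match(r"^(\d{3,4})\s+(\S+)\s+(\S.*)$", line)
        if m:
            entries.append((int(m.group(1), 8), m.group(2), m.group(3)))
    return entries


def world_writable(entries):
    """World-writable paths, ignoring sticky directories such as /tmp (mode 1777)."""
    return sorted(p for mode, _, p in entries
                  if mode & 0o002 and not mode & 0o1000)


def unexpected_setuid(entries):
    """setuid-root files that are not on the known-good list."""
    return sorted(p for mode, owner, p in entries
                  if mode & 0o4000 and owner == "root" and p not in KNOWN_SETUID)


def assess(netstat_text, find_text):
    """Return (score, findings); 100 is clean, each finding deducts points."""
    entries = parse_find(find_text)
    findings = []
    for addr, port in exposed_listeners(parse_listeners(netstat_text)):
        findings.append((20, f"port {port} listens on {addr}; bind to localhost or disable"))
    for path in world_writable(entries):
        findings.append((10, f"{path} is world-writable"))
    for path in unexpected_setuid(entries):
        findings.append((15, f"{path} is setuid root and not on the known list"))
    score = max(0, 100 - sum(points for points, _ in findings))
    return score, [msg for _, msg in findings]


if __name__ == "__main__":
    score, findings = assess(SAMPLE_NETSTAT, SAMPLE_FIND)
    for msg in findings:
        print("FAIL:", msg)
    print(f"hardening score: {score}/100")
```

On the sample data the script reports two exposed ports (portmap on 111 and DNS on 53; sshd on 22 is allowed and the mail server is bound to loopback only), one world-writable upload directory, and one unknown setuid binary, for a score of 35. To point it at a real host, feed it the output of `netstat -tln` and of `find / -xdev -perm /6002 -printf '%m %u %p\n'`; the sticky-bit exclusion matters there, since a naive world-writable check would otherwise flag /tmp on every system.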
  • Wow. (Score:1, Interesting)

    by sglider (648795)
    I'm pretty stoked about this. Of course, this is the first time I've even *heard* about Bastille Linux, but as a Windows IT guy that wants to move to linux (gentoo, here I come?), I'm glad to see these innovations and changes.

    On a related note, if Windows made updates/innovations at this rate, I highly doubt that there would be this much criticism towards them. It's amazing that a company that hosts the richest man in the world can't cope with the innovation of an 'inferior' (I'm being facetious here,
    • re: Bastille Unix (Score:2, Interesting)

      Just as an FYI -
      Bastille Linux [bastille-linux.org] is a program, not a flavor. It should run on any flavor of Linux Distro with the appropriate tweaking.

      It's really nice; I was introduced to it with the book "Hackproofing Linux" and it does a lot of neat stuff.

      Sets up sudo (if it's not already configured). Creates a second root user that is the "true" root user, and keylogs everything that root does, and alerts the true root of any attempted accesses.
      And a bunch of other stuff. I just thought the root stuff was extra se

    • Re:Wow. (Score:3, Insightful)

      by pandrijeczko (588093)
      but as a Windows IT guy that wants to move to linux

      Why "move"? Dual boot it, play with it and move when and if you're ready to.

      It's amazing that a company that hosts the richest man in the world can't cope with the innovation of an 'inferior' (I'm being facetious here, not trolling) business model.

      The problem with Windows security is one of architecture, not so much business model.

      When a UNIX system gets attacked, it's because some cracker or script-kiddie has picked that system as a target - becaus

    • Gentoo (Score:2, Interesting)

      by Danuvius (704536)
      You mentioned Gentoo.

      It is definitely more work to setup (though, if you are computer literate you doubtless will be able to do it, so long as you pay close attention to the Handbook) but more rewarding in the end.

      For me, other than that I found Gentoo to be the distribution that really started teaching me about linux, Gentoo was my eventual "only choice" because of the range of programs I use.

      I found no other distribution had *all* the programs I use in their native software repositories. And installin
    • Re:Wow. (Score:1, Informative)

      by Anonymous Coward
      as a Windows IT guy that wants to move to linux (gentoo, here I come?),

      Since you felt the need to mention that you are in IT, I am going to assume that you are talking about moving some of the production machines over to Linux. If that is the case I would strongly advise against Gentoo. Go with a distro that has some kind of real support that will make management happy, we use Redhat but now that Novell owns and supports SuSE I would say that they are also an option.

      Gentoo is not suited for the corporate
      • Go with what works in the workplace not what some smelly zealot who has never even worked in IT thinks is the cool distro.

        Gentoo or most any other distro -- given a good admin -- can function well doing just about any type of normal "business" task. But as we are all beginning (at varying rates) to realize is that the distro itself doesn't really matter. More and more the various configuration tools are being ported to many/all distros and what we are left with are basically just different choices of file
  • *BSD versions? (Score:3, Interesting)

    by Noksagt (69097) on Wednesday April 20, 2005 @08:50AM (#12291350) Homepage
    I'm a bit surprised that it has been ported to a primarily desktop-OS (OS X), rather than Free/Open/Net-BSD. Anyone know of efforts to get this into ports? Are there already equivalent *BSD tools?
    • I don't think this would really make a difference to security on OpenBSD. It's quite secure as-is.

      I suppose their reasoning was that Macs have a larger percentage of the market share than *BSD. Or maybe someone just felt like porting to OSX, and no one was motivated to port to *BSD.
    • Bastille for OpenBSD?

      "I see that I am running on an OpenBSD system.

      Checking ...
      You are working as the root user. This is not secure. Please run as a non root user."
  • [root@localhost root]# bastille --report
    ERROR: 'MN9.2' is not a supported operating system.
  • .. when do we get one for Slackware [slackware.com]

    Suchetha
  • by olyar (591892)
    The assessment demo looks pretty nice, but not as comprehensive as the Tiger Security tool. http://savannah.nongnu.org/projects/tiger. [nongnu.org]

    I've been working with Tiger quite a bit over the last few months (even contributing some changes) and I'm pretty impressed with what it can do.
    Also handy is the fact that it runs on most of the proprietary *NIX's.

    [/Tiger Plug]

  • http://castle.altlinux.ru/
  • Great news (Score:2, Interesting)

    by Anonymous Coward
    This new reporting feature reminds me of the CIS Security Benchmark [cisecurity.org] which was recently covered by NewsForge [newsforge.com]. The thing that has always bothered me about CIScan, however, is the mandatory registration process you have to go through before you download it. With Bastille offering similar functionality the need to use CIScan is greatly diminished in favor of a more "open" solution (not to bash CIS, but I don't enjoy having to keep track of yet-another-download-account).

    What really makes the CIS benchmark great
