
Bastille Adds Reporting, Grabs Fed Attention

johnny.ihackstuff.com writes "NewsForge interviews the Bastille project lead Jay Beale about Bastille's cool new assessment feature, which reports and scores Linux security and -- as always -- makes Linux lockdown super-easy. Available for many distros and Mac OS X, too. Best of all, it's free and open source!" As Jay points out in the interview, the work was "sponsored by the U.S. government's Technical Support Working Group." An anonymous reader summarizes the new capability: "In essence, Bastille now does two things. In one mode, it locks down an operating system, tweaking the configuration for increased security, asking you about each step and teaching you along the way. In the new Assessment mode, it reports on what hardening steps have been taken and what could be taken."

  • by yardbird ( 165009 ) * on Wednesday April 20, 2005 @08:22AM (#12291197) Homepage
    In TFA, he claims that the project is helping to push vendors in that direction:

    "The short-term effect of Bastille here was that possibly a hundred thousand Linux DNS servers couldn't be compromised. The long-term effect was that Linux distribution makers gained both familiarity with a couple more hardening steps and confidence that those steps would be palatable to users. Additionally, Linux users came to expect tighter configurations from their distribution vendors."

    I agree it would be better for the vendors to do it without prompting, though, but this can help to standardize best practices.
  • Re:A windows version (Score:5, Informative)

    by Sexy Bern ( 596779 ) on Wednesday April 20, 2005 @08:23AM (#12291207)
    The baseline security analyzer?

    http://www.microsoft.com/technet/security/tools/mbsahome.mspx [microsoft.com]

  • Re:A windows version (Score:4, Informative)

    by Sexy Bern ( 596779 ) on Wednesday April 20, 2005 @08:25AM (#12291215)
    Hate to reply to myself, but some reluctant admins may also like to use the MS Exchange best practices analyzer:

    http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx [microsoft.com]

  • Re:Cool, but... (Score:3, Informative)

    by Dr.Opveter ( 806649 ) on Wednesday April 20, 2005 @08:28AM (#12291237)
    It's not that ironic if you see what type of thing [bastille-linux.org] it actually checks.
    Windows usually doesn't come with a mail or ftp server (yeah yeah, line up the spyware/malware server installing jokes here).
  • by Anonymous Coward on Wednesday April 20, 2005 @08:33AM (#12291260)
    The windows admins here keep saying that Windows has better security stuff than Linux

    Do they? Where, I haven't noticed?

    Windows 2003 SP1 has a funky new security lockdown wizard, and there've been IIS lockdown tools for a few years now. There's also MBSA which lets you security-scan your whole domain in one go.
  • Re:A windows version (Score:1, Informative)

    by Anonymous Coward on Wednesday April 20, 2005 @08:35AM (#12291273)
    the MS Exchange best practices analyzer:

    Or, shorter, http://www.exbpa.com/ [exbpa.com].
  • by olyar ( 591892 ) on Wednesday April 20, 2005 @09:18AM (#12291558) Homepage Journal
    The assessment demo looks pretty nice, but not as comprehensive as the Tiger Security tool. http://savannah.nongnu.org/projects/tiger. [nongnu.org]

    I've been working with Tiger quite a bit over the last few months (even contributing some changes) and I'm pretty impressed with what it can do.
    Also handy is the fact that it runs on most of the proprietary *NIX's.

    [/Tiger Plug]

  • by 99BottlesOfBeerInMyF ( 813746 ) on Wednesday April 20, 2005 @10:25AM (#12292138)

    Your link is broken. The correct link is: http://savannah.nongnu.org/projects/tiger [nongnu.org].

  • Re:Wow. (Score:1, Informative)

    by Anonymous Coward on Wednesday April 20, 2005 @10:41AM (#12292299)
    as a Windows IT guy that wants to move to linux (gentoo, here I come?),

    Since you felt the need to mention that you are in IT, I am going to assume that you are talking about moving some of the production machines over to Linux. If that is the case I would strongly advise against Gentoo. Go with a distro that has some kind of real support that will make management happy, we use Redhat but now that Novell owns and supports SuSE I would say that they are also an option.

    Gentoo is not suited for the corporate arena. Gentoo is just the current trendy distro to have installed. There is always some trendy distro within the Linux Geek world and right now that distro is Gentoo. Give it a year and there will be another trendy distro and Gentoo will be forgotten. I say this as a guy who has been watching this happen for close to a decade now. Don't be a conformist geek sheep. Go with what works in the workplace not what some smelly zealot who has never even worked in IT thinks is the cool distro.
  • by iamnotanumber6 ( 755703 ) on Wednesday April 20, 2005 @02:59PM (#12294810)
    I struggled with this for a while.

    "NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the next week."

    Huh? Well, it seemed to unpack for me, I don't know.

    Step three actually says:

    3. Run the install script, like so:

    cd Bastille && sh bin/Install-OSX.sh

    Which didn't work (you've corrected it above, but not on the actual page). Fooled around for a while in confusion about that, since there *is* an install script in the bin directory, but it's called "bastille"; it has an "os" option but only seems to know about HP-UX and not OSX...

    Finally found the other script, which failed with lots of error messages. You need to do "sudo" before the command.

    And then, "confirm that you have perl-Tk installed". Apparently I don't. "Do not forget to get perl-Tk installed before running Bastille." - to me that's a bit like "attach the toaster to your nose in the usual way". Where do I get it? Fink? Nope, not there. perltk.org? Total confusion. Ok, it's over an hour now, I'm still searching around trying to find how to install perlTk on OS X, and you know what?

    Fuck it.

    It's not that I don't have the skills. I just don't want to fool around anymore.

    I don't mean to be critical, but you've been slashdotted, and there are going to be a *lot* of people having the same frustrating experience that I just did today, who probably won't remember to come back next week when it's working.
