
Bastille Adds Reporting, Grabs Fed Attention

johnny.ihackstuff.com writes "NewsForge interviews the Bastille project lead Jay Beale about Bastille's cool new assessment feature, which reports and scores Linux security and -- as always -- makes Linux lockdown super-easy. Available for many distros and Mac OS X, too. Best of all, it's free and open source!" As Jay points out in the interview, the work was "sponsored by the U.S. government's Technical Support Working Group." An anonymous reader summarizes the new capability: "In essence, Bastille now does two things. In one mode, it locks down an operating system, tweaking the configuration for increased security, asking you about each step and teaching you along the way. In the new Assessment mode, it reports on what hardening steps have been taken and what could be taken."
  • Cool, but... (Score:3, Interesting)

    by DrLex ( 811382 ) on Wednesday April 20, 2005 @08:19AM (#12291184) Homepage
    The ironical thing about this software is that it only works on *n*x systems, while the OS that probably could benefit most from it is Windows...
  • by Anonymous Coward on Wednesday April 20, 2005 @08:21AM (#12291192)
    The windows admins here keep saying that Windows has better security stuff than Linux; so before raising this issue with them, I wanted to get a heads up on how they might respond.
  • Wow. (Score:1, Interesting)

    by sglider ( 648795 ) on Wednesday April 20, 2005 @08:22AM (#12291204) Homepage Journal
    I'm pretty stoked about this. Of course, this is the first time I've even *heard* about Bastille Linux, but as a Windows IT guy that wants to move to linux (gentoo, here I come?), I'm glad to see these innovations and changes.

    On a related note, if Windows made updates/innovations at this rate, I highly doubt that there would be this much criticism towards them. It's amazing that a company that hosts the richest man in the world can't cope with the innovation of an 'inferior' (I'm being facetious here, not trolling) business model.
  • re: Bastille Unix (Score:2, Interesting)

    by BitterAndDrunk ( 799378 ) on Wednesday April 20, 2005 @08:38AM (#12291284) Homepage Journal
    Just as an FYI -
    Bastille Linux [bastille-linux.org] is a program, not a flavor. It should run on any flavor of Linux Distro with the appropriate tweaking.

    It's really nice; I was introduced to it with the book "Hackproofing Linux" and it does a lot of neat stuff.

    Sets up sudo (if it's not already configured)
    Creates a second root user that is the "true" root user, and keylogs everything that root does, and alerts the true root of any attempted accesses
    And a bunch of other stuff. I just thought the root stuff was extra sexy.

  • *BSD versions? (Score:3, Interesting)

    by Noksagt ( 69097 ) on Wednesday April 20, 2005 @08:50AM (#12291350) Homepage
    I'm a bit surprised that it has been ported to a primarily desktop-OS (OS X), rather than Free/Open/Net-BSD. Anyone know of efforts to get this into ports? Are there already equivalent *BSD tools?
  • by Anonymous Coward on Wednesday April 20, 2005 @09:21AM (#12291581)
    The download instructions for OSX were a little intimidating, even for someone like me with basic Unix skills...

    From the Bastille-Linux OS X page [bastille-linux.org]

    1. Download the tarball from the source link: Bastille-.tbz2.
    2. Uncompress the file, like so:

    tar -xjvf Bastille-.tbz2

    NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the next week.
    3. Run the install script, like so:

    cd Bastille && sh ./Install-OSX.sh

    4. Confirm that you have perl-Tk installed.
    5. Start up an X Server.
    6. Run bastille -x.

    I'm thinking that anyone who doesn't have the skill to do that won't be able to implement the changes suggested by Bastille either, making the whole exercise pointless.
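
Added example (not part of the comment above and not Bastille's own code): the case-sensitivity note in the quoted install steps can be checked before extraction by scanning a tar member listing for paths that differ only by letter case. The function name `case_collisions`, the sample listing, and the ASCII-only case folding are assumptions made for illustration.

```shell
#!/bin/sh
# Report archive paths that would collide on a case-insensitive filesystem.
# Reads one member path per line on stdin, e.g.:  tar -tjf archive.tbz2 | case_collisions
# Prints "first-spelling<TAB>clashing-spelling"; returns 1 if any clash was found.
# Assumption: ASCII case folding via awk tolower(), simpler than HFS+ Unicode rules.
case_collisions() {
    awk '
    {
        path = $0
        sub(/^\.\//, "", path)   # normalise a leading "./"
        sub(/\/+$/, "", path)    # directories are listed with a trailing "/"
        if (path == "") next
        n = split(path, part, "/")
        prefix = ""
        # Check every prefix: a clash in a parent directory breaks extraction too.
        for (i = 1; i <= n; i++) {
            prefix = (i == 1) ? part[i] : prefix "/" part[i]
            key = tolower(prefix)
            if (!(key in seen)) {
                seen[key] = prefix
            } else if (seen[key] != prefix) {
                if (!((key, prefix) in reported)) {
                    reported[key, prefix] = 1
                    printf "%s\t%s\n", seen[key], prefix
                    found = 1
                }
                break            # deeper components only repeat the same clash
            }
        }
    }
    END { exit (found ? 1 : 0) }
    '
}

# Constructed listing: a directory "Bastille" beside a script "bastille".
# Only Install-OSX.sh is a name taken from the page; the rest is made up.
sample_listing() {
    printf '%s\n' \
        'Bastille/' \
        'Bastille/Install-OSX.sh' \
        'Bastille/Bastille/' \
        'Bastille/Bastille/module.pm' \
        'Bastille/bastille'
}

sample_listing | case_collisions || echo "case collisions found" >&2
```
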
  • this is *why* (Score:3, Interesting)

    by Heisenbug ( 122836 ) on Wednesday April 20, 2005 @10:03AM (#12291969)
    A major reason that nix systems have a reputation hereabouts for superior security is that developers bother to write tools like this, and admins bother to run them and pay attention. It's not ironic -- it's an object lesson. As linux gets more exposure, we'll have an increasing need for this type of thing.

    For example, I've worked under linux at work for years, I could whip out the perl command to ROT-13 your entire drive in a couple of seconds, and I'm pretty sure any linux box I set up would be totally insecure. Don't downplay the significance of tools like this ...
  • Gentoo (Score:2, Interesting)

    by Danuvius ( 704536 ) on Wednesday April 20, 2005 @10:41AM (#12292297)
    You mentioned Gentoo.

    It is definitely more work to setup (though, if you are computer literate you doubtless will be able to do it, so long as you pay close attention to the Handbook) but more rewarding in the end.

    For me, other than that I found Gentoo to be the distribution that really started teaching me about linux, Gentoo was my eventual "only choice" because of the range of programs I use.

    I found no other distribution had *all* the programs I use in their native software repositories. And installing from third-party repositories eventually caused me problems on other systems. (SuSE, Debian, Ubuntu and Xandros were my other linux attempts.)

    So, let me heartily suggest, if you do make a decision to try out linux; do some research about programs first to make sure you can get the software you need with the distro you choose.

    If you do go with Gentoo, I (and the myriad other forum users at http://forums.gentoo.org/) will be happy to help you. If you'd like some pre-installation tips or help with figuring out linux equivalent programs, send me a private message at http://forums.gentoo.org/ (username: danuvius) and I'll be happy to help you out.
  • by jbolden ( 176878 ) on Wednesday April 20, 2005 @10:45AM (#12292329) Homepage
    I once built a very secure version. Here are the sorts of things I did.

    1) It had no shells of any sort, nor any user interface of any sort.

    2) It would not mount any filesystem whose CDs meet a certain checksum (this avoided mounting random data). CDs that had the right checksum it would automatically run a program with a particular name. This was the sole way to introduce new software/issue commands to the system.

    3) It had only about 4 open ports: 2 for getting data and 2 it used for sending the data out.

    4) It was stripped having almost no software except the bare minimum needed to run 2 apps. It used a minimal set of libraries missing any links that weren't needed for the included software. All the apps and all the libraries had their names scrambled (using a hash generator) so apache might be something like /vksjl39/skl9394/i8843nvnnf. This made the box harder to get around. The result most pieces of gcc software wouldn't have run at all with a great deal of knowledge about the box.

    5) It checksummed the bios to verify the bios wasn't corrupted (i.e. boot password was intact).

    6) Data on the drives were encrypted.

    Sound like a fun distribution to work on? On the other hand under computer generated network attacks (like say 10000 attacks per second) the system was able to function fine indefinitely. Even somebody with physical access would have had to take a long time to hack the system.

    That is sort of the ultimate in Linux security. The goal of hardening a system is to reduce points of entry for people to issue privileged commands, and this is done by reducing features. And that means a decrease in usability.
  • Re:A windows version (Score:3, Interesting)

    by MajorDick ( 735308 ) on Wednesday April 20, 2005 @10:50AM (#12292373)
    It MAY be possible later as LongHorn / WinFS is supposed to use *nix style perms.
  • Great news (Score:2, Interesting)

    by Anonymous Coward on Wednesday April 20, 2005 @11:22AM (#12292636)
    This new reporting feature reminds me of the CIS Security Benchmark [cisecurity.org] which was recently covered by NewsForge [newsforge.com]. The thing that has always bothered me about CIScan, however, is the mandatory registration process you have to go through before you download it. With Bastille offering similar functionality the need to use CIScan is greatly diminished in favor of a more "open" solution (not to bash CIS, but I don't enjoy having to keep track of yet-another-download-account).

    What really makes the CIS benchmark great is the manual it comes with (which I briefly described in a comment here [newsforge.com]), so I hope the Bastille project doesn't neglect to document the benchmark in a similar way as to inform administrators about the various trade-offs involved. I suspect Bastille has modeled the reporting-feature after CIScan, though, so it will probably turn out to be a great replacement.

    Great work guys, this new feature is welcomed with open arms.
