Bastille Adds Reporting, Grabs Fed Attention
johnny.ihackstuff.com writes "NewsForge interviews the Bastille project lead Jay Beale about Bastille's cool new assessment feature, which reports and scores Linux security and -- as always -- makes Linux lockdown super-easy. Available for many distros and Mac OS X, too. Best of all, it's free and open source!" As Jay points out in the interview, the work was "sponsored by the U.S. government's Technical Support Working Group." An anonymous reader summarizes the new capability: "In essence, Bastille now does two things. In one mode, it locks down an operating system, tweaking the configuration for increased security, asking you about each step and teaching you along the way. In the new Assessment mode, it reports on what hardening steps have been taken and what could be taken."
Cool, but... (Score:3, Interesting)
What's the equivalent on Windows? (Score:0, Interesting)
Wow. (Score:1, Interesting)
On a related note, if Windows made updates/innovations at this rate, I highly doubt that there would be this much criticism towards them. It's amazing that a company that hosts the richest man in the world can't cope with the innovation of an 'inferior' (I'm being facetious here, not trolling) business model.
re: Bastille Unix (Score:2, Interesting)
Bastille Linux [bastille-linux.org] is a program, not a flavor. It should run on any flavor of Linux distro with the appropriate tweaking.
It's really nice; I was introduced to it with the book "Hackproofing Linux" and it does a lot of neat stuff.
Sets up sudo (if it's not already configured).
Creates a second root user that is the "true" root user, keylogs everything that root does, and alerts the true root of any attempted accesses.
And a bunch of other stuff. I just thought the root stuff was extra sexy.
*BSD versions? (Score:3, Interesting)
Re:Needs to be point and click. (Score:1, Interesting)
From the Bastille-Linux OS X page [bastille-linux.org]
1. Download the tarball from the source link: Bastille-.tbz2.
2. Uncompress the file, like so:
tar -xjvf Bastille-.tbz2
NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the next week.
3. Run the install script, like so:
cd Bastille && sh
4. Confirm that you have perl-Tk installed.
5. Start up an X Server.
6. Run bastille -x.
I'm thinking that anyone who doesn't have the skill to do that won't be able to implement the changes suggested by Bastille either, making the whole exercise pointless.
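The install note above explains why the tarball fails to unpack on HFS/HFS+: a directory named Bastille and a script named bastille collapse into one path once case is folded. The following script is an added example (not Bastille project code, and not from the original post) that lists an archive's members and reports any paths that would collide on a case-insensitive filesystem, so the problem is caught before extraction rather than half-way through it. The demo archive it builds is constructed here to reproduce that layout; `tar -t` on GNU tar and bsdtar auto-detects bzip2 when reading, so the same check works on the real `.tbz2`.

```shell
#!/bin/sh
# Added example (not part of the Bastille project): detect tarball members whose
# paths collide once case is folded, as on HFS+ (directory "Bastille/" versus
# script "bastille").

# Print each case-folded path that occurs more than once in the archive.
# Trailing slashes on directory entries are stripped so "Bastille/" and
# "bastille" compare equal.
find_case_collisions() {
    tar -tf "$1" | sed 's:/$::' | tr '[:upper:]' '[:lower:]' | sort | uniq -d
}

# Exit status 0 when the archive can be unpacked safely on a case-insensitive
# filesystem, 1 otherwise (collisions are reported on stderr).
safe_to_extract() {
    dups=$(find_case_collisions "$1")
    if [ -n "$dups" ]; then
        printf 'case collision(s): %s\n' "$dups" >&2
        return 1
    fi
    return 0
}

# Build a constructed demo archive that mirrors the Bastille layout described in
# the install note: a Bastille/ directory next to a bastille shell script.
make_demo_tarball() {
    d=$(mktemp -d)
    mkdir "$d/Bastille"
    printf 'README\n' > "$d/Bastille/README"
    printf '#!/bin/sh\necho bastille\n' > "$d/bastille"
    (cd "$d" && tar -cf "$d/demo.tar" Bastille bastille)
    printf '%s\n' "$d/demo.tar"
}

# Stand-alone usage: check the archive named on the command line, or the
# constructed demo archive when none is given.
if [ -n "${1:-}" ]; then
    safe_to_extract "$1" && echo "ok: $1"
else
    demo=$(make_demo_tarball)
    safe_to_extract "$demo" || echo "refusing to unpack $demo on a case-insensitive filesystem"
fi
```

Run it with no arguments to see the constructed collision reported, or pass the downloaded tarball to check it before `tar -xjvf`.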
this is *why* (Score:3, Interesting)
For example, I've worked under Linux at work for years and I could whip out the perl command to ROT-13 your entire drive in a couple of seconds, and I'm pretty sure any Linux box I set up would be totally insecure. Don't downplay the significance of tools like this.
Gentoo (Score:2, Interesting)
It is definitely more work to setup (though, if you are computer literate you doubtless will be able to do it, so long as you pay close attention to the Handbook) but more rewarding in the end.
For me, other than that I found Gentoo to be the distribution that really started teaching me about linux, Gentoo was my eventual "only choice" because of the range of programs I use.
I found no other distribution had *all* the programs I use in their native software repositories. And installing from third-party repositories eventually caused me problems on other systems. (SuSE, Debian, Ubuntu and Xandros were my other linux attempts.)
So, let me heartily suggest, if you do make a decision to try out linux; do some research about programs first to make sure you can get the software you need with the distro you choose.
If you do go with Gentoo, I (and the myriad other forum users at http://forums.gentoo.org/) will be happy to help you. If you'd like some pre-installation tips or help with figuring out Linux equivalent programs, send me a private message at http://forums.gentoo.org/ (username: danuvius) and I'll be happy to help you out.
Re:Why do we need to harden distros ? (Score:5, Interesting)
1) It had no shells of any sort, nor any user interface of any sort.
2) It would not mount any filesystem whose CDs meet a certain checksum (this avoided mounting random data). For CDs that had the right checksum, it would automatically run a program with a particular name. This was the sole way to introduce new software/issue commands to the system.
3) It had only about 4 open ports, 2 for getting data and 2 it used for sending the data out.
4) It was stripped, having almost no software except the bare minimum needed to run 2 apps. It used a minimal set of libraries missing any links that weren't needed for the included software. All the apps and all the libraries had their names scrambled (using a hash generator) so apache might be something like
5) It checksummed the bios to verify the bios wasn't corrupted (i.e. boot password was intact).
6) Data on the drives were encrypted.
Sound like a fun distribution to work on? On the other hand, under computer generated network attacks (like say 10000 attacks per second) the system was able to function fine indefinitely. Even somebody with physical access would have had to take a long time to hack the system.
That is sort of the ultimate in Linux security. The goal of hardening a system is to reduce points of entry for people to issue privileged commands, and this is done by reducing features. And that means a decrease in usability.
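Point 2 of the design above (only media with a known checksum get mounted, and a program with a fixed name is then run from them) is a verify-before-execute gate. The script below is an added example written for this thread, not code from the commenter or from Bastille, that implements that gate in plain sh: it hashes every file on a medium in a stable order, folds the listing into one digest, and runs the fixed-name program only if the digest appears in an allowlist. The medium directory, the allowlist file and the payload name `autorun.sh` are assumed names chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the original comment or any Bastille code): run a
# fixed-name program from removable media only when the medium's contents hash
# to a trusted value. Names below (autorun.sh, the allowlist file) are assumed.

PAYLOAD_NAME="autorun.sh"

# Digest of the whole medium: hash every regular file in a stable (byte) order,
# then hash the resulting listing, so any changed, added or removed file alters
# the final digest.
medium_digest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum) | sha256sum | cut -d' ' -f1
}

# Run the payload only if the medium's digest is on the allowlist (one hex
# digest per line). Anything else is refused, with the reason on stderr.
run_if_trusted() {
    medium="$1"
    allowlist="$2"
    digest=$(medium_digest "$medium")
    if grep -qx "$digest" "$allowlist"; then
        sh "$medium/$PAYLOAD_NAME"
        return $?
    fi
    printf 'refusing medium %s: digest %s not trusted\n' "$medium" "$digest" >&2
    return 1
}

# Constructed demo medium: a payload script plus one data file.
make_demo_medium() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho payload-ran\n' > "$d/$PAYLOAD_NAME"
    printf 'data\n' > "$d/data.txt"
    printf '%s\n' "$d"
}

# Stand-alone usage: trust the pristine demo medium, run it, tamper with the
# payload, and show that the tampered medium is refused.
if [ -z "${1:-}" ]; then
    medium=$(make_demo_medium)
    allowlist=$(mktemp)
    medium_digest "$medium" > "$allowlist"
    run_if_trusted "$medium" "$allowlist"
    printf 'echo tampered\n' >> "$medium/$PAYLOAD_NAME"
    run_if_trusted "$medium" "$allowlist" || echo "tampered medium refused"
fi
```

The allowlist is the only thing an operator maintains: a new software release means computing its digest on a trusted machine and appending one line, and any medium that deviates by a single byte is refused before its program gets to run.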
Re:A windows version (Score:3, Interesting)
Great news (Score:2, Interesting)
What really makes the CIS benchmark great is the manual it comes with (which I briefly described in a comment here [newsforge.com]), so I hope the Bastille project doesn't neglect to document the benchmark in a similar way, so as to inform administrators about the various trade-offs involved. I suspect Bastille has modeled the reporting feature after CIScan, though, so it will probably turn out to be a great replacement.
Great work guys, this new feature is welcomed with open arms.