Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security OS X Operating Systems Software Unix IT Linux

Bastille Adds Reporting, Grabs Fed Attention 151

johnny.ihackstuff.com writes "NewsForge interviews the Bastille project lead Jay Beale about Bastille's cool new assessment feature, which reports and scores Linux security and -- as always -- makes Linux lockdown super-easy. Available for many distros and Mac OS X, too. Best of all, it's free and open source!" As Jay points out in the interview, the work was "sponsored by the U.S. government's Technical Support Working Group." An anonymous reader summarizes the new capability: "In essence, Bastille now does two things. In one mode, it locks down an operating system, tweaking the configuration for increased security, asking you about each step and teaching you along the way. In the new Assessment mode, it reports on what hardening steps have been taken and what could be taken."
This discussion has been archived. No new comments can be posted.

Bastille Adds Reporting, Grabs Fed Attention

Comments Filter:
  • by gowen ( 141411 ) <gwowen@gmail.com> on Wednesday April 20, 2005 @07:15AM (#12291162) Homepage Journal
    ... but if I were starting a Linux security project, I'd name it after a prison which was difficult to escape from [wikipedia.org], rather than one famous for being stormed by about 1,000 upset Frenchmen. [wikipedia.org]
  • by Elgreco1 ( 714955 ) on Wednesday April 20, 2005 @07:16AM (#12291165) Homepage
    Why do we need hardening wizzards, tools software and so on. Why can't distributions be secure out of the box ?
    • by gowen ( 141411 ) <gwowen@gmail.com> on Wednesday April 20, 2005 @07:19AM (#12291186) Homepage Journal
      Why can't distributions be secure out of the box ?
      Essentially, there's a trade off to be made between security and ease of use (for example, a hardened distro won't let users mount filesystems, let alone do it automagically. Desktop distros consider automounting CD's and USB sticks to be de rigeur.).

      Most distributions try to steer a happy medium. Some sacrifice security for simplicity. [slashdot.org] Others (like Bastille) take the opposite tack.
      • ... there's a trade off to be made between security and ease of use ...

        Yes, indeed. Still, most of the things that really matter on a desktop system aren't part of that tradeoff.

        My first linux install was RH6.0, and it had any number of servers running, right out of the box. Every server in the distribution was on and listening on the web, on the default install. For a great desktop experience, I didn't need NFS, bind, postfix, or any of a dozen other services that I eventually learned to shut down

    • Because some security features have pros and cons. It might make your system more secure but suddenly normal users can't use CDs and so on. These wizards can tailor the systems security according to your needs, not general needs which will not be as secure as a complete customized system.
    • by Daengbo ( 523424 ) <daengbo AT gmail DOT com> on Wednesday April 20, 2005 @07:21AM (#12291196) Homepage Journal
      Part of Bastille's goal is to educate the admin, as well, so (even if your distro is very secure out of the box) you can run the program, listen to all the checks and changes, learn from Bastille why things should be set up that way, and maybe admin your box better. Alas, though, most distros are not as secure as they should be, and Bastille will make you think about what tradeoffs you really want to make between ease of use and security.
      • And if you know why things should be set up a certain way, you can make informed business decisions on possibly why you wouldn't want a certain thing secure (that "ought" to be). You could then document that yes it should be, but here is why we aren't doing it.
    • by yardbird ( 165009 ) * on Wednesday April 20, 2005 @07:22AM (#12291197) Homepage
      In TFA, he claims that the project is helping to push vendors in that direction:

      "The short-term effect of Bastille here was that possibly a hundred thousand Linux DNS servers couldn't be compromised. The long-term effect was that Linux distribution makers gained both familiarity with a couple more hardening steps and confidence that those steps would be palatable to users. Additionally, Linux users came to expect tighter configurations from their distribution vendors."

      I agree it would be better for the vendors to do it without prompting, though, but this can help to standardize best practices.
    • by admorgan ( 168061 ) on Wednesday April 20, 2005 @07:25AM (#12291218) Homepage
      Why do we need hardening wizzards, tools software and so on. Why can't distributions be secure out of the box ?


      What about those of use whom don't use a distro? I often build systems from scratch and this gives me a convient useful tool to lock it down. Also why not go the other direction... Why don't distros use generic tools like this to keep their system secure out of the box. I would like to point out one thing though. People use linux for just about everything today. The wizard gives you the functionality to do non standard things to your system where as if the distro was secure out of the box when you add a new serice would you be able to say it was still secure or what happens if you make a mistake setting up a config file. Generic tools very good at what they do is much better than a large tools or relying on assumptions about the overall state of a system.
    • by gilesjuk ( 604902 ) <giles@jones.zen@co@uk> on Wednesday April 20, 2005 @07:28AM (#12291235)
      Security can often carry a level of pain with it that would annoy a desktop user.

      Also auditing many applications takes time. You can expect a distro run by a few people to audit thousands of lines of code in each package.
      • Compared to the level of pain required to correct an identity theft? I hear that's a pretty painful experience too...

        When I was working at data general, we had a team of 4 to 5 people auditing the C standard library and the source code for all the various UNIX utilities. Admittedly the team did have several months to complete their work. It's not particularly difficult to audit code that's already been written, but it is rather boring work, which makes it difficult to do in an open source environment.

    • by jbolden ( 176878 ) on Wednesday April 20, 2005 @09:45AM (#12292329) Homepage
      I once built a very secure version. Here is the sorts of things it I did.

      1) It had no shells of any sort, nor any user interface of any sort.

      2) It would not mount any filesystem whose CDs meet a certain checksum (this avoided mounting random data). CDs that had the right checksum it would automatically run a program with a particular name. This was the sole way to introduce new software/issue commands to the system.

      3) It only about 4 open ports, and 2 for getting data and 2 it used to sending the data out.

      4) It was stripped having almost no software except the bare mimimum needed to run 2 apps. It used a minimal set of libraries missing any links that weren't needed for the included software. All the apps and all the libraries had their names scrambled (using a hash generator) so apache might be something like /vksjl39/skl9394/i8843nvnnf. This made the box harder to get around. The result most pieces of gcc software wouldn't have run at all with a great deal of knowledge about the box.

      5) It checksummed the bios to verify the bios wasn't corrupted (i.e. boot password was intact).

      6) Data on the drives were encrypted.

      Sound like a fun distribution to work on? On the other hand under computer generated network attacks (like say 10000 attacks per second) they system was able function fine indefinitely. Even somebody with physical access would have had to take a long time to hack the system.

      That is sort of the ultimate in Linux security. The goal of hardening a system it to reduce points of entry for people to issue privledged commands, and this is done by reducing features. And that means a decrease in usability.
      • I built a very secure version too.

        1) It had no shells of any sort, nor any user interface of any sort.

        2) It would not mount any file system at all.

        3) It had a firewall consisting of a one-inch air gap between the power cord and the power supply, which effectively prevented all unwanted electrons from breaking into the system.

        This was *really* the ultimate in Linux security.
    • OpenBSD is, yet the fact the admin has to go and install extra things and actually configure services to run causes more people to whine that OpenBSD is too hard to use. People, including the vast number of admins, don't want a 'secure by default' installation, they want a system that just runs without much thought. Using Linux for that lets them delude themselves into thinking its secure on the based on the fact that its open source and not Windows.
    • Because some people newer to the world of Unix and Linux tend to execute
      chmod -R 777 /
      after giving up with trying to figure out permissions issues.
  • Comment removed (Score:4, Informative)

    by account_deleted ( 4530225 ) on Wednesday April 20, 2005 @07:17AM (#12291167)
    Comment removed based on user account deletion
    • You've got the right johnny, but well, you're just plain wrong about the email theft. No soup for you.
      • Comment removed based on user account deletion
        • To everyone in the security community that's been burned in even a small way by a hacker, hang it up. Sadly, your career is obviously over. You're done. No-one's [sic] going to take you seriously on security anymore.

          My defacement did not result in my user database being compromised. If my hosting provider was broken into, then I apologize for the inconvenience, and I'll be sure to let them know. I hate even the idea that my user base might be inconvenienced as a result of signing up for an account. Serio
  • A windows version (Score:3, Insightful)

    by JohnnyKlunk ( 568221 ) * on Wednesday April 20, 2005 @07:18AM (#12291172)
    I don't suppose someone could port this to windows could they?
    There's not a lot of decent tools for non-security-expert admins and windows could do with something like this (not meant as an anti-windows troll).

    Unfortunately too many corporate windows admins have so many pressures on their time that security of every server isn't always given the time it needs it sounds like this could provide a framework for that security.
  • Well... (Score:4, Funny)

    by JavaMoose ( 832619 ) on Wednesday April 20, 2005 @07:18AM (#12291176)
    I downloaded this, but I can't get it to run.

    Anyone else haveing problems getting this to run on Windows XP?

  • Scoring systems (Score:5, Insightful)

    by admorgan ( 168061 ) on Wednesday April 20, 2005 @07:18AM (#12291177) Homepage
    The score idea is actually pretty central here. When I first heard about it, I thought it was overly simplistic, but people really do get motivated and sometimes even jazzed up about improving the score on a system. They'll get a lower score than their ego tells them they should and will turn around and harden a few items on the box just to achieve a more encouraging score.

    This is an excelent example of making an application have a "value" as incentive to do the right thing. People are by nature competative and will strive to improve a "score" even if it doesn't necessarily help them in any way. I give cudose to whoever decided to add this feature.
  • by Guano_Jim ( 157555 ) on Wednesday April 20, 2005 @07:19AM (#12291182)
    The download instructions for OSX were a little intimidating, even for someone like me with basic Unix skills...

    Once Bastille for OSX becomes completely point and click it will take off like Jean Valjean after stealing a loaf of bread.
    • We are actively seeking OS X packagers -- please e-mail Jay if interested.

      I don't use OS X, but if anyone is looking to have a good impact with little effort email jay at bastille-linux.org
    • by Anonymous Coward
      The download instructions for OSX were a little intimidating, even for someone like me with basic Unix skills...

      From the Bastille-Linux OS X page [bastille-linux.org]

      1. Download the tarball from the source link: Bastille-.tbz2.
      2. Uncompress the file, like so:

      tar -xjvf Bastille-.tbz2

      NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the
      • Anyone who can't do that probably can't implement the hardening advice. It works in the other direction though, there are lots of people who could follow those instructions that could use the advice.
      • by iamnotanumber6 ( 755703 ) on Wednesday April 20, 2005 @01:59PM (#12294810)
        I struggled with this for a while.

        "NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the next week."

        Huh? Well, it seemed to unpack for me, I don't know.

        Step three actually says:

        3. Run the install script, like so:

        cd Bastille && sh bin/Install-OSX.sh

        Which didn't work (you've corrected it above, but not on the actual page). Fooled around for a while in confusion about that, since there *is* an install script in the bin directory, but it's called "bastille"; it has an "os" option but only seems to know about HP-UX and not OSX...

        Finally found the other script, which failed with lots of error messages. You need to do "sudo" before the command.

        And then, "confirm that you have perl-Tk installed". Apparently I don't. "Do not forget to get perl-Tk installed before running Bastille." - to me that's a bit like "attach the toaster to your nose in the usual way". Where do I get it? Fink? Nope, not there. perltk.org? Total confusion. Ok, it's over an hour now, I'm still searching around trying to find how to install perlTk on OS X, and you know what?

        Fuck it.

        It's not that I don't have the skills. I just don't want fool around anymore.

        I don't mean to be critical, but you've been slashdotted, and there are going to be a *lot* of people having the same frustrating experience that I just did today, who probably won't remember to come back next week when it's working.
        • For perl/Tk, just run

          cpan

          and once you are inside cpan, you should issue a command "force install Tk". You have to force because cpan fails some of the tests.

          I wouldn't have had problem installing Bastille, but I noticed that the install script installs all the files under /usr (like /usr/sbin, /usr/lib, etc.). So, I simply changed all the /usr/ to /usr/local/ where I usually install stuff myself.

          Then, the install script runs OK, but... we don't have the script "bastille" installed! It's still lying i
    • What, get locked up for 19 years?

      Five years for what you did, the rest because you tried to run...
    • Once Bastille for OSX becomes completely point and click it will take off like Jean Valjean after stealing a loaf of bread.

      I think they're planning on getting that up and running by 24/6/01.
    • Once Bastille for OSX becomes completely point and click it will take off like Jean Valjean after stealing a loaf of bread.

      As I recall, he didn't get very far, did he...Javert (sp?) my old friend.
  • Cool, but... (Score:3, Interesting)

    by DrLex ( 811382 ) on Wednesday April 20, 2005 @07:19AM (#12291184) Homepage
    The ironical thing about this software is that it only works on *n*x systems, while the OS that probably could benefit most from it is Windows...
    • Re:Cool, but... (Score:3, Informative)

      by Dr.Opveter ( 806649 )
      It's not that ironic if you see what type of thing [bastille-linux.org] it actually checks.
      Windows usually doesn't come with a mail or ftp server (yeah yeah, line up the spyware/malware server installing jokes here).
    • The ironical[sic] thing about this software is that it only works on *n*x systems, while the OS that probably could benefit most from it is Windows...

      ...as the saying goes, "You can't polish a turd!"
    • While Windows might certainly benefit from some similar support, Bastille provides a great service for Linux. With the popularity of Linux continuing to rise and rise, there are plenty of sysadmins in previously all-Windows shops who, while trying to learn all they can, are still nowhere near expert and can benefit from pre-packaged expertise like this.

      In the early days of my shop trying some Linux servers, we were hit more than once by hackers and worms targetting known exploits in common Linux elements s
    • this is *why* (Score:3, Interesting)

      by Heisenbug ( 122836 )
      A major reason that nix systems have a reputation hereabouts for superior security is that developers bother to write tools like this, and admins bother to run them and pay attention. It's not ironic -- it's an object lesson. As linux gets more exposure, we'll have an increasing need for this type of thing.

      For example, I've worked under linux at work for years, I could whip out the perl command to ROT-13 your entire drive in a couple of seconds, and I'm pretty sure any linux box I set up would be totally i
    • Nevermind that Microsoft has been shipping security lockdown and analysis tools for their own OS for YEARS now :( (Since at least Win2k)

      http://www.microsoft.com/technet/security/tools/ de fault.mspx

      Not that many IT people can pull their head out of their asses long enough to bother with them though :(

      Locked down, admined and patched Windows machines do not get hacked. But don't let facts get in the way of a good MS bash.
  • A "lockdown" program such as this is only half of the battle. You need to keep your kernel updated, patch programs with fixes, and also make sure that a lockdown program such as Bastille is actually doing what it's supposed to, by making sure that the rules and configurations it creates are actually sane.
  • Wow. (Score:1, Interesting)

    by sglider ( 648795 )
    I'm pretty stoked about this. Of course, this is the first time I've even *heard* about Bastille Linux, but as a Windows IT guy that wants to move to linux (gentoo, here I come?), I'm glad to see these innovations and changes.

    On a related note, if Windows made updates/innovations at this rate, I highly doubt that there would be this much criticism towards them. It's amazing that a company that hosts the richest man in the world can't cope with the innovation of an 'inferior' (I'm being facetious here,
    • Just as an FYI -
      Bastille Linux [bastille-linux.org] is a program, not a flavor. It should run on any flavor of Linux Distro with the appropriate tweaking.

      It's really nice; I was introduced to it with the book "Hackproofing Linux" and it does a lot of neat stuff.

      Sets up sudo (if it's not already configured) Creates a second root user that is the "true" root user, and keylogs everything that root does, and alerts the true root of any attempted accesses
      And a bunch of other stuff. I just thought the root stuff was extra se

    • Re: (Score:3, Insightful)

      Comment removed based on user account deletion
    • Gentoo (Score:2, Interesting)

      by Danuvius ( 704536 )
      You mentioned Gentoo.

      It is definitely more work to setup (though, if you are computer literate you doubtless will be able to do it, so long as you pay close attention to the Handbook) but more rewarding in the end.

      For me, other than that I found Gentoo to be the distribution that really started teaching me about linux, Gentoo was my eventual "only choice" because of the range of programs I use.

      I found no other distribution had *all* the programs I use in their native software repositories. And installin
    • Re:Wow. (Score:1, Informative)

      by Anonymous Coward
      as a Windows IT guy that wants to move to linux (gentoo, here I come?),

      Since you felt the need to mention that you are in IT, I am going to assume that you are talking about moving some of the production machines over to Linux. If that is the case I would strongly advise against Gentoo. Go with a distro that has some kind of real support that will make management happy, we use Redhat but now that Novell owns and supports SuSE I would say that they are also an option.

      Gentoo is not suited for the corporate
      • Go with what works in the workplace not what some smelly zealot who has never even worked in IT thinks is the cool distro.

        Gentoo or most any other distro -- given a good admin -- can function well doing just about any type of normal "business" task. But as we are all beginning (at varying rates) to realize is that the distro itself doesn't really matter. More and more the various configuration tools are being ported to many/all distros and what we are left with are basically just different choices of file
  • *BSD versions? (Score:3, Interesting)

    by Noksagt ( 69097 ) on Wednesday April 20, 2005 @07:50AM (#12291350) Homepage
    I'm a bit surprised that it has been ported to a primarily desktop-OS (OS X), rather than Free/Open/Net-BSD. Anyone know of efforts to get this into ports? Are there already equivalent *BSD tools?
    • I don't think this would really make a difference to security on OpenBSD. It's quite secure as-is.

      I suppose their reasoning was that Macs have a larger percentage of the market share than *BSD. Or maybe someone just felt like porting to OSX, and no one was motivated to port to *BSD.
    • Bastille for OpenBSD?

      "I see that I am running on an OpenBSD system.

      Checking ...
      You are working as the root user. This is not secure. Please run as a non root user."
  • [root@localhost root]# bastille --report
    ERROR: 'MN9.2' is not a supported operating system.
  • .. when do we get one for Slackware [slackware.com]

    Suchetha
  • by olyar ( 591892 )
    The assessment demo looks pretty nice, but not as comprehensive as, the Tiger Security tool. http://savannah.nongnu.org/projects/tiger. [nongnu.org]

    I've been working with Tiger quite a bit over the last few months (even contributing some changes) and I'm pretty impressed with what it can do.
    Also handy is the fact that it runs on most of the proprietary *NIX's.

    [/Tiger Plug]

  • http://castle.altlinux.ru/
  • Great news (Score:2, Interesting)

    by Anonymous Coward
    This new reporting feature reminds me of the CIS Security Benchmark [cisecurity.org] which was recently covered by NewsForge [newsforge.com]. The thing that has always bothered me about CIScan, however, is the mandatory registration process you have to go through before you download it. With Bastille offering similar functionality the need to use CIScan is greatly deminished in favor of a more "open" solution (not to bash CIS, but I don't enjoy having to keep track of yet-another-download-account).

    What really makes the CIS benchmark great

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...