Bastille Adds Reporting, Grabs Fed Attention
johnny.ihackstuff.com writes "NewsForge interviews the Bastille project lead Jay Beale about Bastille's cool new assessment feature, which reports and scores Linux security and -- as always -- makes Linux lockdown super-easy. Available for many distros and Mac OS X, too. Best of all, it's free and open source!" As Jay points out in the interview, the work was "sponsored by the U.S. government's Technical Support Working Group." An anonymous reader summarizes the new capability: "In essence, Bastille now does two things. In one mode, it locks down an operating system, tweaking the configuration for increased security, asking you about each step and teaching you along the way. In the new Assessment mode, it reports on what hardening steps have been taken and what could be taken."
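To make the two modes concrete, here is an added example of the kind of work an assessment mode has to do: evaluate a handful of hardening checks against the live configuration, report which ones pass, score the result, and list the steps that could still be taken. This is example code written for this page, not Bastille's own assessment code, and its checks are not Bastille's. The sshd_config fragment and the `ss -ltn` output are constructed samples; the port allowlist (only 22) and the percentage scoring are assumptions. One caveat the example is built around: sshd honours the first occurrence of a keyword, so an assessor that naively keeps the last value will report a false pass on a config where someone appended a hardened line below a weak one.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    check: str
    passed: bool
    advice: str          # the "step that could be taken" when passed is False


# Constructed sample input (not from the article): a fragment of
# /etc/ssh/sshd_config on a half-hardened host. Note the three
# PasswordAuthentication lines: a commented one, a weak one, and a
# hardened one appended later that sshd will ignore.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
"""

# Constructed sample of `ss -ltn` output in the layout iproute2 prints.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:25        0.0.0.0:*
LISTEN 0      128    0.0.0.0:111         0.0.0.0:*
LISTEN 0      128    [::]:2049           [::]:*
"""


def sshd_settings(config: str) -> dict[str, str]:
    """Effective keyword values. sshd uses the FIRST occurrence of a keyword,
    so setdefault() (not assignment) models what the daemon will do."""
    settings: dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_sshd(config: str) -> list[Finding]:
    s = sshd_settings(config)
    # Era-appropriate checks; modern OpenSSH has dropped protocol 1 entirely.
    wanted = {
        "protocol": ("2", "Set Protocol 2; SSH protocol 1 is not secure"),
        "permitrootlogin": ("no", "Set PermitRootLogin no and use sudo from an unprivileged account"),
        "passwordauthentication": ("no", "Set PasswordAuthentication no and use key-based logins"),
    }
    return [Finding(f"sshd {key}", s.get(key, "").lower() == good, advice)
            for key, (good, advice) in wanted.items()]


def exposed_ports(ss_output: str) -> set[int]:
    """Ports listening on a non-loopback address. Loopback-only listeners
    (e.g. a local MTA on 127.0.0.1:25) are not reachable from the network
    and are not counted."""
    ports: set[int] = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if addr.strip("[]") in ("127.0.0.1", "::1"):
            continue
        ports.add(int(port))
    return ports


def check_listeners(ss_output: str, allowed: set[int]) -> list[Finding]:
    extra = exposed_ports(ss_output) - allowed
    if not extra:
        return [Finding("no unexpected network listeners", True, "")]
    return [Finding(f"port {p} listening on all interfaces", False,
                    f"Stop the service on port {p}, bind it to localhost, or filter it")
            for p in sorted(extra)]


def assess(config: str, ss_output: str, allowed: set[int]) -> tuple[int, list[str]]:
    """Return (score 0-100, list of steps that could still be taken)."""
    findings = check_sshd(config) + check_listeners(ss_output, allowed)
    score = round(100 * sum(f.passed for f in findings) / len(findings))
    return score, [f.advice for f in findings if not f.passed]


if __name__ == "__main__":
    score, todo = assess(SAMPLE_SSHD_CONFIG, SAMPLE_LISTENERS, allowed={22})
    print(f"hardening score: {score}/100")
    for step in todo:
        print(" - could be taken:", step)
```

Run against the constructed samples, the assessor scores 20/100: only `Protocol 2` passes, root login and password authentication are still on (the appended `PasswordAuthentication no` is dead text), and portmapper (111) and NFS (2049) are exposed on all interfaces while the loopback-only MTA is correctly left alone.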
Call me a bluff traditionalist... (Score:5, Funny)
Re:Call me a bluff traditionalist... (Score:2)
Re:Call me a bluff traditionalist... (Score:2)
Coffins have been used as a method of escape -- in Len Deighton's Funeral in Berlin notably. As this was used to penetrate the Berlin wall, the security analogy is even more acute. On the other hand, no one is known to have escaped from Alcatraz (several got away, but are believed to have drowned).
Re:Call me a bluff traditionalist... (Score:5, Funny)
Good thing I don't need to keep 1000 upset Frenchmen out of my server
Re:Call me a bluff traditionalist... (Score:3, Funny)
Re:Call me a bluff traditionalist... (Score:5, Insightful)
Re:Call me a bluff traditionalist... (Score:2, Offtopic)
Re:Call me a bluff traditionalist... (Score:2)
Re:Call me a bluff traditionalist... (Score:3, Funny)
Data (Score:2)
I'm still waiting for the royalties (Score:2)
Derek Bastille
Re:Call me a bluff traditionalist... (Score:5, Funny)
Re:Call me a bluff traditionalist... (Score:1)
Re:Call me a bluff traditionalist... (Score:2, Insightful)
Instead of doing stupid skits commenting about what people are doing, all skits should end with insults being tossed around.
I mean, insulting someone in a foreign language. There's something that's actually useful!
Re:Call me a bluff traditionalist... (Score:2)
Why do we need to harden distros ? (Score:5, Insightful)
Re:Why do we need to harden distros ? (Score:5, Insightful)
Most distributions try to steer a happy medium. Some sacrifice security for simplicity. [slashdot.org] Others (like Bastille) take the opposite tack.
Re:Why do we need to harden distros ? (Score:2)
Yes, indeed. Still, most of the things that really matter on a desktop system aren't part of that tradeoff.
My first linux install was RH6.0, and it had any number of servers running, right out of the box. Every server in the distribution was on and listening on the web, on the default install. For a great desktop experience, I didn't need NFS, bind, postfix, or any of a dozen other services that I eventually learned to shut down
Re:Why do we need to harden distros ? (Score:2, Insightful)
Re:Why do we need to harden distros ? (Score:5, Insightful)
Re:Why do we need to harden distros ? (Score:2)
Re:Why do we need to harden distros ? (Score:4, Informative)
"The short-term effect of Bastille here was that possibly a hundred thousand Linux DNS servers couldn't be compromised. The long-term effect was that Linux distribution makers gained both familiarity with a couple more hardening steps and confidence that those steps would be palatable to users. Additionally, Linux users came to expect tighter configurations from their distribution vendors."
I agree it would be better for the vendors to do it without prompting, but this can help to standardize best practices.
Re:Why do we need to harden distros ? (Score:5, Insightful)
What about those of us who don't use a distro? I often build systems from scratch and this gives me a convenient, useful tool to lock it down. Also, why not go the other direction... Why don't distros use generic tools like this to keep their system secure out of the box? I would like to point out one thing though. People use linux for just about everything today. The wizard gives you the functionality to do non-standard things to your system, whereas if the distro was secure out of the box, when you add a new service would you be able to say it was still secure, or what happens if you make a mistake setting up a config file? Generic tools that are very good at what they do are much better than large tools or relying on assumptions about the overall state of a system.
Re:Why do we need to harden distros ? (Score:4, Insightful)
Also auditing many applications takes time. You can expect a distro run by a few people to audit thousands of lines of code in each package.
Re:Why do we need to harden distros ? (Score:2)
When I was working at Data General, we had a team of 4 to 5 people auditing the C standard library and the source code for all the various UNIX utilities. Admittedly the team did have several months to complete their work. It's not particularly difficult to audit code that's already been written, but it is rather boring work, which makes it difficult to do in an open source environment.
Re:Why do we need to harden distros ? (Score:5, Interesting)
1) It had no shells of any sort, nor any user interface of any sort.
2) It would not mount any filesystem whose CDs meet a certain checksum (this avoided mounting random data). CDs that had the right checksum it would automatically run a program with a particular name. This was the sole way to introduce new software/issue commands to the system.
3) It had only about 4 open ports: 2 for getting data and 2 it used for sending the data out.
4) It was stripped, having almost no software except the bare minimum needed to run 2 apps. It used a minimal set of libraries missing any links that weren't needed for the included software. All the apps and all the libraries had their names scrambled (using a hash generator) so apache might be something like
5) It checksummed the bios to verify the bios wasn't corrupted (i.e. boot password was intact).
6) Data on the drives was encrypted.
Sound like a fun distribution to work on? On the other hand, under computer generated network attacks (like say 10000 attacks per second) the system was able to function fine indefinitely. Even somebody with physical access would have had to take a long time to hack the system.
That is sort of the ultimate in Linux security. The goal of hardening a system is to reduce points of entry for people to issue privileged commands, and this is done by reducing features. And that means a decrease in usability.
Re:Why do we need to harden distros ? (Score:2, Funny)
1) It had no shells of any sort, nor any user interface of any sort.
2) It would not mount any file system at all.
3) It had a firewall consisting of a one-inch air gap between the power cord and the power supply, which effectively prevented all unwanted electrons from breaking into the system.
This was *really* the ultimate in Linux security.
Re:Why do we need to harden distros ? (Score:2)
Re:Why do we need to harden distros ? (Score:2)
Comment removed (Score:4, Informative)
Re:Now THAT's Funny! (Score:1)
Re: (Score:2)
Re:Now THAT's Funny! (Score:1)
My defacement did not result in my user database being compromised. If my hosting provider was broken into, then I apologize for the inconvenience, and I'll be sure to let them know. I hate even the idea that my user base might be inconvenienced as a result of signing up for an account. Serio
A windows version (Score:3, Insightful)
There's not a lot of decent tools for non-security-expert admins and windows could do with something like this (not meant as an anti-windows troll).
Unfortunately too many corporate windows admins have so many pressures on their time that security of every server isn't always given the time it needs it sounds like this could provide a framework for that security.
Re:A windows version (Score:5, Informative)
http://www.microsoft.com/technet/security/tools/mbsahome.mspx [microsoft.com]
Re:A windows version (Score:4, Informative)
http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx [microsoft.com]
Re:A windows version (Score:1, Informative)
Or, shorter, http://www.exbpa.com/ [exbpa.com].
Re:A windows version (Score:2)
if anything you could create a sister project for the same sort of thing for windows based systems... but do you have enough fingers for that damn?
Comment removed (Score:5, Informative)
Re:A windows version (Score:1, Funny)
Re:A windows version (Score:3, Insightful)
Bastille does useful things such as stop unneeded services. The *nux distros I've used have been far better out of the box than win32 machines I've seen. File permissions on win32 are also a nightmare. Bastille also locks down common userland apps. Misconfigured apache on win32 can do as much damage as apache on linux.
Re:A windows version (Score:3, Insightful)
Also, I'm sure he was joking but the Microsoft Baseline Security Analyzer does a fair job at locking down Windows. I haven't used Bastille so I can't compare (from what I've heard I'd bet Bastille is more thorough though).
Re:A windows version (Score:1)
Comment removed (Score:4, Informative)
Re:A windows version (Score:3, Interesting)
Re:A windows version (Score:2)
Well... (Score:4, Funny)
Anyone else having problems getting this to run on Windows XP?
Re:Well... (Score:1, Funny)
Do you get error code "4.09 Windows XP? Am I on candid camera?" too? Maybe we should report this
Re:Well... (Score:2)
http://www.chiark.greenend.org.uk/~sgta
Scoring systems (Score:5, Insightful)
This is an excellent example of making an application have a "value" as incentive to do the right thing. People are by nature competitive and will strive to improve a "score" even if it doesn't necessarily help them in any way. I give cudose to whoever decided to add this feature.
Re:Scoring systems (Score:5, Funny)
Re:Scoring systems (Score:2)
You can pick up a easy bonus point... (Score:2)
You can pick up an easy bonus point if you spell "kudos" correctly (hint: it's from Greek).
--MarkusQ
I voted for Kudos... (Score:1)
Needs to be point and click. (Score:5, Funny)
Once Bastille for OSX becomes completely point and click it will take off like Jean Valjean after stealing a loaf of bread.
They're soliciting packagers... (Score:2)
I don't use OS X, but if anyone is looking to have a good impact with little effort email jay at bastille-linux.org
Re:Needs to be point and click. (Score:1, Interesting)
From the Bastille-Linux OS X page [bastille-linux.org]
1. Download the tarball from the source link: Bastille-.tbz2.
2. Uncompress the file, like so:
tar -xjvf Bastille-.tbz2
NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the
Re:Needs to be point and click. (Score:2)
Re:Needs to be point and click. (Score:4, Informative)
"NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the next week."
Huh? Well, it seemed to unpack for me, I don't know.
Step three actually says:
3. Run the install script, like so:
cd Bastille && sh bin/Install-OSX.sh
Which didn't work (you've corrected it above, but not on the actual page). Fooled around for a while in confusion about that, since there *is* an install script in the bin directory, but it's called "bastille"; it has an "os" option but only seems to know about HP-UX and not OSX...
Finally found the other script, which failed with lots of error messages. You need to do "sudo" before the command.
And then, "confirm that you have perl-Tk installed". Apparently I don't. "Do not forget to get perl-Tk installed before running Bastille." - to me that's a bit like "attach the toaster to your nose in the usual way". Where do I get it? Fink? Nope, not there. perltk.org? Total confusion. Ok, it's over an hour now, I'm still searching around trying to find how to install perlTk on OS X, and you know what?
Fuck it.
It's not that I don't have the skills. I just don't want fool around anymore.
I don't mean to be critical, but you've been slashdotted, and there are going to be a *lot* of people having the same frustrating experience that I just did today, who probably won't remember to come back next week when it's working.
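The case-sensitivity failure quoted above is worth catching before `tar` runs rather than after it half-unpacks. As an added example (written for this page, not code from the Bastille project), here is a check that inspects an archive's member list for paths that differ only in case, probes whether the target filesystem is case-insensitive, and refuses to extract when both are true. The tarball is constructed in memory with the layout the note describes (a top-level `Bastille/` directory beside a top-level `bastille` script); its member names and the use of gzip instead of bzip2 are assumptions made so the example runs offline with no extra dependencies.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile
from collections import defaultdict


def build_sample_tarball() -> bytes:
    """Constructed sample (not the real Bastille tarball): a top-level
    `Bastille/` directory next to a top-level `bastille` script, the layout
    the project note says collides on HFS/HFS+. Gzip is used instead of
    bzip2 purely so the example has no bz2 dependency."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in [("Bastille/bin/Install-OSX.sh", b"#!/bin/sh\n"),
                           ("bastille", b"#!/bin/sh\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def case_collisions(names) -> dict[str, list[str]]:
    """Map lowercased path -> distinct spellings, for every path prefix that
    appears under more than one capitalisation. On a case-insensitive
    filesystem each such group is one directory entry, so extracting the
    second spelling overwrites or fails on the first (a file and a
    directory cannot share the entry at all)."""
    spellings: dict[str, set[str]] = defaultdict(set)
    for name in names:
        parts = name.strip("/").split("/")
        for i in range(1, len(parts) + 1):
            prefix = "/".join(parts[:i])
            spellings[prefix.lower()].add(prefix)
    return {k: sorted(v) for k, v in spellings.items() if len(v) > 1}


def tarball_collisions(data: bytes) -> dict[str, list[str]]:
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return case_collisions(tf.getnames())


def filesystem_is_case_insensitive(directory: str | None = None) -> bool:
    """Probe the filesystem holding `directory` (default: the temp dir):
    create `CaseProbe` and ask whether `caseprobe` resolves to it."""
    with tempfile.TemporaryDirectory(dir=directory) as d:
        with open(os.path.join(d, "CaseProbe"), "w"):
            pass
        return os.path.exists(os.path.join(d, "caseprobe"))


def safe_to_extract(data: bytes, target_dir: str | None = None) -> tuple[bool, dict[str, list[str]]]:
    """True when the archive can be unpacked into target_dir without two
    members fighting over one name; also returns the colliding groups."""
    collisions = tarball_collisions(data)
    if collisions and filesystem_is_case_insensitive(target_dir):
        return False, collisions
    return True, collisions


if __name__ == "__main__":
    ok, groups = safe_to_extract(build_sample_tarball(), ".")
    for variants in groups.values():
        print("case collision:", " vs ".join(variants))
    print("safe to extract here:", ok)
```

On a default HFS+ volume the probe returns True and the sample archive is reported as unsafe; on ext4 or a case-sensitive APFS/HFS+ volume the same archive extracts cleanly, which is exactly why the problem went unnoticed by people unpacking on Linux.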
Re:Needs to be point and click. (Score:2)
cpan
and once you are inside cpan, you should issue a command "force install Tk". You have to force because cpan fails some of the tests.
I wouldn't have had problem installing Bastille, but I noticed that the install script installs all the files under
Then, the install script runs OK, but... we don't have the script "bastille" installed! It's still lying i
Re:Needs to be point and click. (Score:2)
Five years for what you did, the rest because you tried to run...
Re:Needs to be point and click. (Score:1)
I think they're planning on getting that up and running by 24/6/01.
Re:Needs to be point and click. (Score:3, Funny)
As I recall, he didn't get very far, did he...Javert (sp?) my old friend.
Re:Needs to be point and click. (Score:2)
Re:Needs to be point and click. (Score:2)
Re:Needs to be point and click. (Score:2)
Re:Needs to be point and click. (Score:2)
Cool, but... (Score:3, Interesting)
Re:Cool, but... (Score:3, Informative)
Windows usually doesn't come with a mail or ftp server (yeah yeah, line up the spyware/malware server installing jokes here).
Re:Cool, but... (Score:1)
...as the saying goes, "You can't polish a turd!"
Re:Cool, but... (Score:1)
In the early days of my shop trying some Linux servers, we were hit more than once by hackers and worms targetting known exploits in common Linux elements s
this is *why* (Score:3, Interesting)
For example, I've worked under linux at work for years, I could whip out the perl command to ROT-13 your entire drive in a couple of seconds, and I'm pretty sure any linux box I set up would be totally i
Re:Cool, but... (Score:2)
http://www.microsoft.com/technet/security/tools
Not that many IT people can pull their head out of their asses long enough to bother with them though
Locked down, admined and patched Windows machines do not get hacked. But don't let facts get in the way of a good MS bash.
URL Fix! (Score:2)
SlashCode seems to automatically add a space when a long line wraps. how nice and helpful of it! [Must resist making snarky comment about OSS quality...]
Remove the space and it works...
Re:URL Fix! (Score:2)
Re:Cool, but... (Score:2)
Only half the battle... (Score:2, Insightful)
Re:Only half the battle... (Score:4, Insightful)
Usually when people update their windows servers it's because some virus or worm is rampaging about the net making everyone's life miserable. Whereas when I update my Linux server, it's because a couple propeller heads in a lab somewhere figured out some obscure weakness and the fix.
Re:Only half the battle... (Score:2)
Wow. (Score:1, Interesting)
On a related note, if Windows made updates/innovations at this rate, I highly doubt that there would be this much criticism towards them. It's amazing that a company that hosts the richest man in the world can't cope with the innovation of an 'inferior' (I'm being facetious here,
re: Bastille Unix (Score:2, Interesting)
Bastille Linux [bastille-linux.org] is a program, not a flavor. It should run on any flavor of Linux Distro with the appropriate tweaking.
It's really nice; I was introduced to it with the book "Hackproofing Linux" and it does a lot of neat stuff.
Sets up sudo (if it's not already configured)
Creates a second root user that is the "true" root user, and keylogs everything that root does, and alerts the true root of any attempted accesses
And a bunch of other stuff. I just thought the root stuff was extra se
Re: (Score:3, Insightful)
Gentoo (Score:2, Interesting)
It is definitely more work to setup (though, if you are computer literate you doubtless will be able to do it, so long as you pay close attention to the Handbook) but more rewarding in the end.
For me, other than that I found Gentoo to be the distribution that really started teaching me about linux, Gentoo was my eventual "only choice" because of the range of programs I use.
I found no other distribution had *all* the programs I use in their native software repositories. And installin
Re:Wow. (Score:1, Informative)
Since you felt the need to mention that you are in IT, I am going to assume that you are talking about moving some of the production machines over to Linux. If that is the case I would strongly advise against Gentoo. Go with a distro that has some kind of real support that will make management happy, we use Redhat but now that Novell owns and supports SuSE I would say that they are also an option.
Gentoo is not suited for the corporate
Re:Wow. (Score:2)
Gentoo or most any other distro -- given a good admin -- can function well doing just about any type of normal "business" task. But as we are all beginning (at varying rates) to realize is that the distro itself doesn't really matter. More and more the various configuration tools are being ported to many/all distros and what we are left with are basically just different choices of file
*BSD versions? (Score:3, Interesting)
Re:*BSD versions? (Score:1)
I suppose their reasoning was that Macs have a larger percentage of the market share than *BSD. Or maybe someone just felt like porting to OSX, and no one was motivated to port to *BSD.
Re:*BSD versions? (Score:2)
"I see that I am running on an OpenBSD system.
Checking
You are working as the root user. This is not secure. Please run as a non root user."
I'd like Mandrake 9.2 support. (Score:2)
ERROR: 'MN9.2' is not a supported operating system.
it's all good but.. (Score:2)
Suchetha
doesn't help (Score:1)
Re:doesn't help (Score:2)
More comprehensive tool (Score:2, Informative)
I've been working with Tiger quite a bit over the last few months (even contributing some changes) and I'm pretty impressed with what it can do.
Also handy is the fact that it runs on most of the proprietary *NIXes.
[/Tiger Plug]
Re:More comprehensive tool (Score:3, Informative)
Your link is broken. The correct link is: http://savannah.nongnu.org/projects/tiger [nongnu.org].
I prefer Castle Linux (Score:1)
Great news (Score:2, Interesting)
What really makes the CIS benchmark great
Re:What's the equivalent on Windows? (Score:1, Informative)
Do they? Where, I haven't noticed?
Windows 2003 SP1 has a funky new security lockdown wizard, and there've been IIS lockdown tools for a few years now. There's also MBSA which lets you security-scan your whole domain in one go.
Re:Call me a troll (Score:2)
I like Free Software (GPL) because of the license. As a consequence of this license, many programs are good or very good. I actually prefer Free Software to other open source. This attitude is rather common, but so is yours. In the end, most of this stuff exists because of the licensing model. One should respect that. Should we call it the "best" feature? Probably not. GPL or just OSS d
Re:Damn straight it's not UNIX (Score:1)
IMO things began to go down hill when 'they' started trying to make unix friendly. It's a tool and you don't put doilies on a tool.
Making the various distros suit the majority of whiners is as much wasted effort as trying to shoot a duck on the midway using a rubber barreled 'rifle'.
Re:MS Supports HD-DVD over Blue-Ray (Score:2)
What, no webmail?
Actually for "you will be emailed your activation code" type activities, I recommend:
http://www.mailinator.com/ [mailinator.com]
It's convenience itself: just make up an email account (up to 15 characters) @mailinator.com and use that to fill in the form with. There's no need to CREATE an account ahead of time: that is done automatically whenever an email is rec