Introduction.
The Bastille Linux project provides an interactive tool that applies additional security hardening measures to increase the overall security of your Ubuntu system and reduce its susceptibility to compromise. This guide covers installing and running the Bastille Linux tool to harden your Ubuntu system.
IMPORTANT: Please be aware that Bastille Linux requires advanced knowledge, is site-specific and has several options that no longer apply to Ubuntu.
Target Audience.
This guide is designed for intermediate to advanced users of Ubuntu, and is not recommended for beginners. The changes Bastille Linux can make to your Ubuntu system can potentially render parts of your system inoperative, or have other adverse effects. You should have a very good understanding of what will occur for every change you allow Bastille Linux to make, and understand any potential ramifications which may arise later from those changes. The author of this guide, the creators of Bastille Linux, and Ubuntu cannot be responsible for any adverse conditions with your Ubuntu system which may be caused by failure to understand what you are doing with Bastille Linux. You have been warned.
Bastille Linux.
With regard to security, Linux is much better than other operating systems. Nevertheless, distributions differ from one another in this respect. Bastille-Linux provides you with the means to protect your system. It was initially written for RedHat, but the latest version works with other distributions too.
The project is managed by Jon Lasser (main coordinator) and Jay Beale (main developer). Many other developers, software designers and beta-testers are involved as well.
First of all, let's make it clear: Bastille-Linux is NOT a new Linux distribution! It's a set of scripts, written in Perl, intended to improve Linux security.
Security here means computer security: how do you keep unwanted people from accessing your machine? Bastille-Linux gives part of the answer by modifying the initial installation of your Linux distribution.
A basic task for every SysAdmin is to know the users' needs, not only to meet them, but also to avoid running unused network programs and so contain network security holes. One of my mentors used to say: the least you do, the better ;-] Of course, he was talking about algorithm complexity, but this applies to network administration too: an abundance of software does harm, as it gives more places to attack. To reduce vulnerability, install only what you really need.
Bastille-Linux tries to reduce the possibilities for an attack. To reach this goal, the software designers have a very educational approach: they explain what to do, step by step.
The Bastille Linux package is available for your Ubuntu system from the Universe repository, and may be installed with the package tool you prefer (e.g. apt-get, aptitude, or Synaptic). The package includes a user interface and a configuration engine. The primary user interface is an X interface using the Perl/Tk system, and there is also a Curses-based text interface. You may use Bastille Linux in two primary modes:
- Interactively: Allows Bastille Linux to ask you a series of questions, with explanations of the concept involved and hardens your system according to your answers to those questions.
- Non-Interactively: You may also edit a configuration file which may then be used with Bastille Linux to enforce the security hardening measures. This is a good way to automate the hardening of several servers, for example.
Bastille's security hardening measures come from widely accepted security best practices, such as the SANS Securing Linux Step by Step guides, Kurt Seifried's Linux Administrator's Security Guide, and other reputable security sources.
Now that you have some idea about what Bastille Linux is, and does, we'll cover installation, and use of Bastille Linux.
Installing Bastille Linux.
You must enable the Universe repository in order to install Bastille Linux.
IMPORTANT: There is a problem with the package in 9.10 Karmic. You must install any of these packages first: bsd-mailx, mailx or mailutils. See Launchpad #434709 for details. It is reported to be fixed for 10.10 Lucid.
The apt-get command, to be issued from a terminal prompt is as follows:
sudo apt-get install bastille
If you prefer Synaptic, perform a search for Bastille, mark the Bastille package for installation, and click the Apply button.
Using Bastille Linux.
This guide will cover using the Interactive mode with Bastille Linux, and specifically, the X version of the interactive tool. The text mode interactive interface, and the non-interactive mode will be discussed in future revisions of this guide.
To start Bastille Linux in the X-based interactive interface, open an instance of the Terminal application, and launch the Bastille Linux X-based interactive tool with root privileges, by typing the following at the prompt:
sudo bastille -x
If you receive an error such as: WARNING: /usr/bin/perl cannot find Perl module Tk. then you first need to install the perl-tk package from the Universe repository with your preferred package manager. For example, with apt-get, issue the following command from a terminal prompt:
sudo apt-get install perl-tk
Then try to start the Bastille Linux X-based interactive tool per the instructions above again.
When you execute the Bastille Linux tool, a disclaimer is first printed to the terminal, and you must accept the terms of the disclaimer to proceed. Type accept when prompted, to continue executing the Bastille Linux tool.
You should then see a graphical window appear, titled Bastille.
You will begin at the Title Screen where you must next click the OK button to proceed.
Upon clicking the OK button for the first time, the Bastille Linux X-based interactive tool will begin asking the questions, which appear in the Question text area, along with an explanation of the question being asked, which appears in the Explanation text area. Select the appropriate radio button control, (e.g. No or Yes) and click the OK button to continue to the next question.
This guide will not address the questions and possible answers presented by the Bastille Linux X-based interactive tool, as that is beyond the scope of the guide. The reader of this guide is expected to read the associated manual pages, and websites referred to in the Resources section of this guide to properly understand the questions, and their results on the system.
When you've reached the end of the questions, the Bastille Linux X-based interactive tool will ask if you are finished making changes to your Bastille configuration. If so, click the Yes radio button, and then click the OK button. A Save Configuration Changes dialog window will appear. Click the appropriate button to exit without saving changes, go back and change configuration, or save configuration.
A Finishing Up dialog window will then appear. You may then click the appropriate button to exit without changing your system, go back and change configuration, or apply configuration to system. If you wish to have the changes you chose applied to your system at this time, click the Apply Configuration to System button now.
A Credits window will appear, and you will also note much information in the Terminal window. You may see many ERROR entries in the output of the Terminal window. To determine what the ERROR entries refer to, and possibly make corrections to them, examine the log file /var/log/Bastille/error-log. Sometimes the ERROR conditions logged will contain suggestions to correct the problem, and should you choose to do so, you can then go back and re-run the Bastille Linux tool to re-apply changes.
Reverting Bastille Linux Changes.
Should you decide that you would like to undo any, or all of the changes made to your Ubuntu system by Bastille Linux, you may use the RevertBastille command to undo all changes made by the Bastille Linux tool. For example, open a Terminal application, and type the following command at the prompt to revert (undo) the changes made by Bastille Linux:
sudo RevertBastille
After the RevertBastille tool finishes executing, the system will be configured as it was prior to hardening with Bastille Linux.
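One way to check what an apply or a RevertBastille run actually changed, as an added example that is not part of the original guide or of Bastille itself. It assumes GNU find and sha256sum as shipped on Ubuntu; the function names snapshot and changed, and the choice of /etc and /root paths in the usage comment, are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not Bastille code): record mode, owner and content hash of
# every regular file under a tree, then compare two such records.
# Assumes GNU find (-printf) and sha256sum; file names must not contain tabs
# or newlines.

# snapshot TREE OUTFILE
# Writes one line per file: "<path><TAB><mode> <user>:<group> <sha256>"
snapshot() {
    tree=$1
    out=$2
    find "$tree" -xdev -type f -printf '%p\t%m %u:%g\n' 2>/dev/null |
    sort |
    while IFS="$(printf '\t')" read -r path meta; do
        sum=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
        printf '%s\t%s %s\n' "$path" "$meta" "${sum:-unreadable}"
    done > "$out"
}

# changed BEFORE AFTER
# Prints "added", "removed" or "changed" for every path whose presence,
# mode, owner or content differs between the two snapshot files.
changed() {
    awk -F '\t' '
        pass == 1        { before[$1] = $2; next }
        !($1 in before)  { print "added\t" $1; next }
        before[$1] != $2 { print "changed\t" $1 "\t" before[$1] " -> " $2 }
                         { delete before[$1] }
        END { for (p in before) print "removed\t" p }
    ' pass=1 "$1" pass=2 "$2" | sort
}

# Typical use, as root (the tree and file names here are assumptions):
#   snapshot /etc /root/etc.before
#   bastille -x                     # answer the questions, apply configuration
#   snapshot /etc /root/etc.after
#   changed /root/etc.before /root/etc.after      # what hardening touched
#   RevertBastille
#   snapshot /etc /root/etc.reverted
#   changed /root/etc.before /root/etc.reverted   # what revert did not restore
```

Any line printed by the last comparison is a file that differs from its pre-hardening state and is worth inspecting by hand.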
For more information on functions, capabilities, and the non-interactive mode of Bastille Linux, refer to the resources provided below.
Resources.
Additional information about Bastille Linux and GNU/Linux security hardening guidelines is available via the following resources:
Local System Resources.
man bastille
System manual page for the Bastille Linux bastille tool
man bastillebackend
System manual page for the Bastille Linux BastilleBackEnd tool
man bastillechooser
System manual page for the Bastille Linux BastilleChooser tool
man revertbastille
System manual page for the Bastille Linux RevertBastille tool
man automatedbastilles
System manual page for the Bastille Linux AutomatedBastille tool
man interactivebastille
System manual page for the Bastille Linux InteractiveBastille tool
man undobastille
System manual page for the Bastille Linux RevertBastille / UndoBastille tool
Running Bastille on Red Hat, SuSE and Mandrake Linux.
Bastille supports a number of Linux distributions and operating systems. In the RPM-focused world, it supports Fedora Core, Red Hat Enterprise, Red Hat Classic (Red Hat 6 through 9), SuSE and Mandrake systems. On these systems, Bastille is primarily used via an RPM, though you can also download the raw source tarball.
Installing Bastille 2.x on Red Hat (Classic, Enterprise or Fedora Core), SuSE or Mandrake is easiest via the RPM. You need to install the Bastille RPM as well as a supporting perl module to provide either the graphical or text-based interface.
- First, install the Bastille RPM, like so:
rpm -ivh Bastille-3.2.1-0.1.noarch.rpm
- Second, if you want to use Hardening mode, you'll need to install perl-Tk (for our Graphical Interface) or perl-Curses (for console/text mode). (Installing perl-Tk/perl-Curses isn't necessary in Assessment mode, as it generates a report in both HTML and Text.) You can usually do this most easily by getting the RPM shown in this table, installing it via this command:
rpm -ivh perl-Tk-a.b-c.i386.rpm
or
rpm -ivh perl-Curses-d.e-f.i386.rpm
Alternatively, you can install these using the CPAN method, described here.
- Third, run the bastille command:
bastille -x (for Graphical Mode Hardening)
or
bastille -c (for Text Mode Hardening)
or
bastille --report (for Assessment and Reporting)
- NOTE: Just because you're su-ing or ssh-ing into a system doesn't mean you're stuck in text mode. You can use graphical (X) programs like Bastille's Tk interface or browsers by forwarding your X connections over the ssh connection. It's very, very simple. Just do this:
ssh -X root@remote_box (when you were already SSH-ing)
OR
ssh -X root@127.0.0.1 (when you would normally just su)
Bastille Linux on Debian Linux.
Debian packages are available at this Debian package site maintained by Javier Fernandez-Sanguino Pena. Javier is an amazing Open Source developer who maintains both the Bastille port and the Tiger port for Debian.
Bastille is part of Gentoo, available through the portage system. Bryan Stine made a port of the current stable release set, which the Bastille project is working to integrate into the mainstream code for better maintainability.
Bryan's description of this effort follows:
Basically, since I've been patching it as maintenance for our portage package, all that's needed has been setting Gentoo-specific paths and adding some conditionals here and there (which I based on regexps used for other distros). Furthermore, the questions file was updated to reflect what Gentoo can support. Finally, I did some stuff to a few scripts and Perl modules to set Gentoo-specific routines up, such as rc-update for managing services and providing USE advice for Tk-based InteractiveBastille.
Apart from the core Bastille stuff, psad is being supported as a separate package in Gentoo. My bastille patch did address included psad components, but the separate package is a superior alternative.
The Bastille team's goal is to work with members of the Gentoo development team at LinuxWorld this year to integrate the code into Bastille's development tree, making maintenance easier and increasing our ability to bring the new functionality currently underway to Gentoo.