Ask Jon And Jay About Bastille Linux

You've heard about Bastille Linux 'round these parts before (on July 17 of this year) -- it's a set of scripts bundled to create (in combination with a base install of a distribution like Red Hat) a much more secure box than would be the default. The basic philosophy behind Bastille seems to be "It shouldn't be difficult to lock down your Linux box." Now, here's your chance to ask Bastille gurus Jon Lasser and Jay Beale about the project.You'll want to check out the project's main page, first, and also some of the security articles Jay's written as well as the additional information on his personal page. (And if that Lasser fellow's name is familiar, it should be -- he's also the author of the excellent Think Unix reviewed a few weeks ago.) So post your questions below, and Jay and Jon will soon respond in depth.

Debian?

[luge]

Do you guys have any plans to do something similar for Debian, or have others approached you about it? I'd love to apt-get install bastille, and have it do something similar to what I've heard it does for RH. Anyway, even if you don't, keep up the good work.
~luge

Configuration

[FeeDBaCK]

In what way does Bastille differentiate between different types of installs? Does it prompt the users about services? Will it shut off my apache service if I plan on making this machine a web server?

What third party tools do you install/recommend to help with the hardening of the system? Tripwire? tcpserver?

Do you incorporate any form of checking when doing your install to ensure that the box has not already been compromised, such as checking for common trojans/backdoors?

Distribution specific, etc.

[matman]

I have two questions actually.

The first: do you plan to make a non distribution specific hardening program/system/script? If so, how? It would be neat to have a consensus between distributions on file locations, etc to make this easier; do you plan on working with other distributions to come up with some sort of common interface or environment?

The second: do you plan on including any kernel based capability, IDS, or ACL addons? A good default use of these features would greatly increase the security of linux in general, but they are prohibitively complex for most users. Thus, these are great things to have taken care of by the system - do you plan on working on something to control these things (semi)automatically?

Why is Bastille Necessary?

[DG]

In a perfect world, the Bastille scripts would be unecessary, because the default installation of the distribution would have been hardened from the get-go.

Why do you feel that various distributions are so insecure by default? What are the most common mistakes they make? What kinds of changes need to happen at Red Hat to make your scripts unneeded?

Bastille Linux

[Wubby]

Did you guys consider your own distro? Why, why not and will you create a full Bastille distro.

(One minor wishlist item: could you fix the Curses thing for sparc) Sorry, just had to sneak that in.

"Missing" features?

[Coz]

A two-part question:

What features do you feel are missing from Bastille as it stands today, and aren't in the roadmap you have for the immediate future?

What elements of system security do you feel should be part of the "core" (if not the kernel) of the operating system, and why (in your opinions) aren't they there already?

Not such a good name for a distro...

[AFCArchvile]

...especially if you want to convey security. Do you remember your late 18th century European history? Right. The Bastille in France was invaded and destroyed, prisoners were liberated, and the monarchy was overthrown by that terrible harbinger of death, La Guillotine.

I'd hate to see any Bastille Linux-oriented viruses or trojans. Maybe there will be one which triggers on July 14th of every year and echoes on the screen: "Liberté! Egalité! Fraternité!"

For more historical stuff on Bastille Day, check out this link to the French Embassy.