Bastille Adds Reporting, Grabs Fed Attention
johnny.ihackstuff.com writes "NewsForge interviews the Bastille project lead Jay Beale about Bastille's cool new assessment feature, which reports and scores Linux security and -- as always -- makes Linux lockdown super-easy. Available for many distros and Mac OS X, too. Best of all, it's free and open source!" As Jay points out in the interview, the work was "sponsored by the U.S. government's Technical Support Working Group." An anonymous reader summarizes the new capability: "In essence, Bastille now does two things. In one mode, it locks down an operating system, tweaking the configuration for increased security, asking you about each step and teaching you along the way. In the new Assessment mode, it reports on what hardening steps have been taken and what could be taken."
Perhaps he should have used Bastille himself...
Gentoo Linux - another day, another USE flag.
In TFA, he claims that the project is helping to push vendors in that direction:
"The short-term effect of Bastille here was that possibly a hundred thousand Linux DNS servers couldn't be compromised. The long-term effect was that Linux distribution makers gained both familiarity with a couple more hardening steps and confidence that those steps would be palatable to users. Additionally, Linux users came to expect tighter configurations from their distribution vendors."
I agree it would be better for the vendors to do it without prompting, though, but this can help to standardize best practices.
Free, legal music for iTunes users.
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx
It's not really "portable" in the same sense as, say, Mozilla Firefox.
I've not used Bastille in a while but I recall it's more of a tool that makes recommendations and changes to your system to lock it down - these can be everything from file permissions, service lockdown and kernel firewall settings.
Therefore it's very much tied to the UNIX topography and even if you got it to run on Windows, the architecture is so different that it would be a totally different application by the time you'd modified it enough.
However, you might want to consider running Bastille on, say, a Linux NAT/proxy router and just tucking Windows machines behind it.
Gentoo Linux - another day, another USE flag.
It's not that ironic if you see what type of thing it actually checks.
Windows usually doesn't come with a mail or ftp server (yeah yeah, line up the spyware/malware server installing jokes here).
Sample this!
The Windows admins here keep saying that Windows has better security stuff than Linux
Do they? Where, I haven't noticed?
Windows 2003 SP1 has a funky new security lockdown wizard, and there've been IIS lockdown tools for a few years now. There's also MBSA which lets you security-scan your whole domain in one go.
the MS Exchange best practices analyzer:
Or, shorter, http://www.exbpa.com/.
Unfortunately, you're lost on the context in which you would use Bastille.
AV packages and XP firewall are more desktop orientated security applications that usually provide a second layer of security protection after corporate firewalls, NAT routers, proxies, etc.
And whether you like it or not, there are security holes in Windows purely as a result of the architecture and the fact that a lot of applications have free access to any part of the system.
If you have similar security holes in Linux it's because you're running a service at root permissions or have some file permissions set wrongly. You might not be using a UNIX system that has strong password checking built in or you might have inactive accounts on your system. All these things are the types of issues checked by Bastille.
Sure, you could use Bastille on a UNIX/Linux desktop to lock it down a bit but its real use is for locking down services and maybe creating a server to hide desktops behind, like a NAT proxy. So it's more important in small office or home server use where a server needs to be doubly secure because you don't have the protection of two firewall layers that you will inevitably find in a corporate environment.
Gentoo Linux - another day, another USE flag.
I've been working with Tiger quite a bit over the last few months (even contributing some changes) and I'm pretty impressed with what it can do.
Also handy is the fact that it runs on most of the proprietary *NIX's.
[/Tiger Plug]
Custom, hands-free Linux installs. Instalinux
as a Windows IT guy that wants to move to linux (gentoo, here I come?),
Since you felt the need to mention that you are in IT, I am going to assume that you are talking about moving some of the production machines over to Linux. If that is the case I would strongly advise against Gentoo. Go with a distro that has some kind of real support that will make management happy; we use Red Hat, but now that Novell owns and supports SuSE I would say that they are also an option.
Gentoo is not suited for the corporate arena. Gentoo is just the current trendy distro to have installed. There is always some trendy distro within the Linux Geek world and right now that distro is Gentoo. Give it a year and there will be another trendy distro and Gentoo will be forgotten. I say this as a guy who has been watching this happen for close to a decade now. Don't be a conformist geek sheep. Go with what works in the workplace not what some smelly zealot who has never even worked in IT thinks is the cool distro.
I struggled with this for a while.
"NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the next week."
Huh? Well, it seemed to unpack for me, I don't know.
Step three actually says:
3. Run the install script, like so:
cd Bastille && sh bin/Install-OSX.sh
Which didn't work (you've corrected it above, but not on the actual page). Fooled around for a while in confusion about that, since there *is* an install script in the bin directory, but it's called "bastille"; it has an "os" option but only seems to know about HP-UX and not OSX...
Finally found the other script, which failed with lots of error messages. You need to do "sudo" before the command.
And then, "confirm that you have perl-Tk installed". Apparently I don't. "Do not forget to get perl-Tk installed before running Bastille." - to me that's a bit like "attach the toaster to your nose in the usual way". Where do I get it? Fink? Nope, not there. perltk.org? Total confusion. Ok, it's over an hour now, I'm still searching around trying to find how to install perlTk on OS X, and you know what?
Fuck it.
It's not that I don't have the skills. I just don't want to fool around anymore.
I don't mean to be critical, but you've been slashdotted, and there are going to be a *lot* of people having the same frustrating experience that I just did today, who probably won't remember to come back next week when it's working.
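The case-sensitivity note quoted in the comment above describes an archive that holds both `Bastille` and `bastille` in the same directory, which cannot both exist on a case-insensitive HFS/HFS+ volume. As an added example (not code from the Bastille project or from the commenter), this Python check lists such collisions in a tarball before extraction; the `pkg/` layout and the function names are constructed for illustration.

```python
import io
import tarfile
from collections import defaultdict


def case_collisions(tar):
    """Return groups of member paths that differ only by letter case.

    Parent directories are included, so 'Bastille/README' and 'bastille'
    collide even if the archive has no separate entry for 'Bastille/'.
    """
    seen = defaultdict(set)
    for member in tar.getmembers():
        parts = [p for p in member.name.split("/") if p not in ("", ".")]
        # Register the member and every ancestor directory it implies.
        for depth in range(1, len(parts) + 1):
            path = "/".join(parts[:depth])
            seen[path.casefold()].add(path)
    return sorted(sorted(group) for group in seen.values() if len(group) > 1)


def build_sample_tarball():
    """Constructed in-memory archive: a directory and a script whose
    names differ only by case, as the quoted note describes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("pkg/Bastille/README", b"docs\n"),      # constructed sample entry
            ("pkg/bastille", b"#!/bin/sh\n"),        # constructed sample entry
            ("pkg/bin/Install-OSX.sh", b"#!/bin/sh\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    with tarfile.open(fileobj=build_sample_tarball()) as tar:
        for group in case_collisions(tar):
            print("case collision:", " <-> ".join(group))
```

Running the same function over a downloaded release tarball on a case-sensitive machine shows whether it will unpack cleanly on a default OS X volume.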