Bastille Adds Reporting, Grabs Fed Attention
johnny.ihackstuff.com writes "NewsForge interviews the Bastille project lead Jay Beale about Bastille's cool new assessment feature, which reports and scores Linux security and -- as always -- makes Linux lockdown super-easy. Available for many distros and Mac OS X, too. Best of all, it's free and open source!" As Jay points out in the interview, the work was "sponsored by the U.S. government's Technical Support Working Group." An anonymous reader summarizes the new capability: "In essence, Bastille now does two things. In one mode, it locks down an operating system, tweaking the configuration for increased security, asking you about each step and teaching you along the way. In the new Assessment mode, it reports on what hardening steps have been taken and what could be taken."
In TFA, he claims that the project is helping to push vendors in that direction:
"The short-term effect of Bastille here was that possibly a hundred thousand Linux DNS servers couldn't be compromised. The long-term effect was that Linux distribution makers gained both familiarity with a couple more hardening steps and confidence that those steps would be palatable to users. Additionally, Linux users came to expect tighter configurations from their distribution vendors."
I agree it would be better for the vendors to do it without prompting, though, but this can help to standardize best practices.
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx
It's not really "portable" in the same sense as, say, Mozilla Firefox.
I've not used Bastille in a while but I recall it's more of a tool that makes recommendations and changes to your system to lock it down - these can be everything from file permissions, service lockdown and kernel firewall settings.
Therefore it's very much tied to the UNIX topography and even if you got it to run on Windows, the architecture is so different that it would be a totally different application by the time you'd modified it enough.
However, you might want to consider running Bastille on, say, a Linux NAT/proxy router and just tucking Windows machines behind it.
I struggled with this for a while.
"NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the next week."
Huh? Well, it seemed to unpack for me, I don't know.
Step three actually says:
3. Run the install script, like so:
cd Bastille && sh bin/Install-OSX.sh
Which didn't work (you've corrected it above, but not on the actual page). Fooled around for a while in confusion about that, since there *is* an install script in the bin directory, but it's called "bastille"; it has an "os" option but only seems to know about HP-UX and not OSX...
Finally found the other script, which failed with lots of error messages. You need to do "sudo" before the command.
And then, "confirm that you have perl-Tk installed". Apparently I don't. "Do not forget to get perl-Tk installed before running Bastille." - to me that's a bit like "attach the toaster to your nose in the usual way". Where do I get it? Fink? Nope, not there. perltk.org? Total confusion. Ok, it's over an hour now, I'm still searching around trying to find how to install perlTk on OS X, and you know what?
Fuck it.
It's not that I don't have the skills. I just don't want to fool around anymore.
I don't mean to be critical, but you've been slashdotted, and there are going to be a *lot* of people having the same frustrating experience that I just did today, who probably won't remember to come back next week when it's working.