Slashdot Mirror


Bastille Adds Reporting, Grabs Fed Attention

johnny.ihackstuff.com writes "NewsForge interviews the Bastille project lead Jay Beale about Bastille's cool new assessment feature, which reports and scores Linux security and -- as always -- makes Linux lockdown super-easy. Available for many distros and Mac OS X, too. Best of all, it's free and open source!" As Jay points out in the interview, the work was "sponsored by the U.S. government's Technical Support Working Group." An anonymous reader summarizes the new capability: "In essence, Bastille now does two things. In one mode, it locks down an operating system, tweaking the configuration for increased security, asking you about each step and teaching you along the way. In the new Assessment mode, it reports on what hardening steps have been taken and what could be taken."


  1. Why do we need to harden distros ? by Elgreco1 · · Score: 5, Insightful

    Why do we need hardening wizards, tools, software and so on? Why can't distributions be secure out of the box?

    1. Re:Why do we need to harden distros ? by gowen · · Score: 5, Insightful
      Why can't distributions be secure out of the box?
      Essentially, there's a trade off to be made between security and ease of use (for example, a hardened distro won't let users mount filesystems, let alone do it automagically. Desktop distros consider automounting CDs and USB sticks to be de rigueur.).

      Most distributions try to steer a happy medium. Some sacrifice security for simplicity. Others (like Bastille) take the opposite tack.
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    2. Re:Why do we need to harden distros ? by Kaali · · Score: 2, Insightful

      Because some security features have pros and cons. It might make your system more secure but suddenly normal users can't use CDs and so on. These wizards can tailor the system's security according to your needs, not general needs which will not be as secure as a complete customized system.

    3. Re:Why do we need to harden distros ? by Daengbo · · Score: 5, Insightful

      Part of Bastille's goal is to educate the admin, as well, so (even if your distro is very secure out of the box) you can run the program, listen to all the checks and changes, learn from Bastille why things should be set up that way, and maybe admin your box better. Alas, though, most distros are not as secure as they should be, and Bastille will make you think about what tradeoffs you really want to make between ease of use and security.

    4. Re:Why do we need to harden distros ? by admorgan · · Score: 5, Insightful
      Why do we need hardening wizards, tools, software and so on? Why can't distributions be secure out of the box?


      What about those of us who don't use a distro? I often build systems from scratch and this gives me a convenient, useful tool to lock it down. Also, why not go the other direction... Why don't distros use generic tools like this to keep their system secure out of the box? I would like to point out one thing though. People use Linux for just about everything today. The wizard gives you the functionality to do non-standard things to your system, whereas if the distro was secure out of the box, when you add a new service would you be able to say it was still secure, or what happens if you make a mistake setting up a config file? Generic tools that are very good at what they do are much better than large tools or relying on assumptions about the overall state of a system.
    5. Re:Why do we need to harden distros ? by gilesjuk · · Score: 3, Insightful

      Security can often carry a level of pain with it that would annoy a desktop user.

      Also auditing many applications takes time. You can expect a distro run by a few people to audit thousands of lines of code in each package.

  2. A windows version by JohnnyKlunk · · Score: 2, Insightful

    I don't suppose someone could port this to Windows, could they?
    There's not a lot of decent tools for non-security-expert admins and Windows could do with something like this (not meant as an anti-Windows troll).

    Unfortunately too many corporate Windows admins have so many pressures on their time that security of every server isn't always given the time it needs. It sounds like this could provide a framework for that security.

    1. Re:A windows version by Noksagt · · Score: 2, Insightful

      You might be joking, but quite a bit is needed to lock down win32.

      Bastille does useful things such as stop unneeded services. The *nux distros I've used have been far better out of the box than win32 machines I've seen. File permissions on win32 are also a nightmare. Bastille also locks down common userland apps. Misconfigured Apache on win32 can do as much damage as Apache on Linux.

    2. Re:A windows version by XMyth · · Score: 2, Insightful

      2003 Server is better about this and I'm sure Longhorn will be too. That's not in defense of Windows, just FYI.

      Also, I'm sure he was joking but the Microsoft Baseline Security Analyzer does a fair job at locking down Windows. I haven't used Bastille so I can't compare (from what I've heard I'd bet Bastille is more thorough though).

  3. Scoring systems by admorgan · · Score: 5, Insightful
    The score idea is actually pretty central here. When I first heard about it, I thought it was overly simplistic, but people really do get motivated and sometimes even jazzed up about improving the score on a system. They'll get a lower score than their ego tells them they should and will turn around and harden a few items on the box just to achieve a more encouraging score.

    This is an excellent example of making an application have a "value" as incentive to do the right thing. People are by nature competitive and will strive to improve a "score" even if it doesn't necessarily help them in any way. I give kudos to whoever decided to add this feature.
  4. Only half the battle... by lakerdonald · · Score: 2, Insightful

    A "lockdown" program such as this is only half of the battle. You need to keep your kernel updated, patch programs with fixes, and also make sure that a lockdown program such as Bastille is actually doing what it's supposed to, by making sure that the rules and configurations it creates are actually sane.

    1. Re:Only half the battle... by bhima · · Score: 3, Insightful
      No, I think it's a bit more than half.

      Usually when people update their windows servers it's because some virus or worm is rampaging about the net making everyone's life miserable. Whereas when I update my Linux server, it's because a couple propeller heads in a lab somewhere figured out some obscure weakness and the fix.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
  5. Re:Call me a bluff traditionalist... by Pogue+Mahone · · Score: 4, Insightful

    Problem is, you don't want to stop people from escaping. You want to stop them from getting in. IIRC there was never any real problem to get IN to Alcatraz.

    --
    Every bloody emperor has his hand up history's skirt [Peter Hammill/VdGG]
  6. Re:Wow. by pandrijeczko · · Score: 2, Insightful
    but as a Windows IT guy that wants to move to linux

    Why "move"? Dual boot it, play with it and move when and if you're ready to.

    It's amazing that a company that hosts the richest man in the world can't cope with the innovation of an 'inferior' (I'm being facetious here, not trolling) business model.

    The problem with Windows security is one of architecture, not so much business model.

    When a UNIX system gets attacked, it's because some cracker or script-kiddie has picked that system as a target - because of a buggy service that can be buffer overflowed, maybe because of a weak password on an account or maybe because of a file permissions issue. However, all these vulnerabilities can be corrected by a sysadmin who knows what he's doing and applies patches, turns off unnecessary services and locks permissions down. Bastille is just a tool that does the vulnerability analysis for the sysadmin and makes recommendations, maybe even carries some out.

    Windows, by design, has to allow certain applications full access to the system. That's why attacks on Windows systems are not usually targeted attacks but worms and viruses that can exploit a design weakness to get in and do their stuff on any Windows systems they find. So whereas you know the likely points of intrusion into a UNIX system, you don't on Windows until either a worm hits it or MS release an update telling you what they've fixed.

    You can't say that either UNIX or Windows is more secure than the other out of the box but a good UNIX sysadmin has much more chance of predicting and preventing attacks than a good Windows sysadmin does.

    --
    Gentoo Linux - another day, another USE flag.
  7. Re:Call me a bluff traditionalist... by Neoncow · · Score: 2, Insightful
    You know, if they taught that at school, I'll bet students would have a lot more fun learning a foreign language.

    Instead of doing stupid skits commenting about what people are doing, all skits should end with insults being tossed around.

    I mean, insulting someone in a foreign language. There's something that's actually useful!