Slashdot Mirror


Bastille Adds Reporting, Grabs Fed Attention

johnny.ihackstuff.com writes "NewsForge interviews the Bastille project lead Jay Beale about Bastille's cool new assessment feature, which reports and scores Linux security and -- as always -- makes Linux lockdown super-easy. Available for many distros and Mac OS X, too. Best of all, it's free and open source!" As Jay points out in the interview, the work was "sponsored by the U.S. government's Technical Support Working Group." An anonymous reader summarizes the new capability: "In essence, Bastille now does two things. In one mode, it locks down an operating system, tweaking the configuration for increased security, asking you about each step and teaching you along the way. In the new Assessment mode, it reports on what hardening steps have been taken and what could be taken."

2 of 151 comments

  1. Cool, but... by DrLex · Score: 3, Interesting

    The ironical thing about this software is that it only works on *n*x systems, while the OS that probably could benefit most from it is Windows...

  2. Re:Why do we need to harden distros ? by jbolden · Score: 4, Interesting

    I once built a very secure version. Here are the sorts of things I did.

    1) It had no shells of any sort, nor any user interface of any sort.

    2) It would not mount any filesystem whose CDs meet a certain checksum (this avoided mounting random data). CDs that had the right checksum it would automatically run a program with a particular name. This was the sole way to introduce new software/issue commands to the system.

    3) It had only about 4 open ports: 2 for getting data and 2 it used for sending the data out.

    4) It was stripped, having almost no software except the bare minimum needed to run 2 apps. It used a minimal set of libraries missing any links that weren't needed for the included software. All the apps and all the libraries had their names scrambled (using a hash generator) so apache might be something like /vksjl39/skl9394/i8843nvnnf. This made the box harder to get around. The result: most pieces of gcc software wouldn't have run at all with a great deal of knowledge about the box.

    5) It checksummed the bios to verify the bios wasn't corrupted (i.e. boot password was intact).

    6) Data on the drives were encrypted.

    Sound like a fun distribution to work on? On the other hand, under computer generated network attacks (like say 10000 attacks per second) the system was able to function fine indefinitely. Even somebody with physical access would have had to take a long time to hack the system.

    That is sort of the ultimate in Linux security. The goal of hardening a system is to reduce points of entry for people to issue privileged commands, and this is done by reducing features. And that means a decrease in usability.