Bastille Adds Reporting, Grabs Fed Attention

johnny.ihackstuff.com writes "NewsForge interviews the Bastille project lead Jay Beale about Bastille's cool new assessment feature, which reports and scores Linux security and -- as always -- makes Linux lockdown super-easy. Available for many distros and Mac OS X, too. Best of all, it's free and open source!" As Jay points out in the interview, the work was "sponsored by the U.S. government's Technical Support Working Group." An anonymous reader summarizes the new capability: "In essence, Bastille now does two things. In one mode, it locks down an operating system, tweaking the configuration for increased security, asking you about each step and teaching you along the way. In the new Assessment mode, it reports on what hardening steps have been taken and what could be taken."

MS Supports HD-DVD over Blue-Ray

Ok, completely off topic. Maybe somebody will post this. I think slashdotters would be interested. Its a big deal. No really it is lol.

http://www.microsoft.com/presspass/press/2005/Ap r0 5/04-18WBMSDVDTitlesPR.asp

Re:MS Supports HD-DVD over Blue-Ray

[Triddle]

So log on and post the story so everyone on /. can see it.

Re:MS Supports HD-DVD over Blue-Ray

Was going to do that. No account. To create one they email me the pw, at work I don't have full email access. But thanks for the suggestion.

Re:MS Supports HD-DVD over Blue-Ray

[RenaissanceGeek]

Was going to do that. No account. To create one they email me the pw, at work I don't have full email access. But thanks for the suggestion.

What, no webmail?

Actually for "you will be emailed your activation code" type activities, I recommend:
http://www.mailinator.com/

It's convenience itself: just make up an email account (up to 15 chatracters) @mailinator.com and use that to fill in the form with. There's no need to CREATE an account ahead of time: that is done automatically whenever an email is recieved. You don't even need a password!

Why hastle yourself with YET ANOTHER hotmail account for ANOTHER password when you only need to use it once?

Call me a bluff traditionalist...

[gowen]

... but if I were starting a Linux security project, I'd name it after a prison which was difficult to escape from, rather than one famous for being stormed by about 1,000 upset Frenchmen.

Re:Call me a bluff traditionalist...

[Nadsat]

Name it "The Coffin." Most Frenchman or Americans can't escape from that.

Re:Call me a bluff traditionalist...

[Qzukk]

rather than one famous for being stormed by about 1,000 upset Frenchmen.

Good thing I don't need to keep 1000 upset Frenchmen out of my server ;)

Re:Call me a bluff traditionalist...

[Pogue+Mahone]

Problem is, you don't want to stop people from escaping. You want to stop them from getting in. IIRC there was never any real problem to get IN to Alcatraz.

Re:Call me a bluff traditionalist...

[homerules]

Bastille is a French word meaning "castle" or "stronghold" and that was from your own reference.

Re:Call me a bluff traditionalist...

[gowen]

Bastille is a French word meaning "castle" or "stronghold"

And "C'était une plaisanterie, vous clod d'humeur-moins" is a French phrase meaning "It was a joke, you humourless clod."

Re:Call me a bluff traditionalist...

[ryanjensen]

The Rock.

Re:Call me a bluff traditionalist...

[mattyrobinson69]

I dont think they'd be a problem, im guessing bash doesn't understand outrageous comical accents.

Re:Call me a bluff traditionalist...

I don't get it.

Re:Call me a bluff traditionalist...

[Pogue+Mahone]

There were easier ways to get into Alcatraz ... ask any of the inmates: they had no trouble. ;-)

Re:Call me a bluff traditionalist...

[Jeff+DeMaagd]

I think it's easier to keep 1000 upset Frenchmen at bay than the same number of Mexican illegal immigrants.

Re:Call me a bluff traditionalist...

That is quite the literal translation you got going there. Pretty sure a frenchman wouldn't be caught dead saying something as archaic as that.

Re:Call me a bluff traditionalist...

[1u3hr]

Name it "The Coffin." Most Frenchman or Americans can't escape from that.

Coffins have been used as a method of escape -- in Len Deighton's Funeral in Berlin notably. As this was usewd to penetrate the Berlin wall, the security analogy is even more acute. On the other hand, no one is known to have escaped form Alcatraz (several got away, but are believed to have drowned).

Re:Call me a bluff traditionalist...

[jd]

If you recall correctly? I hope you mean if someone else recalls correctly. :)

Re:Call me a bluff traditionalist...

[gowen]

Yeah, I know. But that's google's translate service for you. Sadly, my own French was learned at school, and they didn't tend to focus on how to throw a well-crafted insult.

Re:Call me a bluff traditionalist...

[Neoncow]

You know, if they taught that at school, I'll bet students would have a lot more fun learning a foreign language.

Instead of doing stupid skits commenting about what people are doing, all skits should end with insults being tossed around.

I mean, insulting someone in a foreign language. There's something that's actually useful!

Re:Call me a bluff traditionalist...

[homerules]

Your humor is lost in the translation.

Re:Call me a bluff traditionalist...

Paint the server in Wehrmacht cam and post a pic on your site.
They will promptly surrender and form a collaborationist regime to cater to your every whim.
It will be a Sorrow and a Pity, but they are French after all.

Re:Call me a bluff traditionalist...

[Drishmung]

There you go then, your wish has been catered to.

Re:Call me a bluff traditionalist...

"Name it "The Coffin." Most Frenchman or Americans can't escape from that"

Well, if the frenchman is named Edmond Dantès, damn sure he can scape from a coffin.

Call me crazy

[scenestar]

WHith the us gov agencies and large corporations such as IBM swithcing to OS software im getting the idea that propietary softweare has no future.

Once again this calls for an over haul of the current OS license system and perhaps a new look at the current OS busines model.

Re:Call me crazy

In the IT acronym OS means Operating System. If you need an abbreviation for open source use OSS. That is standard convention. When you don't follow standards you confuse and annoy people and will continue getting modded down.

Why do we need to harden distros ?

[Elgreco1]

Why do we need hardening wizzards, tools software and so on. Why can't distributions be secure out of the box ?

Re:Why do we need to harden distros ?

[gowen]

Why can't distributions be secure out of the box ?

Essentially, there's a trade off to be made between security and ease of use (for example, a hardened distro won't let users mount filesystems, let alone do it automagically. Desktop distros consider automounting CD's and USB sticks to be de rigeur.).

Most distributions try to steer a happy medium. Some sacrifice security for simplicity. Others (like Bastille) take the opposite tack.

Re:Why do we need to harden distros ?

[Kaali]

Because some security features have pros and cons. It might make your system more secure but suddenly normal users can't use CDs and so on. These wizards can tailor the systems security according to your needs, not general needs which will not be as secure as a complete customized system.

Re:Why do we need to harden distros ?

[Daengbo]

Part of Bastille's goal is to educate the admin, as well, so (even if your distro is very secure out of the box) you can run the program, listen to all the checks and changes, learn from Bastille why things should be set up that way, and maybe admin your box better. Alas, though, most distros are not as secure as they should be, and Bastille will make you think about what tradeoffs you really want to make between ease of use and security.

Re:Why do we need to harden distros ?

[yardbird]

In TFA, he claims that the project is helping to push vendors in that direction:

"The short-term effect of Bastille here was that possibly a hundred thousand Linux DNS servers couldn't be compromised. The long-term effect was that Linux distribution makers gained both familiarity with a couple more hardening steps and confidence that those steps would be palatable to users. Additionally, Linux users came to expect tighter configurations from their distribution vendors."

I agree it would be better for the vendors to do it without prompting, though, but this can help to standardize best practices.

Re:Why do we need to harden distros ?

[admorgan]

Why do we need hardening wizzards, tools software and so on. Why can't distributions be secure out of the box ?

What about those of use whom don't use a distro? I often build systems from scratch and this gives me a convient useful tool to lock it down. Also why not go the other direction... Why don't distros use generic tools like this to keep their system secure out of the box. I would like to point out one thing though. People use linux for just about everything today. The wizard gives you the functionality to do non standard things to your system where as if the distro was secure out of the box when you add a new serice would you be able to say it was still secure or what happens if you make a mistake setting up a config file. Generic tools very good at what they do is much better than a large tools or relying on assumptions about the overall state of a system.

Re:Why do we need to harden distros ?

[gilesjuk]

Security can often carry a level of pain with it that would annoy a desktop user.

Also auditing many applications takes time. You can expect a distro run by a few people to audit thousands of lines of code in each package.

Re:Why do we need to harden distros ?

Why do we need hardening wizzards, tools software and so on. Why can't distributions be secure out of the box ?

Because even if it is secure out of the box, after setting it up for everyday use it will probably no longer be secure anymore. That is where tools like this come in.

It is like OpenBSD. Sure it is secure out of the box. But the second you start configuring it to do something useful, if you don't know exactly what you're doing, you might make it insecure.

Re:Why do we need to harden distros ?

[jbolden]

I once built a very secure version. Here is the sorts of things it I did.

1) It had no shells of any sort, nor any user interface of any sort.

2) It would not mount any filesystem whose CDs meet a certain checksum (this avoided mounting random data). CDs that had the right checksum it would automatically run a program with a particular name. This was the sole way to introduce new software/issue commands to the system.

3) It only about 4 open ports, and 2 for getting data and 2 it used to sending the data out.

4) It was stripped having almost no software except the bare mimimum needed to run 2 apps. It used a minimal set of libraries missing any links that weren't needed for the included software. All the apps and all the libraries had their names scrambled (using a hash generator) so apache might be something like /vksjl39/skl9394/i8843nvnnf. This made the box harder to get around. The result most pieces of gcc software wouldn't have run at all with a great deal of knowledge about the box.

5) It checksummed the bios to verify the bios wasn't corrupted (i.e. boot password was intact).

6) Data on the drives were encrypted.

Sound like a fun distribution to work on? On the other hand under computer generated network attacks (like say 10000 attacks per second) they system was able function fine indefinitely. Even somebody with physical access would have had to take a long time to hack the system.

That is sort of the ultimate in Linux security. The goal of hardening a system it to reduce points of entry for people to issue privledged commands, and this is done by reducing features. And that means a decrease in usability.

Re:Why do we need to harden distros ?

[Mistah+Blue]

And if you know why things should be set up a certain way, you can make informed business decisions on possibly why you wouldn't want a certain thing secure (that "ought" to be). You could then document that yes it should be, but here is why we aren't doing it.

Re:Why do we need to harden distros ?

[0racle]

OpenBSD is, yet the fact the admin has to go and install extra things and actually configure services to run causes more people to whine that OpenBSD is too hard to use. People, including the vast number of admins, don't want a 'secure by default' installation, they want a system that just runs without much thought. Using Linux for that lets them delude themselves into thinking its secure on the based on the fact that its open source and not Windows.

Re:Why do we need to harden distros ?

[RealAlaskan]

... there's a trade off to be made between security and ease of use ...

Yes, indeed. Still, most of the things that really matter on a desktop system aren't part of that tradeoff.

My first linux install was RH6.0, and it had any number of servers running, right out of the box. Every server in the distribution was on and listening on the web, on the default install. For a great desktop experience, I didn't need NFS, bind, postfix, or any of a dozen other services that I eventually learned to shut down. What I did need was to be able to do what Win95 did, and RH6.0 with the red-hot, new 2.2 kernel did all that and more.

Automounting isn't a security risk on the typical home desktop, though it is a blasted nuisance, and should be easy to turn off. Open ports for things like X are a huge risk, and most distributions do a far better job of closing that sort of hole than RH6.0 did.

Re:Why do we need to harden distros ?

Why do we need wizards with two z's?

Re:Why do we need to harden distros ?

[Greyfox]

Compared to the level of pain required to correct an identity theft? I hear that's a pretty painful experience too...

When I was working at data general, we had a team of 4 to 5 people auditing the C standard library and the source code for all the various UNIX utilities. Admittedly the team did have several months to complete their work. It's not particularly difficult to audit code that's already been written, but it is rather boring work, which makes it difficult to do in an open source environment.

Re:Why do we need to harden distros ?

[Vandil+X]

Because some people newer to the world of Unix and Linux tend to execute

chmod -R 777 /

after giving up with trying to figure out permissions issues.

Re:Why do we need to harden distros ?

1) It had no shells of any sort, nor any user interface of any sort.

Next time my brother screws his Windows 98, I'll install him your distro.

Re:Why do we need to harden distros ?

[iamnotanumber6]

I built a very secure version too.

1) It had no shells of any sort, nor any user interface of any sort.

2) It would not mount any file system at all.

3) It had a firewall consisting of a one-inch air gap between the power cord and the power supply, which effectively prevented all unwanted electrons from breaking into the system.

This was *really* the ultimate in Linux security.

Re:Why do we need to harden distros ?

7) I attached 4 pounds of C4, so somone can only type the wrong password once.

Re:Why do we need to harden distros ?

[pAnkRat]

From the webpage:
"Is apache bound to 127.0.0.1 only?"
is one off the checks.

This is pretty secure, but for many webhosting servers, this is not really usefull, trust me.
Having each posible Sitevisitor build up a tunnel through SSH is not the way to go.

Now THAT's Funny!

[pandrijeczko]

This is presumably the same johnny.ihackstuff.com who got hacked himself recently resulting in the email addresses of subscibers to his web site getting into the hands of spammers - mine included with a huge increase in spam to it as a result.

Perhaps he should have used Bastille himself...

Re:Now THAT's Funny!

[j0hnnyhax]

You've got the right johnny, but well, you're just plain wrong about the email theft. No soup for you.

Re:Now THAT's Funny!

[pandrijeczko]

you're just plain wrong about the email theft.

Predictable response and you're in between a rock and a hard place no matter what answer you give - after all, if you admit to it, no-one's going to take you seriously on security any more...

It's a shame I didn't keep some of the original discussions about this because your site was definitely stated as the source from where our email addresses were obtained.

Re:Now THAT's Funny!

[j0hnnyhax]

To everyone in the security community that's been burned in even a small way by a hacker, hang it up. Sadly, your career is obviously over. You're done. No-one's [sic] going to take you seriously on security anymore.

My defacement did not result in my user database being compromised. If my hosting provider was broken into, then I apologize for the inconvenience, and I'll be sure to let them know. I hate even the idea that my user base might be inconvenienced as a result of signing up for an account. Seriously.

If this was a result of a break-in at my hosting provider, then to everyone in the security community that has had their hosting or upstream provider burned, even in a small way by an attacker- you should hang it up as well. Obviously your security career has also met an untimely demise. No-one's [sic] going to take you seriously on security anymore.

Listen carefully, and you can hear the sound of all the security careers grinding to an ugly halt. To those of you that might still be obstinately clinging to your career in security, keep on fighting the good fight. I know I will.

P.S. Bastille just plain rocks, which was the point of the post.

Re:Now THAT's Funny!

Yeah, it's not like any of his users have throwaway accounts.

"Oh no! They haxx0rd my spam account!"

mmmmm....lunchtime reading...

[nachtzeit]

second post =D

A windows version

[JohnnyKlunk]

I don't suppose someone could port this to windows could they?
There's not a lot of decent tools for non-security-expert admins and windows could do with something like this (not meant as an anti-windows troll).

Unfortunately too many corporate windows admins have so many pressures on their time that security of every server isn't always given the time it needs it sounds like this could provide a framework for that security.

Re:A windows version

[Sexy+Bern]

The baseline security analyzer?

http://www.microsoft.com/technet/security/tools/mb sahome.mspx

Re:A windows version

[Beatbyte]

why would you port security scripts for posix systems to windows?

if anything you could create a sister project for the same sort of thing for windows based systems... but do you have enough fingers for that damn?

Re:A windows version

[Sexy+Bern]

Hate to reply to myself, but some reluctant admins may also like to use the MS Exchange best practices analyzer:

http://www.microsoft.com/exchange/downloads/2003/e xbpa/default.mspx

Re:A windows version

[pandrijeczko]

I don't suppose someone could port this to windows could they?

It's not really "portable" in the same sense as, say, Mozilla Firefox.

I've not used Bastille in a while but I recall it's more of a tool that makes recommendations and changes to your system to lock it down - these can be everything from file permissions, service lockdown and kernel firewall settings.

Therefore it's very much tied to the UNIX topography and even if you got it to run on Windows, the architecture is so different that it would be a totally different application by the time you'd modified it enough.

However, you might want to consider running Bastille on, say, a Linux NAT/proxy router and just tucking Windows machines behind it.

Re:A windows version

[NickHewitt]

There is a windows version - its called the Microsoft Security Centre - it checks to see if you have an AV package, XP firewall turned on and Automatic updates switched on.. what more do you need to secure a windows box?

Re:A windows version

the MS Exchange best practices analyzer:

Or, shorter, http://www.exbpa.com/.

Re:A windows version

[Noksagt]

You might be joking, but quite a bit is needed to lockdown win32.

Bastille does useful things such as stop unneeded services. The *nux distros I've used have been far better out of the box than win32 machines I've seen. File permissions on win32 are also a nightmare. Bastille also locks down common userland apps. Misconfigured apache on win32 can do as much damage as apache on linux.

Re:A windows version

[XMyth]

2003 Server is better about this and I'm sure Longhorn will be too. That's not in defense of Windows, just FYI.

Also, I'm sure he was joking but the Microsoft Baseline Security Analyzer does a fair job at locking down Windows. I haven't used Bastille so I can't compare (from what I've heard I'd bet Bastille is more thorough though).

Re:A windows version

[pandrijeczko]

what more do you need to secure a windows box?

Unfortunately, you're lost on the context in which you would use Bastille.

AV packages and XP firewall are more desktop orientated security applications that usually provide a second layer of security protection after corporate firewalls, NAT routers, proxies, etc.

And whether you like it or not, there are security holes in Windows purely as a result of the architecture and the fact that a lot of applications have free access to any part of the system.

If you have similar security holes in Linux it's because you're running a service at root permissions or have some file permissions set wrongly. You might not be using a UNIX system that has strong password checking built in or you might have inactive accounts on your system. All these things the types of issues checked by Bastille.

Sure, you could use Bastille on a UNIX/Linux desktop to lock it down a bit but it's real use is for locking down services and maybe creating a server to hide desktops behind, like a NAT proxy. So it's more important in small office or home server use where a server needs to be doubly secure because you don't have the protection of two firewall layers that you will inevitably find in a corporate environment.

Re:A windows version

[NickHewitt]

Yeah I was joking I disable a number of services and install a long list of software to secure my Windows boxes before I allow them onto the internet. I would much prefer windows to ask me what services to start when I do the initial install as opposed to starting a load of services which I don't need - such as remote assistance....

Re:A windows version

As well, for Server 2003 SP1 - they included the security configuration wizard (SCW) that will ask you what you want your box to do - then will block ports/turn off processes that are not needed for running the tasks you specify.

Re:A windows version

[SonicBurst]

It's kinda already there and it is called the Security Configuration and Analysis tool. Probably not quite as in depth as Bastille, but does a very similar thing. There are only a few built-in security templates, but you can build your own easy enough.

Re:A windows version

[MajorDick]

It MAY be possible later as LongHorn / WinFS is supposed to use *nix stlye perms.

Re:A windows version

3 easy steps to secure a Windows box:

1. Find the power switch.
2. Power off.
3. Unplug network cable.

Re:A windows version

.... .....

Don't quit your day job.

Re:A windows version

Well, since windows is closed source you will never be as secure as a linux or BSD system. But the security baseline analyzer is a good start.

The NSA group policies for windows 2000 are also good, but you better know what you are doing!
http://nsa2.www.conxion.com/win2k/download .htm

Here is a huge NSA list for most systems:
http://www.nsa.gov/snac/downloads_all.cf m?MenuID=s cg10.3.1

Also read up at SANS.org

Too bad none of this is as easy to use as Bastille!

Well...

[JavaMoose]

I downloaded this, but I can't get it to run.

Anyone else haveing problems getting this to run on Windows XP?

Re:Well...

[JavaMoose]

Wow, pissy mods today...

IT WAS A JOKE.

Where are all the follow-up jokes like "If you ran it on Windows it would just tell you to install Linux" and the like?

Re:Well...

[ggvaidya]

Me too!

Do you get error code "4.09 Windows XP? Am I on candid camera?" too? Maybe we should report this ...

Re:Well...

It was choked to death by all the recommendations it would have to propose...

Re:Well...

[glsunder]

you have to download the front end for windows:
http://www.chiark.greenend.org.uk/~sgtat ham/putty/

Scoring systems

[admorgan]

The score idea is actually pretty central here. When I first heard about it, I thought it was overly simplistic, but people really do get motivated and sometimes even jazzed up about improving the score on a system. They'll get a lower score than their ego tells them they should and will turn around and harden a few items on the box just to achieve a more encouraging score.

This is an excelent example of making an application have a "value" as incentive to do the right thing. People are by nature competative and will strive to improve a "score" even if it doesn't necessarily help them in any way. I give cudose to whoever decided to add this feature.

Re:Scoring systems

cudose?

Sounds like a medical administration of copper!

Re:Scoring systems

[gowen]

People are by nature competative and will strive to improve a "score" even if it doesn't necessarily help them in any way

You're talking rubbish. Now, excuse me, I've got to go and whore some more Karma.

Re:Scoring systems

[m50d]

However, no kudos for whoever taught you to spell :)

Needs to be point and click.

[Guano_Jim]

The download instructions for OSX were a little intimidating, even for someone like me with basic Unix skills...

Once Bastille for OSX becomes completely point and click it will take off like Jean Valjean after stealing a loaf of bread.

Re:Needs to be point and click.

THAT was intimidating?

it was about as straight forward as you can get and still be a command line install.

Re:Needs to be point and click.

The download instructions for OSX were a little intimidating, even for someone like me with basic Unix skills...

From the Bastille-Linux OS X page

1. Download the tarball from the source link: Bastille-.tbz2.
2. Uncompress the file, like so:

tar -xjvf Bastille-.tbz2

NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the next week.
3. Run the install script, like so:

cd Bastille && sh ./Install-OSX.sh

4. Confirm that you have perl-Tk installed.
5. Start up an X Server.
6. Run bastille -x.

I'm thinking that anyone who doesn't have the skill to do that won't be able to implement the changes suggested by Bastille either, making the whole exercise pointless.

Re:Needs to be point and click.

[swiftstream]

What, get locked up for 19 years?

Five years for what you did, the rest because you tried to run...

Re:Needs to be point and click.

[jbolden]

Anyone who can't do that probably can't implement the hardening advice. It works in the other direction though, there are lots of people who could follow those instructions that could use the advice.

Re:Needs to be point and click.

[ccharles]

Once Bastille for OSX becomes completely point and click it will take off like Jean Valjean after stealing a loaf of bread.

I think they're planning on getting that up and running by 24/6/01.

Re:Needs to be point and click.

[clickster]

Once Bastille for OSX becomes completely point and click it will take off like Jean Valjean after stealing a loaf of bread.

As I recall, he didn't get very far, did he...Javert (sp?) my old friend.

Re:Needs to be point and click.

That part's trivial. The perl-Tk installation doesn't like me, though, and I can't figure out why.

Re:Needs to be point and click.

[n3m6]

french jokes aren't funny, especially those alluding to Les Miserables

Re:Needs to be point and click.

[clickster]

Random whiny comments aren't useful either. Especially when they allude to allusions of Les Miserables.

Re:Needs to be point and click.

[iamnotanumber6]

I struggled with this for a while.

"NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the next week."

Huh? Well, it seemed to unpack for me, I don't know.

Step three actually says:

3. Run the install script, like so:

cd Bastille && sh bin/Install-OSX.sh

Which didn't work (you've corrected it above, but not on the actual page). Fooled around for a while in confusion about that, since there *is* an install script in the bin directory, but it's called "bastille"; it has an "os" option but only seems to know about HP-UX and not OSX...

Finally found the other script, which failed with lots of error messages. You need to do "sudo" before the command.

And then, "confirm that you have perl-Tk installed". Apparently I don't. "Do not forget to get perl-Tk installed before running Bastille." - to me that's a bit like "attach the toaster to your nose in the usual way". Where do I get it? Fink? Nope, not there. perltk.org? Total confusion. Ok, it's over an hour now, I'm still searching around trying to find how to install perlTk on OS X, and you know what?

Fuck it.

It's not that I don't have the skills. I just don't want fool around anymore.

I don't mean to be critical, but you've been slashdotted, and there are going to be a *lot* of people having the same frustrating experience that I just did today, who probably won't remember to come back next week when it's working.

Re:Needs to be point and click.

[poopdeville]

He didn't allude. He referred.

Re:Needs to be point and click.

[clickster]

I realized that when I was typing, but it just didn't sound as good. I really needed the double-word score

Re:Needs to be point and click.

[KH]

For perl/Tk, just run

cpan

and once you are inside cpan, you should issue a command "force install Tk". You have to force because cpan fails some of the tests.

I wouldn't have had problem installing Bastille, but I noticed that the install script installs all the files under /usr (like /usr/sbin, /usr/lib, etc.). So, I simply changed all the /usr/ to /usr/local/ where I usually install stuff myself.

Then, the install script runs OK, but... we don't have the script "bastille" installed! It's still lying in the bin/ directory of the distribution. As far as I can tell, the other install script doesn't seem to install the script either :O

So, I'd copy the script to the /usr/local/bin, and run... no luck because the bastille script expects the files it needs to be installed in /usr/share or /usr/lib or /usr/sbin :(

Then, I'd change those hard-coded locations in the bastille script by hand, and run. Another error. It still cannot find Bastille/*.pm in /usr/local/lib/Bastille because the $LIBPATH or whatever in the bastille script has /usr/local/lib/Bastille instead of just /usr/local/lib :(

I'd correct it and run bastille, and now I get another error telling something about it cannot find some information. At that point, I decide to rm -fr /usr/local/lib/Bastille and /usr/local/share/Bastille and a couple of files the install script installed in /usr/local/sbin :(

Cool, but...

[DrLex]

The ironical thing about this software is that it only works on *n*x systems, while the OS that probably could benefit most from it is Windows...

Re:Cool, but...

[Dr.Opveter]

It's not that ironic if you see what type of thing it actually checks.
Windows usually doesn't come with a mail or ftp server (yeah yeah, line up the spyware/malware server installing jokes here).

Re:Cool, but...

[Zemplar]

The ironical[sic] thing about this software is that it only works on *n*x systems, while the OS that probably could benefit most from it is Windows...

...as the saying goes, "You can't polish a turd!"

Re:Cool, but...

[Allicorn]

While Windows might certainly benefit from some similar support, Bastille provides a great service for Linux. With the popularity of Linux continuing to rise and rise, there are plenty of sysadmins in previously all-Windows shops who, while trying to learn all they can, are still nowhere near expert and can benefit from pre-packaged expertise like this.

In the early days of my shop trying some Linux servers, we were hit more than once by hackers and worms targetting known exploits in common Linux elements such as Bind. Didn't understand the OS well enough at the time to anticipate the holes. Wasn't familiar enough with the 'net-based sources of information of Linux expertise to always get the heads-up on new things to watch out for.

After bringing in Bastille, we never suffered another similar attack.

The project is a great boon for new Linux adopters and while long-time Linux experts might be quite comfortable in their ability to secure their own machines without products like this, for the sys-admin new to Linux, Bastille helps to provide that assurance of safety needed to help shops continue running the OS while their admins trek the long road toward a high enough level of Linux experience to be able to do it for themselves.

Re:Cool, but...

Or as quality manager friend of mine says. pluck the low hanging fruit first. Or in other words do the easy jobs first before tackling the near impossible jobs.

Re:Cool, but...

[TheAwfulTruth]

Nevermind that Microsoft has been shipping security lockdown and analysis tools for their own OS for YEARS now :( (Since at least Win2k)

http://www.microsoft.com/technet/security/tools/ de fault.mspx

Not that many IT people can pull their head out of their asses long enough to bother with them though :(

Locked down, admined and patched Windows machines do not get hacked. But don't let facts get in the way of a good MS bash.

Re:Cool, but...

[monkeydo]

There was a C2 security tool in the Windows NT resource kit.

What's the equivalent on Windows?

The windows admins here keep saying that Windows has better security stuff than Linux; so before raising this issue with them, I wanted to get a heads up on how they might respond.

Re:What's the equivalent on Windows?

The windows admins here keep saying that Windows has better security stuff than Linux

Do they? Where, I haven't noticed?

Windows 2003 SP1 has a funky new security lockdown wizard, and there've been IIS lockdown tools for a few years now. There's also MBSA which lets you security-scan your whole domain in one go.

Re:What's the equivalent on Windows?

[Senzei]

A lot of the "better security stuff" arguments i've seen tend to boil down to "NTFS permissions are more granular" and various arguments about active directory. At least when compared to default file permission handling in linux NTFS can do a whole lot more.

Combined with active directory it lets you set access controls on anything in your domain down to a per-user basis if you decide to be that anal. The fact that you can set a complex folder permissions policy, apply it through active directory, and have it update automagically is a nice touch too.

I'm not saying that either system has inherently better security. I think "out of the box security" arguments are a load of crap. Who cares if it is insecure by default, that is why we have the ability to change default settings.

Anyways, expect to see something about the following when you go in for this little argument.

• NTFS
• AD
• The combination of the above two
• Group Policy
• The word "granular" or phrase "more granular" a lot in relation to any of the above items
• XP Service Pack 2, possible 2003 Service Pack 1, and how either/both are a sign of a "Strong security commitment by microsoft"

Arguments I would suggest as points against windows security:

• Lack of established areas for installation files or the "Every app expects to be able to install itself in any directory no matter how critical" issue.
• The IE lack of true separation between browser and OS nightmare
• Further the above point with the fact that almost everything microsoft that works on the internet uses this code that is tied into the OS, so security issues with outlook, office, and IE all become security issues for the entire operating system
• Low knowledge barrier to entry for windows admins. They can make the system do more with less brains

• Either way you won't win anyone over. The argument is all fine and good but in the end people will not admit that the only thing they are trained to work on is less secure even if they believe it is.

Only half the battle...

[lakerdonald]

A "lockdown" program such as this is only half of the battle. You need to keep your kernel updated, patch programs with fixes, and also make sure that a lockdown program such as Bastille is actually doing what it's supposed to, by making sure that the rules and configurations it creates are actually sane.

Re:Only half the battle...

[bhima]

No, I think it's a bit more than half.

Usually when people update their windows servers it's because some virus or worm is rampaging about the net making everyone's life miserable. Whereas when I update my Linux server, it's because a couple propeller heads in a lab somewhere figured out some obscure weakness and the fix.

Re:Only half the battle...

[mwvdlee]

Why wouldn't Bastille be able to do this itself? It wouldn't be that hard to check if new security patches were release for the current kernel or whether it is up-to-date itself.

Re:Only half the battle...

[lakerdonald]

What I mean is that you shouldn't just start the program and then leave it running without ever checking on it, assuming everything's going fine. It's the mentality that something else will do it for you which makes so many systems vulnerable.

Wow.

[sglider]

I'm pretty stoked about this. Of course, this is the first time I've even *heard* about Bastille Linux, but as a Windows IT guy that wants to move to linux (gentoo, here I come?), I'm glad to see these innovations and changes.

On a related note, if Windows made updates/innovations at this rate, I highly doubt that there would be this much criticism towards them. It's amazing that a company that hosts the richest man in the world can't cope with the innovation of an 'inferior' (I'm being facetious here, not trolling) business model.

Re:Wow.

[pandrijeczko]

but as a Windows IT guy that wants to move to linux

Why "move"? Dual boot it, play with it and move when and if you're ready to.

It's amazing that a company that hosts the richest man in the world can't cope with the innovation of an 'inferior' (I'm being facetious here, not trolling) business model.

The problem with Windows security is one of architecture, not so much business model.

When a UNIX system gets attacked, it's because some cracker or script-kiddie has picked that system as a target - because of a buggy service that can be buffer overflowed, maybe because of a weak password on an account or maybe because of a file permissions issue. However, all these vulnerabilities can be corrected by a sysadmin who knows what he's doing and applies patches, tunrs of unnecessary services and locks permissions down. Bastille is just a tool that does the vulnerability analyis for the sysadmin and makes recommendations, maybe even carries some out.

Windows, by design, has to allow certain applications full access to the system. That's why attacks on Windows systems are not usually targetted attacks but worms and viruses that can exploit a design weakness to get in and do their stuff on any Windows systems they find. So where as you know the likely points of intrusion into a UNIX system, you don't on Windows until either a worm hits it or MS release an update telling you what they've fixed.

You can't say that either UNIX or Windows is more secure than the other out of the box but a good UNIX sysadmin has much more chance of predicting and preventing attacks than a good Windows sysadmin does.

Re:Wow.

as a Windows IT guy that wants to move to linux (gentoo, here I come?),

Since you felt the need to mention that you are in IT, I am going to assume that you are talking about moving some of the production machines over to Linux. If that is the case I would strongly advise against Gentoo. Go with a distro that has some kind of real support that will make management happy, we use Redhat but now that Novell owns and supports SuSE I would say that they are also an option.

Gentoo is not suited for the corporate arena. Gentoo is just the current trendy distro to have installed. There is always some trendy distro within the Linux Geek world and right now that distro is Gentoo. Give it a year and there will be another trendy distro and Gentoo will be forgotten. I say this as a guy who has been watching this happen for close to a decade now. Don't be a conformist geek sheep. Go with what works in the workplace not what some smelly zealot who has never even worked in IT thinks is the cool distro.

Re:Wow.

[adamfranco]

Go with what works in the workplace not what some smelly zealot who has never even worked in IT thinks is the cool distro.

Gentoo or most any other distro -- given a good admin -- can function well doing just about any type of normal "business" task. But as we are all beginning (at varying rates) to realize is that the distro itself doesn't really matter. More and more the various configuration tools are being ported to many/all distros and what we are left with are basically just different choices of filesystem (and a few other small things ;-)) that many users wouldn't notice.

The key thing, as you sort of note yourself, is make management happy. This is where Redhat/SuSE provide most of their value -- having someone to blame. Additionally, they do provide a sort of standard so that management can go hire someone who is an RHCE and be reasonably sure that that person can take care of the machines after their current admin decides to leave.

Re:Wow.

[Senzei]

However, all these vulnerabilities can be corrected by a sysadmin who knows what he's doing and applies patches, tunrs of unnecessary services and locks permissions down.
Note: bolding added by me for emphasis.

That applies to windows, linux, and basically anything else that is put in front of people who may want to trash it.

Windows, by design, has to allow certain applications full access to the system.

No, Windows by business model has to allow certain applications full access to the system. It's called legacy support, and windows goes a whole lot further back with it than linux does.

If one of the critical features of linux was support for as much of the past linux software as possible it would have many of the same problems. Especially if linux development had started at the same time DOS was being kicked around, and linux had to support the design practices of that time period too.

a good UNIX sysadmin has much more chance of predicting and preventing attacks than a good Windows sysadmin does.

No. A good windows sysadmin will know as much about securing windows as a good unix one does about securiting unix. The first thing I do on any fresh windows install is start up the firewall (if required) and explicitly deny tcp/udp 135, 137, 138, 139, and 445. That one action right there stops the majority of worms on the net, and has zero impact to most home users.

My point is that the majority of windows' problem lies in supporting legacy code (and the poor design methods all code at that time relied on) and a low knowledge barrier to entry for basic windows administrative actions. (You have to know less about windows to get anything done with windows). Fix those two as best as possible and a windows box can be just as secure.

Damn straight it's not UNIX

[Senor_Programmer]

UNIX, rm * GONE!

distros, rm rebigulattor.shit-on-your-shoe ARE YOU SURE?

UNIX, install, patch, set up according needs, tweak kernel, ...

distros, "Why can't it come out of the box with a hard on"

Re:Damn straight it's not UNIX

Wow...was that supposed to make any sense, or have you just been hitting the crack pipe too hard lately?

Re:Damn straight it's not UNIX

[Senor_Programmer]

No, just commenting on the never ending, "it should come this way out of the box", statements.

IMO things began to go down hill when 'they' started trying to make unix friendly. It's a tool and you don't put doilies on a tool.

Making the various distros suit the majority of whiners is as much wasted effort as trying to shoot a duck on the midway using a rubber barreled 'rifle'.

re: Bastille Unix

[BitterAndDrunk]

Just as an FYI -
Bastille Linux is a program, not a flavor. It should run on any flavor of Linux Distro with the appropriate tweaking.

It's really nice; I was introduced to it with the book "Hackproofing Linux" and it does a lot of neat stuff.

Sets up sudo (if it's not already configured) Creates a second root user that is the "true" root user, and keylogs everything that root does, and alerts the true root of any attempted accesses
And a bunch of other stuff. I just thought the root stuff was extra sexy.

Hah! You silly American programmers!

I wave my private parts in your general direction!

[hurls poop]

They're soliciting packagers...

[Noksagt]

We are actively seeking OS X packagers -- please e-mail Jay if interested.

I don't use OS X, but if anyone is looking to have a good impact with little effort email jay at bastille-linux.org

*BSD versions?

[Noksagt]

I'm a bit surprised that it has been ported to a primarily desktop-OS (OS X), rather than Free/Open/Net-BSD. Anyone know of efforts to get this into ports? Are there already equivalent *BSD tools?

Re:*BSD versions?

Are there already equivalent *BSD tools?

If things could be done on OpenBSD to improve security it would probably be better to simply contact the OpenBSD developers. They would probably make it the default so extra step weren't necessary.

Re:*BSD versions?

[Justin205]

I don't think this would really make a difference to security on OpenBSD. It's quite secure as-is.

I suppose their reasoning was that Macs have a larger percentage of the market share than *BSD. Or maybe someone just felt like porting to OSX, and no one was motivated to port to *BSD.

Re:*BSD versions?

Or maybe someone just felt like porting to OSX, and no one was motivated to port to *BSD.

I'd bet that's the answer.

Re:*BSD versions?

[dodobh]

Bastille for OpenBSD?

"I see that I am running on an OpenBSD system.

Checking ...
You are working as the root user. This is not secure. Please run as a non root user."

Call me a troll

[dos_dude]

but if the best thing you can say about something is that it's free and open source!, then what you are talking about isn't worth talking about.

I'm sure that Bastille is really nice and good and whatnot, but Best of all, it's free and open source! just doesn't sound that good to me.

We like open source because many OS programs are good or even very good, not because they are open source. Or don't we?

Re:Call me a troll

[NickHewitt]

ok... dos dude your a troll :o)

Re:Call me a troll

[gr8_phk]

"We like open source because many OS programs are good or even very good, not because they are open source. Or don't we?"

I like Free Software (GPL) because of the license. As a consequence of this license, many programs are good or very good. I actually prefer Free Software to other open source. This attitude is rather common, but so is yours. In the end, most of this stuff exists because of the licensing model. One should respect that. Should we call it the "best" feature? Probably not. GPL or just OSS does not imply quality automatically.

Re:Call me a troll

Out of curiosity,

Do you write GPL software or just use GPL software?

Re:Call me a troll

[dos_dude]

OK. So it looks like I'm a flamebaiting troll posting interesting articles. Cheers to the moderators! I told you to call me a troll. I never said anything about rating.

If I GPLed my first hello-world program, the best thing you could say about this piece of software is that it's free and open source. Surely, Bastille is a lot better than my hello-world, which wasn't even standard compliant.

What if you went shopping for a used car and the salesman told you "and the best thing: it's got a little light in the ashtray!"?

Yes, Slashdotters prefer free and OS software to commercial apps. But it seems to me that Slashdotters aren't the ones that decide about what software gets to run on the company's servers. It's the people that are called 'suits' around here and those people generally don't pay that much attention to the license. If these people think that a particular piece of software is good, they will happily shell out lots and lots of money.

If you want those people to use OS software, then please don't sound like bad used-cars salesmen.

Thanks for not reading this.

Windows Security, would you rephrase the question?

Does anyone see the connection between:
* Windows Security
* Military Intelligence
* Faith Sciences
* Microsoft Works
* Jumbo shrimp
* Guest host
* First-strike defense
* Department of Interior (responsible for everything outside ..???...)
* Pretty ugly
* Recently new
* Good grief
* Clean hack
* Violent Agreement
* This page intentionally left blank
* "Thank God I'm an Atheist"
* New classic
* Terribly pleased
* Sweet sorrow
* Small crowd
* Synthetic natural gas
* Genuine imitation
* Airline Food
* Terribly Good
* Terrific Head Ache
* Alone together
* Living dead
* Paid volunteer.
* Original copy.
* Long shorts
* Talkative mime
* Tactical mass destruction
* Friendly fire (as in firearms)
* Democratic dictatorship
* Real fake
* Old news

I'd like Mandrake 9.2 support.

[neo]

[root@localhost root]# bastille --report
ERROR: 'MN9.2' is not a supported operating system.

Re:I'd like Mandrake 9.2 support.

[Lord+Kano]

Same issue for me and Mandrake 10.0

LK

it's all good but..

[Suchetha]

.. when do we get one for Slackware

Suchetha

Re:it's all good but..

You might want to look here:

http://www.bastille-linux.org/source.html

More comprehensive tool

[olyar]

The assessment demo looks pretty nice, but not as comprehensive as, the Tiger Security tool. http://savannah.nongnu.org/projects/tiger.

I've been working with Tiger quite a bit over the last few months (even contributing some changes) and I'm pretty impressed with what it can do.
Also handy is the fact that it runs on most of the proprietary *NIX's.

[/Tiger Plug]

Re:More comprehensive tool

[99BottlesOfBeerInMyF]

Your link is broken. The correct link is: http://savannah.nongnu.org/projects/tiger.

Re:More comprehensive tool

[iamnotanumber6]

will it run on Tiger?

You can pick up a easy bonus point...

[MarkusQ]

You can pick up an easy bonus point if you spell "kudos" correctly (hint: it's from Greek).

--MarkusQ

this is *why*

[Heisenbug]

A major reason that nix systems have a reputation hereabouts for superior security is that developers bother to write tools like this, and admins bother to run them and pay attention. It's not ironic -- it's an object lesson. As linux gets more exposure, we'll have an increasing need for this type of thing.

For example, I've worked under linux at work for years, I could whip out the perl command to ROT-13 your entire drive in a couple of seconds, and I'm pretty sure any linux box I set up would be totally insecure. Don't downplay the significance of tools like this ...

Gentoo

[Danuvius]

You mentioned Gentoo.

It is definitely more work to setup (though, if you are computer literate you doubtless will be able to do it, so long as you pay close attention to the Handbook) but more rewarding in the end.

For me, other than that I found Gentoo to be the distribution that really started teaching me about linux, Gentoo was my eventual "only choice" because of the range of programs I use.

I found no other distribution had *all* the programs I use in their native software repositories. And installing from third-party repositories eventually caused me problems on other systems. (SuSE, Debian, Ubuntu and Xandros were my other linux attempts.)

So, let me heartily suggest, if you do make a decision to try out linux; do some research about programs first to make sure you can get the software you need with the distro you choose.

If you do go with Gentoo, I (and the myriad other forum users at http://forums.gentoo.org/ will be happy to help you). If you'd like some pre-installation tips or help with figuring out linux equivelant programs send me a private message at http://forums.gentoo.org/ (username: danuvius) and I'll be happy to help you out.

Re:Gentoo

[sglider]

I am registered on the Gentoo Forums site, and was especially interested in the SELinux section. Most notably, I currently run an FTP server for a gaming group I belong to, and would rather host a webserver for the same thing. Secure downloads, a small but definite plus in belonging to a gaming clans. (I *hate* trying to get downloads off of fileplanet et. al. these days) Gentoo is my means to an end. While I know Red Hat Linux, I'm disappointed in the lack of knowledge I really need to get the system to do what I need to. In contrast, with a Stage 1 install from Gentoo, I'm not only getting my feet wet, but I'm nearly in over my head. Exactly where I want to be. As a Windows IT guy (when I play that way, currently I'm in another profession) I'd love to transition someone from the Windows side of the house to the Linux side of the house. Bastille just gives me another reason to make that case, especially with Microsoft's many screw ups in the arena of security.

I prefer Castle Linux

[Garlik+II]

http://castle.altlinux.ru/

Data

[phorm]

Ahhh, but you do want to keep somebody from pulling a "prison-break" and getting your data out...

yu0 7ail it

session and joinX in metadiscussions

Great news

This new reporting feature reminds me of the CIS Security Benchmark which was recently covered by NewsForge. The thing that has always bothered me about CIScan, however, is the mandatory registration process you have to go through before you download it. With Bastille offering similar functionality the need to use CIScan is greatly deminished in favor of a more "open" solution (not to bash CIS, but I don't enjoy having to keep track of yet-another-download-account).

What really makes the CIS benchmark great is the manual it comes with (which I briefly described in a comment here), so I hope the Bastille project doesn't neglect to document the benchmark in a similar way as to inform adminstrators about the various trade-off's involved. I suspect Bastille has modeled the reporting-feature after CIScan, though, so it will probably turn out to be a great replacement.

Great work guys, this new feature is welcomed with open arms.

URL Fix!

[TheAwfulTruth]

How odd, a space got in that URL.

SlashCode seems to automatically add a space when a long line wraps. how nice and helpful of it! [Must resist making snarky comment about OSS quality...]

Remove the space and it works...

Re:URL Fix!

[ocelotbob]

it's not a bug, it's a feature you closed-source twat. It's done to prevent crapflooders from widening the page with large words. Make it into a real link with:

<a href="http://yadda/yadda/">...text...</a>

or, if you want to be real lazy:

<url:http://whatever/whatever>

It's not that hard, really, it's not. I'm sure even your windows-using peabrain can pick it up.

Re:URL Fix!

[TheAwfulTruth]

What, /. can't insert a line feed without adding a space?!?

Re:URL Fix!

Er, who was the real twat here?

Not to mention that the line wasn't even long enough to wrap. There was no conceivable reason for adding a space to the line.

It's a hack fix to a hacked bit of web programming that goes by the name of SlashDot!

Re:URL Fix!

I've been on plenty of BB systems that managed to avoid the "Page widening bug" without doing something as brain dead as randomly inserting spaces into people's posts.

How about /. actually FIX THE PROBLEM rather than applying a shit-ass patch to a broken system?

Nah, that would be so un-FOOS like.

doesn't help

[ylikone]

I run archlinux (modified version of slackware) and while the source does compile fine, the executable won't run because of "unknown" OS. Even if I specify one of the supported OS types via the "--os" parameter, it still won't run.

Re:doesn't help

[mattyrobinson69]

same with (k)ubuntu

I'm still waiting for the royalties

[Dhrakar]

Doggonit! I just knew that I should have trademarked my name. I mean, I'm flattered and all, but really! Ah, well... at least I can get a free copy :-)

Derek Bastille

I voted for Kudos...

[billstewart]

Wait, wasn't KuDOS an early PC operating system?