Slashdot Mirror


Bastille Adds Reporting, Grabs Fed Attention

johnny.ihackstuff.com writes "NewsForge interviews the Bastille project lead Jay Beale about Bastille's cool new assessment feature, which reports and scores Linux security and -- as always -- makes Linux lockdown super-easy. Available for many distros and Mac OS X, too. Best of all, it's free and open source!" As Jay points out in the interview, the work was "sponsored by the U.S. government's Technical Support Working Group." An anonymous reader summarizes the new capability: "In essence, Bastille now does two things. In one mode, it locks down an operating system, tweaking the configuration for increased security, asking you about each step and teaching you along the way. In the new Assessment mode, it reports on what hardening steps have been taken and what could be taken."

43 of 151 comments

  1. Call me a bluff traditionalist... by gowen · · Score: 5, Funny

    ... but if I were starting a Linux security project, I'd name it after a prison which was difficult to escape from, rather than one famous for being stormed by about 1,000 upset Frenchmen.

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:Call me a bluff traditionalist... by Qzukk · · Score: 4, Funny

      rather than one famous for being stormed by about 1,000 upset Frenchmen.

      Good thing I don't need to keep 1000 upset Frenchmen out of my server ;)

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:Call me a bluff traditionalist... by Pogue+Mahone · · Score: 4, Insightful

      Problem is, you don't want to stop people from escaping. You want to stop them from getting in. IIRC there was never any real problem to get IN to Alcatraz.

      --
      Every bloody emperor has his hand up history's skirt [Peter Hammill/VdGG]
    3. Re:Call me a bluff traditionalist... by gowen · · Score: 5, Funny
      Bastille is a French word meaning "castle" or "stronghold"
      And "C'était une plaisanterie, vous clod d'humeur-moins" is a French phrase meaning "It was a joke, you humourless clod."
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    4. Re:Call me a bluff traditionalist... by mattyrobinson69 · · Score: 2, Funny

      I don't think they'd be a problem, I'm guessing bash doesn't understand outrageous comical accents.

    5. Re:Call me a bluff traditionalist... by jd · · Score: 2, Funny

      If you recall correctly? I hope you mean if someone else recalls correctly. :)

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    6. Re:Call me a bluff traditionalist... by Neoncow · · Score: 2, Insightful
      You know, if they taught that at school, I'll bet students would have a lot more fun learning a foreign language.

      Instead of doing stupid skits commenting about what people are doing, all skits should end with insults being tossed around.

      I mean, insulting someone in a foreign language. There's something that's actually useful!

  2. Why do we need to harden distros ? by Elgreco1 · · Score: 5, Insightful

    Why do we need hardening wizards, tools, software and so on? Why can't distributions be secure out of the box?

    1. Re:Why do we need to harden distros ? by gowen · · Score: 5, Insightful
      Why can't distributions be secure out of the box ?
      Essentially, there's a trade-off to be made between security and ease of use (for example, a hardened distro won't let users mount filesystems, let alone do it automagically. Desktop distros consider automounting CDs and USB sticks to be de rigueur.).

      Most distributions try to steer a happy medium. Some sacrifice security for simplicity. Others (like Bastille) take the opposite tack.
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    2. Re:Why do we need to harden distros ? by Kaali · · Score: 2, Insightful

      Because some security features have pros and cons. It might make your system more secure but suddenly normal users can't use CDs and so on. These wizards can tailor the systems security according to your needs, not general needs which will not be as secure as a complete customized system.

    3. Re:Why do we need to harden distros ? by Daengbo · · Score: 5, Insightful

      Part of Bastille's goal is to educate the admin, as well, so (even if your distro is very secure out of the box) you can run the program, listen to all the checks and changes, learn from Bastille why things should be set up that way, and maybe admin your box better. Alas, though, most distros are not as secure as they should be, and Bastille will make you think about what tradeoffs you really want to make between ease of use and security.

    4. Re:Why do we need to harden distros ? by yardbird · · Score: 4, Informative

      In TFA, he claims that the project is helping to push vendors in that direction:

      "The short-term effect of Bastille here was that possibly a hundred thousand Linux DNS servers couldn't be compromised. The long-term effect was that Linux distribution makers gained both familiarity with a couple more hardening steps and confidence that those steps would be palatable to users. Additionally, Linux users came to expect tighter configurations from their distribution vendors."

      I agree it would be better for the vendors to do it without prompting, though, but this can help to standardize best practices.

      --
      Free, legal music for iTunes users.
    5. Re:Why do we need to harden distros ? by admorgan · · Score: 5, Insightful
      Why do we need hardening wizards, tools, software and so on? Why can't distributions be secure out of the box?


      What about those of us who don't use a distro? I often build systems from scratch and this gives me a convenient, useful tool to lock it down. Also, why not go the other direction... Why don't distros use generic tools like this to keep their system secure out of the box? I would like to point out one thing though. People use linux for just about everything today. The wizard gives you the functionality to do non-standard things to your system, whereas if the distro was secure out of the box, when you add a new service would you be able to say it was still secure, or what happens if you make a mistake setting up a config file? Generic tools that are very good at what they do are much better than large tools or relying on assumptions about the overall state of a system.
    6. Re:Why do we need to harden distros ? by gilesjuk · · Score: 3, Insightful

      Security can often carry a level of pain with it that would annoy a desktop user.

      Also auditing many applications takes time. You can expect a distro run by a few people to audit thousands of lines of code in each package.

    7. Re:Why do we need to harden distros ? by jbolden · · Score: 4, Interesting

      I once built a very secure version. Here are the sorts of things I did.

      1) It had no shells of any sort, nor any user interface of any sort.

      2) It would not mount any filesystem whose CDs meet a certain checksum (this avoided mounting random data). CDs that had the right checksum it would automatically run a program with a particular name. This was the sole way to introduce new software/issue commands to the system.

      3) It only had about 4 open ports: 2 for getting data and 2 it used to send the data out.

      4) It was stripped, having almost no software except the bare minimum needed to run 2 apps. It used a minimal set of libraries missing any links that weren't needed for the included software. All the apps and all the libraries had their names scrambled (using a hash generator) so apache might be something like /vksjl39/skl9394/i8843nvnnf. This made the box harder to get around. The result was that most pieces of gcc software wouldn't have run at all with a great deal of knowledge about the box.

      5) It checksummed the bios to verify the bios wasn't corrupted (i.e. boot password was intact).

      6) Data on the drives were encrypted.

      Sound like a fun distribution to work on? On the other hand, under computer-generated network attacks (like say 10000 attacks per second) the system was able to function fine indefinitely. Even somebody with physical access would have had to take a long time to hack the system.

      That is sort of the ultimate in Linux security. The goal of hardening a system is to reduce points of entry for people to issue privileged commands, and this is done by reducing features. And that means a decrease in usability.

    8. Re:Why do we need to harden distros ? by iamnotanumber6 · · Score: 2, Funny

      I built a very secure version too.

      1) It had no shells of any sort, nor any user interface of any sort.

      2) It would not mount any file system at all.

      3) It had a firewall consisting of a one-inch air gap between the power cord and the power supply, which effectively prevented all unwanted electrons from breaking into the system.

      This was *really* the ultimate in Linux security.

  3. Now THAT's Funny! by pandrijeczko · · Score: 3, Informative
    This is presumably the same johnny.ihackstuff.com who got hacked himself recently, resulting in the email addresses of subscribers to his web site getting into the hands of spammers - mine included, with a huge increase in spam to it as a result.

    Perhaps he should have used Bastille himself...

    --
    Gentoo Linux - another day, another USE flag.
  4. A windows version by JohnnyKlunk · · Score: 2, Insightful

    I don't suppose someone could port this to windows could they?
    There's not a lot of decent tools for non-security-expert admins and windows could do with something like this (not meant as an anti-windows troll).

    Unfortunately too many corporate windows admins have so many pressures on their time that security of every server isn't always given the time it needs; it sounds like this could provide a framework for that security.

    1. Re:A windows version by Sexy+Bern · · Score: 5, Informative
    2. Re:A windows version by Sexy+Bern · · Score: 4, Informative
      Hate to reply to myself, but some reluctant admins may also like to use the MS Exchange best practices analyzer:

      http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx

    3. Re:A windows version by pandrijeczko · · Score: 4, Informative
      I don't suppose someone could port this to windows could they?

      It's not really "portable" in the same sense as, say, Mozilla Firefox.

      I've not used Bastille in a while but I recall it's more of a tool that makes recommendations and changes to your system to lock it down - these can be everything from file permissions, service lockdown and kernel firewall settings.

      Therefore it's very much tied to the UNIX topography and even if you got it to run on Windows, the architecture is so different that it would be a totally different application by the time you'd modified it enough.

      However, you might want to consider running Bastille on, say, a Linux NAT/proxy router and just tucking Windows machines behind it.

      --
      Gentoo Linux - another day, another USE flag.
    4. Re:A windows version by Noksagt · · Score: 2, Insightful

      You might be joking, but quite a bit is needed to lock down win32.

      Bastille does useful things such as stop unneeded services. The *nux distros I've used have been far better out of the box than win32 machines I've seen. File permissions on win32 are also a nightmare. Bastille also locks down common userland apps. Misconfigured apache on win32 can do as much damage as apache on linux.

    5. Re:A windows version by XMyth · · Score: 2, Insightful

      2003 Server is better about this and I'm sure Longhorn will be too. That's not in defense of Windows, just FYI.

      Also, I'm sure he was joking but the Microsoft Baseline Security Analyzer does a fair job at locking down Windows. I haven't used Bastille so I can't compare (from what I've heard I'd bet Bastille is more thorough though).

    6. Re:A windows version by pandrijeczko · · Score: 3, Informative
      what more do you need to secure a windows box?

      Unfortunately, you're lost on the context in which you would use Bastille.

      AV packages and XP firewall are more desktop orientated security applications that usually provide a second layer of security protection after corporate firewalls, NAT routers, proxies, etc.

      And whether you like it or not, there are security holes in Windows purely as a result of the architecture and the fact that a lot of applications have free access to any part of the system.

      If you have similar security holes in Linux it's because you're running a service at root permissions or have some file permissions set wrongly. You might not be using a UNIX system that has strong password checking built in or you might have inactive accounts on your system. All these things are the types of issues checked by Bastille.

      Sure, you could use Bastille on a UNIX/Linux desktop to lock it down a bit, but its real use is for locking down services and maybe creating a server to hide desktops behind, like a NAT proxy. So it's more important in small office or home server use, where a server needs to be doubly secure because you don't have the protection of two firewall layers that you will inevitably find in a corporate environment.

      --
      Gentoo Linux - another day, another USE flag.
    7. Re:A windows version by MajorDick · · Score: 2, Interesting

      It MAY be possible later as LongHorn / WinFS is supposed to use *nix style perms.

  5. Well... by JavaMoose · · Score: 4, Funny
    I downloaded this, but I can't get it to run.

    Anyone else having problems getting this to run on Windows XP?

  6. Scoring systems by admorgan · · Score: 5, Insightful
    The score idea is actually pretty central here. When I first heard about it, I thought it was overly simplistic, but people really do get motivated and sometimes even jazzed up about improving the score on a system. They'll get a lower score than their ego tells them they should and will turn around and harden a few items on the box just to achieve a more encouraging score.

    This is an excellent example of making an application have a "value" as incentive to do the right thing. People are by nature competitive and will strive to improve a "score" even if it doesn't necessarily help them in any way. I give kudos to whoever decided to add this feature.
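    An added illustration of the assessment-and-score idea from the story summary and this post (hypothetical code, not Bastille's own): each check records whether a hardening step has been taken and, if not, what could be taken and why; the score is the share of the check weights already covered. The check list, weights, file formats and assumed sshd defaults are all assumptions, and the system snapshot is constructed inline.

```python
"""Toy 'assessment mode': report hardening steps taken / could be taken, plus a score.
Hypothetical code, not Bastille's; checks, weights and default values are assumptions."""
from dataclasses import dataclass


def parse_sshd_config(text):
    """'#' comments, 'Key value' lines, case-insensitive keys.
    The FIRST occurrence of a key wins, which is how sshd resolves duplicates."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def enabled_inetd_services(text):
    """Service names from inetd.conf lines that are not commented out."""
    return {line.split()[0] for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def accounts_without_password(shadow_text):
    """Users whose /etc/shadow password field is empty (no password at all)."""
    return [line.split(":")[0] for line in shadow_text.splitlines()
            if line.strip() and line.split(":")[1] == ""]


@dataclass
class Check:
    name: str
    weight: int
    taken: bool
    advice: str  # the step that 'could be taken', explained for the admin


def assess(snapshot):
    """Run every check against one system snapshot (a dict of file contents)."""
    ssh = parse_sshd_config(snapshot["sshd_config"])
    inetd = enabled_inetd_services(snapshot["inetd.conf"])
    # Assumed defaults: old OpenSSH allowed root login and still offered protocol 1.
    root_login_off = ssh.get("permitrootlogin", "yes") == "no"
    proto2_only = "1" not in ssh.get("protocol", "2,1").replace(" ", "").split(",")
    cleartext = inetd & {"telnet", "shell", "login", "exec"}
    nopw = accounts_without_password(snapshot["shadow"])
    return [
        Check("sshd: root login over SSH disabled", 3, root_login_off,
              "Set 'PermitRootLogin no'; use sudo from a normal account instead."),
        Check("sshd: SSH protocol 1 disabled", 2, proto2_only,
              "Set 'Protocol 2'; protocol 1 has known cryptographic weaknesses."),
        Check("inetd: no cleartext remote-login services", 3, not cleartext,
              "Comment out %s in inetd.conf; they send passwords unencrypted."
              % (", ".join(sorted(cleartext)) or "telnet/rlogin/rsh")),
        Check("accounts: every account has a password or is locked", 2, not nopw,
              "Lock or set a password for: %s." % ", ".join(nopw)),
    ]


def score(checks):
    """Percentage of total weight covered by steps already taken."""
    total = sum(c.weight for c in checks)
    return round(100 * sum(c.weight for c in checks if c.taken) / total)


def report(checks):
    """Human-readable assessment: status per check, advice for untaken steps, score."""
    lines = ["%s %s" % ("[taken]" if c.taken else "[could]", c.name)
             + ("" if c.taken else "\n        -> " + c.advice) for c in checks]
    lines.append("Hardening score: %d/100" % score(checks))
    return "\n".join(lines)


# Constructed sample snapshot; the duplicate PermitRootLogin exercises first-wins.
SAMPLE = {
    "sshd_config": "Protocol 2\nPermitRootLogin no\nPermitRootLogin yes  # later, ignored\n",
    "inetd.conf": "#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
                  "telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n",
    "shadow": "root:$1$abc:12345:0:99999:7:::\nguest::12345:0:99999:7:::\n",
}

if __name__ == "__main__":
    print(report(assess(SAMPLE)))
```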
    1. Re:Scoring systems by gowen · · Score: 5, Funny
      People are by nature competitive and will strive to improve a "score" even if it doesn't necessarily help them in any way
      You're talking rubbish. Now, excuse me, I've got to go and whore some more Karma.
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  7. Needs to be point and click. by Guano_Jim · · Score: 4, Funny

    The download instructions for OSX were a little intimidating, even for someone like me with basic Unix skills...

    Once Bastille for OSX becomes completely point and click it will take off like Jean Valjean after stealing a loaf of bread.

    1. Re:Needs to be point and click. by clickster · · Score: 2, Funny

      Once Bastille for OSX becomes completely point and click it will take off like Jean Valjean after stealing a loaf of bread.

      As I recall, he didn't get very far, did he...Javert (sp?) my old friend.

      --
      If you mod me down, I shall become less powerful than you could possibly imagine.
    2. Re:Needs to be point and click. by iamnotanumber6 · · Score: 4, Informative

      I struggled with this for a while.

      "NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the next week."

      Huh? Well, it seemed to unpack for me, I don't know.

      Step three actually says:

      3. Run the install script, like so:

      cd Bastille && sh bin/Install-OSX.sh

      Which didn't work (you've corrected it above, but not on the actual page). Fooled around for a while in confusion about that, since there *is* an install script in the bin directory, but it's called "bastille"; it has an "os" option but only seems to know about HP-UX and not OSX...

      Finally found the other script, which failed with lots of error messages. You need to do "sudo" before the command.

      And then, "confirm that you have perl-Tk installed". Apparently I don't. "Do not forget to get perl-Tk installed before running Bastille." - to me that's a bit like "attach the toaster to your nose in the usual way". Where do I get it? Fink? Nope, not there. perltk.org? Total confusion. Ok, it's over an hour now, I'm still searching around trying to find how to install perlTk on OS X, and you know what?

      Fuck it.

      It's not that I don't have the skills. I just don't want to fool around anymore.

      I don't mean to be critical, but you've been slashdotted, and there are going to be a *lot* of people having the same frustrating experience that I just did today, who probably won't remember to come back next week when it's working.

  8. Cool, but... by DrLex · · Score: 3, Interesting

    The ironical thing about this software is that it only works on *n*x systems, while the OS that probably could benefit most from it is Windows...

    1. Re:Cool, but... by Dr.Opveter · · Score: 2, Informative

      It's not that ironic if you see what type of thing it actually checks.
      Windows usually doesn't come with a mail or ftp server (yeah yeah, line up the spyware/malware server installing jokes here).

      --
      Sample this!
  9. Only half the battle... by lakerdonald · · Score: 2, Insightful

    A "lockdown" program such as this is only half of the battle. You need to keep your kernel updated, patch programs with fixes, and also make sure that a lockdown program such as Bastille is actually doing what it's supposed to, by making sure that the rules and configurations it creates are actually sane.

    1. Re:Only half the battle... by bhima · · Score: 3, Insightful
      No, I think it's a bit more than half.

      Usually when people update their windows servers it's because some virus or worm is rampaging about the net making everyone's life miserable. Whereas when I update my Linux server, it's because a couple propeller heads in a lab somewhere figured out some obscure weakness and the fix.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
  10. re: Bastille Unix by BitterAndDrunk · · Score: 2, Interesting
    Just as an FYI -
    Bastille Linux is a program, not a flavor. It should run on any flavor of Linux Distro with the appropriate tweaking.

    It's really nice; I was introduced to it with the book "Hackproofing Linux" and it does a lot of neat stuff.

    Sets up sudo (if it's not already configured). Creates a second root user that is the "true" root user, keylogs everything that root does, and alerts the true root of any attempted accesses.
    And a bunch of other stuff. I just thought the root stuff was extra sexy.

    --
    You better watch out, there may be dogs about . . .
  11. *BSD versions? by Noksagt · · Score: 2, Interesting

    I'm a bit surprised that it has been ported to a primarily desktop-OS (OS X), rather than Free/Open/Net-BSD. Anyone know of efforts to get this into ports? Are there already equivalent *BSD tools?

  12. More comprehensive tool by olyar · · Score: 2, Informative
    The assessment demo looks pretty nice, but not as comprehensive as the Tiger Security tool: http://savannah.nongnu.org/projects/tiger.

    I've been working with Tiger quite a bit over the last few months (even contributing some changes) and I'm pretty impressed with what it can do.
    Also handy is the fact that it runs on most of the proprietary *NIX's.

    [/Tiger Plug]

    --
    Custom, hands-free Linux installs. Instalinux
    1. Re:More comprehensive tool by 99BottlesOfBeerInMyF · · Score: 2, Informative

      Your link is broken. The correct link is: http://savannah.nongnu.org/projects/tiger.

  13. Re:Wow. by pandrijeczko · · Score: 2, Insightful
    but as a Windows IT guy that wants to move to linux

    Why "move"? Dual boot it, play with it and move when and if you're ready to.

    It's amazing that a company that hosts the richest man in the world can't cope with the innovation of an 'inferior' (I'm being facetious here, not trolling) business model.

    The problem with Windows security is one of architecture, not so much business model.

    When a UNIX system gets attacked, it's because some cracker or script-kiddie has picked that system as a target - because of a buggy service that can be buffer overflowed, maybe because of a weak password on an account or maybe because of a file permissions issue. However, all these vulnerabilities can be corrected by a sysadmin who knows what he's doing and applies patches, turns off unnecessary services and locks permissions down. Bastille is just a tool that does the vulnerability analysis for the sysadmin and makes recommendations, maybe even carries some out.

    Windows, by design, has to allow certain applications full access to the system. That's why attacks on Windows systems are not usually targeted attacks but worms and viruses that can exploit a design weakness to get in and do their stuff on any Windows systems they find. So whereas you know the likely points of intrusion into a UNIX system, you don't on Windows until either a worm hits it or MS release an update telling you what they've fixed.

    You can't say that either UNIX or Windows is more secure than the other out of the box but a good UNIX sysadmin has much more chance of predicting and preventing attacks than a good Windows sysadmin does.

    --
    Gentoo Linux - another day, another USE flag.
  14. this is *why* by Heisenbug · · Score: 2, Interesting

    A major reason that nix systems have a reputation hereabouts for superior security is that developers bother to write tools like this, and admins bother to run them and pay attention. It's not ironic -- it's an object lesson. As linux gets more exposure, we'll have an increasing need for this type of thing.

    For example, I've worked under linux at work for years, I could whip out the perl command to ROT-13 your entire drive in a couple of seconds, and I'm pretty sure any linux box I set up would be totally insecure. Don't downplay the significance of tools like this ...

  15. Gentoo by Danuvius · · Score: 2, Interesting

    You mentioned Gentoo.

    It is definitely more work to setup (though, if you are computer literate you doubtless will be able to do it, so long as you pay close attention to the Handbook) but more rewarding in the end.

    For me, other than that I found Gentoo to be the distribution that really started teaching me about linux, Gentoo was my eventual "only choice" because of the range of programs I use.

    I found no other distribution had *all* the programs I use in their native software repositories. And installing from third-party repositories eventually caused me problems on other systems. (SuSE, Debian, Ubuntu and Xandros were my other linux attempts.)

    So, let me heartily suggest, if you do make a decision to try out linux; do some research about programs first to make sure you can get the software you need with the distro you choose.

    If you do go with Gentoo, I (and the myriad other forum users at http://forums.gentoo.org/) will be happy to help you. If you'd like some pre-installation tips or help with figuring out linux equivalent programs, send me a private message at http://forums.gentoo.org/ (username: danuvius) and I'll be happy to help you out.

    --
    Want a Hungarian Gentoo forum? Then
  16. Great news by Anonymous Coward · · Score: 2, Interesting

    This new reporting feature reminds me of the CIS Security Benchmark which was recently covered by NewsForge. The thing that has always bothered me about CIScan, however, is the mandatory registration process you have to go through before you download it. With Bastille offering similar functionality the need to use CIScan is greatly diminished in favor of a more "open" solution (not to bash CIS, but I don't enjoy having to keep track of yet-another-download-account).

    What really makes the CIS benchmark great is the manual it comes with (which I briefly described in a comment here), so I hope the Bastille project doesn't neglect to document the benchmark in a similar way so as to inform administrators about the various trade-offs involved. I suspect Bastille has modeled the reporting feature after CIScan, though, so it will probably turn out to be a great replacement.

    Great work guys, this new feature is welcomed with open arms.