Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bastille Adds Reporting, Grabs Fed Attention

Posted by timothy on from the soon-comes-the-boiling-oil dept.

johnny.ihackstuff.com writes "NewsForge interviews the Bastille project lead Jay Beale about Bastille's cool new assessment feature, which reports and scores Linux security and -- as always -- makes Linux lockdown super-easy. Available for many distros and Mac OS X, too. Best of all, it's free and open source!" As Jay points out in the interview, the work was "sponsored by the U.S. government's Technical Support Working Group." An anonymous reader summarizes the new capability: "In essence, Bastille now does two things. In one mode, it locks down an operating system, tweaking the configuration for increased security, asking you about each step and teaching you along the way. In the new Assessment mode, it reports on what hardening steps have been taken and what could be taken."

23 of 151 comments (clear)

  1. Call me a bluff traditionalist... by gowen · · Score: 5, Funny

    ... but if I were starting a Linux security project, I'd name it after a prison which was difficult to escape from, rather than one famous for being stormed by about 1,000 upset Frenchmen.

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:Call me a bluff traditionalist... by Qzukk · · Score: 4, Funny

      rather than one famous for being stormed by about 1,000 upset Frenchmen.

      Good thing I don't need to keep 1000 upset Frenchmen out of my server ;)

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:Call me a bluff traditionalist... by Pogue+Mahone · · Score: 4, Insightful

      Problem is, you don't want to stop people from escaping. You want to stop them from getting in. IIRC there was never any real problem to get IN to Alcatraz.

      --
      Every bloody emperor has his hand up history's skirt [Peter Hammill/VdGG]
    3. Re:Call me a bluff traditionalist... by gowen · · Score: 5, Funny
      Bastille is a French word meaning "castle" or "stronghold"
      And "C'était une plaisanterie, vous clod d'humeur-moins" is a French phrase meaning "It was a joke, you humourless clod."
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  2. Why do we need to harden distros ? by Elgreco1 · · Score: 5, Insightful

    Why do we need hardening wizzards, tools software and so on. Why can't distributions be secure out of the box ?

    1. Re:Why do we need to harden distros ? by gowen · · Score: 5, Insightful
      Why can't distributions be secure out of the box ?
      Essentially, there's a trade off to be made between security and ease of use (for example, a hardened distro won't let users mount filesystems, let alone do it automagically. Desktop distros consider automounting CD's and USB sticks to be de rigeur.).

      Most distributions try to steer a happy medium. Some sacrifice security for simplicity. Others (like Bastille) take the opposite tack.
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    2. Re:Why do we need to harden distros ? by Daengbo · · Score: 5, Insightful

      Part of Bastille's goal is to educate the admin, as well, so (even if your distro is very secure out of the box) you can run the program, listen to all the checks and changes, learn from Bastille why things should be set up that way, and maybe admin your box better. Alas, though, most distros are not as secure as they should be, and Bastille will make you think about what tradeoffs you really want to make between ease of use and security.

      --
      Put identity in the browser.
    3. Re:Why do we need to harden distros ? by yardbird · · Score: 4, Informative

      In TFA, he claims that the project is helping to push vendors in that direction:

      "The short-term effect of Bastille here was that possibly a hundred thousand Linux DNS servers couldn't be compromised. The long-term effect was that Linux distribution makers gained both familiarity with a couple more hardening steps and confidence that those steps would be palatable to users. Additionally, Linux users came to expect tighter configurations from their distribution vendors."

      I agree it would be better for the vendors to do it without prompting, though, but this can help to standardize best practices.

      --
      Free, legal music for iTunes users.
    4. Re:Why do we need to harden distros ? by admorgan · · Score: 5, Insightful
      Why do we need hardening wizzards, tools software and so on. Why can't distributions be secure out of the box ?


      What about those of use whom don't use a distro? I often build systems from scratch and this gives me a convient useful tool to lock it down. Also why not go the other direction... Why don't distros use generic tools like this to keep their system secure out of the box. I would like to point out one thing though. People use linux for just about everything today. The wizard gives you the functionality to do non standard things to your system where as if the distro was secure out of the box when you add a new serice would you be able to say it was still secure or what happens if you make a mistake setting up a config file. Generic tools very good at what they do is much better than a large tools or relying on assumptions about the overall state of a system.
    5. Re:Why do we need to harden distros ? by gilesjuk · · Score: 3, Insightful

      Security can often carry a level of pain with it that would annoy a desktop user.

      Also auditing many applications takes time. You can expect a distro run by a few people to audit thousands of lines of code in each package.

    6. Re:Why do we need to harden distros ? by jbolden · · Score: 4, Interesting

      I once built a very secure version. Here is the sorts of things it I did.

      1) It had no shells of any sort, nor any user interface of any sort.

      2) It would not mount any filesystem whose CDs meet a certain checksum (this avoided mounting random data). CDs that had the right checksum it would automatically run a program with a particular name. This was the sole way to introduce new software/issue commands to the system.

      3) It only about 4 open ports, and 2 for getting data and 2 it used to sending the data out.

      4) It was stripped having almost no software except the bare mimimum needed to run 2 apps. It used a minimal set of libraries missing any links that weren't needed for the included software. All the apps and all the libraries had their names scrambled (using a hash generator) so apache might be something like /vksjl39/skl9394/i8843nvnnf. This made the box harder to get around. The result most pieces of gcc software wouldn't have run at all with a great deal of knowledge about the box.

      5) It checksummed the bios to verify the bios wasn't corrupted (i.e. boot password was intact).

      6) Data on the drives were encrypted.

      Sound like a fun distribution to work on? On the other hand under computer generated network attacks (like say 10000 attacks per second) they system was able function fine indefinitely. Even somebody with physical access would have had to take a long time to hack the system.

      That is sort of the ultimate in Linux security. The goal of hardening a system it to reduce points of entry for people to issue privledged commands, and this is done by reducing features. And that means a decrease in usability.

  3. Now THAT's Funny! by pandrijeczko · · Score: 3, Informative
    This is presumably the same johnny.ihackstuff.com who got hacked himself recently resulting in the email addresses of subscibers to his web site getting into the hands of spammers - mine included with a huge increase in spam to it as a result.

    Perhaps he should have used Bastille himself...

    --
    Gentoo Linux - another day, another USE flag.
  4. Well... by JavaMoose · · Score: 4, Funny
    I downloaded this, but I can't get it to run.

    Anyone else haveing problems getting this to run on Windows XP?

  5. Scoring systems by admorgan · · Score: 5, Insightful
    The score idea is actually pretty central here. When I first heard about it, I thought it was overly simplistic, but people really do get motivated and sometimes even jazzed up about improving the score on a system. They'll get a lower score than their ego tells them they should and will turn around and harden a few items on the box just to achieve a more encouraging score.

    This is an excelent example of making an application have a "value" as incentive to do the right thing. People are by nature competative and will strive to improve a "score" even if it doesn't necessarily help them in any way. I give cudose to whoever decided to add this feature.
    1. Re:Scoring systems by gowen · · Score: 5, Funny
      People are by nature competative and will strive to improve a "score" even if it doesn't necessarily help them in any way
      You're talking rubbish. Now, excuse me, I've got to go and whore some more Karma.
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  6. Needs to be point and click. by Guano_Jim · · Score: 4, Funny

    The download instructions for OSX were a little intimidating, even for someone like me with basic Unix skills...

    Once Bastille for OSX becomes completely point and click it will take off like Jean Valjean after stealing a loaf of bread.

    --
    3D Printing Tips and Tricks at Zheng3.com
    1. Re:Needs to be point and click. by iamnotanumber6 · · Score: 4, Informative

      I struggled with this for a while.

      "NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the next week."

      Huh? Well, it seemed to unpack for me, I don't know.

      Step three actually says:

      3. Run the install script, like so:

      cd Bastille && sh bin/Install-OSX.sh

      Which didn't work (you've corrected it above, but not on the actual page). Fooled around for a while in confusion about that, since there *is* an install script in the bin directory, but it's called "bastille"; it has an "os" option but only seems to know about HP-UX and not OSX...

      Finally found the other script, which failed with lots of error messages. You need to do "sudo" before the command.

      And then, "confirm that you have perl-Tk installed". Apparently I don't. "Do not forget to get perl-Tk installed before running Bastille." - to me that's a bit like "attach the toaster to your nose in the usual way". Where do I get it? Fink? Nope, not there. perltk.org? Total confusion. Ok, it's over an hour now, I'm still searching around trying to find how to install perlTk on OS X, and you know what?

      Fuck it.

      It's not that I don't have the skills. I just don't want fool around anymore.

      I don't mean to be critical, but you've been slashdotted, and there are going to be a *lot* of people having the same frustrating experience that I just did today, who probably won't remember to come back next week when it's working.

  7. Cool, but... by DrLex · · Score: 3, Interesting

    The ironical thing about this software is that it only works on *n*x systems, while the OS that probably could benefit most from it is Windows...

  8. Re:A windows version by Sexy+Bern · · Score: 5, Informative
    The baseline security analyzer?

    http://www.microsoft.com/technet/security/tools/mb sahome.mspx

  9. Re:A windows version by Sexy+Bern · · Score: 4, Informative
    Hate to reply to myself, but some reluctant admins may also like to use the MS Exchange best practices analyzer:

    http://www.microsoft.com/exchange/downloads/2003/e xbpa/default.mspx

  10. Re:A windows version by pandrijeczko · · Score: 4, Informative
    I don't suppose someone could port this to windows could they?

    It's not really "portable" in the same sense as, say, Mozilla Firefox.

    I've not used Bastille in a while but I recall it's more of a tool that makes recommendations and changes to your system to lock it down - these can be everything from file permissions, service lockdown and kernel firewall settings.

    Therefore it's very much tied to the UNIX topography and even if you got it to run on Windows, the architecture is so different that it would be a totally different application by the time you'd modified it enough.

    However, you might want to consider running Bastille on, say, a Linux NAT/proxy router and just tucking Windows machines behind it.

    --
    Gentoo Linux - another day, another USE flag.
  11. Re:Only half the battle... by bhima · · Score: 3, Insightful
    No, I think it's a bit more than half.

    Usually when people update their windows servers it's because some virus or worm is rampaging about the net making everyone's life miserable. Whereas when I update my Linux server, it's because a couple propeller heads in a lab somewhere figured out some obscure weakness and the fix.

    --
    Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
  12. Re:A windows version by pandrijeczko · · Score: 3, Informative
    what more do you need to secure a windows box?

    Unfortunately, you're lost on the context in which you would use Bastille.

    AV packages and XP firewall are more desktop orientated security applications that usually provide a second layer of security protection after corporate firewalls, NAT routers, proxies, etc.

    And whether you like it or not, there are security holes in Windows purely as a result of the architecture and the fact that a lot of applications have free access to any part of the system.

    If you have similar security holes in Linux it's because you're running a service at root permissions or have some file permissions set wrongly. You might not be using a UNIX system that has strong password checking built in or you might have inactive accounts on your system. All these things the types of issues checked by Bastille.

    Sure, you could use Bastille on a UNIX/Linux desktop to lock it down a bit but it's real use is for locking down services and maybe creating a server to hide desktops behind, like a NAT proxy. So it's more important in small office or home server use where a server needs to be doubly secure because you don't have the protection of two firewall layers that you will inevitably find in a corporate environment.

    --
    Gentoo Linux - another day, another USE flag.