April 19, 2005

Bastille Linux update: Hardening the OS with help from Uncle Sam

Author: Jay Lyman

The Bastille Linux project has recently been working with the U.S. government to improve and harden the operating system security software. Project leader Jay Beale took some time to tell NewsForge readers what's been going on recently with Bastille.

NF: You mentioned recently that Bastille Linux has been under major development -- please talk a little bit about what is happening.

Beale: Until today, Bastille could only harden or "lock down" systems. It did this by deactivating unnecessary operating system components and better configuring the ones that remained. It took proactive steps to make a system harder to compromise, reducing the probability that the next item in the attacker's toolkit will be successful against your system.

We've just finished adding reporting functionality to Bastille, so that it can tell you what parts of the system aren't locked down. It examines the system in a read-only fashion, reporting on the status of each of its hardening items. For example, Bastille might check whether the DNS server is locked in a chroot prison, whether telnet is turned off, or even if passwords are required to be a good length. You can take a look at a Web-only demo of this through this link.

Bastille's new reporting functionality even assigns you a score, using weights you supply. These weights allow you to make some items count more than others, or even not count at all. You can use our weights, but you can just as easily use weights that are provided by one of the standards bodies or your organization's IT security or system administration staff.

The score idea is actually pretty central here. When I first heard about it, I thought it was overly simplistic, but people really do get motivated and sometimes even jazzed up about improving the score on a system. They'll get a lower score than their ego tells them they should and will turn around and harden a few items on the box just to achieve a more encouraging score.

Anyway, we're quite excited about Bastille's ability to report on a system. This is an entire second mission for Bastille, though it's quite related to hardening. It's one that we achieved thanks to help both from Hewlett-Packard, which has been donating developer time for a few years now, and from the U.S. government.

NF: What can you tell us about the U.S. government sponsorship?

Beale: This work was sponsored by the U.S. government's Technical Support Working Group (TSWG). TSWG funded the U.S. Navy's Space and Naval Warfare (SPAWAR) Systems Center San Diego to provide Bastille Linux with an auditing capability. The effort also provided for adding some additional Department of Defense hardening steps within Bastille and documentation. The project is called Fort Knox for Linux.

NF: What is your objective right now, and has that changed since the project was started?

Beale: Well, our primary objective is to improve the state of operating system security. In the short term, that means hardening a large number of individual systems. In the long term, that means demonstrating to both the users and the vendors that best practices can be standard practices. Back in 1999, the Linux distributions all ran the BIND DNS server with superuser (root) privileges. Bastille set BIND to run as a non-root user and locked it in a chroot prison. When the Lion worm ran around compromising DNS servers in 2001, it had a drastically different effect on the non-Bastilled boxes, where it could fully compromise them and use them as jumping off points to attack other machines. On Bastille [protected] and similarly hand-hardened boxes, it could only knock down the DNS server, but couldn't complete a compromise or spread to other systems.

Soon after this worm died down, almost every Linux distribution began running BIND as a non-root user. In the last two years, some have begun chroot-jailing BIND themselves. The short-term effect of Bastille here was that possibly a hundred thousand Linux DNS servers couldn't be compromised. The long-term effect was that Linux distribution makers gained both familiarity with a couple more hardening steps and confidence that those steps would be palatable to users. Additionally, Linux users came to expect tighter configurations from their distribution vendors.

Our secondary objective has been to teach users and administrators about security so that we could help them make better decisions both in our hardening interview and in their use of IT later, from practice to policy. We're still moving in that direction. The auditing functionality both helps people see what more can be done on a system that's somewhat hardened, and also raises their awareness about host-based security.

NF: What is the biggest challenge for Bastille now?

Beale: There's so much more we'd like to do. We've been focusing on porting to more operating systems and laying down good internal architecture. I'd like to see us continue to increase the number of things we can do on any given operating system. I'd like to get full coverage of standards guides like those available from the Center for Internet Security, [Information Systems Audit and Control Association] (ISACA), and possibly [Defense Information Systems Agency] (DISA). That might lead naturally to creating content and weights files corresponding to requirements in recent legislation. I'd like to widen our list of supported operating systems just a bit further to include Solaris and FreeBSD. Finally, using our new reporting functionality, I'd like to create hardening items that look for non-standard or unexpected misconfigurations that lead to vulnerabilities the way the open source program Tiger does. For instance, we might find vital directories marked world-writable, like in the local privilege escalation vulnerability discovered on OS X by Eric Hall. Bastille has the infrastructure for this already -- it's just a matter of coding the items. I'm always looking for people to help!

NF: Where is the U.S. government in general on the idea of bolstering security by using Linux and other open source software?

Beale: I don't speak for the government, so I'm not really qualified to answer that, but from what I've seen, the government is exploring a number of ways to enhance computer security through Linux and open source software. TSWG, which I mentioned earlier, is focused on securing critical infrastructure. As a system hardening tool, Bastille provides clear support for that mission. By supporting an open source project rather than someone else's for-spec software, TSWG knows that the software, and thus their improvements, will be around for the long term. The government gave us a wonderful boost, but it's up to us to continue to enhance and support the technology they've helped us create. We've got a wonderful community of people that have brought Bastille to this point.

Bastille started out just hardening Red Hat Linux and MandrakeLinux. Individual developers brought us to Debian (Javier Fernandez-Sanguino) and Gentoo (Brian Stine). We got on SUSE and TurboLinux with IBM's help (Niki Rahimi) and became the default hardening script for HP-UX via the amazing efforts of Hewlett-Packard developers Keith Buck, Robert Fritz, and Tyler Easterling. Along the way, many others have contributed their time creating code and ideas, as well as beta testing.

NF: What is needed for a more secure Linux and Internet: certifications, deployments, Bastille Linux, or something else?

Beale: The best way to increase Linux system security is to educate users about good systems administration practices: keeping software up-to-date, disabling unused services, hardening default configurations, automating drudgery, backing up regularly, and reading system and error logs. Bastille and the open source community can help by creating and maintaining useful tools. In addition to Bastille, these include complementary kernel-level technology like grSecurity, SeLinux and ExecShield, compromise detection technology like Osiris and Snort, and many others. In the end, however, the best tools in the world can't help if system administrators and users are not proactive about security. Perhaps the single most important task we have before us is explaining to users why security matters.

NF: Anything else you would like to add?

Beale: Bastille has improved tremendously since our last major release. We're always going to have more to do, and we can move faster when users tell us what they need, and when people volunteer their time and effort to help us. All the funding in the world is great, but it's only one part of what makes Bastille work.


  • Security
Click Here!