System administrators need to secure their systems while avoiding locking them down so strictly that they become useless. Bastille is a software tool that eases the process of hardening a Linux system, giving you the choice of what to lock down and what not to, depending on your security requirements. It bundles many of the tasks routinely done to securely configure a Linux system into one package.
Bastille is a set of Perl scripts that run as an interactive program, asking questions for each step of the hardening process. The scripts explain each step well, enabling you to understand what security measures will be introduced by any changes you make and why. Bastille can also optionally save your choice of options to a file for remote deployment to other machines.
Bastille currently works with Red Hat, Fedora, SUSE, Debian, Ubuntu, Gentoo, and Mandriva distributions, as well as HP-UX. A beta version is also available for Mac OS X. Most of the distributions Bastille supports have it available as a package that you can install with the default package manager for the distribution. Once it is installed, just run Bastille as root. Here are some common options:
bastille --assess runs Bastille in assessment mode. The utility will perform an assessment of the current system's security configuration, grading it according to its relative level of security according to a set of weights you supply. You can use Bastille's set of default weights for each area being tested or supply your own. This option is only available for the Red Hat and SUSE Linux distributions.
bastille -x runs Bastille in its default GUI mode using Perl-Tk to provide the user interface, while
bastille -c runs the program in console mode.
bastille --log logs any changes that Bastille would make to the system without actually applying the changes.
Once Bastille has completed its changes, it creates a TODO list in /var/log/Bastille/TODO that describes other actions you should perform on the system to further enhance its security.
If you're not happy with the changes Bastille makes to your computer, you can run
bastille -r to reverse its changes. This operation is not guaranteed to work perfectly if it has been a long time since you applied your original Bastille changes, or if you have done a lot of extra security configuration in the meantime.
Before you begin
Before you run Bastille on your systems, make sure they are up-to-date with the latest patches, especially for security.
Whenever you are securing a system you should follow some basic system administration principles.
- Only install the programs you actually need on your computer, especially in the case of servers. This limits the damage an intruder can do if one breaks into your system.
- Consider using more than a single security measure on a system component to try to ensure that that component does not have its security breached. If one measure fails the others remain as backups. For instance, a firewall may be your first line of defense against attacks on your printing service. Configuring your printing service to be as secure as possible by only allowing certain IP adresses to connect to it may be your second line of defense. Disabling your printing service entirely and not running it on systems that don't need it is your third line of defense on those systems.
- Follow the principle of least privilege. Each user, service, and system component should have access to only the resources it needs and no more.
Bastille in the enterprise
In an ideal world you would run Bastille to harden your standard operating environment (SOE) before it is deployed. With Bastille's security hardening options, you can divide your SOE into different configurations. For instance, your finance department members probably won't need a C compiler enabled on their systems, or root access to terminal sessions, but they will need printing services. The software development team will need a more flexible configuration that allows more access to their systems, while mobile users with laptop computers will need a special set of security requirements as well. Server systems will probably each need to be individually configured, with Bastille being run on each separately to harden it as required.
Once hardened, each SOE can be tested and then deployed in the department or section it was designed for, using tools such as System Imager. You can then deploy each SOE using Novell Zenworks, Red Hat Network, or other commercial deployment and server management solutions for Linux; open source server management or monitoring tools like monit or System Imager; or the more traditional Linux tools such as ssh and scp.
When using ssh and scp you can deploy Bastille using the commands:
scp /etc/Bastille/config root@targethost:/etc/Bastille
ssh root@targethost "bastille -b"
where targethost is the hostname or IP address of the computer you want to connect to. These commands copy the Bastille configuration file to the remote computer and then run Bastille on the remote computer in batch mode, which reads the configuration file to determine the changes Bastille should make and applies them to your system. Obviously Bastille needs to be installed on each of the remote computers first. For multiple remote hosts, you could write a shell or Perl script to be run from a central server, executing the commands above for each remote host, perhaps even leveraging information stored in an LDAP directory to access the hostnames for each system.
What if your systems are already in use by people everyday, and yet still in need of hardening? You can still use Bastille in these situations as long as you carefully consider the state of your environment before you begin and perform a thorough series of tests before you deploy.
Of course, while Bastille provides a firm starting point for a hardened Linux system, it may not be enough in itself to provide all of the security requirements for your situation. You should consider implementing additional security measures, such as intrusion detection systems like Snort and Tripwire, a network vulnerability scanner like Nessus, and an antivirus application, especially if your system is a mail server. You may also need to hand-configure some aspects of your system, especially if you run applications that require special attention, such as large commercial databases or high volume Web servers.
Balancing security with usability
Some of the options you can set with Bastille may unwittingly trip you up after you have applied them, and make your system less useful to end users than they need it to be. For example, you can remove SUID permissions from files so that non-root users cannot launch these files if they do not have permission to. This prevents malicious users from exploiting any newly discovered security vulnerabilies in these programs and gaining access to your system as root. However, removing SUID from mount and umount would mean ordinary users would not be able to load or eject CD-ROMS, USB keys, or external hard drives. Removing SUID from ping or traceroute would mean users would be unable to test network connectivity using the ping command. Password protecting the GRUB prompt could interfere with dual boot systems. Disabling root login to terminals could be annoying for users who need to do a lot of tasks as root. Setting your firewall to be too restrictive could mean users would't be able to access internal network services, such as Novell's iFolder, internal Web services, Bonjour or Zeroconf services, or Windows shares.
In some situations, a user's convenience may have to take precedence over security aspects, while in others the security requirements will outweigh the need for user convenience.
Bastille Linux can be a boon for Linux system administrators. It bundles a variety of system hardening options into a single easy-to-use package. For enterprise use, it provides a simple means of bringing a consistent level of security to the Linux computing environment. While neither it nor any piece of software will ever be able to create the perfectly hardened Linux system, it will at least help you come nearer to that goal.