Bastille Linux: Hardening your machines

Bastille Linux is an indispensable tool for hardening your company's machines.

Question: When you install Linux on a new machine, how do you harden it to reduce the risk of attack? Or, if you have a number of machines, how can you implement a consistent configuration across all of them?

Answer: Bastille Linux

As its name suggests, Bastille Linux helps harden machines. Hardening is the process of strengthening a machine's defenses against attacks. It is performed by:

  • Disabling unnecessary services
  • Ensuring only appropriate users have permissions to execute programs
  • Setting restrictive permissions on file access

    One might ask "Why is hardening necessary? My machines are not likely to be attacked; we're just a little company (or small non-profit, etc.)" The reality is that under those circumstances, it is unlikely that your organization will be targeted for attack. However, most attacks are not the result of deliberate targeting, but rather result from mindless, automated probing by scripts.

    Essentially, these attacks result from someone (typically not very sophisticated, technically speaking) setting off an automated program that churns through a range of Internet addresses. If your machine just happens to be in that range, and is vulnerable, it will be attacked and perhaps compromised. Then the nasty business of recovering begins -- and recovering is always more work than prevention! Therefore, hardening machines is a crucial part of any organization's security plan.

    As you might imagine, hardening a machine correctly is a detailed and time-consuming process for a system administrator. It's easy to overlook one or more important steps, which can not only leave the machine vulnerable, but also create a false sense of security about the risk profile of a machine.

    Bastille makes it possible to address the full range of hardening activities while protecting against missing key steps. It also makes the process significantly more efficient. Bastille accomplishes this via a GUI-based, interactive process. (For a screen shot of what Bastille looks like, please see this page.)

    What areas does Bastille address in hardening a system? Here is a partial list:

    File Permissions
    Account Security
    Boot Security
    Inetd Security
    Miscellaneous Daemons
    Sendmail
    DNS
    Apache
    Printing
    FTP
    Firewall

    All of these items should be available if needed, but offer opportunity for attack if unused. Bastille helps in the process of deciding whether the functionality is needed, and, if not, configuring it to be made unavailable.

    As a side note, once the machine is configured with Bastille, the machine should be probed with a vulnerability scanner like Nessus. A scanner will determine if the remaining services and available ports are configured properly and implemented with the proper software patches.

    Bastille's goodness is not limited to one machine, however. Configuring multiple machines, even with a tool like Bastille, can still be time-consuming. Also, performing the same actions repetitively can lead to carelessness, so the advantage Bastille provides in helping avoid overlooking one or more important steps can be negated if a number of machines must be hardened.

    Bastille addresses this problem, enabling a policy file to be created on one machine and applied to one or more others. The policy file is automatically created through an interactive session, so the process of applying it couldn't be simpler:

    scp /etc/Bastille/config root@anotherhost:/etc/Bastille
    ssh root@anotherhost "bastille -b"

    Obviously, you must replace "anotherhost" with the name of your target machine(s). Also, Bastille must be installed on all the machines you wish to auto-configure. Nothing could be easier, right? Even if you only have one other machine that you must configure, using this feature of Bastille is a no-brainer.
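The two-command rollout above, extended to a list of hosts, as an added example that is not part of the original article or of Bastille itself. It assumes key-based root SSH login and `sha256sum` on every target; the function names, the `SCP`/`SSH` override variables and the exit codes are hypothetical.

```shell
#!/bin/sh
# Added example: roll one Bastille policy out to several hosts.
# /etc/Bastille/config and "bastille -b" are from the article; the function
# names, the SCP/SSH override variables and the exit codes are assumptions.
CONFIG=${CONFIG:-/etc/Bastille/config}
SCP=${SCP:-scp}
SSH=${SSH:-ssh}

# Print the SHA-256 of a file (first field of sha256sum output).
policy_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Copy the policy to one host, confirm the remote copy matches, apply it.
# Exit status: 0 ok, 1 copy failed, 2 remote file differs, 3 bastille failed.
harden_host() {
    host=$1
    want=$(policy_hash "$CONFIG")
    [ -n "$want" ] || return 1
    # Batch mode makes a host without key-based login fail fast instead of
    # stalling the whole run at a password prompt.
    "$SCP" -qB "$CONFIG" "root@$host:/etc/Bastille/config" || return 1
    got=$("$SSH" -o BatchMode=yes "root@$host" \
        "sha256sum /etc/Bastille/config" | cut -d' ' -f1)
    [ "$got" = "$want" ] || return 2
    "$SSH" -o BatchMode=yes "root@$host" "bastille -b" || return 3
}

# Try every host, never stop at the first failure, and list each host that
# was left unhardened so it cannot be mistaken for a hardened one.
harden_hosts() {
    bad=0
    for h in "$@"; do
        if harden_host "$h"; then
            echo "hardened $h"
        else
            echo "FAILED($?) $h"
            bad=1
        fi
    done
    return "$bad"
}

# Run only when host names are given on the command line.
if [ "$#" -gt 0 ]; then
    harden_hosts "$@"
fi
```

Any host reported as FAILED has not had the policy applied and should be revisited before it is treated as hardened.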

    Bastille is written in Perl, so extending it is easy. Many of the actual functions (like changing file permissions) can be set up with a simple declarative setting which Bastille will apply as part of its configuration work.

    If your immediate reaction is that, while this product is great for hardening machines, you already have a set of machines installed and aren't sure how they're set up, you'll be happy to know that an upcoming release of Bastille will have an audit capability that will give you a readout on what your installed infrastructure looks like.

    In short, Bastille should be in every sysadmin's or security guru's bag of tricks. It can make your life much easier.

    This was first published in May 2005
