Hardening your Linux hosts doesn't have to be a difficult process if you use an automated hardening tool such as Bastille Linux. Bastille covers a wide variety of platforms and distributions, making it well suited to configuring heterogeneous IT environments. In this tip, I'll describe how Bastille Linux works and explain how to get started.
Using automated hardening tools is a quick and easy way to provide some baseline security for your Linux hosts. Jay Beale's Bastille Linux has become the de facto standard application for Linux hardening. Bastille is installed on a target host and then executed to harden that host. The hardening process is structured around a question-and-answer method. Questions about various security-related configuration options are posed. Based on the responses to these questions, Bastille performs particular hardening and lock-down tasks. Each question comes with a detailed explanation of the implications of making that particular change.
Recent changes to Bastille have principally provided support for more recent versions of operating systems and distributions. Bastille can harden a number of platforms and distributions, including Red Hat and Red Hat Enterprise, SUSE, Mandriva, Gentoo, Fedora Core, Debian and TurboLinux. It is also supported on HP-UX and in beta on OS X.
Bastille runs in two modes -- Assessment and Hardening. Assessment mode scans your system for the current settings of the configuration options that Bastille hardens. It records the state of these options and scores the security of your host based on that state. A score out of ten is returned together with an HTML and a text report detailing the state of each option. The higher the score, the more secure your host. The reports are normally generated into the /var/log/Bastille/Assessment/ directory.
In Hardening mode, Bastille prompts the user to answer questions and, at the end of the process, applies the requested configuration changes. Hardening mode can run either from the command line or via a GUI. Bastille also has a revert function that can undo the Hardening process -- although it is only really effective if you haven't manually changed your configuration files since hardening. If you have, Bastille will warn you that some changes may not be revertible. You can run the Hardening process multiple times, for example if your host has had some security controls reverted and needs to be re-hardened.
The application can harden a variety of elements in your operating system and some of your applications, most notably Apache. It can apply more granular controls to SUID and harden network daemons, including management tools and NFS/Samba. It can also harden your LILO or GRUB installation and help you configure a firewall for your host. In all, there are approximately fifty hardening features in the Bastille application.
Installing Bastille is easy, since many distributions come with Bastille available as a package, like Debian, Gentoo and Red Hat Fedora. You can also download Bastille in the form of an RPM or as a source file. There are some pre-requisites you will need if you want to run Bastille in Hardening mode (you can run Bastille in Assessment mode without these). These are:
- perl-Tk, for running Bastille in GUI mode
- perl-Curses, for running Bastille in command-line mode
After these pre-requisites are installed, you can install Bastille, for example via RPM as:
# rpm -ivh Bastille-3.0.9-1.0.noarch.rpm
Bastille is then executed by running the bastille binary. Run the command with the -x option for GUI Hardening mode, or with the -c option for command-line Hardening mode. If you just want to run Bastille in Assessment mode, run the bastille binary with the --assess option. This will assess the host and then try to launch a browser to display the resulting report. If you do not wish to display the report, you can run Bastille with the --assessnobrowser option, which just generates the report and does not launch a browser. If you wish to revert an already hardened host, you can use the -r option like so:
# bastille -r
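The assessment workflow above, scripted so that reports can be archived and scores compared across many hosts. This is an added example, not code from the tip or from the Bastille project; the report filename assessment-report.txt, the "Score: N / 10" line format and the archive directory are assumptions to adjust for your Bastille version.

```shell
#!/bin/sh
# Added example: wrap Bastille's non-interactive Assessment mode so that each
# host's report is archived and its score can be tracked against a baseline.
# Assumptions (not taken from the tip): the text report is named
# assessment-report.txt under /var/log/Bastille/Assessment/ and contains a
# line of the form "Score: N / 10". Adjust REPORT_DIR and the sed pattern
# to match what your Bastille version actually writes.
set -eu

REPORT_DIR="${REPORT_DIR:-/var/log/Bastille/Assessment}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/lib/bastille-baseline}"

# extract_score FILE: print the numeric score from the first "Score:" line.
# Exits 1 and prints nothing when no such line exists, so a missing report
# is never confused with a genuine score of 0.
extract_score() {
    sed -n 's/^Score:[[:space:]]*\([0-9][0-9.]*\)[[:space:]]*\/[[:space:]]*10.*/\1/p' "$1" \
        | head -n 1 | grep .
}

# below_baseline SCORE MIN: exit 0 when SCORE is lower than MIN, so that a
# host falling short of the agreed baseline can be flagged for re-hardening.
below_baseline() {
    awk -v s="$1" -v m="$2" 'BEGIN { exit !(s + 0 < m + 0) }'
}

# run_assessment: run Bastille without launching a browser, archive the text
# report under a hostname/timestamp name, then print the extracted score.
run_assessment() {
    bastille --assessnobrowser
    stamp="$(date +%Y%m%d-%H%M%S)"
    dest="$ARCHIVE_DIR/$(hostname)-$stamp.txt"
    mkdir -p "$ARCHIVE_DIR"
    cp "$REPORT_DIR/assessment-report.txt" "$dest"
    extract_score "$dest"
}

# Constructed sample report (not real Bastille output) for a self-check of
# the parser; the real run reads the file Bastille writes instead.
SAMPLE_REPORT="$(mktemp)"
cat > "$SAMPLE_REPORT" <<'EOF'
Bastille Assessment Report (constructed sample)
Score: 6.5 / 10
Firewall configured: No
EOF

# Pass --run to perform a real assessment on this host.
if [ "${1:-}" = "--run" ]; then
    run_assessment
fi
```

Run it with --run on each host and compare the printed scores with below_baseline to see which hosts need the Hardening pass repeated.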
Bastille can be a powerful tool, particularly for ensuring a consistent security baseline on your Linux hosts. It doesn't guarantee that your host is secured against all threats, but it does take care of many configuration weaknesses and security settings that are time-consuming and complicated to address by hand. Bastille's model also means that you can apply the same controls to a number of hosts in a consistent and structured manner. The broad platform and distribution coverage in the application means that you can easily harden a variety of hosts without having to worry about differing configuration standards, file locations and default settings. Finally, any tool that helps you harden and secure your hosts with minimum effort, especially when IT and security resources are stretched thin, is well worth investing time in to understand and implement.
This was first published in April 2007