Tip

Hardening Linux with Bastille UNIX

Even with the common vulnerabilities I've talked about in the past, Linux is a solid operating system (OS) that stands up well to security tests. This doesn't mean, however,

    Requires Free Membership to View

that you should let your guard down. Over time, configuration tweaks, third-party software and human intervention tend to change the security posture of once-secure Linux systems. This will inevitably lead, at best, to dings noted on vulnerability-assessment or audit reports.

But there is a way to establish a solid Linux security foundation and set your business up for future success, and that is hardening your Linux systems using Bastille UNIX, an open source project led by Jay Beale.

Formerly named Bastille Linux, the graphical user interface (GUI)-based Bastille UNIX steps you through the OS-hardening process for Debian, Gentoo, Mandriva, Red Hat and SUSE Linux distributions, as well as HP-UX and Mac OS X. Its intuitive question-and-answer approach allows you to lock your system down without having to worry about fat-fingering or configuring something incorrectly along the way. Bastille is not just a hardening program -- it's also a great learning aid, something that could be used to teach classes.

Bastille UNIX is an easy download and even easier to run. There are several system hardening categories you can choose from, including patches, file permissions, account security, domain name systems and more. As shown in Figure 1, Bastille prompts users with specific questions and offers detailed explanations to ensure that the effects of each action will be understood.


Figure 1 -- System hardening questions and explanations in Bastille UNIX (Click the image to enlarge)

With Bastille, you can always reverse any changes made. As it states on the Bastille UNIX site, however, this may not do much good if numerous manual changes have been made since the program ran last. Still, that's a change management issue you'll have to address, rather than a shortcoming of Bastille.

If you'd rather take a more hands-on approach, you can always harden your Linux systems manually. There are several Linux hardening best practices published on the Web, such as the Center for Internet Security's Benchmarks and the Defense Information Systems Agency's UNIX Security Technical Implementation Guide.

Taking the time to harden your Linux systems will create more work for you in the short term, and if you're not careful, you can harden your systems to the point that things stop working. Proceed with caution, but don't let this discourage you. Spending a little time, money and effort securing Linux will pay for itself over and over again down the road. You'll benefit from more secure systems, fewer issues on security assessment or audit reports and help keep all that pesky compliance stuff in check.

ABOUT THE AUTHOR: Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.

This was first published in November 2009

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.