Friday, October 16, 2009

Linux Securirty Notes 13: Hardening With Bastille-Linux

Bastille Linux
    This is a project containing various components to determine how secured our Linux servers are. It scans the system and reports  how secured we are and  provides the policies to help tightening the Linux system from various different componants such as user accounting, startup scripts, services that runs in system, TTYs . Other various components also considered when bastille Linux is installed in system, which can be checked while running the Bastille-Linux .

Installing the Bastille-Linux
Download source from Project Home.

Reference:
Project Home:
http://bastille-linux.sourceforge.net 
http://www.bastille-unix.org/
Article:
http://www.linux.com/archive/feature/118353

# tar -xjvf Bastille-4.0.5.tar.bz2
# cd Bastile*

    Note:-
        Bastille uses perl and shell scripts to make changes to system.
The source contains various components that used to secure the system.
# ./install-sh
     This installs the Bastille script to the system. This will keep the link of the binary to the path /usr/sbin.
# bastille -c
    This will run the bastille in command mode. If any other dependencies are not fullfilled including the perl modules it will show the error while exicuting

So install the perl modules using CPAN.
# perl -MCPAN -e shell
(After initializing the cpan)
cpan> install $perl_module_name
   
# bastile -c
    Now this will start the bastile in the curses interface (CLI).

Checking the current system security Level.

# bastille --assess
    This will start the default browser with the Bastille Hardening Assessment Report in HTML page. So we have to run before configuring anything to get a mere picture that how secured our system is.
For eg :- RHEL fresh installation with latest patches Bastile gives Score about 7.25 out of 10.
So we can navigate through each and every items that the bastille has been scanned for.
Eg:- File permissions, Account Security, Boot Security, Daemons etc.

Hardening the system using Bastille.
# bastille -c
    This will star the bastille script in curses based interface. It opens a dialogue box in which we can navigate through the various options(These options are having the same sequence to the options in the results in command  bastille --assess).
General Options Available while running the Bastille
1. File permissions
    This deals with the permission with the binaries such as traceroute, ping, ifconfig, mount, fsck that general user doesnt need to have the access. Usually these can be exicuted by the normal user.This removes the setuids that have been given for certain commands that makes the user to exicute the program
as root. It will also prompt to uninstall the rlogin or rsh ("r" programs) which leads the communication in clear text format.

2. AccountSecurity.

    Here we can setup the account level security. This will disable the "r" programs. setup the default UMASK(0002) to more secure one. Allow or disallow root logins to consoles (TTY 1-6).Ask to password protect in single user mode. Secure inetd services etc.

3. ProcessAccounting
    forke the cpu access or limit the system resource to given limit for non-root user.

4. MicellaneousDaemons.
    It will ask to tune the other daemons in the system
5.Firewall
    This will create the firewall rules to the system.
       
    Now finish to start processing the system Harening. Now the system will be hardened according to the configurations that we have chosen.

Now its time to Re-assess the system security to verify the Bastille.

# bastille  --assess
    Now we can see the level of security has been increased.
        The script is sellf explanatory and have to read through the explanation while running the script to explore more.

Reverting the chages performed by Bastille
# bastille -r
    This will revert all the actions performed by the bastille.

/var/log/Bastille & /var/log/Bastillerevert/
will contain all the changed config files, backup of the original files that have changed and logs.

1 comment:

  1. You should check out Security Blanket by Trusted Computer Solutions. TCS is one of the companies that created the MLS capabilities in Linux 2.6 kernel and SELinux (They are listed on the NSA website).
    Security Blanket locks servers down to specific government and industry guidelines in addition to the capabilities in this post. They maintain a blog and detailed information at http://tcs-security-blanket.blogspot.com

    ReplyDelete

tag ur valuable ideas below