Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Linux Software

Ask Jon And Jay About Bastille Linux 70

You've heard about Bastille Linux 'round these parts before (on July 17 of this year) -- it's a set of scripts bundled to create (in combination with a base install of a distribution like Red Hat) a much more secure box than would be the default. The basic philosophy behind Bastille seems to be "It shouldn't be difficult to lock down your Linux box." Now, here's your chance to ask Bastille gurus Jon Lasser and Jay Beale about the project.You'll want to check out the project's main page, first, and also some of the security articles Jay's written as well as the additional information on his personal page. (And if that Lasser fellow's name is familiar, it should be -- he's also the author of the excellent Think Unix reviewed a few weeks ago.) So post your questions below, and Jay and Jon will soon respond in depth.
This discussion has been archived. No new comments can be posted.

Ask Jon And Jay About Bastille Linux

Comments Filter:
  • Penis Bird Guy. Definetly. He always had something coherent to say, instead of just spouting out incoherent nonsense, like Bob Abooey and the others.
  • Jon, would you consider writting a "Think Unix"-like book on Linux security? As a real Linux (but not computer) newbie, I am frustrated that I have to struggle to understand what the heck is going on, whereas in other OS's I pretty much understand. What I uderstand of your book "Think Unix", it gives the reader a fundamental understanding of what is going on, sort of a modern "Inside the IBM PC" (by Peter Norton, a book that really helped me understand PC's in the DOS days...).
    As someone who installed Linux for the first trime just a few days ago, you *know* I am gonna have to grab your Bastille tool, tonite in fact....thanks!

    Going on means going far
    Going far means returning
  • Thankfully, THAT isnt their intent. It is obvious that you are just looking to flamebait, and unfortunately, its a slow halloween, so I am feeding it.

    The simple truth is OpenBSD is *NOT* the perfect solution to all problem. You dont use a hammer to drill and vice versa.

    This is about helping LINUX, not BSD. They are very different systems, despite being mostly-compatible.

    Different goals, different licenses, and different focii.

    However, and in the best spirit of slashdot, I hope that you honestly want to see a secure linux (I doubt it though).

    If that is the case, then yes, it would be nice to see a line by line audit of code, but the sad fact is, there are still plenty of things to add BEFORE we start down that path.

    Audits slow development WAY down. Thats one reason OpenBSD isnt nearly as portable as NetBSD. It wasnt intended to be, and its not a bad thing, its just a product of the process.

    The first process in getting a truly secure linux would be convincing the major distributions that there IS a security issue, and a way to fix it. :)

    Thats what Bastille does (IMHO).

  • Although the thought of "yet another distro" strikes pain into me more than most, I have decided to go that path, and create on based on security.

    There are other distros that do so, and that i trust and use in various forms.

    However, none seem geared towards the audience I am aiming for, namely web servers, and shell servers.

    If YOU were to design a distro to serve shell and web servers, and wanted it to be as secure as possible (obviously), what would YOU have it do?

    Thanks for a great product, btw.
  • When are you guys going to come out with a version for RedHat 7.0?
  • Thankfully, THAT isnt their intent. It is obvious that you are just looking to flamebait, and unfortunately, its a slow halloween, so I am feeding it.

    that's what trolls do and that's all user 219096 cares to do. Take a quick look at what the troll posted and you can see the quality of the content.

    [/rant]
  • Given the high number of Linux forks, do you find it difficult to think in terms of the portability so your scripts can support the 180+ linux distros that now exist?
  • Currently Bastille seems aimed at shutting off unneeded services, making sure services don't run as root, and updating known security holes. It seems to me that this is a very good start, but is really only half of the story. Does Bastille have any plans to start an audit of the Linux kernel and userland for vulnerabilities ala OpenBSD? It seems to me that making Linux "theoretically" secure requires such an audit. Do you agree or disagree?

    have a day,

    -l

  • In your interview with LinuxSecurity.com, you mention that Bastille has some great forthcoming architectural changes. What is the nature of these upcoming features?

    have a day,

    -l

  • Why worry about portability to 180+ distros when your product only supports 2 very similar distros?
  • What is your take on the differing methods of:

    a) Taking something that has been around for a long time (think inetd) and changing the configuration so that it is less vulnerable to existing exploits.

    vs.

    b) Replacing the older techniques with newer things (think tcpserver) that may be a little less convenient, at least in shifting methods, but protect the system better even if a particular service is compromised.

  • Jay Beale, here, replying: Actually (plug mode ON), I'm writing a book called "Securing Linux the Bastille Way". It's just not done yet, whereas Jon's excellent book is.(plug mode off)
  • Could you tell us a little about this upcoming book? Will it discuss Bastille Linux in more depth? I've run the Bastille script several times and I find that I really need more information about certain things. I would really like to see something (a book, website, etc...) that goes into each question of the script in greater detail.

    Also, can you give us some specifics about your plans for the future of Bastille Linux? What's the next big feature we'll see, and where do you see it going in the long run?

  • by FeeDBaCK ( 42286 ) on Tuesday October 31, 2000 @08:50AM (#661623) Homepage
    Actually this is a quite common question among those in the know. Why *DO* the Distribution makers enable services by default that can potentially leave the system wide open to script kiddies? Especially with the droves of Windows users whom are trying Linux for the first time and are not always up on the latest sendmail/wu-ftpd/bind/whatever exploit of the week. Creating a more secure environment from the get-go should definitely be in the eyes of the ditro-makers. I applaud Bastille for their work in helping make the Internet a safer place to be.
  • ...and how long will it take for you to learn that?
  • by luge ( 4808 ) <slashdotNO@SPAMtieguy.org> on Tuesday October 31, 2000 @08:51AM (#661625) Homepage
    Do you guys have any plans to do something similar for Debian, or have others approached you about it? I'd love to apt-get install bastille, and have it do something similar to what I've heard it does for RH. Anyway, even if you don't, keep up the good work.
    ~luge
  • I've wondered the same thing for a long time. I had an old Slackware distro that had one of the 2.0 level kernels on it (it was a masq box for my cablemodem at the time) and it got broke into. I don't think that it was used for anything, and I formatted and reinstalled it with a newer Linux distro and version, but it still bothered me that I only installed packages that seemed necessary for masq and a few port redirects and it still was compromised...
  • Considering that you're promoting yourselves as security experts with a tool to secure Linux distributions, why is your verification on your tarball an MD5 checksum, which is much easier to forge than a PGP/GPG signature?

    I think the md5 checksum is a good idea, for those who can't/won't install pgp or gpg, but why not authenticate with one, or both, public-key tools?


    --Parity
  • by Anonymous Coward
    Thank you for the work you have done, I know we dont always let the developer know that. I have used your script to secure my RH 6.2 system. The only problem I had was the firewall script somehow made my second ethernet card not initalize correctly after installing the script. Uninstallation works well, I then cut the firewall script from the installer. And used pmfirewall from www.pointman.org in its place. I had a hard time to follow what was going on in the firewall scripts, to figure out what my problem was. My question is, have you worked on doucmentation to show whats going on other than the user disecting the individual scripts? Thanks MadMax
  • Sorta reminds me of the line of luggage named for Amelia Earhart. Who thought that was a good idea?
  • First, I recommend Bastille as a primer on Linux security issues for my co-workers who are just learning Linux. Running the Bastille install is a great way to teach someone about security while tightening up their box. Thanks for the tool.

    What kinds of reactions have you had when approaching distribution vendors about pre-Bastilling their stuff before shipment? (anonymous please) Same for any vendor that ships Linux pre installed on a box.

    Since a New Linux Convert is the least likely to know about and most likely to need Bastille how are you guys getting the word out to them?

  • *holds up sign*
    PLEASE DO NOT FEED THE TROLLS

    thank you

    Seriously, I've read more than one post from you today...all you're doing is trolling. What's the deal? Too much karma?

    Bastille Linux is *not* a distribution...though you would know that if you had bothered to check the home page. No, I will NOT be linking to it here because it's in the original post (which you failed to read.) It's a set of scripts, originally very Red Hat-specific, working toward being non-distribution-specific. It's really kinda nice to be able to go through a list of plain-English questions and just pecking Enter and Tab to lock down your machine better.

    Hell, the KDE and GNOME people might as well close up shop, and while we're at it, most of Microsoft, too...while we're at it, Apple as well. I mean, Xerox already invented the GUI. Why continue to develop copies of the GUI that Xerox developed when they already had it done 30 years ago? Sheesh.
  • by pb ( 1020 ) on Tuesday October 31, 2000 @10:56AM (#661632)
    First, if you want a default installation that's "hardened from the get-go", either run OpenBSD, or a non-UNIX that has no services.

    However, I don't see why this is really necessary. It's the sysadmin's job to secure his boxes, which is generally done after installation. First, you only select the services you need, then you tighten things up. Bastille just speeds this process up, and helps out novices a lot. Also, the OpenWall security patches (for the Linux kernel) are quite nifty; also, on ext2, chattr is pretty sweet if you're really paranoid. :)

    It would be nice if a distro had a "Secure" option during installation, but basically they're just catering to the masses. Maybe you want to run 'ping'; maybe you're behind a firewall. Maybe you're not on the internet. Maybe you want to have all your services running in default configurations at startup, so you can tweak them later...

    Basically, it's just easier to let the admin decide what to do with the box, and making it less secure makes that process easier for them as well. Most people don't know or care about security. And remember, just as the best form of birth control is still abstinence, the best form of network security is still the 'air-gap'.
    ---
    pb Reply or e-mail; don't vaguely moderate [ncsu.edu].
  • As a user of Linux-Mandrake, I've noted its annoyingly unwavering tendency to re-write configuration files and re-set file permissions when one decides to use one of their graphical configuration tools.

    That being said, are there any plans to add any such functionality to Bastille, such as, when bastille-firewall is started when entering multiuser mode, checking to make sure all its changes are still intact? Even better, perhaps setting up a cron job to run every few minutes to check to make sure, say, drakconf (or whatever a different distro uses) hasn't overwritten its changes?
  • Awww...did we disagree with the mean ol' Slashdot reader? Why was my post marked "Offtopic" but not any of the parents? Huh?
  • Hi, Jon. On your homepage [tux.org] you indicate you majored in English and philosophy, rather than CS, mathematics, or the hard sciences. Has your background in the humanities allowed you to bring a unique approach to problem solving in the areas you're now exploring?

    For example, much of "hardening" consists of finding poorly written code with buffer overruns and the like. But much of it also consists of cultural engineering/deengineering: how would a script kiddy approach this distribution? What sort of exploits generate the most prestige among fellow crackers/kiddies? That sort of thing. Did your humanities training (which is clearly still an active part of your life, what with all the poetry you write) give you a unique perspective that others lack?

    (And on a personal note, did you ever forgive [tux.org] your girlfriend for her choice in that waiting-room?)
  • I nearly read that as `Ask Jay and Silent Bob about Bastille Linux'. :-)

  • Check out Mandrake 7.2. It's ogt configurable security levels. They can be chosen at installation, and later changed (with a snazzy graphical tool). I believe there's 6 levels of security, and the most secure really does take a lot of precautions. Very nice.
  • Do you have any opinions regarding the Linux rwxs permission scheme? Since this allows for very little fine grained acess control, a number of significant security issues raise their head. Primarily, system admionistrators needing to log in with a `full system access' account [`root'] to properly administer the system. This seems to go against the Unix philosophy of giving users only permission to do only the tasks they need to perform on the system.

    Furthermore a wide variety of applications aren't able to use the sceme as their access control mechanism. Thus they implement their own security schemes. Squid and [to a lesser extent] samba are two examples. The result of this is multiple security systems, and more fronts to fight crackers on.

    What arre your thoughts o the issue? Do you believe in, and would you support, a future implementation of Posix ACLs into the Linux kernel?
  • From what I understand, Bastille Linux allows the user to have a more secure Linux box by answering (simple?) questions. But who do you think should use it, experienced users who know already how to lock down their system but need a tool to do it quick or newbies who don't know anything about security?

    This is a question for any administration automation tool, but it's a real issue, can you secure a Linux system without learning what's really going on?

    Maybe it would be a good idea to distribute Bastille Linux as a Book+CD package

  • How does Bastille compare to TrinityOS found at http://www.ecst.csuchico.edu/~dranch/LINUX/index-l inux.html They appear to be very similar. I'd be very interested in hearing from the developers of Bastille, Mr. Ranch, and anyone who has used both systems.
  • This sounds like a clone of OpenBSD. What benefits are there to doing this in Linux instead of working with a UNIX that's already been audited and secured?
  • >>This sounds like a clone of OpenBSD.

    It's not a clone of anything. It's a set of scripts to help secure a previously installed Red Hat box.

  • Have you looked into merging Bastille with any distros out-of-the-box? I'm sure that some of the major distros would be interested in this.
  • by FeeDBaCK ( 42286 ) on Tuesday October 31, 2000 @08:56AM (#661644) Homepage
    In what way does Bastille differentiate between different types of installs? Does it prompt the users about services? Will it shut off my apache service if I plan on making this machine a web server?

    What third party tools do you install/recommend to help with the hardening of the system? Tripwire? tcpserver?

    Do you incorporate any form of checking when doing your install to ensure that the box has not already been compromised, such as checking for common trojans/backdoors?
  • Now, when are you going to do a line by line audit of every piece of software on the RedHat box for holes? When are you doing to check the million lines of Apache for overruns and underflows, then Perl, etc?
  • by JCCyC ( 179760 ) on Tuesday October 31, 2000 @09:00AM (#661646) Journal
    What were the top 3 most asinine security holes you ever encountered on a GNU/Linux distro?
  • You should instead say you'll never match OpenBSD in its *default* configuration. OpenBSD has recently had a root exploit, though it was in a service that is *not* enabled by default.
  • ...especially since there's no distribution named Bastille Linux.
  • by Enahs ( 1606 )
    I somehow managed to block *all* connections to the X server on my machine. Very funny for about 10 seconds. =)
  • The allusion is deliberate.
  • having just installed it on a mandrake (red hat based) system, i can assure that the install of bastille took no more than 5-10 minutes. I think it should be bundled with every system, and should be run upon roots first logon. (disable network interfaces first, then run, then re-enable)...
    -stax
    /. poster #104543567
  • /*
    I defy _anyone_ to root the box at this IP:

    209.242.124.241
    */

    Disable Telnet, you crazy fool!
  • Have you given any thought to defaults for these scripts which would be task specific>? "This machine is a pure webserver" "This machine is my home firewall and family webserver" "This machine is an internal workstation". where you could make a coherent set of reccomendations. Security which prevents the work from getting done leads to amateur changes to loosen the security ...
  • Necessity is the mother of invention, as they say...
    -stax
    /. poster #104543567
  • by Skapare ( 16644 ) on Tuesday October 31, 2000 @01:17PM (#661655) Homepage

    How will Bastille allow users to treat their computer and network security as a "process" (as Bruce Schneier is quoted to say). Are there tools to help users deal with security "events"?

  • It's the sysadmin's job to secure his boxes, which is generally done after installation. First, you only select the services you need, then you tighten things up.

    Why not make it easy on everybody? Just make the default maximally tight, and make it "The Sysadmin's job" to OPEN any holes he wants open, rather than closing all the holes in the swiss cheese?

    Especially when the distribution doesn't come with any document that even LISTS the holes in the cheese.

    That way:

    - The box is secure from the start: No temporary holes for somebody to break through and plant a backdoor while the sysadming gets around to closing holes.

    - Ordinary users, or even newbies, can install and go right to work, without having to become a skilled sysadmin just to have a safe box. (Something not working? Bring up the config tool and turn it on.)

    Both ordinary users and sysadmins would thank any distro vendor who did it this way.

    So why don't they?

    Probably because they fear a flood of support calls when things don't work because they aren't turned on yet.

    So they leave their customers hanging out there with the wind blowing through the holes in their cheese.

    Software liability, anyone?
  • Why are you guys coding at all on Bastille Day? You should be watching the Tour [letour.fr]!
  • by mosch ( 204 ) on Tuesday October 31, 2000 @01:55PM (#661658) Homepage
    Given the world's largest cluestick with which you could assault every single SysAd on the planet, what clues would you distribute, other than the use of bastille, and the knowledge that there's life outside computers?

    --
    "Don't trolls get tired?"
  • They said it on their webpage. They initially intended it as such. But they found that the effort to do such a thing was more than they were willing to commit to.

    They also found that they could accomplish nearly the same thing in an existing distro with a few scripts.


    Chas - The one, the only.
    THANK GOD!!!

  • One of the best thing I like about Bastille is that it provides a very detailed, step by step explanation of what is going on.

    As many security experts stated, the weakest link is always the people. Bastille not only harden your Linux box, it also helps the inexperienced sysadmin/home user to learn more about their systems.

    After running Bastille on several sytems, I am confident enough to manually harden distros that are not supported by Bastille (yet :-).

    So my question is what prompt you guys to spend so much time on the document side, which is often the last thing most developers do (if at all)?

    Bastille is truly a useful and educational tool. Well done and thank you guys.

    ====

  • Well, my point was, sometimes it isn't that easy to turn something on or get it working after it has been secured. I don't necessarily like it, but that's the rationale, and it isn't so hard to run something like Bastille, either.

    It would be nice if the default installs were more secure, though, and it sounds like Mandrake tries to give people that option upon installation.

    The hardest thing to do is to make something like this easy and smart; any distro vendor who can do that gets my vote of confidence as well.
    ---
    pb Reply or e-mail; don't vaguely moderate [ncsu.edu].
  • by matman ( 71405 ) on Tuesday October 31, 2000 @08:38AM (#661662)
    I have two questions actually.

    The first: do you plan to make a non distribution specific hardening program/system/script? If so, how? It would be neat to have a consensus between distributions on file locations, etc to make this easier; do you plan on working with other distributions to come up with some sort of common interface or environment?

    The second: do you plan on including any kernel based capability, IDS, or ACL addons? A good default use of these features would greatly increase the security of linux in general, but they are prohibitively complex for most users. Thus, these are great things to have taken care of by the system - do you plan on working on something to control these things (semi)automatically?
  • by DG ( 989 ) on Tuesday October 31, 2000 @08:39AM (#661663) Homepage Journal
    In a perfect world, the Bastille scripts would be unecessary, because the default installation of the distribution would have been hardened from the get-go.

    Why do you feel that various distributions are so insecure by default? What are the most common mistakes they make? What kinds of changes need to happen at Red Hat to make your scripts unneeded?

  • How can you be so pathetic as to be posting at #9 and still believe you got first post?

    What sort of permanent daydream are you living in? Huh? HUH?

    --

  • I'm know Linux junkie, but I would like to setup a linux box and have addons that are easy to do. A year or so ago I installed a base Red Hat 6.0 install on a box and I tried with no avail to install PHP & MySQL. It was very confusing for me and the lack of centralized information sources for help made me give up. <BR>

    It sounds like this distro could be something like I need. An easy way to add on products and lock down the box for linux non-experts??

  • by Wubby ( 56755 ) on Tuesday October 31, 2000 @09:16AM (#661666) Homepage Journal
    Did you guys consider your own distro? Why, why not and will you create a full Bastille distro.

    (One minor wishlist item: could you fix the Curses thing for sparc) Sorry, just had to sneak that in.

  • by Coz ( 178857 ) on Tuesday October 31, 2000 @09:21AM (#661667) Homepage Journal
    A two-part question:

    What features do you feel are missing from Bastille as it stands today, and aren't in the roadmap you have for the immediate future?

    What elements of system security do you feel should be part of the "core" (if not the kernel) of the operating system, and why (in your opinions) aren't they there already?

  • I'd like to thank you guys for not making another distribution :) I'm terrified of a Free Software world were each and every major app(ie: word processor[Corel], desktop software[Mandrake], or security system[you case :]) needs an entirely different distribution underneath it.

    I'm glad Bastille relies on work that has already been done by others, rather than re-inventing the wheel.

    Thank you :)

    Dave
    'Round the firewall,
    Out the modem,
    Through the router,
    Down the wire,
  • How do you check the actual security of a 'bastilled' distro before you make a new release ? Do you use specific tools (if so, which of them ?) or do you only rely on your own knowledge about security to declare that the distribution "is secure" ?
  • by Anonymous Coward
    I'm not an expert, but while trying to lock down my box I stumbled onto Bastille.

    Originally, it was supposed to be a secure distro, but since then it became a set of scripts to secure a just-installed Red Hat distro. Recently it became useful for non-virgin installs.

    In regards to prompting, it does have an interactive mode which asks confirmation on all items. So you can choose wheather to shut off apache or not. In fact, even if you do choose to shut off apache, it goes through posible changes to apache anyway, so if you decide to turn on apache later, it's secure.

    Anyway, good questions, just tiding you over till the official responce gets in.

  • ...because the guy obviously didn't read the Bastille FAQ, particularly this question [bastille-linux.org]. It says right there that the original purpose of Bastille was to "make a new, more secure Linux distribution".

    Given the wording at the above mentioned place in their FAQ, it is highly unlikely that they'll ever do their own distro.

  • When will Debian scripts be available?

    --
    Me pican las bolas, man!
    Thanks
  • by DreamerFi ( 78710 ) <john.sinteur@com> on Tuesday October 31, 2000 @09:33PM (#661673) Homepage
    Bastille is a great project, but ultimately it targets people who sort-of know what they are doing. How do you feel about projects like the NetBSD/i386 Firewall Project [dubbele.com] who (whilst having all sources available) targets people who have no clue other than "I need security" by giving them a firewall that has an install that's about as simple as one can make it? Is this just a matter of defining the target audience different?
  • OK, so maybe this begs the question: No time. But, seriously, why not Debian? Because, even though the market share statistics might say "RH 0wnz all of you", if you look beyond that, a lot of the clued users, a lot of the servers that get rolled out, are Debian. I'm involved in rolling out servers, and they have to be able to be built, by unqualified people, in a short amount of time. I can't just say "yeah, edit the proftpd config flie and disallow ... blah" - I have to have quick, easy, reproducable procedures. I must say I was rather pissed off at having to run with RedHat for the servers for that very reason. Please think about Debian, SuSE, etc as well. d


    -
  • by AFCArchvile ( 221494 ) on Tuesday October 31, 2000 @08:42AM (#661675)
    ...especially if you want to convey security. Do you remember your late 18th century European history? Right. The Bastille in France was invaded and destroyed, prisoners were liberated, and the monarchy was overthrown by that terrible harbinger of death, La Guillotine.

    I'd hate to see any Bastille Linux-oriented viruses or trojans. Maybe there will be one which triggers on July 14th of every year and echoes on the screen: "Liberté! Egalité! Fraternité!"

    For more historical stuff on Bastille Day, check out this link to the French Embassy [info-france-usa.org].

  • it's nice that these kind of distros exist; but until all linux distros are by far more secure by default (like not havin millions of daemons running per default) everybody just have to learn securing their box the hard way - there is no quick way for anything. but hopefully this bastille linux will show the way.

    just my 2 pennies

  • So it's up to you, brave intrepid AC, to post the HARD questions. :P
  • by FeeDBaCK ( 42286 ) on Tuesday October 31, 2000 @08:45AM (#661678) Homepage
    I believe that the concept is not to attempt to replace OpenBSD, but rather to create a way to harden Linux. Most distributions leave themselves wide open for some script kiddie to root your box before you even get the chance to completely set it up. By creating a distribution that is more secure out of the box, it allows for a lessened chance of the machine being compromised prior to hardening. OpenBSD is not perfect. It *is* secure in its default install and is audited very rigorously. I applaud the OpenBSD team for their great pains in increasing security and awareness. I believe where Bastille really gets their merit is the situation where a person feels more comfortable using linux as opposed to a system that they may not be as familiar. I would feel more comfortable in securing a linux box than I would some other OS because I am more familiar with linux. This also solves a problem wherein a PHB decides that you're going to use that new lienucks thingy I have been hearing about. Not all decisions of what OS to use for a particular job are decided by someone who has a clue. Sometimes we just have to make best with the tools we are given. I think Bastille does an excellent job of doing this and making us feel a little better about the inherent insecurities of linux versus other systems.

A triangle which has an angle of 135 degrees is called an obscene triangle.

Working...