
Bastille Adds Reporting, Grabs Fed Attention

timothy posted more than 9 years ago | from the soon-comes-the-boiling-oil dept.

Security 151

johnny.ihackstuff.com writes "NewsForge interviews the Bastille project lead Jay Beale about Bastille's cool new assessment feature, which reports and scores Linux security and -- as always -- makes Linux lockdown super-easy. Available for many distros and Mac OS X, too. Best of all, it's free and open source!" As Jay points out in the interview, the work was "sponsored by the U.S. government's Technical Support Working Group." An anonymous reader summarizes the new capability: "In essence, Bastille now does two things. In one mode, it locks down an operating system, tweaking the configuration for increased security, asking you about each step and teaching you along the way. In the new Assessment mode, it reports on what hardening steps have been taken and what could be taken."


MS Supports HD-DVD over Blue-Ray (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12291158)

Ok, completely off topic. Maybe somebody will post this. I think slashdotters would be interested. It's a big deal. No really it is lol.

http://www.microsoft.com/presspass/press/2005/Apr05/04-18WBMSDVDTitlesPR.asp

Re:MS Supports HD-DVD over Blue-Ray (1)

Triddle (793231) | more than 9 years ago | (#12291185)

So log on and post the story so everyone on /. can see it.

Re:MS Supports HD-DVD over Blue-Ray (0)

Anonymous Coward | more than 9 years ago | (#12291206)

Was going to do that. No account. To create one they email me the pw, at work I don't have full email access. But thanks for the suggestion.

Call me a bluff traditionalist... (5, Funny)

gowen (141411) | more than 9 years ago | (#12291162)

... but if I were starting a Linux security project, I'd name it after a prison which was difficult to escape from [wikipedia.org], rather than one famous for being stormed by about 1,000 upset Frenchmen. [wikipedia.org]

Re:Call me a bluff traditionalist... (1)

Nadsat (652200) | more than 9 years ago | (#12291187)

Name it "The Coffin." Most Frenchmen or Americans can't escape from that.

Re:Call me a bluff traditionalist... (0)

Anonymous Coward | more than 9 years ago | (#12291881)

I don't get it.

Re:Call me a bluff traditionalist... (1)

1u3hr (530656) | more than 9 years ago | (#12292468)

Name it "The Coffin." Most Frenchmen or Americans can't escape from that.

Coffins have been used as a method of escape -- in Len Deighton's Funeral in Berlin notably. As this was used to penetrate the Berlin wall, the security analogy is even more acute. On the other hand, no one is known to have escaped from Alcatraz (several got away, but are believed to have drowned).

Re:Call me a bluff traditionalist... (4, Funny)

Qzukk (229616) | more than 9 years ago | (#12291216)

rather than one famous for being stormed by about 1,000 upset Frenchmen.

Good thing I don't need to keep 1000 upset Frenchmen out of my server ;)

Re:Call me a bluff traditionalist... (2, Funny)

mattyrobinson69 (751521) | more than 9 years ago | (#12291599)

I don't think they'd be a problem, I'm guessing bash doesn't understand outrageous comical accents.

Re:Call me a bluff traditionalist... (0, Troll)

Jeff DeMaagd (2015) | more than 9 years ago | (#12292046)

I think it's easier to keep 1000 upset Frenchmen at bay than the same number of Mexican illegal immigrants.

Re:Call me a bluff traditionalist... (4, Insightful)

Pogue Mahone (265053) | more than 9 years ago | (#12291261)

Problem is, you don't want to stop people from escaping. You want to stop them from getting in. IIRC there was never any real problem to get IN to Alcatraz.

Re:Call me a bluff traditionalist... (1, Offtopic)

ryanjensen (741218) | more than 9 years ago | (#12291578)

The Rock [imdb.com].

Re:Call me a bluff traditionalist... (1)

Pogue Mahone (265053) | more than 9 years ago | (#12291998)

There were easier ways to get into Alcatraz ... ask any of the inmates: they had no trouble. ;-)

Re:Call me a bluff traditionalist... (2, Funny)

jd (1658) | more than 9 years ago | (#12292549)

If you recall correctly? I hope you mean if someone else recalls correctly. :)

Data (1)

phorm (591458) | more than 9 years ago | (#12292595)

Ahhh, but you do want to keep somebody from pulling a "prison-break" and getting your data out...

Hah! You silly American programmers! (0, Funny)

Anonymous Coward | more than 9 years ago | (#12291311)

I wave my private parts in your general direction!

[hurls poop]

Re:Call me a bluff traditionalist... (0)

homerules (688184) | more than 9 years ago | (#12291340)

Bastille is a French word meaning "castle" or "stronghold" and that was from your own reference.

Re:Call me a bluff traditionalist... (5, Funny)

gowen (141411) | more than 9 years ago | (#12291396)

Bastille is a French word meaning "castle" or "stronghold"
And "C'était une plaisanterie, vous clod d'humeur-moins" is a French phrase meaning "It was a joke, you humourless clod."

Re:Call me a bluff traditionalist... (0)

Anonymous Coward | more than 9 years ago | (#12292265)

That is quite the literal translation you got going there. Pretty sure a Frenchman wouldn't be caught dead saying something as archaic as that.

Re:Call me a bluff traditionalist... (1)

gowen (141411) | more than 9 years ago | (#12292586)

Yeah, I know. But that's Google's translate service for you. Sadly, my own French was learned at school, and they didn't tend to focus on how to throw a well-crafted insult.

Call me crazy (0, Offtopic)

scenestar (828656) | more than 9 years ago | (#12291164)

With the US gov agencies and large corporations such as IBM switching to OS software I'm getting the idea that proprietary software has no future.

Once again this calls for an overhaul of the current OS license system and perhaps a new look at the current OS business model.

Re:Call me crazy (0)

Anonymous Coward | more than 9 years ago | (#12292098)

In the IT acronym OS means Operating System. If you need an abbreviation for open source use OSS. That is standard convention. When you don't follow standards you confuse and annoy people and will continue getting modded down.

Why do we need to harden distros ? (5, Insightful)

Elgreco1 (714955) | more than 9 years ago | (#12291165)

Why do we need hardening wizards, tools, software and so on? Why can't distributions be secure out of the box?

Re:Why do we need to harden distros ? (5, Insightful)

gowen (141411) | more than 9 years ago | (#12291186)

Why can't distributions be secure out of the box?
Essentially, there's a trade off to be made between security and ease of use (for example, a hardened distro won't let users mount filesystems, let alone do it automagically. Desktop distros consider automounting CDs and USB sticks to be de rigueur.).

Most distributions try to steer a happy medium. Some sacrifice security for simplicity. [slashdot.org] Others (like Bastille) take the opposite tack.

Re:Why do we need to harden distros ? (2, Insightful)

Kaali (671607) | more than 9 years ago | (#12291193)

Because some security features have pros and cons. It might make your system more secure but suddenly normal users can't use CDs and so on. These wizards can tailor the system's security according to your needs, not general needs which will not be as secure as a completely customized system.

Re:Why do we need to harden distros ? (5, Insightful)

Daengbo (523424) | more than 9 years ago | (#12291196)

Part of Bastille's goal is to educate the admin, as well, so (even if your distro is very secure out of the box) you can run the program, listen to all the checks and changes, learn from Bastille why things should be set up that way, and maybe admin your box better. Alas, though, most distros are not as secure as they should be, and Bastille will make you think about what tradeoffs you really want to make between ease of use and security.

Re:Why do we need to harden distros ? (1)

Mistah Blue (519779) | more than 9 years ago | (#12292390)

And if you know why things should be set up a certain way, you can make informed business decisions on possibly why you wouldn't want a certain thing secure (that "ought" to be). You could then document that yes it should be, but here is why we aren't doing it.

Re:Why do we need to harden distros ? (4, Informative)

yardbird (165009) | more than 9 years ago | (#12291197)

In TFA, he claims that the project is helping to push vendors in that direction:

"The short-term effect of Bastille here was that possibly a hundred thousand Linux DNS servers couldn't be compromised. The long-term effect was that Linux distribution makers gained both familiarity with a couple more hardening steps and confidence that those steps would be palatable to users. Additionally, Linux users came to expect tighter configurations from their distribution vendors."

I agree it would be better for the vendors to do it without prompting, though, but this can help to standardize best practices.

Re:Why do we need to harden distros ? (5, Insightful)

admorgan (168061) | more than 9 years ago | (#12291218)

Why do we need hardening wizards, tools, software and so on? Why can't distributions be secure out of the box?

What about those of us who don't use a distro? I often build systems from scratch and this gives me a convenient, useful tool to lock it down. Also why not go the other direction... Why don't distros use generic tools like this to keep their system secure out of the box? I would like to point out one thing though. People use Linux for just about everything today. The wizard gives you the functionality to do non-standard things to your system, whereas if the distro was secure out of the box, when you add a new service would you be able to say it was still secure, or what happens if you make a mistake setting up a config file? Generic tools that are very good at what they do are much better than large tools or relying on assumptions about the overall state of a system.

Re:Why do we need to harden distros ? (3, Insightful)

gilesjuk (604902) | more than 9 years ago | (#12291235)

Security can often carry a level of pain with it that would annoy a desktop user.

Also auditing many applications takes time. You can expect a distro run by a few people to audit thousands of lines of code in each package.

Re:Why do we need to harden distros ? (0)

Anonymous Coward | more than 9 years ago | (#12292250)

Why do we need hardening wizards, tools, software and so on? Why can't distributions be secure out of the box?

Because even if it is secure out of the box, after setting it up for everyday use it will probably no longer be secure anymore. That is where tools like this come in.

It is like OpenBSD. Sure it is secure out of the box. But the second you start configuring it to do something useful, if you don't know exactly what you're doing, you might make it insecure.

Re:Why do we need to harden distros ? (4, Interesting)

jbolden (176878) | more than 9 years ago | (#12292329)

I once built a very secure version. Here are the sorts of things I did.

1) It had no shells of any sort, nor any user interface of any sort.

2) It would not mount any filesystem whose CDs meet a certain checksum (this avoided mounting random data). CDs that had the right checksum it would automatically run a program with a particular name. This was the sole way to introduce new software/issue commands to the system.

3) It only had about 4 open ports: 2 for getting data and 2 it used for sending the data out.

4) It was stripped, having almost no software except the bare minimum needed to run 2 apps. It used a minimal set of libraries missing any links that weren't needed for the included software. All the apps and all the libraries had their names scrambled (using a hash generator) so apache might be something like /vksjl39/skl9394/i8843nvnnf. This made the box harder to get around. The result: most pieces of gcc software wouldn't have run at all with a great deal of knowledge about the box.

5) It checksummed the bios to verify the bios wasn't corrupted (i.e. boot password was intact).

6) Data on the drives were encrypted.

Sound like a fun distribution to work on? On the other hand, under computer-generated network attacks (like say 10000 attacks per second) the system was able to function fine indefinitely. Even somebody with physical access would have had to take a long time to hack the system.

That is sort of the ultimate in Linux security. The goal of hardening a system is to reduce points of entry for people to issue privileged commands, and this is done by reducing features. And that means a decrease in usability.

Now THAT's Funny! (3, Informative)

pandrijeczko (588093) | more than 9 years ago | (#12291167)

This is presumably the same johnny.ihackstuff.com who got hacked himself recently resulting in the email addresses of subscribers to his web site getting into the hands of spammers - mine included with a huge increase in spam to it as a result.

Perhaps he should have used Bastille himself...

Re:Now THAT's Funny! (1)

j0hnnyhax (695923) | more than 9 years ago | (#12291454)

You've got the right johnny, but well, you're just plain wrong about the email theft. No soup for you.

Re:Now THAT's Funny! (1)

pandrijeczko (588093) | more than 9 years ago | (#12291674)

you're just plain wrong about the email theft.

Predictable response and you're in between a rock and a hard place no matter what answer you give - after all, if you admit to it, no-one's going to take you seriously on security any more...

It's a shame I didn't keep some of the original discussions about this because your site was definitely stated as the source from where our email addresses were obtained.

Re:Now THAT's Funny! (1)

j0hnnyhax (695923) | more than 9 years ago | (#12292192)

To everyone in the security community that's been burned in even a small way by a hacker, hang it up. Sadly, your career is obviously over. You're done. No-one's [sic] going to take you seriously on security anymore.

My defacement did not result in my user database being compromised. If my hosting provider was broken into, then I apologize for the inconvenience, and I'll be sure to let them know. I hate even the idea that my user base might be inconvenienced as a result of signing up for an account. Seriously.

If this was a result of a break-in at my hosting provider, then to everyone in the security community that has had their hosting or upstream provider burned, even in a small way by an attacker- you should hang it up as well. Obviously your security career has also met an untimely demise. No-one's [sic] going to take you seriously on security anymore.

Listen carefully, and you can hear the sound of all the security careers grinding to an ugly halt. To those of you that might still be obstinately clinging to your career in security, keep on fighting the good fight. I know I will.

P.S. Bastille just plain rocks, which was the point of the post.

mmmmm....lunchtime reading... (-1, Offtopic)

nachtzeit (516437) | more than 9 years ago | (#12291168)

second post =D

A windows version (2, Insightful)

JohnnyKlunk (568221) | more than 9 years ago | (#12291172)

I don't suppose someone could port this to windows could they?
There's not a lot of decent tools for non-security-expert admins and windows could do with something like this (not meant as an anti-windows troll).

Unfortunately too many corporate windows admins have so many pressures on their time that security of every server isn't always given the time it needs; it sounds like this could provide a framework for that security.

Re:A windows version (5, Informative)

Sexy Bern (596779) | more than 9 years ago | (#12291207)

The baseline security analyzer?

http://www.microsoft.com/technet/security/tools/mbsahome.mspx [microsoft.com]

Re:A windows version (4, Informative)

Sexy Bern (596779) | more than 9 years ago | (#12291215)

Hate to reply to myself, but some reluctant admins may also like to use the MS Exchange best practices analyzer:

http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx [microsoft.com]

Re:A windows version (1, Informative)

Anonymous Coward | more than 9 years ago | (#12291273)

the MS Exchange best practices analyzer:

Or, shorter, http://www.exbpa.com/ [exbpa.com].

Re:A windows version (0)

Anonymous Coward | more than 9 years ago | (#12292629)

3 easy steps to secure a Windows box:

1. Find the power switch.
2. Power off.
3. Unplug network cable.

Re:A windows version (1)

Beatbyte (163694) | more than 9 years ago | (#12291213)

why would you port security scripts for posix systems to windows?

if anything you could create a sister project for the same sort of thing for windows based systems... but do you have enough fingers for that damn?

Re:A windows version (4, Informative)

pandrijeczko (588093) | more than 9 years ago | (#12291231)

I don't suppose someone could port this to windows could they?

It's not really "portable" in the same sense as, say, Mozilla Firefox.

I've not used Bastille in a while but I recall it's more of a tool that makes recommendations and changes to your system to lock it down - these can be everything from file permissions, service lockdown and kernel firewall settings.

Therefore it's very much tied to the UNIX topography and even if you got it to run on Windows, the architecture is so different that it would be a totally different application by the time you'd modified it enough.

However, you might want to consider running Bastille on, say, a Linux NAT/proxy router and just tucking Windows machines behind it.

Re:A windows version (1, Funny)

NickHewitt (876323) | more than 9 years ago | (#12291257)

There is a windows version - it's called the Microsoft Security Centre - it checks to see if you have an AV package, XP firewall turned on and Automatic updates switched on.. what more do you need to secure a windows box?

Re:A windows version (2, Insightful)

Noksagt (69097) | more than 9 years ago | (#12291389)

You might be joking, but quite a bit is needed to lockdown win32.

Bastille does useful things such as stop unneeded services. The *nux distros I've used have been far better out of the box than win32 machines I've seen. File permissions on win32 are also a nightmare. Bastille also locks down common userland apps. Misconfigured apache on win32 can do as much damage as apache on linux.

Re:A windows version (2, Insightful)

XMyth (266414) | more than 9 years ago | (#12291438)

2003 Server is better about this and I'm sure Longhorn will be too. That's not in defense of Windows, just FYI.

Also, I'm sure he was joking but the Microsoft Baseline Security Analyzer does a fair job at locking down Windows. I haven't used Bastille so I can't compare (from what I've heard I'd bet Bastille is more thorough though).

Re:A windows version (1)

NickHewitt (876323) | more than 9 years ago | (#12291500)

Yeah, I was joking. I disable a number of services and install a long list of software to secure my Windows boxes before I allow them onto the internet. I would much prefer windows to ask me what services to start when I do the initial install as opposed to starting a load of services which I don't need - such as remote assistance....

Re:A windows version (0)

Anonymous Coward | more than 9 years ago | (#12291999)

As well, for Server 2003 SP1 - they included the security configuration wizard (SCW) that will ask you what you want your box to do - then will block ports/turn off processes that are not needed for running the tasks you specify.

Re:A windows version (3, Informative)

pandrijeczko (588093) | more than 9 years ago | (#12291472)

what more do you need to secure a windows box?

Unfortunately, you're lost on the context in which you would use Bastille.

AV packages and XP firewall are more desktop orientated security applications that usually provide a second layer of security protection after corporate firewalls, NAT routers, proxies, etc.

And whether you like it or not, there are security holes in Windows purely as a result of the architecture and the fact that a lot of applications have free access to any part of the system.

If you have similar security holes in Linux it's because you're running a service at root permissions or have some file permissions set wrongly. You might not be using a UNIX system that has strong password checking built in or you might have inactive accounts on your system. All these things are the types of issues checked by Bastille.

Sure, you could use Bastille on a UNIX/Linux desktop to lock it down a bit but its real use is for locking down services and maybe creating a server to hide desktops behind, like a NAT proxy. So it's more important in small office or home server use where a server needs to be doubly secure because you don't have the protection of two firewall layers that you will inevitably find in a corporate environment.
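
The checks named in the comment above (services running as root, wrongly set file permissions, unused accounts), written as a read-only assessment that reports findings and a score. This is an added example, not part of the thread and not Bastille's code; the sample data, the weights, the `ROOT_OK` allowlist and the use of password age as a stand-in for account inactivity are assumptions.

```python
import stat

# All inputs below are constructed sample data, not taken from a real host.
TODAY = 12891        # days since 1970-01-01, roughly April 2005
MAX_PW_AGE = 365     # assumed threshold for a "stale" login account
NOLOGIN = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")
ROOT_OK = {"sshd"}   # assumed: daemons accepted as running as root

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:spare root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
olduser:x:1001:1001:Former staff:/home/olduser:/bin/bash
"""
SHADOW = """\
root:$1$constructed$hash:12890:0:99999:7:::
toor:$1$constructed$hash:12890:0:99999:7:::
daemon:*:12890:0:99999:7:::
alice:$1$constructed$hash:12880:0:90:7:::
olduser:$1$constructed$hash:12000:0:99999:7:::
"""
FILES = [  # (path, st_mode) pairs as os.stat() would report them
    ("/etc/passwd", 0o100644),
    ("/etc/shadow", 0o100666),      # world-writable regular file
    ("/tmp", 0o041777),             # world-writable but sticky: acceptable
    ("/var/spool/drop", 0o040777),  # world-writable directory, no sticky bit
]
LISTENERS = [("sshd", "root", 22), ("named", "root", 53), ("httpd", "apache", 80)]


def parse_colon(text):
    """Split passwd/shadow style text into lists of fields."""
    return [line.split(":") for line in text.splitlines()
            if line and not line.startswith("#")]


def extra_uid0(passwd):
    """Accounts other than root that carry UID 0."""
    return [f[0] for f in passwd if f[2] == "0" and f[0] != "root"]


def empty_passwords(shadow):
    """Accounts whose shadow password field is empty (no password needed)."""
    return [f[0] for f in shadow if f[1] == ""]


def stale_logins(passwd, shadow, today=TODAY, max_age=MAX_PW_AGE):
    """Login-capable accounts whose password is older than max_age days."""
    can_login = {f[0] for f in passwd if f[6] not in NOLOGIN}
    return [f[0] for f in shadow
            if f[0] in can_login and f[1] not in ("", "*", "!")
            and today - int(f[2]) > max_age]


def loose_permissions(files):
    """World-writable paths, except directories protected by the sticky bit."""
    bad = []
    for path, mode in files:
        sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
        if mode & stat.S_IWOTH and not sticky_dir:
            bad.append(path)
    return bad


def root_listeners(listeners, allowed=ROOT_OK):
    """Network daemons running as root that are not on the allowlist."""
    return [name for name, user, _port in listeners
            if user == "root" and name not in allowed]


def assess(passwd_text=PASSWD, shadow_text=SHADOW, files=FILES, listeners=LISTENERS):
    """Return (score out of 10, {check name: findings}); changes nothing."""
    passwd, shadow = parse_colon(passwd_text), parse_colon(shadow_text)
    checks = [  # (name, weight, findings); an empty findings list is a pass
        ("only root has UID 0", 3, extra_uid0(passwd)),
        ("no empty passwords", 3, empty_passwords(shadow)),
        ("no stale login accounts", 1, stale_logins(passwd, shadow)),
        ("no loose world-writable paths", 2, loose_permissions(files)),
        ("network daemons do not run as root", 1, root_listeners(listeners)),
    ]
    total = sum(weight for _, weight, _ in checks)
    earned = sum(weight for _, weight, found in checks if not found)
    return round(10 * earned / total, 1), {name: found for name, _, found in checks}


if __name__ == "__main__":
    score, report = assess()
    print(f"score: {score}/10")
    for name, found in report.items():
        print(f"  [{'ok' if not found else 'FAIL'}] {name}: {', '.join(found) or '-'}")
```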

Re:A windows version (2, Interesting)

MajorDick (735308) | more than 9 years ago | (#12292373)

It MAY be possible later as LongHorn / WinFS is supposed to use *nix style perms.

Windows Security, would you rephrase the question? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12291436)

Does anyone see the connection between:
* Windows Security
* Military Intelligence
* Faith Sciences
* Microsoft Works
* Jumbo shrimp
* Guest host
* First-strike defense
* Department of Interior (responsible for everything outside ..???...)
* Pretty ugly
* Recently new
* Good grief
* Clean hack
* Violent Agreement
* This page intentionally left blank
* "Thank God I'm an Atheist"
* New classic
* Terribly pleased
* Sweet sorrow
* Small crowd
* Synthetic natural gas
* Genuine imitation
* Airline Food
* Terribly Good
* Terrific Head Ache
* Alone together
* Living dead
* Paid volunteer.
* Original copy.
* Long shorts
* Talkative mime
* Tactical mass destruction
* Friendly fire (as in firearms)
* Democratic dictatorship
* Real fake
* Old news

Re:A windows version (1)

SonicBurst (546373) | more than 9 years ago | (#12292342)

It's kinda already there and it is called the Security Configuration and Analysis tool. Probably not quite as in depth as Bastille, but does a very similar thing. There are only a few built-in security templates, but you can build your own easy enough.

Well... (4, Funny)

JavaMoose (832619) | more than 9 years ago | (#12291176)

I downloaded this, but I can't get it to run.

Anyone else having problems getting this to run on Windows XP?

Re:Well... (0)

JavaMoose (832619) | more than 9 years ago | (#12291205)

Wow, pissy mods today...

IT WAS A JOKE.

Where are all the follow-up jokes like "If you ran it on Windows it would just tell you to install Linux" and the like?

Re:Well... (1, Funny)

ggvaidya (747058) | more than 9 years ago | (#12291228)

Me too!

Do you get error code "4.09 Windows XP? Am I on candid camera?" too? Maybe we should report this ...

Re:Well... (0)

Anonymous Coward | more than 9 years ago | (#12292029)

It was choked to death by all the recommendations it would have to propose...

Scoring systems (5, Insightful)

admorgan (168061) | more than 9 years ago | (#12291177)

The score idea is actually pretty central here. When I first heard about it, I thought it was overly simplistic, but people really do get motivated and sometimes even jazzed up about improving the score on a system. They'll get a lower score than their ego tells them they should and will turn around and harden a few items on the box just to achieve a more encouraging score.

This is an excelent example of making an application have a "value" as incentive to do the right thing. People are by nature competative and will strive to improve a "score" even if it doesn't necessarily help them in any way. I give cudose to whoever decided to add this feature.

Re:Scoring systems (0)

Anonymous Coward | more than 9 years ago | (#12291266)

cudose?

Sounds like a medical administration of copper!

Re:Scoring systems (5, Funny)

gowen (141411) | more than 9 years ago | (#12291280)

People are by nature competative and will strive to improve a "score" even if it doesn't necessarily help them in any way
You're talking rubbish. Now, excuse me, I've got to go and whore some more Karma.

Re:Scoring systems (1)

m50d (797211) | more than 9 years ago | (#12291429)

However, no kudos for whoever taught you to spell :)

You can pick up a easy bonus point... (1)

MarkusQ (450076) | more than 9 years ago | (#12291739)


You can pick up an easy bonus point if you spell "kudos" correctly (hint: it's from Greek).

--MarkusQ

Needs to be point and click. (4, Funny)

Guano_Jim (157555) | more than 9 years ago | (#12291182)

The download instructions for OSX were a little intimidating, even for someone like me with basic Unix skills...

Once Bastille for OSX becomes completely point and click it will take off like Jean Valjean after stealing a loaf of bread.

They're soliciting packagers... (1)

Noksagt (69097) | more than 9 years ago | (#12291338)

We are actively seeking OS X packagers -- please e-mail Jay if interested.

I don't use OS X, but if anyone is looking to have a good impact with little effort email jay at bastille-linux.org

Re:Needs to be point and click. (0)

Anonymous Coward | more than 9 years ago | (#12291390)

THAT was intimidating?

it was about as straightforward as you can get and still be a command line install.

Re:Needs to be point and click. (1, Interesting)

Anonymous Coward | more than 9 years ago | (#12291581)

The download instructions for OSX were a little intimidating, even for someone like me with basic Unix skills...

From the Bastille-Linux OS X page [bastille-linux.org]

1. Download the tarball from the source link: Bastille-.tbz2.
2. Uncompress the file, like so:

tar -xjvf Bastille-.tbz2

NOTE: We've got a case-sensitivity problem on OS X, as we use both a subdirectory called Bastille as well as a shell script called bastille. This makes the tarball expansion step fail on HFS and HFS+ filesystems. We're addressing this in the next week.
3. Run the install script, like so:

cd Bastille && sh ./Install-OSX.sh

4. Confirm that you have perl-Tk installed.
5. Start up an X Server.
6. Run bastille -x.

I'm thinking that anyone who doesn't have the skill to do that won't be able to implement the changes suggested by Bastille either, making the whole exercise pointless.
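
The case-sensitivity problem in the NOTE quoted above can be checked for before extracting onto a case-insensitive filesystem. This added example (not part of the thread and not Bastille's code) lists archive paths that differ only by case; the archive it builds and the file name `placeholder.pm` are constructed, and `casefold()` only approximates how HFS+ compares names.

```python
import io
import tarfile


def build_sample_tarball():
    """Constructed bzip2 tarball with a 'Bastille' subdirectory next to a
    'bastille' script, the layout the NOTE describes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for dirname in ("Bastille", "Bastille/Bastille"):
            entry = tarfile.TarInfo(dirname)
            entry.type = tarfile.DIRTYPE
            entry.mode = 0o755
            tar.addfile(entry)
        members = (
            ("Bastille/Bastille/placeholder.pm", b"1;\n"),  # constructed name
            ("Bastille/bastille", b"#!/bin/sh\n"),
            ("Bastille/Install-OSX.sh", b"#!/bin/sh\n"),
        )
        for name, data in members:
            entry = tarfile.TarInfo(name)
            entry.size = len(data)
            entry.mode = 0o755
            tar.addfile(entry, io.BytesIO(data))
    return buf.getvalue()


def case_collisions(tar_bytes):
    """Return groups of archive paths that are distinct on a case-sensitive
    filesystem but would map to one name on a case-insensitive one."""
    seen = {}  # case-folded path -> set of spellings found in the archive
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            parts = member.name.strip("/").split("/")
            # Check every leading directory too: a collision on a parent
            # directory affects everything extracted beneath it.
            for depth in range(1, len(parts) + 1):
                path = "/".join(parts[:depth])
                seen.setdefault(path.casefold(), set()).add(path)
    return sorted(sorted(names) for names in seen.values() if len(names) > 1)


if __name__ == "__main__":
    for group in case_collisions(build_sample_tarball()):
        print("collides on a case-insensitive filesystem:", " <-> ".join(group))
```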

Re:Needs to be point and click. (1)

jbolden (176878) | more than 9 years ago | (#12292382)

Anyone who can't do that probably can't implement the hardening advice. It works in the other direction though, there are lots of people who could follow those instructions that could use the advice.

Re:Needs to be point and click. (1)

swiftstream (782211) | more than 9 years ago | (#12291649)

What, get locked up for 19 years?

Five years for what you did, the rest because you tried to run...

Re:Needs to be point and click. (1)

ccharles (799761) | more than 9 years ago | (#12292461)

Once Bastille for OSX becomes completely point and click it will take off like Jean Valjean after stealing a loaf of bread.

I think they're planning on getting that up and running by 24/6/01.

Cool, but... (4, Interesting)

DrLex (811382) | more than 9 years ago | (#12291184)

The ironical thing about this software is that it only works on *n*x systems, while the OS that probably could benefit most from it is Windows...

Re:Cool, but... (2, Informative)

Dr.Opveter (806649) | more than 9 years ago | (#12291237)

It's not that ironic if you see what type of thing [bastille-linux.org] it actually checks.
Windows usually doesn't come with a mail or ftp server (yeah yeah, line up the spyware/malware server installing jokes here).

Re:Cool, but... (1)

Zemplar (764598) | more than 9 years ago | (#12291424)

The ironical[sic] thing about this software is that it only works on *n*x systems, while the OS that probably could benefit most from it is Windows...

...as the saying goes, "You can't polish a turd!"

Re:Cool, but... (0)

Anonymous Coward | more than 9 years ago | (#12291810)

Or as a quality manager friend of mine says: pluck the low hanging fruit first. Or in other words do the easy jobs first before tackling the near impossible jobs.

Re:Cool, but... (1)

Allicorn (175921) | more than 9 years ago | (#12291523)

While Windows might certainly benefit from some similar support, Bastille provides a great service for Linux. With the popularity of Linux continuing to rise and rise, there are plenty of sysadmins in previously all-Windows shops who, while trying to learn all they can, are still nowhere near expert and can benefit from pre-packaged expertise like this.

In the early days of my shop trying some Linux servers, we were hit more than once by hackers and worms targeting known exploits in common Linux elements such as Bind. Didn't understand the OS well enough at the time to anticipate the holes. Wasn't familiar enough with the 'net-based sources of information of Linux expertise to always get the heads-up on new things to watch out for.

After bringing in Bastille, we never suffered another similar attack.

The project is a great boon for new Linux adopters and while long-time Linux experts might be quite comfortable in their ability to secure their own machines without products like this, for the sys-admin new to Linux, Bastille helps to provide that assurance of safety needed to help shops continue running the OS while their admins trek the long road toward a high enough level of Linux experience to be able to do it for themselves.

this is *why* (2, Interesting)

Heisenbug (122836) | more than 9 years ago | (#12291969)

A major reason that nix systems have a reputation hereabouts for superior security is that developers bother to write tools like this, and admins bother to run them and pay attention. It's not ironic -- it's an object lesson. As linux gets more exposure, we'll have an increasing need for this type of thing.

For example, I've worked under linux at work for years, I could whip out the perl command to ROT-13 your entire drive in a couple of seconds, and I'm pretty sure any linux box I set up would be totally insecure. Don't downplay the significance of tools like this ...

What's the equivalent on Windows? (0, Interesting)

Anonymous Coward | more than 9 years ago | (#12291192)

The windows admins here keep saying that Windows has better security stuff than Linux; so before raising this issue with them, I wanted to get a heads up on how they might respond.

Re:What's the equivalent on Windows? (1, Informative)

Anonymous Coward | more than 9 years ago | (#12291260)

The windows admins here keep saying that Windows has better security stuff than Linux

Do they? Where, I haven't noticed?

Windows 2003 SP1 has a funky new security lockdown wizard, and there've been IIS lockdown tools for a few years now. There's also MBSA which lets you security-scan your whole domain in one go.

Only half the battle... (3, Insightful)

lakerdonald (825553) | more than 9 years ago | (#12291201)

A "lockdown" program such as this is only half of the battle. You need to keep your kernel updated, patch programs with fixes, and also make sure that a lockdown program such as Bastille is actually doing what it's supposed to, by making sure that the rules and configurations it creates are actually sane.

Re:Only half the battle... (3, Insightful)

bhima (46039) | more than 9 years ago | (#12291430)

No, I think it's a bit more than half.

Usually when people update their windows servers it's because some virus or worm is rampaging about the net making everyone's life miserable. Whereas when I update my Linux server, it's because a couple propeller heads in a lab somewhere figured out some obscure weakness and the fix.

Re:Only half the battle... (1)

mwvdlee (775178) | more than 9 years ago | (#12291563)

Why wouldn't Bastille be able to do this itself? It wouldn't be that hard to check if new security patches were released for the current kernel or whether it is up-to-date itself.

Wow. (1, Interesting)

sglider (648795) | more than 9 years ago | (#12291204)

I'm pretty stoked about this. Of course, this is the first time I've even *heard* about Bastille Linux, but as a Windows IT guy that wants to move to linux (gentoo, here I come?), I'm glad to see these innovations and changes.

On a related note, if Windows made updates/innovations at this rate, I highly doubt that there would be this much criticism towards them. It's amazing that a company that hosts the richest man in the world can't cope with the innovation of an 'inferior' (I'm being facetious here, not trolling) business model.

re: Bastille Unix (2, Interesting)

BitterAndDrunk (799378) | more than 9 years ago | (#12291284)

Just as an FYI -
Bastille Linux [bastille-linux.org] is a program, not a flavor. It should run on any flavor of Linux Distro with the appropriate tweaking.

It's really nice; I was introduced to it with the book "Hackproofing Linux" and it does a lot of neat stuff.

Sets up sudo (if it's not already configured)
Creates a second root user that is the "true" root user, and keylogs everything that root does, and alerts the true root of any attempted accesses
And a bunch of other stuff. I just thought the root stuff was extra sexy.

Re:Wow. (2, Insightful)

pandrijeczko (588093) | more than 9 years ago | (#12291633)

but as a Windows IT guy that wants to move to linux

Why "move"? Dual boot it, play with it and move when and if you're ready to.

It's amazing that a company that hosts the richest man in the world can't cope with the innovation of an 'inferior' (I'm being facetious here, not trolling) business model.

The problem with Windows security is one of architecture, not so much business model.

When a UNIX system gets attacked, it's because some cracker or script-kiddie has picked that system as a target - because of a buggy service that can be buffer overflowed, maybe because of a weak password on an account or maybe because of a file permissions issue. However, all these vulnerabilities can be corrected by a sysadmin who knows what he's doing and applies patches, turns off unnecessary services and locks permissions down. Bastille is just a tool that does the vulnerability analysis for the sysadmin and makes recommendations, maybe even carries some out.

Windows, by design, has to allow certain applications full access to the system. That's why attacks on Windows systems are not usually targeted attacks but worms and viruses that can exploit a design weakness to get in and do their stuff on any Windows systems they find. So whereas you know the likely points of intrusion into a UNIX system, you don't on Windows until either a worm hits it or MS release an update telling you what they've fixed.

You can't say that either UNIX or Windows is more secure than the other out of the box but a good UNIX sysadmin has much more chance of predicting and preventing attacks than a good Windows sysadmin does.

Gentoo (2, Interesting)

Danuvius (704536) | more than 9 years ago | (#12292297)

You mentioned Gentoo.

It is definitely more work to set up (though, if you are computer literate you doubtless will be able to do it, so long as you pay close attention to the Handbook) but more rewarding in the end.

For me, other than that I found Gentoo to be the distribution that really started teaching me about linux, Gentoo was my eventual "only choice" because of the range of programs I use.

I found no other distribution had *all* the programs I use in their native software repositories. And installing from third-party repositories eventually caused me problems on other systems. (SuSE, Debian, Ubuntu and Xandros were my other linux attempts.)

So, let me heartily suggest, if you do make a decision to try out linux; do some research about programs first to make sure you can get the software you need with the distro you choose.

If you do go with Gentoo, I (and the myriad other forum users at http://forums.gentoo.org/) will be happy to help you. If you'd like some pre-installation tips or help with figuring out linux equivalent programs, send me a private message at http://forums.gentoo.org/ (username: danuvius) and I'll be happy to help you out.

Re:Wow. (1, Informative)

Anonymous Coward | more than 9 years ago | (#12292299)

as a Windows IT guy that wants to move to linux (gentoo, here I come?),

Since you felt the need to mention that you are in IT, I am going to assume that you are talking about moving some of the production machines over to Linux. If that is the case I would strongly advise against Gentoo. Go with a distro that has some kind of real support that will make management happy, we use Redhat but now that Novell owns and supports SuSE I would say that they are also an option.

Gentoo is not suited for the corporate arena. Gentoo is just the current trendy distro to have installed. There is always some trendy distro within the Linux Geek world and right now that distro is Gentoo. Give it a year and there will be another trendy distro and Gentoo will be forgotten. I say this as a guy who has been watching this happen for close to a decade now. Don't be a conformist geek sheep. Go with what works in the workplace not what some smelly zealot who has never even worked in IT thinks is the cool distro.

Damn straight it's not UNIX (-1, Flamebait)

Senor_Programmer (876714) | more than 9 years ago | (#12291224)

UNIX, rm * GONE!

distros, rm rebigulattor.shit-on-your-shoe ARE YOU SURE?

UNIX, install, patch, set up according to needs, tweak kernel, ...

distros, "Why can't it come out of the box with a hard on"

Re:Damn straight it's not UNIX (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12291330)

Wow...was that supposed to make any sense, or have you just been hitting the crack pipe too hard lately?

Re:Damn straight it's not UNIX (1)

Senor_Programmer (876714) | more than 9 years ago | (#12291922)

No, just commenting on the never ending, "it should come this way out of the box", statements.

IMO things began to go down hill when 'they' started trying to make unix friendly. It's a tool and you don't put doilies on a tool.

Making the various distros suit the majority of whiners is as much wasted effort as trying to shoot a duck on the midway using a rubber barreled 'rifle'.

*BSD versions? (2, Interesting)

Noksagt (69097) | more than 9 years ago | (#12291350)

I'm a bit surprised that it has been ported to a primarily desktop-OS (OS X), rather than Free/Open/Net-BSD. Anyone know of efforts to get this into ports? Are there already equivalent *BSD tools?

Re:*BSD versions? (0)

Anonymous Coward | more than 9 years ago | (#12291445)

Are there already equivalent *BSD tools?

If things could be done on OpenBSD to improve security it would probably be better to simply contact the OpenBSD developers. They would probably make it the default so extra steps weren't necessary.

Re:*BSD versions? (1)

Justin205 (662116) | more than 9 years ago | (#12291450)

I don't think this would really make a difference to security on OpenBSD. It's quite secure as-is.

I suppose their reasoning was that Macs have a larger percentage of the market share than *BSD. Or maybe someone just felt like porting to OSX, and no one was motivated to port to *BSD.

Call me a troll (-1, Troll)

dos_dude (521098) | more than 9 years ago | (#12291364)

but if the best thing you can say about something is that it's free and open source!, then what you are talking about isn't worth talking about.

I'm sure that Bastille is really nice and good and whatnot, but Best of all, it's free and open source! just doesn't sound that good to me.

We like open source because many OS programs are good or even very good, not because they are open source. Or don't we?

Re:Call me a troll (0)

NickHewitt (876323) | more than 9 years ago | (#12291452)

ok... dos dude you're a troll :o)

Re:Call me a troll (1)

gr8_phk (621180) | more than 9 years ago | (#12291791)

"We like open source because many OS programs are good or even very good, not because they are open source. Or don't we?"

I like Free Software (GPL) because of the license. As a consequence of this license, many programs are good or very good. I actually prefer Free Software to other open source. This attitude is rather common, but so is yours. In the end, most of this stuff exists because of the licensing model. One should respect that. Should we call it the "best" feature? Probably not. GPL or just OSS does not imply quality automatically.

I'd like Mandrake 9.2 support. (1)

neo (4625) | more than 9 years ago | (#12291494)

[root@localhost root]# bastille --report
ERROR: 'MN9.2' is not a supported operating system.

it's all good but.. (1)

Suchetha (609968) | more than 9 years ago | (#12291506)

.. when do we get one for Slackware [slackware.com]

Suchetha

More comprehensive tool (2, Informative)

olyar (591892) | more than 9 years ago | (#12291558)

The assessment demo looks pretty nice, but not as comprehensive as the Tiger Security tool: http://savannah.nongnu.org/projects/tiger [nongnu.org]

I've been working with Tiger quite a bit over the last few months (even contributing some changes) and I'm pretty impressed with what it can do.
Also handy is the fact that it runs on most of the proprietary *NIX's.

[/Tiger Plug]

I prefer Castle Linux (1)

Garlik II (875842) | more than 9 years ago | (#12292464)

http://castle.altlinux.ru/

yu0 7ail it (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12292621)

session and joinX in metadiscussions