Introduction
================================================================

Bastille Linux is a hardening and reporting/auditing program that enhances the security of a Linux box by configuring daemons, system settings and firewalling. It currently functions on most major Linux distributions as well as Mac OS X and HP-UX.

Installation
================================================================

-Fedora 7 distro on AMD ghetto box.

Next we will have to download the Perl Curses and Perl Tk modules; these are the two packages you will need (see the yum commands below).

Get Bastille using the wget command with the appropriate link:

http://sourceforge.net/projects/bastille-linux/

rpm -ivh packageNameHere.noarch.rpm

yum install perl-Curses*
yum install perl-Tk*

After installing those packages run Bastille with the following command:

/usr/sbin/bastille -c

Bastille will load and ask you fairly descriptive and explanatory questions about certain features you should or should not allow. It also includes a section on iptables and ipchains. However, this writer felt that they were not needed since I am running a fairly decent iptables firewall already.

Be leery of this software: it can lock you out of your machine if you make the wrong choices. So be careful and think through your decisions before you tell it to execute the changes.

Questions
================================================================

Would you like to set more restrictive permissions on the administration utilities?: YES

Would you like to disable SUID status for mount/umount?: YES

NOTE:: Disabling SUID status will allow users that are not ROOT to unmount/mount devices. Thus the ROOT password will not need to be distributed to those who just "want" to mount/unmount drives.

Would you like to disable SUID status for ping?: YES

NOTE:: Should your users be able to use PING?

Would you like to disable SUID status for at?: YES

Would you like to disable the r-tools?: YES

Would you like to disable SUID status for usernetctl?: YES

Would you like to disable SUID status for traceroute?: YES

Should Bastille disable clear-text r-protocols that use IP-based authentication?: YES

Would you like to enforce password aging?: YES

Do you want to set the default umask?: YES

What umask would you like to set for users on the system?: 007

Should we disallow root login on tty's 1-6?: NO

Should Bastille ask you for extraneous accounts to delete?: NO

Would you like to password-protect the GRUB prompt?: NO

Would you like to disable CTRL-ALT-DELETE rebooting?: YES

Would you like to password protect single-user mode?: NO

Would you like to set a default-deny on TCP Wrappers and xinetd?: NO

Would you like to display "Authorized Use" messages at log-in time?: YES

Who is responsible for granting authorization to use this machine?: Whomever is responsible

Would you like to put limits on system resource usage?: YES

Should we restrict console access to a small group of user accounts?: YES

Which accounts should be able to login at console?: root

Would you like to set up process accounting?: NO

Would you like to disable acpid and/or apmd?: YES

Would you like to disable PCMCIA services?: YES

Would you like to disable GPM?: YES

Would you like to deactivate the HP OfficeJet (hpoj) script on this machine?: YES

Would you like to deactivate the ISDN script on this machine?: YES

Would you like to deactivate kudzu's run at boot?: YES

Do you want to stop sendmail from running in daemon mode?: YES

Would you like to deactivate named, at least for now?: NO

Would you like to deactivate the Apache web server?: NO

Would you like to bind the Web server to listen only to the localhost?: NO

Would you like to bind the web server to a particular interface?: NO

Would you like to deactivate the following of symbolic links?: YES

Would you like to disable printing?: YES

Would you like to install TMPDIR/TMP scripts?: NO

Would you like to run the packet filtering script?: NO

Are you finished answering the questions, i.e. may we make the changes?: YES
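
To confirm afterwards that the SUID answers above took effect, the following added example (not part of Bastille or the original article) reports the set-user-ID bit of each tool named in the questions. The search directories and the function names are assumptions; adjust them for your distribution.

```shell
#!/bin/sh
# Added example: report whether the tools named in the Bastille SUID
# questions still carry the set-user-ID bit after the changes are applied.

# Tools taken from the questions above.
SUID_TOOLS="mount umount ping at usernetctl traceroute"
# Assumption: directories searched for each tool; adjust for your distro.
SEARCH_DIRS="/bin /sbin /usr/bin /usr/sbin"

# suid_status FILE -> prints "suid", "no-suid" or "missing".
# [ -u ] tests the set-user-ID bit; without that bit the program runs
# with the privileges of the calling user.
suid_status() {
    if [ ! -e "$1" ]; then
        echo "missing"
    elif [ -u "$1" ]; then
        echo "suid"
    else
        echo "no-suid"
    fi
}

# find_tool NAME -> prints the first matching path, returns 1 if not found.
find_tool() {
    for dir in $SEARCH_DIRS; do
        if [ -f "$dir/$1" ]; then
            echo "$dir/$1"
            return 0
        fi
    done
    return 1
}

# audit_suid -> one line per tool; returns 1 if any tool is still SUID.
audit_suid() {
    rc=0
    for tool in $SUID_TOOLS; do
        if path=$(find_tool "$tool"); then
            state=$(suid_status "$path")
        else
            path="-"
            state="missing"
        fi
        if [ "$state" = "suid" ]; then rc=1; fi
        printf '%-12s %-24s %s\n' "$tool" "$path" "$state"
    done
    return $rc
}

audit_suid || echo "At least one listed tool is still SUID" >&2
```

Run it once before and once after Bastille applies its changes and compare the two reports.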

Conclusion
================================================================

Bastille is a useful utility that can further secure a Linux system. It will stop common attacks and build up security policies. It may even be useful when preparing for a security audit, in case you have missed something.

Resources
================================================================

http://sourceforge.net/projects/bastille-linux/
