Originally Published: Tuesday, 20 June 2000 Author: Matt Michie
Published to: featured_articles/Featured Articles Page: 1/1 - [Printable]

Bastille Linux Review

Bastille Linux has taken on the challenge of securing the often infamously crackable Red Hat distribution with an "after market" hardening script.

   Page 1 of 1  

Bastille Linux has taken on the challenge of securing the often infamously crackable Red Hat distribution with an "after market" hardening script.

The developers have stated that "the Bastille Hardening System attempts to `harden' or `tighten' the Linux operating system. It currently supports Red Hat and Mandrake systems. We attempt to provide the most secure, yet usable, system possible. The project is run by Jon Lasser, Lead Coordinator and Jay Beale, Lead Developer and involves a number of developers, beta-testers and concept-creators."

Being security-conscious and having my own regimen to lock-down a Red Hat box, I thought I'd give the latest Bastille Linux script a work out. The review machine is a Pentium II 300 running a semi-virgin Red Hat 6.1 install, with a 2.2.16 kernel.

The name Bastille struck me as a strange name for something secure. Although the French word Bastille means a strongly fortified structure, many people would associate it with the fortress that was a symbol of royal oppression and was stormed in the French Revolution.

That aside, I downloaded the script and untarred the file into /usr/local/src with the rest of my programs. I ran through the curses interface and realized something was wrong when I tried to enact the changes. After consulting the documentation, it became obvious that you must untar the file into /root. Doom on me. However, this is a small annoyance. I like having all my non packaged files in one place -- it is bad form to force your users into a particular directory.

Another small annoyance with the default tarball is the permissions it gives to some of the files. Why are files like COPYING, Changelog, and Credits set as executable? This seems sloppy, and makes it harder to spot the true executables in a colour directory listing.

The 1.1.0 release is a Perl program with a reasonably user-friendly curses interface. To start the configuration process, run the InteractiveBastille.pl executable. The interface is simple and is similar to a "wizard." All of the options are clearly explained in the dialogs. Kudos to the person writing the dialog documentation.

As you step through the configuration, most of the choices are of the Yes/No variety, with a reasonable default set. A new user could feel fairly confident with reading the descriptions and using the defaults.

Bastille has 16 different security modules that need to be setup:

  • Ipchains
  • PatchDownload
  • FilePermissions
  • AccountSecurity
  • BootSecurity
  • SecureInetd
  • DisableUserTools
  • ConfigureMiscPAM
  • Logging
  • MiscellaneousDaemons
  • SendMail
  • DNS
  • Apache
  • Printing
  • FTP

After running through the configuration, you have to enable the changes by running the BackEnd.pl script. Looking through the changes Bastille Linux made, I am impressed. I liked the changes to the logging, especially the modifications to /etc/hosts.allow.

Overall, Bastille has some minor buglets, but still adds a reasonable amount of security to a Red Hat install. Ideally, I would like to see Red Hat include a subset of Bastille in the default install. When you install Red Hat most of the default configurations from Bastille should be set already, with an option to modify them later. Red Hat Linux has a long way to go until it has the reputation of OpenBSD, but Bastille Linux is a big step on that journey.

Matt Michie lives in New Mexico. He maintains a web site at http://daimyo.org.





   Page 1 of 1