Bastille system hardening - your views.

Discussion in 'all things UNIX' started by Ocky, Jul 11, 2009.

Thread Status:
Not open for further replies.
  1. Ocky

    Ocky Registered Member

    With Bastille Day coming up soon (14th July), let's have some views on this
    security app. It's hardly ever mentioned in the forum, whereas AppArmor and
    SELinux are often referred to. Is there something not to like?
    (Maybe because the Bastille was stormed and destroyed by the commoners
    who declared themselves the National Assembly and ultimately executed
    the King and Queen by guillotine?) :argh:
    Bastille
    I see it is available via Synaptic. Has an undo function in case one messes up.
     
  2. lotuseclat79

    lotuseclat79 Registered Member

    Hi Ocky,

    Bastille Linux was renamed to Bastille Unix back on 9/11/2007. It is a hardening script that helps to harden about 8|9 different Linux distributions as referenced at the link given. That is all I know about it.

    -- Tom
     
  3. chronomatic

    chronomatic Registered Member

    Bastille is just an automated script that performs basic hardening. All of these steps can be done manually without it. For instance, Bastille will check your /home permissions, it will check if you have a BIOS password, and it will check the number of SUID or GUID files one has on the system and allow the user to change permissions on those. It does much more than this, but you get the idea. I always just do these things myself, and I find most of them are not necessary (I don't want or need a BIOS password, for instance).

    If you want a nice guide on hardening your system manually, then I suggest you read the Gentoo security guide. Just google "Gentoo security" and it will be near the top. It will walk you through how to lock down permissions, how to harden /etc/sysctl and other stuff. All of these things will be distro agnostic.

    But speaking of these hardening tools, I really like Fedora's "Sectool." If you have Fedora, then:

    sudo yum install sectool sectool-gui

    It has a nice GUI and performs about 20 or so tests on your system. You can define levels like "Desktop" or "Server" or "Paranoid." It will show all the potential "weaknesses" and show you how to correct them. It is a nice tool and I prefer it over Bastille.
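
Added example (not part of the post above and not Bastille's own code): two of the checks named in post 3, the /home permission check and the SUID/SGID file listing, done by hand with GNU find. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: two checks from the post above, done by hand with GNU find.

# Home directories directly under $1 that give group or others any access.
loose_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /077 2>/dev/null | sort
}

# Regular files under $1 carrying the setuid or setgid bit (one filesystem only).
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Constructed sample tree so the checks can be tried without touching the real system.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/alice" "$t/home/bob" "$t/home/carol" "$t/bin"
    chmod 700 "$t/home/alice"   # private: should not be reported
    chmod 755 "$t/home/bob"     # readable by everyone: reported
    chmod 750 "$t/home/carol"   # readable by group: reported
    : > "$t/bin/plain";    chmod 755  "$t/bin/plain"      # ordinary file
    : > "$t/bin/suidtool"; chmod 4755 "$t/bin/suidtool"   # setuid bit set
    echo "$t"
}

tree=$(make_sample_tree)
echo "Home directories open to group/others:"
loose_homes "$tree/home"
echo "setuid/setgid files:"
setid_files "$tree"
rm -rf "$tree"
```

On a real system the same functions would be pointed at `/home` and `/`, run as root so that find can read every directory; fixing a reported home directory is a `chmod 700` on it.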
     
  4. Ocky

    Ocky Registered Member

    Thanks. Yes, Sectool does look good with a nicer GUI. Unfortunately I don't have
    Fedora - only CentOS 5.3 (and Ubuntu). As Sectool seems less intimidating than
    SELinux, it would be nice if Sectool would work with CentOS 5.3, which is also
    Red Hat based. Might give it a try.
     