Bastille is an open source program that facilitates the hardening of a Linux system. It performs many hardening tasks, including downloading operating system updates and disabling services and ports that are not required for the system's job functions. The program also offers a wider range of additional services, from installing a firewall (ipchains) to implementing Secure Shell (SSH). Bastille is powerful and can save administrators the time of configuring each individual file and program throughout the operating system. Instead, the administrator answers a series of "Yes" and "No" questions through an interactive text-based interface. The program automatically implements the administrator's preferences based on the answers to the questions.

Bastille is written specifically for Red Hat Linux and Mandrake Linux, but can be easily modified to run on most Unix flavors. The specific Red Hat/Mandrake content has been generalized, and the hard-coded filenames are now represented as variables. These variables are set automatically at runtime.

Bastille Functions

The following list highlights the security features offered by Bastille to secure your system. You choose which features to implement on your system during the question-and-answer period. For example, many servers do not need to provide firewall or Network Address Translation (NAT) services, so you may not need to configure ipchains. This list may vary as new versions of Bastille are released and the program becomes more powerful. More information about each of these features is given in the program itself.

Run the ipchains script
You can configure your system as a packet filter. This allows your system to perform NAT, serve as a small firewall, and deny certain connection types to your server.

Download and install RPM updates
The most recent versions of the RPMs used on your system are downloaded and installed. These RPM downloads are obtained from the Red Hat Errata page (www.redhat.com/support/errata).
Apply restrictive permissions on administrator utilities
Allows only root to read and execute common administrator utilities (such as ifconfig, linuxconf, ping, traceroute, and runlevel). It disables the SUID root status for these programs, so non-root users cannot use them.

Create a second root account
A second UID 0 (root) account allows administrators to track the original root account. This is helpful for tracking hackers, because Bastille notifies the second account of logins to the original account. If you always use the second account, then you know when a security breach may have occurred.

Disable r-protocols
The r-protocols allow users to log on to remote systems using IP-based authentication. IP-based authentication permits only specific IP addresses to remotely log on to a system. Because this authentication is based on the IP address, a hacker who has discovered an authorized IP address can create spoofed packets that appear to be from the authorized system.

Implement password aging
Default Red Hat Linux systems allow passwords to expire after 99,999 days. Because this is too long in a secure environment, Bastille offers to change the password expiration time to 180 days. These configurations are written to the /etc/login.defs file.

Password protect the LILO prompt
Allows only users with the correct password to add arguments at the LILO prompt. Otherwise, only the default value (usually linux) is allowed. Be careful when implementing this change if you have a dual-boot system, because the name of the other operating system, such as dos, is often typed at the LILO prompt to boot it.

Disable CTRL-ALT-DELETE rebooting
This disallows rebooting the machine by this key combination.

Password protect single-user mode
If a user gains access to your physical system, he or she can enter single-user mode by typing init 1. Once in single-user mode, that user has root access, and no one else can access the machine.
By placing a password on single-user mode, runlevel 1 is protected (the password is the root password).

Optimize TCP Wrappers
This choice modifies the inetd.conf (pre-Red Hat Linux 7 versions only) and /etc/hosts.allow files so that inetd must contact TCP Wrappers whenever it gets a request, instead of automatically running the requested service. TCP Wrappers determines whether the requesting IP address is allowed to run the particular service. If the request is not allowed, the request is denied and the attempt is logged. Although IP-based authentication can be vulnerable, this optimization adds a layer of security to the process.

Add Authorized Use banners
These banners automatically appear whenever anyone logs on to the system. Authorized Use banners are helpful in prosecuting malicious hackers, and should be added to every system on your network that allows access to the network. An information bulletin from the U.S. Department of Energy's Computer Incident Advisory Capability can be found at http://ciac.llnl.gov/ciac/bulletins/j-043.shtml. The bulletin is titled "Creating Login Banners" and explains what is required within login banners for government computers. It also explains how to create banners and provides the text of the approved banner for Federal Government computer systems. Bastille uses a modified version of this login banner. You can modify the banner text to suit your security needs in the /etc/motd file.

Disable the compiler
Most hackers access systems through regular user accounts. Once they have access to the system, they compile malicious programs to attack the system and other systems. Disabling the compiler prevents users from compiling programs, which reduces the security risk. This step is recommended for dedicated servers and firewalls, but may be too strict for workstations used by employees who require the compiler for their job tasks.
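The TCP Wrappers decision described above, as an added example that is not part of the original text or of Bastille: a small POSIX shell model of the order in which tcpd consults /etc/hosts.allow and then /etc/hosts.deny, run against a constructed pair of files. Only the ALL, exact-address and trailing-dot network patterns are modelled; leaving out hostnames, netmasks and EXCEPT is a simplifying assumption.

```shell
#!/bin/sh
# Constructed hosts.allow / hosts.deny pair of the kind the TCP Wrappers step leaves
# behind: sshd from the LAN and one management host, FTP from the LAN only,
# everything else denied (and logged by tcpd) by default.
WORK="$(mktemp -d)"
cat >"$WORK/hosts.allow" <<'EOF'
# constructed /etc/hosts.allow
sshd: 192.168.1. 10.0.0.5
in.ftpd: 192.168.1.
EOF
cat >"$WORK/hosts.deny" <<'EOF'
# constructed /etc/hosts.deny: deny by default
ALL: ALL
EOF

# Simplified client-pattern matcher: ALL, an exact address, or a trailing-dot
# network prefix (192.168.1. matches 192.168.1.20 but not 192.168.10.5).
# Real tcpd also understands hostnames, netmasks and EXCEPT; those are omitted.
pattern_matches() {  # $1=pattern  $2=client address
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# Return 0 if a "daemon_list : client_list" line in the file names this daemon
# (or ALL) and one of its client patterns matches the address.
file_matches() {  # $1=file  $2=daemon  $3=client address
    grep -v '^#' "$1" | {
        while IFS=: read -r daemons clients; do
            for d in $daemons; do
                [ "$d" = "$2" ] || [ "$d" = ALL ] || continue
                for c in $clients; do
                    pattern_matches "$c" "$3" && exit 0
                done
            done
        done
        exit 1
    }
}

# tcpd's order: a hosts.allow match grants access; otherwise a hosts.deny match
# refuses it; otherwise access is granted. Prints "allow" or "deny".
wrappers_decision() {  # $1=hosts.allow  $2=hosts.deny  $3=daemon  $4=client address
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}
```

Without the ALL: ALL line in hosts.deny, every address not listed in hosts.allow would fall through to the final "allow", which is why the deny-by-default entry matters.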
Limit system resource usage
If you limit system resource usage, you can reduce the chances of server failure from a DoS attack. If you choose to limit system resource usage in Bastille, the following changes occur:
- Individual file size is limited to 40MB.
- Each individual user is limited to 150 processes.
- The allowable number of core files is set to zero. Core files are used for system troubleshooting. They are large and exploitable if a hacker gains control of them: they can grow and consume your file system.
These limits are written to the /etc/security/limits.conf file.

Restrict console access
Anyone with access to the console has special rights, such as CD-ROM mounting. Bastille can specify which user accounts are allowed to log on via the console.

Additional and remote logging
Two additional logs can be added to /var/log/:
- /var/log/kernel (kernel messages)
- /var/log/syslog (error and warning severity messages)
You can also log to a remote logging host if one exists.

Process accounting setup
Allows you to log the commands of all users. It also records when the commands were executed. This log file is helpful in retracing a hacker's steps into your system, but the file can become large quickly. If the hacker has root access, the hacker can remove this accounting log.

Disable unnecessary daemons
Only the required services should run on a system. All other services should be removed. Bastille allows you to disable daemons that are often unnecessary and pose potential security risks. If you performed a custom Red Hat installation with "everything," you will be asked whether you want to disable the additional services, such as apmd.

Download and install Secure Shell (SSH)
A standard for securely logging on to remote systems. SSH encrypts usernames, passwords, and all information between hosts as they communicate across the network. Standard telnet connections send the information in clear text. Therefore, you should always use SSH to ensure secure remote connections.
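An added example, not from the book or from Bastille itself, that audits the two files the password-aging and resource-limit steps write, /etc/login.defs and /etc/security/limits.conf, against the values given in those two sections. The file excerpts are constructed, and expressing the 40MB file-size limit as fsize 40000 (limits.conf counts in KB) is an assumption about how Bastille writes it.

```shell
#!/bin/sh
# Two constructed excerpts of /etc/login.defs: the Red Hat default the text
# describes (99999 days) and the file after Bastille's 180-day change.
WORK="$(mktemp -d)"
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\n' >"$WORK/login.defs.default"
printf 'PASS_MAX_DAYS\t180\nPASS_MIN_DAYS\t0\n'   >"$WORK/login.defs.bastille"
# Constructed /etc/security/limits.conf (format: domain type item value) with the
# values the text lists; fsize is in KB, and 40000 for "40MB" is an assumption.
cat >"$WORK/limits.conf" <<'EOF'
# constructed
*   soft   core    0
*   hard   core    0
*   hard   nproc   150
*   hard   fsize   40000
EOF

# Return 0 when PASS_MAX_DAYS is present and no larger than the ceiling in $2.
password_aging_ok() {  # $1=login.defs  $2=maximum acceptable days
    days=$(awk '$1=="PASS_MAX_DAYS"{v=$2} END{print v}' "$1")
    [ -n "$days" ] && [ "$days" -le "$2" ]
}

# Print the value of one item for the "*" domain (last match wins), or nothing.
limit_value() {  # $1=limits.conf  $2=type (hard|soft)  $3=item (core|nproc|fsize)
    awk -v t="$2" -v i="$3" '$1=="*" && $2==t && $3==i {v=$4} END{print v}' "$1"
}

# Return 0 when the three limits the text describes are all in force.
resource_limits_ok() {  # $1=limits.conf
    [ "$(limit_value "$1" hard fsize)" = 40000 ] &&
    [ "$(limit_value "$1" hard nproc)" = 150 ] &&
    [ "$(limit_value "$1" hard core)" = 0 ] &&
    [ "$(limit_value "$1" soft core)" = 0 ]
}

# Audit both files at once; on a live host run:
#   audit_host /etc/login.defs /etc/security/limits.conf
audit_host() {  # $1=login.defs  $2=limits.conf
    status=0
    password_aging_ok "$1" 180 || { echo "password aging: PASS_MAX_DAYS missing or above 180"; status=1; }
    resource_limits_ok "$2"    || { echo "resource limits: expected Bastille limits not all present"; status=1; }
    return "$status"
}

audit_host "$WORK/login.defs.default" "$WORK/limits.conf" || echo "audit failed (expected for the default file)"
```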
Deactivate and chroot named
Similar to other services, named should be deactivated if the service is not required (e.g., if the server will not answer DNS queries). Bastille also offers to change the root directory of named to a child node on the directory tree, /home/dns. This new directory is considered a "chroot'ed prison" because the daemon is limited to only part of the file system and can access only the files it needs to function. These prisons are not entirely secure, but they do offer another layer of security to fend off a would-be hacker. This change is transparent, except that all configuration files and editing must reside in /home/dns. In addition, if you control named with ndc, you must enter:
    ndc -c /home/dns/var/run/ndc

Harden Apache Web server
httpd should be deactivated if the service is not required. If you decide to use Apache, you can perform the steps shown in the "Hardening the Apache Web Server" sidebar in Bastille to run the service.

Disable printing
Printing should be enabled only if your system needs to print. If printing is not required, Bastille removes SUID root on lpr, and disables lpr and lpd. As stated in the configuration script, if you disable SUID root on lpr and later need to print, you must undo the setting by entering the following:
    /bin/chmod 06555 /usr/bin/lpr /usr/bin/lprm
    /sbin/chkconfig lpd on

Disable FTP daemon user privileges
By default (in the wu-ftpd configuration file), FTP clients cannot connect anonymously and upload files via FTP. Users with accounts on the system can still access the FTP server. This is dangerous if they access the server over a public network, because the FTP passwords are sent as clear text and can be captured by anyone with a packet sniffer. Anyone who has upload privileges can compromise the FTP daemon, because uploaded files are the cause of most attacks that allow root access.
Disable anonymous download
Anonymous download allows anyone to download files from your FTP server without a unique username and password. Instead, it is recommended that you use an Apache Web-based file archive to allow the public to download files.

Bastille Versions

Bastille 1.1.0 and later incorporate several important changes that make the program even more powerful and easy to use. The examples in this book use Bastille 1.1.1. It is recommended that you implement at least version 1.1.0 because of the following enhancements:

Nonvirgin system install
Bastille runs on systems that are already in production. Previous versions only allowed Bastille to run on systems with a new install.

Multiple runs
Bastille can be run many times on the same system. Therefore, administrators can change settings as needed.

Log-only feature
Administrators can run Bastille without actually implementing the changes. Instead, the changes are written to a log file. This is helpful because it allows an administrator to decide what will work best for his or her system without being forced to commit to the changes. One wrong choice in Bastille can restrict the system's functionality and prevent the server from performing its job (hence the all-important Undo feature). To run the program in log-only mode, enter the following at the prompt when using interactive mode:
    ./InteractiveBastille.pl -v

Distribution support
Bastille is written specifically for Red Hat Linux and Mandrake Linux. The specific Red Hat/Mandrake content has been generalized, and hard-coded filenames are now represented as variables. These variables are set automatically at runtime.

Undo feature
Administrators can undo settings through various methods that are listed at the end of this section.