Bastille Linux

After you've gone through hardening your system a few times, you start to wish there was some kind of automated way of doing things. Thankfully, there is. Bastille Linux is a scripted framework that walks an administrator through the process of system hardening. It's relatively easy to install and use, works with a large number of Linux distributions, and provides some preliminary Mac OS X support.

Bastille requires Perl to be installed, as well as ncurses or Tk. If you are running a system that handles package dependencies for you (e.g., Debian, Ubuntu, or CentOS), this shouldn't be a problem. If, on the other hand, you are rolling your own Linux system, you need to make sure that you have the Perl libcurses libraries as well.

Once Bastille is installed, you can start the configuration interface by running the command InteractiveBastille, which will display the window shown in Figure 14-7.

Figure 14-7. Screenshot of Interactive Bastille starting

The Bastille setup is remarkably clear and well documented, and it really makes no sense for me to go through each and every option, but I do want to highlight some that I consider important or nonintuitive:

Should Bastille disable clear-text r-protocols that use IP-based authentication?

Yes, definitely. This is a must: like turning off Telnet, moving to SSH is a giant leap forward in reducing the number of times your password is sent in the clear. You should be running SSH, since it completely replaces all of the functionality in rlogin, rexec, rhost, and so on.

Should we disallow root login on all ttys?

This one is a little difficult to get used to, but if you have installed sudo and are using it, you have little need to directly log in as root. Say "Yes" here.

Would you like to password-protect single-user mode?

I turn this on, even though it doesn't provide a whole lot of real security. If someone has uninterrupted physical access to the machine, then you have pretty much lost the battle. But I turn this on anyway on servers for two reasons.

One reason is that if someone who works with me is mildly messing with one of the machines in the data center and they don't know what they're doing, as soon as they get a password prompt, they inevitably call me. At the very least, this has kept me in the loop while a DBA who thought that he was qualified to upgrade the system managed to reboot the completely wrong server into single-user mode (despite the fact that the servers were labeled). First I got a page telling me that the web server was offline; then I got a phone call from the DBA asking "What's the password on the database server?"

The other reason I turn this on is because it impresses the brass when you say "All runlevels require authentication, even runlevel 1 requires a password on our system." If they know what you are talking about, you can share a small chuckle, which is nice.

This doesn't really do anything for you unless you are planning to beef up the physical security as well or run encrypted filesystems on your hard drives.

Should Bastille ensure the Telnet service does not run on this system?

I turn this on because I don't want Telnet on my systems; however, you probably don't want this on. For example, if you install some software that uses the Telnet protocol for remote administration and does not yet provide an SSH interface, you are going to be incredibly frustrated for hours on end trying to figure out why you can't reach your administration interface. If you do decide to have Bastille block Telnet, put a big fat sticky note on your desktop monitor that says "Bastille has Telnet blocked" so you won't be pulling your hair out at 3 a.m. trying to figure out why the new IT guy can't remotely configure some software you never heard of before.

Should Bastille ensure inetd's FTP service does not run on this system?

I'm of two minds on this one. On the one hand, I am not a fan of FTP as a protocol and use scp or sftp almost exclusively. On the other hand, having the ability to turn FTP on is useful sometimes when someone running Windows needs to plop a file onto the system for you and they don't have ssh installed. My solution to this is to not install a traditional FTP system and instead run a usermode FTP server. My favorite is Net::FTPServer, written for Perl and available from CPAN.

Would you like to add additional logging?

Unless you are running on an extremely tight budget and cannot afford disk space, you want to turn this on.

Outside of hardening the filesystem, Bastille has the capability to roll your own firewall rules. If you are not already running any, take advantage of the nice GUI and at least get some basic firewalling turned on. You can read more about firewall technology in Chapter 13.
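
A read-only check for the settings highlighted above (clear-text r-protocols, Telnet and FTP under inetd, direct root logins on ttys), as an added example that is not from the book or from Bastille itself. It assumes the classic inetd.conf and securetty file formats (xinetd and systemd hosts keep these settings elsewhere); the function names and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: read-only audit of the clear-text services and root tty
# logins discussed above. File paths are arguments, so it can run on copies.

# Enabled (uncommented) inetd entries for telnet, ftp and the r-protocols.
# /etc/services names: shell = rsh, login = rlogin, exec = rexec.
risky_inetd_services() {
    awk 'NF < 6 || $1 ~ /^#/ { next }   # comments, blanks, malformed lines
         $1 ~ /^(telnet|ftp|shell|login|exec)$/ { print $1 }' "$1" | sort -u
}

# Number of ttys on which root may log in directly (non-comment entries).
# Assumption: logins go through pam_securetty and the file exists.
root_tty_count() {
    awk 'NF > 0 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# audit <inetd.conf> <securetty>: print findings, return 1 if there are any.
audit() {
    rc=0
    for svc in $(risky_inetd_services "$1"); do
        echo "FAIL: inetd service $svc is enabled in $1"; rc=1
    done
    n=$(root_tty_count "$2")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: root may log in directly on $n tty(s) listed in $2"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: no findings"; fi
    return "$rc"
}

# Constructed sample files (not from a real host): telnet and rsh still on.
demo=$(mktemp -d)
cat > "$demo/inetd.conf" <<'EOF'
# <service> <socket> <proto> <wait> <user> <server> <args>
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#ftp    stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
EOF
printf '# root logins allowed on:\ntty1\n' > "$demo/securetty"
audit "$demo/inetd.conf" "$demo/securetty" || true
```

On a real host, point `audit` at copies of the live files after a Bastille run and treat any FAIL line as a setting that did not take effect.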