Ask Jon And Jay About Bastille Linux

Posted by timothy on Tue Oct 31, 2000 01:30 PM
from the or-I-shall-taunt-you-a-2nd-time dept.
You've heard about Bastille Linux 'round these parts before (on July 17 of this year) -- it's a set of scripts bundled to create (in combination with a base install of a distribution like Red Hat) a much more secure box than would be the default. The basic philosophy behind Bastille seems to be "It shouldn't be difficult to lock down your Linux box." Now, here's your chance to ask Bastille gurus Jon Lasser and Jay Beale about the project. You'll want to check out the project's main page, first, and also some of the security articles Jay's written as well as the additional information on his personal page. (And if that Lasser fellow's name is familiar, it should be -- he's also the author of the excellent Think Unix reviewed a few weeks ago.) So post your questions below, and Jay and Jon will soon respond in depth.
This discussion has been archived. No new comments can be posted.
  • Re:Question by AFCArchvile (Score:1) Tuesday October 31 2000, @08:46AM
  • Re:Question by Hairy_Potter (Score:1) Tuesday October 31 2000, @08:46AM
  • Think Security? by sherpajohn (Score:2) Tuesday October 31 2000, @09:42AM
  • Re:Ok, you closed some holes in RedHat by iamsure (Score:2) Tuesday October 31 2000, @09:54AM
  • Building a new distro.. by iamsure (Score:1) Tuesday October 31 2000, @09:57AM
  • RH 7.0? by junkmaster (Score:1) Tuesday October 31 2000, @10:09AM
  • Re:Ok, you closed some holes in RedHat by cetan (Score:2) Tuesday October 31 2000, @11:23AM
  • Is it difficult to target 180+ linux distros by mr (Score:2) Tuesday October 31 2000, @10:14AM
  • moving towards a more secure linux by brokeninside (Score:2) Tuesday October 31 2000, @10:14AM
  • Bastille Architecture by brokeninside (Score:1) Tuesday October 31 2000, @10:15AM
  • Not at all by Bastian (Score:1) Tuesday October 31 2000, @11:26AM
  • Traditional methods? by ca1v1n (Score:2) Tuesday October 31 2000, @11:36AM
  • Re:Think Security? by jjb (Score:1) Wednesday November 01 2000, @11:42AM
  • Securing Linux the Bastille Way by MrEfficient (Score:2) Thursday November 02 2000, @08:54AM
  • by FeeDBaCK (42286) on Tuesday October 31 2000, @08:50AM (#661623) Homepage
    Actually this is a quite common question among those in the know. Why *DO* the Distribution makers enable services by default that can potentially leave the system wide open to script kiddies? Especially with the droves of Windows users who are trying Linux for the first time and are not always up on the latest sendmail/wu-ftpd/bind/whatever exploit of the week. Creating a more secure environment from the get-go should definitely be in the eyes of the distro-makers. I applaud Bastille for their work in helping make the Internet a safer place to be.
  • Re:This is not a perfect world. by AFCArchvile (Score:1) Tuesday October 31 2000, @08:50AM
  • Debian? (Score:5)

    by luge (4808) <[gro.yugeit] [ta] [todhsals]> on Tuesday October 31 2000, @08:51AM (#661625) Homepage
    Do you guys have any plans to do something similar for Debian, or have others approached you about it? I'd love to apt-get install bastille, and have it do something similar to what I've heard it does for RH. Anyway, even if you don't, keep up the good work.
    ~luge
  • Re:Why is Bastille Necessary? by TWX_the_Linux_Zealot (Score:1) Tuesday October 31 2000, @08:51AM
  • MD5 Checksum? by Parity (Score:2) Tuesday October 31 2000, @10:33AM
  • Firewall script by Anonymous Coward (Score:1) Tuesday October 31 2000, @08:55AM
  • Re:Not such a good name for a distro... by A coward on a mouse (Score:1) Tuesday October 31 2000, @10:49AM
  • Spreading the Bastille by mikeraz (Score:1) Tuesday October 31 2000, @10:53AM
  • Re:Isn't this reinventing the wheel? by Enahs (Score:1) Tuesday October 31 2000, @10:54AM
  • by pb (1020) on Tuesday October 31 2000, @10:56AM (#661632)
    First, if you want a default installation that's "hardened from the get-go", either run OpenBSD, or a non-UNIX that has no services.

    However, I don't see why this is really necessary. It's the sysadmin's job to secure his boxes, which is generally done after installation. First, you only select the services you need, then you tighten things up. Bastille just speeds this process up, and helps out novices a lot. Also, the OpenWall security patches (for the Linux kernel) are quite nifty; also, on ext2, chattr is pretty sweet if you're really paranoid. :)

    It would be nice if a distro had a "Secure" option during installation, but basically they're just catering to the masses. Maybe you want to run 'ping'; maybe you're behind a firewall. Maybe you're not on the internet. Maybe you want to have all your services running in default configurations at startup, so you can tweak them later...

    Basically, it's just easier to let the admin decide what to do with the box, and making it less secure makes that process easier for them as well. Most people don't know or care about security. And remember, just as the best form of birth control is still abstinence, the best form of network security is still the 'air-gap'.
    ---
    pb Reply or e-mail; don't vaguely moderate [ncsu.edu].
  • Vigilance by Enahs (Score:2) Tuesday October 31 2000, @11:56AM
  • Re:Not a hard interview by Enahs (Score:1) Tuesday October 31 2000, @12:00PM
  • Jon: your education in the humanities by Anne Marie (Score:1) Tuesday October 31 2000, @10:56AM
  • Oops, I think I got a little confused... by Nailer (Score:1) Tuesday October 31 2000, @12:01PM
  • Re:Why is Bastille Necessary? by rafa (Score:1) Tuesday October 31 2000, @12:38PM
  • Any opinions regarding Linux permissions? by Nailer (Score:1) Tuesday October 31 2000, @12:53PM
  • What kind of users do you target? by gunga (Score:2) Tuesday October 31 2000, @12:58PM
  • How does this compare to TrinityOS? by smoothdave (Score:1) Tuesday October 31 2000, @01:02PM
  • Isn't this reinventing the wheel? by Hairy_Potter (Score:1) Tuesday October 31 2000, @08:32AM
  • Re:Isn't this reinventing the wheel? by Cheesemaker (Score:1) Tuesday October 31 2000, @08:38AM
  • Inclusion in distros? by OdinHuntr (Score:2) Tuesday October 31 2000, @08:38AM
  • Configuration (Score:5)

    by FeeDBaCK (42286) on Tuesday October 31 2000, @08:56AM (#661644) Homepage
    In what way does Bastille differentiate between different types of installs? Does it prompt the users about services? Will it shut off my apache service if I plan on making this machine a web server?

    What third party tools do you install/recommend to help with the hardening of the system? Tripwire? tcpserver?

    Do you incorporate any form of checking when doing your install to ensure that the box has not already been compromised, such as checking for common trojans/backdoors?
  • Ok, you closed some holes in RedHat by Hairy_Potter (Score:1) Tuesday October 31 2000, @08:58AM
  • Question (Score:3)

    by JCCyC (179760) <jcastro@vialink.comELIOT.br minus poet> on Tuesday October 31 2000, @09:00AM (#661646) Journal
    What were the top 3 most asinine security holes you ever encountered on a GNU/Linux distro?
  • Re:my question by FeeDBaCK (Score:1) Tuesday October 31 2000, @09:03AM
  • Very funny... by Enahs (Score:1) Tuesday October 31 2000, @11:06AM
  • Heh... by Enahs (Score:1) Tuesday October 31 2000, @11:08AM
  • Re:Not such a good name for a distro... by Chalst (Score:2) Tuesday October 31 2000, @11:10AM
  • Re:Linux and Time by -stax (Score:1) Tuesday October 31 2000, @11:11AM
  • Re:my question by Enahs (Score:1) Tuesday October 31 2000, @11:12AM
  • Role specific script? Wizard? by seantrue (Score:2) Tuesday October 31 2000, @01:07PM
  • Re:Question by -stax (Score:1) Tuesday October 31 2000, @11:15AM
  • by Skapare (16644) on Tuesday October 31 2000, @01:17PM (#661655) Homepage

    How will Bastille allow users to treat their computer and network security as a "process" (as Bruce Schneier is quoted to say)? Are there tools to help users deal with security "events"?

  • Shouldn't be the sysadmin's job when there is none by Ungrounded Lightning (Score:2) Tuesday October 31 2000, @01:20PM
  • Bastille Day by magnetx11 (Score:1) Tuesday October 31 2000, @01:24PM
  • by mosch (204) on Tuesday October 31 2000, @01:55PM (#661658) Homepage
    Given the world's largest cluestick with which you could assault every single SysAd on the planet, what clues would you distribute, other than the use of bastille, and the knowledge that there's life outside computers?

    --
    "Don't trolls get tired?"
  • Re:Bastille Linux by Chas (Score:1) Tuesday October 31 2000, @02:23PM
  • User Education by Codeala (Score:1) Tuesday October 31 2000, @02:38PM
  • Re:Shouldn't be the sysadmin's job when there is n by pb (Score:2) Tuesday October 31 2000, @03:53PM
  • by matman (71405) on Tuesday October 31 2000, @08:38AM (#661662)
    I have two questions actually.

    The first: do you plan to make a non distribution specific hardening program/system/script? If so, how? It would be neat to have a consensus between distributions on file locations, etc to make this easier; do you plan on working with other distributions to come up with some sort of common interface or environment?

    The second: do you plan on including any kernel based capability, IDS, or ACL addons? A good default use of these features would greatly increase the security of linux in general, but they are prohibitively complex for most users. Thus, these are great things to have taken care of by the system - do you plan on working on something to control these things (semi)automatically?
  • by DG (989) on Tuesday October 31 2000, @08:39AM (#661663) Homepage Journal
    In a perfect world, the Bastille scripts would be unnecessary, because the default installation of the distribution would have been hardened from the get-go.

    Why do you feel that various distributions are so insecure by default? What are the most common mistakes they make? What kinds of changes need to happen at Red Hat to make your scripts unneeded?

  • Re:ooo by Signal 11 (Score:1) Tuesday October 31 2000, @08:41AM
  • Add-ons & Such by Fender21 (Score:1) Tuesday October 31 2000, @08:42AM
  • Bastille Linux (Score:5)

    by Wubby (56755) <tduvallyNO@SPAMduvally.com> on Tuesday October 31 2000, @09:16AM (#661666) Homepage Journal
    Did you guys consider your own distro? Why, why not, and will you create a full Bastille distro?

    (One minor wishlist item: could you fix the Curses thing for sparc) Sorry, just had to sneak that in.

  • by Coz (178857) on Tuesday October 31 2000, @09:21AM (#661667) Homepage Journal
    A two-part question:

    What features do you feel are missing from Bastille as it stands today, and aren't in the roadmap you have for the immediate future?

    What elements of system security do you feel should be part of the "core" (if not the kernel) of the operating system, and why (in your opinions) aren't they there already?

  • This is not a question. by dbarclay10 (Score:2) Tuesday October 31 2000, @09:28AM
  • How do you check actual safety of your distributio by Anonymous Coward (Score:1) Tuesday October 31 2000, @09:29AM
  • Re:Configuration by Anonymous Coward (Score:1) Tuesday October 31 2000, @09:31AM
  • Parent should be modded down... by F.Prefect (Score:1) Tuesday October 31 2000, @05:06PM
  • Bastille for Debian by mr. fabulous (Score:1) Tuesday October 31 2000, @06:32PM
  • Target audience (Score:3)

    by DreamerFi (78710) <.john. .at. .sinteur.com.> on Tuesday October 31 2000, @09:33PM (#661673) Homepage
    Bastille is a great project, but ultimately it targets people who sort-of know what they are doing. How do you feel about projects like the NetBSD/i386 Firewall Project [dubbele.com] who (whilst having all sources available) targets people who have no clue other than "I need security" by giving them a firewall that has an install that's about as simple as one can make it? Is this just a matter of defining the target audience differently?
  • Why not Debian? by Tamriel (Score:1) Tuesday October 31 2000, @11:52PM
  • by AFCArchvile (221494) on Tuesday October 31 2000, @08:42AM (#661675)
    ...especially if you want to convey security. Do you remember your late 18th century European history? Right. The Bastille in France was invaded and destroyed, prisoners were liberated, and the monarchy was overthrown by that terrible harbinger of death, La Guillotine.

    I'd hate to see any Bastille Linux-oriented viruses or trojans. Maybe there will be one which triggers on July 14th of every year and echoes on the screen: "Liberté! Egalité! Fraternité!"

    For more historical stuff on Bastille Day, check out this link to the French Embassy [info-france-usa.org].

  • security by Sakke (Score:2) Tuesday October 31 2000, @08:43AM
  • Re:Not a hard interview by Protozoa (Score:1) Tuesday October 31 2000, @08:44AM
  • by FeeDBaCK (42286) on Tuesday October 31 2000, @08:45AM (#661678) Homepage
    I believe that the concept is not to attempt to replace OpenBSD, but rather to create a way to harden Linux. Most distributions leave themselves wide open for some script kiddie to root your box before you even get the chance to completely set it up. By creating a distribution that is more secure out of the box, it allows for a lessened chance of the machine being compromised prior to hardening. OpenBSD is not perfect. It *is* secure in its default install and is audited very rigorously. I applaud the OpenBSD team for their great pains in increasing security and awareness. I believe where Bastille really gets their merit is the situation where a person feels more comfortable using linux as opposed to a system with which they may not be as familiar. I would feel more comfortable in securing a linux box than I would some other OS because I am more familiar with linux. This also solves a problem wherein a PHB decides that you're going to use that new lienucks thingy I have been hearing about. Not all decisions of what OS to use for a particular job are decided by someone who has a clue. Sometimes we just have to make best with the tools we are given. I think Bastille does an excellent job of doing this and making us feel a little better about the inherent insecurities of linux versus other systems.