Bastille Linux Past, Present and Future Jay Beale Lead Developer, Bastille Linux President, JJB Security Consulting

Page 1

Bastille Linux Past, Present and Future

Jay Beale, Lead Developer, Bastille Linux
President, JJB Security Consulting

Page 2

Bastille Linux

A security hardening script for Linux and Unix

● Red Hat 7.3
● Mandrake 8.2
● Turbo 7.0
● SuSE 7.2
● Debian current
● HP-UX 11.x

Page 3

Bastille Linux

More operating systems:

● Solaris
● OpenBSD (SSH worm anyone?)
● FreeBSD?

Page 4

Sample Screen

Page 5

What Does Bastille Do? 1/3

Firewall

Set-UID and Permissions Audit

Page 6

What Does Bastille Do? 2/3

Deactivate unnecessary stuff

Tighten configurations of remaining stuff

Page 7

What Does Bastille Do? 3/3

Educate Users and Admins

(They have guns pointed at their boots)

Page 8

Why Do I Need It?

Shipped defaults are not optimized for security

Users need ease-of-use

and

Programmers want convenience

Neither groks security

Page 9

But Why Do I Need Security? 1/4

You're targeted by clueful hackers (even if you're not interesting)

because you're one hop on the way to the real target.

Page 10

But Why Do I Need Security? 2/4

You're targeted by script kiddies...

because you have an IP address!

(That got picked up as vulnerable by their vulnerability scanners.)

Page 11

But Why Do I Need Security? 3/4

You're targeted by worms...

Slightly smarter than script kiddies, but fully automated.

Easy to defeat, with hardening!

Page 12

But Why Do I Need Security? 4/4

Script kiddies choose your box at random to:

● Run their IRC bots
● Run their IRC server
● Serve as an exchange point for files, filez...
● Attack other machines with DoS/DDoS programs
● Brag about how many random machines they 0wn.
● <your use here>

Page 13

How Does It Work? 1/2

Minimize Points of Entry

● Network Daemons
● User-accessible programs

Page 14

How Does It Work? 2/2

Prevent Privilege Escalation

Set-UID programs let me turn my user nobody access into root!

Page 15

But Does It Work?

Bastille was written before most of the security vulnerabilities in Red Hat 6.0 were discovered.

It could stop or contain almost all of them.

Page 16

Vulnerabilities Stopped - Red Hat 6.0

● BIND - remote root
● wu-ftpd - remote root
● userhelper - local root
● lpd + sendmail - remote root
● dump/restore - local root
● gpm - console local root

Page 17

Vulnerabilities Not Stopped - RH 6.0

nmh - local root?

man - whatever user runs it

Page 18

So Who's Using it?

You tell me!

MandrakeSoft had it in their distribution.

Red Hat has talked about integrating it.

SGI sold appliances with it loaded.

Guardent/foo uses it in some appliance.

Estimated around 75,000-150,000 people?

Page 19

Capabilities

2.0 Release

● Intelligence - "requires" tags
● X or Curses configuration
● Reusable config file, with consistency checking

Page 20

Where We're Going Soon

More content: this talk will demonstrate

Growing to run on more platforms: Solaris first.

Enterprise features

Page 21

Firewall

Configure a default-deny firewall for a masquerading network, or a single machine

Page 22

Firewall

Firewall off daemons, but also harden/remove them.

Why both?

Page 23

Defense in Depth

Protect each service or possible vulnerability through multiple means, so that if one fails, the remaining methods keep your machine from being compromised.
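The default-deny firewall of slides 21-23, as an added shell example (not Bastille's own code, which built its rules from Perl modules): the function emits an iptables-restore ruleset for a masquerading gateway, or for a single host when the internal interface is left empty, so the policy can be reviewed before it is loaded. Interface names, the LAN range and the port list are constructed arguments; `count_external_accepts` is a review helper invented here.

```shell
#!/bin/sh
# Added example, not Bastille's own code: emit a default-deny iptables ruleset
# in iptables-restore format, for a masquerading gateway or a single host.
#   $1 = external interface      $2 = internal interface ("" = single host)
#   $3 = internal network (CIDR) $4.. = TCP ports reachable from outside
gen_firewall() {
    ext=$1; int=$2; lan=$3; shift 3
    if [ -n "$int" ]; then
        # NAT table: rewrite LAN source addresses to the gateway's on the way out.
        printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' \
            ':OUTPUT ACCEPT [0:0]' "-A POSTROUTING -s $lan -o $ext -j MASQUERADE" 'COMMIT'
    fi
    # Filter table: policy DROP on INPUT and FORWARD, so every packet that no
    # explicit ACCEPT below matches is discarded (the "default deny").
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    if [ -n "$int" ]; then
        # LAN hosts may talk to the gateway itself.
        printf '%s\n' "-A INPUT -i $int -s $lan -j ACCEPT"
    fi
    # From the outside, only the listed services may open new connections.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -i $ext -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    if [ -n "$int" ]; then
        # LAN -> Internet is forwarded; replies return through the state match.
        printf '%s\n' "-A FORWARD -i $int -o $ext -s $lan -j ACCEPT" \
            "-A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT"
    fi
    printf '%s\n' 'COMMIT'
}

# Review aid: count the rules in a ruleset on stdin that admit NEW connections
# on interface $1. A hardened gateway has exactly one per exposed service.
count_external_accepts() {
    grep -c -- "^-A INPUT -i $1 .*--state NEW -j ACCEPT" || :
}
```

Inspect the output, then load it as root with `gen_firewall eth0 eth1 192.168.1.0/24 22 | iptables-restore`; the firewall is one layer, and the daemons behind it still get hardened or removed as slide 22 says.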

Page 24

File Permissions

File Permissions Audit

Want to do something more comprehensive!

Educate newbies about groups?

Page 25

SUID Audit

Blocking all paths to root!

Real Example: UserRooter (userhelper)

Page 26

SUID Audit 1/2

● mount/umount*
● ping
● traceroute
● dump/restore*
● cardctl

( * = has been vulnerable in past 3 years)

Page 27

SUID Audit 2/2

● at
● dosemu
● inn tools
● lpr/lp*
● r-tools*
● usernetctl
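The set-UID audit of slides 14 and 25-27, as an added shell example (Bastille's own implementation is Perl and is not reproduced here): list the set-UID programs under a root, drop the bit from the ones a policy names, and, going one step beyond the slides, compare a later inventory against a saved baseline so a newly set-UID file is noticed. The directory tree and the policy list in the test are constructed; all function names are invented for this example.

```shell
#!/bin/sh
# Added example, not Bastille's own code: set-UID inventory, policy-driven
# stripping, and baseline comparison for a directory tree.

# List set-UID regular files under $1 as paths relative to $1, sorted in the
# C locale so the output is stable and usable with comm(1).
list_suid() {
    ( cd "$1" && find . -type f -perm -4000 | sed 's|^\./||' | LC_ALL=C sort )
}

# Remove the set-UID bit from files under $1 whose basename appears in the
# space-separated policy list $2 (e.g. "mount umount ping traceroute").
# chmod u-s keeps the rest of the mode, so root can still run the program;
# ordinary users simply lose the privileged path into it.
strip_suid() {
    root=$1; names=" $2 "
    list_suid "$root" | while IFS= read -r f; do
        case "$names" in
            *" ${f##*/} "*) chmod u-s "$root/$f" ;;
        esac
    done
}

# Save the current inventory of $1 to file $2 for later comparison.
save_suid_baseline() {
    list_suid "$1" > "$2"
}

# Print files that are set-UID under $1 now but absent from baseline $2.
# Every new entry needs an explanation: a package upgrade, an admin's
# chmod, or something planted. comm needs both inputs in the same order.
new_suid_since_baseline() {
    list_suid "$1" | LC_ALL=C comm -13 "$2" -
}
```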

Page 28

Account Security

Protect the users' accounts

Enforce good policies to prevent privilege escalation

Page 29

Account Security

● Protect rhosts via PAM
● Password Aging
● Restrict Cron
● Umask
● Root TTY Logins

Page 30

Boot Security

● Password protect LILO
● Password protect runlevel 1

Page 31

Secure Inetd

● Deactivate Telnet
● Deactivate FTP

...

Page 32

Applied Minimalism

Since crackers may discover an exploitable vulnerability in any service running with privilege, minimize both the number of these services and their levels of privilege.

Page 33

Miscellaneous PAM

Mandatory System Resource Limits

● prevent core dumps
● limit number of processes per user
● filesize limit 100 MB

Page 34

Logging

Lots of extra logging

Remote Logging Host

Process Accounting

Page 35

Killing Daemons 1/2

● apmd
● nfs/portmapper*
● samba
● atd
● pcmcia
● dhcp server (*?)

Page 36

Killing Daemons 2/2

● gpm*
● news server*
● routing daemons
● NIS
● SNMPd*

Page 37

Sendmail

Reduce attacker's access to Sendmail

Remove recon commands.

Run sendmail as a non-root process via inetd/xinetd

Page 38

Postfix?

Sendmail's security vulnerability history is rich! Why?

Consider Postfix, by Wietse Venema, author of TCP Wrappers

Modular, safer design!

Page 39

DNS - BIND

Secure BIND

Historical note: We secured BIND before the remote root exploits were released.

Philosophy: Harden it now, before the bugs are discovered!

Page 40

Hardening BIND 1/2

Chroot

Run as user/group dns

CONTAINMENT

Page 41

Hardening BIND 2/2

Restrict queries to set of hosts

Restrict zone transfers to set of hosts

Choose a random version string

Offer to configure views in BIND 9
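The BIND settings of slides 40 and 41, as an added shell example (not Bastille's own code): one function generates the named.conf `options` block with query and transfer restrictions and a random version string, another emits an internal/external view pair for BIND 9. Networks, hosts, zone names and file names are constructed arguments; containment (chroot and the unprivileged user) is set when named starts, as the comment notes, not in named.conf.

```shell
#!/bin/sh
# Added example, not Bastille's own code: generate hardened named.conf
# fragments. Containment from slide 40 is done at launch, e.g.
#   named -u dns -t /var/named/chroot
# (-u = run as this user/group, -t = chroot directory), so it is not emitted here.

# A random version string of $1 (default 12) lower-case alphanumerics. A
# "version.bind" probe then reveals nothing about the real release.
random_version() {
    LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c "${1:-12}"
}

# $1 = hosts/nets allowed to query, $2 = hosts allowed zone transfers
# (each a space-separated list), $3 = version string to advertise.
gen_named_options() {
    q=$(printf '%s; ' $1); t=$(printf '%s; ' $2)
    printf 'options {\n'
    printf '    directory "/var/named";\n'
    printf '    version "%s";\n' "$3"
    printf '    allow-query { %s};\n' "$q"
    printf '    allow-transfer { %s};\n' "$t"
    printf '};\n'
}

# BIND 9 views: internal clients ($1, space-separated nets) are served the
# full zone file $3 for zone $2; everyone else sees $4, which holds only the
# records the outside world needs.
gen_named_views() {
    i=$(printf '%s; ' $1)
    printf 'view "internal" {\n    match-clients { %s};\n' "$i"
    printf '    zone "%s" { type master; file "%s"; };\n};\n' "$2" "$3"
    printf 'view "external" {\n    match-clients { any; };\n'
    printf '    zone "%s" { type master; file "%s"; };\n};\n' "$2" "$4"
}
```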

Page 42

Hardening Apache 1/3

Deactivate Apache?

Bind Apache to localhost?

Page 43

Hardening Apache 2/3

Symlinks

Server Side Includes

CGI Scripts

Indices

Page 44

Hardening Apache 3/3

Removing Modules

Removing handlers

Restricting .htaccess overrides
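The Apache items of slides 42-44 (symlinks, SSI, CGI, indices, modules, handlers, .htaccess overrides, binding to localhost), as an added shell example (not Bastille's own code): one function rewrites an httpd.conf line by line, the way a hardening script edits a config rather than replacing it, and a second lists the settings a reviewer would still flag. The sample httpd.conf in the test is constructed; both function names are invented here.

```shell
#!/bin/sh
# Added example, not Bastille's own code. $1 = input httpd.conf, $2 = hardened
# copy. Each sed expression maps to one slide item: Options drops symlinks,
# SSI, CGI and indices; AllowOverride None disables .htaccess overrides;
# Listen binds to loopback; handlers and the CGI/SSI modules are commented out.
harden_httpd_conf() {
    sed \
        -e 's/^\([[:space:]]*\)Options[[:space:]].*/\1Options -FollowSymLinks -Includes -ExecCGI -Indexes/' \
        -e 's/^\([[:space:]]*\)AllowOverride[[:space:]].*/\1AllowOverride None/' \
        -e 's/^Listen[[:space:]].*/Listen 127.0.0.1:80/' \
        -e 's/^[[:space:]]*AddHandler[[:space:]][[:space:]]*cgi-script/#&/' \
        -e 's/^[[:space:]]*AddHandler[[:space:]][[:space:]]*server-parsed/#&/' \
        -e 's/^LoadModule[[:space:]][[:space:]]*cgi_module/#&/' \
        -e 's/^LoadModule[[:space:]][[:space:]]*include_module/#&/' \
        "$1" > "$2"
}

# Review aid: print the lines in $1 that still enable a risky option, allow
# .htaccess overrides, listen on a non-loopback address, or map CGI/SSI
# handlers. Empty output means the four slides' items are all applied.
weak_httpd_settings() {
    {
        grep -E '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+(Indexes|FollowSymLinks|Includes|ExecCGI)([[:space:]]|$)' "$1" || :
        grep -E '^[[:space:]]*AllowOverride[[:space:]]' "$1" | grep -Ev 'AllowOverride[[:space:]]+None[[:space:]]*$' || :
        grep -E '^Listen[[:space:]]' "$1" | grep -Ev '^Listen[[:space:]]+127\.0\.0\.1:' || :
        grep -E '^[[:space:]]*AddHandler[[:space:]]+(cgi-script|server-parsed)' "$1" || :
    }
}
```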

Page 45

FTP

FTP is Really Bad(tm)!

● Unauthenticated data transfer channel (file theft)
● Bad authentication on command channel
● Takeover issues (cleartext session)

Try to replace it:

● HTTP for downloads?
● SFTP for password-ed user uploads?

Page 46

Hardening FTP 1/2

● Deactivate anonymous mode
● Deactivate normal user mode

Page 47

Hardening FTP 2/2

● Apply path filters to all filenames used
● Deactivate compression/tar-ing (external progs)
● Choose version string randomly
● Chroot normal users via 'guest' accounts
● Require RFC 822-compliant e-mail addresses
● Disable all dynamic 'message file' parsing/delivery
● Create less useful upload area
● Log: transfers, commands and security violations

Page 48

Speaker Bio

Jay Beale is the Lead Developer of Bastille Linux and an independent security consultant/trainer.

Mandrake. He's currently working on a book on Locking Down Linux for Addison Wesley. Read more of his articles on: http://www.bastille-linux.org/jay