Bastille Linux

1

• Bastille Linux
• Past, Present and Future
• Jay Beale
• Lead Developer, Bastille Linux
• President, JJB Security Consulting

2
Bastille Linux

• A security hardening script for Linux and Unix
• Red Hat 7.3
• Mandrake 8.2
• Turbo 7.0
• SuSE 7.2
• Debian current
• HP-UX 11.x

3
Bastille Linux

• More operating systems
• Solaris
• OpenBSD (SSH worm anyone?)
• FreeBSD?

4
Sample Screen
5
What Does Bastille Do? 1/3

• Firewall
• Set-UID and Permissions Audit

6
What Does Bastille Do? 2/3

• Deactivate unncessary stuff
• Tighten configurations of remaining stuff

7
What Does Bastille Do? 3/3

• Educate Users and Admins
• (They have guns pointed at their boots)

8
Why Do I Need It?

• Shipped defaults are not optimized for security
• Users need ease-of-use
• Programmers want convenience
• and
• Neither groks security

9
But Why Do I Need Security? 1/4

• You're targeted by clueful hackers
• (even if you're not interesting)
• because you're one hop on the way to the real
  target.

10
But Why Do I Need Security? 2/4

• You're targeted by script kiddies...
• because you have an IP address!
• (That got picked up as vulnerable by their
  vulnerability scanners.)

11
But Why Do I Need Security? 3/4

• You're targeted by worms...
• Slightly smarter than script kiddies, but fully
  automated.
• Easy to defeat, with hardening!

12
But Why Do I Need Security? 4/4

• Script kiddies choose your box at random to
• Run their IRC bots
• Run their IRC server
• Serve as an exchange point for files, filez...
• Attack other machines with DoS/DDoS programs
• Brag about how many random machines they 0wn.
• ltyour use heregt

13
How Does It Work? 1/2

• Minimize Points of Entry
• Network Daemons
• User-accessible programs

14
How Does It Work? 2/2

• Prevent Privilege Escalation
• Set-UID programs let me turn my user nobody
  access into root!

15
But Does It Work?

• Bastille was written before most of the security
  vulnerabilities in Red Hat 6.0 were discovered.
• It could stop or contain almost all of them.

16
Vulnerabilties Stopped -Red Hat 6.0

• BIND - remote root
• wu-ftpd - remote root
• userhelper - local root
• lpd sendmail - remote root
• dump/restore - local root
• gpm - console local root

17
Vulnerabilties Not Stopped -RH 6.0

• nmh - local root?
• man - whatever user runs it

18
So Who's Using it?

• You tell me!
• MandrakeSoft had it in their distribution.
• Red Hat has talked about integrating it.
• SGI sold appliances with it loaded.
• Guardent/foo uses it in some appliance.
• Estimated around 75,000-150,000 people?

19
Capabilities

• 2.0 Release
• Intelligence - "requires" tags
• X or Curses configuration
• Reusable config file, with consistency checking

20
Where We're Going Soon

• More content this talk will demonstrate
• Growing to run on more platforms Solaris first.
• Enterprise features

21
Firewall

• Configure a default-deny firewall for a
• masquerading network, or a
• single machine

22
Firewall

• Firewall off daemons, but also harden/remove
  them.
• Why both?

23
Defense in Depth

• Protect each service or possible vulnerability
• through multiple means, so that if one fails,
  the
• remaining methods keep your machine from being
• compromised.

24
File Permissions

• File Permissions Audit
• Want to do something more comprehensive!
• Educate newbies about groups?

25
SUID Audit

• SUID Audit
• Blocking all paths to root!
• Real Example UserRooter (userhelper)

26
SUID Audit 1/2

• mount/umount
• ping
• traceroute
• dump/restore
• cardctl
• ( has been vulnerable in past 3 years)

27
SUID Audit 2/2

• at
• dosemu
• inn tools
• lpr/lp
• r-tools
• usernetctl

28
Account Security

• Protect the users' accounts
• Enforce good policies to prevent privilege
  escalation

29
Account Security

• Protect rhosts via PAM
• Password Aging
• Restrict Cron
• Umask
• Root TTY Logins

30
Boot Security

• Password protect LILO
• Password protect runlevel 1

31
Secure Inetd

• Deactivate Telnet
• Deactivate FTP
• ...

32
Applied Minimalism

• Since crackers may discover an exploitable
• vulnerability in any service running with
  privilege,
• minimize both the number of these services and
• their levels of privilege.

33
Miscellaneous PAM

• Mandatory System Resource Limits
• prevent core dumps
• limit number of processes per user
• filesize limit 100mb

34
Logging

• Lots of extra logging
• Remote Logging Host
• Process Accounting

35
Killing Daemons 1/2

• apmd
• nfs/portmapper
• samba
• atd
• pcmcia
• dhcp server (?)

36
Killing Daemons 2/2

• gpm
• news server
• routing daemons
• NIS
• SNMPd

37
Sendmail

• Reduce attacker's access to Sendmail
• Remove recon. Commands.
• Run sendmail as a non-root process via
  inetd/xinetd

38
Postfix?

• Sendmail's security vulnerability history is
  rich!
• Why?
• Consider PostFix, by Wietse Venema,
• author of TCP Wrappers
• Modular, safer design!

39
DNS - BIND

• Secure BIND
• Historical note
• We secured BIND before the remote
• root exploits were released.
• Philosophy
• Harden it now, before the bugs are
• discovered!

40
Hardening BIND 1/2

• Chroot
• Run as user/group dns
• CONTAINMENT

41
Hardening BIND 2/2

• Restrict queries to set of hosts
• Restrict zone transfers to set of hosts
• Choose a random version string
• Offer to configure views in BIND 9

42
Hardening Apache 1/3

• Deactivate Apache?
• Bind Apache to localhost?

43
Hardening Apache 2/3

• Symlinks
• Server Side Includes
• CGI Scripts
• Indices

44
Hardening Apache 3/3

• Removing Modules
• Removing handlers
• Restricting .htaccess overrides

45
FTP

• FTP is Really Bad(tm)!
• Unauthenticated data transfer channel (file
  theft)
• Bad authentication on command channel
• Takeover issues (cleartext session)
• Try to replace it
• HTTP for downloads?
• SFTP for password-ed user uploads?

46
Hardening FTP 1/2

• Deactivate anonymous mode
• Deactivate normal user mode

47
Hardening FTP 2/2

• Apply path filters to all filenames used
• Deactivate compression/tar-ing (external progs)
• Choose version string randomly
• Chroot normal users via 'guest' accounts
• Require RFC 822-compliant e-mail addresses
• Disable all dynamic 'message file'
  parsing/delivery
• Create less useful upload area
• Log transfers, commands and security violations

48
Speaker Bio

• Jay Beale is the Lead Developer of Bastille Linux
  and an independent security consultant/trainer.
  Mandrake. He's currently working on a book on
  Locking Down Linux for Addison Wesley. Read more
  of his articles on
• http//www.bastille-linux.org/jay