14 October 2011

Bastille

Local security management of computers organization can be rather expensive. Some organizations are constantly launching new systems, either for use as a work PC or server. In theory, the IT Security Department should oversee the creation and configuration of these new teams, but in practice these departments are often overworked and lack of personnel available to assign to this task. This is where comes in the use of scripts to ensure proper computer setup before passing it into production. The department of IT Security passes these scripts to Systems Department to apply them just before the start of production of the equipment. This will automate the task and gains in efficiency.

A design option is proram these scripts ourselves, the other is not reinventing the wheel and use what others have created. In this sense Bastille is one of the most recognized. Throughout this article we will explain its use.

If your operating system is Ubuntu Bastille installation is extremely simple install it since it is included in the default repositories of this distribution: 


@ dante dante-desktop: ~ $ sudo aptitude search bastille
[Sudo] password for dante:
c bastille - Security hardening tool
@ dante dante-desktop: ~ $ sudo aptitude show bastille
Package: bastille
Status: not installed
Version: 1:2.1.1-13
Priority: Optional
Section: universe / admin
Developer: Ubuntu MOTU Developers 
Uncompressed Size: 1544k
Depends: perl5, libcurses-perl
Recommends: whois, psad, bind9-host | host
Suggests: acct, perl-tk (> = 1:800.011) | libgtk-perl
It conflicts with: libcurses-widgets-perl
Description: Security hardening tool
Bastille Linux is a security hardening program for GNU / Linux. Increase the security of it the system by disabling services Either (If They are not NECESSARY) or by Altering
Their configuration.

If run in the (recommended) Interactive mode, Bastille educates the administrator During The hardening process: In Each step of the process, Extensive descriptions are Given
of what security issues are Involved. Each step is optional. If run in The Quick Automated mode, Bastille Hardens the system according the profile chosen.

Bastille Linux works for Linux Several distributions. This Has Been package specifically modified to work for Debian GNU / Linux.

Homepage: http://www.bastille-linux.org/

@ dante dante-desktop: ~ $ sudo aptitude install bastille
(...)
Be installed following NEW packages:
libbit bastille-vector-perl-perl libcarp-clan-perl libcurses libata-calc-perl-perl libnetwork-ipv4addr-syslog-perl libunix whois psad
0 upgraded, 9 newly installed, 0 to remove and 107 not upgraded.
0B/1355kB need to download files. After unpacking 6697kB will be used.
Do you want to continue? [Y / n /?] And
(...)
@ dante dante-desktop: ~ $

Once installed, you can run Bastille. It is recommended to run in interactive mode, so that the program will go by a series of questions to ascertain the use to which it intends to give the computer. Depending on the answers, Bastille configures the computer as secure as possible. These questions will be formulated through a simple ncurses-based interface and therefore easily viewable through an ssh session. With Bastille, IT Security just hast to give Systems Department a simple checklist with answers to each configuration step to let Bastille installed.

Bastille includes a detailed explanation next to each question with the cause of the issue and what will be done in terms of the response. Next we are going to overview main Bastille installation steps:
  1. Would you like to set more restrictive permissions on the administration utilities? [N] ---> Useful on machines with multiple user accounts. There are utilities that, in general, are only executed by the administrator of the machine but by default regular users have access to them, at least part of their functionality (why does the user need to implement management tools such as top or ifconfig ?). To avoid possible security problems that this could lead, Bastille can change the permissions of the above applications in order to ensure that only the administrator can perform. If you are the only user of the machine does not make sense to enable this option. If you have other users accessing it (eg to upload files to your web folders) it would be interesting to add this option.
  2. Would you like to disable SUID status for mount / umount? [Y] ---> In general, programs that have the SUID attribute are very dangerous because although they can be invoked by normal users run with root privileges. This does not entail any risk if these programs were limited to doing what they were designed, the problem is that it is relatively common to discover bugs in these applications that allow "fake" to do things with root privileges. If you say yes to this question Bastille will ensure that the command mount / umount can only be executed by those who know the root password, thus reducing the risk exposure of the team.
  3. Would you like to disable SUID status for ping? [Y] ---> Same as above.
  4. Would you like to disable SUID status for at? [Y] ---> Same as above.
  5. Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y] ---> The so-called r-tools are a set of utilities for remote management of computers. The problem with them is they dont use encryption to exchange data and IP addresses for authentication. This lack of confidentiality and ease to spoof source IP addresses have made people move from the use of r-tools to safer alternatives.
  6. Would you like to enforce password aging? [Y] ---> Enables a time of password expiration of 180 days. Before you spend that time the user is prompted to change your password. If the deadline arrives and the user has not changed your password the account will be blocked until the administrator re-activates it.
  7. Would you like to restrict the use of cron to administrative accounts? [Y] ---> There are certain attacks that can take advantage of the ability of users to use cron tool to launch deferred tasks on a schedule determined. If users do not need to launch scheduled tasks, it is best to let Bastille restrict the use of cron so that is only available for the administrator. 
  8. Do you want to set the default umask? [Y] ---> The umask is the default permissions that you put the files you create. It is best to let it set Bastille to a safe value.
  9. What umask would you like to set for users on the system?[077] ---> Continued from previous question, the best option is to use 077 so as to ensure both the confidentiality of our records as data integrity by preventing anyone but the owner can either read or write about them .
  10. Should we disallow root login on all ttys? [N] ---> This option is extremely useful for computers that can be accessed via SSH without limitation as to the source IP, because they are often victims of dictionary attacks from Internet bots. These bots prove first root account, ubiquitous in all Unix / Linux. However if this option is enabled, Bastille will ensure that the only way to access the root is connect to a normal user account and then doing "su -". The advantage is that this way the bot is forced to discover not only a password, but also the name of the registered user able to connect. The best thing therefore is to enable this option.
  11. Would you like to password-protect the GRUB prompt? [N] ---> If an attacker has physical access to the computer can get a root console rebooting computer and passing certain parameters to GRUB. To avoid this, it is best to enable this option so that even if you can restart the computer and boot normally you would have to provide a password before being allowed to pass parameter to GRUB.
  12. Would you like to disable CTRL-ALT-DELETE rebooting? [N] ---> This sequence allows a user with physical access to the machine to boot it. At first sight it might be interesting to tell Bastille to disable this keyboard sequence. But problem is that an intruder who has access to local keyboard has access to electrical plug too. So he is going to reboot computer anyway but you have to ponder if you frefer him reboot computer cleanly with control-alt-del or violently unplugging computer (so its hard drives cold be severely damaged). The Bastille itself do not recommend disabling this keyboard sequence.
  13. Would you like to password protect single-user mode? [Y] ---> single-user mode is supposed to be used by root in emergencies so that he can access system without password. It is a type of access that is used in cases of emergency, such as when you do not remember the root password... Clearly, this is a double-edged sword that can allow unauthorized access to the system. Enabling this option will avoid this situation Bastille asking for password to access this ... but beware: do not forget your root password or you wont be able retrieve it!.
  14. Would you like to set to default-deny on TCP Wrappers and xinetd? [N] ---> inetd services are allowed by default. If this option is enabled, Bastille changes the settings so that is a denied by default.
  15. Should Bastille Ensure the telnet service does not run on this system? [And] ---> The telnet service is obsolete and pose a serious risk to the safety of the system because it transmits data in clear. It is recommended to use SSH access to the console instead of telnet.
  16. Should ensure inetd's FTP Bastille service does not run on this system? [And] ---> What I said about telnet service is equally valid for FTP.In this case it is best to replace it with SCP or SFTP.
  17. Would you like to display "Authorized Use" messages at log-in time? [Y] ---> This option will enable a message that appears at the beginning of console sessions. This message warns you that you are accessing a restricted and that any not allowed access may be prosecuted by law. Then you can edit the message to fit properly to what Legal Department advises.
  18. Who is responsible for granting authorization to keep my machine? ---> This one question is related to the last one we explained. In this case we indentify user responsible for authorizing the different accesses to computer.
  19. Would you like to disable the gcc compiler? [N] ---> Activating this option will prevent that you can use the C compiler in this computer. That will make life much harder for those intruders who gain access to the system and want download the source code of attack tools to compile in-situ. Furthermore, to disable the C compiler should not be a problem on computers, such as perimeter firewalls, in which there is no plan to make any kind of development.
  20. Would you like to put limits on system resource usage? [N] ---> Set some limits on the number of processes and memory used by user in order to avoid denial of service attacks.
  21. Should we restrict console access to a small group of user accounts? [N] ---> This is to deny access to the console except for a select group of accounts.
  22. Would you like to add additional logging? [Y] ---> Configure your computer to increase the number of log sources and to display some of them in the terminals 7 and 8 (accessible via Alt + F7 and F8, respectively).
  23. Would you like to disable printing? [N] ---> If your computer has not a printer, leaving the printer daemon enabled is leaving a door opened to disaster.
  24. Would you like to install TMPDIR / TMP scripts? [N] ---> Activating this option, Bastille will install some scripts in the accounts of users to configure the variables TMPDIR and TMP directories so that use of temporary files will be completely individual, instead of everyone using the / tmp which can be extremely dangerous in multi-user environments.
  25. Would you like to run the packet filtering script? [N] ---> Enable native Linux firewall. Activating it is safer but note that you need to configure locally (if you dont want to remotely "cut your hands down") either through the command line or through the GUI accordingly. So you must think about it twice before switching it. 
  26. Are you finished answering the questions, ie may we make changes? ---> And finally we come to the end. If you are really sure of the settings specified before, answer Yes to apply changes to your system.