Technical Documents and Other Useful Information - Bastille 1.3
Last Update 03/07/06


Bastille-Linux 1.3 Review
By Bob Avery-Babel
July 30th, 2002

Introduction and Installation

Bastille-Linux, a security tool for Linux, consists of a series of scripts that will help a system administrator make a server or any Linux computer with an internet connection more secure. This software runs on many different distributions of Linux. The full list of supported platforms as well as the software can be found here: http://www.bastille-linux.org/.

This document describes an installation and configuration of Bastille-Linux on a Red Hat 7.2 Server. Currently there is a beta version of Bastille-Linux for Red Hat 7.3, which has a similar installation. These instructions will also be similar to the instructions for using this security tool with Mandrake-Linux. The interactive primary script is set up to ask the questions relevant to each distribution.

There are three components to download:

  1. The main RPM file: Bastille-1.3.0-1.0.i386.rpm
  2. A Perl interface for either the Tk or Curses format (or both, either interface can be used).
  3. A Perl module for either the Tk or Curses format (again, both can be used).

The installation directions found at http://www.bastille-linux.org/ explain how to install the RPM files. Remember the '--nodeps' flag when installing the Perl interface and modules.

Bastille-Linux is installed into seven locations. The first directory contains basic help files and is located in the /usr/share/doc/Bastille folder. The second is /usr/share/Bastille. This directory contains the components the script uses to operate. The third directory is the /etc/Bastille, which contains the interactive configuration answer file and the configuration file for the Bastille firewall script. The main Bastille script is located in the /usr/bin/ directory and is called InteractiveBastille. If the firewall and Port Scan Attack Detector (PSAD) options are selected there will also be script entries copied into the /etc/rc.d/init.d (the fifth location) so that these services can be started and stopped at will. The initial firewall script calls on scripts in the /sbin directory which pull their firewall information from /etc/Bastille/bastille-firewall.cfg. The PSAD script calls on information held in the /etc/psad/psad.conf file.

Components of the Bastille-Linux software

Bastille-Linux addresses these security areas:

  FilePermissions
  AccountSecurity
  BootSecurity
  DisableUserTools
  ConfigureMiscPAM
  Logging
  MiscellaneousDaemons
  Sendmail
  DNS
  Apache
  Printing
  FTP
  TMPDIR
  Firewall
  PSAD

There are four main components to the script. First the script addresses file permissions and various user accounts on the system. This section can help to restrict access to important system files and programs. Next the script asks questions about various system services that are common to most default installations of Linux. Services that are security risks can be turned off or modified to be more secure. The third component of the Bastille script explains how to configure a firewall for the server. A firewall can help control the types of internet traffic traversing the server. Finally, the software includes a Port Scan Attack Detector (PSAD) tool. This tool can help a system administrator determine whether or not the server is being scanned in preparation for a possible attack.

Running the Bastille-Linux script

There are a couple of resources the user should take advantage of before running the script. The code of the script contains well organized instructions for using the script. The default location of this script is /usr/sbin/InteractiveBastille, and it can be read with any text editor. There is also a Questions.txt document that can be viewed. This Questions.txt file contains all of the questions asked during the configuration of the server. The files in the /usr/share/doc/Bastille directory also contain helpful installation and configuration information. The script can be started and read through, question by question, to gain an understanding of what information will be needed about a network. If a question is not clear the user should research it and decide the best way to answer the question before applying this security configuration to the server.

The Bastille script is started with the command: /usr/sbin/InteractiveBastille. Two flags can be used with this:

-x Starts the Tk interface

-c Starts the Curses interface

The Tk interface is a graphical user interface (GUI) tool that places the questions and explanations in text boxes. The Curses interface asks the same questions and modifies the same files at a command line. The Curses way of implementing these Bastille scripts is more secure because it does not need to use the X Window System.

When the Bastille script is completed, a configuration file is created in /etc/Bastille/config. This file retains the answers to the questions already completed. This file can be deleted, and the Bastille script run again to create a new configuration file. When the script is finished the user can choose to apply or cancel the settings. There is also a TODO file that is created, /var/log/Bastille/TODO. This file will list any additional changes that the user will need to make on the server to make it more secure.

Additional information about the PSAD utility and the firewall script

If the firewall and PSAD options have been configured, Bastille asks if these services should be started at boot time. Bastille-Linux cautions the user to test the firewall and PSAD services before having them automatically start up when the system is first turned on. This caution is issued to help avoid the instance of a server not working correctly due to a mis-configured firewall or PSAD utility. The PSAD and firewall components of the Bastille-Linux scripts involve further configuration and explanation.

The PSAD utility is a tool that monitors system log files for markers that may indicate a port scan of the server in question. When a port scan is detected, an email describing the event is sent to the address specified in the PSAD configuration. The PSAD configuration files can be found in /etc/psad/. Use caution when setting up the PSAD utility. If the sensitivity values are set too low a user may not be notified of relevant port scanning activity. If the values for PSAD are set too high a user's mailbox can become flooded with false positive port scan reports.
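To make the sensitivity trade-off concrete, here is an added example (written for this page, not PSAD's own code) of the kind of check the text describes: read firewall log lines, count the distinct destination ports each source address has hit, and flag sources at or above a threshold. The log lines are constructed for the example in the iptables LOG format (SRC=, DST=, PROTO=, DPT=); the threshold plays the role of the PSAD sensitivity setting.

```sh
#!/bin/sh
# Added example, not part of PSAD or Bastille. Flags sources that touch
# many distinct ports in firewall log lines, to show why the alert
# threshold matters. Log lines below are constructed sample data.

SAMPLE_LOG='Jul 30 10:00:01 web kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jul 30 10:00:01 web kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jul 30 10:00:02 web kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Jul 30 10:00:02 web kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Jul 30 10:00:02 web kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=110 SYN
Jul 30 10:00:03 web kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
Jul 30 10:00:04 web kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
Jul 30 10:00:05 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=53'

# scan_sources THRESHOLD   (log lines on stdin)
# Prints "SRC distinct_port_count" for every source whose number of
# distinct destination ports is >= THRESHOLD, sorted by address.
scan_sources() {
    awk -v thr="$1" '
        /SRC=/ && /DPT=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair once, however many packets
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
    ' | sort
}

# alert_count THRESHOLD -> how many sources would generate an alert
# (each of these would become one e-mail in PSAD terms).
alert_count() {
    printf '%s\n' "$SAMPLE_LOG" | scan_sources "$1" | wc -l | tr -d ' '
}

# Usage: compare a sane threshold with one that is far too sensitive.
echo "threshold 3:"; printf '%s\n' "$SAMPLE_LOG" | scan_sources 3
echo "alerts at threshold 1: $(alert_count 1)"
```

With a threshold of 3 only the source that walked five ports is reported; with a threshold of 1 every source in the log is reported, including the ordinary client that connected to ports 80 and 443, which is the flooded-mailbox case the text warns about.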

The firewall script requires some prior knowledge of Linux firewalls. The script is set to initially deny all TCP/IP traffic. This initial setting is the most secure one when the computer in question does not need to accept connections from external computers. However, ports such as 80 need to be open to allow web pages to be served to machines outside the firewall. Questions asked during the configuration of the firewall can be complex. It may be helpful for the user to map out what kind of access will be necessary for the various parts of the network before the Bastille firewall script is run. The Bastille firewall is controlled by /etc/rc.d/init.d/bastille-firewall. The configuration file is /etc/Bastille/bastille-firewall.cfg. This file can be modified to further tailor it for a specific network. If the firewall configuration is modified, the firewall service will need to be restarted.

A user can test the firewall by using service bastille-firewall start and service bastille-firewall stop (to remove all firewall rules). The Bastille script can configure the firewall to start up at boot time. If the user chooses to add the service to the start up sequence at a later time, these two commands will help:

/sbin/chkconfig --add bastille-firewall

/sbin/chkconfig bastille-firewall reset

The Bastille firewall uses its own version of IPCHAINS or IPTABLES (if the Linux kernel is 2.3 or higher, IPTABLES is used automatically) and the script disables the original IPCHAINS or IPTABLES start up scripts. The firewall component of Bastille can be disabled and the original IPCHAINS or IPTABLES restarted at any time.
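The following added example (not Bastille's own scripts) ties the firewall steps above together: fw_backend applies the rule just stated (kernel 2.3 and later use IPTABLES, earlier kernels IPCHAINS), fw_smoke_test wraps the service start/stop commands with a check that rules were actually loaded, and fw_enable_at_boot runs the two chkconfig commands only after that test passes. The function names are the example's own; the commands they call (service, chkconfig, iptables -L, ipchains -L) are standard.

```sh
#!/bin/sh
# Added example, not from the Bastille project. Helper functions around
# the Bastille firewall start/stop/enable-at-boot procedure.

# fw_backend KERNEL_VERSION -> prints "iptables" or "ipchains", following
# the rule in the text: 2.3 and later use iptables, earlier use ipchains.
fw_backend() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 3 ]; }; then
        echo iptables
    else
        echo ipchains
    fi
}

# fw_rule_count BACKEND -> number of filter rules currently loaded.
# Prints 0 when the tool is absent or we are not root; this is the
# pass/fail signal for the smoke test. Lines starting with "Chain" and
# "target" are chain headers, not rules, so they are excluded.
fw_rule_count() {
    case "$1" in
        iptables|ipchains)
            "$1" -L -n 2>/dev/null | grep -Ev '^(Chain|target|$)' | wc -l | tr -d ' ' ;;
        *) echo 0 ;;
    esac
}

# fw_smoke_test -> start the Bastille firewall, confirm rules are present,
# then stop it again (which removes all rules). Returns non-zero on any
# failure. Needs root and the bastille-firewall init script from the text.
fw_smoke_test() {
    backend=$(fw_backend "$(uname -r)")
    service bastille-firewall start || return 1
    n=$(fw_rule_count "$backend")
    if [ "$n" -eq 0 ]; then
        echo "no $backend rules loaded after start" >&2
        service bastille-firewall stop
        return 1
    fi
    echo "$n $backend rules loaded"
    service bastille-firewall stop
}

# fw_enable_at_boot -> the two chkconfig commands from the text, run only
# after the smoke test has passed.
fw_enable_at_boot() {
    fw_smoke_test || return 1
    /sbin/chkconfig --add bastille-firewall &&
    /sbin/chkconfig bastille-firewall reset
}

# Usage (read-only part, safe to run as any user):
echo "kernel $(uname -r) -> $(fw_backend "$(uname -r)")"
```

Run fw_smoke_test as root on a console rather than over the network the first time: if the configuration in /etc/Bastille/bastille-firewall.cfg is wrong, the default deny policy can cut off the very session you are testing from.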

Undoing changes made by the Bastille-Linux script

After the Bastille-Linux scripts are run several files are created that can help a user restore a system to what it was before running the Bastille script. In the /var/log/Bastille directory there is an action-log, an error-log and an undo directory. The action-log records every change that was made to system files by the Bastille script. The error-log records any problems that Bastille may have encountered when modifying files. Inside the undo directory there is a backup folder which contains the originals of all the configuration files that were modified. There is a script that will undo all of the file changes Bastille has made and will also disable the Bastille-Firewall and PSAD utility. This script is the /usr/sbin/UndoBastille program. The Firewall and PSAD will be disabled, however the original IPCHAINS or IPTABLES will need to be manually restarted by the user.
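Because the undo directory keeps the original copies, an administrator can review exactly what Bastille changed before choosing between UndoBastille and a selective manual restore. The example below is added here and is not the UndoBastille script: bastille_changes walks a backup directory laid out like the filesystem (as the text describes /var/log/Bastille/undo/backup) and reports, for each original, whether the live file is modified, unchanged or missing; restore_one puts a single original back. The function names and the sample files built by demo_changes are the example's own.

```sh
#!/bin/sh
# Added example, not part of Bastille. Compare Bastille's backed-up
# originals with the live files and restore individual files.

# bastille_changes BACKUP_DIR [ROOT]
# BACKUP_DIR mirrors the filesystem (BACKUP_DIR/etc/profile is the
# original of ROOT/etc/profile; ROOT defaults to /). Prints one line per
# backed-up file: "MODIFIED path", "UNCHANGED path" or "MISSING path".
bastille_changes() {
    backup=$1
    root=${2:-}
    find "$backup" -type f | sort | while IFS= read -r f; do
        rel=${f#"$backup"}
        live="$root$rel"
        if [ ! -e "$live" ]; then
            echo "MISSING $rel"
        elif cmp -s "$f" "$live"; then
            echo "UNCHANGED $rel"
        else
            echo "MODIFIED $rel"
        fi
    done
}

# restore_one BACKUP_DIR REL_PATH [ROOT]
# Copy one original back over the live file, keeping the current
# (Bastille-modified) version alongside it with a .bastille suffix so the
# hardened copy can be compared or reapplied later.
restore_one() {
    src="$1$2"; dst="$3$2"
    [ -f "$src" ] || return 1
    [ -e "$dst" ] && cp -p "$dst" "$dst.bastille"
    cp -p "$src" "$dst"
}

# demo_changes -> builds a constructed backup/live tree in a temporary
# directory (contents are sample data, not real Bastille output) and
# reports on it. Exercises all three states.
demo_changes() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/backup/etc/ssh" "$tmp/live/etc/ssh"
    printf 'setting before\n' > "$tmp/backup/etc/ssh/sshd_config"
    printf 'setting after\n'  > "$tmp/live/etc/ssh/sshd_config"   # changed
    printf 'umask 022\n' > "$tmp/backup/etc/profile"
    cp "$tmp/backup/etc/profile" "$tmp/live/etc/profile"           # same
    printf 'telnet stream tcp\n' > "$tmp/backup/etc/inetd.conf"    # live copy gone
    bastille_changes "$tmp/backup" "$tmp/live"
    rm -rf "$tmp"
}

demo_changes
```

Against a real system this would be run as bastille_changes /var/log/Bastille/undo/backup, cross-checked with the action-log, and any file that shows MODIFIED for a reason other than Bastille (a later manual edit, for instance) restored selectively rather than by running UndoBastille wholesale.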

Concluding Remarks

The Bastille-Linux security tool is great for teaching users about Linux system security. Nearly every aspect of Linux security is touched upon. The tool requires some knowledge about system networking and firewalls for the user to have a better experience with it. The documentation of the software also needs to be improved or centralized to a place where users can easily find it. Although Bastille-Linux cannot possibly cover every security event that may arise it can make it more difficult for a person to gain unauthorized access to the system. Bastille-Linux gives Linux users a good start in securing their systems.

Additional Information:

The User Guide to the upcoming v.2.0.0 of Bastille-Linux:

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/bastille-linux/dev/working_tree/Bastille/docs/user_guide.txt
