Bastille Linux for Debian 5.0 (lenny)?
I've read here in older threads and in other tutorials about the Bastille Linux (or Unix) module to help beginners learn and configure their OS for security. When I installed it and tried it out, however, it seems it doesn't support Debian 5.0 - which is a bit weird given it downloaded modules marked "lenny".
I'm now not sure whether it's a good idea to try to run it in Debian 4.0 compatibility, as, given my unfamiliarity with the deep guts of Debian and the changes between OS versions, it could do harm. Or whether to give Bastille a miss and go back to trying to fix everything by hand, which has the danger that I might miss something important. Or is there another security hardening package that is better to use with Debian 5.0?
I know I'm learning a lot by tweaking things by hand, but it would be nice to have some automated assurance I haven't done anything stupid with my iptables or left something really insecure running by default!
14 Replies
As you can read at
> We believe that the bug you reported is fixed in the latest version of bastille, which is due to be installed in the Debian FTP archive.
That means that it is fixed in Testing, but I don't know when it will arrive in Stable.
In any case, don't 'tweak this thing by hand'.
I guess I'll stick to learning how to lock things down by hand for now, which I'm hoping will block the majority of what's out there.
While you're waiting for the package in Lenny, maybe you'll find the Securing Debian Manual interesting.
That manual is a work in progress but has some fine ideas and howtos.
@advocatux:
Bastille and other similar tools are a help but nothing more than that.
I know, but Bastille has a whole bunch of information at each step that tells you why it's doing what it's doing. I was looking forward to a sort of interactive tutorial on security.
Thanks for the link to the security manual. I'll work through it and see what I've missed so far.
Talking about security, a little paranoia is always good. For instance, you can harden your server ports, Apache, CMS, etc. and then install a beautiful theme for your CMS with malicious code inside!
Currently my strategy is to: 1) install what I need, 2) learn basic security (alongside step 1), 3) figure out how to monitor everything in case something goes wrong and 4) backup the system so if (when?) the server breaks I can always restart from scratch. Except for a minor point with my email, step 1 was really easy, but step 2 is turning out to be a real challenge - mostly because there seems to be about ten different ways to do everything.
I tried to install Bastille on the new Ubuntu 9.04, but it isn't recognized by Bastille.
Any ideas, please?
TIA.
@Alucard:
Unfortunately, unless it is deemed a security fix, this change will never hit Debian Lenny. The stable version is specifically not updated except to patch security holes. You would have to build it from testing to get it on Lenny (add a deb-src for squeeze in sources.list, sudo apt-get build-dep bastille; sudo apt-get source -b -t testing bastille).
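The build-from-testing procedure in the reply above, written out as a guarded script. This is an added example, not the poster's own commands: the mirror URL, the sources.list path and the work directory are assumed placeholders, and the deb-src line is only appended when it is not already present so the script can be re-run safely. Unlike the posted commands it passes -t testing to build-dep as well, so the build dependencies of the testing source are installed rather than those of lenny's older package.

```sh
#!/bin/sh
# Added example, not the poster's commands: build the newer bastille from
# Debian testing (squeeze) on a lenny host. MIRROR and SOURCES_FILE are
# assumed placeholders; override them in the environment if yours differ.
set -eu

SOURCES_FILE="${SOURCES_FILE:-/etc/apt/sources.list}"
MIRROR="${MIRROR:-http://ftp.debian.org/debian}"
DEB_SRC_LINE="deb-src $MIRROR squeeze main"

# Append the deb-src entry to the given sources file unless an identical line
# already exists. A deb-src line only publishes source packages, so adding it
# does not change which binary packages a plain apt-get upgrade would pull in.
ensure_deb_src_line() {
    file="$1"
    if [ -f "$file" ] && grep -qxF "$DEB_SRC_LINE" "$file"; then
        return 0
    fi
    printf '%s\n' "$DEB_SRC_LINE" >> "$file"
}

# Number of times the exact deb-src line occurs in the file (0 if absent).
count_deb_src_line() {
    if [ -f "$1" ]; then
        grep -cxF "$DEB_SRC_LINE" "$1" || true
    else
        echo 0
    fi
}

# Download, build and leave the resulting .deb files in the work directory.
# -t testing on build-dep installs the build dependencies of the testing
# source package rather than those of lenny's older version.
build_bastille_from_testing() {
    workdir="${1:-/usr/local/src/bastille-build}"
    ensure_deb_src_line "$SOURCES_FILE"
    apt-get update
    apt-get -t testing build-dep bastille
    mkdir -p "$workdir"
    cd "$workdir"
    apt-get source -b -t testing bastille
    # Install afterwards with: dpkg -i bastille_*.deb (read the changelog first)
    ls -1 ./*.deb
}

# Only run the build when invoked with "run", so sourcing this file is harmless.
if [ "${1:-}" = "run" ]; then
    build_bastille_from_testing "${2:-}"
fi
```

Run it as root with `sh build-bastille.sh run` (optionally followed by a work directory). Because the build happens in an ordinary directory, you can inspect the unpacked source and the generated .deb before deciding to install it.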
Ah yes, thanks. I should have known that - that's the reason why I picked Debian over Ubuntu in the first place; they're more conservative about what goes into stable.
I'm a bit hesitant about trying software from testing, but I might make an exception for Bastille.
However, although Bastille is runnable, I'm not sure if it's working. The console interface was rather flaky, and some of the key elements it installed don't appear to work - the firewall script is throwing syntax errors, for example. I think with my early tinkering I'd managed to harden down half the stuff it did anyway, and I'm not sure if Bastille decided to revert some of that. Bastille did manage to harden a few permissions and turn on some logging options that were useful, but I fear it's made a pig's breakfast out of some of the rest of the system.
Not that it matters too much, as I'm planning on rebuilding the system from scratch in a few days anyway (this is just a test run to learn the ropes). But I'm on the horns of a dilemma. On the one hand, I trust the Bastille developers to know a lot more about security than me. But on the other, while the automated system did a good job of telling me why it should make the changes, it didn't give me a clue what it was doing, and I'm uncomfortable with that. I'm thinking I might be happier relying on my much simpler hand written changes, where at least I know for sure what, why and how I made each decision I did - although I don't know if that makes me more secure.
On Debian 5 there are two files that need to be modified after installing the bastille package:
/usr/lib/Bastille/API.pm
/usr/lib/Bastille/IOLoader.pm
Search for DB4.0 and you will see it grouped with the OS compatibility listings. Just add DB5.0 right after the DB4.0 and you're set. At least, it worked fine for me.