Linux Hardening

Hi,

I was looking for a Linux hardening tool. I found Bastille. The latest version that I was able to find is 3.09. I cannot seem to get this version to work on later versions of Linux (RHEL 5, FC 6,7) distributions.

Is this tool still being supported? Is there a similar tool out there?

Thanks in advance,

JP
|
|
Re: Linux Hardening

The tool is still being actively developed and supported. 3.09 is indeed the latest version (found here: http://bastille-linux.sourceforge.net/index.html)

Can you give a little bit more info about how this isn't working on later versions of Linux? (like an error message, etc)

- Lee
|
|
RE: Linux Hardening

Below is the exact error that I got when I ran Bastille on FC7 and RHEL5.

[root@localhost ~]# InteractiveBastille
ERROR: Couldn't determine Red Hat version! Setting to 9!
ERROR: Couldn't determine Red Hat version! Setting to 9!
ERROR: Couldn't determine Red Hat version! Setting to 9!
NOTE: Valid display found; defaulting to Tk (X) interface.
ERROR: Couldn't determine Red Hat version! Setting to 9!
NOTE: Using Tk user interface module.
ERROR: Couldn't determine Red Hat version! Setting to 9!
NOTE: Only displaying questions relevant to the current configuration.
ERROR: Couldn't determine Red Hat version! Setting to 9!
ERROR: Could not load the 'Tk.pm' interface module.This may be due to an
       invalid $DISPLAY setting,or the module not being visible to Perl.
|
|
RE: Linux Hardening

I'd also give serious review to the benchmark guidance and scoring tools from the Center for Internet Security. cisecurity.org.

R,
-Joe Wulf, CISSP, USN(RET)
Senior IA Engineer
ProSync Technology Group, LLC
www.prosync.com
|
|
RE: Linux Hardening

That's pretty normal behavior, actually. RHEL5 (32 and 64 bit) reports this as well. Bastille has been developed for older versions of RHEL. A newer version of the OS has been published/released, but Bastille hasn't yet been updated.

Do make sure you've got a compatible version of Perl-Tk installed along with bastille.

R,
-Joe Wulf, CISSP, USN(RET)
Senior IA Engineer
ProSync Technology Group, LLC
www.prosync.com
|
|
Re: Linux Hardening

Given that Bastille hasn't yet been built for RHEL5 and FC7 (hence why it couldn't determine RedHat version), it might be difficult.

Looks like you need to install the Tk perl module in order to use the graphical interface, you could also try to run it in text-mode by running "bastille -c".

- Lee
|
|
Re: Linux Hardening

Hello JV,

There are many papers out on the internet which guide you in hardening Linux in general. You can note down points which you feel are applicable for your installed Linux OS and accordingly write a shell script which would do the same.

UNIX/Linux shell scripting is the most powerful, easy and handy way of tuning a UNIX/Linux OS.

----
Nikhil Wagholikar
Information Security Analyst
NII Consulting
Web: http://www.niiconsulting.com
|
|
RE: Linux Hardening

I spoofed the Name in the /etc/redhat-release to RH4. Everything worked fine.

-------------------------------------------------------------
Harry E Smith Jr.
Senior Staff System Engineering
(408) 473 6491 (work)
(408) 888 5209 (cell)
(877) 635 1529 (pager)
|
|
Re: Linux Hardening

Maybe you'd also want to look at Tiger: http://savannah.nongnu.org/projects/tiger/

It checks the security of a system, but the hardening should be done manually.
|
|
RE: Linux Hardening

I would take a serious look at gentoo-hardened. Modern system hardening includes things like applying patches to the kernel to utilize canary values to detect memory-based attacks, inserting random spacing so memory addresses commonly used to exploit an executable are harder to hit, making sure users cannot see other users' processes, and then all kinds of service-specific stuff depending on what kind of services you want to run. The gentoo hardened project has taken a more holistic approach, though the learning curve on installing/using gentoo is a lot sharper than redhat.

Also don't forget the basics of making sure every service that provides any type of authentication has a lockout defined to thwart brute forcing, and that you are enforcing password complexity rules. Also disabling root login from the WAN is a good idea, and if possible require users to get a VPN established to your colocation to utilize services, though outside of an enterprise this is near impossible, but SSL-VPN technologies do make it a lot easier.

-Eric
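The basics listed in the message above (root login over SSH, a lockout on authentication, password complexity), written as the kind of shell script an earlier reply suggests. This is an added example and not part of any post in the thread; it only reads configuration and reports. The file paths and the PAM module names it looks for are assumptions that vary by distribution, and the two sample trees are constructed.

```shell
#!/usr/bin/env bash
# Audit-only: reads configuration and reports, changes nothing on the host.
# Assumed paths: etc/ssh/sshd_config and etc/pam.d/* under a given root.

# Print the global value of an sshd_config keyword, lower-cased.
# sshd keeps the first value it reads; Match blocks are not evaluated here.
sshd_option() {   # $1 = sshd_config path, $2 = keyword
    [ -r "$1" ] || return 0
    awk -v key="$2" '
        /^[[:space:]]*#/            { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Succeed and print the module name if an active (uncommented) line of the
# given PAM type references one of the listed modules. This shows only that
# the module is in the stack, not that its thresholds are sensible.
pam_uses() {      # $1 = pam.d dir, $2 = auth|password, rest = module names
    local dir=$1 type=$2 mod
    shift 2
    for mod in "$@"; do
        if grep -Eqs "^[[:space:]]*-?${type}[[:space:]].*[[:space:]/]${mod}\.so" "$dir"/*; then
            echo "$mod"
            return 0
        fi
    done
    return 1
}

# One PASS/WARN/FAIL line per check.
audit_host() {    # $1 = filesystem root to inspect (empty means /)
    local root=${1:-} v
    v=$(sshd_option "$root/etc/ssh/sshd_config" PermitRootLogin)
    case "$v" in
        no) echo "PASS root-login: PermitRootLogin no" ;;
        "") echo "WARN root-login: PermitRootLogin not set, sshd default applies" ;;
        *)  echo "FAIL root-login: PermitRootLogin $v" ;;
    esac
    if v=$(pam_uses "$root/etc/pam.d" auth pam_faillock pam_tally2 pam_tally); then
        echo "PASS lockout: $v is in the auth stack"
    else
        echo "FAIL lockout: no lockout module in the auth stack"
    fi
    if v=$(pam_uses "$root/etc/pam.d" password pam_pwquality pam_cracklib pam_passwdqc); then
        echo "PASS complexity: $v is in the password stack"
    else
        echo "FAIL complexity: no password-quality module in the password stack"
    fi
}

# Constructed sample trees (not taken from any real host).
make_sample() {   # $1 = weak|hardened, $2 = target directory
    mkdir -p "$2/etc/ssh" "$2/etc/pam.d"
    if [ "$1" = hardened ]; then
        printf '%s\n' 'PermitRootLogin no' > "$2/etc/ssh/sshd_config"
        printf '%s\n' \
            'auth     required  pam_tally2.so deny=5 unlock_time=900' \
            'auth     required  pam_unix.so' \
            'password requisite pam_cracklib.so retry=3 minlen=12' \
            'password required  pam_unix.so shadow use_authtok' \
            > "$2/etc/pam.d/system-auth"
    else
        printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' \
            > "$2/etc/ssh/sshd_config"
        printf '%s\n' \
            '#auth    required  pam_tally2.so deny=5' \
            'auth     required  pam_unix.so nullok' \
            'password required  pam_unix.so shadow' \
            > "$2/etc/pam.d/system-auth"
    fi
}

# Demo: audit both constructed trees.
demo=$(mktemp -d)
for kind in weak hardened; do
    make_sample "$kind" "$demo/$kind"
    echo "== $kind =="
    audit_host "$demo/$kind"
done
rm -rf "$demo"
```

To audit a live system, call `audit_host ""` as a user who can read the files; on a copy of a host's `/etc`, pass the directory that contains it.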
|
|
Re: Linux Hardening

On 11/10/2007, at 23:03, JP Vicente wrote:

> Below is the exact error that I got when I ran Bastille on FC7 and
> RHEL5.

Let's see.. RH and FC...

> [root@localhost ~]# InteractiveBastille
> ERROR: Couldn't determine Red Hat version! Setting to 9!
> ERROR: Couldn't determine Red Hat version! Setting to 9!
> ERROR: Couldn't determine Red Hat version! Setting to 9!
> NOTE: Valid display found; defaulting to Tk (X) interface.
> ERROR: Couldn't determine Red Hat version! Setting to 9!
> NOTE: Using Tk user interface module.
> ERROR: Couldn't determine Red Hat version! Setting to 9!
> NOTE: Only displaying questions relevant to the current configuration.
> ERROR: Couldn't determine Red Hat version! Setting to 9!
> ERROR: Could not load the 'Tk.pm' interface module.This may be due to an
>        invalid $DISPLAY setting,or the module not being visible to Perl.

It seems that it's not ready for your red-hat version, but maybe the differences are not critical and you can exec it anyway...
|
|
Re: Linux Hardening

jvicente@... wrote:
> Hi,
>
> I was looking for a Linux hardening tool. I found Bastille. The latest version that I was able to find is 3.09. I cannot seem to get this version to work on later versions of Linux (RHEL 5, FC 6,7) distributions.
>
> Is this tool still being supported? Is there a similar tool out there?
>
> Thanks in advance,
> JP

SELinux is already included in RHEL and their clones. Maybe you should try it.

Regards!

Jure
|
|
RE: Linux Hardening

I don't think the Bastille project has any activity. The Bastille forums seem dead, the bug tickets and feature requests listed on sourceforge are years old and none have been closed, there's practically no news, what little news there is now has just been updated after almost a year of nothing at all. I think it's basically been abandoned for just over a year and might only now be getting some activity.

And I encounter the same problem - Bastille is unable to detect the latest version for either RHEL or Fedora, and these have been out for a while now.

However, I find that if I just ignore the version errors and go ahead and harden, it does work. If it can't find something it just reports it and moves on to the next step. So it's still useful. And it can be used in combination with SElinux.

Rob C
|
|
RE: Linux Hardening

Hi,

I would suggest looking at grSecurity (http://www.grsecurity.net) and SELinux (http://www.nsa.gov/selinux/info/faq.cfm), whichever suits your environment.

Regards,
Uzair
|
|
RE: Linux Hardening

http://bastille-linux.sourceforge.net/news_updates.htm

Seems pretty active to me... They've had a recent name change due to a domain dispute, but I'm pretty sure they're still ticking along merrily...

--
Ben Jackson - Sr. Security Engineer - Commonwealth of Massachusetts
ben.jackson@... - +1-617-626-4575 (v) - +1-617-626-4459 (f)
http://www.linkedin.com/in/benjaminbjackson
|
|
Re: Linux Hardening

What is the machine's location on your network (LAN\DMZ etc...)? What is the machine role? You should ask yourself some questions before approaching hardening. I would not put the same effort on a machine which is located on my LAN as much as I would make sure that DMZ machines are protected; same goes for a web server, which usually has a lot of active processes on it, and a DNS server or an FTP server, which are in most cases relatively less vulnerable.

There are a lot of tools, but one may perform some basic actions to make sure the machine is protected enough in regards to what it does and where it is located.

--
Liran Cohen
http://www.rct.co.il
http://www.dir.rct.co.il
|
|
Re: Linux Hardening

On 2007-10-21 Liran Cohen wrote:
> Ajai Khattri wrote:
>> On Wed, 17 Oct 2007, Liran Cohen wrote:
>>> what is the machine's location on your network (LAN\DMZ etc...) what
>>> is the machine role, you should ask yourself some questions before
>>> approaching hardening, I would not put the same effort on a machine
>>> which is located on my LAN as much as I would make sure that DMZ
>>> machines are protected
>>
>> I believe even machines on internal networks should all run local
>> firewalls at the very least. There's always some Windoze user using
>> Outlook and clicking on an email attachment they shouldn't click
>> on...

And then what? The services you need to be accessible in your LAN will still be accessible (and thus exploitable) even if you run local packet filters, because you need them to be accessible.

If any of your computers become infected because of someone clicking on an attachment, your security concept has already failed several times, and you should ask yourself some serious questions, including (but not limited to):

- Why didn't the spam/malware filter on your mailserver catch the attachment?
- Why didn't the local virus scanner catch the attachment?
- If the attachment is an executable: why did your Software Restriction Policies (and temp directory settings) allow it to be executed?
- Why was an unneeded service running on the remote host?
- If it was started by a user: why did your Software Restriction Policies allow that?
- If the exploit was not a 0day: why was the system not up-to-date?

On top of that: running a packet filter always means running additional code that may contain additional (remotely exploitable) bugs. There already has been a case (W32/Witty.worm) where systems became vulnerable *because* they were running a local firewall.

> I completely agree providing you have the time and don't have a couple
> of dozens of Linux machines to maintain daily, in many cases you have
> to make a sensible choice what would be worth more or in other words
> assess where the risk is higher and invest most of your efforts there.

Reasonable risk assessments will most likely lead to the conclusion that host-based packet filters in the LAN are not worth the effort.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
|
|
Re: Linux Hardening

On Sunday 21 October 2007 04:32:18 am Liran Cohen wrote:
> I completely agree providing you have the time and don't have a couple of
> dozens of Linux machines to maintain daily, in many cases you have to
> make a sensible choice what would be worth more or in other words assess
> where the risk is higher and invest most of your efforts there.

Unless you're in a very strange environment, you shouldn't be having too much trouble maintaining a couple of dozen Linux machines. When you get a chance, you might want to look through USENIX archives (maybe more specifically SAGE papers), etc. It's not uncommon for a small group to maintain hundreds of Unixy machines. Automation and a solid infrastructure are your friends.

> Ajai Khattri wrote:
> > On Wed, 17 Oct 2007, Liran Cohen wrote:
> >> what is the machine's location on your network (LAN\DMZ etc...) what is
> >> the machine role, you should ask yourself some questions before
> >> approaching hardening, I would not put the same effort on a machine
> >> which is located on my LAN as much as I would make sure that DMZ
> >> machines are protected

Spot on.

> > I believe even machines on internal networks should all run local
> > firewalls at the very least. There's always some Windoze user using
> > Outlook and clicking on an email attachment they shouldn't click on...

*Nothing is always*. Sorry, but that's a *very* bad mind-set to propagate on a security mailing list. What you're referring to is probably quite appropriate on an Ethernet of mixed Windows and Linux systems. But in some cases you can increase efficiency and security by subnetting. A few machines doing continuous builds, for instance, probably don't need more than ssh access. If you have a retired machine, use it for a gateway into a build farm subnet.

Firewalls do burn CPU cycles. How much depends upon the environment, what your rule set looks like, whether you're doing centralized logging, etc. It always pays to test, if for no other reason than that you always learn things, whether the ins and outs of optimizing packet filtering rules, regular expressions useful for parsing log files, setting up NTP so that your logs are sync'ed up, or whatever.

That's what you tell management, anyway. The real reason you do it is that automating the daily trivia away is in itself a learning experience, is tons of fun, and a source of huge leverage. With automation (often just sets of bash scripts) harried admins can often get out from behind the 8-ball, and start having serious fun. More time means you can learn more, and you'll do a far better job of hardening Linux than running a script (bastille) from a group of people who have a history (over several years) of periodically halting development. They probably had their reasons--things do come up. But it still argues against depending upon a third-party tool to secure your nets and nodes.

The threatscape evolves--sometimes quite rapidly. In the final analysis, there's no substitute for local knowledge. We're just lucky that it's so much frapping *fun*.
|
|
Re: Linux Hardening

Security Blanket by TCS is an automated lockdown tool for Linux and Solaris. TCS helped create the linux 2.6 kernel and is listed on the NSA webpage for having created the MLS extensions to SELinux.

The product blog is http://tcs-security-blanket.blogspot.com/ with tons of content, example reports, links to industry recognized lockdown criteria

Security Blanket supports:

RHEL 4 and above
Oracle Ent Linux 4 and above
Fedora 10 and above
SUSE 11 and above
OpenSUSE 11 and above
Solaris 10 x86 and SPARC

It runs on System z, SPARC, 32 bit and 64 bit x86 architectures and PowerPC

Here is a demo of the 3.1 GA version and a newer version from RedHat Summit 2009 and a new product will release Dec 2009