Bastille Linux is a security hardening script for Linux and Unix, soon Debian, Slackware and IRIX, because of user support. Basically it makes a firewall for the machine and does setuid and permissions audits.
Bastile works by asking lots of questions and giving lots of information about why you should make a decision in one way or another. Lots of people don't actually read status screens, so they don't get why it does stuff. But the documentation is available if they do take the time.
It makes a RedHat box much safer and harder to break in to.
The questions help find the balance between security and convenience and functionality. Don't want to turn your computer into a pet rock that can't do anything without hitting some security precaution.
The goal is to find out what the machine is going to be doing and don't be like an installer that doesn't let the users know what they're answering. Educate while you go through the process.
It's almost a HOWTO on security if you're new and you read.
It turns of unnecessary stuff and tightens the config of stuff that remains on. With Linux, you have to treat users as admins, so it does. Harvard wanted to run it on all the Linux boxes, some organizations use this as policy.
Why not do this by default? Well, shipped Unixes are simply not optimized for security. Marketing people want ease of use, and so do users and programmers. Neither really groks security.
So this becomes an anti-root kit for users.
The system will minimize points on entry into your machine, by minizing services running. Mostly stuff like DNS and FTP, but others services can be dangerous as well. The system also works to prevent privilege escalation with setuid programs.
Who is using Bastille?
SGI shipping on the appliances, standard. Mandrake is shipping in their distro. Harvard uses it for students and staff. Estimated around 50,000 people, but the number can't be certain because it's open source and there are so many mirrors.
Versions:
- 1.0 - Base hardening script, better than anything out there.
- 1.1 - Now runs on non-virgin system, Easy extensibity, Curses configuartor, API
- 1.2 - Released in mid-May 2001, Added intelligence to stuff you've done, It has to get smarter because people aren't, Number of questions reduced, Runs on RedHat 7.0 and Mandrake 8
In the future, the designers are looking to add more content, growing to run on more platforms and building a configuration editor.
This info was taken from notes I took at a presentation on Bastille by maintainers and developers Jon Lasser and Jay Beale at the May 8, 2001 Old Bay SAGE sysadmins meeting in Baltimore, MD.