NAMEbastille - system lockdown tool
SYNOPSISPath: /usr/sbin (Linux) Path: /opt/sec_mgmt/bastille/bin (HP-UX) bastille [ -b | -c | -x ] [ --os version ] bastille [ -l | -r ]
DESCRIPTIONBastille is a system-hardening/lockdown program that enhances the security of a Unix host. It configures daemons, system settings and firewalls to be more secure. It can shut off unneeded services and r- tools like rcp and rlogin, and helps create "chroot jails" that help limit the vulnerability of common Internet services, like Web servers and DNS. This tool currently hardens Debian GNU/Linux 2.2-5.0, Red Hat 6.0-8.0, Mandrake 6.0-8.1, HP-UX 11.00, HP-UX 11i v1, and HP-UX 11i v2. It is currently being tested on Suse and Turbo Linux. The utility includes a user interface and a configuration engine. The primary user interface is an X interface via Perl/Tk. There is also a text-based Perl/Curses interface for Linux. The tool can be used 2 ways: interactively and noninteractively (when the configuration engine is used directly). Used interactively, Bastille has been designed to explain security issues to system administrators, then let them decide how to let the tool handle them. This both secures the system and educates the administrator. When the configuration engine is used directly, the utility is useful for duplicating a security configuration on multiple machines. When used interactively (bastille, bastille -x, or bastille -c), the user interface guides you through a series of questions. Each step contains a description of a security decision involved in hardening a Unix system. Each question describes the cost/benefit of each decision. The Tk interface gives you the option to skip to another question module and return to the current module later. The X interface provides "Completed Indicators" to show you which question modules are complete. After you have answered all of the questions, the interface then provides automated support in performing lockdown steps. After performing the steps Bastille can perform automatically, the utility produces a "to do" list that describes remaining actions you must perform manually to ensure their system is secure. Security hardening can also be performed directly through the configuration engine (bastille -b) using a predefined configuration file (see the config file in the FILES section below). This method is useful for duplicating a particular security configuration on multiple machines. Before using the configuration engine directly, a configuration file must be created by using Bastille interactively. After the configuration file is created, copy it to the other systems, install Bastille Unix on those systems, then run the configuration engine on those systems. Bastille draws from many major reputable sources on Unix Security. The initial development integrated Jay Beale's existing O/S hardening experience for Solaris and Linux with most major points from the SANS' Securing Linux Step by Step, Kurt Seifried's Linux Administrator's Security Guide. Later versions incorporated suggestions from the HP-UX Bastion Host Whitepaper and other sources. To ensure that Bastille is used as safely as possible, please: 1) Let the developers know about any impacts you discover which aren't mentioned in the question text for possible inclusion in future revisions of the questions text. 2) Test Bastille configurations in a nonproduction environment first, with the application stack fully functionally tested after lockdown before deployment in a production environment. The characterization of consequences is known to be incomplete, especially for general purpose systems. Options bastille recognizes the following options -b Run in batch mode. This option takes the answers that were created interactively and applies them to the machine. -c Linux Only. Bring up the text interface of the interactive portion of Bastille. It is implemented with the Perl/Curses module, which must be installed separately if it did not come with your version of Perl. -l List applied configuration files. List the configuration files in the configuration file directory that matches the one last used. -r Revert Bastille-modified system files to the state they were in before Bastille was run. Note that, if any changes to the system configuration were made in the interim, those changes should be reviewed again to make sure they (1) still work, and (2) have not broken the system or compromised its security. -x The default option. Run the Bastille X interface. It is implemented with the Perl/Tk module, which must be installed separately if it did not come with your version of Perl. --assess Run Bastille in assessment-only mode so that it investigates the state of hardening, reports on such and generates a score. No changes are made to the system. An HTML version of the report is shown in a browser if either a graphical or text browser can be found. --assessnobrowser Run Bastille in assessment-only mode so that it investigates the state of hardening, reports on such and generates a score. No changes are made to the system. An HTML version of the report is generated but not displayed in a browser. --os version Explicitly set the operating system version while generating a configuration file. By setting the operating system version, all questions valid for that operating system will be asked and configuration files can be generated for any version Bastille recognizes. For a complete list of operating system versions type bastille -x --os.
DIAGNOSTICS$DISPLAY not set, cannot use X interface... You explicitly asked for the X interface using the -x option, but the DISPLAY environment variable was not set. Set the environment variable to the desired display to correct the problem. System is in original state... You attempted to revert the files that Bastille changes with the -r option, but there were no changes to revert. Must run Bastille as root Bastille must run as the root user, since the changes it makes configure the machine. Troubleshooting Error messages that cite problems with opening, copying, or reading files usually relate to NFS file systems that do not trust the root user on the local machine. Please see the options parameter in the fstab(4) manpage for details. Errors that complain about individual configuration files indicate that a system has been too heavily modified for Bastille to make effective changes, or that the files, locations, or permissions of the Bastille installation directories have been changed.
EXAMPLESRun the Bastille X interface. This will create a configuration file which can be run either immediately by Bastille after you have answered all of the questions, or saved for later use in a config file. See the FILES section below. bastille Run Bastille in batch mode. This will take the answers that were created interactively and apply them to the machine. bastille -b
DEPENDENCIESo Perl version 5.5_003 or greater o Perl/Tk version 8.00.23 or greater o Perl/Curses version 1.06 or greater (on Linux only)
FILES/etc/Bastille/config (Linux) /etc/opt/sec_mgmt/bastille/config (HP-UX) The config file contains the answers to the most recently saved session /var/log/Bastille/error-log (Linux) /var/opt/sec_mgmt/bastille/log/error-log (HP-UX) The error log contains any errors that Bastille encountered while making changes to the system. /var/log/Bastille/action-log (Linux) /var/opt/sec_mgmt/bastille/log/action-log (HP-UX) The action log contains the specific steps that Bastille took when making changes to the system. /var/log/Bastille/TODO (Linux) /var/opt/sec_mgmt/bastille/TODO.txt (HP-UX) The To-Do list contains the actions that remain for you to do to ensure the machine is secure.
SEE ALSOperl(1), fstab(4), bastille(7), InteractiveBastille(8), BastilleBackEnd(8), UndoBastille(8), BastilleChooser(8). These programs include more documentation available at /usr/share/doc/bastille on Debian systems. Other useful documentation includes: The Linux Security HOWTO Available at //www.linuxdoc.org/HOWTO/Security- HOWTO.html. One of the best references regarding general Linux Security. Security Quick-Start HOWTO for Linux Available at //www.linuxsecurity.com/docs/LDP/Security- Quickstart-HOWTO/. This is also a very good starting point for novice users (both to Linux and security). The Linux Security Administrator's Guide Available at //seifried.org/lasg/. Securing and Optimizing Linux: RedHat Edition Available at //www.linuxdoc.org/links/p_books.html#securing_linux. Securing Debian Manual Available at //www.debian.org/doc/manuals/securing- debian-howto. It is provided for offline reading in several formats (Text, HTML and PDF) by installing the harden-doc package in Debian systems. BASTILLE(1)