Bastille: a classic Linux and Unix System Security Program

Source: Internet
Author: User
Tags: network troubleshooting

The Linux security field has recently gained a number of attractive new members, such as SELinux, AppArmor, and various forms of virtualization technology. Bastille is one of the classics, and it is still worth half an hour of your time.


Give yourself 30 minutes to learn how to run Bastille. Don't worry: the idea is to learn by doing.

Early in the run, a series of prompts asks whether you want to remove the SUID root bit from specific commands. (The SUID bit lets an ordinary user run a program with the privileges of the file's owner, here root.) At first glance you may think, "Of course I don't need SUID root commands! They are an obvious security hole!" But don't rush to answer yes. Do you really want to log in as root just to run mount or ping? If you strip the bit from mount, ordinary users can no longer mount removable media such as CDs, and a SUID ping does no great harm. If you answer "Yes" and later change your mind, you can restore the SUID bit with chmod (give the full path of the binary, or run it from the directory that contains it):

# chmod u+s ping
In any case, you should review the files that have the SUID or SGID bit set on a regular basis, both to spot tampering with the system and to catch changes that were made on purpose and then forgotten. The following command lists them:

# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;
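Listing the set-id files once is only half the job; what you want to catch is a new set-id file appearing between two reviews. The following script is an added example (not part of the original article or of Bastille itself) that records the current SUID/SGID inventory as a baseline and reports what has changed since. It assumes GNU find (for -printf), i.e. a Linux host; the baseline path in the usage comment is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not part of the original article: keep a baseline of the
# SUID/SGID files on a host and report anything that has appeared, vanished
# or changed owner or mode since the baseline was taken. Assumes GNU find
# (for -printf), i.e. a Linux system; the baseline path is your choice.

# list_setid ROOT -> "mode owner path" for every regular file with the SUID
# or SGID bit set below ROOT, sorted so the output is diff-friendly.
# -xdev keeps the scan on ROOT's filesystem (skips /proc, network mounts...).
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%M %u %p\n' 2>/dev/null | sort
}

# save_baseline ROOT FILE -> record the current state as the trusted baseline.
# Take it on a freshly installed, fully patched host, and keep a copy off-box.
save_baseline() {
    list_setid "$1" > "$2"
}

# check_baseline ROOT FILE -> prints "+ mode owner path" for set-id files that
# are not in the baseline and "- mode owner path" for baseline entries that
# are gone (a changed mode or owner shows up as one "-" and one "+" line).
# Returns 0 when the host still matches the baseline, 1 otherwise.
check_baseline() {
    changes=$(list_setid "$1" | diff "$2" - | sed -n 's/^</-/p; s/^>/+/p')
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Usage on a real host (as root, so that every directory is readable):
#   save_baseline / /var/lib/setid.baseline      # once
#   check_baseline / /var/lib/setid.baseline     # from cron; non-zero exit = investigate

# Stand-alone demo on a constructed directory tree instead of /.
demo_dir=$(mktemp -d)
touch "$demo_dir/ping" "$demo_dir/mount"
chmod 4755 "$demo_dir/ping"
save_baseline "$demo_dir" "$demo_dir/.baseline"
chmod 4755 "$demo_dir/mount"        # a new set-id binary appears after the baseline...
check_baseline "$demo_dir" "$demo_dir/.baseline" || echo "baseline drift detected"
rm -rf "$demo_dir"
```

Run check_baseline from cron and alert on a non-zero exit; a "+" line for a path you do not recognise is exactly the forgotten or malicious modification the article warns about.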
The following are some tips:

Should Bastille disable clear-text r-protocols that use IP-based authentication?

Yes. This option targets rsh, rlogin, rcp, and rdist, which send everything, credentials included, in clear text and trust the client's IP address for authentication. You should not be using them anyway; they were replaced long ago by ssh and scp.

Would you like to password protect single-user mode?

Yes. Without a password, anyone with access to the console can reboot into single-user mode and get a root shell.

Should Bastille ensure the telnet service does not run on this system?

Not only should you answer Yes, you must answer Yes, unless you are certain you want to run a telnet server. Telnet sends everything, passwords included, in clear text. Answering Yes does not remove the telnet client program, which remains useful for network troubleshooting.

Disabling the gcc compiler is not an important security measure: an attacker who can already run code on the box can bring precompiled binaries along. If you need the compiler, do not disable it; if you do not, disable it.

Would you like to put limits on system resource usage?

Yes, this is quite safe. Core dumps are of little use to end users and the files can become very large, so disabling them and capping the number of processes per user is usually a good idea. To see whether Bastille's default limit of 150 processes per user is enough, count how many processes a user currently has (replace username):

$ ps --no-headers -U username | wc -l
You can adjust these limits in /etc/security/limits.conf.
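Counting one user by hand does not scale to a multi-user server, and the limit that applies to a user depends on how limits.conf is written (a user-specific line overrides the "*" wildcard, and a type of "-" sets the soft and hard limit at once). The script below is an added example, not part of the article or of Bastille: it reads the effective hard nproc for each user from a limits.conf-style file and flags users whose current process count is close to it. The file path, the percentage threshold and the sample data in the demo are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article: check each user's current
# process count against the nproc limit configured in a limits.conf file, so
# you can tell before enabling limits whether Bastille's default of 150 would
# cut anyone off. Assumes the pam_limits file format ("domain type item
# value", '#' comments). The path and threshold are parameters you supply.

# hard_nproc FILE USER -> effective hard nproc for USER: a user-specific line
# beats a '*' wildcard line, and a type of '-' sets hard and soft at once.
# Prints "unlimited" when nothing in FILE applies.
hard_nproc() {
    awk -v u="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        ($2 == "hard" || $2 == "-") && $3 == "nproc" {
            if ($1 == u) { user_val = $4 } else if ($1 == "*") { star_val = $4 }
        }
        END {
            if (user_val != "") { print user_val }
            else if (star_val != "") { print star_val }
            else { print "unlimited" }
        }' "$1"
}

# count_procs (stdin: one user name per line, as from `ps --no-headers -eo user=`)
# -> "count user" per user, sorted by user.
count_procs() {
    awk '{ n[$1]++ } END { for (u in n) print n[u], u }' | sort -k2
}

# users_near_limit FILE PCT (stdin: user list as above)
# Prints "user count limit" for every user at or above PCT percent of their
# hard nproc. Users with "unlimited" (or any non-numeric limit) are skipped.
# Returns 0 when nobody is close, 1 otherwise.
users_near_limit() {
    pct=$2
    hits=$(count_procs | while read -r n u; do
        lim=$(hard_nproc "$1" "$u")
        case "$lim" in *[!0-9]*) continue ;; esac   # unlimited / infinity / garbage
        if [ $(( n * 100 )) -ge $(( lim * pct )) ]; then echo "$u $n $lim"; fi
    done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Real use: ps --no-headers -eo user= | users_near_limit /etc/security/limits.conf 80

# Stand-alone demo with a constructed limits.conf and a constructed process list.
demo_conf=$(mktemp)
printf '%s\n' '*        -     nproc  150' 'postgres hard  nproc  500' > "$demo_conf"
awk 'BEGIN { for (i = 0; i < 140; i++) print "alice"; for (i = 0; i < 300; i++) print "postgres" }' \
    | users_near_limit "$demo_conf" 80 || echo "someone is within 20% of their nproc limit"
rm -f "$demo_conf"
```

In the demo alice is reported (140 of 150) while postgres is not (300 of 500); on a real host, a user already near the limit needs a higher per-user line in limits.conf before the limit is turned on, or their service will start failing with fork errors.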

Would you like to add additional logging?

Yes, you should do this.

Although the firewall script is quite good, the prompts do not give you enough information to decide what to do with each port. Take a look at this list of dangerous TCP/IP ports. You have to decide which services, such as SSH, DNS, or a web server, should be reachable through the firewall; Bastille accepts either port numbers or service names as listed in /etc/services. This page lists the ICMP types, which is useful when you want to monitor them or just know what they are. Do not block all ICMP messages, or basic network functions will break (path MTU discovery, for example, depends on ICMP "fragmentation needed" errors getting through). Bastille's defaults here are quite good.

This link is a good guide to ICMP attacks.
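To make the port decision concrete, here is an added example (not the article's text and not Bastille's own firewall script) that turns the list of services you have chosen to expose into an iptables rule set. It resolves service names through an /etc/services-style file the way Bastille's prompt does, passes numeric ports through, and keeps the ICMP types that basic networking relies on instead of dropping ICMP wholesale. The rules are printed for review, not applied; the iptables syntax is standard, but the chain layout, the rate limit and the log prefix are my choices, not Bastille's.

```shell
#!/bin/sh
# Added example, not part of the original article or of Bastille's firewall
# script: build an iptables INPUT policy from a list of services to expose.
# Names are looked up in an /etc/services-style file; "22" means 22/tcp and
# "53/udp" is taken literally. Output is printed, never applied.

# resolve_service NAME FILE -> one "port/proto" per matching line in FILE
# (matches the service name or any alias; '#' comments ignored).
resolve_service() {
    case "$1" in
        [0-9]*/tcp|[0-9]*/udp) echo "$1"; return 0 ;;
        [0-9]*) echo "$1/tcp"; return 0 ;;
    esac
    awk -v name="$1" '
        { sub(/#.*/, "") }
        NF >= 2 && $2 ~ /^[0-9]+\/(tcp|udp)$/ {
            for (i = 1; i <= NF; i++) if (i != 2 && $i == name) { print $2; break }
        }' "$2"
}

# gen_rules FILE SERVICE... -> iptables commands on stdout.
# Unknown names are reported on stderr and the function returns 1, so a typo
# in a service name cannot silently leave a port closed (or open).
gen_rules() {
    svc_file=$1; shift
    rc=0
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # ICMP: keep what error reporting, traceroute and path MTU discovery need
    # (replies to our own pings are already covered by ESTABLISHED above);
    # rate-limit inbound echo requests rather than dropping them.
    echo "iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT"
    echo "iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT"
    echo "iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT"
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT"
    for svc in "$@"; do
        found=0
        for pp in $(resolve_service "$svc" "$svc_file"); do
            found=1
            echo "iptables -A INPUT -p ${pp#*/} --dport ${pp%/*} -j ACCEPT"
        done
        if [ "$found" -eq 0 ]; then
            echo "no entry for '$svc' in $svc_file" >&2
            rc=1
        fi
    done
    # Log a sample of what gets dropped so the policy can be tuned, then drop.
    echo "iptables -A INPUT -m limit --limit 1/s -j LOG --log-prefix 'fw-drop: '"
    echo "iptables -A INPUT -j DROP"
    return $rc
}

# Real use: gen_rules /etc/services ssh domain http > /tmp/fw.sh && review, then sh /tmp/fw.sh

# Stand-alone demo with a constructed /etc/services excerpt.
demo_svc=$(mktemp)
printf '%s\n' 'ssh 22/tcp' 'domain 53/tcp nameserver' 'domain 53/udp nameserver' 'http 80/tcp www' > "$demo_svc"
gen_rules "$demo_svc" ssh domain www
rm -f "$demo_svc"
```

Note that "domain" expands to both 53/tcp and 53/udp, which is what a DNS server actually needs; answering Bastille's port prompt with just one protocol is a common mistake.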

At the end you can apply the changes, and you can also revert them later. Bastille shows you how to start, stop, and test your firewall script. The new scripts live in the /etc/Bastille directory, and a log of everything Bastille did is kept in /var/log/Bastille.

Do this a few times on different servers and desktops and you will have picked up the basics of Linux system hardening.
