[ISN] Bastille Linux update: Hardening the OS with help from Uncle Sam

[InfoSec News]

http://software.newsforge.com/software/05/04/19/1256244.shtml?tid=78&tid=2&tid=79

By Jay Lyman 
April 19, 2005 

The Bastille Linux project has recently been working with the U.S.  
government to improve and harden the operating system security
software. Project leader Jay Beale took some time to tell NewsForge
readers what's been going on recently with Bastille.

NF: You mentioned recently that Bastille Linux has been under major
development -- please talk a little bit about what is happening.

Beale: Until today, Bastille could only harden or "lock down" systems.  
It did this by deactivating unnecessary operating system components
and better configuring the ones that remained. It took proactive steps
to make a system harder to compromise, reducing the probability that
the next item in the attacker's toolkit will be successful against
your system.

We've just finished adding reporting functionality to Bastille, so
that it can tell you what parts of the system aren't locked down. It
examines the system in a read-only fashion, reporting on the status of
each of its hardening items. For example, Bastille might check whether
the DNS server is locked in a chroot prison, whether telnet is turned
off, or even if passwords are required to be a good length. You can
take a look at a Web-only demo of this through this link.

Bastille's new reporting functionality even assigns you a score, using
weights you supply. These weights allow you to make some items count
more than others, or even not count at all. You can use our weights,
but you can just as easily use weights that are provided by one of the
standards bodies or your organization's IT security or system
administration staff.

The score idea is actually pretty central here. When I first heard
about it, I thought it was overly simplistic, but people really do get
motivated and sometimes even jazzed up about improving the score on a
system. They'll get a lower score than their ego tells them they
should and will turn around and harden a few items on the box just to
achieve a more encouraging score.

Anyway, we're quite excited about Bastille's ability to report on a
system. This is an entire second mission for Bastille, though it's
quite related to hardening. It's one that we achieved thanks to help
both from Hewlett-Packard, which has been donating developer time for
a few years now, and from the U.S. government.

NF: What can you tell us about the U.S. government sponsorship?

Beale: This work was sponsored by the U.S. government's Technical
Support Working Group (TSWG). TSWG funded the U.S. Navy's Space and
Naval Warfare (SPAWAR) Systems Center San Diego to provide Bastille
Linux with an auditing capability. The effort also provided for adding
some additional Department of Defense hardening steps within Bastille
and documentation. The project is called Fort Knox for Linux.

NF: What is your objective right now, and has that changed since the
project was started?

Beale: Well, our primary objective is to improve the state of
operating system security. In the short term, that means hardening a
large number of individual systems. In the long term, that means
demonstrating to both the users and the vendors that best practices
can be standard practices. Back in 1999, the Linux distributions all
ran the BIND DNS server with superuser (root) privileges. Bastille set
BIND to run as a non-root user and locked it in a chroot prison. When
the Lion worm ran around compromising DNS servers in 2001, it had a
drastically different effect on the non-Bastilled boxes, where it
could fully compromise them and use them as jumping off points to
attack other machines. On Bastille [protected] and similarly
hand-hardened boxes, it could only knock down the DNS server, but
couldn't complete a compromise or spread to other systems.

Soon after this worm died down, almost every Linux distribution began
running BIND as a non-root user. In the last two years, some have
begun chroot-jailing BIND themselves. The short-term effect of
Bastille here was that possibly a hundred thousand Linux DNS servers
couldn't be compromised. The long-term effect was that Linux
distribution makers gained both familiarity with a couple more
hardening steps and confidence that those steps would be palatable to
users. Additionally, Linux users came to expect tighter configurations
from their distribution vendors.

Our secondary objective has been to teach users and administrators
about security so that we could help them make better decisions both
in our hardening interview and in their use of IT later, from practice
to policy. We're still moving in that direction. The auditing
functionality both helps people see what more can be done on a system
that's somewhat hardened, and also raises their awareness about
host-based security.

NF: What is the biggest challenge for Bastille now?

Beale: There's so much more we'd like to do. We've been focusing on
porting to more operating systems and laying down good internal
architecture. I'd like to see us continue to increase the number of
things we can do on any given operating system. I'd like to get full
coverage of standards guides like those available from the Center for
Internet Security, [Information Systems Audit and Control Association]
(ISACA), and possibly [Defense Information Systems Agency] (DISA).  
That might lead naturally to creating content and weights files
corresponding to requirements in recent legislation. I'd like to widen
our list of supported operating systems just a bit further to include
Solaris and FreeBSD. Finally, using our new reporting functionality,
I'd like to create hardening items that look for non-standard or
unexpected misconfigurations that lead to vulnerabilities the way the
open source program Tiger does. For instance, we might find vital
directories marked world-writable, like in the local privilege
escalation vulnerability discovered on OS X by Eric Hall. Bastille has
the infrastructure for this already -- it's just a matter of coding
the items. I'm always looking for people to help!

NF: Where is the U.S. government in general on the idea of bolstering
security by using Linux and other open source software?

Beale: I don't speak for the government, so I'm not really qualified
to answer that, but from what I've seen, the government is exploring a
number of ways to enhance computer security through Linux and open
source software. TSWG, which I mentioned earlier, is focused on
securing critical infrastructure. As a system hardening tool, Bastille
provides clear support for that mission. By supporting an open source
project rather than someone else's for-spec software, TSWG knows that
the software, and thus their improvements, will be around for the long
term. The government gave us a wonderful boost, but it's up to us to
continue to enhance and support the technology they've helped us
create. We've got a wonderful community of people that have brought
Bastille to this point.

Bastille started out just hardening Red Hat Linux and MandrakeLinux.  
Individual developers brought us to Debian (Javier Fernandez-Sanguino)  
and Gentoo (Brian Stine). We got on SUSE and TurboLinux with IBM's
help (Niki Rahimi) and became the default hardening script for HP-UX
via the amazing efforts of Hewlett-Packard developers Keith Buck,
Robert Fritz, and Tyler Easterling. Along the way, many others have
contributed their time creating code and ideas, as well as beta
testing.

NF: What is needed for a more secure Linux and Internet:  
certifications, deployments, Bastille Linux, or something else?

Beale: The best way to increase Linux system security is to educate
users about good systems administration practices: keeping software
up-to-date, disabling unused services, hardening default
configurations, automating drudgery, backing up regularly, and reading
system and error logs. Bastille and the open source community can help
by creating and maintaining useful tools. In addition to Bastille,
these include complementary kernel-level technology like grSecurity,
SeLinux and ExecShield, compromise detection technology like Osiris
and Snort, and many others. In the end, however, the best tools in the
world can't help if system administrators and users are not proactive
about security. Perhaps the single most important task we have before
us is explaining to users why security matters.

NF: Anything else you would like to add?

Beale: Bastille has improved tremendously since our last major
release. We're always going to have more to do, and we can move faster
when users tell us what they need, and when people volunteer their
time and effort to help us. All the funding in the world is great, but
it's only one part of what makes Bastille work.

-=-

Links 

"Bastille Linux" - http://www.bastille-linux.org/ 
"link" - http://www.bastille-linux.org/Reporting/audit-report.html 
"Fort Knox for Linux" - http://fortknox.sourceforge.net/ 
"Lion worm" - http://www.sans.org/y2k/lion.htm 
"Center for Internet Security" - http://www.cisecurity.org/ 
"ISACA" - http://www.isaca.org/ 
"DISA" - http://www.disa.mil/ 
"Tiger" - http://www.net.tamu.edu/network/tools/tiger.html 
"grSecurity" - http://www.grsecurity.net/ 
"SeLinux" - http://www.nsa.gov/selinux/ 
"ExecShield" - http://people.redhat.com/mingo/exec-shield/ 
"Osiris" - http://osiris.shmoo.com/ 
"Snort" - http://www.snort.org/