bastille - System Lockdown Tool

NAME

bastille - System Lockdown Tool

SYNOPSIS

bastille [ -b | -c | -l | -r | -x ] [ --os version ] [ -v | --verbose ] [ --log ]

DESCRIPTION

Bastille is a system hardening / lockdown program which enhances the security of a Unix host. It configures daemons, system settings and firewalls to be more secure. It can shut off unneeded services and r-tools like rcp and rlogin, and helps create "chroot jails" that help limit the vulnerability of common Internet services like Web servers and DNS. This tool currently hardens Debian GNU/Linux 2.2-3.0, Red Hat 6.0-8.0, Mandrake 6.0-8.1, HP-UX 11.00, and HP-UX 11i v1 (AKA 11.11). It is currently being tested on Suse, Turbo Linux and MacOS X.

The utility includes a user interface and a configuration engine. The primary user interface is an X interface via Perl/Tk. There is also a text-based Perl/Curses interface for Linux. The tool can be used in two ways: interactively and non-interactively (when the configuration engine is used directly). Used interactively, Bastille has been designed to explain security issues to system administrators, then let them decide how to let the tool handle them. This both secures the system and educates the administrator. When the configuration engine is used directly, the utility is useful for duplicating a security configuration on multiple machines.

When used interactively (bastille, bastille -x, or bastille -c), the user interface guides the user through a series of questions. Each step contains a description of a security decision involved in hardening a Unix system. Each question describes the cost/benefit of each decision. The Tk interface gives the user the option to skip to another question module and return to the current module later. The X interface provides "Completed Indicators" to show the user which question modules are complete. After the user has answered all of the questions, the interface then provides automated support in performing lockdown steps. After performing the steps Bastille can perform automatically, the utility produces a "to do" list that describes the remaining actions the user must perform manually to ensure their system is secure.

Security hardening can also be performed directly through the configuration engine (bastille -b) using a predefined configuration file (see config file in "FILES" below). This method is useful for duplicating a particular security configuration on multiple machines. Before using the configuration engine directly, a configuration file must be created by using Bastille interactively. After the configuration file is created, copy it to the other systems, install Bastille Unix on those systems, then run the configuration engine on those systems.

Bastille draws from many major reputable sources on Unix Security. The initial development integrated Jay Beale's existing O/S hardening experience for Solaris and Linux with most major points from the SANS' Securing Linux Step by Step, Kurt Seifried's Linux Administrator's Security Guide. Later versions incorporated suggestions from the HP-UX Bastion Host Whitepaper and other sources.

To ensure that Bastille is used as safely as possible, please:

1) Let the developers know about any impacts you discover which aren't mentioned in the question text for possible inclusion in future revisions of the questions text.

2) Test Bastille configurations in a non-production environment first, with the application stack fully functionally tested after lockdown before deployment in a production environment. The characterization of consequences is known to be incomplete, especially for general purpose systems.

OPTIONS

bastille recognizes the following options:

-b
Run Bastille in batch-mode. This option will take the answers that were created interactively with the user and apply them to the machine.
-c
Linux Only - This option brings up the text interface of the interactive portion of Bastille. It is implemented with the Perl/Curses module, which must be installed separately if it did not come with your version of Perl.
-l
List applied configuration file(s). This option will list the configuration files in the configuration file directory that match the one last used.
-r
This option reverts bastille-modified system files to the state they were in before Bastille was run. Note that if any changes to the system configuration were made in the interim, those changes should be reviewed again to make sure they 1) still work, and 2) have not broken the system or compromised its security.
-x
This is the default option. It brings up the Bastille X interface. It is implemented with the Perl/Tk module, which must be installed separately if it did not come with your version of Perl.
--os version
This option explicitly sets the operating system version while generating a configuration file. By setting the operating system version, all questions valid for that operating system will be asked and configuration files can be generated for any version Bastille recognizes. For a complete list of operating system versions type "bastille -x --os".
-v, --verbose
Verbose mode. Actions are printed to the logs and to STDOUT.
--log
Log-only mode. No action is taken; Bastille merely logs what changes would have been made.

DIAGNOSTICS

$DISPLAY not set, cannot use X interface...
The user explicitly asked for the X interface using the "-x" option, but the $DISPLAY environment variable was not set.

Set the environment variable to the desired display to correct the problem.

System is in original state...
The user attempted to revert the files that Bastille changes with the "-r" option, but there were no changes to revert.

Must run Bastille as root
Bastille must run as the root user, since the changes it makes configure the machine.

Troubleshooting:
Error messages that cite problems with opening, copying, or reading files usually relate to NFS file systems that do not trust the root user on the local machine.

Please see the options section in the fstab manpage for details.

Errors that complain about individual configuration files indicate that a system has been too heavily modified for Bastille to make effective changes, or that the files, locations, or permissions of the Bastille installation directories have been changed.

EXAMPLES

Run the Bastille X interface. This will create a configuration file which can be run either immediately by Bastille after the user has answered all of the questions, or saved for later use in a "config" file, see "Files" below.

bastille

Run Bastille in batch mode. This option will take the answers that were created interactively with the user and apply them to the machine.

bastille -b
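The multi-machine procedure from the DESCRIPTION (create the answers interactively once, copy the config file to other hosts, run the configuration engine there) as an added shell script that is not part of Bastille itself. It assumes root ssh/scp access to each host, Bastille already installed there, and the Linux file locations listed under FILES; it does a log-only pass (--log) before applying (-b), then checks the error log and counts the remaining To-Do items.

```shell
#!/bin/sh
# Added example, not part of Bastille: replay one saved answer file on
# several hosts through the configuration engine and verify the result.
# Assumptions: root ssh/scp access, Bastille installed on each host,
# and the Linux paths from the FILES section of the man page.
set -u

CONFIG_SRC=${CONFIG_SRC:-/etc/Bastille/config}
REMOTE_CONFIG=/etc/Bastille/config
REMOTE_ERRLOG=/var/log/Bastille/error-log
REMOTE_TODO=/var/log/Bastille/TODO

# Return 0 when the error-log ($1) is empty, blank or absent (nothing was
# logged), 1 when it contains at least one non-blank line.
error_log_clean() {
    grep -q '[^[:space:]]' "$1" 2>/dev/null && return 1
    return 0
}

# Print the number of remaining manual actions: non-blank lines of the
# To-Do file ($1); a missing file counts as zero items.
todo_item_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '[^[:space:]]' "$1"
}

# Copy the saved answers to one host, log what would change, then apply.
deploy_host() {
    host=$1
    scp "$CONFIG_SRC" "root@$host:$REMOTE_CONFIG" || return 1
    ssh "root@$host" "bastille --log && bastille -b" || return 1
    tmp=$(mktemp -d)
    scp "root@$host:$REMOTE_ERRLOG" "$tmp/error-log" 2>/dev/null
    scp "root@$host:$REMOTE_TODO" "$tmp/TODO" 2>/dev/null
    if error_log_clean "$tmp/error-log"; then
        echo "$host: lockdown applied, $(todo_item_count "$tmp/TODO") manual To-Do item(s) remain"
    else
        echo "$host: errors logged, review $REMOTE_ERRLOG before trusting this host" >&2
        return 1
    fi
}

# Host names come from a HOSTS variable (constructed, e.g. HOSTS="web1 web2");
# with HOSTS unset nothing is deployed and the functions can be sourced alone.
for h in ${HOSTS:-}; do deploy_host "$h"; done
```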

DEPENDENCIES

• Perl version 5.5_003 or greater
• Perl/Tk version 8.00.23 or greater
• Perl/Curses version 1.06 or greater (on Linux only)

FILES

/etc/Bastille/config (Linux)
/etc/opt/sec_mgmt/bastille/config (HP-UX)
The "config" file contains the answers to the most recently saved session.

/var/log/Bastille/error-log (Linux)
/var/opt/sec_mgmt/bastille/log/error-log (HP-UX)
The error log contains any errors that Bastille encountered while making changes to the system.

/var/log/Bastille/action-log (Linux)
/var/opt/sec_mgmt/bastille/log/action-log (HP-UX)
The action log contains the specific steps that Bastille took when making changes to the system.

/var/log/Bastille/TODO (Linux)
/var/opt/sec_mgmt/bastille/TODO.txt (HP-UX)
The To-Do list contains the user's actions that remain to ensure the machine is secure.

SEE ALSO

perl(1), fstab(4), bastille(7), InteractiveBastille(8), BastilleBackEnd(8), UndoBastille(8), BastilleChooser(8).

These programs include more documentation available at /usr/share/doc/bastille on Debian systems.

For Debian systems you should read the Securing Debian Manual (available at http://www.debian.org/doc/manuals/securing-debian-howto ). This document is provided for offline reading in several formats (Text, HTML and PDF) by installing the harden-doc package. Other (non-Debian-specific) documentation includes:

The Linux Security HOWTO
Available at http://www.linuxdoc.org/HOWTO/Security-HOWTO.html which is one of the best references regarding general Linux Security.
Security Quick-Start HOWTO for Linux
Available at http://www.linuxsecurity.com/docs/LDP/Security-Quickstart-HOWTO/ which is also a very good starting point for novice users (both to Linux and security).
The Linux Security Administrator's Guide
Available at http://seifried.org/lasg/
Securing and Optimizing Linux: RedHat Edition
Available at http://www.linuxdoc.org/links/p_books.html#securing_linux
Securing Debian Manual
Available at http://www.debian.org/doc/manuals/securing-debian-howto , it is provided for offline reading in several formats (Text, HTML and PDF) by installing the harden-doc package in Debian systems.