Automating SLES Hardening


When you secure the operating system manually, you have an opportunity to determine and document what specific features are hardened. However, if you have a large number of servers to secure or need to do this on a regular basis (as a service to customers, for example), it is much easier to perform the task using a set of scripts. That way, you can execute them and have the process done for you automatically. This approach has two added advantages. First, the modifications are applied consistently every time. Second, the scripts serve as documentation; by scanning through the scripts, you know what features of the operating system are hardened. SLES 9 includes a number of hardening and monitoring scripts and applications to help make your job easier. Among them are a security setting option in YaST and the Bastille Linux package.

Within the Security and Users option in the YaST Control Center is a security setting control tool called Security Settings. This applet allows you (as root) to define a set of local security configurations, including password settings, user creation settings, console behavior, and file permissions. In the security settings, the default filesystem permissions are set to Easy. This means most system files are readable by root, but not by other users. The more stringent Secure setting restricts the files that can be viewed by root. And the Paranoid setting requires that users who run applications be predefined. The system files, their ownership, and their permissions are predefined in /etc/permissions.easy, /etc/permissions.secure, and /etc/permissions.paranoid. You can customize the file permission settings by adding users to /etc/permissions.local. The YaST Security Setting tool performs many of the same functions as Bastille and uses an interactive graphical menu. In most instances, either the Easy or Secure setting is sufficient; select Paranoid only if you are sure you need it or you are paranoid.
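The permission profiles described above list each path with its owner and mode, which makes them usable as an audit baseline. The following script is an added example, not code from the book or from SUSE's tooling: it compares a file tree against such a profile and reports drift. The `<path> <owner>:<group> <mode>` line format, the function names, and the sample entries are assumptions constructed for illustration.

```shell
# Added example (not from the book). Assumed profile line format:
#   <path> <owner>:<group> <mode>     ('#' comments; older files use owner.group)
# audit_permissions PROFILE [ROOT]
# Prints one line per deviation; returns 1 if any file differs from the profile.
audit_permissions() {
    profile=$1; root=${2:-}; drift=0
    while read -r path owner mode rest; do
        case $path in ''|'#'*) continue ;; esac
        case $mode in ''|*[!0-7]*) continue ;; esac      # skip malformed entries
        case $owner in
            *:*) ;;
            *.*) owner="${owner%%.*}:${owner#*.}" ;;     # owner.group -> owner:group
        esac
        target=$root$path
        [ -e "$target" ] || continue                     # file not installed: skip
        want_mode=$(printf '%o' "0$mode")                # 0644 and 644 compare equal
        have_owner=$(stat -c '%U:%G' "$target")          # GNU stat
        have_mode=$(stat -c '%a' "$target")
        if [ "$have_owner" != "$owner" ]; then
            echo "OWNER $path expected=$owner actual=$have_owner"; drift=1
        fi
        if [ "$have_mode" != "$want_mode" ]; then
            echo "MODE $path expected=$want_mode actual=$have_mode"; drift=1
        fi
    done < "$profile"
    return "$drift"
}

# Constructed demo: throwaway tree and profile, not a real /etc/permissions.* file.
demo_audit() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/etc" "$tmp/var/tmp"
    : > "$tmp/etc/passwd"; chmod 644 "$tmp/etc/passwd"
    : > "$tmp/etc/shadow"; chmod 644 "$tmp/etc/shadow"   # looser than the profile
    chmod 1777 "$tmp/var/tmp"
    me=$(stat -c '%U:%G' "$tmp/etc/passwd")              # owner of the sample files
    cat > "$tmp/profile" <<EOF
# constructed sample entries
/etc/passwd  $me  0644
/etc/shadow  $me  0640
/var/tmp/    $me  1777
/etc/absent  $me  0600
EOF
    audit_permissions "$tmp/profile" "$tmp"; rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo_audit || echo "deviations found"
```

To check a live system, run `audit_permissions /etc/permissions.secure` as root and review the reported lines before changing anything.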

Bastille Linux (often referred to as just Bastille) is an application (plus a number of configuration scripts) specifically designed to help you harden a Linux/Unix system. Unlike many other script-based packages, Bastille focuses on letting you, the system administrator, choose exactly how to harden your operating system. It runs in either interactive or batch mode. In interactive mode, it asks you questions (see Figure 13.4), explains the topics of those questions, and builds a policy based on your answers. It then applies the policy to the system. You can copy the saved configuration file and apply it to other systems.

Figure 13.4. Bastille Linux in GUI mode.


One of the best features of Bastille is that it actually educates you about security (by asking the various questions and telling you why the questions were asked), and helps you make balanced and informed choices. Many users have found Bastille's educational function just as useful as its hardening function. Because Bastille allows you to run through the entire interactive portion without applying the chosen changes, some organizations actually make their new system administrators run through an interactive Bastille session as part of their training.

TIP

Bastille Linux has a fairly good undo functionality built in. In essence, running Bastille with the -r switch restores all the configuration files and other OS state settings to exactly where they were before you applied the Bastille policy. Keep in mind that if you just installed Bastille a day ago and haven't changed things much, the undo works perfectly. However, if you installed Bastille on the system six months ago and have made a million manual changes to the system configuration (that Bastille doesn't know about), the undo feature probably won't work so well. Most of the time, Bastille will warn you when this is the case, but you should not consider this as a given.


On SLES, Bastille's related files (such as the OS-specific questions and script files) are installed into /usr/share/Bastille and the binary executable, bastille, in /usr/sbin. No man pages are installed, but you can find a number of readme files in /usr/share/doc/packages/bastille. Configuration files created by Bastille are stored in /etc/Bastille. Bastille runs in text mode (using ncurses) or in graphical mode under X (using the Tk graphics toolkit). If you launch bastille without any switches, it will first try the GUI mode, with text mode as the fallback. Alternatively, you can use bastille -x to force GUI mode or bastille -c to force text mode.

Bastille first displays an introductory disclaimer screen to ensure you understand that using Bastille can help to optimize your system's security but does not guarantee it. You need to type agree and then press Return to get past it; it will not be displayed the next time you run Bastille. (You can reactivate the disclaimer screen by deleting /usr/share/Bastille/.nodisclaimer.) You then are led through a series of questions (predefined in /usr/share/Bastille/Questions.txt) that you should read thoroughly and understand before answering and proceeding to the next screen. Depending on your server's current configuration, you may not see all the questions.

You should write down the answers you provided to Bastille for future reference and documentation purposes.

NOTE

If you need guidelines or recommendations for answering the Bastille questions, see "HOW-TO: Bastille Linux 2.1.2," at http://www.unofficial-support.com/article/how-to/bastille_linux.


NOTE

The Bastille Linux project (http://www.bastille-linux.org) is run by Jon Lasser, Lead Coordinator, and Jay Beale, Lead Developer. The SUSE port of Bastille was made by Niki Rahimi of IBM's Linux Technology Center located in Austin, Texas.




    SUSE LINUX Enterprise Server 9 Administrator's Handbook
    ISBN: 067232735X
    EAN: 2147483647
    Year: 2003
    Pages: 134
