Automated Hardening with Bastille Linux

The last tool we’ll explore in this chapter is Bastille. You might be wondering why I’ve saved this powerful hardening utility for last: doesn’t it automate many of the tasks we’ve just covered? It does, but with two caveats.

First, it’s very Red Hat-centric. It simply will not run on any distribution besides those derived from Red Hat, specifically Red Hat itself, Mandrake, and Immunix (although future versions may include support for Debian, SuSE, TurboLinux, and HP/UX). Second, even if you do run a supported distribution, it’s extremely important that you use Bastille as a tool rather than a crutch. There’s no good shortcut for learning enough about how your system works to secure it.

The Bastille guys (Jay Beale and Jon Lasser) are at least as convinced of this as I am: Bastille has a remarkable focus on educating its users.

Background

Bastille Linux is a powerful set of Perl scripts, which both secures Linux systems and educates their administrators. It asks clear, specific questions about your system that allow it to create a custom security configuration. It also explains each question in detail so that by the time you’ve finished a Bastille session, you’ve learned quite a bit about Linux/Unix security. If you already understand system security and are only interested in using Bastille to save time, you can run Bastille in an “explain-less” mode that asks all the same questions but skips the explanations.

How Bastille came to be

The original ...
