CIS 193A – Lesson 4
Bastille: Hardening a System

Upload: madison-mccarthy

Post on 05-Jan-2016


Focus Question

What Linux utilities, commands, and files are used by Bastille to harden a system?


The Bastille Package

• /etc/Bastille - Configuration files (config)
• /var/log/Bastille - Reports and log files
• /var/log/Bastillerevert - Backup files
• /usr/lib/Bastille - Perl libraries
• /usr/share/Bastille - Documentation


Command Syntax

• bastille -a  # --assess
  Assess the system

• bastille -x  # -c for curses
  Create config file and implement changes

• bastille -b <config>
  Harden system with specified configuration

• bastille -r
  Undoes the configuration


Bastille Groupings

• File Permissions
• Account Security
• Boot Security
• Logging
• Miscellaneous Daemons
• Secure Inetd
• Disable User Tools
• Services: Sendmail, Printing, Apache, DNS, FTP


File Permissions

• Setting permissions in /sbin and /usr/sbin to 750 instead of 755

• Removing setuid bits from:
  – mount, umount
  – ping, traceroute
  – dump, restore
  – at
  – X windows
  – others
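An added example, not part of the original slides and not Bastille's own code: a read-only POSIX shell audit that reports where the two items above have not been applied. The function names are illustrative, and reading "750 instead of 755" as applying to the regular files inside each directory is an assumption.

```shell
#!/bin/sh
# Added example, not Bastille's own code: a read-only audit of the two
# File Permissions items. It reports findings and changes nothing.

# Programs the slide names as losing their setuid bit.
SUID_TARGETS="mount umount ping traceroute dump restore at"

# Print each named program under the given directories that is setuid.
find_setuid_targets() {
    for dir in "$@"; do
        for name in $SUID_TARGETS; do
            path="$dir/$name"
            if [ -f "$path" ] && [ -u "$path" ]; then
                printf '%s\n' "$path"
            fi
        done
    done
}

# Print regular files directly inside each directory whose mode grants
# any permission to "other" (755-style rather than 750). Assumption:
# the slide's 750 applies to the files, not only the directory itself.
find_world_accessible() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -H follows a symlinked directory argument such as /sbin
        find -H "$dir" -maxdepth 1 -type f \
            \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
    done
}

# Run both checks; return 1 if either reported anything.
audit_file_permissions() {
    suid=$(find_setuid_targets "$@")
    world=$(find_world_accessible "$@")
    if [ -n "$suid" ]; then
        printf '%s\n' "$suid" | sed 's/^/setuid still set: /'
    fi
    if [ -n "$world" ]; then
        printf '%s\n' "$world" | sed 's/^/accessible to other: /'
    fi
    [ -z "$suid" ] && [ -z "$world" ]
}

# Stand-alone use: sh audit.sh --audit /sbin /usr/sbin /bin /usr/bin
if [ "${1:-}" = "--audit" ]; then
    shift
    audit_file_permissions "$@"
fi
```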


Account Security

• Disable clear-text r-protocols
• Add password aging
• Strengthen umask
• Disable root logins on ttys
• Remove extraneous accounts and groups
• Restrict use of cron to root account


Boot Security

• Password protect grub or lilo
• Disable ctrl-alt-del reboot sequence
• Password protect single user mode


Logging

• Adding additional logging
• Activating system auditing
• Turning on process accounting


Miscellaneous Daemons

• Disable the following services:
  – apmd / acpid
  – nfs, nis
  – samba
  – pcmcia
  – gpm
  – kudzu
  – etc.


Secure Inetd

• Disable telnet service
• Disable ftp service
• Include default deny for hosts.deny
• Banners: authorized use warnings


Disable User Tools

• Disable compilers


Review


Focus Question

What Linux utilities, commands, and files are used by Bastille to harden a system?

Bastille uses grub, PAM, chkconfig, chmod, iptables, and edits such files as issue, securetty, nologin, inittab, login.defs, as well as service configuration files.