RE: Linux Hardening
- From: druid@xxxxxxxxxxxxxxx
- Date: Fri, 12 Oct 2007 13:54:52 -0400 (EDT)
I would take a serious look at gentoo-hardened. Modern system hardening includes things like applying patches to the kernel to utilize canary values to detect memory-based attacks, inserting random spacing so memory addresses commonly used to exploit an executable are harder to hit, making sure users cannot see other users' processes, and then all kinds of service-specific stuff depending on what kind of services you want to run. The gentoo hardened project has taken a more holistic approach, though the learning curve on installing/using gentoo is a lot sharper than redhat.
Also don't forget the basics of making sure every service that provides any type of authentication has a lockout defined to thwart brute forcing, and that you are enforcing password complexity rules. Also disabling root login from the WAN is a good idea, and if possible require users to get a VPN established to your colocation to utilize services, though outside of an enterprise this is near impossible, but SSL-VPN technologies do make it a lot easier.
-Eric
On Fri, 12 Oct 2007, Smith Jr, Harry E wrote:
I spoofed the Name in the /etc/redhat-release to RH4. Everything worked
fine.
-------------------------------------------------------------
Harry E Smith Jr.
Senior Staff System Engineering
(408) 473 6491 (work)
(408) 888 5209 (cell)
(877) 635 1529 (pager)
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Joe_Wulf
Sent: Thursday, October 11, 2007 6:43 PM
To: 'JP Vicente'; 'Matthew Lee Hinman'
Cc: focus-linux@xxxxxxxxxxxxxxxxx; Jay Beale
Subject: RE: Linux Hardening
That's pretty normal behavior, actually. RHEL5 (32 and 64 bit) reports
this as well.
Bastille has been developed for older versions of RHEL. A newer version
of the OS has been published/released, but Bastille hasn't yet been
updated.
Do make sure you've got a compatible version of Perl-Tk installed along
with bastille.
R,
-Joe Wulf, CISSP, USN(RET)
Senior IA Engineer
ProSync Technology Group, LLC
www.prosync.com
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of JP Vicente
Sent: Thursday, October 11, 2007 17:04
To: Matthew Lee Hinman
Cc: focus-linux@xxxxxxxxxxxxxxxxx
Subject: RE: Linux Hardening
Below is the exact error that I got when I ran Bastille on FC7 and
RHEL5.
[root@localhost ~]# InteractiveBastille
ERROR: Couldn't determine Red Hat version! Setting to 9!
ERROR: Couldn't determine Red Hat version! Setting to 9!
ERROR: Couldn't determine Red Hat version! Setting to 9!
NOTE: Valid display found; defaulting to Tk (X) interface.
ERROR: Couldn't determine Red Hat version! Setting to 9!
NOTE: Using Tk user interface module.
ERROR: Couldn't determine Red Hat version! Setting to 9!
NOTE: Only displaying questions relevant to the current configuration.
ERROR: Couldn't determine Red Hat version! Setting to 9!
ERROR: Could not load the 'Tk.pm' interface module.This may be due to an
invalid $DISPLAY setting,or the module not being visible to Perl.
-----Original Message-----
From: Matthew Lee Hinman [mailto:matthew.hinman@xxxxxxxxx]
Sent: Thursday, October 11, 2007 4:21 PM
To: JP Vicente
Cc: focus-linux@xxxxxxxxxxxxxxxxx
Subject: Re: Linux Hardening
The tool is still being actively developed and supported. 3.09 is indeed
the latest version (found here:
http://bastille-linux.sourceforge.net/index.html)
Can you give a little bit more info about how this isn't working on
later versions of Linux? (like an error message, etc)
- Lee
* jvicente@xxxxxxxx <jvicente@xxxxxxxx> [2007-10-11 12:36:39 -0000]:
Hi,
I was looking for a Linux hardening tool. I found Bastille. The latest
version that I was able to find is 3.09. I cannot seem to get this version to
work on later versions of Linux (RHEL 5, FC 6,7) distributions.
Is this tool still being supported? Is there a similar tool out there?
Thanks in advance,
JP
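The basics listed in the reply at the top of this thread (authentication lockout, password complexity, no remote root login, address randomization) can be checked mechanically. The following is an added example, not part of any message in the thread or of Bastille; the sample inputs are constructed, and the function names and the PAM modules it looks for are this example's own assumptions.

```python
import re

# Constructed sample inputs (not from the thread): sshd_config text, a pam.d
# stack, and the output of `sysctl kernel.randomize_va_space`.
SAMPLE_SSHD = "Port 22\n#PermitRootLogin no\nPermitRootLogin yes\n"
SAMPLE_PAM = ("auth required pam_env.so\nauth sufficient pam_unix.so nullok\n"
              "password requisite /lib/security/pam_cracklib.so retry=3 minlen=12\n")
SAMPLE_SYSCTL = "kernel.randomize_va_space = 1\n"
LOCKOUT_MODULES = {"pam_tally.so", "pam_tally2.so", "pam_faillock.so"}
COMPLEXITY_MODULES = {"pam_cracklib.so", "pam_pwquality.so"}

def active_lines(text):
    """Yield non-empty lines with '#' comments removed."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def root_login_disabled(sshd_config):
    """True only if the first PermitRootLogin is 'no' (sshd uses the first value; Match blocks ignored)."""
    for line in active_lines(sshd_config):
        parts = line.split(None, 1)
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower() == "no"
    return False  # keyword absent: do not rely on the compiled-in default

def pam_has(pam_stack, mod_type, modules):
    """True if a pam.d line of this type loads a named module (include/substack not followed)."""
    for line in active_lines(pam_stack):
        fields = line.split()
        loaded = {f.rsplit("/", 1)[-1] for f in fields[1:]}
        if fields[0].lstrip("-") == mod_type and loaded & modules:
            return True
    return False

def aslr_level(sysctl_out):
    """Return kernel.randomize_va_space as an int (2 = full randomization), or None."""
    m = re.search(r"^kernel\.randomize_va_space\s*=\s*(\d+)\s*$", sysctl_out, re.M)
    return int(m.group(1)) if m else None

def audit(sshd_config, pam_stack, sysctl_out):
    return {
        "root_login_disabled": root_login_disabled(sshd_config),
        "auth_lockout": pam_has(pam_stack, "auth", LOCKOUT_MODULES),
        "password_complexity": pam_has(pam_stack, "password", COMPLEXITY_MODULES),
        "full_aslr": aslr_level(sysctl_out) == 2,
    }

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD, SAMPLE_PAM, SAMPLE_SYSCTL))
```

On a real host the three arguments would be the contents of the sshd configuration file, the relevant file under /etc/pam.d, and the sysctl output; a False entry marks a basic that is not in place.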