Installation
Bastille can be installed from source or from the Debian repository. I prefer the repository, and it was already installed in a previous section together with psad. However, in Lenny some things are missing, so it won't start. We have to make some modifications to make it usable.
Edit the /usr/lib/Bastille/API.pm file and insert "DB5.0" as shown below.
Open the file for editing:
nano /usr/lib/Bastille/API.pm
Insert "DB5.0" at these places:
sub get_supported_OS_list () {
    my @list = (
        "DB5.0","DB2.2", "DB3.0", "DB3.1", "DB4.0",
        "RH6.0","RH6.1","RH6.2","RH7.0","RH7.1","RH7.2","RH7.3","RH8.0","RH9$
        "MN6.0","MN6.1","MN7.0","MN7.1","MN7.2","MN8.0","MN8.1","MN8.2",
        "HP-UX11.00","HP-UX11.11", "HP-UX11.22", "HP-UX11.23",
        "SE7.2","SE7.3", "SE8.0","TB7.0",
        "OSX10.2.0","OSX10.2.1","OSX10.2.2","OSX10.2.3","OSX10.2.4");
    return \@list;
}
Open /usr/lib/Bastille/IOLoader.pm and insert "DB5.0" in it.
Open the file for editing:
nano /usr/lib/Bastille/IOLoader.pm
Insert the string "DB5.0" at these places:
if ($data =~ /\bDB\b/) {
    my $supported_versions = 'DB2.2 DB3.0 DB3.1 DB4.0 DB5.0';
    $data =~ s/\bDB\b/$supported_versions/;
}
Now we can run the program.
Configuration
I show the screenshots and also the final config file. You could use the config file directly, but I suggest that you read through the whole Bastille setup at least once.
Start the tool with the InteractiveBastille command:
InteractiveBastille
I will not comment on the pictures because they are self-explanatory.
Configuration can be checked or modified in the config file:
nano /etc/Bastille/config
My config file looks like this:
# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
FilePermissions.generalperms_1_1="Y"
# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
AccountSecurity.protectrhost="Y"
# Q: Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
AccountSecurity.cronuser="Y"
# Q: Do you want to set the default umask? [Y]
AccountSecurity.umaskyn="Y"
# Q: What umask would you like to set for users on the system? [077]
AccountSecurity.umask="022"
# Q: Should we disallow root login on all ttys? [N]
AccountSecurity.rootttylogins="Y"
# Q: Would you like to password-protect the GRUB prompt? [N]
BootSecurity.protectgrub="N"
# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]
BootSecurity.secureinittab="N"
# Q: Would you like to password protect single-user mode? [Y]
BootSecurity.passsum="Y"
# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
SecureInetd.tcpd_default_deny="N"
# Q: Should Bastille ensure the telnet service does not run on this system? [y]
SecureInetd.deactivate_telnet="Y"
# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
SecureInetd.deactivate_ftp="Y"
# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
SecureInetd.banners="Y"
# Q: Who is responsible for granting authorization to use this machine?
SecureInetd.owner="its owner"
# Q: Would you like to put limits on system resource usage? [N]
ConfigureMiscPAM.limitsconf="Y"
# Q: Should we restrict console access to a small group of user accounts? [N]
ConfigureMiscPAM.consolelogin="Y"
# Q: Which accounts should be able to login at console? [root]
ConfigureMiscPAM.consolelogin_accounts="user"
# Q: Would you like to add additional logging? [Y]
Logging.morelogging="Y"
# Q: Do you have a remote logging host? [N]
Logging.remotelog="N"
# Q: Would you like to install TMPDIR/TMP scripts? [N]
TMPDIR.tmpdir="Y"
# Q: Would you like to run the packet filtering script? [N]
Firewall.ip_intro="N"
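To review a config like the one above before applying it on another machine, the following added example (not part of Bastille or of the original tutorial) lists every answer that differs from the default Bastille shows in brackets, for instance the umask of 022 against the suggested 077. The function name bastille_deviations and the sample file are assumptions made for illustration; the parser assumes each "# Q:" line is followed by its answer line.

```shell
#!/bin/sh
# Added example, not part of Bastille: report answers in a Bastille config that
# differ from the default shown in brackets on the preceding "# Q:" line.
# Assumes one question line followed by one answer line, as in the file above.
bastille_deviations() {
    awk '
    /^# Q:/ {
        line = $0; sub(/[ \t\r]+$/, "", line)
        n = length(line); def = ""
        if (substr(line, n, 1) == "]") {
            # Find the last "[" so brackets earlier in the question are ignored.
            s = line; p = 0
            while ((i = index(s, "[")) > 0) { p += i; s = substr(s, i + 1) }
            if (p > 0) def = substr(line, p + 1, n - p - 1)
        }
        have_q = 1; next
    }
    have_q && /^[A-Za-z]+\.[A-Za-z0-9_]+="/ {
        key = $0; sub(/=.*/, "", key)
        val = $0; sub(/^[^=]*="/, "", val); sub(/".*$/, "", val)
        # Compare case-insensitively: the prompt may show [y] for an answer "Y".
        if (def != "" && toupper(val) != toupper(def))
            printf "%s answer=%s default=%s\n", key, val, def
        have_q = 0
    }' "$1"
}

# Constructed sample in the same format (three entries taken from the config above).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Q: What umask would you like to set for users on the system? [077]
AccountSecurity.umask="022"
# Q: Would you like to password-protect the GRUB prompt? [N]
BootSecurity.protectgrub="N"
# Q: Who is responsible for granting authorization to use this machine?
SecureInetd.owner="its owner"
EOF
bastille_deviations "$sample"   # prints: AccountSecurity.umask answer=022 default=077
rm -f "$sample"
```

On a real system, call it as bastille_deviations /etc/Bastille/config. A reported line is not necessarily a weakness: it only marks a choice that differs from the suggested default and is worth a second look.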
To show the same message at logon for everybody, append the newly generated welcome message to /etc/motd.tail:
cat /etc/issue >> /etc/motd.tail
Links:
http://bastille-linux.sourceforge.net/running_bastille_on.htm#debian
The next tutorial is: Webserver install - Part 7 - Hardening VI. - Debian Lenny