ADDENDUM Bash Script: ‘for loop’
1 Bastille Configuration
1.1 Install Bastille
1. If you have not already done so, log on to the machine using:
Username: root Password: tartans@1
2. Open a terminal window by clicking on:
Applications->Accessories->Terminal.
3. There are two modules that are required to implement Bastille:
perl-Curses-1.12-1.2.el4.rf.i386.rpm
Bastille-3.0.8-1.0.noarch.rpm
Copy the required modules to the /root directory with this command:
# cp /media/AISTS/Tools/Linux/Bastille/* /root
4. Using the following commands, change to the /root directory and get a directory listing to confirm all of the Bastille files copied:
# cd /root
# ls -l
5. Install perl-Curses module:
# rpm -ivh perl-Curses-1.28-1.el5.rf.i386.rpm
6. Install Bastille module:
# rpm -ivh Bastille-3.0.9-1.0.noarch.rpm
1.2 Run Bastille
1. Copy Foxtrot’s Bastille template to the Bastille configuration directory (this command should be typed as one continuous line with a space after ‘cp’ and after ‘bastille-ids-config’):
# cp /media/AISTS/Tools/Linux/Config_Files/Foxtrot_10.0.4.2/bastille-syslog-config /etc/Bastille/config
Configuring Bastille
Page 2 of 6 Foxtrot Task 3/6
2. Run Bastille in batch mode to apply the preconfigured template:
# bastille -b -n 2>/dev/null
Note: The template generates error messages about the CentOS version, but the settings will be applied successfully. These messages are not important, so we divert all error messages for this command to /dev/null (the trash).
Figure 1: Bastille Output
2 Bastille Configuration
1. The template you applied has been previously configured as follows.
Enter the following command to view the new Bastille security settings:
# cat /etc/Bastille/config | less
2. Now you can scroll up and down to view the entire file. When you are finished reviewing the file, press the [Q] key to quit viewing the file and return to the shell prompt.
3. After reviewing the config file, reboot the system by typing reboot. You will now have to log in with the admin account that was created in the Linux Host System Hardening task.
Make sure that the admin account was created before rebooting the system, or you will not be able to log in.
You may need to reset the screen resolution to 1024x768 the first time you log on to the admin account. You can do this by going to ‘System’ -> ‘Preferences’ -> ‘Screen Resolution’.
The remaining sections of this document detail the previously configured template that you applied. Note that you will NOT need to actually perform any tasks in the following sections; they are merely here for your edification. After reviewing, you can move on to the next task.
2.1 File Permissions
• Disallow non-root access to ping, usernetctl, mount/umount, and at
• Disable the r-tools (rsh, rlogin, etc.), which are troublesome due to their use of weak authentication.
Figure 2: File Permissions
2.2 Account Security Settings
• Enforce password aging
• Restrict cron (scheduler) to the root user
• Disallow root from direct login. After you apply this template all administrators must log in using the ‘admin’ account and then su to root.
• Set permissions on all user-created files so that the file is only readable by the user who created it.
Figure 3: Account Security Settings
2.3 Boot Security Settings
• Disable CTRL-ALT-DELETE rebooting so that a user must have a valid username and password to reboot the machine.
• Password protect single user mode to require the root password. Single user mode is equivalent to run level 1. You are granted root access, but networking is disabled.
Figure 4: Boot Security Settings
2.4 Securing inetd and TCP Wrappers
• Disable telnet and ftp
• Create authorized use banners that will be displayed before the user can log in
• You do not set default deny on TCP wrappers in this configuration. Later on, you will configure an IPtables firewall that will handle this.
Figure 5: Securing inetd and TCP Wrappers
2.5 Configure PAM
• Set limits on resources. Users will only be allowed to start 150 concurrently running processes and will be unable to open core system (kernel) files.
• Only allow admin to log in at the console
Figure 6: PAM Settings
2.6 Logging Settings
• You will configure logging in a later module, so you will not configure logging through Bastille.
Figure 7: Logging Settings
2.7 Sendmail Settings
• Prevent sendmail from running in daemon mode. This machine will not be a mail server, so sendmail does not need to listen for connections.
Figure 8: Sendmail Settings
2.8 Miscellaneous Daemons
Figure 9: Miscellaneous Daemons
2.9 Apache Web Server Settings
Figure 10: Apache Web Server Settings
2.10 Tempdir Scripts
• This system is not a multi-user system, and therefore you will not be very concerned with the temporary (shared) directories.
Figure 11: Tempdir Scripts
2.11 Packet Filtering Firewall
• You will configure a firewall in a later module, so you will not use Bastille’s firewall configuration.
Figure 12: Packet Filtering Firewall
2.12 FTP Settings
Figure 13: FTP Settings
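The template sections above describe what Bastille changed but give no way to confirm it took effect after the reboot. The following audit helpers are an added example (not part of the AISTS manual or of Bastille) that check four of those settings: root-only execute bits on the section 2.1 tools, the disabled CTRL-ALT-DELETE action in inittab (2.3), the PAM process and core-file limits (2.5), and sendmail's DAEMON setting (2.7). The live CentOS paths in audit_host (/etc/inittab, /etc/security/limits.conf, /etc/sysconfig/sendmail, and the binary locations) are assumed, and each check takes the file to inspect as an argument so it can be run against constructed copies.

```shell
#!/bin/sh
# Post-hardening audit helpers for the Bastille template settings above.
# Added example; not taken from the AISTS manual or from Bastille itself.
# Each check takes the path of the file to inspect; the live paths used in
# audit_host are assumed CentOS 5 locations.

# 2.1 File permissions: listed setuid tools must not be executable by group
# or other. Returns 0 when the binary is root-only.
check_no_nonroot_exec() {
    mode=$(ls -ld "$1" | cut -c1-10)         # e.g. -rwsr-x---
    grp=$(printf '%s' "$mode" | cut -c7)     # group execute position
    oth=$(printf '%s' "$mode" | cut -c10)    # other execute position
    case "$grp$oth" in
        [-S][-T]) return 0 ;;                # '-', or S/T without execute
        *)        return 1 ;;
    esac
}

# 2.3 Boot security: an uncommented ctrlaltdel action in inittab lets anyone
# at the console reboot without credentials. Returns 0 when it is disabled.
check_ctrlaltdel_disabled() {
    ! grep -q '^[[:space:]]*[^#].*:ctrlaltdel:' "$1"
}

# 2.5 PAM limits: at most 150 processes per user and no core files
# (hard limits in limits.conf; the exact line layout is assumed).
check_pam_limits() {
    grep -Eq '^\*[[:space:]]+hard[[:space:]]+nproc[[:space:]]+150([[:space:]]|$)' "$1" &&
    grep -Eq '^\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0([[:space:]]|$)' "$1"
}

# 2.7 Sendmail: DAEMON=no in /etc/sysconfig/sendmail keeps it from listening.
check_sendmail_not_daemon() {
    grep -Eq '^[[:space:]]*DAEMON="?no' "$1"
}

# Driver for a live host: prints PASS/FAIL per check, returns the failure count.
# Usage on the hardened host, as root: . ./audit.sh && audit_host
audit_host() {
    fails=0
    for f in /bin/ping /sbin/usernetctl /bin/mount /bin/umount /usr/bin/at; do
        if [ -e "$f" ] && check_no_nonroot_exec "$f"; then echo "PASS root-only $f"
        else echo "FAIL root-only $f"; fails=$((fails + 1)); fi
    done
    check_ctrlaltdel_disabled /etc/inittab && echo "PASS ctrlaltdel disabled" || { echo "FAIL ctrlaltdel"; fails=$((fails + 1)); }
    check_pam_limits /etc/security/limits.conf && echo "PASS pam limits" || { echo "FAIL pam limits"; fails=$((fails + 1)); }
    check_sendmail_not_daemon /etc/sysconfig/sendmail && echo "PASS sendmail" || { echo "FAIL sendmail"; fails=$((fails + 1)); }
    return "$fails"
}
```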
Systems
The host based firewall for Linux, iptables, can be configured by accessing the console directly or via SSH from a management workstation. Iptables has six pre-defined “chains” that are available with the ability to create user defined chains as well. The default chains are:
• INPUT
• OUTPUT
• INPUT
• FORWARD
• PREROUTING
• POSTROUTING
The table below lists various options that can be used when configuring iptables rules.
Additional information is available by typing iptables --help at the Linux command line or by reviewing the iptables man page (type: man iptables).
Figure 1: IPtables Options
Configuring IPTables
Page 2 of 6 Foxtrot Task 4/6