1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
<!-- CVS revision of this document "$Revision: 1.7 $" -->
<chapt id="automatic-harden">Automatic hardening of Debian systems
<p>After reading through all the information in the previous chapters
you might be wondering "I have to do quite a lot of things in order to
harden my system, couldn't these things be automated?". The answer is
yes, but be careful with automated tools. Some people believe, that a
hardening tool does not eliminate the need for good administration. So
do not be fooled to think that you can automate the whole process and
will fix all the related issues. Security is an ever-ongoing process
in which the administrator must participate and cannot just stand away
and let the tools do all the work since no single tool can cope with
all the possible security policy implementations, all the attacks and
all the environments.
<p>Since woody (Debian 3.0) there are two specific packages that are
useful for security hardening. The <package>harden</package> package
which takes an approach based on the package dependencies to quickly
install valuable security packages and remove those with flaws,
configuration of the packages must be done by the administrator. The
<package>bastille</package> package that implements a given security
policy on the local system based on previous configuration by the
administrator (the building of the configuration can be a guided
process done with simple yes/no questions).
<sect>Harden
<p>The <package>harden</package> package tries to make it more easy to
install and administer hosts that need good security. This package
should be used by people that want some quick help to enhance the
security of the system. <!-- To do this it conflicts with packages with
known flaws, including (but not limited to): known security bugs (like
buffer overflows), use of plaintext passwords, lack of access control,
etc. --> It automatically installs some tools that should enhance
security in some way: intrusion detection tools, security analysis
tools, etc. Harden installs the following <em>virtual</em> packages
(i.e. no contents, just dependencies or recommendations on others):
<list>
<item><package>harden-tools</package>: tools to enhance system
security (integrity checkers, intrusion detection, kernel patches...)
<item><package>harden-environment</package>: helps configure a
hardened environment (currently empty).
<item><package>harden-servers</package>: removes servers considered
insecure for some reason.
<item><package>harden-clients</package>: removes clients considered
insecure for some reason.
<item><package>harden-remoteaudit</package>: tools to remotely audit a
system.
<item><package>harden-nids</package>: helps to install a network intrusion
detection system.
<item><package>harden-surveillance</package>: helps to install tools for
monitoring of networks and services.
</list>
Useful packages which are not a dependence:
<list>
<item><package>harden-doc</package>: provides this same manual and
other security-related documentation packages.
<item><package>harden-development</package>: development tools for creating
more secure programs.
</list>
<p>Be careful because if you have software you need (and which you do
not wish to uninstall for some reason) and it conflicts with some of the
packages above you might not be able to fully use
<package>harden</package>.
The harden packages do not (directly) do a thing. They do have,
however, intentional package conflicts with known non-secure packages.
This way, the Debian packaging system will not approve the installation
of these packages. For example, when you try to install a telnet daemon
with <package>harden-servers</package>, <package>apt</package> will say:
<example>
# apt-get install telnetd
The following packages will be REMOVED:
harden-servers
The following NEW packages will be installed:
telnetd
Do you want to continue? [Y/n]
</example>
<p>This should set off some warnings in the administrator head, who should
reconsider his actions.
<sect>Bastille Linux
<p><url name="Bastille Linux" id="http://www.bastille-unix.org"> is
an automatic hardening tool originally oriented towards the RedHat and
Mandrake Linux distributions. However, the <package>bastille</package>
package provided in Debian (since woody) is patched in order to
provide the same functionality for the Debian GNU/Linux system.
<p>Bastille can be used with different frontends (all are documented
in their own manpage in the Debian package) which enables the
administrator to:
<list>
<item>Answer questions step by step regarding the desired security of
your system (using <manref name="InteractiveBastille" section="8">).
<item>Use a default setting for security (amongst three: Lax, Moderate
or Paranoia) in a given setup (server or workstation) and let Bastille
decide which security policy to implement (using <manref
name="BastilleChooser" section="8">).
<item>Take a predefined configuration file (could be provided by
Bastille or made by the administrator) and implement a given security
policy (using <manref name="AutomatedBastille" section="8">).
</list>
|
