Hi Fedora folks, I have been working on the Bastille security hardening system for a while now (www.bastille-linux.org). I am currently interested in the enhancement of Bastille on Fedora as I see that it is not directly available on the distribution install media at this time. I have been working with Jay Beale, the lead developer of Bastille, on seeing that the software is working properly on Fedora Core installations. I am curious to see what you all would think of the addition of Bastille to the Fedora install media. If you have any questions on the quality and/or usability of Bastille feel free to send me a note.
Thanks, Niki Rahimi
On Thu, 2004-09-30 at 17:30, Niki Rahimi wrote:
Hi Fedora folks, I have been working on the Bastille security hardening system for a while now (www.bastille-linux.org). I am currently interested in the enhancement of Bastille on Fedora as I see that it is not directly available on the distribution install media at this time.
I'd be interested to see what changes bastille recommends, and rather just make those the default if they make sense.
"Do you want a secure system?"
should not be a Yes/No question, but a Yes/Yes.
On Thu, 2004-09-30 at 17:51 +0200, Arjan van de Ven wrote:
On Thu, 2004-09-30 at 17:30, Niki Rahimi wrote:
Hi Fedora folks, I have been working on the Bastille security hardening system for a while now (www.bastille-linux.org). I am currently interested in the enhancement of Bastille on Fedora as I see that it is not directly available on the distribution install media at this time.
I'd be interested to see what changes bastille recommends, and rather just make those the default if they make sense.
Perfectly right. There shouldn't be any Bastille for Fedora/Red Hat :)
Marius Andreiana wrote:
On Thu, 2004-09-30 at 17:51 +0200, Arjan van de Ven wrote:
able on the distribution install media at this time.
I'd be interested to see what changes bastille recommends, and rather just make those the default if they make sense.
Perfectly right. There shouldn't be any Bastille for Fedora/Red Hat :)
The problems arise when usability suffers at the hands of security. While the added security is justifiable in some cases, other times it is a model of inefficiency. If we aren't careful we'll end up with a "Rube Goldberg" imitation of a distribution (http://en.wikipedia.org/wiki/Rube_Goldberg). The goal is a peaceful balance between the two.
-- Michael Favia michael at insitesinc dot com Insites Incorporated http://michael.insitesinc.com
What I see Bastille doing is educating the security newbies to become more informed about basic security hardening on the system. I totally understand everyone's points as experienced Linux users but consider the end user w/o the many years of knowledge you all have. Many people get on the Bastille mailing list requesting support for the particular distros they operate including Fedora and Red Hat.
On Thu, 30 Sep 2004 11:47:04 -0500, Michael Favia michael@insitesinc.com wrote:
Marius Andreiana wrote:
On Thu, 2004-09-30 at 17:51 +0200, Arjan van de Ven wrote:
able on the distribution install media at this time.
I'd be interested to see what changes bastille recommends, and rather just make those the default if they make sense.
Perfectly right. There shouldn't be any Bastille for Fedora/Red Hat :)
The problems arise when usability suffers at the hands of security. While the added security is justifiable in some cases, other times it is a model of inefficiency. If we aren't careful we'll end up with a "Rube Goldberg" imitation of a distribution (http://en.wikipedia.org/wiki/Rube_Goldberg). The goal is a peaceful balance between the two.
-- Michael Favia michael at insitesinc dot com Insites Incorporated http://michael.insitesinc.com
-- fedora-devel-list mailing list fedora-devel-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-devel-list
On Thu, 2004-09-30 at 10:30 -0500, Niki Rahimi wrote:
Hi Fedora folks,
Ola
I am curious to see what you all would think of the addition of Bastille to the Fedora install media. If you have any questions on the quality and/or usability of Bastille feel free to send me a note.
Anything which really improves security and works is welcome.
Notes:
* perl-Tk would have to be added to the distribution too.
* the testing rpm works only with Tk, although I've installed perl-Curses for text. Remember, many sysadmins don't have X installed on servers.
Couldn't get further as perl-Tk from dag doesn't work on fc3t2:
error: Failed dependencies:
        perl(Tk::LabRadio) is needed by perl-Tk-804.026-1.1.fc2.dag
        perl(Tk::TextReindex) is needed by perl-Tk-804.026-1.1.fc2.dag
I see no docs on bastille homepage, only FAQ. Want to know what it does, how it detects problems with current configuration/versions.
From screenshot: FC2 build shouldn't have HP-UX tab.
At the end, will I see a diff from current config to bastille's before applying?
Thanks,
Marius Andreiana writes:
On Thu, 2004-09-30 at 10:30 -0500, Niki Rahimi wrote:
I see no docs on bastille homepage, only FAQ. Want to know what it does, how it detects problems with current configuration/versions.
From screenshot: FC2 build shouldn't have HP-UX tab.
At the end, will I see a diff from current config to bastille's before applying?
My experience with Bastille hasn't been the best (and I'm NOT just talking Fedora here). The problem is that Bastille offers reasonable sounding things as you work through its screens but doesn't tell you exactly how it will accomplish them. It was not clear what files would be modified--and I didn't find an easily readable log of these actions. Furthermore, I have never successfully "unrolled" Bastille's changes.
So, while it has much to teach and offers good advice, I'd really rather that Bastille were a HOWTO and not an "I'll fix it for you" script.
It's nice to be given a fish to eat, but it's nicer to know how to catch fish. Same old same old.
Thanks,
Marius Andreiana Galuna - Solutii Linux in Romania http://www.galuna.ro
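Marius asks above whether he would see a diff before Bastille applies a change, and Janina's complaint is that there was no readable log of which files were modified and no way to unroll the changes. As an added example (not Bastille's code and not from any poster), here is a small shell helper that does all three: preview as a unified diff, back up and log each file it touches, and restore the last backup. The HARDEN_STATE path, the log format and the one-line sshd_config stand-in are my own assumptions.

```shell
# Added example (not Bastille's own code): a minimal hardening-change helper
# that shows a diff before touching a file, logs every file it modifies, and
# can roll the last change back. Needs sh/bash, diff, cp, awk, date, mktemp.
set -u
# Backups and the change log live here (hypothetical path; override via env).
: "${HARDEN_STATE:=/var/lib/harden-example}"

# preview_change FILE PROPOSED: print the unified diff; return 0 if FILE would
# change, 1 if PROPOSED is identical (nothing to apply).
preview_change() {
    if diff -u "$1" "$2"; then
        echo "no change needed for $1"
        return 1
    fi
    return 0
}

# apply_change FILE PROPOSED TAG: back FILE up, install PROPOSED, append a
# tab-separated log line: timestamp, APPLY, tag, file, backup path.
apply_change() {
    local file=$1 new=$2 tag=$3 stamp backup
    stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$HARDEN_STATE/backups"
    backup="$HARDEN_STATE/backups/$(basename "$file").$stamp"
    cp -p "$file" "$backup"
    cp "$new" "$file"
    printf '%s\tAPPLY\t%s\t%s\t%s\n' "$stamp" "$tag" "$file" "$backup" \
        >> "$HARDEN_STATE/changes.log"
}

# revert_last FILE: restore the newest backup logged for FILE and log the
# revert; return 1 when nothing was ever applied to FILE.
revert_last() {
    local file=$1 backup log="$HARDEN_STATE/changes.log"
    [ -r "$log" ] || return 1
    backup=$(awk -F'\t' -v f="$file" '$2=="APPLY" && $4==f {b=$5} END{print b}' "$log")
    [ -n "$backup" ] || return 1
    cp -p "$backup" "$file"
    printf '%s\tREVERT\t-\t%s\t%s\n' "$(date +%Y%m%d%H%M%S)" "$file" "$backup" >> "$log"
}

# Constructed demo: a one-line stand-in for sshd_config, hardened then reverted.
demo() {
    local work; work=$(mktemp -d); HARDEN_STATE="$work/state"
    echo "PermitRootLogin yes" > "$work/sshd_config"
    echo "PermitRootLogin no" > "$work/proposed"
    preview_change "$work/sshd_config" "$work/proposed" &&
        apply_change "$work/sshd_config" "$work/proposed" ssh-no-root &&
        revert_last "$work/sshd_config" && cat "$HARDEN_STATE/changes.log"
}
```

Run `demo` to see the diff, the two log lines (APPLY then REVERT) and the restored file; a real tool would add the same wrapper around every edit it makes.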
On Fri, 1 Oct 2004 08:59:10 -0400, "Janina Sajka" janina@rednote.net said:
So, while it has much to teach and offers good advice, I'd really rather that Bastille were a HOWTO and not an "I'll fix it for you" script.
It's nice to be given a fish to eat, but it's nicer to know how to catch fish. Same old same old.
If the docs approach is of interest - there is a "Hardening Fedora" tutorial currently being written as part of the documentation project. The tracking bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129957
There is an ongoing thread about this tutorial on fedora-docs as well. -- Stuart Ellis s.ellis@fastmail.co.uk
While having a doc would be great, I think users would be happy to have something that would also do the work for them. I understand that a lot of security measures are already taken on the Fedora installs but the user should be made aware and can also have a choice in the details of the security measures taken. If they want ftp off but telnet on they can do so while being made aware of the implications of doing so. This is why Bastille has been so popular.
On Sun, 03 Oct 2004 20:31:40 +0100, Stuart Ellis s.ellis@fastmail.co.uk wrote:
On Fri, 1 Oct 2004 08:59:10 -0400, "Janina Sajka" janina@rednote.net said:
So, while it has much to teach and offers good advice, I'd really rather that Bastille were a HOWTO and not an "I'll fix it for you" script.
It's nice to be given a fish to eat, but it's nicer to know how to catch fish. Same old same old.
If the docs approach is of interest - there is a "Hardening Fedora" tutorial currently being written as part of the documentation project. The tracking bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129957
There is an ongoing thread about this tutorial on fedora-docs as well.
Stuart Ellis s.ellis@fastmail.co.uk
system-config-bastille?
Mon, 04.10.2004 at 19.38, Niki Rahimi wrote:
While having a doc would be great, I think users would be happy to have something that would also do the work for them. I understand that a lot of security measures are already taken on the Fedora installs but the user should be made aware and can also have a choice in the details of the security measures taken. If they want ftp off but telnet on they can do so while being made aware of the implications of doing so. This is why Bastille has been so popular.
On Sun, 03 Oct 2004 20:31:40 +0100, Stuart Ellis s.ellis@fastmail.co.uk wrote:
On Fri, 1 Oct 2004 08:59:10 -0400, "Janina Sajka" janina@rednote.net said:
So, while it has much to teach and offers good advice, I'd really rather that Bastille were a HOWTO and not an "I'll fix it for you" script.
It's nice to be given a fish to eat, but it's nicer to know how to catch fish. Same old same old.
If the docs approach is of interest - there is a "Hardening Fedora" tutorial currently being written as part of the documentation project. The tracking bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129957
There is an ongoing thread about this tutorial on fedora-docs as well.
Stuart Ellis s.ellis@fastmail.co.uk
On Thu, 30 Sep 2004, Niki Rahimi wrote:
Hi Fedora folks, I have been working on the Bastille security hardening system for a while now (www.bastille-linux.org). I am currently interested in the enhancement of Bastille on Fedora as I see that it is not directly available on the distribution install media at this time. I have been working with Jay Beale, the lead developer of Bastille, on seeing that the software is working properly on Fedora Core installations. I am curious to see what you all would think of the addition of Bastille to the Fedora install media. If you have any questions on the quality and/or usability of Bastille feel free to send me a note.
Some of what bastille does would be better as just being made defaults for fedora
For the rest, where it's going to go interactive, it would make more sense to look into integrating bastille into firstboot, rather than into the installer
later, chris
Chris Ricker writes:
On Thu, 30 Sep 2004, Niki Rahimi wrote:
Hi Fedora folks, I have been working on the Bastille security hardening system for a while now (www.bastille-linux.org). I am currently interested in the enhancement of Bastille on Fedora as I see that it is not directly available on the distribution install media at this time. I have been working with Jay Beale, the lead developer of Bastille, on seeing that the software is working properly on Fedora Core installations. I am curious to see what you all would think of the addition of Bastille to the Fedora install media. If you have any questions on the quality and/or usability of Bastille feel free to send me a note.
Some of what bastille does would be better as just being made defaults for fedora
For the rest, where it's going to go interactive, it would make more sense to look into integrating bastille into firstboot, rather than into the installer
We need something better than First Boot if for no other reason than First Boot is 100% inaccessible to anyone with a special interfacing requirement. It's an accessibility nightmare and could not possibly pass Sec. 508 muster in a U.S. Federal deployment.
Rather than adding to First Boot, we need to rethink First Boot.
On Fri, Oct 01, 2004 at 08:53:29AM -0400, Janina Sajka wrote:
We need something better than First Boot if for no other reason than First Boot is 100% inaccessible to anyone with a special interfacing requirement. It's an accessibility nightmare and could not possibly pass Sec. 508 muster in a U.S. Federal deployment.
This is currently in the issue tracker.
Rather than adding to First Boot, we need to rethink First Boot.
Text mode firstboot as well as graphical clearly is one part of that, what else?
Alan Cox writes:
On Fri, Oct 01, 2004 at 08:53:29AM -0400, Janina Sajka wrote:
We need something better than First Boot if for no other reason than First Boot is 100% inaccessible to anyone with a special interfacing requirement. It's an accessibility nightmare and could not possibly pass Sec. 508 muster in a U.S. Federal deployment.
This is currently in the issue tracker.
Very glad to hear that. Did I know this and forget?
Will it be triggered by runlevel setting in /etc/inittab?
Rather than adding to First Boot, we need to rethink First Boot.
Text mode firstboot as well as graphical clearly is one part of that, what else?
Off the top of my head the input and device side would be all, I think.
In the text screens, for example, it would be important to put the system cursor where the current focus is (and not in the lower right hand corner, for example).
For both text and graphical everything should be keyboardable--so mouse shouldn't be required.
There are also the Access X features our WG is on track to turn into an FSG standard.
On the device side it would be important to support as many devices as practical at some reasonable default setting. I suppose sound would be somewhat tricky, but we can expect more and more blind users relying on sound card.
Still, this deserves a more thorough response. I'm sorry I can't do a better response off the top of my head--but doing so is something we've calendared for next year in the A11y WG.
Thanks for the feedback everyone. I think having a security solution for Fedora that is both informative and merges well with Fedora would be ideal. Perhaps a compromise on Bastille where the Fedora community would be able to take Bastille and integrate it into the distribution. Many users are unaware of the level of security their OS is at upon first installation so utilizing an application like Bastille would be beneficial to them regarding this. It would give them some idea of where they are at or should be at to have a more secure system. There is a good deal that could be added and that is where I see the Fedora community adding to the project.