10:30 a.m.
Hi Fedora folks,
I have been working on the Bastille-security hardening system for a
while now (www.bastille-linux.org). I am currently interested in the
enhancement of Bastille on Fedora as I see that it is not directly
available on the distribution install media at this time. I have been
working with Jay Beale, the lead developer of Bastille, on seeing that
the software is working properly on Fedora core installations.
I am curious to see what you all would think of the addition of
Bastille to the Fedora install media. If you have any questions on the
quality and/or useability of Bastille feel free to send me a note.
Thanks,
Niki Rahimi
10:51 a.m.
On Thu, 2004-09-30 at 17:30, Niki Rahimi wrote:
Hi Fedora folks,
I have been working on the Bastille-security hardening system for a
while now (www.bastille-linux.org). I am currently interested in the
enhancement of Bastille on Fedora as I see that it is not directly
available on the distribution install media at this time.
I'd be interested to see what changes bastille recommends, and rather
just make those the default if they make sense.
"Do you want a secure system?"
should not be a Yes/No question, but a Yes/Yes.
11:04 a.m.
On Thu, 2004-09-30 at 17:51 +0200, Arjan van de Ven wrote:
On Thu, 2004-09-30 at 17:30, Niki Rahimi wrote:
> Hi Fedora folks,
> I have been working on the Bastille-security hardening system for a
> while now (www.bastille-linux.org). I am currently interested in the
> enhancement of Bastille on Fedora as I see that it is not directly
> available on the distribution install media at this time.
I'd be interested to see what changes bastille recommends, and rather
just make those the default if they make sense.
Perfectly right. There
shouldn't be any Bastille for Fedora/Red Hat :)
--
Marius Andreiana
Galuna - Solutii Linux in Romania
http://www.galuna.ro
11:47 a.m.
Marius Andreiana wrote:
On Thu, 2004-09-30 at 17:51 +0200, Arjan van de Ven wrote:
>>able on the distribution install media at this time.
>>
>>
>I'd be interested to see what changes bastille recommends, and rather
>just make those the default if they make sense.
>
>
Perfectly right. There shouldn't be any Bastille for Fedora/Red Hat :)
The problems arise when usability suffers at the hands of security.
While the added security is justifiable in some cases other times it is
a model of inefficiency. If were aren't careful we'll end up with a
"Rube Goldberg" imitation of a distribution
(http://en.wikipedia.org/wiki/Rube_Goldberg). The goal is a peaceful
balance between the two.
--
Michael Favia michael at insitesinc dot com
Insites Incorporated http://michael.insitesinc.com
1:13 p.m.
What I see Bastille doing is educating the security newbies to become
more informed about basic security hardening on the system. I totally
understand everyone's points as experienced Linux users but consider
the end user w/o the many years of knowledge you all have. Many people
get on the Bastille mailing list requesting support for the particular
distors they operate including Fedora and Red Hat.
On Thu, 30 Sep 2004 11:47:04 -0500, Michael Favia
<michael(a)insitesinc.com> wrote:
Marius Andreiana wrote:
>On Thu, 2004-09-30 at 17:51 +0200, Arjan van de Ven wrote:
>
>
>>>able on the distribution install media at this time.
>>>
>>>
>>I'd be interested to see what changes bastille recommends, and rather
>>just make those the default if they make sense.
>>
>>
>Perfectly right. There shouldn't be any Bastille for Fedora/Red Hat :)
>
>
The problems arise when usability suffers at the hands of security.
While the added security is justifiable in some cases other times it is
a model of inefficiency. If were aren't careful we'll end up with a
"Rube Goldberg" imitation of a distribution
(http://en.wikipedia.org/wiki/Rube_Goldberg). The goal is a peaceful
balance between the two.
--
Michael Favia michael at insitesinc dot com
Insites Incorporated http://michael.insitesinc.com
--
fedora-devel-list mailing list
fedora-devel-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-devel-list
11:02 a.m.
On Thu, 2004-09-30 at 10:30 -0500, Niki Rahimi wrote:
Hi Fedora folks,
Ola
I am curious to see what you all would think of the addition of
Bastille to the Fedora install media. If you have any questions on the
quality and/or useability of Bastille feel free to send me a note.
Anything which
really improves security and works it's welcome.
Notes:
* perl-Tk would have to be added to distribution too.
* the testing rpm works only with Tk, although I've installed perl-
Curses for text. Remember, many sysadmins don't have X installed on
servers.
Couldn't get further as perl-Tk from dag doesn't work on fc3t2:
error: Failed dependencies:
perl(Tk::LabRadio) is needed by perl-Tk-804.026-1.1.fc2.dag
perl(Tk::TextReindex) is needed by perl-Tk-804.026-1.1.fc2.dag
I see no docs on bastille homepage, only FAQ. Want to know what it does,
how does it detect problems with current configuration/versions.
From screenshot: FC2 build shouldn't have HP-UX tab.
At the
end, will I see a diff from current config to bastille's before
applying?
Thanks,
--
Marius Andreiana
Galuna - Solutii Linux in Romania
http://www.galuna.ro
7:59 a.m.
Marius Andreiana writes:
On Thu, 2004-09-30 at 10:30 -0500, Niki Rahimi wrote:
I see no docs on bastille homepage, only FAQ. Want to know what it does,
how does it detect problems with current configuration/versions.
>From screenshot: FC2 build shouldn't have HP-UX tab.
At the end, will I see a diff from current config to bastille's before
applying?
My experience with Bastille hasn't been the best (and I'm NOT just
talking Fedora here). The problem is that Bastille offers reasonable
sounding things as you work through its screens but doesn't tell you
exactly how it will accomplish them. It was not clear what files would
be modified--and I didn't find an easily readable log of these actions.
Furthermore, I have never successfully "unrolled" Bastille's changes.
So, while it has much to teach and offers good advice, I'd really
rather that Bastille were a HOWTO and not an "I'll fix it for you"
script.
It's nice to be given a fish to eat, but it's nicer to know how to catch
fish. Same old same old.
Thanks,
--
Marius Andreiana
Galuna - Solutii Linux in Romania
http://www.galuna.ro
--
fedora-devel-list mailing list
fedora-devel-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-devel-list
--
Janina Sajka, Chair
Accessibility Workgroup
Free Standards Group (FSG)
janina(a)freestandards.org Phone: +1 202.494.7040
2:31 p.m.
On Fri, 1 Oct 2004 08:59:10 -0400, "Janina Sajka" <janina(a)rednote.net>
said:
So, while it has much to teach and offers good advice, I'd
really
rather that Bastille were a HOWTO and not an "I'll fix it for you"
script.
It's nice to be given a fish to eat, but it's nicer to know how to catch
fish. Same old same old.
If the docs approach is of interest - there is a "Hardening Fedora"
tutorial currently being written as part of the documentation project.
The tracking bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129957
There is an ongoing thread about this tutorial on fedora-docs as well.
--
Stuart Ellis
s.ellis(a)fastmail.co.uk
12:38 p.m.
While having a doc would be great. I think users would be happy to
have something that would also do the work for them. I understand that
a lot of security measures are already taken on the Fedora installs
but the user should be made aware and can also have a choice in the
details of the security measures taken. If they want ftp off but
telnet on they can do so while being made aware of the implications of
doing so. This is why Bastille has been so popular.
On Sun, 03 Oct 2004 20:31:40 +0100, Stuart Ellis <s.ellis(a)fastmail.co.uk> wrote:
On Fri, 1 Oct 2004 08:59:10 -0400, "Janina Sajka"
<janina(a)rednote.net>
said:
> So, while it has much to teach and offers good advice, I'd really
> rather that Bastille were a HOWTO and not an "I'll fix it for you"
> script.
>
> It's nice to be given a fish to eat, but it's nicer to know how to catch
> fish. Same old same old.
If the docs approach is of interest - there is a "Hardening Fedora"
tutorial currently being written as part of the documentation project.
The tracking bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129957
There is an ongoing thread about this tutorial on fedora-docs as well.
--
Stuart Ellis
s.ellis(a)fastmail.co.uk
--
fedora-devel-list mailing list
fedora-devel-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-devel-list
12:37 p.m.
system-config-bastille?
man, 04.10.2004 kl. 19.38 skrev Niki Rahimi:
While having a doc would be great. I think users would be happy to
have something that would also do the work for them. I understand that
a lot of security measures are already taken on the Fedora installs
but the user should be made aware and can also have a choice in the
details of the security measures taken. If they want ftp off but
telnet on they can do so while being made aware of the implications of
doing so. This is why Bastille has been so popular.
On Sun, 03 Oct 2004 20:31:40 +0100, Stuart Ellis <s.ellis(a)fastmail.co.uk> wrote:
> On Fri, 1 Oct 2004 08:59:10 -0400, "Janina Sajka"
<janina(a)rednote.net>
> said:
> > So, while it has much to teach and offers good advice, I'd really
> > rather that Bastille were a HOWTO and not an "I'll fix it for
you"
> > script.
> >
> > It's nice to be given a fish to eat, but it's nicer to know how to
catch
> > fish. Same old same old.
>
> If the docs approach is of interest - there is a "Hardening Fedora"
> tutorial currently being written as part of the documentation project.
> The tracking bug:
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129957
>
> There is an ongoing thread about this tutorial on fedora-docs as well.
> --
> Stuart Ellis
> s.ellis(a)fastmail.co.uk
>
>
>
> --
> fedora-devel-list mailing list
> fedora-devel-list(a)redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-devel-list
>
11:22 a.m.
On Thu, 30 Sep 2004, Niki Rahimi wrote:
Hi Fedora folks,
I have been working on the Bastille-security hardening system for a
while now (www.bastille-linux.org). I am currently interested in the
enhancement of Bastille on Fedora as I see that it is not directly
available on the distribution install media at this time. I have been
working with Jay Beale, the lead developer of Bastille, on seeing that
the software is working properly on Fedora core installations.
I am curious to see what you all would think of the addition of
Bastille to the Fedora install media. If you have any questions on the
quality and/or useability of Bastille feel free to send me a note.
Some of what bastille does would be better as just being made defaults for
fedora
For the rest, where it's going to go interactive, it would make more sense
to look into integrating bastille into firstboot, rather than into the
installer
later,
chris
7:53 a.m.
mm
Chris Ricker writes:
On Thu, 30 Sep 2004, Niki Rahimi wrote:
> Hi Fedora folks,
> I have been working on the Bastille-security hardening system for a
> while now (www.bastille-linux.org). I am currently interested in the
> enhancement of Bastille on Fedora as I see that it is not directly
> available on the distribution install media at this time. I have been
> working with Jay Beale, the lead developer of Bastille, on seeing that
> the software is working properly on Fedora core installations.
> I am curious to see what you all would think of the addition of
> Bastille to the Fedora install media. If you have any questions on the
> quality and/or useability of Bastille feel free to send me a note.
Some of what bastille does would be better as just being made defaults for
fedora
For the rest, where it's going to go interactive, it would make more sense
to look into integrating bastille into firstboot, rather than into the
installer
We need something better than First Boot if for no other reason than
First Boot is 100% inaccessible to anyone with a special interfacing
requirement. It's an accessibility nightmare and could not possibly pass
Sec. 508 muster in a U.S. Federal deployment.
Rather than adding to First Boot, we need to rethink First Boot.
--
Janina Sajka, Chair
Accessibility Workgroup
Free Standards Group (FSG)
janina(a)freestandards.org Phone: +1 202.494.7040
8:01 a.m.
On Fri, Oct 01, 2004 at 08:53:29AM -0400, Janina Sajka wrote:
We need something better than First Boot if for no other reason than
First Boot is 100% inaccessible to anyone with a special interfacing
requirement. It's an accessibility nightmare and could not possibly pass
Sec. 508 muster in a U.S. Federal deployment.
This is currently in the issue tracker.
Rather than adding to First Boot, we need to rethink First Boot.
Text mode firstboot as well as graphical clearly is one part of that, what
else ?
8:58 a.m.
New subject: First Boot (was: Bastille)
Alan Cox writes:
On Fri, Oct 01, 2004 at 08:53:29AM -0400, Janina Sajka wrote:
> We need something better than First Boot if for no other reason than
> First Boot is 100% inaccessible to anyone with a special interfacing
> requirement. It's an accessibility nightmare and could not possibly pass
> Sec. 508 muster in a U.S. Federal deployment.
This is currently in the issue tracker.
Very glad to hear that. Did I know this and forget?
Will it be triggered by runlevel setting in /etc/inittab?
> Rather than adding to First Boot, we need to rethink First
Boot.
Text mode firstboot as well as graphical clearly is one part of that, what
else ?
Off the top of my head the input and device side would be all, I think.
In the text screens, for example, it would be important to put the
system cursor where the current focus is (and not in the lower right
hand corner, for example).
For both text and graphical everything should be keyboardable--so mouse
shouldn't be required.
There are also the Access X features our WG is on track to turn into an
FSG standard.
On the device side it would be important to support as many devices as
practical at some reasonable default setting. I suppose sound would be
somewhat tricky, but we can expect more and more blind users relying on
sound card.
Still, this deserves a more thorough response. I'm sorry I can't do a
better response off the top of my head--but doing so is something we've
calendared for next year in the A11y WG.
--
fedora-devel-list mailing list
fedora-devel-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-devel-list
--
Janina Sajka, Chair
Accessibility Workgroup
Free Standards Group (FSG)
janina(a)freestandards.org Phone: +1 202.494.7040
3:41 p.m.
Thanks for the feedback everyone. I think having a security solution
for Fedora that is both informative and merges well with Fedora would
be ideal. Perhaps a compromise on Bastille where the Fedora community
would be able to take Bastille and integrate it into the distribution.
Many users are unaware of the level of security their OS is at upon
first installation so utilizing an application like Bastille would be
beneficial to them regarding this. It would give them some idea of
where they are at or should be at to have a more secure system. There
is a good deal that could be added and that is where I see the Fedora
community adding to the project.
7142
days inactive
7146
days old
14 comments
9 participants
participants (9)
-
Alan Cox -
Arjan van de Ven -
Chris Ricker -
Janina Sajka -
Kyrre Ness Sjobak -
Marius Andreiana -
Michael Favia -
Niki Rahimi -
Stuart Ellis