Bastille
How secure is your server?
While there is no single checklist, analysis tool, or script that will tell you the answer to this question, a good place to start is Bastille.
This free tool is available from:
http://bastille-linux.sourceforge.net/running_bastille_on.htm
This is a great tool to learn more about the areas that are commonly used to exploit systems and assist you in hardening your server.
The installation instructions are also there. It is extremely easy to install, but note that it requires the perl-curses package, which provides the interface used when Bastille is run in the shell.
(Note as well that you can run the X front end and use X forwarding to have this tool forward the GUI to the system you are SSHing in from. However, this may require you to install additional packages on your server. It may be easier just to use the shell version, which works quite well.)
Analysis Mode
A description of this is available at:
http://bastille-linux.sourceforge.net/assessment.htm
Once installed, you can run Bastille in analysis mode, which will generate a .txt and an .html report. This is a great way to get a general overview and see where things stand. The report also provides descriptive information for each of the security points, so you can learn more about the nuts and bolts of how each one affects you.
bastille --report
This is where to start - review this report and see which things may apply to you. You may not need all of these things. Having a grub password, for example, is of limited value when your server is secured in a data center, and may just complicate support when you do need it.
One note: the report gets put into:
/var/log/Bastille/Assessment/
Just move the entire Assessment folder to a site or your Apache document root to view it. You will likely need to chmod -R 744 Assessment (or 755 it; a directory needs the execute bit before the web server can enter it). Also, you will need to chown it to the proper user:group for your environment.
Once it is moved and permissions are set, pull up the report in a browser and read away. You can see what areas can be improved and how critical they are. You also can see the overall raw score of how secure you are at the top of the report.
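One way to script the copy-and-permissions step above (an added example, not part of Bastille or the original page): it copies rather than moves the folder, sets directories to 755 and files to 644, and can list anything a web server running as another user could not serve. The function names, the destination directory and the optional user:group are assumptions to adapt to your environment.

```shell
#!/bin/sh
# Added example: publish a Bastille assessment report for viewing in a browser.
# publish_report SRC DEST_PARENT [OWNER]
#   SRC          report directory, e.g. /var/log/Bastille/Assessment
#   DEST_PARENT  existing directory served by the web server (assumed path)
#   OWNER        optional user:group passed to chown (needs root)
# Prints the path of the published copy on success.
publish_report() {
    src=$1 dest_parent=$2 owner=${3:-}
    [ -d "$src" ] || { echo "no report directory: $src" >&2; return 1; }
    [ -d "$dest_parent" ] || { echo "no destination: $dest_parent" >&2; return 1; }
    dest="$dest_parent/$(basename "$src")"
    # Refuse to overwrite an earlier copy, so old and new scores are not mixed.
    [ ! -e "$dest" ] || { echo "already exists: $dest" >&2; return 1; }
    cp -R "$src" "$dest" || return 1
    # Directories need the execute bit to be entered; plain files do not.
    find "$dest" -type d -exec chmod 755 {} + || return 1
    find "$dest" -type f -exec chmod 644 {} + || return 1
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dest" || return 1
    fi
    echo "$dest"
}

# Print entries under DIR that a process running as another user could not
# serve: directories without o+rx, or files without o+r.
blocked_entries() {
    find "$1" \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \)
}

# Usage (paths and owner are examples only):
#   publish_report /var/log/Bastille/Assessment /var/www/html apache:apache
#   blocked_entries /var/www/html/Assessment
```

The report lists which hardening items are still open, so the site it is copied to is best limited to administrators.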
If you want to be fancy, edit /Assessment/assessment-report.html to direct it to use the included graphic, or use your own. For the HTML challenged, you want to include the image source, so modify the assessment report like this:
</HEAD>
<BODY>
<script language="JavaScript" type="text/javascript" src="wz_tooltip.js"></script>
<img src="bastille.jpg">
<CENTER>
<H3>Bastille Hardening Assessment Report</H3>
</CENTER>
Running Bastille
NOTE: It is very unwise to make some of the recommended changes without understanding their implications. Read the descriptions of what each change does. The worst thing is to go through and enable everything with no thought given to how it might affect users, etc.
You might want to run this in a non production environment and experiment with it first, then use it on production servers.
There is an option to restore back to default settings, but this should be a last resort scenario - don't count on this alone. If needed, you can revert the changes with:
bastille -r
That said . . .
Bastille is pretty cool, just run it in shell mode with:
bastille -c
It will walk you through, step by step, and provide information on a variety of security points and recommend actions to take. The changes are made after you answer all the questions. You can then re-run it in analysis mode and see how the score has changed.
There are additional options available in Bastille, including creating a config file to perform identical hardening on multiple servers, etc. See the man page and site for more information.








