After reading through all the information in the previous chapters you might be wondering "I have to do quite a lot of things in order to harden my system, couldn't these things be automated?". The answer is yes, but be careful with automated tools. A hardening tool does not eliminate the need for good administration. So do not be fooled into thinking that you can automate the whole process and that it will fix all the related issues. Security is an ever-ongoing process in which the administrator must participate and cannot just stand aside and let the tools do all the work, since no single tool can cope with all the possible security policy implementations, all the attacks and all the environments.
Since woody (Debian 3.0) there are two specific packages that are useful for security hardening. The harden package takes an approach based on package dependencies to quickly install valuable security packages and remove those with flaws; configuration of the installed packages must still be done by the administrator. The bastille package implements a given security policy on the local system based on a previous configuration by the administrator (the building of the configuration can be a guided process done with simple yes/no questions).
The harden package tries to make it easier to install and administer hosts that need good security. This package should be used by people who want some quick help to enhance the security of the system. To do this it conflicts with packages with known flaws, including (but not limited to): known security bugs (like buffer overflows), use of plaintext passwords, lack of access control, etc. It also automatically installs some tools that should enhance security in some way: intrusion detection tools, security analysis tools, etc. Harden installs the following virtual packages (i.e. no contents, just dependencies on others):

  harden-tools: tools to enhance system security (integrity checkers, intrusion detection, kernel patches...)

  harden-doc: provides this same manual and other security-related documentation packages.

  harden-environment: helps configure a hardened environment (currently empty).

  harden-servers: removes servers considered insecure for some reason.

  harden-clients: removes clients considered insecure for some reason.

  harden-remoteflaws: removes packages with known security holes that could be used by a remote attacker to compromise the system (uses versioned Conflicts:).

  harden-localflaws: removes packages with known security holes that could be used by a local attacker to compromise the system (uses versioned Conflicts:).

  harden-remoteaudit: tools to remotely audit a system.
Be careful: if you have software you need (and which you do not wish to uninstall for some reason) and it conflicts with some of the packages above, you might not be able to fully use harden. The harden packages do not (directly) do anything. They do have, however, intentional package conflicts with known non-secure packages. This way, the Debian packaging system will not approve the installation of these packages. For example, when you try to install a telnet daemon with harden-servers installed, apt will say:

  # apt-get install telnetd
  The following packages will be REMOVED:
    harden-servers
  The following NEW packages will be installed:
    telnetd
  Do you want to continue (Y/n)

This should set off some warnings in the administrator's head, who should reconsider his actions.
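The check apt performs above is a plain dependency-resolution step: each harden virtual package carries a Conflicts: field, and the package manager compares every relation in it against what is installed, using Debian's version ordering for the versioned ones (harden-remoteflaws and harden-localflaws). The following is an added example, written for this manual and not code from the harden package or from dpkg, that re-implements that check so the effect of a versioned Conflicts: line can be studied offline. The package names example-daemon and other-daemon, all version numbers, and the Conflicts: stanza itself are constructed for the illustration; only telnetd conflicting with harden-servers comes from the text above.

```python
import re

# Constructed stand-in for the Conflicts: field of a harden-style virtual
# package. telnetd is the unversioned case from the manual; the two versioned
# relations and their package names are made up for this example.
CONFLICTS_FIELD = "telnetd, example-daemon (<< 2.0-3), other-daemon (<= 0.9)"

# Constructed snapshot of "installed package -> version" on a host.
INSTALLED = {
    "telnetd": "0.17-20",
    "example-daemon": "2.0-3",
    "other-daemon": "0.9~beta",
}


def _order(c):
    """Sort weight of one non-digit character, as dpkg does: '~' sorts
    before everything (even end of string), letters before non-letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string the dpkg way: alternate
    between lexical comparison of non-digit runs and numeric comparison of
    digit runs until both strings are exhausted."""
    while a or b:
        ia = 0
        while ia < len(a) and not a[ia].isdigit():
            ia += 1
        ib = 0
        while ib < len(b) and not b[ib].isdigit():
            ib += 1
        na, nb = a[:ia], b[:ib]
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i]) if i < len(na) else 0  # 0 = end of string
            ob = _order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[ia:], b[ib:]
        ia = 0
        while ia < len(a) and a[ia].isdigit():
            ia += 1
        ib = 0
        while ib < len(b) and b[ib].isdigit():
            ib += 1
        da = int(a[:ia]) if ia else 0
        db = int(b[:ib]) if ib else 0
        if da != db:
            return -1 if da < db else 1
        a, b = a[ia:], b[ib:]
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 for Debian versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _cmp_fragment(u1, u2)
    return c if c else _cmp_fragment(r1, r2)


# Relation operators allowed in a Conflicts: field (dpkg also accepts the
# deprecated '<' and '>', which mean '<=' and '>='; not modelled here).
_OPS = {
    "<<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    "=": lambda c: c == 0,
    ">=": lambda c: c >= 0,
    ">>": lambda c: c > 0,
}

_REL_RE = re.compile(
    r"^\s*([a-z0-9][a-z0-9+.-]*)\s*(?:\(\s*(<<|<=|=|>=|>>)\s*([^\s)]+)\s*\))?\s*$"
)


def parse_conflicts(field):
    """Parse a Conflicts: value into (package, op, version); op and version
    are None for an unversioned relation such as plain 'telnetd'."""
    relations = []
    for item in field.split(","):
        m = _REL_RE.match(item)
        if not m:
            raise ValueError(f"cannot parse relation: {item!r}")
        relations.append((m.group(1), m.group(2), m.group(3)))
    return relations


def conflicting_packages(conflicts_field, installed):
    """Return the installed (name, version) pairs that the Conflicts: field
    forbids, i.e. what apt would have to remove to install the virtual package."""
    hits = []
    for name, op, ver in parse_conflicts(conflicts_field):
        if name not in installed:
            continue
        have = installed[name]
        if op is None or _OPS[op](compare_versions(have, ver)):
            hits.append((name, have))
    return hits


if __name__ == "__main__":
    for name, ver in conflicting_packages(CONFLICTS_FIELD, INSTALLED):
        print(f"{name} {ver} conflicts with the hardening package")
```

Note that example-daemon 2.0-3 is not reported: the relation `(<< 2.0-3)` is strictly-less-than, so the fixed version itself is allowed to coexist with the virtual package, which is exactly how a versioned Conflicts: lets a patched package stay installed while the flawed older versions are pushed out. The `~` handling matters for the same reason: `0.9~beta` sorts below `0.9`, so a pre-release is caught by `(<= 0.9)` just as dpkg would treat it.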
Bastille Linux is an automatic hardening tool originally oriented towards the RedHat and Mandrake Linux distributions. However, the bastille package provided in Debian (since woody) is patched in order to provide the same functionality for the Debian GNU/Linux system.

Bastille can be used with different frontends (all are documented in their own manpage in the Debian package), each giving the administrator a different way to build and apply the security policy:

  InteractiveBastille(8)

  BastilleChooser(8)

  AutomatedBastille(8)
Securing Debian Manual, version 2.6, 10 October 2002 (Wed, 18 Sep 2002 14:09:35 +0200), jfs@computer.org