Re: Bastille-Linux and Debian
Aside from this, Bastille also sets up a default ipchains firewall for
your system to prevent users from setting up services on their own on your
machine, I think.
Regards,
Robert Varga
On Thu, 2 Nov 2000, Ethan Benson wrote:
> On Thu, Nov 02, 2000 at 09:26:27AM +0100, m_g_m@gmx.net wrote:
> > I'd like to know if Bastille-Linux (which was intended for Red Hat
> > 6.x-Systems) works fine on Debian, too, if anyone has experiences with it already
> > and / or if there's an equivalent for Debian as well.
> > What do you think/know?
> > greetings,
> > Michael
>
> it would likely screw up your debian system. i believe the consensus
> is that you really don't need bastille on debian. one of the main
> things (last time i checked) that bastille does is remove stupid suid
> bits (*cough* /sbin/dump) and do some silly permissions changes, like
> changing /usr/sbin/adduser from 0755 to 0700, which is pointless since
> anyone can download adduser from debian mirrors, and it only spews
> errors when run as a normal user anyway. Debian is already VERY
> conservative about suid bits, there are not really many you would
> bother removing except on extremely hardened systems (say a firewall)
>
> other than that remove nfs-kernel-server, nfs-common, telnetd packages
> and comment out anything you are not using in /etc/inetd.conf and run
> /etc/init.d/inetd reload.
>
> also disable portmapper, which is the only real daemon that is a pain
> to get rid of on debian (no longer so on woody, yay!) simplest option
> is rm /etc/rcS.d/S41portmap. which works pretty well (you do have to
> rekill portmap on netbase upgrades but that does not happen too often)
>
> also add:
>
> ## security updates
> deb http://security.debian.org/debian-security/ potato/updates main contrib
> deb http://security.debian.org/debian-non-US/ potato/non-US main contrib
> deb-src http://security.debian.org/debian-security/ potato/updates main contrib
> deb-src http://security.debian.org/debian-non-US/ potato/non-US main contrib
>
> to your /etc/apt/sources.list and run apt-get update && apt-get dist-upgrade
> to get all the current security updates. add non-free to those lists
> if you have non-free in your other apt lines.
>
> --
> Ethan Benson
> http://www.alaska.net/~erbenson/
>
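
Added example, not part of either message above: a read-only shell audit of the items the quoted reply lists (services still enabled in inetd.conf, the S41portmap start link, set-uid files). The function names, the ROOT argument and the sample tree are assumptions constructed for illustration; pass "/" as ROOT to check a live system.

```shell
#!/bin/sh
# ROOT (first argument of each function) is "/" on a real host or a test tree.

# Print the service name of every enabled (uncommented) inetd.conf entry.
inetd_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1/etc/inetd.conf" | sort -u
}

# Report whether the portmapper start link named in the thread still exists.
portmap_link() {
    if [ -e "$1/etc/rcS.d/S41portmap" ] || [ -L "$1/etc/rcS.d/S41portmap" ]; then
        echo present
    else
        echo absent
    fi
}

# List set-uid regular files under the given directories, relative to ROOT.
suid_files() {
    root=$1; shift
    for d in "$@"; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -xdev -type f -perm -4000 -print
        fi
    done | sed "s|^$root||" | sort
}

# Constructed sample tree (not taken from a real host) so this runs offline.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/etc/rcS.d" "$DEMO/sbin"
cat > "$DEMO/etc/inetd.conf" <<'EOF'
# constructed sample entries
#telnet stream tcp nowait telnetd.telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
ident stream tcp wait identd /usr/sbin/identd identd
EOF
: > "$DEMO/etc/rcS.d/S41portmap"
: > "$DEMO/sbin/dump"; chmod 4755 "$DEMO/sbin/dump"   # empty stand-in file
: > "$DEMO/sbin/fsck"; chmod 0755 "$DEMO/sbin/fsck"

echo "enabled inetd services:"; inetd_enabled "$DEMO"
echo "S41portmap: $(portmap_link "$DEMO")"
echo "set-uid files:"; suid_files "$DEMO" sbin usr/sbin
```
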