
Re: Bastille-Linux and Debian



Aside from this, Bastille also sets up a default ipchains firewall for
your system to prevent users from setting up services on their own on your
machine, I think.

Regards,

Robert Varga

On Thu, 2 Nov 2000, Ethan Benson wrote:

> On Thu, Nov 02, 2000 at 09:26:27AM +0100, m_g_m@gmx.net wrote:
> > I'd like to know if Bastille-Linux (which was intended for Red Hat
> > 6.x-Systems) works fine on Debian, too, if anyone has experiences with it already
> > and / or if there's an equivalent for Debian as well.
> > What do you think/know?
> > greetings,
> > Michael
> 
> it would likely screw up your debian system.  i believe the consensus
> is that you really don't need bastille on debian.  one of the main
> things (last time i checked) that bastille does is remove stupid suid
> bits (*cough* /sbin/dump) and do some silly permissions changes, like
> changing /usr/sbin/adduser from 0755 to 0700, which is pointless since
> anyone can download adduser from debian mirrors, and it only spews
> errors when run as a normal user anyway.   Debian is already VERY
> conservative about suid bits, there are not really many you would
> bother removing except on extremely hardened systems (say a firewall) 
> 
> other than that remove nfs-kernel-server, nfs-common, telnetd packages
> and comment out anything you are not using in /etc/inetd.conf and run
> /etc/init.d/inetd reload.  
> 
> also disable portmapper, which is the only real daemon that is a pain
> to get rid of on debian (no longer so on woody, yay!)  simplest option
> is rm /etc/rcS.d/S41portmap.  which works pretty well (you do have to
> rekill portmap on netbase upgrades but that does not happen too often) 
> 
> also add:
> 
> ## security updates
> deb http://security.debian.org/debian-security/ potato/updates main contrib
> deb http://security.debian.org/debian-non-US/ potato/non-US main contrib
> deb-src http://security.debian.org/debian-security/ potato/updates main contrib
> deb-src http://security.debian.org/debian-non-US/ potato/non-US main contrib
> 
> to your /etc/apt/sources.list and run apt-get update && apt-get dist-upgrade 
> to get all the current security updates.  add non-free to those lists
> if you have non-free in your other apt lines. 
> 
> -- 
> Ethan Benson
> http://www.alaska.net/~erbenson/
> 
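
The quoted advice above edits two files, /etc/inetd.conf and /etc/apt/sources.list. The following is an added example, not part of the original thread, that checks copies of those files for inetd services still enabled and for a missing security.debian.org line. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit copies of the two files the message edits.

# Print "service<TAB>server" for each active inetd.conf entry. Lines whose
# first field starts with '#' (plain comments and Debian's "#<off>#"
# marker from update-inetd) are disabled and skipped.
inetd_enabled() {
    awk '$1 ~ /^#/ { next } NF >= 6 { print $1 "\t" $6 }' "$1"
}

# Succeed if sources.list has an active binary "deb" line (not deb-src,
# not commented out) pointing at security.debian.org.
has_security_source() {
    grep -Eq '^[[:space:]]*deb[[:space:]]+[^#]*security\.debian\.org' "$1"
}

# Details go to stderr; the number of findings goes to stdout.
audit_count() {
    n=$(inetd_enabled "$1" | wc -l | tr -d ' ')
    inetd_enabled "$1" | sed 's/^/inetd still enables: /' >&2
    if ! has_security_source "$2"; then
        echo "no active security.debian.org deb line in $2" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample files (not from the original message).
write_samples() {
    cat > "$1/inetd.conf" <<'EOF'
#<off># finger stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd
telnet stream tcp nowait telnetd.telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
#discard stream tcp nowait root internal
EOF
    cat > "$1/sources.list" <<'EOF'
deb http://http.us.debian.org/debian potato main contrib
# deb http://security.debian.org/debian-security/ potato/updates main contrib
deb-src http://security.debian.org/debian-security/ potato/updates main contrib
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "findings: $(audit_count "$tmp/inetd.conf" "$tmp/sources.list")"
rm -rf "$tmp"
```

A deb-src line alone does not count as a security source here, since it delivers no binary updates.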


