Bastille Linux head preaches Linux lockdowns

While all the hoopla was going on upstairs at the Jacob Javits Center in New York where LinuxWorld was being held last week, one of the most packed sessions I’d ever seen at the show was going on in the bowels of the conference center.

The session was titled “Locking Down Linux,” and the crowd, which flowed out the door, was listening intently to Jay Beale, lead developer for the Bastile Linux Project. Beale, who started Bastille Linux in 1999 as a security lock-down script for Red Hat, has evolved the project to cover other major Linux distributions such as SuSE, Mandrake, Debian and TurboLinux, along with HP’s Unix flavor HP-UX and Apple’s Mac OS X (which is based on FreeBSD).

In his presentation, Beale discussed the ins and outs of Bastille Linux, a utility that allows users to turn off the processes, applications and packages on Linux systems that could make them vulnerable to hackers. These include simple things like disabling telnet access, to more complex tweaks, such as disabling network-accessible daemons and applications that can be executed with root authority – a common approach hackers take when attacking a Linux system. 

The most important thing enterprises must consider when deploying Linux, Beale said, is a strategy for auditing and verifying the security of their software.

“Auditing a Linux system deployment, and making sure the auditor isn’t the same person who set up the system – those kinds of things are necessary to ensure against problems.”

Although reports of Linux worms and hacked Linux-based Web servers have been on the rise in recent years, Beale says these incidents reflect the wider usage of Linux, and not an inherent weakness in the software.

“Linux isn’t more vulnerable now than it was before,” Beale said. “It’s just that no one really started paying attention to Linux security until people started getting hacked …  It’s just a matter of being more vigilant now.”