61 Comments
0: Bastille
Neon Samurai 24th Feb 2011
I hadn't even considered that this app's development would stall, yet all signs point toward that very outcome. As an initial step to hardening any install, I place it above linuxconf even. What good is further configuration when you're missing the initial secure baseline to build from?

I really hope someone picks this up or, at minimum, the Debian Testing package continues to be maintained and returns to the Stable branch with Debian 7 Wheezy, if not Debian 6 Squeeze Stable through Backports.

For those not in the know: Bastille is a script that walks one through many security related settings with an explanation of why the setting change should be made. The user can choose to accept the change or not depending on their needs. For advanced users, it's handy for running as a quick baseline when building out a system; modify the config file full of your last selections and rerun it for quick changes. It even sets up the firewall rules, starts them at each system boot, and provides a clear and simple way to add custom firewall rules. I could add any desired exceptions through post-rule-setup.sh and even had it call an auto-generated blacklist.

The various setting changes I can script myself for lack of having Bastille available. The firewall management it provided will be greatly missed though; seems I'm going to be doing firewall rules by hand and learning how the new init.d file format works.

(and what's with changing how init.d files work anyhow? The if statement method was rational and made creating a new init.d kicker script simple, even starting from a blank page. The new "better" method seems to remove clarity and simplicity for benefits I've yet to divine. bah.. I thought newer distro versions were supposed to improve on the older ones, not remove valuable functionality.)
1 Vote
just cause debian isn't including it doesn't mean it's gone.
bastille is still included with mandriva.

though they are starting to promote tomoyo and css-tools as a replacement.
1 Vote
the reason
apotheon 2nd Mar 2011
The reason Mandriva is promoting replacements is the same reason Debian has already removed it; the project appears to be dead.
1 Vote
probably
Jaqui 2nd Mar 2011
Bastille isn't something I really use so it's not important to me.
what is odd is that Mandriva actually has enough of a community to keep Bastille alive, if the call for it was there. The fact that this distro that has collab services and project hosting available for the community hasn't had anyone start a fork of Bastille says it's not something in demand by many.
On one hand, we have people who are knowledgeable enough to maintain Bastille, who are also prone to managing their own security configuration, and thus do not personally have much of a need for it.

On the other hand, we have those who use Ubuntu and have no idea how to configure a system for security, and who have no idea that something like Bastille could help them.

In the middle we have a dwindling number of people who are not numerous enough to sustain the userbase needed to bother maintaining the Bastille project.

Basically, for something like that to continue, it needs to be someone's "baby".
I do make use of Lynis among my other tools but Bastille was nice as a fairly comprehensive scripted starting point. If it was still actively developing upstream but Debian simply chose to drop it.. I'd be looking for a change.. probably Arch to get the rolling distro with a balance of current software versions.

Now I'm on to rethinking my mail server setup. postfix/dovecot is the classic but the Auth setup sucks and it's always felt pretty convoluted. Courier is a nice step; less convoluted setup, more consolidated mail services but less traditional. Citadel is an absolute dream; it's pretty much a drop in, login and go. It's now my heavy option with Courier as the light option. I was really getting excited about doing a Citadel-webcit "administrator's" back end area with chat and todo lists with an eGroupware front end for regular users.

Today I learned something new; not all IMAP implementations are alike and how Citadel and Egroupware talk IMAP is not compatible (based on a half day's reading so maybe someone has solved this). Basically, Egroupware can get the list of folders and indicate new mail sitting in them but it can't actually display any messages from them (bit of an issue).

So, now I'm looking at giving up the easy spamassassin/clamd setup and user/alias management from Citadel so I can instead get Egroupware's email app working against Courier. Booo.. and WTF are different servers using different IMAP implementations for.. and, if that really is a good thing.. why is Citadel IMAP support missing from Egroupware.. seems like decisions that should have been made before someone started that night's drinking.

(but seriously.. anyone out there managed to get Egroupware's mail app talking to Citadel IMAP?)
1 Vote
> and what's with changing how init.d files work anyhow?

It seems like every time I blink the Linux world is throwing away something perfectly clear and manageable in favor of something "better" that muddies the waters for the knowledgeable and eliminates some ability to customize. My most recent annoyance has been with Debian breaking some of the basics of text-based network configuration (I haven't checked on whether similar changes affect other major distribution families). The first time I noticed this happening was ALSA; it has been downhill ever since.
2 Votes
it has apotheon
Jaqui 2nd Mar 2011
and a lot of distros have moved to oss instead of alsa for the sound backend. :/

too much changing stuff that is working right just for the sake of changing it. usually to something not working right.
1 Vote
sucky
apotheon 2nd Mar 2011
That makes me feel even better about my choice to stick with FreeBSD as my primary OS choice -- and even worse about the fact I'm kinda-sorta forced to use a Linux based system for a little while right now.
Stability, Security.. those were the project goals that attracted me along with the huge repositories.

Between distros.. I'm all for change provided the interconnecting standards aren't broken (IMAP should be IMAP, not various mostly compatible implementations of it).

Big changes within a distro or between distro versions; those really need to be justifiable. Bastille stalled.. it makes sense to pull it from the stable archives. New init.d system versus the old.. the new method better provide some strong benefits.

Disappointing to hear more distros going OSS also.. I've been a fan of Alsa since they took over the Creative X-FI sound card drivers. The kernel mods compiled and installed clean and easy at a time when my distro of choice didn't have the hardware support natively.

On the BSD side, it primarily remains hardware support that holds me back. If FreeBSD decided to drop Nvidia's drivers in a non-free repository.. I'd have to take a much longer look.
1 Vote
re: ALSA
apotheon 8th Mar 2011
There are a lot of good reasons to replace ALSA. For one thing, software developers who target more than one OS had to support ALSA for Linux and OSS for basically everything else. For another, ALSA's back end management is kind of inconsistent and overly complex. The architecture is just suboptimal, by all accounts.

> On the BSD side, it primarily remains hardware support that holds me back. If FreeBSD decided to drop Nvidia's drivers in a non-free repository.. I'd have to take a much longer look.

The last couple weeks constitute the first time I've ever really had any hardware issues with FreeBSD. Now that I'm "forced" to use a Linux-based system, I'm beginning to wonder if dealing with the shortcomings of FreeBSD hardware support for this laptop would be the lesser evil.
Mind you, you may not be looking for a weekend project either. Could be fun though. My last week and a bit has been build script testing against Deb6.

I'm changing a lot when I push the home groupware server from Deb5 to current stable. I wouldn't suggest the recreational project for someone who didn't want to do VM save point restores and some breakage (Egroupware doesn't talk Citadel IMAP.. that one is going to stick for a while even with Courier/Egroupware now in place).

OSS for sound is fine for me provided it works. Alsa's claim to fame was being able to work when the distro package was lagging behind driver support. Provided OSS keeps up with driver support and can get better support from hardware vendors, I'm ok with that change. I had to find and figure out configsnd back in the day (or was it soundcfg.. never could remember). Had to find and un-mute alsamixer when that became the new thing. I'll find and figure out whatever OSS mixer settings too. For me, sound remains "whatever is default and supports my card".
1 Vote
The problem is that with the current state of support for Intel HD graphics on FreeBSD, I'd have to use the VESA driver, which only handles up to 1024x768 resolution. This laptop's display has a native 1600x900 resolution. I might be able to deal with lower resolution, but dealing with 4:3 aspect ratio displayed on a 16:9 aspect ratio display is not something I'm keen to do on a daily basis.

> I had to find and figure out configsnd back in the day (or was it soundcfg.. never could remember). if they'll let you format the lappy.. give it a go

Who are "they"?
So, after actually taking the time to look at the new init.d script format; it makes sense.. or is easy to setup at least.

The old way was just an IF or Case for start|stop|restart|reload. I'd start with a blank file, write the if statement then drop my /path/script into place. Nice small row count.

The new way probably has its benefits that I'm missing. You copy /etc/skeleton to your desired new file name.
NAME=myscript
DAEMON=/usr/bin/$NAME
DAEMON_ARGS="-g"

So, it runs "/usr/bin/myscript -g" or $DAEMON$NAME $DAEMON_ARGS

In my case, it runs /root/bin/nsFirewall which sets basic iptables rules then includes my /etc/bastille/firewall.d/post-firewall-setup.sh for rules by port/source and finally inserts blacklists from a third file.

So for me, it means giving up an easy to write from scratch init.d script for an easy to copy and edit init.d script (though that I've yet to become familiar with beyond the relevant header comments and variable settings).
1 Vote
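The skeleton variables described in the post above, plus the check a practitioner would want before an init script runs a root-owned helper like the firewall script it mentions: an added shell example, not code from the thread or from Debian's own skeleton. The `myscript` name and paths are hypothetical, and `stat -c` assumes GNU coreutils as on Debian.

```shell
#!/bin/sh
# Added example, not from the thread. The three skeleton variables the post
# describes, plus a guard an init script should run before it hands root
# privileges to $DAEMON: refuse a target that is missing, not executable,
# not owned by the invoking user (root at boot), or group/world-writable.
# Paths are hypothetical; stat -c assumes GNU coreutils (Debian).

NAME=myscript
DAEMON=/usr/bin/$NAME
DAEMON_ARGS="-g"

# The command line the skeleton ends up executing
# (via start-stop-daemon --exec $DAEMON -- $DAEMON_ARGS).
daemon_cmdline() {
    printf '%s %s' "$DAEMON" "$DAEMON_ARGS"
}

# check_daemon_path FILE -> 0 if safe to execute as root, 1 otherwise.
check_daemon_path() {
    path=$1
    if [ ! -f "$path" ]; then
        echo "$path: not a regular file" >&2; return 1
    fi
    if [ ! -x "$path" ]; then
        echo "$path: not executable" >&2; return 1
    fi
    owner=$(stat -c '%u' "$path")
    if [ "$owner" != "$(id -u)" ]; then
        echo "$path: owned by uid $owner, not by uid $(id -u)" >&2; return 1
    fi
    # %a prints octal digits such as 755 or 1755; the last two digits are
    # the group and world permissions, and bit 2 of each is the write bit.
    perm=$(stat -c '%a' "$path")
    group_w=$(( (perm / 10 % 10) & 2 ))
    world_w=$(( (perm % 10) & 2 ))
    if [ "$group_w" -ne 0 ] || [ "$world_w" -ne 0 ]; then
        echo "$path: mode $perm is group- or world-writable" >&2; return 1
    fi
    return 0
}

# do_start: the check gates the exec, so a tampered or misconfigured $DAEMON
# is reported and skipped instead of being run with root privileges.
do_start() {
    check_daemon_path "$DAEMON" || return 1
    "$DAEMON" $DAEMON_ARGS
}

# Only dispatch when called with an action, e.g. "./myscript start".
case "${1:-}" in
    start) do_start ;;
esac
```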
Have you looked at Security Blanket by Raytheon Trusted Computer Solutions? It can help to automate the grunt-work of locking down many (rpm based) Linux distros, as well as Solaris. The feature sets of Security Blanket and Bastille are somewhat different as are the supported platforms, and Security Blanket is a commercial product. Full disclosure - I work at RTCS on Security Blanket. http://www.trustedcs.com/securityblanket
1 Vote
I'm a .deb
Neon Samurai 8th Mar 2011
But knowing Security Blanket is out there should I be working with a .rpm is great information. Also worth watching in case they do a Debian tuned version of it.
1 Vote
For sys admins - especially beginners, this is a very very helpful guide. I've been coming back to this application time and again as I am somewhat a desktop user, but since I use my desktop as a server for web and other services, it's a good thing to have Bastille around to force you to adopt sound security practices.

In my Debian unstable/sid box, Bastille is still there so I hope it's still around in the coming years as security is one of the important aspects in network computing.
That's my next step.. properly learn where Bastille was making all its changes with the assumption that it's not coming back.

When it disappeared from Deb 6 Testing I did watch it sitting in Unstable and then watched it drop into Deb 7 Testing while remaining absent from Deb 6 Stable. Hopefully the Debian maintainer will take over or enough Deb users with code skills will take interest to keep a Debian tuned version available.
1 Vote
Bastille...
Joe_Wulf@... 11th Mar 2011
Yep, and I've endeavored to use the 'latest' edition of Bastille recently without success. The efforts were geared towards RHEL 5.x, to which it isn't natively suited. Spoke with Jay Beale through email about it specifically. I suspect without his daily involvement it's going to continue to languish. I suggest folks turn to the Center for Internet Security (cisecurity.org).
0 Votes
Unix rules
adrian@... 25th Feb 2011
Haven't invested much time in Linux, but when I started out the only OS I used was SCO unix. Linux brings it to the masses. They can put any pretty shell they want over the top, but keep all Unix functionality available to those who want to delve a bit deeper.
2 Votes
the problem is
Jaqui 2nd Mar 2011
they are breaking away from the Unix functionality and making drastic changes to how the os is interfaced with, in the command line environment.

there is a strong movement away from initd to nextgen init [ can't remember the proper name right now ] because it is supposed to reduce boot times. these changes are making the transferable skills from unix strength go away, losing that for no real benefit to anyone.
2 Votes
If you miss that sense of community and camaraderie in Linux, then you should visit and get involved in the PCLinuxOS forum! By far, it's the friendliest Linux forum I've ever found, where "rtfm" is not allowed to be uttered.

As far as linuxconf, I wonder if there is anyone out there who could (or would) bring it back. It sounds very, very interesting.
1 Vote
SCO Xenix
oldbaritone 25th Feb 2011
Way ahead of its time. About 15 or 20 1.44M Floppies. The days when 14.4K modems were "fast", if you were lucky enough to have an ISP with dial-up ports that supported it, and phone lines good enough to handle it. The days of Trumpet WinSock and Chameleon.

X was the latest thing, but few had graphics cards or monitors that could do much useful with it.
hehe.. I know that joke's been recycled with every Windows release over the years but it started with Terminal vs. X
But Webmin will allow you to administer almost everything....
-1 Votes
I've taken to editing config files directly once familiar with them; especially in the case of Apache where I want to be sure of separate vhost.conf files, but Webmin is a great point/click starter - even if one never leaves it for direct config editing.
5 Votes
Moderator
I visited a LUG meeting in Biloxi, MS in the mid-90s, mostly out of curiosity. I had just been forced to convert from MS-DOS to Windows 3.0, had heard about Linux from an acquaintance, and wanted to know about the alternatives. I apparently chose the wrong night to attend...

When the over-40 me started asking basic questions about the operation and construction of Linux, the room full of 20-somethings and teenagers essentially told me to rtfm. The most obnoxious and officious of the little twits even asked why I was there when it wasn't beginners' night. I didn't consider Linux again for over 10 years; I'm sure I'm not the only one.

I can do condescending as well as some (and better than most), but it's unfortunate for Linux today that some of the same obnoxious 20-somethings and teenagers that made up the Linux community 15-20 years ago still seem to be around, and still have the same attitudes towards beginners.
2 Votes
I've felt the same way. I'm no dummy - member of Mensa, bachelor's degree in software development. But I'm not a sysadmin - actually, I'm an IT trainer/risk manager. But the forums have become such a strong community that outsiders either have to live in the community for some time or find their answers elsewhere.

Eventually I started using Ubuntu because I was able to do so without the need for support. The support model's strength (community) has become its weakness.
2 Votes
Moderator
The majority of long-term Linux users are, like Jack, more than willing to help the newly initiated. However, almost every Linux forum I've been on in the past year or two still seems to have one member who will go out of his way to make the "n00b" feel unwelcome.
1 Vote
human nature
apotheon 2nd Mar 2011
It happens. The freebsd-questions mailing list has one of those -- though he's outnumbered.
If I'd been in attendance, you'd have seen at least one 20 something telling the others to get stuffed and climb down off their high horses. That elitist crap shouldn't fly in any group. There are some good communities out there and some very helpful people. Sadly, the vocal elitist minority seems bent on opening its mouth for whatever self-satisfaction they gain by putting others down.

("some should keep their mouth shut and let others think them a fool rather than open their mouth and prove it")
I had the shortest hair in the room by about five or six inches and was obviously military. Even into the 90s, Biloxi had a love-hate affair with Keesler AFB, and probably still does today.
They were sociable enough, but their topics were way over this newbie's head. University-based, the membership was mostly academics with a smattering of local programmers. I recall an in-depth discussion of someone's new security suite intended for government applications. Neither meeting had over 15 people in attendance. I don't think they'd done an install-fest in a couple of years. I did manage to move a dozen or so older boxes to one attendee.
1 Vote
wow
apotheon Updated - 1st Mar 2011
I've never seen a LUG like that. All the LUGs whose meetings I've attended have been full of people who bend over backwards to make new users feel at home, and to help them out. It sounds like their behavior was atrocious and entirely uncalled-for. I'm sorry you had that experience.
Sorry to hear about that bad experience. In my 5 years of using Linux (Debian and lately Ubuntu), I have yet to find these little obnoxious buggers. Though I mostly interact over the internet. Though I just don't get why most teens and 20 somethings, when grouped together -- mostly act obnoxious and officious, they think they own the world or something. Really sorry to read about such a bad experience, you could have been one of the Linux contributors if not an ardent user and evangelist of an alternative system.
There is a healthy community of Linux nerds that run a non-profit called "Free Geek" in Portland, Oregon.
http://www.freegeek.org/

It's an electronics recycling facility that collects unwanted computer equipment and loads Linux on it, only to give them away. They are called "Freek Boxes" and they are a great community resource. Surplus is donated to schools.

I bring it up because it's a non-stop Linux install fest.
1 Vote
Try Solaris. Oracle/Sun have gone out of their way to make it as hard as possible to get to grips with.
1 Vote
ugh
apotheon 1st Mar 2011
I don't like the dumbing down of Linux-based systems over the years, but I don't like perversely difficult systems either. I prefer something that empowers the knowledgeable user, even if it has to give up some newbie-friendliness to do so. That's one reason (of many) I prefer FreeBSD -- though FreeBSD can be set up to be incredibly user-friendly as well.
1 Vote
Solaris
dhearne@... 11th Mar 2011
Is not that hard to install. On the plus side, once it's up, it's pretty easy to keep going. It takes 3x as long to install something in Linux as it does in Solaris because there is only ONE Solaris package to choose from, instead of 30-40 for Linux.
1 Vote
look around Jack
Jaqui 2nd Mar 2011
here in Vancouver FreeGeek does windowless Wednesdays every week.
a weekly install fest.
[ though they do only provide disks of ubuntu, sadly. promoting that security butchered distro is not helping linux. ]
1 Vote
an idea
apotheon 2nd Mar 2011
Maybe you should get involved and bring stacks of FreeBSD disks and USB installers. It turns out that the major Linux distributions I've checked out make it quite difficult to make an installer work from USB flash media, but FreeBSD makes it quite easy, offering an installer image specifically for USB flash media devices.
2 Votes
well
Jaqui 2nd Mar 2011
I'm trying to get them to look at other distros first
then get them to look at other free software operating systems.

takes time to change people's minds from the ubuntu golden child mentality though.
It was more mismanagement and then denial of problems leading to implosion, than any problem with Linux game buyers. See http://web.archive.org/web/20030210183226/http://www.linuxandmain.com/features/lokistory.html and then see how much of the recent Humble Indie Bundle's sales/contributions came from Linux users!
1 Vote
You used to have to give magic numbers to the reboot system call to get it to work right:

/*
 * Reboot system call: for obvious reasons only root may call it,
 * and even root needs to set up some magic numbers in the registers
 * so that some mistake won't make this reboot the whole machine.
 * You can also set the meaning of the ctrl-alt-del-key here.
 *
 * reboot doesn't sync: do that yourself before calling this.
 */
asmlinkage int sys_reboot(int magic, int magic_too, int flag)
{
        if (!suser())
                return -EPERM;
        if (magic != 0xfee1dead || magic_too != 672274793)
                return -EINVAL;
        if (flag == 0x01234567)
                hard_reset_now();
        else if (flag == 0x89ABCDEF)
                C_A_D = 1;
        else if (!flag)
                C_A_D = 0;
        else
                return -EINVAL;
        return (0);
}

(from kernel 1.0)
1 Vote
Slackware
willyeverlearn 3rd Mar 2011
Unless you remember Slackware and Patrick Volkerding you have not been around very long {8^)
1 Vote
Remember . . . ?
apotheon 3rd Mar 2011
What do you mean "remember"? Slackware is still around, and it's still being developed by Patrick Volkerding.

. . . and I still don't want to use it. Its partitioning is user-hostile, for instance. I'd rather stick with FreeBSD, which works as advertised.
Boy do I ever miss downloading tens of 1.44MB floppy images via 14.4K modem (Linux 0.99 + X11R5 circa 1992).

The reality of it is, there isn't a single thing I miss about any Linux of any year.
1 Vote
What do you use?
apotheon 3rd Mar 2011
I'm curious about your OS choice, now.
0 Votes
I use
jblaine 4th Mar 2011
Windows 7

(I administer Linux and Solaris boxes all day)