...anyone who has a voice after Saturday night at DEF CON? It wasn't really Saturday night at DEF CON, right? Okay, so anyway, we'll start now. My name's Jay Beale. I'm here to talk about Bastille Linux; we've done a lot more with the tool now, and I want to show you what we've done. It's been a little while since we've talked about Bastille at DEF CON, and we've got some more to show. What's that, louder? Yeah, how's that? Stick it up any better? No. Okay. Try and type while I do this. Move closer. Like this. I will eat the microphone. I stole that from Raven. Okay. So I'm here to talk about Bastille Linux. My name's Jay Beale, and we've done lots of new stuff: one major new thing and a lot of little things, and I'll show you what we're doing. By the way, if you've got the slides that are on the CD, these are slightly updated. They're only minor updates; the stuff on the CD is pretty comprehensive, these just look a little bit nicer, so you can grab them from here. I'll let you write down the URL. I will let you stop writing down the URL. Okay, so I'm gonna tell you about what Bastille did before and what it does now. We'll take a pretty in-depth look, and I'll even tell you a little bit about how you can extend it yourself, because, well, it's open source, and we could always use the help, and heck, if you wanna do it yourself back home and not share, we'll be okay with that too. So Bastille Linux is a hardening program for Linux. That's a whole bunch of distributions: that's Red Hat and Mandrake and SUSE and Debian and Ubuntu and Gentoo and TurboLinux, and there's probably one or two others, but I'm not sure. Not yet Slack. I'm so sorry. I know, I keep promising Slack one day. Okay, well, Slack once I get a Slack VM, right?
But it also works on HP-UX, because Hewlett-Packard put in some programmers, and they've been helping a whole lot, and it works on OS X, except not 10.4, because Cisco's VPN client didn't work on 10.4 on my first install, so they'll blow that away. Thank you. But yeah, so it works on plenty of Unixes, and we're expanding that list. The biggest thing that differentiated Bastille from other hardening scripts before was, well, first, that we shared it, right, instead of us all using our one-offs, but also that it educated the administrator about the process, about hardening and about what they could harden. It tried to get people to stop using telnet, for example. Tried to get people to stop using clear-text protocols. Who's seen the Wall of Sheep? I can't believe that wall's still scrolling. I just, how could you walk by there, see your picture there and not start telling everybody, oh my god, clear text, bad? Anyway, the new news is that Bastille now has a kind of audit or assessment function, and what it's doing is it can actually tell you how well-hardened the box is so far. It can say, these are all the hardening steps I know about, these are the ones that you've done, these are the ones that you haven't done. And on the idea of well-hardened, it can also compute a score. So you can say, this is how well-hardened this box is, and well-hardened is something that you can define personally, you can kind of take the Bastille team's advice, or you can get a definitions file that talks about how well-hardened the box should be from your organization, whatever that organization is, employer or auditing board or whatever. So let me just show you how the two of them interact, and hopefully I'll be able to keep this mic close enough to my throat that you guys can still hear me. But let me just demo and show you how it works, so I don't keep just talking about it.
Tempting to keep the mic. Can you guys hear me in the back still? Oh man, choked on a microphone. What's that? How's that? Better? Tip it up, slightly in front of me. Stand on one foot, start typing. Okay, I can do that, that's easy. So, let's see. I'm SSH'd right now into a Fedora Core 4 system. So what I'm gonna do is, Bastille, can you guys see the bottom of the screen? Oh yeah, these are great screens. Okay, so I'm typing bastille -a, for audit, and it's gone and it's just finished the audit. It's kind of a fast process. And this is what our initial audit report looks like. What you've got here is a score out of 10, and I'll tell you more about that score over time. And this thing right here says how we got that score, what weights file we used. I'll talk about weights files some more, but basically who decided how your system should be scored is in that. Okay, so there are items here that don't have a weight. There are items here, here, let's see. So I'll show you basically the way this works. Bastille has a whole bunch of modules, and you're gonna see these modules; I just want you to see the structure of the report. So one of them is called File Permissions, or, we'll page down a little bit, okay, one of them is a Sendmail module here. So here's the DNS module here, just at the top of the screen. And this basically is an item called chrootbind, and that's a label you can redefine if you like; it can be item 4.3 if you like. Here's a question: is BIND in a chroot jail, is it set to run non-root? Here's your current state: yes, it is. Here's the weight of that question. Sorry, you didn't really get anything for it; it was weighted zero. That wasn't something that you were required to do, or it wasn't something that you were considering all that important. And then here's the score contribution based on that weight. Does that make sense?
So the idea is, oh, and if we go to that question, you get a little pop-up if you've got JavaScript on in this browser. This is all running locally, so we won't talk about JavaScript issues and all that. Let's just trust me for now. This is running locally; the idea is that the browser isn't off doing other things. This browser's popped up by Bastille. You can have another browser hanging around; this is your separate one. So we've got a pop-up. If you don't like pop-ups, you can turn off JavaScript in it and you can just click on the question and we'll give you, can you guys see that? No, okay. How's that? Okay, so this question is named in a chroot jail. This is the thing that's being checked. And it's also an item that can be hardened in Bastille, and this explanation here basically says this is why you should do this. And I'll show you that some more, but one of Bastille's things is it says, listen, here's why you should chroot named. Because you could be a total newbie. You could be like, what does chroot mean? What's named? And so we'll try to give you a feel for it. We'll say, okay, this is what you should know. This is why you should do this. Maybe this is when you shouldn't. This is when, because everyone's always concerned with hardening: what if that's gonna break something? Oh, it's gonna break something, right? So the idea is, okay, I understand that risk. Let us tell you when it would break something, when it wouldn't break something, and let you make an informed decision. Does that make sense? So here's my report thing, and it goes on for pages. You can print it out if you like, but there's also something where you can just contract all the modules. We're working on a cooler-looking version of this, and I'll tell you a little bit about that as we go on. But you can contract all the modules and say, just see one of them. So it's a fun little interface. It's a simple little interface, but it does the job.
There are of course people who are really into, who are really saying, listen, why can't I run this in text mode? I'm not really an X person. If Bastille finds that you're not actually doing X forwarding, it'll pop up its own text browser, Lynx or w3m or Links2 or the other Links or whatever it is. And then there's two other things here. There's also a text version of that, so you can see it like that. And then the other piece, which I'm gonna refer to later, is that there's something that's machine-parsable. And by machine-parsable, the weird thing is this thing looks a whole lot like a Bastille config file. This will come up later. We can give you a version that says, for each module, for each item number in there, what your current state is: whether you're hardened, whether you're not hardened. The Y's and N's or whatever are basically the answers that it found on the system. Does that make sense? So I'll show you, let's take this and run Bastille normally. I'm running bastille -x to show it in X. Oh, there's something everybody should know. We all, remember when we would always telnet into systems and you'd type xclock, you'd type netscape, and you'd see things pop up graphically, and that was good. And then we did that with SSH, and that was good. And then it stopped working. Like all of a sudden you SSH'd into something and there was no X anymore. Anybody have that? Raise your hand if you had that happen. Maybe only a few people have had that happen. Just ssh -X and it's like it used to be. It's a security thing, almost, sort of, kind of. Anyway, so I've started up Bastille, and I don't know, can you guys read this? I can't see from over here. Okay, well, anyway, why don't I just, I'm gonna, fine. What this basically is, is there's a bunch of modules on the left side, and I'll show you a screenshot later on that'll be a little bit easier to see.
But there's a bunch of modules on the left side. There's a question up here that says, would you like to do this thing? There's an explanation here that says here's why you would want to and here's why you wouldn't want to. It's the same one you saw on the auditing side, and then there's a yes or no. So we can kind of go through and just tell it we want to harden the system, and I'm basically just choosing the defaults for now. The defaults for Bastille are basically chosen so that you won't screw things up too badly if you just go through and never make a decision, if you always click yes or always click no. You're losing a lot of the benefit if you do that the first time, because we've probably got something to tell you about. Okay, Bastille's got a firewall that I'm skipping, for anybody watching, and another tool that I'm skipping that I'll talk about later. So Bastille will go and it'll basically just say, these are the things I did, and there's an error in here because it's trying to work on inetd.conf and there isn't one on the system, and there's no xinetd either. But that's not something to really worry about. So what I've got right now is, if I were to look at the number of things that are still running, okay, well, that should be all. Okay, well, what I can do right now, let me just rerun in audit mode and show you. I just went through and hardened the system, and I hardened the system with pretty significant speed because I wasn't trying so much to demo the tool. What we just did was we went from a score of five point something to a score of eight point something, almost nine, and if I'd chosen something stricter than the defaults all along we'd actually have a higher score. And we can look at basically each question and say, okay, what got turned off and what got turned on. Does that make sense?
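An added, illustrative example of the scoring mechanics described in the demo: a weighted score out of 10 computed from Y/N audit output, with a per-item breakdown (state, weight, contribution) and a comparison of one box against a saved policy file. This is not Bastille's own code. The `Module.item="Y"` line syntax, the weights-file syntax and the formula (10 times the weight of hardened items over the total weight) are assumptions modelled on the report structure the talk describes, and all item names and sample files are constructed.

```python
"""Weighted hardening score and policy-skew check over Bastille-style
config files.  Added example, not Bastille's own code: the line syntax,
the weights-file syntax and the scoring formula are assumptions."""
import re
from typing import Dict, List, Tuple

# Assumed line syntax, modelled on Bastille's Module.item="value" config
# lines.  "Y" = hardened / answered yes, "N" = not hardened.
LINE_RE = re.compile(r'^([A-Za-z0-9_]+\.[A-Za-z0-9_]+)\s*=\s*"([^"]*)"$')


def parse_config(text: str) -> Dict[str, str]:
    """Parse Module.item="value" lines into a dict.

    Blank lines and '#' comments are skipped; anything else that does not
    match raises, so a truncated or hand-edited file is never scored
    silently with items missing."""
    items: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not a Module.item="value" line: {raw!r}')
        items[m.group(1)] = m.group(2).strip().upper()
    return items


def parse_weights(text: str) -> Dict[str, float]:
    """Weights file (assumed format): same keys, value is a number >= 0.
    Weight 0 means 'checked and reported, but worth nothing', like the
    chrootbind item in the demo report."""
    weights: Dict[str, float] = {}
    for key, value in parse_config(text).items():
        w = float(value)
        if w < 0:
            raise ValueError(f"{key}: negative weight {w}")
        weights[key] = w
    return weights


def score(state: Dict[str, str], weights: Dict[str, float]) -> Tuple[float, List[tuple]]:
    """Score out of 10 = 10 * (weight of items in state 'Y') / (total weight).

    An item listed in the weights file but absent from the audit output
    counts as not hardened: unknown is not a pass.  Returns the score and
    a per-item breakdown (key, state, weight, contribution)."""
    total = sum(weights.values())
    if total == 0:
        raise ValueError("weights file has no non-zero weights; nothing to score")
    rows = []
    earned = 0.0
    for key, w in sorted(weights.items()):
        st = state.get(key, "N")
        contribution = 10.0 * w / total if st == "Y" else 0.0
        earned += contribution
        rows.append((key, st, w, round(contribution, 2)))
    return round(earned, 1), rows


def skew(template: Dict[str, str], state: Dict[str, str]) -> List[str]:
    """Skew detection: items the template policy hardens ('Y') that this
    box has not ('N' or missing from its audit output)."""
    return sorted(k for k, v in template.items()
                  if v == "Y" and state.get(k, "N") != "Y")


# Constructed sample data (not real Bastille output); total weight is 10
# so each contribution is easy to read.
WEIGHTS_TEXT = """
# weight per item
DNS.chrootbind="0"
DNS.namedoff="2"
Sendmail.sendmaildaemon="2"
FilePermissions.suidmount="1"
Firewall.ip_enabled="3"
Logging.morelogging="1"
MiscellaneousDaemons.remotefs="1"
"""
BEFORE_TEXT = """
DNS.chrootbind="Y"
DNS.namedoff="N"
Sendmail.sendmaildaemon="Y"
FilePermissions.suidmount="Y"
Firewall.ip_enabled="N"
Logging.morelogging="Y"
MiscellaneousDaemons.remotefs="N"
"""
# After taking the defaults but skipping the firewall, as in the demo.
AFTER_TEXT = (BEFORE_TEXT
              .replace('DNS.namedoff="N"', 'DNS.namedoff="Y"')
              .replace('MiscellaneousDaemons.remotefs="N"',
                       'MiscellaneousDaemons.remotefs="Y"'))
# Policy file saved from the other web servers, which did enable the firewall.
TEMPLATE_TEXT = AFTER_TEXT.replace('Firewall.ip_enabled="N"', 'Firewall.ip_enabled="Y"')


def report() -> Tuple[float, float, List[str]]:
    """Score before and after hardening, then check the hardened box
    against the web-server template.  Returns (before, after, skew)."""
    weights = parse_weights(WEIGHTS_TEXT)
    before, _ = score(parse_config(BEFORE_TEXT), weights)
    after, rows = score(parse_config(AFTER_TEXT), weights)
    missing = skew(parse_config(TEMPLATE_TEXT), parse_config(AFTER_TEXT))
    for key, st, w, c in rows:
        print(f"{key:36} state={st} weight={w:g} contribution={c:g}")
    print(f"score before: {before}/10, after: {after}/10, skew vs template: {missing}")
    return before, after, missing


if __name__ == "__main__":
    report()
```

With the constructed files the box scores 4.0 before and 7.0 after, and the skew check reports the one template item (the firewall) that the hardened box still lacks. Treating a missing item as "N" rather than ignoring it matters when a weights file is newer than the audit output: an item the auditor added but your Bastille version never checked should lower the score, not silently vanish from it.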
So that's kind of the idea: there are tools that have been auditing before and there are tools that have been hardening before, and now we're kind of doing both, and that's got a certain advantage. One of the advantages is that you can motivate people to harden more, because they're like, wow, hey, look, I can see my score. Or you can, well, I've got slides I'll show you, but the idea is that it's a pretty useful thing to be able to even have tools line up. Well, let me show you slides. Okay, here now I can probably be heard a whole lot better. So in essence the first question is kind of, why do you do assessment at all, right? I just showed you, hey, we built an audit tool, and you're like, wow, gee, I'm not an auditor, why do I care, right? Maybe you're not thinking that. Maybe you're thinking this is really cool, and that's what I hope you're thinking, but if you're not, maybe I can tell you why it's useful. Can you hear me, or am I still not eating the mic sufficiently well? Okay, I will keep trying to eat the microphone.
Okay, so in terms of why you do assessment in the first place: the first reason you do assessment is because it teaches the sysadmin about things they could harden. It teaches them about hardening settings they could apply that they might not have known about before, and one of the weird things in the Unix world is we kind of all feel like we know everything, and it's hard to find out that there's something you don't know if you feel like you know everything. And so the idea of this is to show you what you might not know, or at least what hasn't been done to the system yet. Bastille has always had this education thing as a second purpose. This is a normal screenshot; this is what I was going through before, but a little more blown up. If we look at this, what we're doing is, this goes and says, hey, do you want to turn on stack protection in the kernel? Here's the reason you want to do this: it turns out you can break tons of buffer overflow exploits, one of the major kinds of exploits out there, if you just turn on the stack protection. Here's when you don't want to: gdb is one thing it doesn't work with if you turn on stack protection. What else? Well, not much else. Okay, so we can tell you, here's what we'd like to do, and find out if you want to do it. Why else do you do assessment? Triage, right. You basically take each of your systems, you're like, I'd like to harden my systems, I don't know where to start. I can start at my workstation, yeah, that's good, right, but I don't know where to start. I can go with the most vital servers. How about which one's worse? How about pick the one that's least hardened, the one that's in worst need. So you can basically go and take Bastille and generate that score, or look at that config file, look at what things matter. If you know what things matter, you could set weights according to these are the things that matter, and then score
your systems, right. The score thing, the user-configurable score thing, lets you start saying, okay, these systems are worse, I'm gonna take care of them first. Or, these systems are worse, I'm gonna maybe do a little bit of incident response because they're so bad, right? Does that make sense? Or maybe I'll start with running my nmap scans, running my Nessus scans. I'll look for vulnerabilities in the system. I'll look for backdoors on the system; that's really what I care about here. Okay, what else? Another reason to do assessment is that auditing happens. You will be audited. We all get audited at some point. Maybe you don't, but a lot of us do; a lot of my clients do, right. So the idea is, okay, you know you're gonna get audited; it'd be nice to find out what's gonna show up, what's gonna happen, and be able to work kind of proactively. And so the idea here is to give you a tool that's equivalent to your auditor's tools, and you can use a weights file, again, that's basically defined the same way your auditor's is. And that's our hope. If anybody's with any of the major auditing organizations, I've worked with CIS, if you're with ISACA, if you're with one of the other organizations and you want to contribute something, I would love it if you would help contribute work on weights files. Just help us tell, okay, what are others looking for? But I mean, we've got a framework now where we can do that. What else? Bastille could be helpful here with compliance. Okay, if you've just gotten hit over the head in the last year with new legislation that says, okay, we've got to care about security now, or, you know, we're gonna get measured on it, we already always cared about it, well, maybe Bastille can help you in figuring out how well you are in compliance. The weird thing is that some of these compliance regimes are actually really kind of fuzzy. They say that you've
got to do due diligence, that you've got to do a pretty good job, right? Well, what's that mean? Well, if we've got an idea how systems scored, and we can show, okay, well, we went from here to here, or we can say, listen, most of our industry does this, they score at this on this weights file, well, then you start being able to say that you're basically keeping up with your peers, which is what due diligence means. It doesn't mean that you did everything possible; it just basically means you did what most everybody else who's doing a good job is doing. That's kind of fuzzy, but we'll try to help you with that anyway. What else? You could go and say, this is another thing that comes up in universities, network protection. It's saying, listen, I'd like to make sure that before Unix systems are put on my network, I want to make sure that it's well patched and I want to make sure that it's well hardened, and if it's well hardened to basically these standards, then I'll let it on the network, and if it's not, well, I'm sorry, you know, just come back in a day when you're done, or actually, since hardening is pretty fast, as you guys saw, you know, come back in five minutes. Does that make sense? Is this kind of interesting, you guys, useful? Okay, cool. The other thing is scoring has this awesome psychological power. Okay, I worked on another tool like this, and I remember when we were developing it, it was the CIS Unix scoring tool, and when we were developing it they said, we're going to give you a score, we want to compute a score, and I'm like, a score, one number? I mean, I studied mathematics, okay, you know, I did physics too; we don't have one number. I was like, oh god, at worst, like making a ten-element vector and then, you know, compute some kind of a mean of that or whatever, you know, compute a metric based on weights of that. And it's like, no, no, no, no, one number. And I'm like, one number, okay, fine, management folks will like
one number. That was my first thought. It turns out geeks like one number too. One number is really kind of useful, okay. The score thing is really nice because people are naturally competitive, and geeks are naturally competitive, and hackers are really naturally competitive, right? So the idea is that first, people get around to hardening sooner. People are like, you know, I'm meaning to harden that system, I'll get around to it later on. All of a sudden, when they're confronted with, you know, a score that says mediocre, they're like, wait, I'm not mediocre, I kick ass, you know, that's not the way this should be. I should never score a four. I'm not getting around to that later, I'm doing it right freaking now. Okay, so I'll give you an example. We had a security instructor who is a SANS instructor, you know, an instructor teaching lots of people things. He thought a lot of himself, of course, as we all do, right? And he said, okay, I'll beta test your software. So he's beta testing, and he ran this thing on his workstation, and his workstation came up about a six out of ten, and he got peeved. He's like, what are you saying, this is the mediocre issue? He said, I'm not a six out of ten, screw that. And he sat down, he didn't even talk to us, he just sat down and started hardening his system, and ten minutes later he ran the tool again and it gave him an eight, and he's like, ah, that's more like it. I'm not a six; a six is like, you know, sixty percent, that's like a D. No, no, I'm much better than that. It's nice to play against people's ego. He didn't see himself as a six-out-of-ten kind of guy. Fine by me; whatever gets him to take proactive security measures is good. Okay, this has happened lots of times. When we were developing this previous scoring tool, we talked to a bank, and the bank had set up a scoring tool they'd created. Their security folks had, like many security folks in organizations, no power whatsoever. It wasn't like the hand of God,
you know, you will harden. It's not like that. They were like, ah, we'd like to help, how can we help? And that's what a lot of security folks in organizations are like. So they went to their sysadmins and they said, here's this tool, why don't you try and run it once, okay? And so they ran it once. They didn't have any mandated high score; they didn't have any mandated anything. The only thing was, can you try this tool once, let us know how it goes. And so they did start using it, and different groups of sysadmins had different reactions. They're basically all positive, but there were some sysadmins who started voluntarily posting their scores up on a cork board outside their cube. Okay, I know that sounds really, really nerdy, but, you know, okay, we're all really nerds here, right? We're just pretending to be cool. Okay, maybe you all are cool; I'm just not. But the idea is, like, okay, it'd be really great if we got people competing, and they do. The stock Linux system scores around a five. This doesn't work on Solaris yet, but I wouldn't be surprised if, like, a Solaris 8 system scored around a three, right? Solaris has got freaking everything on by default. We will get around to porting Bastille to Solaris; it's just a whole lot of work. Anybody wants to help, we've got two people who are working already, and we'd love the help. But so that's why you do assessment, why you do audit. These are the useful things about pushing an auditing tool in your organization, or pushing whatever. So why do you like the two together? Why did we add auditing to Bastille instead of just creating a new auditing tool, right? That'd be kind of cool. Well, the idea is that when you're hardening a system, it creates a policy file. When you go through this interactive yes, no, yes, no, yes, no, yes, no, you get a policy file
whether you like it or not. It just gets saved; they get saved in this given place, and you can take that policy file and do something with it. Well, one of the things you can do with it is you can feed it back in and see how well you're doing against that policy file. You could say, okay, it's been three months, I've been patching, I have, you know, ordinary system rot, I'd like to know how far off I am. The other thing, in terms of that policy file, is, since we create a policy file by default every time you harden, you can take that policy file and say, this is my policy file for all my web servers, and now you don't have to run through the whole Bastille thing again, right? It's got a back end where you just feed it the policy file, it sucks it in, hardens the system, and, you know, two minutes later you're ready, right? You can take that policy file and reuse it, and there's a lot of reuse. I was just talking about skew detection. If you take that policy file, you've said, this is my web server template. Suppose you've got a web server that's older. Maybe you can't harden it. Maybe the boss has said, listen, we don't want anyone making any substantial changes to the system; you can make changes one at a time by hand. Fine. You say, all our other web servers are here; I've got a policy file that says how they were hardened; let's see how this one stacks up. So I take this one and I run the auditing tool on it, and it says, okay, these are the four things that you normally do to all your other web servers that you haven't done to this one because it's older. Is that cool? Does that make sense? So it's called skew detection, and it's a decent thing. There are some politics to this. There's a reason I keep talking about psychological powers. Psychology is a really weird thing to be talking about with regard to hardening, not necessarily with regard to DEF CON, right? You're all psyching each other out all
the time, these psychological games, eh? This is the weird thing: psychological games in the workplace, right? We're all used to it if we're in the workplace. Politics: there are lots of times where you can't harden a system by hand or with a tool because someone says, oh, no, I think that might break things, or, you can't touch that, that's my system, no changes, right? The nice thing about this is that you can say, we've got all of our web servers, we've got four web servers that I built, we've got the one that, you know, Mad Max is still maintaining, and Mad Max says anyone who touches his system gets his fingers chopped off. Okay, well, you know, listen, Mad Max's boss, my boss, can you just ask Mad Max if he'd run this tool for you once? Like, just run it, just auditing, read-only, won't modify the system in any way. And if you survive the act of requesting that he run it, what do we find out? Well, we find out Mad Max's system scores far worse than the rest of the systems that do the exact same thing. Oh, great, now we've got another way to get the worst systems hardened. I care about hardening so much, right? I care about hardening so much because, while it's kind of, you know, one of the least exciting areas of computer security, right next to, like, policy and logging, you know, it's still extremely effective. You don't get boxes rooted. It's really nice to not get boxes rooted. It's not a lot of work either if you're using a tool for it. So anyway, you can run Bastille, and basically other auditing tools, read-only, and the idea is, okay, we'll learn something about the system without having to modify it. This really helps when you have a shop that does manual hardening. People say, okay, we only modify things by hand, we don't trust any tool whatsoever, we don't trust any tool that doesn't come with a million-dollar warranty from the vendor and a EULA that says, you know, we'll of course take care of any losses you incur from bugs in
our product, right? If you can only do manual hardening, fine, we'll tell you what to do. Read-only means you don't have to stop doing manual hardening; it just means we'll help you out and tell you what you should do. Toward that end, we're working to create Bastillix, I don't know, we're going to have to call it something else, but basically Knoppix plus Bastille. So you've got a system, and we will basically just let you shut it down, you bring it back up booting Bastillix or whatever we call it, okay, and it starts up and it says, okay, I'm not going to mount the drives read-write, mount them read-only, run Bastille, here's your score, here's your score report, no changes ever made to the system. You can do this to Mad Max's system while he's on his lunch break, or taking a sick day, right? As long as you have someone's permission or something. Okay, so I've been talking about trying to convince people to harden. I've been talking about the psychology. I've been talking about how it is you do it: you can use this tool to do it, you can use this tool to find out how well you've hardened. But the big question always comes up: why the heck do I harden in the first place? Okay, basically, if I haven't made it very clear what hardening is already, I'm about to. Hardening is just the process of trying to make a system harder to break into, and the idea is that you take any settings you can tweak and you tweak them; you turn things off, and you configure the stuff that you left on better. Okay, so the first objection we always get to hardening, hopefully not at DEF CON, is that people say, my box isn't interesting enough. We're just a little K-through-12 school, you know, why is anyone gonna attack us? We're just a paint thinner company, you know, why is anyone actually gonna attack our computers? They're not interesting. You're not gonna get any money out of attacking our computers. Worst case,
you might have some extra paint thinner shipped to you. You know, what hacker wants that? Can you do anything with paint thinner that I don't know about? Okay, I don't know. Anyway, so everyone says, I'm not interesting enough, I won't be targeted. Does anybody at DEF CON still think this? Okay, don't raise your hand, but if you think this and you put your laptop on the wireless network, well, try running an IDS for a few minutes, or a packet capture program. You'll see some very interesting attacks coming your way. I wonder how many port scans everyone on the DEF CON network sees per, I don't know, minute. Anyway, low-value targets aren't okay. Most targets aren't low value; this is something we should all understand. Your box is useful as the next hop on the way to the target, just to make it a little bit tougher to track the attacker back. Your box is good as a peer-to-peer host. Your box is good as a warez distribution site. Heck, you could be low bandwidth, and your box would be useful as an IRC bot. Your box will be useful to someone. The thing is that your box isn't usually targeted anyway. Most of our attacks don't come from being targeted, and when they do, half the time, probably at least half the time, we don't know that we've even been compromised, because people are that good. But most of the attacks that we see are these script kids coming after us. Most of the attacks that we see aren't targets of choice; they're targets of opportunity. Okay, so your attacker had an exploit against, say, you know, one particular version of PHP, so they go and they scan a large swath of the Internet. They go and scan the entire Comcast @Home network, and they find your box along with a hundred others, and they take those hundred systems and they pwn them and write, you know, these boxes now belong to them. But it's not because you were targeted; it's because you had an IP on Comcast that day, and that was the guy attacking that
day, right? That was the network this guy was scanning. Does that make sense? Okay, I think that's kind of obvious at DEF CON. Okay, so we do tons of patching, right? We do tons of patching, we're constantly patching. I mean, I spent all of yesterday patching and all the day before that, and every single day patching. We all patch and patch and patch and patch, right? Well, okay, not really, but we do lots of patching. The problem is that if you patch, you still get compromised. You're like, wait, I patch every single day, why do I get compromised? I patch every single day at midnight! Well, you still get compromised because you've still got these windows of vulnerability. A window of vulnerability is basically the time during which somebody's got a working exploit and your systems are still vulnerable. So the time where someone has a working exploit and your system is vulnerable, that's your window of vulnerability. It's broken apart into three parts, two of which you have no control over. The first one is, can you guys still hear me, or am I not licking well enough? Sorry. The first part of your window of vulnerability is where the exploit exists but the vendor doesn't even know about the issue. Call this 0-day, right? You can do nothing about that. If nobody knows about the vulnerability except the people with the exploit, and they're hitting you, well, you're vulnerable whether you like it or not. We can do something about that: hardening actually works on this. The next piece is, an exploit exists and the vendor isn't done creating a patch. It takes them a little while; say it takes them, you know, a week, but really nowadays it's about a month, okay. And then the third is, a patch exists and you haven't applied it yet. Most of us patch kind of closer to monthly, or, you know, weekly, maybe; it would be nice if weekly, right? But some people only patch quarterly, and God, some people patch
yearly, and some people never patch at all. But the issue is that because you've got these first two parts of that window, even if you patch perfectly, you still end up with a vulnerable machine now and then. You're just kind of rolling the dice, hoping that today your machine isn't vulnerable and attacked at the same time. Does that make sense?

So the idea is we like hardening because this is reactive. Reactive is going and patching; reactive is going and saying, "Oh God, we just got attacked on this port, people are attacking on this port, maybe I should set my firewall to start blocking SQL Server queries," right? That's kind of the reactive process. The proactive process is configuring that firewall ahead of time and saying, "Wait, there's no reason for anyone to do SQL queries from outside my network into my network," or better yet, "These are the protocols I allow in, and I don't allow the rest in." So if SQL ends up being the worm tomorrow, not so much the worries. Okay, the other thing we do is we harden a host, because if we harden a host, maybe it won't be vulnerable.

Okay, hardening is just the process of configuring a system for better security. It means you turn off things you're not using; it means you're better configuring the stuff you are using. It doesn't involve kernel-level modification of the system like SELinux or PitBull or TrustedBSD or Solaris or what have you. It does involve going and looking at permissions and access controls, and looking at whether the permissions are appropriate or too lax. Remember a couple of releases ago Apple, my trusty Apple, right, had a wonderful vulnerability that let any user on the system backdoor a bunch of third-party applications because the permissions were world-writable? Anybody remember that? That was a really good one. Dave G found that; it was awesome. Multi-user systems... I'm sure some people at universities had a
really great time with the Apple Xserves. What else? The other side of it is it involves basically tweaking settings in the system and in the applications to give users only the access they need, not really any more of it. Okay, it comes down to two principles: one's least privilege, the other's minimalism. Least privilege says, basically, our user or whatever only gets whatever privilege the users need, right; the users only get what privilege we want to give them. Minimalism says we configure the system for fewer features. We say these are the features we're using, let's better tune the system. You'll get some nice speed out of this, right, because you won't be running 50 applications, you'll be running five, just the five that we're supposed to be running here, in essence. Okay.

Now there's one thing people ask: well, what about kernel-level stuff? The kernel-level stuff is basically complementary to hardening; you can basically do both. My Fedora Core 4 system has SELinux turned on and I'm hardening it with Bastille. Okay, the thing with kernel level is that kernel level can be really awesome because it can contain a lot you can't do with hardening. On the other end, hardening can do some things that kernel level can't do. One is that kernel level very often contains the attacker after they've compromised BIND, you know; they compromise BIND, BIND falls down, they don't get their powerful root shell because they're SELinuxed. On the other hand, if we can configure the thing that was being attacked so the exploit doesn't work, or the code the exploit was trying to hit isn't available at all, maybe it's turned off, maybe it's removed, well then we don't get compromised at all. BIND, the server, never goes down. The best example I can give you is Apache. Most of Apache's real functionality comes in these Apache modules that you can turn off at
start time. It's not a recompile; it's just like commenting something out. It doesn't load. You have code that doesn't load because you configured it not to. Apache is a great example too because it comes with, like, Red Hat ships it with, say, thirty-four different Apache modules, of which you might need five depending on what kind of site you're running. So if you can turn off the ones you're not using, and a vulnerability comes out in one of the ones that was on before, congratulations, you don't get nailed by it. Is that cool? Does that make sense?

So the other side of kernel-level hardening is that it's hard. I mean, kernel-level technologies are hard. Writing the profile saying this program needs to write to this, needs to read this, it needs to be able to do this capability but not this capability, that takes understanding; it takes a whole bunch of training to learn how to do that. Red Hat's made that possible with SELinux because they've said, okay, we'll write a really good profile for the users and not require them to do it. On the other hand, the profiles are a little looser than you'd want them to be, because Red Hat has to make sure that whatever you're going to do with that web server, it still works. Does that make sense? You can learn to make your own profiles; it just takes some real training. I mean, there's a book on SELinux. Okay, anyway, you should continue looking at kernel-level solutions. They're nice. I really like grsecurity, I like SELinux, these are good. I consider that they're complementary. You can still harden, and probably still should. It's not a difficult thing to do. It can be a little tedious if you're doing it all by hand, but, well, we've got a tool for that, right? But it's not hard to do. See, CIS, the Center for Internet Security, writes guides, and the guides are designed to be used by junior-level system
admins, okay, people who, you know, might not even know entirely how to work their favorite editor just yet. Okay, and this stuff can still be done. Black Hat has a two-day course, I teach it, right, and that two-day course does Solaris and Linux and it's comprehensive. There are five-day courses at other organizations, but the fact you can learn it that quickly says something. I mean, I could teach you how to manually harden one operating system in a day; we do two in two days. This is not hard stuff. This isn't rocket science; this isn't anywhere near rocket science. Anyway, it's pretty easy to do. It's also really effective, and I'll tell you about two examples. The first is the CIS guide. NSA's IAD, the information assurance guys, they're around to stop machines from being broken into, basically took a benchmark and ran it against a Windows system, and when they were done, 90% of the vulnerabilities that were in that Windows system were mitigated. You couldn't hit them, okay? You either couldn't use them or you couldn't get anywhere by using them. You can do the same thing with Linux. If you basically do all the hardening guides, you don't have an extremely useful system, but 90 to 95% of your vulnerabilities are gone.

So Bastille Linux is just a way to do this programmatically. When we created it, we created it before Red Hat... right when Red Hat 6.0 came out. We just did a normal audit of a Red Hat 6.0 system, very, very standard. Okay, we wrote a program to do it. It basically stopped or contained every major vulnerability that was in the system, which was really nice. BIND: it had a remote root hole. WU-FTPD: it had a remote root hole. LPD plus sendmail: the combination of those two got you another remote root. dump/restore: local privilege escalation. GPM was a console-level privilege escalation. All of those things were stopped by Bastille. That's not because Bastille is just amazingly
wonderful, right? I'd like to think it is, but it's what we've got in books, what we've got in documentation, what we've got on websites or whatever. This is what happens. There are only two we didn't nail, and they were just little commands that, if root ran them and somebody had been able to, like, say, create a hostile man page... well, that's not anything we could really do anything about. That's one of those things that hardening won't get you, but that's okay.

So Bastille can kind of lock down... this is our complete list of what Bastille locks down right now. It does Red Hat, all the old ones and Enterprise and Fedora Core, and I'll release Fedora Core 4 tomorrow; HP-UX; Mandrake, Mandriva, whatever you call it; Debian; SUSE; Gentoo; Mac OS X; Solaris, need help. Again, one of the differences with Bastille is that it educated the sysadmin, and educating the sysadmin is really good if you, say, want the sysadmin to not end up on the Wall of Sheep, right? If you want the sysadmin to stop using telnet, you have to tell them telnet's bad, because otherwise they'll say, "I've been using telnet for 10 years, what's wrong with telnet?" And you say, "Well, I can sniff it or take it over, even when you've got switches. Don't use it, use SSH instead." And your sysadmin says, "Okay, I'll let you turn off telnet." Does that make sense? Yeah, okay. So people have found it very educational. There are organizations that use Bastille entirely for the educational component and don't actually have it harden the system, because they want to do it manually. Hopefully the assessment mode makes things easier for that.

Okay, it's really easy to automate. You create a config, two commands: you scp the config over to another system and run Bastille over an SSH pipe, and you can apply it to another system. If you're using one of those mass SSHers, they'll let you SSH to a thousand systems at once; congratulations, this gets really scalable. Okay, the whole thing is written so that it's very easy to script
around Bastille. It's very easy to add onto without having to know any Perl. Okay, the nice thing is... so why do you use Bastille, or why do you use an automated system? Well, one of the reasons you do it is for consistency. If you don't have a thousand systems, fine; you'd like to do this one the same way every time. Maybe you do it if you create a standard build config file; maybe you make this part of your build process. All you have to do is, basically, you only have to update these config files when you get a new distro or when you get a new release of the distro. HP-UX makes this really easy; there are four different ways. Part of their install process, they're shipping Bastille with the operating system.

What I want to do is... let's see, we're running a little low on time. What I've got is a list of modules and kind of what they do. Would you guys rather see a list of modules and what they do, or would you rather kind of see how you add on to this? Add on? Okay, works for me. Skip, skip, skip, skip, skip.

Bastille is actually really easy to add on to. We wrote it, and then, like so many open source projects, six months later we rewrote it entirely, and the rewrite was just to make it easier to maintain. That happens on a lot of open source projects; it probably happens on a lot of commercial software, because once you've written it once, you understand how to make it a lot better. So what we did is, the whole thing's in Perl, but if you don't know Perl, we actually worked to make it really understandable so that you could work on this even if you don't know Perl. And I'll show you an example of how you kind of add something to turn off the setuid bit. Okay, so if you wanted to add an item, the first major thing you have to do is create a question for that item: basically that text, the explanation, here's why you should do this, here's why you
shouldn't, what the question is, what the default answer could be. You can add modules, and we've had people contribute modules before, and it's pretty easy. Here's just the question-type stuff. This first one is just: every item gets its own name. There's a short explanation; you can have a long explanation so you can give the user more detail. There's a little "explain less," "explain more," so that lets them granularly decide, "I know a lot about this kind of stuff, so tell me less." There's a question, there's what distributions it works on, there's a default answer, there's a regular expression answers have to match (if you don't know what that means, don't worry about it, you can skip that part), and there's some stuff that says what the next question is and what the previous question is, and you can actually skip that part if you want to.

If I wanted to create a new thing that turned off setuid for dump and restore, this is the dump and restore action. I've got this: if getGlobalConfig with the module name and the question name (you could copy-paste that, right) equals yes, if they answered yes to this question, then I run B_remove_suid, remove setuid; it's one line, from dump. And this is a path name, but if that path differs from operating system to operating system, you can put in one of our getGlobal things that says this is in a table somewhere. But you could just put /usr/sbin/dump. Okay, does that make sense? This is really easy.

I'll show you the API. The API is really simple, okay. You can go and, you know, B_chmod changes the permissions, B_chown changes the ownership, B_chgrp, B_remove_suid, B_create_symlink. The reason we've ended up with a lot of these things, which were present in Perl already, is we wrapped them so that you can undo the whole thing. The idea behind Bastille is you can either granularly undo it, or we've got a big red button called revert, and that big red button yanks the system all the way back to where it was before you were running Bastille. It's not something you want to run six months later, because that part's hard, but if you just ran Bastille and you're like, "Wait, I answered yes to everything and I should have read," revert. You hit your big red button and you start over, or you hit your big red button and you throw away Bastille and curse my name, right? Doesn't matter, whatever you want to do.

So these are other things. B_chkconfig_off turns things off in the rc scripts and all that. You can copy files. These are kind of the fun ones: B_append_line just sticks a line on the end of a file if it's not already there. This is all made so that if you run Bastille, you can run it 8,000 times again with the same config file and not break the system, because Bastille will look for the stuff that it's trying to add. You can insert lines: you can insert lines before a given line in the file; you can prepend a line, put it at the beginning of the file; you can replace a given line. These all basically match the way the Unix config files are done. B_hash_comment_line, what could be easier? You want to turn a line off, you don't have to delete it, just comment it out with a hash. B_delete_line is another thing you can do. And all of these work on Perl regular expressions; if you don't know that, you can kind of use exact matches, but this is all really simple to do. And that's the idea; that's the API for adding new items. It's really actually quite easy. If you don't know Perl, you still have a pretty good chance of being able to add an item, especially if you can copy and paste something similar. I added something yesterday, in about five minutes, to remove mDNSResponder, that Rendezvous, Zeroconf, Bonjour thing that's on Apple; it's also on Red Hat Fedora Core now. It was really easy to turn it off. I copied and pasted something that turned off gpm, because that used chkconfig, and turned off mDNSResponder. It's another
chkconfig. It was really, really quick: eight lines of Perl, and, like, you know, these kinds of lines, not the kind of lines you can't read, right? Does that make sense?

Doing the same thing, you create an audit item for it. You can create an audit, and we want you to create an audit item for anything you create a hardening item for. And all it is is you have this thing, just like this: GLOBAL_TEST, the module name, and then that name of the question, equals sub, and you basically have a subroutine that does whatever it was that should be tested, and you return one or zero. This says if B_is_suid, if ping is setuid or ping6 is setuid, then I say okay, the test fails. It's really kind of that easy, and you can do the same thing with match lines. Everything that we basically could do to something now has a corresponding check. B_is_service_off will go and tell you if something, whether it's inetd-based or xinetd-based or rc-based, is on or off. B_match_line: is there a line in this file that matches this pattern? If I was hash-commenting or deleting a line, now I can check and see if it's present. So now I have an easy, quick way to write a check at the same time that I'm writing the fix. That makes it a lot easier to develop the tool; it also makes it easier to write the right things for your environment. And the whole idea is that all these things should be pretty self-explanatory. B_is_package_installed tells you if something's installed; B_is_process_running... the idea is that it should sound like English. The idea is that this should be really easy for you to look at a few and then make your own, and you can make your own, you can use it in your environment. People have written whole modules. Actually, I've got a module author in the front row, Mike Rash, hello. Anyway, he wrote the Port Scan Attack Detector, which is like PortSentry except 8,000 times better. It just is. You can look into it,
you'll agree. These tests are really easy to write.

I'm going to stop now because we're basically about a minute before, but I've got some things to give out. I've got books, I've got T-shirts. The goons are desperate for me to get rid of them because they don't want to take them all home, because they've already taken their own stash, right, and they've got the extra ones. I'm going to be doing a book signing of the Snort 2.1 book, but here's another, this is another book that I worked on, called Stealing the Network: How to Own a Continent, and here's the T-shirt, but it says, "Call it fiction, it helps you sleep better." Anyway, who wants a T-shirt? Oh wow. Wow, this is... I've always wanted to be a baseball player. Okay, I'll do that. I'm going to do the books now. No, these are signing books. I've got... somebody's asked questions. Wow, that guy's getting one. Just gonna take that one. I'm gonna check. I've got a Snort 2.1 book, which is one of the ones I'll be signing. I've got Mike Rash's, in the front row, it shows you, Intrusion Prevention and Active Response. And I've got The Linux Enterprise Cluster, for people who don't know how to take ones. Okay, you can have this one. Now I will take three questions, and three questions will get three books, so, you know, ask one.

"Can you check for password complexity?" Can you check for what? "Password complexity. Can you check for password complexity?" We can implement password complexity and we can check for it. We turned that check off for now and we're turning it back on; we ran into a bug with how it works on one distro versus another. That's a good question.

"What about intrusion prevention?" Okay, another question over there. Wow, that's a good point.

"Can we check for SSH version one versus version two, better configuration of SSH?" Not yet, but if you want to write it, or I want to write it, we'll do it. That's a bonus, that one. Wow.

"Can we check SELinux, if it's targeted or permissive mode?" No. I'd love to talk about it. If you are exiting the room, please exit this way.
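The add-an-item walkthrough above (a hardening action guarded by the saved answer to its question, the matching audit item keyed the same way, an undo log behind every change, and an assessment pass that scores the box) as an added, stand-alone example. This is not code from the talk or from the Bastille project: the B_*, getGlobalConfig and GLOBAL_TEST names follow what the speaker describes, but their bodies here are simplified stand-ins written for this example. It assumes the saved answers live in a hash of module => question => answer and that file paths are passed in by the caller rather than looked up per distro, and it runs against temp files standing in for /usr/sbin/dump and /etc/ssh/sshd_config.

```perl
#!/usr/bin/perl
# Stand-alone imitation of the Bastille item + audit-check pattern described
# in the talk. Names follow the speaker's description; bodies are stand-ins
# written for this example (assumption: config is a hash, paths are passed in).
use strict;
use warnings;
use Fcntl ':mode';
use File::Temp qw(tempfile);

# Saved answers, constructed for the example.
my %GLOBAL_CONFIG = (
    FilePermissions => { removesuid_dump => 'Y' },
    SecureInetd     => { banner_ssh      => 'Y' },
);
my @UNDO_LOG;       # closures that put a file back (the "big red button")
my %GLOBAL_TEST;    # module => question => sub returning 1 (pass) / 0 (fail)

sub getGlobalConfig { my ($m, $q) = @_; return $GLOBAL_CONFIG{$m}{$q} // '' }

# --- primitives: every check has a matching fix, every fix logs its undo ---
sub B_is_suid {
    my ($path) = @_;
    my $mode = (stat $path)[2];
    return (defined $mode && ($mode & S_ISUID)) ? 1 : 0;
}
sub B_remove_suid {
    my ($path) = @_;
    return 1 unless B_is_suid($path);                 # idempotent: already clean
    my $old = (stat $path)[2] & 07777;
    chmod($old & ~S_ISUID, $path) or return 0;
    push @UNDO_LOG, sub { chmod $old, $path };
    return 1;
}
sub B_match_line {                                     # any line =~ /pattern/ ?
    my ($path, $re) = @_;
    open(my $fh, '<', $path) or return 0;
    my $hits = grep { /$re/ } <$fh>;
    close $fh;
    return $hits ? 1 : 0;
}
sub B_append_line {                                    # add only if nothing matches
    my ($path, $re, $line) = @_;
    return 1 if B_match_line($path, $re);
    my $size = (-s $path) || 0;
    open(my $fh, '>>', $path) or return 0;
    print $fh "$line\n";
    close $fh;
    push @UNDO_LOG, sub { truncate $path, $size };
    return 1;
}
sub B_revert { (pop @UNDO_LOG)->() while @UNDO_LOG }

# --- items: the fix and its audit written side by side, as the talk suggests ---
sub harden {
    my (%p) = @_;                                      # paths for this box
    my $ok = 1;
    if (getGlobalConfig('FilePermissions', 'removesuid_dump') eq 'Y') {
        $ok &&= B_remove_suid($p{dump});
    }
    if (getGlobalConfig('SecureInetd', 'banner_ssh') eq 'Y') {
        $ok &&= B_append_line($p{sshd_config}, '^\s*Banner\s', 'Banner /etc/issue.net');
    }
    return $ok;
}
$GLOBAL_TEST{FilePermissions}{removesuid_dump} = sub { B_is_suid($_[0]{dump}) ? 0 : 1 };
$GLOBAL_TEST{SecureInetd}{banner_ssh} = sub { B_match_line($_[0]{sshd_config}, '^\s*Banner\s') };

# Assessment: run every registered test and return (passed, total) for a score.
sub assess {
    my ($paths) = @_;
    my ($pass, $total) = (0, 0);
    for my $m (sort keys %GLOBAL_TEST) {
        for my $q (sort keys %{ $GLOBAL_TEST{$m} }) {
            $total++;
            $pass++ if $GLOBAL_TEST{$m}{$q}->($paths);
        }
    }
    return ($pass, $total);
}

# Demo on temp files standing in for /usr/sbin/dump and /etc/ssh/sshd_config.
sub demo {
    my ($dfh, $dump) = tempfile(UNLINK => 1); close $dfh;
    my ($sfh, $sshd) = tempfile(UNLINK => 1); print $sfh "Protocol 2\n"; close $sfh;
    chmod 04755, $dump;                                # start out setuid
    my %p = (dump => $dump, sshd_config => $sshd);
    my @before = assess(\%p);
    harden(%p) for 1 .. 2;                             # second run must change nothing
    my @after  = assess(\%p);
    my $undo   = scalar @UNDO_LOG;                     # two fixes, two undo entries
    B_revert();
    my @revert = assess(\%p);
    return { before => $before[0], after => $after[0], total => $after[1],
             undo_entries => $undo, reverted => $revert[0] };
}
if (!caller) {
    my $r = demo();
    printf "score before %d/%d, after %d/%d, undo entries %d, after revert %d/%d\n",
        $r->{before}, $r->{total}, $r->{after}, $r->{total},
        $r->{undo_entries}, $r->{reverted}, $r->{total};
}
```

Run it with `perl` and the score goes from 0/2 to 2/2 after hardening, with exactly two undo entries even though `harden` ran twice (the second pass finds nothing to do, which is the "run it 8,000 times with the same config" property), and back to 0/2 after `B_revert`. The point of keeping the check next to the fix is that the audit can never drift from what the hardening step actually changes.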