System hardening with Lynis
Many people used Bastille Linux to harden their Linux systems. Unfortunately, both the Bastille website and the tool itself seem very outdated. This has left people searching for a good alternative. We found one by combining different solutions, which together are more powerful. Security automation is hot, so forget Bastille and do it the right way.
Automatic hardening makes sense
Most system administrators can’t keep up with new technologies and security threats. It is simply too much to investigate everything and stay up-to-date with the latest software. Besides that, existing systems often need management, even years after the initial software was released.
Automatic hardening, or security automation, reduces the effort on the part of the system administrator. The tooling is ready to go and can tighten up security controls on the related system. The big benefit is that running a tool is quick, does not require much knowledge and at least provides additional protection.
Why it does not...
Tools make people lazy, sometimes even uneducated. Without understanding why a change has to be implemented, it might give a false sense of security. Then there is the risk of crippling the system by implementing a security control without proper testing. Additionally there is the fact that most systems are not equal, so exceptions might be applicable or needed.
The alternative to Bastille Linux
Lynis is not a hardening tool, but helps with hardening. Instead of just changing configuration files, it will perform an in-depth audit of the system and show the related findings. The administrator then can determine what controls are appropriate to be applied and create a custom automation script. This can be done via a normal shell script, or by using configuration automation tools like Cfengine or Puppet.
The big benefit of using an auditing tool is the flexibility and support for different operating systems. Companies often use different Linux distributions, while a hardening tool may support only one or another. When it comes to hardening, each system has its own minor differences.
By combining auditing and configuration automation, we have security automation with continuous monitoring. Both the automation tool and the auditing tool will check for inappropriate conditions. While it will initially take a little more time, the result will outperform an automatic hardening tool. It gives the system administrator(s) security insights and includes checking the configuration on a regular basis.
People who are familiar with the Plan-Do-Check-Act cycle will recognize the steps. It starts with your goal for hardening and planning the initial audit (Plan), followed by the implementation (Do), checking for effectiveness (Check) and acting upon new findings (Act). This way of working is more in line with security being a process and not a product. It enhances security awareness and lets people act upon new findings, instead of the “fire and forget” of a tool.
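The audit-then-decide loop described above, sketched as a shell script (an added example, not code from the original article or from the Lynis project): it reads the warning[] and suggestion[] lines of a Lynis report, drops the test IDs an administrator has reviewed and accepted as exceptions, and returns non-zero while unreviewed findings remain. The function names, file names and sample report lines are constructed; the report layout is assumed to be the key=value format Lynis writes to /var/log/lynis-report.dat by default.

```shell
#!/bin/sh
# Added example: triage Lynis findings against a reviewed exception list (names are hypothetical).

# Print "kind<TAB>test-id<TAB>message" for every warning[] / suggestion[] line.
list_findings() {
    awk -F'|' '/^(warning|suggestion)\[\]=/ {
        split($1, head, "=")            # head[1]="warning[]", head[2]=test ID
        kind = head[1]; sub(/\[\]$/, "", kind)
        printf "%s\t%s\t%s\n", kind, head[2], $2
    }' "$1"
}

# Drop findings whose test ID is listed in the exception file ($2).
# The file holds one test ID per line; "#" starts a comment.
open_findings() {
    list_findings "$1" | awk -F'\t' -v exc="$2" '
        BEGIN {
            while ((getline line < exc) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") accepted[line] = 1
            }
        }
        !($2 in accepted)'
}

# Exit status 0 only when every finding has been reviewed and accepted.
audit_gate() {
    pending=$(open_findings "$1" "$2")
    if [ -z "$pending" ]; then return 0; fi
    printf '%s\n' "$pending"
    return 1
}

# Constructed sample data: a report excerpt and an exception list.
write_sample() {
    cat > "$1/lynis-report.dat" <<'EOF'
hardening_index=62
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
EOF
    cat > "$1/accepted.txt" <<'EOF'
# reviewed exceptions for this host
SSH-7408    # forwarding required here
EOF
}

demo=$(mktemp -d) && write_sample "$demo"
audit_gate "$demo/lynis-report.dat" "$demo/accepted.txt" || echo "findings above need review"
rm -rf "$demo"
```

Run the gate after `lynis audit system` from cron or a configuration-management job, and keep the exception file under version control so every accepted finding has a recorded reviewer.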
Bastille Linux is a great tool, or maybe we should say, was a great tool. Fortunately there are better alternatives nowadays, by combining tools and leveraging the strengths of each. The combination of an auditing tool and a configuration automation tool will provide more benefits. They include better educated personnel, more control over the implementation, continuous monitoring and working according to a process, enhancing security over time.
Did you find a better alternative for Bastille Linux? Share it in the comments!