Tip of the Trade: Bastille Linux
Every wise old system and network administrator knows that security is a multilayer process. You have your firewalls and other border security, perhaps some internal network segmentation, and application and operating system security. However, locking down the operating system is probably the most crucial link in this chain. An excellent utility to help you probe, assess, and harden your Linux system is Bastille Linux.
Bastille operates in two modes: hardening and assessment. It asks you a series of questions and builds a security policy based on the answers. In hardening mode it applies the policy; in assessment mode it generates an educational report.
One of the most valuable features of Bastille is how well it teaches security policy. Even for seasoned admins, Linux contains a number of potential security holes in odd little nooks and crannies, like Set User ID (SUID) programs. SUID allows ordinary users to run executables with root permissions, like the mount and umount programs, which enable the use of removable media. Bastille runs through all of these (you might be surprised at how many there are) and helps you strip the SUID bit from the ones that don't really need it.
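The same kind of SUID review can be done by hand. The script below is an added example, not Bastille's own code; the function names and the allowlist file (one absolute path per line) are assumptions.

```shell
#!/bin/sh
# Added example: review SUID executables against an allowlist.
# Not part of Bastille. Function names and allowlist format are assumptions.

# list_suid DIR
# Print every regular file under DIR that has the SUID bit (mode 4000) set.
# -xdev keeps the search on one filesystem so network mounts are not walked.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# audit_suid DIR ALLOWLIST
# Print SUID files under DIR whose exact path is NOT listed in ALLOWLIST.
# These are the candidates to review: does an ordinary user need this
# program to run with its owner's privileges?
audit_suid() {
    list_suid "$1" | while IFS= read -r f; do
        # -F fixed string, -x whole-line match, -q quiet
        grep -Fxq -- "$f" "$2" || printf '%s\n' "$f"
    done
}

# strip_suid FILE...
# Remove only the SUID bit; all other permission bits are left as they are.
# Modifying system binaries requires root.
strip_suid() {
    for f in "$@"; do
        chmod u-s -- "$f" && printf 'stripped SUID: %s\n' "$f"
    done
}

# Stand-alone use: sh suid_audit.sh DIR ALLOWLIST  (script name is hypothetical)
if [ "$#" -eq 2 ]; then
    audit_suid "$1" "$2"
fi
```

Review each reported path before passing it to `strip_suid`: removing the bit from programs such as mount and umount takes away the ordinary user's ability to use removable media. Re-run the audit after package upgrades, since reinstalling a package restores the mode bits it ships with.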
Another often-overlooked area is the dangerous old r-programs: rsh, rlogin and rcp. These still linger on a lot of modern distributions.
Bastille inspects account security, looks for unnecessary services, inspects services for vulnerabilities, and performs a number of other checks. It's a systematic way to audit your entire system. As a bonus, the latest edition of Bastille can be run on old installations. Formerly, the recommendation was to start with a brand-new, guaranteed-clean system.
Finally, if you don't like the changes Bastille makes to a system, you can easily undo them. For downloads and information, visit Bastille-Linux.org.