Bastille, snort: a must for security?

I've just installed it, as it happens, but I haven't run it yet; I'm a bit worried by the warning message:

[quote]# bastille
ERROR: System is not running a stable Debian GNU/Linux version. Setting to 3.0.
ERROR: System is not running a stable Debian GNU/Linux version. Setting to 3.0.

NOTE: Valid display found; defaulting to Tk (X) interface.
NOTE: Using Tk user interface module.
NOTE: Only displaying questions relevant to the current configuration.

Copyright © 1999-2002 Jay Beale
Copyright © 1999-2001 Peter Watkins
Copyright © 2000 Paul L. Allen
Copyright © 2001-2003 Hewlett Packard Company
Bastille is free software; you are welcome to redistribute it under
certain conditions. See the ‘COPYING’ file in your distribution for terms.

DISCLAIMER. Use of Bastille can help optimize system security, but does not
guarantee system security. Information about security obtained through use of
Bastille is provided on an AS-IS basis only and is subject to change without
notice. Customer acknowledges they are responsible for their system’s security.
TO THE EXTENT ALLOWED BY LOCAL LAW, Bastille (SOFTWARE) IS PROVIDED TO YOU
AS IS WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN,
EXPRESS OR IMPLIED. JAY BEALE, THE BASTILLE DEVELOPERS, AND THEIR SUPPLIERS
DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Some countries, states and provinces do not allow exclusions of implied
warranties or conditions, so the above exclusion may not apply to you. You may
have other rights that vary from country to country, state to state, or province
to province. EXCEPT TO THE EXTENT PROHIBITED BY LOCAL LAW, IN NO EVENT WILL
JAY BEALE, THE BASTILLE DEVELOPERS, OR THEIR SUBSIDIARIES, AFFILIATES OR
SUPPLIERS BE LIABLE FOR DIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR OTHER
DAMAGES (INCLUDING LOST PROFIT, LOST DATA, OR DOWNTIME COSTS), ARISING OUT OF
THE USE, INABILITY TO USE, OR THE RESULTS OF USE OF THE SOFTWARE, WHETHER BASED
IN WARRANTY, CONTRACT, TORT OR OTHER LEGAL THEORY, AND WHETHER OR NOT ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES. Your use of the Software is entirely at your
own risk. Should the Software prove defective, you assume the entire cost of all
service, repair or correction. Some countries, states and provinces do not allow
the exclusion or limitation of liability for incidental or consequential
damages, so the above limitation may not apply to you.

You must accept the terms of this disclaimer to use
Bastille. Type “accept” (without quotes) within 5
minutes to accept the terms of the above disclaimer

ERROR: System is not running a stable Debian GNU/Linux version. Setting to 3.0.
ERROR: Waited for 300 seconds. No response received.
Quitting.
[/quote]
What do you think? BorisTheButcher?
And what is this message: “System is not running a stable Debian GNU/Linux version”?? Do you have to be on stable?
Some docs: packages.debian.org/stable/admin/bastille
bastille-linux.org/
NB:
[quote]$ apt-cache policy bastille
bastille:
  Installé : 1:2.1.1-12
  Candidat : 1:2.1.1-12
 Table de version :
 *** 1:2.1.1-12 0
        501 http://ftp.fr.debian.org etch/main Packages[/quote]

Well, Bastille is good, yes, it's better than... no Bastille.
A must, no!!
Like everything else, believing you're protected with one and only one piece of software is very dangerous. There is no "must" as such (cf. the first line of the DISCLAIMER: Use of Bastille can help optimize system security, but does not guarantee system security).

I find it well done, not intrusive (it doesn't modify your kernel) and easy to uninstall.

It tells you you're not on stable to make it clear that if you want to be as secure as possible (which doesn't mean 100% secure, mind...) you have to start by staying on stable. It seems logical... If it's a server, you have to stay on stable. The catch is when you have unsupported hardware; that's another story.

Go ahead, install it; I recommend it. On stable, etch or sid, no problem.
What I like most is the ssh banner.


“Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection and disclosure at the discretion of such personnel or officials.
LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.”

It's rather useless (legally, in France I think it serves no purpose, and even in the US) but I find it really calms people down :slightly_smiling:

There's another package of this kind that does loads of top-notch checks but I can't remember the name; it'll come back to me, I hope.

Do you feel like you're being spied on by the Chinese from the FBI? :wink:

Thanks BorisTheButcher... I've changed the title, I added snort, hehe.

Wouldn't it be snort, as it happens? I've just installed it, I'm looking for a how-to to configure it, it's complex :frowning:

[quote=“BorisTheButcher”]Do you feel like you're being spied on by the Chinese from the FBI? :wink:[/quote] :smiley: no, but it's from reading everything that's been said here lately (hi ricardo... :wink: ... me too, mind you)... a few hours ago I started out from the basic Debian security rules, and here I am in the configuration of bastille, psad and snort... it's really interesting, but I'm out of my depth... :laughing:

Nah, it's not snort.
I'm talking about a piece of software that modifies your system to make it more secure (hardening).
Something automated, on top of that...

That's it, I've run bastille, well, there are logs:

[quote]{Fri Aug 11 11:36:38 2006} ERROR: open /etc/pam.d/xdm failed.
{Fri Aug 11 11:36:38 2006} # Couldn’t prepend line to /etc/pam.d/xdm, since open failed.
{Fri Aug 11 11:36:38 2006} ERROR: open /etc/pam.d/kde failed.
{Fri Aug 11 11:36:38 2006} # Couldn’t prepend line to /etc/pam.d/kde, since open failed.
{Fri Aug 11 11:36:39 2006} ERROR: Unable to open /etc/pam.d/xdm as the
swap file /etc/pam.d/xdm.bastille
already exists. Rename the swap file to allow Bastille
to make desired file modifications.
{Fri Aug 11 11:36:39 2006} ERROR: open /etc/pam.d/xdm.bastille failed…
{Fri Aug 11 11:36:39 2006} ERROR: open /etc/pam.d/xdm failed.
{Fri Aug 11 11:36:39 2006} # Couldn’t append line to /etc/pam.d/xdm, since open failed.
{Fri Aug 11 11:36:39 2006} swap file /etc/pam.d/kde.bastille
already exists. Rename the swap file to allow Bastille
to make desired file modifications.
{Fri Aug 11 11:36:39 2006} ERROR: open /etc/pam.d/kde.bastille failed…
{Fri Aug 11 11:36:39 2006} ERROR: open /etc/pam.d/kde failed.
{Fri Aug 11 11:36:39 2006} # Couldn’t append line to /etc/pam.d/kde, since open failed.
{Fri Aug 11 11:36:39 2006} # Couldn’t append line to /etc/logrotate.d/syslog, since open failed.
[/quote]I don't have kde or xdm... on top of that. :open_mouth: Maybe old files...
I saw “Network Flight Recorder”: NFR :open_mouth: in an eval version... but that's not hardening...

NFR, yes, it's not bad, but it's like snort I think. I have the install CDs of an old version.

hello,

There's no must in security... you have to start with the basics.

64.233.183.104/search?q=cache:sP … =firefox-a

thanks, I note that ouah translated the “Know Your Enemy I, II and III” papers from The Honeynet Project

[quote]Ouah volunteered his time to translate these papers into French/Francais.
Know Your Enemy I
Know Your Enemy II
Know Your Enemy III
[/quote]
and this: debian.org/doc/manuals/secur … ex.fr.html
isn't that the basics too? too advanced?
ps: I'm just asking the question naively...

Isn't it SELinux?

Personally, security interests me; I think I'll dive into these programs.

:wink:

SELinux looks interesting, but careful, it's a modification of the kernel,
or even another kernel... It's recommended to have a reliable spare kernel if you want to test SELinux.
I've gathered a bit of documentation, and I don't yet really know whether it's ready for Debian; when I read this: selinux.alioth.debian.org/ it seems so,
but when I read this: lists.alioth.debian.org/pipermai … 00000.html,
not really...
I looked for the options described here: wiki.debian.org/SELinuxSetup; I only found the options relating to xattr, nothing about selinux, so I suppose you really have to modify the kernel, patch it.
ps: more links:
selinux.sourceforge.net/distros/debian.php3
crypt.gen.nz/selinux/faq.html#WWW.1
nsa.gov/selinux/code/download5.cfm
Anyone know it?

No, I wasn't thinking of intrusive software like selinux, but my memory still hasn't come back lol
SELinux is the protection layer of Linux, it's clearly the thing to install first, I should have thought of it.
When you see the changes it makes (I looked directly at the selinux source code, especially on the network side), you understand that it adds a heavy layer of security. But don't be surprised if your system locks up after a wrong move... I don't have more info, I don't know it well.
There are the anti stack overflow patches too. ssp in gcc-4.1. All the Debian packages have been recompiled with this option, no problem. But some more sophisticated attacks are still possible (which is no reason not to install them).
There's also a sysctl (address space randomization) but I don't have the info at hand, I'm on Windows.

I may have found the package(s) we're looking for:

[quote]jcode@debian:~$ apt-cache search hardening
bastille - Security hardening tool
jcode@debian:~$ apt-cache search harden
bastille - Security hardening tool
harden - Makes your system hardened
harden-clients - Avoid clients that are known to be insecure
harden-development - Development tools for creating more secure programs
harden-doc - Useful documentation to secure a Debian system
harden-environment - Hardened system environment
harden-nids - Harden a system by using a network intrusion detection system
harden-remoteaudit - Audit your remote systems from this host
harden-servers - Avoid servers that are known to be insecure
harden-surveillance - Check services and/or servers automatically
harden-tools - Tools to enhance or analyze the security of the local system
jcode@debian:~$ apt-cache show harden
Package: harden
Priority: extra
Section: admin
Installed-Size: 28
Maintainer: Ola Lundqvist <opal@debian.org>
Architecture: all
Version: 0.1.17
Depends: harden-environment, harden-servers, debconf (>= 0.5) | debconf-2.0, debconf (>= 1.2.0)
Recommends: harden-tools
Suggests: sudo, harden-clients, harden-nids, harden-remoteaudit, harden-surveillance
Filename: pool/main/h/harden/harden_0.1.17_all.deb
Size: 7868
MD5sum: e0282a7d92b2bcc421202eebcbd9060c
Description: Makes your system hardened
 This package is intended to help the administrator to improve the security
 of the system, or at least make the host less susceptible.
 .
 NOTE! This package will not make your system uncrackable, and it is not
 intended to do so. Making your system secure involves a LOT more than just
 installing a package. You are recommended to read at least some documents
 in addition to installing this package. The documents can be found in the
 harden-doc package. This is of course just a start because there are LOT
 of information on how to make your system more secure.
 .
 For more information on how to secure your system see:
 http://www.debian.org/doc/manuals/securing-debian-howto/[/quote]

But first, since I'm having problems with bastille, which I liked nonetheless, could you explain these logs to me:

[quote="/var/log/Bastille/error-log"]{Sat Aug 12 18:47:12 2006} Failed to place /psadwatchd as /usr/sbin/psadwatchd
{Sat Aug 12 18:47:13 2006} Failed to place /kmsgsd as /usr/sbin/kmsgsd
{Sat Aug 12 18:47:13 2006} Failed to place /diskmond as /usr/sbin/diskmond
{Sat Aug 12 18:47:13 2006} #ERROR: chmod: File /usr/sbin/diskmond doesn’t exist!
{Sat Aug 12 18:47:13 2006} Failed to place /psad-init as /etc/rc.d/init.d/psad
{Sat Aug 12 18:47:13 2006} #ERROR: chmod: File /etc/rc.d/init.d/psad doesn’t exist!
{Sat Aug 12 18:47:13 2006} Failed to place /whois as /usr/bin/whois.psad
{Sat Aug 12 18:47:21 2006} ERROR: Unable to open /etc/pam.d/xdm as the
swap file /etc/pam.d/xdm.bastille
already exists. Rename the swap file to allow Bastille
to make desired file modifications.
{Sat Aug 12 18:47:21 2006} ERROR: open /etc/pam.d/xdm.bastille failed…
{Sat Aug 12 18:47:21 2006} ERROR: open /etc/pam.d/xdm failed.
{Sat Aug 12 18:47:21 2006} # Couldn’t prepend line to /etc/pam.d/xdm, since open failed.
{Sat Aug 12 18:47:21 2006} ERROR: Unable to open /etc/pam.d/kde as the
swap file /etc/pam.d/kde.bastille
already exists. Rename the swap file to allow Bastille
to make desired file modifications.
{Sat Aug 12 18:47:21 2006} ERROR: open /etc/pam.d/kde.bastille failed…
{Sat Aug 12 18:47:21 2006} ERROR: open /etc/pam.d/kde failed.
{Sat Aug 12 18:47:21 2006} # Couldn’t prepend line to /etc/pam.d/kde, since open failed.
{Sat Aug 12 18:47:23 2006} ERROR: Unable to open /etc/pam.d/xdm as the
swap file /etc/pam.d/xdm.bastille
already exists. Rename the swap file to allow Bastille
to make desired file modifications.
{Sat Aug 12 18:47:23 2006} ERROR: open /etc/pam.d/xdm.bastille failed…
{Sat Aug 12 18:47:23 2006} ERROR: open /etc/pam.d/xdm failed.
{Sat Aug 12 18:47:23 2006} # Couldn’t append line to /etc/pam.d/xdm, since open failed.
{Sat Aug 12 18:47:23 2006} ERROR:
Unable to open /etc/pam.d/kde as the
swap file /etc/pam.d/kde.bastille
already exists. Rename the swap file to allow Bastille
{Sat Aug 12 18:47:23 2006} ERROR: open /etc/pam.d/xdm.bastille failed…
{Sat Aug 12 18:47:23 2006} ERROR: open /etc/pam.d/xdm failed.
{Sat Aug 12 18:47:23 2006} # Couldn’t append line to /etc/pam.d/xdm, since open failed.
{Sat Aug 12 18:47:23 2006} ERROR:
Unable to open /etc/pam.d/kde as the
swap file /etc/pam.d/kde.bastille
already exists. Rename the swap file to allow Bastille
to make desired file modifications.
{Sat Aug 12 18:47:23 2006} ERROR: open /etc/pam.d/kde.bastille failed…
{Sat Aug 12 18:47:23 2006} ERROR: open /etc/pam.d/kde failed.
{Sat Aug 12 18:47:23 2006} # Couldn’t append line to /etc/pam.d/kde, since open failed.
{Sat Aug 12 18:47:23 2006} ERROR:
Unable to open /etc/logrotate.d/syslog as the
swap file /etc/logrotate.d/syslog.bastille
already exists. Rename the swap file to allow Bastille
to make desired file modifications.
{Sat Aug 12 18:47:23 2006} ERROR: open /etc/logrotate.d/syslog.bastille failed…
{Sat Aug 12 18:47:23 2006} ERROR: open /etc/logrotate.d/syslog failed.
{Sat Aug 12 18:47:23 2006} # Couldn’t append line to /etc/logrotate.d/syslog, since open failed.
[/quote] I more or less understand what it's saying (although... kde, xdm, I don't have them), but I don't see why it's happening... :unamused:

I think I'll test harden instead...
So, to recap, we have a few good advanced hardening tools, among them:

  • bastille (which is driving me nuts with its 3000 questions)
  • aide (which I have yet to discover)
  • harden (to be seen)
  • SELinux (the novelty, intrusive)

It's annoying: bastille also acts as a firewall, so I'd have to get rid of firestarter (since I installed bastille, I no longer get any alerts in firestarter, so...).

[quote=“BorisTheButcher”]No, I wasn't thinking of intrusive software like selinux, but my memory still hasn't come back lol[/quote]there, I've got it:

[quote=“Cahiers de l’Admin”]The NIDS snort (Network Intrusion Detection System) is very widespread, but it has recently gained a less proven competitor: prelude, which enjoys a more modular architecture... [/quote] And there we go, one more to test :stuck_out_tongue: : prelude-nids.

I think it was checksecurity but I'm not sure at all.
edit: ah!!! it was tiger, I'm pretty sure )
Otherwise yes, this weekend I discovered harden, which oversees all the hardening. So you have to play with that.
And also this:

[quote]x@debian:~$ debtags tagsearch security
protocol::ssl - SSL/TLS
security (facet) - How the package is related to system security
security::TODO - Need an extra tag
security::antivirus - Anti-virus
security::authentication - Authentication
security::cryptography - Cryptography and privacy tools
security::firewall - Firewall
security::ids - Intrusion Detection System
securit::integrity - File integrity verification
security::log-analyzer - Log file analyzer
security::special:not-applicable - Not applicable
security::special:not-yet-tagged - Not yet tagged
x@debian:~$ debtags search security::* | wc -l
553

[/quote]example:

[quote]x@debian:~$ debtags search security::ids
snort-pgsql - Flexible Network Intrusion Detection System [PostgreSQL]
aide - Advanced Intrusion Detection Environment
psad - The Port Scan Attack Detector
checksecurity - basic system security checks
tiger - Report system security vulnerabilities
tripwire - file and directory integrity checker
fcheck - IDS filesystem baseline integrity checker
chkrootkit - Checks for signs of rootkits on the local system
libselinux1 - SELinux shared libraries
harden-environment - Hardened system environment
harden-nids - Harden a system by using a network intrusion detection system
snort - Flexible Network Intrusion Detection System
idswakeup - tool for testing network intrusion detection systems
honeyd - Small daemon that creates virtual hosts simulating their services and behaviour
honeyd-common - Honeyd’s honeypot documentation and scripts
labrea - a “sticky” honeypot and IDS
osiris - network-wide system integrity monitor control interface
osirisd - network-wide system integrity monitor scanning agent
osirismd - network-wide system integrity monitor central management daemon
piwi - P(erl|relude) IDS Web Interface - A frontend to your Prelude database
portsentry - Portscan detection daemon
prelude-lml - Hybrid Intrusion Detection System [ Log Monitoring Lackey ]
prelude-manager - Hybrid Intrusion Detection System [ Report Manager ]
scanlogd - A portscan detecting tool
snort-rules-default - Flexible Network Intrusion Detection System ruleset
snort-common - Flexible Network Intrusion Detection System [common files]
snort-doc - Documentation for the Snort IDS [documentation]
tiger-otheros - Scripts to run Tiger in other operating systems
tinyhoneypot - Small honeypot to trap attackers[/quote]

As for bastille, I've just reinstalled it to test your problem.
Indeed I get errors (perhaps not fatal) when activating psad, which I had never activated:

[quote]root@debian:~# cat /var/log/Bastille/error-log
{Wed Aug 16 12:51:48 2006} Failed to place /psad as /usr/sbin/psad
{Wed Aug 16 12:51:48 2006} Failed to place /psadwatchd as /usr/sbin/psadwatchd
{Wed Aug 16 12:51:48 2006} Failed to place /kmsgsd as /usr/sbin/kmsgsd
{Wed Aug 16 12:51:48 2006} Failed to place /diskmond as /usr/sbin/diskmond
{Wed Aug 16 12:51:48 2006} #ERROR: chmod: File /usr/sbin/diskmond doesn't exist!
{Wed Aug 16 12:51:48 2006} Failed to place /psad-init as /etc/rc.d/init.d/psad
{Wed Aug 16 12:51:48 2006} #ERROR: chmod: File /etc/rc.d/init.d/psad doesn't exist!
{Wed Aug 16 12:51:48 2006} Failed to place /whois as /usr/bin/whois.psad
{Wed Aug 16 12:51:49 2006} ERROR: Unable to open /etc/logrotate.d/syslog as the
swap file /etc/logrotate.d/syslog.bastille
already exists. Rename the swap file to allow Bastille
to make desired file modifications.
{Wed Aug 16 12:51:49 2006} ERROR: open /etc/logrotate.d/syslog.bastille failed...
{Wed Aug 16 12:51:49 2006} ERROR: open /etc/logrotate.d/syslog failed.
{Wed Aug 16 12:51:49 2006} # Couldn't append line to /etc/logrotate.d/syslog, since open failed.
root@debian:~#[/quote]

I'll look into what's wrong.
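Both error-logs quoted above stop at the same point: Bastille will not open a file while a `<file>.bastille` swap copy is present and asks the admin to rename it. The script below is an added example, not code from the thread or from Bastille: it pulls the swap-file paths out of such a log and reports, under a root directory you pass in, whether each swap copy and its original still exist. The log excerpt and the directory tree it runs on are constructed.

```shell
#!/bin/sh
# Added example: triage "swap file ... already exists" errors from a
# Bastille error-log. Each such block names a <file>.bastille copy that
# has to be inspected and renamed/removed before Bastille can edit <file>.

# Constructed sample, assembled from lines quoted in the thread.
SAMPLE_LOG='{Sat Aug 12 18:47:21 2006} ERROR: Unable to open /etc/pam.d/xdm as the
swap file /etc/pam.d/xdm.bastille
already exists. Rename the swap file to allow Bastille
to make desired file modifications.
{Sat Aug 12 18:47:21 2006} ERROR: open /etc/pam.d/xdm.bastille failed...
{Sat Aug 12 18:47:21 2006} ERROR: open /etc/pam.d/xdm failed.
{Wed Aug 16 12:51:49 2006} ERROR: Unable to open /etc/logrotate.d/syslog as the
swap file /etc/logrotate.d/syslog.bastille
already exists. Rename the swap file to allow Bastille
to make desired file modifications.'

# Print each swap-file path once, taken from the "swap file <path>" lines.
stale_swap_files() {
    printf '%s\n' "$1" | sed -n 's/^swap file \(.*\.bastille\)$/\1/p' | sort -u
}

# For every swap file named in the log, look under root directory $1
# (use "" for the live system) and print one "<status> <swap path>" line:
#   stale   swap copy and original both present: diff them, then rename/remove
#   orphan  swap copy present but original missing (like kde/xdm in the
#           thread, which the poster does not have): check before deleting
#   gone    swap copy no longer there; the log entry is historical
check_swap_files() {
    root=$1
    stale_swap_files "$2" | while read -r swap; do
        orig=${swap%.bastille}
        if [ -e "$root$swap" ]; then
            if [ -e "$root$orig" ]; then
                echo "stale $swap"
            else
                echo "orphan $swap"
            fi
        else
            echo "gone $swap"
        fi
    done
}

# Demo on a constructed tree so nothing under the real /etc is touched.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/pam.d" "$tmp/etc/logrotate.d"
    : > "$tmp/etc/pam.d/xdm.bastille"           # swap left behind, no xdm file
    : > "$tmp/etc/logrotate.d/syslog"
    : > "$tmp/etc/logrotate.d/syslog.bastille"  # swap left behind, syslog present
    check_swap_files "$tmp" "$SAMPLE_LOG"
    rm -rf "$tmp"
}

demo
```

To run it against a real log, replace `SAMPLE_LOG` with `$(cat /var/log/Bastille/error-log)` and pass `""` as the root so the paths resolve on the live system.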

thanks boristhebutcher :wink:
but well, it's not too serious; bastille didn't really convince me, I don't think I'll try it again... (too many questions, in English lol, for the configuration).
I tested something (yes, tiger [isn't that only for testing a web server?] too, psad, snort) that looks pretty good to me:
nessus:

  • requires a server (the nessusd daemon) and a client to connect to it
  • scans a target
  • after 2 minutes you end up with 4 windows:
  • subnet > clicking on a line brings up the info in the next window
  • host > ditto
  • ports > ditto
  • severity > clicking displays the full report

it looks pretty good to me...

Tiger:

[quote]Description: Report system security vulnerabilities
TIGER, or the ‘tiger’ scripts, is a set of Bourne shell
scripts, C programs and data files which are used to perform
a security audit of UNIX systems. TIGER has one primary goal:
report ways ‘root’ can be compromised.
.
Debian’s TIGER incorporates new checks primarily oriented towards
Debian distribution including: md5sums checks of installed files,
location of files not belonging to packages, check of security
advisories and analysis of local listening processes.[/quote]

Otherwise, about the release of the future stable (etch):
lists.debian.org/debian-devel-an … 00005.html

[quote]SELinux support

Etch will not ship with SELinux turned on by default. However, Etch
shall ship with all the SELinux components required for users to run an
SELinux enabled machine, including an optimized version of the reference
policy. The policy would be tested to work for a bare-bones "standard"
installation (that is, a base system with all packages with priority
standard or higher) and with some popular packages like apache, bind,
postfix and sendmail (in other words, most common server packages).

At this point, some non-SELinux packages (coreutils, pam, sysvinit) are
running with older SELinux patches. These need to be updated, and
respective bugs will be filed in the next few days.[/quote]
A link on SELinux:
www-128.ibm.com/developerworks/l … linux.html

Nessus is a very good vulnerability scanner. Unfortunately, I believe it's no longer open source...

So you're not sold on Bastille? Your comment on the translation is legitimate; it's true that if you don't speak English and don't grasp the extent of the changes, you're in a bit of a bind.
Shame... did you see that the maintainer is also the excellent author of the securing-debian-howto? He has found a lot of bugs in the open source world... mainly insecure links, mktemp, all that... :wink:

thanks, thanks...
ah, no, I hadn't seen that about the maintainer... :unamused:
no, but I didn't say it wasn't good, did I... I didn't say... did I? Did I say that?
(no kidding, and that's with me having a decent grasp of English...).