Bastille on F10?

Todd Denniston Todd.Denniston at ssa.crane.navy.mil
Mon Dec 15 14:19:57 UTC 2008


Kevin Fenzi wrote, On 12/13/2008 07:56 PM:
> On Thu, 11 Dec 2008 11:06:54 -0500
> DAVID.C.MCGUFFEY at saic.com ("McGuffey, David C.") wrote:
> 
>> Anyone tested the Bastille hardening process on F10?  In a few days
>> I'll be building an F10 box and plan to lock it down.  Would be nice
>> to start with Bastille rather than having to keep tweaking old scripts.
> 
> I have never been too clear about the reason for the existence of
> Bastille. If there are improvements to be made in Fedora's security out
> of the box, perhaps we could just make them? 
> 
> In any case if you have selinux enabled, apply updates in a timely
> manner and use a firewall you should be in pretty good shape. 
> 

Certain paranoid (they are out to get us :) organizations have rules that 
indicate that: if certain capabilities of a computer system are not needed to 
accomplish the job assigned for that computer, then 
remove|block|disable|destroy that capability.

i.e., if the job does not need USB capability, remove USB capability from the 
OS or put hot glue in the ports.

Bastille has been getting upgrades lately to check and set things in the 
Linux-based OSs to the standards of some of those organizations, leaving the 
hardware available for use if the machine gets repurposed.

>> Dave McGuffey
>> Principal Information System Security Engineer // NSA-IEM, NSA-IAM
>> SAIC, IISBU, Columbia, MD
> 
> kevin
> 
> 


-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter



