Bastille

Hardening and System Lockdown for a Linux Kiosk system


This is part of an exercise to use Linux as a kiosk system and focuses on the use of Bastille (BastilleLinux) to lock down and harden the system. It is primarily oriented towards this Ubuntu kiosk system but can be of use to other (kiosk) systems as well.

Hardening is more than just running a script. Before you apply any configuration, consider that this is a kiosk system: it will offer (limited) functionality to untrusted, unsupervised users who have physical access to the machine. That is a potentially dangerous situation: the user may (willingly or unwillingly) damage the system, or attempt to abuse it. Therefore:

  1. Start from a known baseline so you can be sure that everything will be covered: no surprises, no improvisation.
  2. Think about what your kiosk user should be able to do: browse the internet? browse a file system? print? discover wireless networks? read from or save to media (USB, CD, DVD, ...)? download files? ...
  3. Consider the consequences of the previous point: you may allow the user to download files and save them to media so they can carry home information found on the internet. Do you also allow them to carry home the password file of the kiosk system so they can have a go at cracking it? They're allowed to mount CDs, but do you want them to run rogue applications from them? You've locked down the kiosk; should they be able to boot a Live CD and run a system where they have full admin power?
  4. Do not install services, daemons and applications that are not needed. Remove them if they got installed by default.
  5. Think about what your system administrator will need to be capable of: do not remove features you may need for troubleshooting (but prevent other users from using them for less honorable purposes).
  6. Design a consistent policy: how should a sysadmin access the system for maintenance or troubleshooting if the machine is running a session for a user that is not allowed to reboot, log off, switch user or sudo, and you've disabled remote access? On the other hand: if the sysadmin can get root privileges from a kioskuser session, what is to keep the kioskuser himself from trying to do the same?

Bastille is a program that walks you through a large number of configuration settings to help you harden the system, i.e. change the default general-purpose configuration into a configuration specific to the role you've assigned to the computer, in this case a kiosk system. Here are some useful settings. Of course you will have to consider exactly how you want to harden your kiosk in order to make the right choices: Bastille is just a handy tool to help you implement your choices (and a very useful checklist, not to mention the explanations in the program, which make up an excellent introduction to system hardening).

Probably a good idea for your kiosk:

  set restricted file permissions
    allows only root to run system commands
  disable SUID root
    strips the setuid-root bit from selected binaries so they no longer run with root privileges. You can specify which applications this applies to
  set a default umask
    sets the default permissions of newly created files. umask=077 allows nobody but the owner to read or write your files
  disallow root login
    Ubuntu already implements a variation of this with the use of sudo. Keeps users from guessing passwords to get root access
  disable remote login protocols that send credentials in clear text
    always a good idea
  set a default deny on TCP wrappers and (x)inetd
    blocks all connection attempts from outside. Caution: if you plan remote administration, this may not be such a good idea. Make sure you leave a way for the system admin to perform admin tasks (e.g. local login, sudo, ...)
  set a password for the GRUB boot loader menu
    keeps people from accessing the GRUB command prompt to boot in ways you did not intend
  disable potentially dangerous protocols/daemons that are irrelevant to a kiosk system anyway
    telnet, ftp, ...
  put limits on system resource usage
    less relevant to a single-user workstation, but it won't harm: it prevents Denial of Service attacks against the system and keeps the user from running an obscene number of processes all at once
  create user-specific temp directory
    a safety measure on multi-user systems, but in this case useful to create a 'sandbox' for the temp user and a nice supplement to the DeepFreeze
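Once Bastille has been run, it is worth verifying that the settings above actually took effect. The audit script below is an added example written for this page (not Bastille's own code); it assumes the classic file locations (/etc/profile, /etc/hosts.deny, /etc/shadow, /boot/grub/menu.lst, /etc/security/limits.conf) and takes a root prefix as argument so it can also be tried on a copied test tree.

```shell
#!/bin/sh
# Added example, not from the original page or from Bastille: audits the
# hardening settings recommended above. Every check takes ROOT (default "/")
# so it can also run against a copied tree; exit 0 = setting is in place.

# Default umask: /etc/profile must set umask 077 (no group/other access).
check_umask() {
    grep -Eqs '^[[:space:]]*umask[[:space:]]+0*77([[:space:]]|$)' "${1%/}/etc/profile"
}

# TCP wrappers default deny: /etc/hosts.deny needs an "ALL: ALL" line.
check_hosts_deny() {
    grep -Eqs '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "${1%/}/etc/hosts.deny"
}

# Root login: a locked root entry in /etc/shadow (hash field "!" or "*"),
# which is what Ubuntu's sudo-only model relies on. Needs root to read.
check_root_locked() {
    grep -Eqs '^root:[!*]' "${1%/}/etc/shadow"
}

# GRUB password: legacy menu.lst "password" line, or GRUB2 "set superusers".
check_grub_password() {
    grep -Eqs '^[[:space:]]*password[[:space:]]' "${1%/}/boot/grub/menu.lst" ||
    grep -Eqs 'set[[:space:]]+superusers=' "${1%/}"/etc/grub.d/*
}

# Resource limits: a hard nproc limit in limits.conf caps the process count.
check_nproc_limit() {
    grep -Eqs '^[^#]*[[:space:]]hard[[:space:]]+nproc[[:space:]]+[0-9]+' \
        "${1%/}/etc/security/limits.conf"
}

# Setuid-root binaries that survived "disable SUID root"; prints their paths
# so they can be compared against the short list the kiosk really needs.
list_suid_root() {
    find "${1%/}/bin" "${1%/}/usr/bin" -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Runs every check, prints PASS/FAIL per setting, returns the failure count.
run_audit() {
    fails=0
    for c in check_umask check_hosts_deny check_root_locked \
             check_grub_password check_nproc_limit; do
        if $c "$1"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    echo "INFO $(list_suid_root "$1" | wc -l) setuid-root binaries remain"
    return $fails
}
```

Run it as root on the kiosk itself with `run_audit /`; a non-zero return value is the number of settings that did not take.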

To consider and apply as appropriate to your situation / policy:

  disable SUID root
    don't allow applications to run as 'root'. You can specify which applications this applies to. While this is generally a good idea, it may inconvenience users, e.g. if you do not allow them to mount media (floppy, CD, DVD). On the other hand: does a kiosk user need to be able to use 'ping'?
  password aging
    is probably not appropriate here: the kioskuser login will be used by any customer and you may not want to have to change the password
  disable reboot via Ctrl+Alt+Del?
    users can still force a reboot by unplugging the power cord, so you may prefer allowing them to reboot cleanly, and use other options to keep them from abusing the ability to reboot (GRUB password, runlevel 1 password, ...)
  limit console login to specified users
    here you can specify which users can log in at the console. You don't want your kioskuser to log in at the command prompt, so this seems like a good idea. But you also don't want the kiosk user to try and log in with another user's account name and password (cf. "don't allow root to log in"). You will need to develop a consistent policy to adequately use this option: who should be allowed to log in, and how.
    Setting the default run level so that users log in to a GUI, and password-protecting GRUB and single user mode so untrusted users can't force a text-mode login, should be part of that policy
  implement additional logging
    can be useful, but only if you will also analyse these logs. Or you just keep them for future reference if something has gone wrong :-)
  disable daemons
    you don't want services (daemons) to be running if they're not necessary. The question is: what is necessary? Do your users need printing?
  set up a (packet filtering) firewall
    this configures an iptables script to firewall the system. You will need to think about what kind of network / internet access the kiosk system requires. Web access (http, any)? How about other protocols: Instant Messaging? access to the LAN (to download backup / default config files)? use of proxy servers? ...
    Your firewall should also not interfere with any remote administration you may have planned for.
    You may also opt to create your own iptables script, or to not set up a local firewall on the kiosk machine (e.g. if you have multiple kiosks on a LAN that's already behind a suitable firewall).
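As an added example of what such a hand-written policy can look like for a browse-only kiosk (written for this page, not taken from Bastille's own firewall script): the rules are printed by a function so they can be reviewed, or checked, before being piped to sh. The management subnet 192.0.2.0/24 and the SSH port are constructed placeholders; replace them with the real ones for your LAN.

```shell
#!/bin/sh
# Added example, not from the original page or from Bastille: iptables policy
# for a kiosk that only needs DNS and web access, plus SSH for the admin from
# one management subnet. ADMIN_NET and SSH_PORT are assumed placeholders.
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}
SSH_PORT=${SSH_PORT:-22}

# Prints the rule set; apply with:  kiosk_fw_rules | sh
kiosk_fw_rules() {
    cat <<EOF
iptables -F
iptables -X
# default deny in every direction; OUTPUT is restricted too, so a compromised
# browser cannot reach arbitrary services from the kiosk
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback, and replies to connections the kiosk opened itself
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# what the kiosk user is allowed: DNS and web (http/https) to anywhere
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# remote administration: SSH from the management subnet only, and logged
iptables -A INPUT -p tcp -s $ADMIN_NET --dport $SSH_PORT -m state --state NEW -j LOG --log-prefix "kiosk-ssh: "
iptables -A INPUT -p tcp -s $ADMIN_NET --dport $SSH_PORT -m state --state NEW -j ACCEPT
# everything else is logged (rate-limited) before the DROP policy takes it
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "kiosk-drop-in: "
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "kiosk-drop-out: "
EOF
}

# Sanity check before applying: INPUT and OUTPUT must default to DROP, and no
# rule may accept new inbound connections from anywhere but ADMIN_NET.
kiosk_fw_check() {
    rules=$(kiosk_fw_rules)
    printf '%s\n' "$rules" | grep -q -- '-P INPUT DROP' &&
    printf '%s\n' "$rules" | grep -q -- '-P OUTPUT DROP' &&
    ! printf '%s\n' "$rules" | grep -E -- '-A INPUT.*--state NEW' | grep -qv -- "-s $ADMIN_NET"
}
```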

Reproduce it?

Look at /etc/Bastille/config and /var/log/Bastille/TODO, and save a copy of those files. You can reproduce a Bastille configuration by copying the config file back to /etc/Bastille/config on the new system and running 'bastille -b'. Obviously this will only work well if the new system's setup matches the original on which Bastille was first run. Hence the need for a baseline.


Koen Noens
July 2006
