It's impossible to give complete instructions on how to configure any given machine; the details vary greatly depending on what version of Unix you're running and exactly what you intend to do with the machine. This chapter is intended to give you an outline of what needs to be done, and how to figure out how to do it. For more complete configuration details, you will need to look at resources that are specific to your platform.
Useful Unix CapabilitiesEvery operating system has certain special capabilities or features that can be useful in building a bastion host. We can't describe all these capabilities for all systems, but we'll tell you about a few special features of Unix because it's a common bastion host platform:
- Every Unix user has a numeric user identification (uid ) in addition to his or her login name and belongs to one or more groups of users, also identified by numbers (gids). The Unix kernel uses the uid and the various gids of a particular user to determine what files that user has access to. Normally, Unix programs run with the file access permissions of the user who executes the program. The setuid capability allows a program to be installed so that it always runs with the permissions of the owner of the program, regardless of which user is running the program. The setgid capability is similar; it allows the program temporarily (while running the program) to grant membership in a group to users who are not normally members of that group.
Environmental modifications, such as those made by setuid/setgid and chroot, are inherited by any subsidiary processes a program starts. A common way of restricting what the programs on a bastion host can do is to run the programs under "wrapper" programs; the wrapper programs do whatever setuid/setgid, chroot, or other environmental change work is necessary, and then start the real program. chrootuid is a wrapper program for this purpose; Appendix B, "Tools", gives information on how to get it.
- The chroot mechanism allows a program to irreversibly change its view of the filesystem by changing the program's idea of where the root of the filesystem is. Once a program chroots to a particular piece of the filesystem, that piece becomes the whole filesystem as far as the program is concerned; the rest of the filesystem ceases to exist from the program's point of view. This can provide a very high level of protection, but it is by no means perfect. Programs may not need access to the filesystem to achieve nefarious ends, particularly if they have large numbers of other permissions.
Although Unix suppliers differ vastly in their openness about security issues, the difference in the actual security between different general-purpose versions of Unix is much smaller. Don't assume that the publicity given to security holes reflects the number of security holes; it's a more accurate reflection of the popularity of the operating system and the willingness of a vendor to admit and fix security problems. Don't assume that proprietary versions of Unix are more secure than open source versions, either; paying money to a vendor doesn't guarantee that they care about security, only that they care about money. Ironically, the operating systems with the most worrisome tales may be the most secure ones, because they're the ones getting fixed.
Some versions of Unix are particularly designed for security and are therefore particularly suited for use in bastion hosts. "Designed for security" means different things to different vendors. It ranges from relatively minor changes to the packages that are installed (for instance, the Debian Linux distribution tries to install securely, and the SuSE Linux distribution provides a post installation security script) to major changes to the internals (for instance, OpenBSD has made significant changes to all parts of the operating system).
Several commercial vendors offer secure versions of their operating systems that are designed to meet government security needs. These versions usually lag behind the main releases (the government approval process is slow) and may not support all the add-on products that the main releases do. On the other hand, the auditing capabilities they offer are useful for bastion hosts. If you can afford the extra cost and the delayed release schedule, these operating systems are a good choice for bastion hosts.
|10.12. Protecting the Machine and Backups||11.2. Securing Unix|
Copyright © 2002 O'Reilly & Associates. All rights reserved.