Running Bastille on Annvix
Just for kicks, I downloaded Bastille 3.0.9 and tossed it on a VMware install of Annvix that’s a pretty basic un-tweaked default install (not too much extra installed). I had to muck with Bastille a bit since it doesn’t recognize Annvix, so I made it think it was a Mandriva 2006.0 install (Bastille doesn’t look to be overly updated in terms of keeping up with the distros).
Out of the box it gave Annvix a 7.11 score (out of 10) although some of it is a little bogus. A full assessment report can be seen on the Bastille site so you can see what it’s checking for.
Some of the bogus module responses included the “Are clear-text r-protocols that use IP-based authentication disabled?” (Bastille said no, but the r-protocols aren’t available on Annvix so it should have been a yes); “Are root logins on tty’s 1-6 prohibited” (Bastille said no, which is sorta accurate… root logins are only available on tty1, not any others); there was one question about xinetd and another about inetd that were both no’s, but since Annvix uses neither, they should have been yes instead. The combined score modifier there would have been an additional +3.00 at least, although I’d give it a +3.17 since 1/6 ttys allow root.
Not quite sure where that would have put the overall score since these contribute a 1.00 score, but there are some 50+ items, so I assume it must be some kind of division although I wouldn’t want to put an arbitrary number on it.
Of course, a few things are quite simple and account for personal taste and wouldn’t be something I’d foist on someone by default, such as server-wide disabling of following symlinks, disabling SSI, and CGI scripts (all in Apache). There’s an item about more restrictive permissions on administration utilities, but it doesn’t indicate all of the items and I’m assuming it is only checking whether they’re mode 700, instead of being something like 750 and owned root:admin or something similar. Also, it mentions the default umask being minimal… well, tried that, and it somewhat borked a whole lot of services so that had been quickly reverted.
It did point out that perhaps we should password-protect single-user mode. That may be an item to add to the installer at some point. It also notes “Authorized Use” messages being displayed at login... not something I would add by default. It also noted that process accounting wasn’t activated, and I just realized that Annvix is missing psacct, so I should probably add that.
All in all, the assessment came out pretty good. A few little things that need to be dealt with I guess, but nothing critical or urgent. It’s a shame I don’t have a copy of Mandriva 2006 to see how it scored out of the box as a comparison.
