I'm thinking about making a "secure your Fedora" script

The thing with Fedora is the same as with Ubuntu. Its a safe OS but has a lot of bloat and security hassards running by default, its optimised for usability and not as much for security.

So my Idea was to make a simple script somehow that asks the users questions and configure Fedora based on their needs and according to NSA guidlines + the fedora security manual and of course what the user need.

Instead of what the user may need. Note however that I plan on having it ONLY make changes that the user wishes for, but the program should guide the users to what changes could be a good idea to make.

The idea is to have questions like: Will you be using IPv6? If not the program disable it all togheter, if yes the program pops up a lot of options (text based) and helps the user to take action and configure the protocoll more securley (if they wish, or they move to the next thing..).

And possible also have this program run a security check to see how well the system is configured according to these guidelines. The thing here is that I wasn't planning on using anything graphical, just a simple "Y/N" questions and "cat", "cd", "rm" etc basic commands and stuff of that nature, the script will be acessing and altering a lot of files, however what would you guys reccomend that I use to make this happen?

Also is there any stuff of this nature out there?

And whats your thoughts on a small "project" like this? Will it come to any use?

[jpollard]

By the time you research all the alternatives, things will have changed...

But you would have a document that would be VERY helpful.

Quote:

Originally Posted by jpollard

By the time you research all the alternatives, things will have changed...

But you would have a document that would be VERY helpful.

I understand that it may not have all the alternatives (tweaks) offered at all the given time but at least most of the suggested (important changes) should be possible to set with my program.

Covering a few security hassards is better than covering nothing is my motto. I won't be presenting anything new except making the process of making most of the documentated security changes a bit more automatic.

It will be for people that enjoy tweaking or just want a higher security setting but are too lazy to read manuals and manually change all the things. Ofc it won't have all the possible tweaks in the world, but hopefully the basics from NSA (that apply to Fedora) is a good start. I plan on covering the standard setup basically. Meaning the programms that comes with a fresh installation.

Now I need some suggestions as to what I should use to make this happen. I have a lot of experience coding stuff in PHP/ajax and databases, but not so much in coding native applications.
I really hope I can make the "program" ready for the Fedora 16 release, tho I understand that my expetations may be unrealistic. Lol.

[beaker_]

Quote:

I understand that it may not have all the alternatives (tweaks) offered at all the given time but at least most of the suggested (important changes) should be possible to set with my program.

Covering a few security hassards is better than covering nothing is my motto. I won't be presenting anything new except making the process of making most of the documentated security changes a bit more automatic.

It will be for people that enjoy tweaking or just want a higher security setting but are too lazy to read manuals and manually change all the things. Ofc it won't have all the possible tweaks in the world, but hopefully the basics from NSA (that apply to Fedora) is a good start. I plan on covering the standard setup basically. Meaning the programms that comes with a fresh installation.

Now I need some suggestions as to what I should use to make this happen. I have a lot of experience coding stuff in PHP/ajax and databases, but not so much in coding native applications.
I really hope I can make the "program" ready for the Fedora 16 release, tho I understand that my expetations may be unrealistic. Lol.

The most vulnerable system is one you don't understand. Those systems will always have or suffer from ID10T and between keyboard & chair failures. But +1 for it being a very good document.

Quote:

Originally Posted by beaker_

The most vulnerable system is one you don't understand. Those systems will always have or suffer from ID10T and between keyboard & chair failures. But +1 for it being a very good document.

Ok, do you have any suggestions for a good language to use when I attempt to make this "project"? I would appriciate a language that can do this but also with a learning curve that isn't too high.

[jpollard]

I would suggest starting with English.

Document what you want to do - finding the appropriate implementation language should be relatively easy once you know how complex the solutions will need to be. Initial guess would be python, as it is easily tested, has GUI capability, and can perform rather complex tasks that are awkward to do in other scripting languages.

Quote:

Originally Posted by jpollard

I would suggest starting with English.

I know my spelling isn't perfect tho I do my best to become better.

Quote:

Originally Posted by jpollard

Document what you want to do - finding the appropriate implementation language should be relatively easy once you know how complex the solutions will need to be. Initial guess would be python, as it is easily tested, has GUI capability, and can perform rather complex tasks that are awkward to do in other scripting languages.

Can you reccomend a pyton package that works with Fedora and also has a GUI? : )

[jpollard]

Fedora includes python, though I'm not familiar with the GUI, a number of the menu utilities are written in python.

[fedvasu]

i second python , anaconda is written in python (GUI).

yum is written in python (CLI)

two of the most popular and important programs.

---------- Post added at 07:14 AM ---------- Previous post was at 07:10 AM ----------

a quick update, you may wanna use either tkinter for writing GUI,which is in standard library of cpython but in Fedora you have install it

yum install tkinter

but there are very good bindings to QT4 both in legacy python 2.x and python 3.x.

GTK thing is kinda complicated, so don't worry about GTK.

[markkuk]

Quote:

Originally Posted by birdwatcher

So my Idea was to make a simple script somehow that asks the users questions and configure Fedora based on their needs and according to NSA guidlines + the fedora security manual and of course what the user need.
(...)
Also is there any stuff of this nature out there?

Yes, Bastille does basically what you intend your script to do. Its development seems to have stagnated a couple of years ago.

[jpollard]

Bastille pretty much collapsed after SELinux was merged into the kernel.

What it did was pretty basic - check uids/gids, check processes, validate file configurations. I believe it also could establish chroot jails for some services.

What it couldn't do was be general use - there were just too many different configurations people wanted. It also couldn't secure services that were locally developed, or came from outside the distribution.

SELinux can do that.

Guys I checked out Python but also I looked at shell scripting. Anyway I made a simple script in shell, no way complete.

If someone is willing to test my script I would be happy...

anyway:

http://www.mediafire.com/?zfb4rgwyr3ew1j2

This script is meant to be running on Fedora 15 and only covers some basics, it shuldn't mess up anything since I only included so little, and I purposley left out stuff that I felt was very dangerous. as stated: its only some of the very basics, as of now. If this script is usefull I may improve it and make sure that its more complete and more fault tollerant. Feel free to test it and tell me if this is a keeper.

To run this script:

1) place it in your home folder.
2) right click -> properties. Permissions -> thick the box "allow executing file as program"
3) open a terminal window, log in as 'su -' lunch the file from the terminal (one way to do this is by draging "my file" to the terminal window when running as su -).
4) the program should have started by now..

[sea]

Hmm had a 1 minute waiting on mediafire, nothing happend (there was a loading symbol though)t, so i closed it.

Thats odd, download link works from here. Thanks for letting me know and showing intresst, here is 2 new links if you still want to try it out:

http://www.sendspace.com/file/sp32i4
http://www.speedyshare.com/files/309...uxsecscript.py

The script only covers very little as of now, but I may expand it if its useful to someone.

Mostly I want some feedback on the way changes are made and if the program is understandable if possible.

[droidhacker]

Don't waste your time writing scripts. Unless the script is validated and included in Fedora itself, it will be useless. The NUMBER ONE WORST possible thing that ANYONE can do, is running some script they downloaded from the internet as root. Even if you make it with the best of intentions, it would be SO ABSOLUTELY STUPID for anyone to actually run it without understanding EVERY SINGLE LINE OF IT, that it should be CRIMINAL.

If somebody is going to go to the trouble of learning every single line of your code, they would be far better off just securing everything themselves.

FOCUS ON DOCUMENTATION AND RECOMMENDATIONS. Give people suggestions about what they can do to secure their systems. Don't give them code to run, since their acceptance of that code would prove that they are complete retards.

I.e., how can they possibly know that you are trustworthy? Maybe you're a hacker and built a rootkit and are passing it off for the complete opposite. I'm not saying that you are, but how do "they" know?