Introducing the Bastille Hardening Assessment Tool

Presented at DEF CON 13 (2005), July 31, 2005, noon (50 minutes)

Bastille has been re-released as an assessment and hardening tool. With the help of the US Government's TSWG, we've added full hardening assessment capabilities, complete with scoring. This allows Bastille to measure and score an individual system's security settings against user-provided guidelines, possibly before allowing a system onto the network. Security or system administrators can use this to assess the relative state of a given system compared to Best Practices, to other systems in the organization, or to an organization-supplied minimum standards file. They can also use it to learn what hardening steps would be helpful for the given system. Bastille's new mode can even help in verifying compliance with new legislation, including Sarbanes-Oxley, GLBA and HIPAA. It can also help in lowering insurance premiums: AIG, the largest provider of cybersecurity insurance, decreases premiums by 15% for organizations following best practices in proactive defense.

Open source tools have hardened systems in the past (Bastille, Titan, YASSP), while free or open source tools have measured security settings in the past (COPS, CIS Unix Scoring Tool). No popular open source tool besides Bastille can do both, using the weaknesses found in an audit to harden systems. This functionality would normally be found only in a separate tool and thus warrants the re-release of Bastille.

We originally released Bastille Linux/Unix in 1999 as a host hardening tool, built to tighten security settings on a system, set stronger policies on that system and educate system administrators. Bastille has been extremely popular and has since been ported to seven Linux distributions, OS X and HP-UX. Support for FreeBSD and Solaris is underway. Bastille ships by default with Gentoo, Debian (apt-get) and HP-UX, the latter of which has made it part of the installer and contributes two developers to the project.

Presenters:

  • Jay Beale - Lead Architect, Bastille Linux
    Jay Beale is an information security specialist, well known for his work on mitigation technology, specifically in the form of operating system and application hardening. He's written two of the most popular tools in this space: Bastille Linux, a lockdown tool that introduced a vital security-training component, and the Center for Internet Security's Unix Scoring Tool. Both are used worldwide throughout private industry and government. Through Bastille and his work with the Center, Jay has provided leadership in the Linux system hardening space, participating in efforts to set, audit, and implement standards for Linux/Unix security within industry and government. He also focuses his energies on the OVAL project, where he works with government and industry to standardize and improve the field of vulnerability assessment. Jay is also a member of the Honeynet Project, working on tool development. Jay has served as an invited speaker at a variety of conferences worldwide as well as government symposia. He's written for Information Security Magazine, SecurityFocus, and the now-defunct SecurityPortal.com. He has worked on four books in the Information Security space. Three of these make up his Open Source Security Series, while one is a technical work of fiction entitled "Stealing the Network: How to Own a Continent" (<http://www.oreilly.com/catalog/1931836051/index.html>). Jay makes his living as a security consultant with the firm Intelguardians, which he co-founded with industry leaders Ed Skoudis, Eric Cole, Mike Poor, Bob Hillery and Jim Alderson, where his work in penetration testing allows him to focus on attack as well as defense. Prior to consulting, Jay served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and push security into the third largest retail Linux distribution.
