Most Linux vendors provide information on available updates. For instance, Red Hat publish their list at www.redhat.com/security/updates/notes. (Information on Red Hat’s update and support policies, including how to sign up for automatic notification of errata is at www.redhat.com/security/updates.)

Other distro users can find links at Linux-Sec.net’s list of online security patches and updates by vendor.

Bastille

With the basics of manual hardening down pat, let’s check out a free open-source tool to automate and simplify the process. Bastille will disable unnecessary services and install operating system updates as well as configure a firewall, enforce password policies, create a second root-level account and more. What’s nice is that Bastille leads the user through a simple series of yes/no questions, giving a detailed explanation of why each question is asked and what will happen if ‘yes’ is chosen. It doesn’t merely expect guesswork, nor does it blindly alter your system – instead, it genuinely hardens your computer and educates on security in the process.

Pleasantly, you’re also not locked in to Bastille’s changes should you decide some of the setting changes weren’t for you. Running RevertBastille automatically restores the state of all config files and settings to just how they were before Bastille made any changes. Obviously, if you make changes to your system manually after running Bastille, you will lose these too so it is best to test changes as soon as possible after applying to ensure you won’t harm anything else if you need to revert.

Unfortunately, Bastille is not for everyone: versions exist for Red Hat, SUSE, Debian, Gentoo and Mandrake (as well as non-Linux UNIX variants HP-UX and MacOS X). If you do run one of those systems, you really are well-advised to run Bastille. You can download the latest version from SourceForge.

Let's give Bastille a run-through.