Domain: engardelinux.org
Stories and comments across the archive that link to engardelinux.org.
Comments · 8
-
Re:Have they decided to implement security yet?Engarde Linux SELinux OpenBSD Integrated Cryptography
That is the battle you're discussing.
SELinux vs Integrated Cryptography.I'm pretty sure they are both going to have trade offs.
-
Re:Manage Unix/Linux Systems?
-
Re:Q: best way to learn it?My only experience with SELinix has been when an old reliable sysadmin procedure stopped working. I acknowledge that I need to know more. Should I pop for the (overpriced, IMO) O'Reilly book, or plow through the online stuffs?
The O'Reilly book is very outdated, most of it talks about the SELinux implementation in FC2 IIRC, and a LOT has changed since then. You'd be better off with the online stuff until that book gets revised.
<shameless plug>
I wrote a series of four articles on SELinux you can find here: 1 2 3 4 and the company I work for has an SELinux strict policy server distro available here.
</shameless plug> -
Re:Secure Computing Corporation
Yeah I did some googling after I posted, and the patent issue is pretty old. This LWN article is interesting on the subject, and apparently if the commenter ejhuff is correct the first two patents are already expired and the final patent expires in June 2006. It hasn't scared Red Hat away from implementing SELinux.
Either way, it hasn't stopped my employer from implementing SELinux in our product, either. Blatant plug: download our LiveCD if you'd like to check out our SELinux implementation. -
ResourcesYou should probably look at
lwn.net/Distributions/Specifically, lwn.net/Distributions/index.php3#secure and possibly also the special purpose distros (mini, floppy, cd, whatever).
Engarde, Immunix, and Openwall are all designed to be secure platforms for server or firewall development.
If you want something small, you might look at LEAF or Coyote or Wolverine. Coyote is free, Wolverine is $30-$120 depending on which license you need.
Personally, I'm using Astaro (free for personal use). It seems to be well designed from a security perspective (everything is chrooted, etc.), but it is not easy to customize the web interface, etc. A 'pluspack' is downloadable which includes gcc, etc, or you can compile on RedHat if you have the right versions of all the libraries.
-
Re:bug #285
Solar Designer wrote a patch for 3.3p1. It'll probably work on 3.4 as well.
-
Secure LinuxesAt the Linux Showcase in November I attended HP's presentation on Secure Linux and if you sweet talked the HP guys they would unlock the secret cabinet and give you a copy of Secure Linux. I also did a term paper on SE Linux last semester.
The two OSs are fairly similar in what they hope to accomplish -- isolate the risky software and users from the rest of the system so if something bad happens it doesn't take everything down. From the sound of the HP presentation, this is all HP Secure Linux does. You create compartments and then specify what the compartment can do. You can do the same thing with the NSA's SE Linux and much much more. I was really impressed with the flexibility offered by SE Linux. You can setup your system with about any security policy you like. The biggest problem is the great complexity. You need to do a good deal of research before even thinking about modifying the sample security rules that come with SE Linux. There are thousands of rules in the included security policy. This is where HP Secure Linux probably has an advantage--it's a bit simpler to user. Though I haven't had a chance to try it out yet.
You don't really need to pay $3000 for it either. The kernel patches are GPLed and part of the kernel security interface used by SE Linux also (NSA and HP have cooperated here). You are really paying for the tools, but those are just programs that make certain sys calls. It shouldn't be a problem to write your own open source versions. Though there might be a nice gui that would take more work to create.
If you are interested in secure linuxes also take a look at Immunix and EnGarde. Both also have kernel level security controls, but not to the level of NSA Linux. Immunix has a comparment system like HP Secure Linux called SubDomain. EnGarde uses the Linux Intrusion Detection Project.
A paper doing a detailed comparison of the four would be welcome!
-
Re:Question - How many security options do we haveI want know if there are OTHER secure (and/or ultra-secure) version of Linux distros out there?
These are the ones I know about:
Immunix (seem to ship a secured Red Hat)
Kaladix Linux
Can't say if they are any good, I'm afraid. I'm too happy running Debian!
-- shaka