HP-LX 1.0 Secure Linux

kengreenebaum writes: "Webtechniques has a short but interesting article on HP's approach to a secure but expensive LINUX distro. Basically they started with RedHat 7.1 and added compartments; an extension to the age-old chroot jail concept where the processes representing major services run. Kernel extensions allow HP (or the administrator) to specify which compartments can access which kernel resources including individual files, network stacks, and each other. HP has Technical Product Brief as well as other material online. Interesting to compare HP's approach to that of the NSA's Secure Linux projects. These concepts sound like a solid way to prevent buffer overflow type security holes in individual services from compromising the entire machine. At $3000 HP-LX is too expensive for many to experiment with but the NSA's code seems to be more readily available. Anybody have experience with these distributions or with similar approaches to Linux security?"

What about GPL, GNU, etc?

[headkase]

Doesn't HP have to release their source code to comply with the GPL?

Re:What about GPL, GNU, etc?

[pmcneill]

Yes and no. They have to release the source to the people to whom the product is distributed. However, they don't have to make it publically available. The catch is that the people who receive the source can also redistribute it at will. As someone else pointed out, the source is available here.

I expect, however, that HP has some proprietary stuff that's included in non-GPLd binaries.

Re:What about GPL, GNU, etc?

[Mike+McCune]

The kernel modifications are released under GPL but the administration tools are traditional closed source, which complies with the GPL. Anyone is free to write their own administration tools if the wish. Many large companies would prefer the support of HP rather than "rolling their own".

Missed Point: HP all about business

[EchoMirage]

There's a missed point in discussing whether or not HP-LX is practical or whether or not it's worth $3000. HP's target market is and always has been big businesses. What they've done in providing a secure, robust Linux implementation is to take away IT manager's number one fear about Linux: that's it's somehow "insecure."

Practically speaking, it's safe to assume that nobody is going to run out and nuke HP-UX 11 off their servers in favor of this - HP-UX is still very far ahead of Linux (and some of its competition) in several important areas. However, for IT managers interested in considering a partial migration to Linux, this gives them a stable and secure path on which to begin to venture down, and undoubtedly one that's also covered by their existing support contracts with HP.

Re:Eh? How can they get away with selling that?

[inburito]

Uh.. How about you go download the GPLed code from hp's site right now instead of speculating about what people could do.

However.. You are not going to get the closed source administration tools without which the kernel mod's are almost worthless. You also don't get a fully set up distribution with all the configuration and will have to duplicate all the effort that went into creating it.

If you want to be reasonably sure that your version is secure you'd have to perform extensive testing on it and have a lot of really smart people take a look at it. This is actually the easiest part as it follows normal linux development method. Still, whose ass is on the line if things are not as secure as they should be?

And you can bet your ass that anything that doesn't need to be GPLed is not and it comes with a very strict HP license that specifically forbids any disassembly, resale, etc.. Support contracts probably also include a clause that you have to have purchased the official hp distribution..

Re:Low confidence in anything from HP

[Bruce+Perens]

I agree that the HPUX folks do sometimes seem to lose sight of the fact that there is an outside world that, for the most part, doesn't run HPUX. But fortunately I work on Linux. HP has contributed a lot to free software: the IA-64 port of the Linux kernel is led by David Mosberger of HP and is all GPL, of course. HP spends about 1/2 Million per year just on salaries, benefits, and overhead for 4 of the key Samba developers. And a number of HP projects like Cooltown have come under the GPL. And of course they pay for all of my political efforts on behalf of free software - working on software patent issues, speaking, writing, etc.

Bruce

Looks like "Secure Linux for Retards"

[dwbryson]

Ok, I feel that putting some peices of security in an OS kernel is a good idea. It allows you to have a lot of control over what goes on on a system, however it's not always the best idea for certain things. This distro it seems is that + *basic* system security...

HP-LX includes pretty much every security tool for Unix imaginable, and defaults are set up with security in mind right out of the box. For example, HP-LX allows command shell access only via the system console or SSH (encrypted) connections. HP forces you to use OpenSSH by including a procedure for creating and installing the keys during the OS installation.

This is a no brainer for anybody who is semi secruity concious. And

HP-LX's installer won't install unneeded services. This is probably one of the best things you could do on your existing server; remove everything that you don't absolutely need.

Comon people, every semi decent sysadmin knows this. Maybe I'm expecting too much from people (the number of people that complain to me about not being able to use telnet is disgusting) The added chroot jail stuff is neat, and no doubt helpful, but this distro really looks like it is not worth 3k. Any competent Linux admin could set this up with a couple days work. That doesn't mean his manager will approve... they would buy the MP distro because it would make them feel warm and fuzzy inside, even if their admin could design a better distro. When the article first off proclaims things like:

Pros: Currently the most secure commercially available Linux system.

I can generally discount most of what it has to say. Security is a process not a product.

Re:There are major problems with compartmentalizat

[SuiteSisterMary]

Not installing X doesn't cause the kernal to take note, and alter how it treats the system calls in question.

Re:There are major problems with compartmentalizat

[Oggust]

Well, kernel bugs will still get you, no doubt about that. You can compartmentalize the kernel itself, at least to some point, but that's kind of a separate problem.

Kernel bugs aren't the big problem though. Look thru bugtraq and see what the kernel/user-app ratio of security problems is.

Now look at how many of the kernel level bugs that are remotely exploitable. (Ummm, I mean exploitable from remote, not that they're unlikely.) Not to say that local problems aren't problems too, but they're a lot easier to manage.

You're right about the bug whack a mole, but this time you'll be playing on a table with most of the moleholes plugged.

The X thing is a bit of a red herring. The problem is that it has hardware access (disregarding fbdev and stuff like that), and hence (from a security POV) could almost just as well be part of the kernel. Solutions:

• Don't run it. And don't allow other processes the priviliges it would/could have had. (This is easy with any MAC and even DAC system, X is always a bit of a special case.) The Selinux system is very fine grained and you can grant a subject a capability or not depending on its' type.
• Compartmentalize X itself. To some extent this is getting worked at, but not (mostly at least) for that reason.

(X apps are a little different from other apps, since they have other IO options (Atoms, cut+paste buffer etc.) Look up CMW (Compartmented Mode Workstation) if you want to get into that.)

But even if you can't do a thing about X, this is still worthwhile. Think about someting like xntpd. It's root because it needs to open a low port and because it needs to be able to update the system time. But there's no reason that it needs to be able to, say, mount filesystems, read protected files, or load kernel modules. with traditional unix security we can't do that, but with this stuff we can. The attutude that "because it only fixes 99% of the problem, it's not worthwhile" has been a problem long enough.

/August, once a sysadmin on a B1 system.

What the price tag really means.

[lkaos]

What's most important about the price tag, is that HP is backing a secure version of Linux. It's not really 3K for some fancy GUI tools, but 3K for the tools and for HPs guarentee that this is actually going to work.

It's not really that expensive. In fact, I'll probably recommend it to the company I work for. If your company is security conscious, and you don't want to have to maintain something, then this seems like a great option.

This is probably one of the first really good business plans I've seen with Linux. The greatest part is that HP didn't try to mess around and not release the kernel stuff. So, they've helped out the community by adding a cool concept (I always hated that Linux does have jails) and they also are delivering a good, reasonably price, product.

I am of course assuming that this software works :)

If you do the math though for a server running Windows NT plus an email server, web server, and remote admin package that would be as robust as what Linux has, then it's a no brainer which one is cheaper.

Especially since alot of software is based on the number of users (especially email suites). So you kind of end up getting screwed when you hire more people.

Re:There are major problems with compartmentalizat

The thing is, even if kernel holes are not remotely exploitable, userland holes make it possible to exploit kernel holes locally...thus rendering compartmentalization irrelevant.

Yes, kernel holes are implementation or design bugs that should be fixed. Ideally, compartmentalization would be a decent security solution for userland, although if the kernel is secure then finer-grained access controls are just as good (and IMO nicer).