Battle of the Secure Distros
CrazyEd writes "LinuxSecurity is reporting that EnGarde Secure Linux has received the Network Computing Editor's Choice award to win the battle of the Secure Linux distributions. Well deserved, me thinks." Update: 06/10 15:16 GMT by T : An anonymous reader points out that Linuxlookup.com reviewed this distro last week, awarding it a perfect score.
NSA SELinux is (currently) not meant to be a secure Linux distribution. It's rather something like a "Demo"-Implementation of MAC in the Linux-Kernel.
Quotes: NSA SE-Linux FAQ
13. Is it secure?
[...] Put another way, "secure system" means safe enough to protect some real world information from some real world adversary that the information owner and/or user care about. Security-enhanced Linux is only a research prototype that is intended to demonstrate mandatory controls in a modern operating system like Linux and thus is very unlikely to meet any interesting definition of secure system. [...]
16. Did you try to fix any vulnerabilities?
No, we did not look for or find any vulnerabilities in the course of our work. We only changed enough to add our new mechanisms.
You can find the full SE-Linux FAQ here
The i386 (i486 and i586) version
i386 "Bonus" Package
The i686 version
i686 "Bonus" Package
------
Random, useless fact: I type in startx entirely with my left hand.
If the EGOVOS announcement goes beyond vapor, CC may be in the future of Linux. For some reason though Slashdot just won't accept that as a story.
BTW, you might want to get a handle on the basic background of CC before shooting your mouth off. TCSEC is no longer accepting new products for evaluation, though those who started the old process can finish it. Common Criteria really means it now. Read the friendly website.
~~ What's stopping you?
SELinux isn't designed to be a standalone distro, but a set of enhancements to common software that is in all distros.
Later,
Phil
LinuxSecurity is the same company as EnGarde Secure Linux, but they didn't write the review, they just linked to it (as they should, it's good and free marketing for them). The review was done by Network Computing who is not affiliated with them.
http://www.networkcomputing.com/1312/1312f33.html#filter
try reading the article before making false claims.
Even Linuxlookup.com ( http://www.linuxlookup.com/html/reviews/software/engarde1.1.html ) gave Engarde Linux a perfect score last week and they don't even have ads!
Doesn't mean the editors at Network Computing were biased during the review for selling ad space.
bah
A week ago I probably would have answered Slackware, being a die-hard Slackware geek for my entire Linux life. But last week I found out about Gentoo, and I have to say I like it. Especially for security. After you're done the install you're left with a VERY minimal system, there are ZERO services running, hell there are no services installed on the box. You have to explicitly install any services that you wish, which is nice because you don't have any weird stuff installed on your system without your knowledge. Yes, this isn't for newbies who can't spell ls, but for the long-time unix geek who does everything manually already, this is the way to go.
I'm disappointed that they didn't include Kevin's Red Hat Uber Distribution. Kevin Fenzi is the author of the Linux Security HOW-TO, and the hardened version of Red Hat that they produce has served me quite well for over a year.
this is getting old and so are you
I start with a shell alias like this:
alias nsl='netstat -alnp --protocol=inet|cut -c-6,21-94|tail -n +2|grep -v ESTABLISHED|grep -v CLOSE_WAIT'
At a glance you will see what services are running and listening to ports. The "Local Address" column is the most useful. Anything starting 127.0.0.1 can be safely ignored, the rest will be based on what you feel you need.
As a general rule, boxes I configure offer WWW (port 80), SMTP (port 25), POP3 (port 110) and DNS (port 53). I turn everything else off, or if I do need it, I firewall it (see later).
Now, how to get rid of things. Obviously, this varies from thing to thing, but take for example the lines starting
udp 0.0.0.0:2599
tcp 0.0.0.0:
udp 0.0.0.0:111
Now, as I'm not running NFS or NIS, I don't need any of these services. If you're not sure what, say, port 111 is, the -p option to netstat is great - it lists the PID and process name, so we know to close down portmap. Now, this is started by /etc/rc.d/init.d/portmap via a symlink in /etc/rc.d/rc3.d (assuming you start in runlevel 3). Simply rename the link there to start with a K, like this:
/etc/rc.d/rc3.d/
./K86nfslock_S14 stop
./K87portmap_S13 stop
[root@pootle init.d]# cd
[root@pootle rc3.d]# mv S14nfslock K86nfslock_S14
[root@pootle rc3.d]# mv S13portmap K87portmap_S13
[root@pootle rc3.d]#
Now, run netstat again, and see what ports remain for you to tidy up. You'll probably remain with ones that you really do want to keep, e.g. postgres on 5432, tomcat control on 8008, MySQL on 3306, etc...
This would normally be a job for the firewall. If you have one, use it! However, just in case a machine inside your net is compromised, you can run additional filtering rules on every machine. For instance, my /etc/sysconfig/ipchains file looks like this:
# open up the POP server
-A input -p tcp -s 0/0 -d 0/0 110 -y -j ACCEPT
# open up the WWW server
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
...
# close all reserved ports
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
# protect mysql
-A input -p tcp -s 0/0 -d 0/0 3306 -y -j REJECT
# protect postgres
-A input -p tcp -s 0/0 -d 0/0 5432 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 1026 -j REJECT
and so on. Basically, the theory is, explicitly open up the ports <1024 that you want to allow access to, and block anything else to the privileged ports. Then, by default allow all higher ports access (otherwise, you'll get problems connecting from the machine to other machines), but explicitly close services you don't want publicly available, e.g. databases, etc...
Other stuff you'll want to do is remove telnet and ftp from your machine and install openssh. With both of those protocols, you run the risk of passwords being snooped along the way, and ftp gets hacked fairly regularly. If you do need to upload files regularly from Windows machines, check out WinSCP2 - it's really good.
Next off is protecting services that have a track record of being hacked, such as named. There are several tricks; running as a non-root user is always best if you can, running in a chrooted environment is better still. The first gives the program so few privileges that it can basically only access files it owns. Good, unless you have local root-exploitable holes. The second runs the application completely in a sandbox, where it sees a very restricted view of the directory system, e.g. on my machine, all DNS data lives under /chroot/named, and if it was hacked, the best they'd be able to do is destroy DNS data. This can be complicated to set up, and I'd advise you to search the web for in-depth discussions.
I will often use a combination of techniques, e.g. DNS on my systems run as user named, live in a chrooted filesystem, and also have packet filtering rules, so that they only talk to machines which are dedicated secondary DNS servers.
Of course, you also need to audit anything that is left available. If you run CGI scripts that will accept data unchecked and pass it to a shell command, your machine will be compromised. Keep an eye on security mailing lists or websites - if you run software that vulnerabilities are discovered in, you need to patch them quick, e.g. SSH bugs found a few months ago, etc... But by keeping things down to an absolute minimum (using separate boxes for each service if you can) and really considering who needs to use them, you stand a good chance of being really secure.
This is getting too long now! Hope some of this helps...
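The audit the comment above walks through by hand (list sockets with netstat, ignore established connections and loopback-only binds, compare what is left against the four services the box is meant to offer, then write REJECT rules for the rest) as one script. This is an added example, not code from the original comment; the netstat output is constructed, the allowed-port list follows the comment's WWW/SMTP/POP3/DNS policy, and the generated rules reuse the ipchains syntax shown in the comment but are only printed for review, never applied.

```shell
#!/bin/sh
# Constructed sample of `netstat -alnp --protocol=inet` output; not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      812/httpd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      640/sendmail
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      455/portmap
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      901/mysqld
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      955/postmaster
tcp        0      0 10.0.0.5:80             10.0.0.9:43120          ESTABLISHED 812/httpd
tcp        0      0 10.0.0.5:22             10.0.0.9:43121          CLOSE_WAIT  700/sshd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           512/named
udp        0      0 0.0.0.0:111             0.0.0.0:*                           455/portmap
udp        0      0 0.0.0.0:2599            0.0.0.0:*                           455/portmap'

# Services this box is supposed to expose (assumption: the comment's WWW/SMTP/POP3/DNS policy).
ALLOWED='tcp/80 tcp/25 tcp/110 udp/53'

# audit_listeners NETSTAT_TEXT
# Prints "proto port pid/program" for every socket that is reachable from the
# network and not on the allow list. Established or half-closed connections and
# sockets bound only to loopback are skipped, as in the comment's alias.
audit_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^(tcp|udp) / {
            # a live connection is not a service to tidy up
            if ($6 == "ESTABLISHED" || $6 == "CLOSE_WAIT") next
            # split "host:port" on the last colon so IPv6-style addresses do not break it
            n = split($4, f, ":"); port = f[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            # loopback-only binds cannot be reached from the network
            if (host == "127.0.0.1" || host == "::1") next
            if (($1 "/" port) in ok) next
            # PID/Program name is always the last field (udp lines have no State column)
            print $1, port, $NF
        }'
}

# suggest_reject_rules < audit output
# Turns each leftover listener into an ipchains rule in the comment's own
# syntax (-y limits TCP matching to SYN packets). Output is for review only.
suggest_reject_rules() {
    awk '{ syn = ($1 == "tcp") ? " -y" : ""
           print "-A input -p " $1 " -s 0/0 -d 0/0 " $2 syn " -j REJECT" }'
}

# Stand-alone run: list what is left to tidy up, then the rules that would cover it.
audit_listeners "$SAMPLE_NETSTAT"
audit_listeners "$SAMPLE_NETSTAT" | suggest_reject_rules
```

On the constructed input the audit reports portmap (tcp and udp 111, udp 2599) and postgres on 5432, and nothing for mysqld because it is bound to 127.0.0.1 only. The right fix for portmap is still the one in the comment (stop the service), and a rule should only be kept for something you actually need running but not reachable.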