Slashdot Mirror


Battle of the Secure Distros

CrazyEd writes "LinuxSecurity is reporting that EnGarde Secure Linux has received the Network Computing Editor's Choice award to win the battle of the Secure Linux distributions. Well deserved, methinks." Update: 06/10 15:16 GMT by T : An anonymous reader points out that Linuxlookup.com reviewed this distro last week, awarding it a perfect score.

12 of 158 comments

  1. Admin by sofist · · Score: 5, Insightful

    A distro (or any software for that matter (yes, Windows too)) is only secure if the admin who runs the distro knows what he is doing.

    1. Re:Admin by alapalaya · · Score: 5, Insightful

      I disagree with you. I think that to be a good sysadmin is quite difficult and requires a lot of study, trial and error and passion. (Please note, I'm not a sysadmin, even if I can accomplish the easier sysadmin tasks).
      In particular, you must know in deep detail all the technologies involved in a complex networking environment (they are countless: DNS, email, NEWS, NIS, LDAP, routing, and so on...).
      It is difficult to barely know all of them, and to secure an installation you must know them well. And this is not easy...

      Of course I agree with the point that the software must be "secure-able", otherwise you can be the best sysadmin... your system will always be full of flaws if the software you are using is bugged (...who said something about Windows?...).
      Cheers

      --
      667 The Neighbour of the Beast
    2. Re:Admin by fruey · · Score: 5, Insightful
      The key is this: there are too many admins who patently don't know what they're doing, and some who will even admit it.

      I spend a lot of time with other people's networks, and have yet to see one which stands up to how I would run my network. That's how I make money, incidentally - fixing other people's networks and securing them where possible.

      A gauge of how secure things are out-of-the-box is important. Some people will never switch off the default daemons, etc. Some people insist on using some Microsoft DCOM rubbish and opening holes over their firewalls to do it because they can't do anything else. They don't know how and don't care to know.

      So, this kind of survey is important for those lesser admins who are probably not geeks and just trying to hold on to their jobs. Perhaps they are good at other things and valuable for the company, and the same is too tight to invest in a proper sysadmin so they dump him the job because he can hack a few basics together and get it to work.

      All those of you saying "RedHat isn't secure out of the box" and all that OpenBSD stuff are already enlightened. These surveys are not for you. They are for all those other readers who don't fathom why you're mentioning OpenBSD in the first place.

      --
      Conversion Rate Optimisation French / English consultant
  2. NSA not even mentioned. by bodin · · Score: 4, Insightful

    Interesting that the NSA security enhanced linux is not even mentioned.

    http://www.nsa.gov/selinux/

    --
    I vote for OpenBSD

  3. RedHat by ranulf · · Score: 4, Insightful
    It's a shame given how easy it is to make a RedHat box secure that they don't just do it by default.

    Because I'm always installing Linux for clients, RedHat is always specified, so I have no choice, but I've got it down to taking about 10 minutes to have a really secure box. It's just a case of knowing what needs to be done, which sadly, Linux newbies won't know.

    In my opinion, security should be paranoid to start with. If that stops the users from doing something, fine. They'll have an incentive to try and figure out how to allow what they want to do. Make it too easy, and they'll just live in blissful ignorance.

    1. Re:RedHat by ceswiedler · · Score: 3, Insightful

      A completely valid reason for insisting on RedHat, even when you the expert prefer Debian (for also valid reasons) is that it's much easier to find a RedHat admin to replace or support you, because of the RHCE courses. In general it's easier to find admins for RedHat, particularly less-experienced ones. Wizards tend to be capable of dealing with any flavor of OS, but you don't always want to pay for a wizard.

      If you were going to set up a large and complex shop, and then turn the maintenance over to $60,000/yr worth of support personnel (whose turnover rate might be high), which distro would you recommend?

      I know a shop where the head admin is having to get rid of Linux boxes (for Windows ones), because no one else in the company knows Linux. He understands that it's not just technical superiority that matters, but supporting the technology as well.

  4. I don't give a flying filesystem check by gd23ka · · Score: 3, Insightful

    ... if some website or magazine issues an "editor's award" or whatever to a product, _especially_ when we're talking about security.

  5. Re:OpenBSD by Anonymous Coward · · Score: 1, Insightful

    They at least should have included OpenBSD in the testing, for comparison's sake.

    That would be like letting Tiger Woods compete in the Girl Scouts' golf tournament.

  6. Securing Redhat, and Linux in general by Raedwald · · Score: 3, Insightful

    Yep, got my home box r00ted six weeks ago. All because I hadn't taken all the usual basic precautions. (insert your sarcastic insult here). Being an ex-sysadmin, I should have known better. Tightening up the security didn't take too long.

    The hardest part was setting up ipchains to do packet filtering. Lord help a newbie doing this; you have to know a fair amount about TCP/IP. The various security HOWTOs make a brave effort of trying to explain it all, but I really wonder how many novices will understand it. I don't see how any Linux distribution can make this easy: there are too many variables about the intended use of the computer. The rules for a DMZ computer, a LAN computer, a lone dial-up computer and a firewall are completely different.

    --
    Ne mæg werig mod wyrde wiðstondan, ne se hreo hyge helpe gefremman.
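    As an added illustration of the post's point that the rules for a dial-up box and a LAN box are completely different, here is a small ipchains script (example code, not from the poster or from any distribution) that builds a default-deny input chain for two roles. The interface names ppp0 and eth0 and the LAN subnet 192.168.1.0/24 are constructed assumptions; DRY_RUN=1 (the default) prints the commands instead of executing them, so it can be read and tested on a machine without ipchains.

```shell
#!/bin/sh
# Added example (not from the post): two ipchains rule sets, one for a lone
# dial-up box and one for a LAN workstation, to show how much the rules
# differ by role. Interface names (ppp0, eth0) and the LAN subnet
# 192.168.1.0/24 are assumed, constructed values.
#
# DRY_RUN=1 (the default) prints the commands instead of running them, so the
# script can be read or tested on a machine without the ipchains binary.
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Common start: flush the input chain, default-deny every incoming packet,
# then allow loopback. Everything else has to be permitted explicitly.
base_rules() {
    run ipchains -F input
    run ipchains -P input DENY
    run ipchains -A input -i lo -j ACCEPT
}

# Lone dial-up machine on ppp0: nothing listens for the outside world.
# ipchains is stateless, so replies to connections this box opened must be
# let back in by hand: non-SYN TCP segments (! -y) and UDP from port 53
# (DNS answers). Anything else arriving on ppp0 is logged (-l) and dropped.
dialup_rules() {
    base_rules
    run ipchains -A input -i ppp0 -p tcp ! -y -j ACCEPT
    run ipchains -A input -i ppp0 -p udp -s 0/0 53 -j ACCEPT
    run ipchains -A input -i ppp0 -l -j DENY
}

# LAN workstation on eth0: same reply handling (DNS replies only from the
# local subnet), plus SSH (tcp/22) reachable from the local subnet only;
# the rest of the LAN traffic is logged and dropped.
lan_rules() {
    base_rules
    run ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
    run ipchains -A input -i eth0 -p udp -s 192.168.1.0/24 53 -j ACCEPT
    run ipchains -A input -i eth0 -p tcp -s 192.168.1.0/24 -d 0/0 22 -j ACCEPT
    run ipchains -A input -i eth0 -l -j DENY
}

# apply_role ROLE: emit (or, with DRY_RUN=0, apply) the rule set for
# "dialup" or "lan"; any other role is rejected.
apply_role() {
    case "$1" in
        dialup) dialup_rules ;;
        lan)    lan_rules ;;
        *)      echo "usage: $0 dialup|lan" >&2; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then
    apply_role "$1"
fi
```

    Run it as `sh rules.sh dialup` to see the commands, or `DRY_RUN=0 sh rules.sh lan` as root on a 2.2-era kernel with ipchains to apply them. The `! -y` rule is the part a newbie has to understand: a stateless filter cannot tell a reply from a new connection, so it admits every non-SYN TCP segment, which is exactly the kind of TCP/IP knowledge the post says the HOWTOs struggle to convey.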
  7. Re:Great! by jpegNY · · Score: 2, Insightful

    It's sad how Redhat bashing has become another "in" thing to do like bashing MS. I've been using several distros of Linux at work and at home. Redhat distros are no more or less secure than other distros. 99.9% of the vulnerabilities in rh linux are also present in other distros. What, do you think redhat makes wu_ftpd or sendmail? The only diff. I see is that Redhat has no shame in admitting to the vulnerabilities and making the patches avail in an easy to find and download site. This is one of the reasons why people think redhat is insecure etc etc, they see bug reports or the patch list from Redhat and say "omg look at all the bugs!" As far as running services by default, Redhat has stopped running all services except ssh by default.

  8. OK, I'll call you (a little bit) ignorant. by jabbo · · Score: 3, Insightful

    You ARE off base. Not every line of source code in (for example) the ports and packages can be audited by the development team, let alone all by Theo himself. The OpenBSD developers do a terrific job, and I trust it above any other OS for my "hardened" public servers, but it simply is not possible for the degree of hardening and auditing you describe to be done by such a small group. The auditing is done to the kernel, the base utilities, and other aspects of the default install. Outside of that, you're on your own.

    Furthermore, several of the services that run by default on a raw install of OpenBSD have been shown over time to have local root exploits possible. Not remote root, mind you, and not without a swift and comprehensive patch being released, but the moral is, No One Is Perfect.

    That said, I have never had a compromise of any sort on my OpenBSD systems. I buy each and every release on CD direct from them to support the project, and have donated a little bit, too. If anyone who just runs Linux says "so what, it doesn't affect us" I request that you look at what version of SSH you're running. OpenSSH? Hmm, guess which dev team wrote that? Yeah, that's right. *BSD will be dead around the same time we see the paperless office (and the paperless restroom, and flying pigs, and...). OpenBSD is good stuff when you just can't take chances!

    --
    Remember that what's inside of you doesn't matter because nobody can see it.
  9. Re:I disagree (with your disagreement...) by npsimons · · Score: 2, Insightful
    'Tis a poor craftsman who blames his tools!

    Yes, but even a master carpenter can't build a house out of rotten wood.

    This has been my mantra over the past couple of weeks as I've been forced to try to get low level hardware and software working with Windows.