Battle of the Secure Distros
CrazyEd writes "LinuxSecurity is reporting that EnGarde Secure Linux has received the Network Computing Editor's Choice award to win the battle of the Secure Linux distributions. Well deserved, methinks." Update: 06/10 15:16 GMT by T : An anonymous reader points out that Linuxlookup.com reviewed this distro last week, awarding it a perfect score.
When I visit the site to check out the story, I see a banner ad for - EnGarde Secure Linux!
(I'd do the same, of course)
Note to ACs: I won't mod you up, even if you are being funny or insightful. So take a chance! It's not real life!
I am currently trying to write a HOWTO/make an RPM for the NSA SELinux to work with a SuSE distro (Vanilla kernel)...
Shall I stop doing so now and just install this distro instead?
Is it really more secure than LVM/RSBAC patched kernels with additional hardening?
For sure?
just my two cents...
IMHO, a 'secure distro' is secure by default. You plug in the CD, turn on the box, install it and just keep clicking 'ok'. At the end, you should end up with a secure box. Now it is up to the admin to open the holes.
However, many distros go a different path by enabling services and allowing installs with weak passwords (or no passwords).
For a nice security benchmark, see the Center for Internet Security. I wait for the day where a default install of RedHat will score a perfect 10 with it... (It is more around 5 right now on their 0-10 point scale).
---- join dshield.org Distributed Intrusion Detec
In any case, to be a properly secure distribution you need DoD/NSA style certifications. The Common Criteria go part of the way there, but again certification is slow and really not universally accepted. (There's a flame bait for you CC fans).
Bottom line - true security requires seriously lengthy evaluation and certification. And even so, a product like NT 4.0 is still being found to have security holes to this day.
Sigh.. anyone fancy rewriting Multics for the Intel platform? :)
Never email donotemail@WeAreSpammers.com
Too true, any secure system can be made insecure by a poor admin, but not all systems can be made secure by a competent admin.
These secure distros try to be by default very secure and should only normally become insecure by an admin doing something silly or not keeping up to date with patches. Some of the other distros don't pay as much attention to security, but a really good admin can nail these systems down too. I for one like the fact that this distro comes with no setuid-root programs; it's a good precautionary measure.
In some systems, admins do not have a chance to secure the machine because of lack of control. This is normally the case where closed source software kindly leaves you with a gaping security hole, and until someone eventually comes out with a patch the best you can do is stop using it. Of course you were probably using this software for a purpose, and so not using it for a while could not be an option, hence an all too common situation of knowingly running insecurely, and there is nothing the admins can do.
In fact millions of people have done this recently; with the release of XP the installation was vulnerable to network based attacks from the start. The only way to correct the problem was to install a patch - which meant you had to connect to the internet using that machine to register the software and get the patch from 'the company that shall not be named'. When you have to make yourself vulnerable to get the patch that stops you being vulnerable, security is impossible.
The most valuable part of EnGarde Secure Linux is probably the patch system; if it (or something just like it) was taken up by more distros then securing boxes would be easier and therefore might happen more. I would like to see something similar in gentoo keeping me up to date, because finding out what is going on is often the hardest part. Was there a ptrace vulnerability I missed? Ohh damn.
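Two of the points made in this thread, "secure by default" installs that don't allow empty or weak passwords (the CIS-benchmark comment above) and a distro shipping with no setuid-root programs, are things an admin can actually check on a box. The script below is an added example, not code from the thread, from EnGarde, or from the CIS benchmark: three small audit functions in POSIX sh plus a demo on constructed data. It assumes only sh, awk and find, and that the password file argument uses the colon-separated shadow(5) layout; the account names, hashes and file names in the demo are made up.

```shell
#!/bin/sh
# Added example (not from the thread): "secure by default" checks for a fresh
# install. Assumptions: POSIX sh with awk and find; the file passed to the
# account checks uses the shadow(5) colon-separated layout.

# Accounts whose password field is empty: anyone can log in as them with no
# password at all. Argument: path to a shadow-format file.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts that are neither locked ("!"/"*") nor password-less but still carry
# a legacy 13-character DES crypt hash (no "$id$" prefix), i.e. a weak hash
# that a modern install should not be creating. Same input as above.
legacy_des_hash_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && $2 !~ /^\$/ && length($2) == 13 { print $1 }' "$1"
}

# Regular files below a directory that have the setuid bit set and are owned
# by the given user (default root), one per line, sorted. The shorter this list
# is for root on a default install, the fewer programs a local bug can turn
# into a privilege escalation.
setuid_files_owned_by() {
    dir=$1
    owner=${2:-root}
    find "$dir" -xdev -type f -user "$owner" -perm -4000 2>/dev/null | sort
}

# Stand-alone demo on constructed data; no real system files are touched.
demo_dir=$(mktemp -d)
demo_shadow="$demo_dir/shadow.sample"
printf '%s\n' \
    'root:$6$saltsalt$notarealhash:19000:0:99999:7:::' \
    'guest::19000:0:99999:7:::' \
    'legacy:abJnggxhB/yWI:19000:0:99999:7:::' \
    'daemon:*:19000:0:99999:7:::' > "$demo_shadow"
echo "accounts with an empty password field:"
empty_password_accounts "$demo_shadow"
echo "accounts with a legacy DES hash:"
legacy_des_hash_accounts "$demo_shadow"
mkdir "$demo_dir/bin"
: > "$demo_dir/bin/ping"; chmod 4755 "$demo_dir/bin/ping"   # constructed setuid file
: > "$demo_dir/bin/ls";   chmod 0755 "$demo_dir/bin/ls"     # constructed normal file
echo "setuid files owned by $(id -un) under $demo_dir:"
setuid_files_owned_by "$demo_dir" "$(id -un)"
rm -rf "$demo_dir"
```

On a real box you would run the account checks against /etc/shadow as root and `setuid_files_owned_by /` (owner root) after the install and again after every package update, diffing the output against the previous run; a new entry in either list is something to explain before the machine goes on the net.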
and I am a professional sysadmin. I get paid a lot to do my job and I don't feel like there is anything mystical about it (that sort of nonsense is for university admins that have to deal with incompetent bosses -- more power to 'em, but I don't). What I feel adds value is not mere understanding of the protocols (relatively easy) but rather, the ability to choose the correct tool (protocol, framing, hardware, software) for the job, and make it work so that the rest of the people involved can do their jobs without noticing (or if they do, saying, "hey, that's really cool and easier than before!"). Needless to say I do a good deal of development to make this happen, and again, that is more challenging than administering boxes (IF you start with a sane rollout and upkeep process -- yes, RPM/apt/pkg_add is your friend; yes, CVS/CVSup/Rsync is your friend; no, ad-hoc changes are not the Better Way to proceed).
When you rattle off NNTP and crap like NIS/LDAP as if they were equivalent in complexity to full BGP4/MBGP routing, I think you belie a superficial understanding of the situation. Even something as nastily complicated as BGP route maps is not nearly as challenging as dealing with people, professionally and personally, in a fast-paced environment that values results over process or the latest fad technologies. In that respect I do not believe it is significantly harder to earn one's keep as a sysadmin than to do so as a VP Sales or a Comptroller. It's just a totally different set of technical skills used to do the job.
I don't doubt that you meant well, but really, choosing the right tool for the job (and then using it well) is not so difficult in most cases. 'Tis a poor craftsman who blames his tools!
Remember that what's inside of you doesn't matter because nobody can see it.
Because I'm always installing Linux for clients, RedHat is always specified, so I have no choice,...
;-), so you do have a choice.
;-).
;-)
I too regularly install GNU/Linux for clients, and more often than not they specify RedHat (occasionally SuSE), but I've not installed anything other than Debian for years (except during RHCE/RHCX courses
The trick is to ask them why they specified RedHat. Most of them will cheerfully admit that they said that because it's the only distro they've heard of, so they were saying "RedHat Linux" in the same way they might say "Microsoft DOS", never realising there was a "DR-DOS" (once upon a time
It doesn't normally take too much effort to convince them that they are paying me for my expertise, so if I recommend a particular flavour they might as well listen.
The only time I'd take such a request seriously would be if they were already a RedHat shop, and had a lot of in-house RedHat expertise.
The last time that was claimed the "expert" turned out to be clueless, and the existing RedHat systems so broken (9GB swap, 800MB root, permissions all +rwx) that I ended up having to reinstall them anyway --- they're a Debian shop now
I've since decided that any RedHat shop that decides to hire me in is probably not full of experts (otherwise they'd do it themselves), and so takes a lot of convincing that going with the flow is the wise thing to do.
If you have a good technical reason not to install RedHat, and you can justify it, give it a try.
The worst that happens is they say no (and you get to look smug if their decision bites them).
The best that might happen is that they decide to respect your opinion, which bodes well for the future business relationship, and means you get to work on the system you feel best fits the problem, which avoids stress and frustration.
Debian: GNU/Linux done the Linux way
Most federal agencies seem to evaluate Windows against proprietary Unix solutions and (duh) find that Windows is cheaper. If they *really* care about security they almost always have their own solution (often in hardware) that you will be asked to code to / talk with / work in conjunction with. Short of that, offering to use NSA SELinux (because of the NSA's "approved" cachet) really seems to open a lot of doors for Linux.
:-). But, the odds are against it.
En Garde may be better, for all I know. But I'll be using SELinux for gov't clients wanting high security, and OpenBSD for my need-to-be-hardened services, because I know they are excellent tools for those applications. (sorry folks...)
The above are just my experiences. For all I know it could be a vast conspiracy to provide disinformation
--well, as an admitted linux "newbie" who has redhat, could you elucidate some, so I can copy it and go through my own box here? Tell ya, trying to coordinate all this info off the web is hideously lame. I've spent days trying to figure all this out: what to turn off or on, how to do that, etc. And yes, that means if you have one connection you get owned pretty quickly. heh. I have yet to find anything written for a newbie that could actually explain in english and not programmer-ish how to go about "securing" a default redhat install BEFORE you go on the net. I check "high security" on install, check "no services" etc, but I know that isn't enough. What do you (or anyone else) recommend for a simple home dialup not serving anything "solution" as regards redhat?
FWIW I have 7.2 right now
Thanks in advance!
it's much easier to find a RedHat admin to replace or support you, because of the RHCE courses.
Have you ever seen or taken the RHCE tests? Granted I haven't either, but I took the BOSON practice test. Now I am not saying that there is any relation between the two, but the practice test was full of questions such as "What is listed in the submenu when you right click the GNOME foot?" and "What's the best way to launch NAUTILUS?" If that's the kind of test you have to take to pass, forget about it.
In general it's easier to find admins for RedHat, particularly less-experienced ones.
You get what you pay for.
SealBeater
-- Its survival of the fittest...and we got the fucking guns!!!
It is complicated as hell because the whole issue of clock synchronization across a medium with varying latencies (differing both along the axes of time and location, though without any linear dependence across those two axes) is horrifically complex.
Still, a working NTP infrastructure is a requirement not just for NDS, but (IMHO) for ANY scalable deployment of service that is meant to be reliable. How can you get anything interesting from your logfiles (on a correlation-across-the-site basis) without a standardized meaning for the timestamp?
Complicated, yes, but also valuable. I have had the misfortune of trying to read the RFC. I even read the source for ntpd and xntpd (v4). The complexity arises (and damned if this isn't going to sound familiar) as a result of multiple people in multiple locations trying to coordinate their metrics for timekeeping. LDAP and NIS complexity also arises from social interactions (upkeep) and scaling (emergent behavior of a system). NTP is a great tool for minimizing the chaos created by bugs in authentication schemes like LDAP, btw.
Aside:
If you want to get really sick, try running a Coda or AFS deployment (with IPSec or SSH tunnels to link nodes) across multiple timezones. Woo Hah!
All of my servers run NTP, from the routers, which in turn pull from tick and tock at the Naval Academy (or NRC, can't remember offhand which).
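The point about log correlation above stands or falls on every host actually being synchronised, not just running ntpd. The following is an added example, not code from the thread or from the NTP project: a sh check that reads the tabular output of `ntpq -pn` and reports whether a system peer has been selected and its offset is within a budget. It assumes ntpq's usual column layout (remote, refid, st, t, when, poll, reach, delay, offset, jitter, with offset in milliseconds and a leading "*" on the selected peer); the two sample outputs embedded below are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the thread): is this host usefully synchronised?
# Assumption: input is `ntpq -pn` output, whose columns are
#   remote refid st t when poll reach delay offset jitter
# with offset in milliseconds and "*" prefixed to the selected system peer.

# Print the absolute offset (ms) of the selected system peer, or nothing if no
# peer is selected (daemon still initialising, or no reachable servers).
# Reads ntpq -pn output on stdin.
syspeer_abs_offset_ms() {
    awk '$1 ~ /^\*/ { off = $9; if (off < 0) off = -off; print off; exit }'
}

# Exit 0 if a system peer is selected and its offset is within MAX_MS,
# 1 otherwise. Usage: ntp_sync_ok MAX_MS < ntpq_output
ntp_sync_ok() {
    max=$1
    off=$(syspeer_abs_offset_ms)
    [ -n "$off" ] && awk -v o="$off" -v m="$max" 'BEGIN { exit !(o <= m) }'
}

# Constructed sample: a host locked to a stratum-1 GPS peer with a small offset.
sample_good='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   45   64  377    0.512   -0.123   0.045
+192.0.2.11      192.0.2.10       2 u   12   64  377    1.204    0.987   0.210'

# Constructed sample: a host whose only server has never been reached.
sample_bad='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Stand-alone demo; replace the printf with `ntpq -pn |` on a real host.
for name in sample_good sample_bad; do
    eval "out=\$$name"
    if printf '%s\n' "$out" | ntp_sync_ok 5; then
        echo "$name: synchronised, offset $(printf '%s\n' "$out" | syspeer_abs_offset_ms) ms"
    else
        echo "$name: NOT usefully synchronised; timestamps from this host cannot be trusted for correlation"
    fi
done
```

A budget of a few milliseconds is fine for correlating logs across a LAN; what matters for the correlation argument is that the check fails loudly when there is no selected peer at all, which is the state a freshly installed box sits in until its servers become reachable.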