Battle of the Secure Distros
CrazyEd writes "LinuxSecurity is reporting that EnGarde Secure Linux has received the Network Computing Editor's Choice award to win the battle of the Secure Linux distributions. Well deserved, me thinks." Update: 06/10 15:16 GMT by T : An anonymous reader points out that Linuxlookup.com reviewed this distro last week, awarding it a perfect score.
When I visit the site to check out the story, I see a banner ad for - EnGarde Secure Linux!
(I'd do the same, of course)
Note to ACs: I won't mod you up, even if you are being funny or insightful. So take a chance! It's not real life!
In particular no problem at $550 a pop...
A distro (or any software for that matter, yes Windows too) is only secure if the admin who runs it knows what he is doing.
Interesting that the NSA security enhanced linux is not even mentioned.
http://www.nsa.gov/selinux/
I vote for OpenBSD
I am currently trying to write a HOWTO/make an RPM for the NSA SELinux to work with a SuSE distro (Vanilla kernel)...
Shall I stop doing so now and just install this distro instead?
Is it really more secure than LVM/RSBAC patched kernels with additional hardening?
For sure?
just my two cents...
Because I'm always installing Linux for clients, RedHat is always specified, so I have no choice, but I've got it down to taking about 10 minutes to have a really secure box. It's just a case of knowing what needs to be done, which sadly, Linux newbies won't know.
In my opinion, security should be paranoid to start with. If that stops the users from doing something, fine. They'll have an incentive to try and figure out how to allow what they want to do. Make it too easy, and they'll just live in blissful ignorance.
I have the most secure distro,
but unfortunately you can't have a copy, just in case you find a bug.
Logon requires you press ctrl+alt+delete , because it's oh so hard for memory resident apps to not die when this happens.
My mouse has only 1 button to confuse any computer literate people, and allow me to catch them in the act.
I've remapped the keyboard, to confuse those who touch type.
No network (because the kernel doesn't have the correct drivers),
No one's hacked it yet.
thank God the internet isn't a human right.
... if some website or magazine issues an "editor's award" or whatever to product, _especially_ when we're talking about security.
In any case, to be a properly secure distribution you need DoD/NSA style certifications. The Common Criteria go part of the way there, but again certification is slow and really not universally accepted. (There's a flame bait for you CC fans).
Bottom line - true security requires seriously lengthy evaluation and certification. And even so, a product like NT 4.0 is still being found to have security holes to this day.
Sigh.. anyone fancy rewriting Multics for the Intel platform? :)
Never email donotemail@WeAreSpammers.com
OpenBSD 3.1!!! =))
Sorry, could not resist...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
They at least should have included OpenBSD in the testing, for comparison's sake.
What, no mention of Tinfoil Hat Linux? :)
and I am a professional sysadmin. I get paid a lot to do my job and I don't feel like there is anything mystical about it (that sort of nonsense is for university admins that have to deal with incompetent bosses -- more power to 'em, but I don't). What I feel adds value is not mere understanding of the protocols (relatively easy) but rather, the ability to choose the correct tool (protocol, framing, hardware, software) for the job, and make it work so that the rest of the people involved can do their jobs without noticing (or if they do, saying, "hey, that's really cool and easier than before!"). Needless to say I do a good deal of development to make this happen, and again, that is more challenging than administering boxes (IF you start with a sane rollout and upkeep process -- yes, RPM/apt/pkg_add is your friend; yes, CVS/CVSup/Rsync is your friend; no, ad-hoc changes are not the Better Way to proceed).
When you rattle off NNTP and crap like NIS/LDAP as if they were equivalent in complexity to full BGP4/MBGP routing, I think you belie a superficial understanding of the situation. Even something as nastily complicated as BGP route maps is not nearly as challenging as dealing with people, professionally and personally, in a fast-paced environment that values results over process or the latest fad technologies. In that respect I do not believe it is significantly harder to earn one's keep as a sysadmin than to do so as a VP Sales or a Comptroller. It's just a totally different set of technical skills used to do the job.
I don't doubt that you meant well, but really, choosing the right tool for the job (and then using it well) is not so difficult in most cases. 'Tis a poor craftsman who blames his tools!
Remember that what's inside of you doesn't matter because nobody can see it.
The i386 (i486 and i586) version
i386 "Bonus" Package
The i686 version
i686 "Bonus" Package
Yep, got my home box r00ted six weeks ago. All because I hadn't taken all the usual basic precautions. (insert your sarcastic insult here). Being an ex sysadmin, I should have known better. Tightening up the security didn't take too long.
The hardest part was setting up ipchains to do packet filtering. Lord help a newbie doing this; you have to know a fair amount about TCP/IP. The various security HOWTOs make a brave effort of trying to explain it all, but I really wonder how many novices will understand it. I don't see how any Linux distribution can make this easy: there are too many variables about the intended use of the computer. The rules for a DMZ computer, a LAN computer, a lone dial-up computer and a firewall are completely different.
Ne mæg werig mod wyrde wiðstondan, ne se hreo hyge helpe gefremman.
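As an added illustration of the ipchains point above (not code from the original post), here is a default-deny ruleset for the "lone dial-up computer" case: nothing inbound on the PPP link except replies to connections the host itself opened, DNS answers and ICMP, with spoofed private-range sources logged and dropped. The interface name ppp0 and the `echo` dry-run default are assumptions; the script prints the commands unless IPCHAINS is set to the real binary.

```sh
#!/bin/sh
# Constructed example: ipchains input rules for a single dial-up host.
# By default IPCHAINS expands to "echo ipchains", so running the script only
# prints the rules; set IPCHAINS=ipchains and run as root to load them.
IPCHAINS="${IPCHAINS:-echo ipchains}"
EXT_IF="${EXT_IF:-ppp0}"   # assumed name of the dial-up interface

dialup_rules() {
    # Start clean and drop everything that is not explicitly allowed.
    $IPCHAINS -F input
    $IPCHAINS -P input DENY
    # Local traffic must keep working.
    $IPCHAINS -A input -i lo -j ACCEPT
    # Anti-spoofing: private/loopback sources cannot legitimately arrive
    # over the dial-up link, so log (-l) and drop them.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPCHAINS -A input -i "$EXT_IF" -s "$net" -l -j DENY
    done
    # ipchains has no connection tracking: "! -y" accepts TCP segments that
    # are not connection-opening SYNs, i.e. replies to our own outbound
    # connections, while new inbound connection attempts hit the DENY policy.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # DNS answers come from source port 53 of the resolver we asked.
    $IPCHAINS -A input -i "$EXT_IF" -p udp -s 0/0 53 -j ACCEPT
    # Allow ICMP so path MTU discovery and ping replies still work.
    $IPCHAINS -A input -i "$EXT_IF" -p icmp -j ACCEPT
    # Log whatever else shows up before the policy drops it.
    $IPCHAINS -A input -i "$EXT_IF" -l -j DENY
}

# Helper used to sanity-check the generated ruleset without root.
count_append_rules() { dialup_rules | grep -c -- ' -A input'; }

dialup_rules
```

A LAN host or a firewall would need a different set (for example, accepting SYNs to the services it actually offers on the internal interface), which is exactly the variability the post describes.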
Freeeowww! it was a joke!! Tchuh!
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Most federal agencies seem to evaluate Windows against proprietary Unix solutions and (duh) find that Windows is cheaper. If they *really* care about security they almost always have their own solution (often in hardware) that you will be asked to code to / talk with / work in conjunction with. Short of that, offering to use NSA SELinux (because of the NSA's "approved" cachet) really seems to open a lot of doors for Linux.
:-). But, the odds are against it.
En Garde may be better, for all I know. But I'll be using SELinux for gov't clients wanting high security, and OpenBSD for my need-to-be-hardened services, because I know they are excellent tools for those applications. (sorry folks...)
The above are just my experiences. For all I know it could be a vast conspiracy to provide disinformation
I don't use Redhat on my desktop. I use debian. I've used EnGarde, and it is a mighty darn secure distro. It's redhat w/o ANY services running.
If you're not a Liberal in your 20's, then you have no heart.If you're still a Liberal in your 30's you have no brain.
Is it just me, or have other people also noted that EnGarde's installer looks just like the Debian one? Would it be Debian-based?
I haven’t seen them at Debian’s derived distributions list, so maybe I’m mistaken.
Leandro Guimarães Faria Corcete DUTRA
DA, DBA, SysAdmin, Data Modeller
GNU Project, Debian GNU/Lin
http://www.networkcomputing.com/1312/1312f33.html# filter
try reading the article before making false claims.
A week ago I probably would have answered Slackware, being a die-hard Slackware geek for my entire Linux life. But last week I found out about Gentoo, and I have to say I like it. Especially for security. After you're done the install you're left with a VERY minimal system, there are ZERO services running, hell there are no services installed on the box. You have to explicitly install any services that you wish, which is nice because you don't have any weird stuff installed on your system without your knowledge. Yes, this isn't for newbies who can't spell ls, but for the long-time unix geek who does everything manually already, this is the way to go.
I'm disappointed that they didn't include Kevin's Red Hat Uber Distribution. Kevin Fenzi is the author of the Linux Security HOW-TO, and the hardened version of Red Hat that they produce has served me quite well for over a year.
this is getting old and so are you
It's sad how Redhat bashing has become another "in" thing to do like bashing MS. I've been using several distros of Linux at work and at home. Redhat distros are no more or less secure than other distros. 99.9% of the vulnerabilities in rh linux are also present in other distros. What, do you think redhat makes wu_ftpd or sendmail? The only diff. I see is that Redhat has no shame in admitting to the vulnerabilities and making the patches available in an easy to find and download site. This is one of the reasons why people think redhat is insecure etc etc, they see bug reports or the patch list from Redhat and say "omg look at all the bugs!" As far as running services by default, Redhat has stopped running all services except ssh by default.
It is complicated as hell because the whole issue of clock synchronization across a medium with varying latencies (differing both along the axes of time and location, though without any linear dependence across those two axes) is horrifically complex.
Still, a working NTP infrastructure is a requirement not just for NDS, but (IMHO) for ANY scalable deployment of service that is meant to be reliable. How can you get anything interesting from your logfiles (on a correlation-across-the-site basis) without a standardized meaning for the timestamp?
Complicated, yes, but also valuable. I have had the misfortune of trying to read the RFC. I even read the source for ntpd and xntpd (v4). The complexity arises (and damned if this isn't going to sound familiar) as a result of multiple people in multiple locations trying to coordinate their metrics for timekeeping. LDAP and NIS complexity also arises from social interactions (upkeep) and scaling (emergent behavior of a system). NTP is a great tool for minimizing the chaos created by bugs in authentication schemes like LDAP, btw.
Aside:
If you want to get really sick, try running a Coda or AFS deployment (with IPSec or SSH tunnels to link nodes) across multiple timezones. Woo Hah!
All of my servers run NTP, from the routers, which in turn pull from tick and tock at the Naval Academy (or NRC, can't remember offhand which).
I did not mean to imply that SELinux actually offers a greater level of security than the alternatives, nor to imply that it was blessed by the NSA (or for use in NSA projects, for that matter).
;-).
Rather, my experience has been that other three-letter agencies find it helpful in the decision-making process if a solution based on Linux also has the imprimatur of the NSA (eg., "we can do this on NSA SELinux if it suits you better") so that it need not be seen as a rogue deployment of something outside the norm.
I am sorry if anyone got the idea that SELinux is Orange Book or NSA approved or in any other way superior to a properly-implemented kernel MAC implementation. What I was commenting on is the "aura", if you will, of offering a product that is Linux-based, but NSA-Linux-based. It makes life easier. I had trouble the first time I explained this to my boss, so clearly I need to work on my presentation of the issues some more
YMMV...
You ARE off base. Not every line of source code in (for example) the ports and packages can be audited by the development team, let alone all by Theo himself. The OpenBSD developers do a terrific job, and I trust it above any other OSes for my "hardened" public servers, but it simply is not possible for the degree of hardening and auditing you describe to be done by such a small group. The auditing is done to the kernel, the base utilities, and other aspects of the default install. Outside of that, you're on your own.
Furthermore, several of the services that run by default on a raw install of OpenBSD have been shown over time to have local root exploits possible. Not remote root, mind you, and not without a swift and comprehensive patch being released, but the moral is, No One Is Perfect.
That said, I have never had a compromise of any sort on my OpenBSD systems. I buy each and every release on CD direct from them to support the project, and have donated a little bit, too. If anyone who just runs Linux says "so what, it doesn't affect us" I request that you look at what version of SSH you're running. OpenSSH? Hmm, guess which dev team wrote that? Yeah, that's right. *BSD will be dead around the same time we see the paperless office (and the paperless restroom, and flying pigs, and...). OpenBSD is good stuff when you just can't take chances!
Everyone knows that. The interesting question is this: assuming you have a good admin, which distro is most secure?
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
You can do most of the above using a tool like Timbuktu, which allows remote use of a mac using the GUI; you can do most of what you want through that. A better way is to use the Remote Admin Extension, which allows you to administer MacOS (pre-X of course) through a telnet client. Most Mac webservers also have remote administration capabilities built in. I administered a headless Mac webserver for about 5 years using these tools. (The OS was 7.1 and I was running Webstar 1.1; this stuff worked faithfully (though slowly) for a long time.)
Of course, the real reason Macs are perceived as more secure is because fewer people have spent time hacking them, because there are fewer Macs. Every service you offer can be coded for the Mac, and many have been, but every service opens the potential for security risks. You can stay up to date on Mac security issues at http://securemac.com, among other sites.
Finally, you can always install linux on the Mac and do what you want, but that really doesn't answer your question.
1) yes, if you open up some potential security holes such as the AppleShare IP server (which is probably far more secure than SMB/CIFS).
2) no, unless you run extra software which may not be secure, such as VNC.
3) Jobs demonstrated a diskless netbooting iMac on stage a couple years ago; the client ran Mac OS 9 but the server was Mac OS X. Of course the same can be done with OSX clients. I'm not sure what all this allows you to do; it's not something I've played with at all. Of course, you should be able to netboot a *nix OS on Mac hardware, but the hardware is a bit pricey for that sort of thing.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Mac OS 9 does not have any security.
Umm... it ships out of the box with all ports closed. If the web server you install on top is actually secure (as you say), then how can the OS be compromised remotely?
I'm not questioning that there is no local security, but if you've got physical access to the box anyway, most systems aren't very secure.
I don't mean to be flip but you should consider buying a book or two. For example Postgres is a wonderful free database; with the ten thousand dollars you saved you could spend $100.00 on a couple of good books.
War is necrophilia.
Oh, I do buy books. But even so, I don't have time to read them all. It takes a lot of effort even with books to set up EVERY system that I use.
:)
I really love Linux. Its power, flexibility and open source philosophy are wonderful. But really, business people just don't have the time to read all of the books that it takes to configure all of the various parts of a Linux server. And small businesses can't afford to hire an expert every time that they need something done.
The answer, I feel, is to have configuration tools for the complete idiots. I know I would use them!
The race isn't always to the swift... but that's the way to bet!
Most business people I know (and I know a ton) know nothing, read nothing, configure nothing, install nothing. They hire people to do that for them. Most businesses with more than two or three employees rely on local consultants to manage their IT work. Bigger ones employ bigger companies.
And you know what, manually configuring things is no longer required. With programs like linuxconf and webmin (especially webmin) anybody can configure just about anything. Install webmin; you won't be sorry.
War is necrophilia.