Slashdot Mirror


EnGarde Secure Linux v2 Out

Chuck writes "I came across EnGarde Secure Linux about two years ago when it was first released, and I see they just released the newest version. Improved Mandatory Access Control using LIDS, awesome web-based manager, code from the Openwall Project and winner of the Network Computing Hardened Linux product of the year. I love EnGarde."

70 comments

  1. Commercial? by Anonymous Coward · · Score: 4, Interesting

    I thought EnGarde was strictly commercial nowadays?? No?

    1. Re:Commercial? by Anonymous Coward · · Score: 0

      No, there is a community edition for the open source community and small businesses, as well as a supported version for enterprises.

  2. Oh Engarde by Anonymous Coward · · Score: 1, Funny

    Oh Engarde Linux,
    We stand on guard for thee...

  3. Advertising shmadvertising... by CoolVibe · · Score: 3, Interesting
    Guess this is one of those slashdot sponsored "advertisement" advertising stories huh?

    Anyway, LIDS is great. Played with it, and deemed it cool. Now I wish FreeBSD had something that cool (since that's my main OS of choice), but LOMAC comes pretty close.

    Heck, I just might give this a whirl on one of my testboxes...

    1. Re:Advertising shmadvertising... by DASHSL0T · · Score: 4, Funny

      Heck, I just might give this a whirl on one of my testboxes...

      So, the advertising worked, is what you're saying. :-D

      --
      Have you taken the SCO poll?
      Linux-Universe

      --
      Freedom Is Universal
      Linux-Universe
    2. Re:Advertising shmadvertising... by Anonymous Coward · · Score: 0

      How can you use FreeBSD as your main OS while it doesn't support the latest VMware?

      I couldn't live without VMware.

    3. Re:Advertising shmadvertising... by BSDevil · · Score: 2, Interesting

      At least Chuck is a real user, unlike last time (I don't remember the exact story) where no one could find any record of the user in the database and his domain belonged to an advertising company.

      --
      Cue The Sun...
    4. Re:Advertising shmadvertising... by Anonymous Coward · · Score: 0
      How can you use FreeBSD as your main OS while it doesn't support the latest VMware?

      I've a dedicated Linux server in which I run VMware, usually 4-7 sessions at a time. This lets me reboot my main (OpenBSD in my case) machine while not interfering with the VMware servers.

    5. Re:Advertising shmadvertising... by CoolVibe · · Score: 1
      I never use VMware. I have used it once or twice, but I never really have a use for it. And it's way too expensive for me.

      *shrug*

    6. Re:Advertising shmadvertising... by caluml · · Score: 3, Interesting

      I prefer the GRSecurity patches to LIDS. They contain a lot more than just ACLs.

    7. Re:Advertising shmadvertising... by pacman+on+prozac · · Score: 1

      I wish FreeBSD had something that cool

      I understand filesystem ACL's are coming in fbsd-5.

      I'm not sure how they compare to lids but if you have fbsd 5.0 you can read about them in /usr/src/sys/ufs/ufs/README.acls.

      this page describes the openbsd port so might be useful.

      And of course there's always trusted bsd

  4. Alternatives by schroet · · Score: 5, Informative

    We like Astaro a lot.

    http://www.astaro.de/php/statics.php?action=asl&lang=gb

    Could anyone compare the 2?

    1. Re:Alternatives by warez · · Score: 5, Informative

      Astaro is a hybrid firewall (stateful packet filter, application proxy), with a bunch of other nifty features. I 'discovered' it a couple of months ago on freshmeat when I was about to put together my own security box. After playing with it, I am nothing short of impressed, and it's FREE for home use. It is a refined product. Engarde is a hardened linux distro; its most practical use is turning it into a secure pubic server. The two actually go hand in hand, as they aren't competing products.

    2. Re:Alternatives by feldy · · Score: 1
      its most practical use is turning it into a secure pubic server.


      Oh man, that's exactly what I need 'cause right now my pubic server is anything but secure.
    3. Re:Alternatives by Anonymous Coward · · Score: 0

      http://www.astaro.com/ is the english site ( since lang=en creates a php error )

  5. "I love EnGarde." by MacOS_Rules · · Score: 5, Funny

    Quoth the poster: "I love EnGarde."

    The best part: it automatically uses protection! Just don't try a backdoor!

    ---OWWW! Stop hitting me!---

    --
    If a man's character is to be abused there's nobody like a relative to do the business. -Thackeray, William
  6. Wait by Anonymous Coward · · Score: 1, Funny

    Isn't this kinda risky? Shouldn't they have waited to see what happens with SCO first?

  7. so many? by Anonymous Coward · · Score: 0, Insightful

    n00b alert. ok I understand the need for a secure platform like this one, but why are there so many different distros out? wouldn't it be more competitive to merge certain distros?

  8. Is it as secure as Ninnle? by Anonymous Coward · · Score: 0

    Ninnle Linux is the current gold standard for system and network security. I don't understand why people keep reinventing the wheel.

  9. No skills required? by IO+ERROR · · Score: 4, Funny
    No Linux administration skills required.


    HUH? This is supposed to be an uber-secure system and you don't have to administer it? Somebody explain this to me like I'm a two year old, because I just don't get it.

    --
    How am I supposed to fit a pithy, relevant quote into 120 characters?
    1. Re:No skills required? by questamor · · Score: 4, Funny

      All ports are turned off by default, with no way to turn them on. Also, networking hasn't been compiled into the kernel.

      Not only that, no users are allowed. not even root.

      It's supplied preinstalled on a PC with no powerswitch. hell, no PSU even.

      They think of everything...

    2. Re:No skills required? by Anonymous Coward · · Score: 2, Insightful

      What they mean is you don't need to be a Linux guru to set up the box. Everything is done using a web browser with a few clicks, even updating your system. The only thing is you have to sign up with GDSN to keep up with updates and support. I believe they have a 30-day trial for it on the new version just released a few weeks ago. Originally one could update the system without signing up for a GDSN account (they publish updates through ftp) but that doesn't seem like it's going to happen with this new release. I could understand. They need to make $$$. The download version (Community version) does have some limitations as to how many domains you could have. You could still update your system if you decide to use it by downloading the src packages and rolling your own updates. It could be tedious.

      In short, if you are willing to pay $229, IIRC, for a GDSN account per year then it is well worth it. From a biz standpoint, I don't think that is too much at all. If not, roll your own updates or use something else that fits you.

    3. Re:No skills required? by What_about_CHOMSKY · · Score: 0

      I think you are missing something. What would CHOMSKY say about this?

  10. Good stuff! by sokkelih · · Score: 2, Interesting

    I hope these guys do some co-operation with thingies like OpenBSD. I would love to see outcome of that. Great!

    1. Re:Good stuff! by Anonymous Coward · · Score: 0

      Since OpenBSD is BSD licensed (big surprise!), the secure Linux distros can pull just about anything they like from it. Unfortunately it can't work the other way. The common goal of the projects has the potential to yield benefits for OpenBSD, but because of the license differences, you're not likely to see much more than 'good will' when it comes to active cooperation ....

  11. rsbac by Anonymous Coward · · Score: 0

    RSBAC is, in many ways, superior to LIDS.

    I urge people who have tried, or are interested in trying, LIDS/SELinux to give rsbac a go.

    Available at rsbac.org

  12. Re:We were considering implementing it by Anonymous Coward · · Score: 0

    Buh? So what?

    It's not a security problem...

  13. Something Different by Ween · · Score: 2, Interesting

    Offtopic, but along the same vein, I would like to find a distribution of linux or *bsd that provides out of the box support for virtual mail hosting (many domains, 1 ip), name based virtual hosting, and the like. All with a simple to use console configuration. I've built my own several times, but that's time consuming. Anyone got any suggestions?

    --


    Tis better to be silent and thought a fool, than to open your mouth and remove all doubt --Abraham Lincoln
    1. Re:Something Different by 3.5+stripes · · Score: 3, Informative

      Have a look at e-smith

      http://www.e-smith.org

      --


      He tried to kill me with a forklift!
    2. Re:Something Different by notestein · · Score: 1

      I use this Mail Toaster for FreeBSD.

    3. Re:Something Different by mchallis · · Score: 1

      You might try This is qmail, vmailgr, courier, and squirrelmail on RH 7.3
      Icon's rpm's for Redhat 7.3 and his guide will get you what you want in about 25 minutes. Just remember to install the rpm's before you run up2date or the updates will break parts of it.

    4. Re:Something Different by Anonymous Coward · · Score: 0

      This is exactly what EnGarde was designed to do.

  14. why web based stuff? by Anonymous Coward · · Score: 0

    You had me going with improved MAC but threw me off with the web based manager. Web Based interfaces to security products feel very very wrong. I guess they can be done safely if only listening to loopback and using https.

  15. EnGarde Linux Flavors by Anonymous Coward · · Score: 2, Informative

    Engarde comes in two flavors: commercial and community. Community is the free version.

    1. Re:EnGarde Linux Flavors by jroysdon · · Score: 1

      From http://www.guardiandigital.com/downloads/:

      "EnGarde Secure Linux Community Edition ...
      Limited virtual Web, DNS, e-mail domain support"

      WTF does that mean? Two domains? Five? Ten?

  16. Hehe... slashdot effect by GC · · Score: 1

    Let's see how this baby performs against a Distributed Denial of Service attack....

  17. Distro Consolidation by The+Monster · · Score: 5, Informative
    wouldn't it be more competitive to merge certain distros?
    They tried that. It's called UnitedLinux. And one of the partners in that enterprise has decided to serially sue everyone else in the Linux business, based on an exotic theory of IP violation. You may have seen something about this recently here on Slashdot.
    --

    [100% ISO 646 Compliant]
    SVM, ERGO MONSTRO.

    1. Re:Distro Consolidation by Anonymous Coward · · Score: 0

      So your point is that Linux companies aren't mature enough to work together?

    2. Re:Distro Consolidation by The+Monster · · Score: 1
      So your point is
      I'm old. I don't have to have a point.

      (See if you recognize that one.)

      --

      [100% ISO 646 Compliant]
      SVM, ERGO MONSTRO.

  18. Re:We were considering implementing it by RedOregon · · Score: 4, Insightful

    What? You decided not to implement because it requires you to configure it? And if you don't, it gives a benign error?

    (Link points at an advisory stating that log check emails will bounce by default if not configured)

    --
    Skivvy Niner? Email me!
    HEY! Look left just ONE MORE TIME!
  19. Braino by wowbagger · · Score: 3, Funny
    While reading the summary, I misread
    Openwall Project


    as

    Orwell Project


    which, I personally feel would be an interesting name for a security enhancing project - right up there with Big Brother.

    ENOCAFFINE
    1. Re:Braino by Anonymous Coward · · Score: 0

      Gosh that's really interesting.... NOT!!!!!

      We aren't interested in your diary of Adventures Reading Slashdot... Here is an idea... Go learn to read and then come back, but please wash your hair, take a shower and move out of your parents' basement mmmmmkay! Bye now!

    2. Re:Braino by Anonymous Coward · · Score: 0

      Let me guess... An American I presume??

    3. Re:Braino by Anonymous Coward · · Score: 1, Funny

      Hey pal... Americans built this website. Hell, Americans built the internet, just ask Al Gore.

  20. Sounds like.. by o1d5ch001 · · Score: 1

    OpenBSD lite. For those only interested in a partial code review...

    --
    Q. What is Calvin's monster snowman called? A. The Torment Of Existence Weighed Against The Horror of Non Being
    1. Re:Sounds like.. by Anonymous Coward · · Score: 1, Insightful

      code review != security

      it just helps reduce bugs/vulnerabilities

      LIDS etc OTOH protect when a bug is found, something OBSD does not.

      furthermore, OBSD audits the base install, which is essentially useful.

      Secure by default only, 'cept no one only runs default.

  21. Re:We were considering implementing it by freuddot · · Score: 4, Informative
    OVERVIEW
    --------
    A bug was recently discovered in the default configuration of the
    daily log summaries. The default address is set incorrectly causing
    daily summaries to bounce until the system is ran through the initial
    configuration process or the admin e-mail address is changed.


    Err. That's probably the mildest bug/security problem I've ever seen. Care to explain to me what the problem is with either

    - applying the update?
    - running the initial configuration process?

    Or were you simply googling for a defect to post and that's the only one you found?
  22. you think that's cool? by Anonymous Coward · · Score: 0

    Well my name is Dr. Richard Daystrom and I'm working on the M5 advanced protocol unit, the most ambitious computer ever made.

    Of course, if you have an A7 computer classification you already know all this.

  23. Re:The debian server could use it! by c.derby · · Score: 1

    beware the goatse.cx link in the parent.

    --
    -- derby
  24. You ask why people keep reinventing the wheel? by CQ · · Score: 1

    Because there are too many distros and add-ons!

    Linux is in danger of losing direction much as UNIX did 20 years ago! Everyone can and does write Yet Another Add-On:

    "Yaooooooooooo! I'm going to be rich!"

    And they do this before they learn what is already out there, identify the good and bad parts (PROPERLY), and document what makes their solution worth the effort.

    Properly: It is amazing how many people are willing to "take a look at" something and consider themselves versed enough to criticize! Most of the time, they are just criticizing the default UI and the way it installs!

    Without the discipline of identifying and documenting the ideas that make a product unique, we're all just pzzzing in the wind!

    Without some form of Intellectual Property protection, there is no money to pay for the analysis that MUST precede real progress. ....but never mind. Survival of the fittest means that eventually MOST of us (and most Linux add-ons) will ultimately starve and die off.

    I foolishly dream of the world in which we can pursue our ideas without bloodlust and the ripping and gnashing of teeth!

    Nah! It's so much more fun being so sure of ourselves and blaming our failures on everybody else. That's the way, right?

    1. Re:You ask why people keep reinventing the wheel? by Anonymous Coward · · Score: 0

      But if you have Ninnle, and it does everything you could ever need, why even bother with the add-on? It just makes things more complicated and bloated. Ninnle is already pretty fast and stable, but improvements could still be made, I agree. But (re)writing an entire new distro just strikes me as a waste. I'm sure all the other Ninnle Linux users reading this agree with me.

  25. Pricing. by Qbertino · · Score: 4, Interesting

    What's this supposed to be?
    Is this such a big fat hairy deal that you have to charge a minimum of 800$ for a "oh-so-extra-special-secure-Linux" distro?
    Ok, if it's so easy to install that any Webdesigner could get it on right out of the box I say ok, let them Dreamweavers pay the price if they're too cheap for hiring a sysadmin to their team.
    But I seriously doubt that this one pulls the trick better than a securepatched SuSE, Debian or OpenBSD.
    Does anybody have solid experience with this distro and can they testify that its bizarre retail price is justified?

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:Pricing. by div_2n · · Score: 2, Informative

      At a place I used to work we had two Engarde boxes sitting in a DMZ acting as DNS servers. In the two years I was there they NEVER went down and as far as we could tell had never been cracked. Our IDS did record quite a few attempts though.

      I can't say the same for our Citrix servers . . .

      IMHO the price is definitely worth it. I have spoken with the CEO Dave Wreski many times and he has helped me through several tough problems. Hands down their tech support has been unbelievable. I recommend their product to every company that I believe has a need that their products can fill.

      For most /. users their products won't make much sense because they are targeted to an enterprise level customer.

      If you happen to work for one of these companies you will not find a more out of the box secure solution for Web, DNS, E-mail or file serving.

    2. Re:Pricing. by Anonymous Coward · · Score: 0

      I have extensive experience, and yes, the price is justified for the professional version. As a consultant who deploys numerous boxes/OSes at clients with no internal IT department and low resources to pay for securing a box, EnGarde is perfect. I've also extensively audited the box and it really is secure OOB.

      Download and check out the community version; it's free and has all of the same basic security features as the professional version.

  26. "Pioneering OpenSource Security"? by Fefe · · Score: 2, Funny

    Ah, so these are the people OpenBSD learned everything from, right?

  27. What a great idea by The+Tyro · · Score: 4, Funny

    "turning it into a secure pubic server"

    That's truly a noble endeavor... From my experience, most insecure pubic servers are loaded with viruses and trojans.

    --
    Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
  28. Has it occurred to anyone that... by Spleen · · Score: 2, Funny

    "Improved Mandatory Access Control" would be iMAC ?

  29. Re:Something Different...try Ninnle by Anonymous Coward · · Score: 0

    Ninnle Linux does that.

  30. EnGarde is a good step forward by jzarzosa · · Score: 1
    It's good to see a distro that focuses on security. I've used version 1.0, and it did a decent job "out of the box". It'll be interesting to try out this latest version since some of the new features look very appealing.

    Is there anyone out there that uses EnGarde in their production environment?

    1. Re:EnGarde is a good step forward by Koatdus · · Score: 1
      Is there anyone out there that uses EnGarde in their production environment?


      I have been using the community version of Engarde's last release as a 10 user email server for about a year. It has run flawlessly. The only downtime I have had the whole time was for a reboot after a kernel upgrade.

      Engarde has a very nice HTML front end that will get you started. I found however, that after I had been using the system for a little while I had modified things to the point that I didn't trust the HTML front end not to overwrite something. If you keep the system stock however that is not a problem.

      --
      Every wrong attempt discarded is a step forward - T. Edison
  31. in other news... by Anonymous Coward · · Score: 0

    Solar Designer sues EnGarde Linux for alleged
    intellectual property theft.

    and our headline today...

    SCO sues Solar Designer of Openwall and his ISP, the Russian Dataforce, for alleged intellectual property theft, as they claim to own the source code and the trademark of IP-suing cases.

  32. LIDS vulnerability :) by sneakybilly · · Score: 1

    The installation howto for LIDS says that you can turn it off by appending security=0 as a kernel parameter in your boot loader. This seems silly since they go to a lot of trouble to ensure that even the root user can't kill its processes and stuff. What is stopping the root user from just editing the boot loader conf and rebooting with these parameters?

  33. Re:We were considering implementing it by Anonymous Coward · · Score: 0

    Looks to me like it was mis-marked. It's a bugfix advisory only.