Trustix, a Worthy Contender?

Linux.com (also owned by OSTG) is running a quick look at Trustix, a Linux distro designed for servers that focuses on ground up security and stability. From the article: "No operating system can claim to be completely secure. There will always be zero-day exploits, configurations errors, user errors, and other factors that can defeat the best security for any system. On the other hand, it's always good to start from a secure base and then add more security. Trustix provides a reliable and secure Linux distribution that you can build upon. There are no wasteful graphical displays and no wizards to set up your firewall. If you aren't comfortable with the command line, forget about Trustix. [...] That said, Trustix does a good job of keeping your system up-to-date, and if you have the required experience, you'll find that it's a robust distro. As a simple server distro with a high level of security and customizability, Trustix is a worthy contender."

Re:NSA Linux?

[Poppler]

The NSA gave us SELinux.

Re:Benefits?

[g0sub]

Yup, this is especially valid since Trustix has been around since the late 90's.

Comparing Secure Linuxes?

[gbulmash]

Has anyone done a comparison or testing of a "ground-up" secured Linux like Trustix with a linux hardener like Bastille? It would be interesting to see what the advantages/disadvantages of each are.

- Greg

Re:NSA Linux?

[Coryoth]

Didn't the NSA put out a distro specifically for high security applications a few years ago??

The NSA produced a kernel patch and a set of userland tools called SELinux which provided a much richer and more fine grained security model for Linux, but no actual distribution. In practice this was essentially done as a "proof of concept" by the NSA who were frustrated by the lack of serious security architecture in modern operating systems - they decided the easiest way to get the ball rolling was to take something freely available and modifiable, like Linux, add the better security architecture and hand it back to show how things could be done. Since then that work has been converted into the Linux Security Module which provides support for the general architecture suggested by the NSA in a more modular fashion, and SELinux was adapted to work within such a system.

What does SELinux actually buy you? To quote the NSA FAQ:

"The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. When confined in this way, the ability of these user programs and system daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

The security of an unmodified Linux system depends on the correctness of the kernel, all the privileged applications, and each of their configurations. A problem in any one of these areas may allow the compromise of the entire system. In contrast, the security of a modified system based on the Security-enhanced Linux kernel depends primarily on the correctness of the kernel and its security policy configuration. While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole."

Jedidiah.

Happy 5th

[plasticsquirrel]

Happy belated zeroeth birthday, Trustix!

The first full release of Trustix was over five years ago. It isn't a new, untested Linux distribution by any stretch of imagination.

As a Trustix User...

[vwjeff]

Disclaimer: I am not a Trustix employee but do believe in using the best tool for the job. For example, I am writing this from a new iMac (which I love.)

I use Trustix on my servers because it is designed specifically for servers. Unlike other distros, Trustix is completely CLI and bloat is minimal. By default, a base system is installed (basic GNU Utilities, and sshd.) The default config files for any installed service were created with security in mind. For example, sshd does not allow root login. Also, services are disabled by default. If you installed Samba along with the base system, smbd would not run at boot. I don't like to spread marketing propoganda but this link provides some usable information among the marketing department's BS.

Swup is my favorite feature of Trustix. Swup is to Trustix as Apt is to Debian. Swup offers the same features of Apt, dependency checking, software removal, ect. but Trustix is an RPM based distro. Before updating the system, a PGP key is checked and compared on the system and the remote server. IIRC, Trustix can trace its roots to Red Hat, as many other distros are such as SuSE can. My first experience with a Linux distro was with Red Hat, many years ago. I could use Fedora or CentOS but IMHO, they are bloated when compared to Trustix.

Finally, Trustix has a basic roadmap for future releases. I know that a year and a half from now, Trustix will no longer be releasing packaged updates for my TSL (Trustix Secure Linux) version. Also, there is only one type of TSL version available. If you or your company decides to purchase support for TSL, your PHB will be able to feel warm and cozy. The product you will be using is the exact same product you can download from trustix.org for free. If you are the sysadmin and PHB like me, support is not needed. I am lucky because I am basically my own boss. My only two objectives are using minimal monetary resources and maintaining a secure and stable IT infastructure. My superior feels that the Sysadmin is able to choose the best products and tools to follow these objectives. I respect him, he respects me, and I am happy with my job.

Members of the trustix.org mailing list are always willing to give help when needed. Surprisingly, if an issue cannot be resolved by list members, Trustix.com employees often step in to help. If I were to leave or be moved to a different position (hopefully promoted), support could be purchased for the existing system if needed.

I know that Trustix is a funny name but give it a try. At home I've got a 300 Mhz Celeron with 64 MB RAM running Trustix 2.2. I has 2x200 GB drives using software RAID 1. I have it configured as a Samba PDC for the Windows boxes in the house my family uses. I'm currently working on connecting my new iMac to the Domain. We have four PCs which use it for authentication and home directories; performance is never an issue. I have a duplicate box minus the 2x200 GB hard drives which I use for testing and it also runs Trustix 2.2. Give it a try.

Fedora w/ strict policy enabled

[r00t]

Fedora Core 5 does the job if you ask it to.

First, install the x86_64 version. This provides accurate memory permissions and more bits for address space randomization.

Enable the strict SE-Linux policy, or the MLS policy if you want military-style levels. (the default policy is "targeted", which is still better than the "off" setting)

During the install, or afterward via the setsebool command, change a few settings if not done already. Enable the policy that prohibits executing from files that are not specially marked, that were written to, or could be written to. Disable the app compatibility hacks.