Slashdot Mirror

← Back to Stories (view on slashdot.org)

Trustix, a Worthy Contender?

Posted by ryuzaki0 on from the #-and-other-favorite-hangouts dept.

Linux.com (also owned by OSTG) is running a quick look at Trustix, a Linux distro designed for servers that focuses on ground up security and stability. From the article: "No operating system can claim to be completely secure. There will always be zero-day exploits, configurations errors, user errors, and other factors that can defeat the best security for any system. On the other hand, it's always good to start from a secure base and then add more security. Trustix provides a reliable and secure Linux distribution that you can build upon. There are no wasteful graphical displays and no wizards to set up your firewall. If you aren't comfortable with the command line, forget about Trustix. [...] That said, Trustix does a good job of keeping your system up-to-date, and if you have the required experience, you'll find that it's a robust distro. As a simple server distro with a high level of security and customizability, Trustix is a worthy contender."

5 of 107 comments (clear)

  1. Re:NSA Linux? by Poppler · · Score: 3, Informative

    The NSA gave us SELinux.

    --
    What's the ugliest part of your body? Some say your nose, some say your toes, but I think it's your mind. -Zappa
  2. Re:Benefits? by g0sub · · Score: 5, Informative

    Yup, this is especially valid since Trustix has been around since the late 90's.

  3. Comparing Secure Linuxes? by gbulmash · · Score: 4, Informative
    Has anyone done a comparison or testing of a "ground-up" secured Linux like Trustix with a linux hardener like Bastille? It would be interesting to see what the advantages/disadvantages of each are.

    - Greg

    --
    Start a happiness pandemic
  4. Re:NSA Linux? by Coryoth · · Score: 4, Informative
    Didn't the NSA put out a distro specifically for high security applications a few years ago??

    The NSA produced a kernel patch and a set of userland tools called SELinux which provided a much richer and more fine grained security model for Linux, but no actual distribution. In practice this was essentially done as a "proof of concept" by the NSA who were frustrated by the lack of serious security architecture in modern operating systems - they decided the easiest way to get the ball rolling was to take something freely available and modifiable, like Linux, add the better security architecture and hand it back to show how things could be done. Since then that work has been converted into the Linux Security Module which provides support for the general architecture suggested by the NSA in a more modular fashion, and SELinux was adapted to work within such a system.

    What does SELinux actually buy you? To quote the NSA FAQ:

    "The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. When confined in this way, the ability of these user programs and system daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

    The security of an unmodified Linux system depends on the correctness of the kernel, all the privileged applications, and each of their configurations. A problem in any one of these areas may allow the compromise of the entire system. In contrast, the security of a modified system based on the Security-enhanced Linux kernel depends primarily on the correctness of the kernel and its security policy configuration. While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole."


    Jedidiah.
    --
    Craft Beer Programming T-shirts
  5. Fedora w/ strict policy enabled by r00t · · Score: 3, Informative

    Fedora Core 5 does the job if you ask it to.

    First, install the x86_64 version. This provides accurate memory permissions and more bits for address space randomization.

    Enable the strict SE-Linux policy, or the MLS policy if you want military-style levels. (the default policy is "targeted", which is still better than the "off" setting)

    During the install, or afterward via the setsebool command, change a few settings if not done already. Enable the policy that prohibits executing from files that are not specially marked, that were written to, or could be written to. Disable the app compatibility hacks.