Trustix, a Worthy Contender?

Linux.com (also owned by OSTG) is running a quick look at Trustix, a Linux distro designed for servers that focuses on ground up security and stability. From the article: "No operating system can claim to be completely secure. There will always be zero-day exploits, configurations errors, user errors, and other factors that can defeat the best security for any system. On the other hand, it's always good to start from a secure base and then add more security. Trustix provides a reliable and secure Linux distribution that you can build upon. There are no wasteful graphical displays and no wizards to set up your firewall. If you aren't comfortable with the command line, forget about Trustix. [...] That said, Trustix does a good job of keeping your system up-to-date, and if you have the required experience, you'll find that it's a robust distro. As a simple server distro with a high level of security and customizability, Trustix is a worthy contender."

Chop shop

" Linux.com (also owned by OSTG) is running a quick look at Trustix, a Linux distro designed for servers that focuses on ground up security and stability."

I'm sorry. I like my security and stability in one piece. Thanks.

Re:NSA Linux?

[Poppler]

The NSA gave us SELinux.

Re:Benefits?

[g0sub]

Yup, this is especially valid since Trustix has been around since the late 90's.

Comparing Secure Linuxes?

[gbulmash]

Has anyone done a comparison or testing of a "ground-up" secured Linux like Trustix with a linux hardener like Bastille? It would be interesting to see what the advantages/disadvantages of each are.

- Greg

Re:NSA Linux?

[Coryoth]

Didn't the NSA put out a distro specifically for high security applications a few years ago??

The NSA produced a kernel patch and a set of userland tools called SELinux which provided a much richer and more fine grained security model for Linux, but no actual distribution. In practice this was essentially done as a "proof of concept" by the NSA who were frustrated by the lack of serious security architecture in modern operating systems - they decided the easiest way to get the ball rolling was to take something freely available and modifiable, like Linux, add the better security architecture and hand it back to show how things could be done. Since then that work has been converted into the Linux Security Module which provides support for the general architecture suggested by the NSA in a more modular fashion, and SELinux was adapted to work within such a system.

What does SELinux actually buy you? To quote the NSA FAQ:

"The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. When confined in this way, the ability of these user programs and system daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

The security of an unmodified Linux system depends on the correctness of the kernel, all the privileged applications, and each of their configurations. A problem in any one of these areas may allow the compromise of the entire system. In contrast, the security of a modified system based on the Security-enhanced Linux kernel depends primarily on the correctness of the kernel and its security policy configuration. While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole."

Jedidiah.

Trustix is supposed to be ok

[jd]

It has been around for a while, and I've not heard anything particularly bad about it. Not heard anything exceptionally good, either. One of the problems with security is that there are so many different kinds. The flavours that seem to be popular are:

• Security of the host against intrusion (eg: OpenBSD)
  
• Security of the host against usability attacks
  
• Security of the contents against a user (eg: Trusted Irix)
  

On top of that, you have several methods of ensuring that the software is correct. The methods that are popular are:

• Correct bugs as they are discovered (eg: Linux)
  
• Aggressively audit for bugs (eg: OpenBSD)
  
• Implement the software from a correct design (eg: Gemini)
  

Trustix does some of the auditing of OpenBSD, I believe, which is good. However, no auditing method will ever produce provable security. It can only ever produce probable security.

Linux (and so presumably Trustix) has various role-based mandatory access control systems, which provide a vastly higher level of protection against malicious use by someone already on the system. However, none of the mechanisms I am aware of provide mandatory access controls for packets or memory allocations. I am also very unclear if they provide additional security for shared memory or shared resources (using the P9000 filing system). As far as I know, OpenMOSIX and bproc have no mandatory access control support, so if you migrate a process, the rights do NOT migrate with it. (Also, if one node in a cluster has MAC, it should be impossible for threads to migrate from that to a non-MAC node, although the reverse should work, as MAC restrictions can be added but should not be removable outside of the established mechanism for doing so.)

MAC only appears on a very limited number of *BSDs, and most of those have vanished without a trace. SecureBSD and TrustedBSD are not exactly household names, and even those seemed to be limited to the narrow range of controls that SELinux supports. AFAIK, no other of the Open Source BSDs support mandatory access controls at all.

Note: MAC clusters would be wonderful for public server farms, as they would be a lot simpler and a lot safer than any of the other popular methods used.

Trusted computing and encryption often go hand-in-hand, but driver support for either is abysmal in the kernel. The number of trusted computing accelerators supported by Linux is feeble, and there's only one (RSA) crypto chip, even though many many others exist - and there's even specs and Open Source support for them. Why publicly specced devices aren't making it into Linux is beyond me, as that is the chief complaint of Linux driver developers. The way to reinforce that specs are good is to reward those who publish them. The way to reinforce that Linux doesn't matter is to have no impact.

(A good example is the Motorola S1 chip, for which the complete manual has been online for a long long time.)

Ultimately, until an Open Source system can beat the pants off an ancient closed-source system like Gemini, we've no business calling anything we have "secure" in any absolute sense. In a relative sense, most Open Source systems are infinitely more secure than any comparable system, but that only goes so far. It's about time we bit the bullet and gatecrashed the turf that has so far been reserved for the most secure of military systems.

Fedora w/ strict policy enabled

[r00t]

Fedora Core 5 does the job if you ask it to.

First, install the x86_64 version. This provides accurate memory permissions and more bits for address space randomization.

Enable the strict SE-Linux policy, or the MLS policy if you want military-style levels. (the default policy is "targeted", which is still better than the "off" setting)

During the install, or afterward via the setsebool command, change a few settings if not done already. Enable the policy that prohibits executing from files that are not specially marked, that were written to, or could be written to. Disable the app compatibility hacks.