Defend Your Kingdom
Security-enhanced distributions use several techniques to let you rise above this reactive mind-set. One method involves enhancing access-control mechanisms. Unfortunately, however, at its inception the Unix operating system did not have security as a design goal. The all-powerful root account is a major liability to maintaining host security because it forces you to keep all your eggs in one basket. One poorly written application running with root privileges is all it takes to allow a complete compromise of your system. By providing file- and network-access control at a finer grain and giving applications only the privileges they need to run--rather than the keys to the kingdom--you can avoid getting taken down by the latest buffer overflow in a network daemon.
We discussed covered some of the major security-enhanced Linux distributions in our November 26, 2001, issue (see "Locked Down Out of the Box"). Here, we've done a full-fledged evaluation. Our ground rules: The product must be a full Linux distribution, not an add-on. It must also be a general distribution on which a range of Linux applications can be run, not just a router- or firewall-oriented product. Finally, it must be at least version 1.0 and out of beta. That left us Guardian Digital's EnGarde Secure Linux 1.1, Hewlett-Packard Co.'s Secure OS Software for Linux 1.0, Trustix AS' Trustix Secure Linux 1.5 and Wirex Communication's Immunix 7.0 (for a look at some distributions that didn't make the cut, see "OpenBSD, PitBull, SE Get Caught in our Filter").
Both Guardian Digital and Wirex offer their software products preinstalled on hardware in appliance form. In addition to the time savings, the prepackaged wares will get you a support contract to keep the server humming in time of need.
A Chink in the Armor
One metric by which we measured the distributions is their reaction to past security issues. We also considered the vendors' responses to security issues, including how quickly they sent out advisories and patches. And we analyzed how well the each worked against two critical, recent Linux vulnerabilities. The first, the ptrace vulnerability discovered in October 2001 (see "linux-ptrace-race-condition (7311)"), lets a local attacker gain root privileges by exploiting a race condition in the kernel. The second is a serious vulnerability involving the improper use of dynamically allocated memory in the zlib compression library used in many applications in a typical Linux distribution, including the kernel (see "CERT Advisory CA-2002-07 Double Free Bug in zlib Compression Library").
Security is always a trade-off, and any security mechanism implemented at a low level, such as the process level, will inevitably affect performance. Comprehensive performance tests fell outside the scope of this article, but we didn't notice any major performance hits in the lab.
EnGarde walked away with our Editor's Choice award thanks to the depth of its security strategy, which covers nearly all the bases. Everything from the low-level mechanisms (binary integrity checking and stack protection) to high-level usability issues (including an excellent patching interface) demonstrate the serious effort the Guardian Digital crew has invested in EnGarde. The company also told us it is looking to expand on this solid foundation. On the other hand, if you're a Red Hat aficionado and want an easy introduction to a secure Linux platform, take Wirex's Immunix for a spin. The protections it offers are time-proven and the most mature in this market. Both of these distributions in their commercial forms (especially the appliances) offer a high degree of usability, making them suitable for novice to intermediate Linux users.
The new face in the crowd, HP's Secure OS Software for Linux, is more specialized--it's designed for high-security environments run by experienced administrators. Once it gets a little more polish and some miles under its belt, this product will be one to watch.