EnGarde Secure Linux is aimed at members of the point-and-click crowd who are concerned about security. ESL is essentially a Web-based user interface wrapped around a hardened Linux core. Installation is a snap. From there, you can click your way through the configuration. ESL is clearly designed for those who want a product that is prepackaged and ready to go out of the box.
ESL can run any of the following applications: secure e-mail server (SSL-POP3 and SSL-IMAP), FTP server, SMB (Server Message Block) for Microsoft Windows file/print sharing, DHCP/DNS, HTTP including SSL and virtual host support, and PPTP (Point-to-Point Tunneling Protocol) server, which is included (among other services) with the optional $49 Secure Workgroup Suite. As long as your requirements are simple, you may never need to leave your browser. However, if you need to run other applications or have to tweak the configurations beyond what is presented in the limited Web-based interface, you will need to be familiar with the Linux CLI (command-line interface).
The hardened Linux core in ESL covers several areas. First, the Openwall patch is applied to the kernel and provides protection against some buffer-overflow attacks by making the stack nonexecutable. The patch also places restrictions on /proc, links in /tmp and several other security-enhancing modifications. The Openwall patch is highly regarded in the security community, as is its creator, SolarWall. The patch is also applied to the Immunix distribution.
ESL implements the Linux Intrusion Detection System. LIDS is not a traditional host- or network-based IDS but rather provides a lightweight form of Mandatory Access Control. Unfortunately, LIDS is referenced both on the EnGarde Web site and in the hardcover documentation without mentioning the LIDS project, which offers a wealth of information useful to EnGarde system owners. LIDS allows limitations to be placed on processes that need to run as root and implements strong file-access controls that go beyond the traditional DACLs (Discretionary Access Control Lists) provided by Unix.
In addition, processes that need to run with root privilege can be assigned only those capabilities they must run. In that way, the administrator can limit which processes are allowed to do tasks such as configuring the network interface. This includes putting the NIC into promiscuous mode, reading raw memory and changing user IDs (see LIDS FAQ: Sample Configurations for some example configurations).
Unfortunately, in its short history LIDS has had a few devastating security holes (see LIDS Linux Intrusion Detection System vulnerability), so it is only partially trusted. Keep this in mind for any system on which you are employing LIDS. Guardian Digital says it has taken steps to address these issues.
ESL's Guardian Digital Secure Network provides a textbook example of an ideal patching interface--automatic notification, simplified downloading and straightforward descriptions are all included. We were up to current patch levels in a matter of minutes.
EnGarde holds up well in the line of fire, escaping without a scratch on the ptrace vulnerability. In fact, the company was able to say in an advisory: "Please note that EnGarde Secure Linux does not ship with the 'newgrp' utility, nor does it ship with any other setuid/setgid executables, which can be used to exploit this bug. Thus, EnGarde Secure Linux is not vulnerable to the ptrace flaw."
That's the name of the game in the security-enhanced Linux world: dodging the bullet when everyone else falls. On the other hand, the zlib bug was too entrenched to be avoided, and EnGarde suffered the same fate as nearly every other distribution. Fortunately, like most of the major vendors, Guardian Digital was able to push out patches the day the vulnerability was publicized.
If you want to take a test drive, Guardian Digital offers the ESL Community release, a free version with fewer tools and missing the Guardian Digital Secure Network. Patching has to be done the old-fashioned way--using FTP and the command line.
EnGarde Secure Linux. Guardian Digital, (866) 435-4689, (201) 934-9230. www.guardiandigital.com
Wirex Communications Immunix 7.0
Immunix is the granddaddy of the secure Linux world, the logical culmination of the StackGuard compiler enhancements developed by Wirex. The company takes a stock Red Hat release and compiles a good number of the packages (all the important ones, from a security perspective) with StackGuard to produce Immunix.
StackGuard is a set of patches for the standard GCC (GNU Compiler Collection) that causes the binaries produced to perform additional checks on stack operations. Buffer-overflow attacks work by overwriting a buffer with more data than the program expects (see "Smashing the Stack for Fun and Profit"). In doing so, rather than placing the expected data of size X on the stack, the attack blasts data X plus 1,300 bytes (for example). The additional data is specially crafted to overwrite the return pointer of the function and execute the attack's choice of code, which has also been included in the overflow data. If the attacked network daemon is running as root, the entire system has probably been successfully compromised. StackGuarded binaries write on the stack a small, additional "canary" value, which is checked when a function returns. If the canary value has changed, which happens in a typical buffer-overflow attack because the entire stack is overwritten in a brute-force manner, the program halts execution and logs an entry to syslog indicating the violation.
Because buffer-overflow attacks still account for many serious root-level vulnerabilities in Unix systems, Immunix is successful in a variety of situations. Buffer-overflow attacks can still nail a StackGuarded binary in certain situations if designed to bypass stack-integrity-checking defenses. The good news is that the majority of exploits are not designed that way because, from an attacker's standpoint, there is not much of a need to do so: Most Linux network daemon binaries are not StackGuarded. Most nonbuffer-overflow attacks, such as heap-based attacks or race-condition attacks, will affect an Immunix distribution, creating the familiar "window of vulnerability" that follows a security advisory.
Immunix does, however, defend against format-string vulnerabilities (for information on format-string attacks, see Format String Attacks: 101). FormatGuard, a modified version of the glibc shared library, ensures that dangerous functions such as printf() do not receive additional arguments indicative of an attack.
Mandatory Access Control (MAC): A mechanism that enforces separation of processes, containing potential damage if a process is compromised. MAC prevents malicious code from running by eliminating a single point of authority, the root account (for more on MAC, go to www.nwc.com/1312/1312rd2.html).
The final tool in the Immunix arsenal, SubDomain, enforces file-level Mandatory Access Control. SubDomain is included but is completely unconfigured, and the task of setting it up is left up to the user.
How well does Immunix fare in the face of adversity? The answer depends on the type of attack. Immunix fell victim to both the ptrace and the zlib vulnerabilities because neither are buffer-overflow or format-string bugs. The ptrace vulnerability was patched quickly, but the zlib vulnerability was still unpatched at the time of this writing. Apparently, Immunix is working on so many patches that it can't release them in a timely manner. Rather, it is developing an Immunix 7+ distribution, which will act as a security-patch rollup. Needless to say, this new model does not sit well with the extremely security-conscious Immunix user community. Detailed information (and some lively reading) can be found on this thread from the users' mailing list. We recommend new users wait for 7+, which was unavailable at press time.
Immunix 7.0. Wirex Communications,(503) 222-9660. www.wirex.com or firstname.lastname@example.org
Hewlett-Packard Co. Secure OS Software for Linux 1.0
HP Secure OS Software for Linux is a mouthful, so we'll call it HP-LX. HP-LX is based on Red Hat 7.1 and is the only product we tested that has an option to come with X Windows installed. Unlike the rest of the distributions we tested, which use the 2.2 kernel, HP-LX includes a modified 2.4 kernel.
The guts of HP-LX are proprietary Mandatory Access Control tools that provide what HP calls compartmentalization. All network services should be run in their own compartments that define the domains in which the services are allowed to run. File access, as well as all other system resources, is controlled and enforced by HP's custom kernel. Only processes that share the same compartment label may talk to one another. The theory is: If one network service is compromised, the damage is limited to the compartment in which it runs. Therefore, the chances of the attacker extending his or her access and compromising the entire server are greatly reduced.
Essentially, HP-LX is an ultrasecure Web server in a can. Apache and the Tomcat server (a Java Servlet and JSP engine) run in their own compartments. Even if a serious security vulnerability is discovered in the Java interpreter, the damage from an attacker leveraging the hole can be limited--a good thing, considering the security history of Java. For example, if someone manages to break into the Tomcat server, he or she won't be able to access the Apache's binaries or configuration files since those are in a different compartment. Using the Multi-Compartment Gateway Agent tool, the administrator defines how processes running in different compartments can communicate, ensuring that only minimal exposure is created between compartments.
A common incorrect assumption is that HP-LX is a port of HP Virtual Vault, a hardened system available on the traditional HP-UX RISC systems. HP-LX was designed by some of the same computer scientists, but their design goals were different. They aimed to make HP-LX a lighter-weight system that is easier to configure and use--and they've succeeded. The tlutils are well-documented and easily managable once you get the hang of it. Sure, implementing a new service versus using your typical Red Hat server will take more work, but you'll gain a significantly higher level of security in the process.
Patching HP-LX can be confusing. Because most of the distribution is stock Red Hat, you must monitor the Red Hat security mailing list to stay patched. Plus, you'll need to implement additional patches from HP for the proprietary parts of the system. We believe a slick updater that integrates patches from both sources is in order, given the hefty price of this package and its focus on security.
Our test security cases, the ptrace and zlib bugs, were not handled very well by HP. Given that the distribution devotes most of its effort to protecting network-based services, this isn't surprising. Still, we would have liked to have seen the ptrace bug addressed in a more timely fashion--it took HP a month and a half to release the patch.
HP hosts online Web forums for discussion and technical support. Activity here is pretty light, but don't read too much into this; the product was introduced less than a year ago, and the market is relatively small and specialized. The product does show promise, as long as it can withstand the security testing it is bound to undergo in the market and in the labs that get hold of it. (A seemingly serious security vulnerability was discovered soon after the product's release and has since been patched; see hp-secure-unauth-privileges).
For the most part, HP-LX's documentation is excellent. More advanced administrators, especially those with security experience, however, will wish HP had skipped the chapters on passwords and other basic tools in lieu of more interesting material.
Secure OS Software for Linux. Hewlett-Packard Co., (800) 633-3600. www.hp.com
Trustix Secure Linux 1.5
Trustix Secure Linux 1.5 ended up the odd man out in this lineup. The goals of this slightly hardened Linux distribution are unclear. Some clues can be gathered from the company's mission statement, but very little in the product warrants the trade-offs of moving from a mainstream distribution to Trustix Secure Linux.
The product is not based on a traditional distribution, but rather is packaged from the ground up by Trustix. What enhanced features does this buy you? All network services are disabled by default. Secure defaults are provided for packages. Secure alternative packages are included in place of those with nasty security histories; for example, Postfix is included in lieu of Sendmail. Unfortunately, the user's guide includes almost no information about security. The bottom line is that it would take only a few minutes to tweak a mainstream distribution install to get it to the same level of security that Trustix Secure Linux provides.
Presumably, this product is not Trustix's primary source of revenue. Rather, it forms the base for the company's more expensive, specialized products: Trustix Firewall, Trustix Proxy Server, Trustix Mail Server, Trustix Web Server and Trustix LAN Server. These products fall outside the scope of this review, but given our low opinion of the effort that went into the foundation of these solutions, the buyer should do his or her homework first. Trustix needs to address some of the issues the rest of the competition covers, including buffer overflow protection, file integrity checking and Mandatory Access Controls.
As expected, Trustix Secure Linux was not impervious to the ptrace and zlib vulnerabilities. In the company's defense, however, Trustix is quick on the draw when releasing patches, and patches did come out immediately after the vulnerability announcements. In addition, the swup command, written by the Trustix folks, simply rocks. (Attention Linux vendors: Swup is released under the GNU license and is therefore freely available for inclusion with other distributions.) To upgrade a system to the current patch levels, simply execute swup-upgrade. Unlike RPM (Red Hat Package Manager), Swup takes care of any dependencies, such as Debian's apt-get, and uses PGP (Pretty Good Privacy) signatures to ensure authenticity.
Trustix Secure Linux 1.5. Trustix, (408) 291-8645. www.trustix.com
Patrick Mueller is a senior security analyst for Chicago-based security consultancy Neohapsis. Send your comments on this article to him at email@example.com.