LINUX SECURITY --- January 02, 2001

Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
________________________________________________________________________________

HIGHLIGHTS

* Rick takes a peek at three secure Linux distributions -- SELinux, Bastille Linux, and Immunix
________________________________________________________________________________

Secure Distributions
By Rick Johnson

Time to build a new server? This time, make security the goal from the moment of install. A regular Linux distribution just is not enough for you; the security risks are too great. Maybe it is time to look into our favorite operating system's latest rage -- secure distributions.

The available secure distributions vary from a series of patches for existing installs to complete replacements. Even the NSA joined the cause du jour, developing a distribution of their very own. Each offers its own security ideas, and no doubt one will possess the features you require.

* Security-Enhanced Linux (http://www.nsa.gov/selinux/) - Based on kernel version 2.2.12 and Red Hat version 6.1 utilities, SELinux contains mandatory access controls for the major kernel subsystems and an example security policy configuration demonstrating how to use these controls to meet several security goals. Significant work remains ahead to provide mandatory access controls for all kernel services and to provide a complete general-purpose security policy configuration. To answer your first question: Yes, SELinux was released under the GPL, so you can examine the source code. As soon as time permits, I will be reviewing SELinux in depth. It's just too intriguing to pass up.

* Bastille Linux (http://www.bastille-linux.org/) - Bastille Linux is a project to secure existing Linux distributions.
Attempting to harden your current installation, Bastille Linux makes your server much more difficult to crack by locking down configurations on system daemons, replacing insecure protocols with encrypted ones, and disabling unused and insecure services. In addition, Bastille will actually educate you about each action presented as a possible change. Bastille currently supports Red Hat and Mandrake systems and, while it should be run on a fresh system, that is no longer required. Other useful features include an undo option for any files changed, a rerun ability to keep a system hardened, and a log option that writes all possible changes to a log file instead of actually changing system files.

* Immunix OS (www.immunix.org) - Immunix OS from WireX is a rebuilt Red Hat 6.2 distribution hardened with the Immunix tool set. Immunix hardens existing software components and platforms so that attempts to exploit security vulnerabilities will fail safe, i.e., the compromised process halts instead of giving control to the attacker, and is then restarted. Immunix effectively "laminates" the software components with technologies to harden them against attack. Based mostly on the Red Hat Linux 7.0 distribution, Immunix System 7 Beta has been rebuilt with the latest Immunix StackGuard enhancements to the egcs compiler and Immunix FormatGuard enhancements to the glibc libraries.

Naturally, you should always take the time to examine any distribution before bringing it into a production environment. But wouldn't it be great if there were no distributions labeled "secure"; imagine, one day, secure distributions being as standard as networking support -- never mind, that would be too easy.

About the author(s)
----------------
Rick Johnson is currently the Manager of Security Services for FusionStorm, a remote managed services company. When not writing, he heads the development team for PMFirewall, an Ipchains Firewall and Masquerading Configuration Utility for Linux.
Rick can be contacted via email at rick@pointman.org or on the web at http://www.pointman.org.
________________________________________________________________________________

ADDITIONAL RESOURCES

A distribution by any other name?
What you should know about the different Linux distributions
http://www.itworld.com/jlw/linsec_nl/lw-1998-10/lw-10-linux101.html

Are you sure that you're secure?
Keeping intruders at bay
http://www.itworld.com/jlw/linsec_nl/lw-2000-02/lw-02-expo-security.html

Wireless acrobatics
Is the convenience of wireless technology worth the security risks?
http://www.itworld.com/jsw/linsec_nl/swol-12-2000/swol-1229-unixsecurity.html

Advanced Security Techniques
http://www.itworld.com/jitw/linsec_nl/CDA/Video/ITW_Advsecurity_Security/1,3542,,00.html

Linus Torvalds: Happy new year^H^H^H^Hkernel..
http://www.itworld.com/jump/linsec_nl/www.linuxtoday.com/news_story.php3?ltsn=2000-12-31-014-04-NW-KN

KTH Kerberos IV contains vulnerabilities
http://www.itworld.com/jump/linsec_nl/www.nwfusion.com/newsletters/bug/2000/00228970.html

Beware the Computer Zombies
http://www.itworld.com/jump/linsec_nlwww.wired.com/news/technology/0,1282,40905,00.html
________________________________________________________________________________