A Look at EnGarde Secure Linux 3.0
EnGarde Secure Linux 3.0 "Community" comes on a single CD available for both the i386 and x86_64 architectures. Its default installation method starts rather unconventionally - with setting up the root password and networking, before proceeding with package installation. This might seem like an odd sequence for a "secure" distribution; given that all the necessary packages are on the CD, why would anyone want to perform a system installation with networking enabled? Soon the reason becomes apparent: the EnGarde installation CD also serves as a live CD so users can evaluate the product without having to install it to their hard disks. Since all system configuration is performed remotely through a web browser, having functional networking on the system running EnGarde is essential.
Nice idea in theory, but in practice we couldn't get it to work. While we had no trouble connecting to the EnGarde system with https://ip_address:1023, after typing in the user name ("admin") and password ("lock&%box"), we were greeted with an error message - an undefined subroutine in sysstat.pm. So much for trying to evaluate EnGarde Secure Linux in a "live CD" mode!
Next, we decided to do a full installation, hoping for better luck. Disappointingly, bugs continued to plague us here as well; although the installer detected both hard disks, it did not acknowledge the presence of any of the several Linux partitions on the first one, claiming "no partitions defined" and forcing us to create new ones. However, not wanting to repartition the first disk, we couldn't find a way to create new partitions on the second disk - the installer insisted on creating /dev/hda1, no matter which hard disk we had selected! Only after physically unplugging the power supply from the first hard disk and disabling it in the BIOS were we finally able to install EnGarde on the second disk (/dev/hdc).
Granted, most users who intend to use EnGarde Secure Linux in a production environment are unlikely to dual boot their system so they won't face these kinds of problems. Nevertheless, if the installer has options which don't work as advertised, then something is not quite right.
Eventually we installed the system where we wanted it. The package selection screen gave us an option to select one or more installation classes from a short list containing "Databases", "DNS", "Firewall", "Mail Services", "Network Intrusion Detections" and "Web Services", before proceeding to the network configuration part. Here, the opening screen promised support for network configuration with a static IP address, DHCP or PPPoE, but once we pressed the "next" button, we were forced to set up a static IP address, with options for DHCP or PPPoE nowhere to be seen (presumably because the machine only had one network card, which would have a static IP address in most common configurations). After this final step, we were prompted to reboot the system.
Up until this point our experiences with EnGarde Secure Linux 3.0 were mixed at best. Fortunately, things improved dramatically once the system was installed and when we finally had a chance to investigate the distribution's web-based administration interface - Guardian Digital WebTool. Written in Perl, WebTool has obviously been inspired by Webmin, although it sports a considerably different (and arguably more pleasant) user interface (see screenshots). After the first login, we were required to change the system's root password and WebTool's login password, set up IP address(es) with permissions to connect to the EnGarde system, and effect a few other configuration changes. Once completed, we had the first taste of what it feels like administering a remote system from a web browser when we rebooted the system with a single mouse click.
Shortly afterward we were once again logged into WebTool. Due to a few early bugs reported on the distribution's mailing lists (and impressively fast responses by EnGarde developers), we decided to start with updating the system. This can be done through the free and convenient Guardian Digital Secure Network (GDSN), but before we were allowed to proceed, we had to obtain an activation number and password by registering the product on the company's web site. After the update, we continued looking through the user interface and checking out all the configuration and reporting options. Although not as comprehensive as we had expected, WebTool had pages for most important server administration tasks, including a backup and restore utility, a UPS configuration module, as well as the usual pages for managing DNS, web, mail, SSH and FTP servers. Certain services had extensive configuration options (we especially enjoyed the Firewall configuration page), while others were very basic (e.g. the Apache configuration page only allowed adding, modifying and deleting Virtual Hosts).
What does the word "Secure" represent in EnGarde Secure Linux? By default, the distribution installs in "secure" mode, with SE Linux and Mandatory Access Control (MAC) enabled. It has carefully tuned file permissions of important system, configuration and log files so that they are not accessible to unprivileged users who might log in to the system. There are other small enhancements, such as the unavailability of a "single user mode" and the presence of several intrusion detection and network monitoring tools, with real-time reporting facilities in WebTool. The company also maintains the very useful LinuxSecurity.com portal. On the negative side, the documentation on the distribution's web site has not been updated since version 1.5, so most new features in the latest release are not yet documented.
Overall, EnGarde Secure Linux 3.0 "Community" is a mixed bag. Obvious bugs
in the installer and lack of up-to-date documentation are two big
negatives. On the other hand, the developers have been very responsive to
bug reports and the updated WebTool, combined with new security
enhancements in the distribution, will appeal to those users who need an
intuitive and easy-to-administer server system. Perhaps the product could
have been much more impressive if it had been given a longer beta testing
period, rather than just one rushed week between the only release candidate
and the final release. With version 3.0 looking more like an unfinished and
poorly tested beta release, perhaps a bug fix version won't be too far
away; hopefully, by that time the developers will have also updated their
documentation and completed the help files.
Index entries for this article | |
---|---|
GuestArticles | Bodnar, Ladislav |