Distributions
Subgraph OS, a new security-centric desktop distribution
Security-conscious Linux users have a new distribution offering to consider: Subgraph OS, a Debian-based operating system that implements system-hardening measures at a number of different levels. The kernel, filesystem, applications, and network configuration are all tweaked to isolate processes and connections and to safeguard the system against attackers. Although the project is a new one and not all of the promised features have been implemented yet, it appears to be well worth watching.
![Subgraph OS boot menu [Subgraph OS boot menu]](https://static.lwn.net/images/2016/03-sgos-boot-sm.png)
At the project's home page, Subgraph OS is billed as a "difficult to attack" operating system built with "system hardening and a proactive, ongoing focus on security and attack resistance." There is a set of pages documenting the project's approach. That said, users should be aware that, at present, the only installable releases are "pre-alpha" ISOs for x86_64 machines. The latest is from February 22. Although the project describes Subgraph OS as a lightweight offering (in particular, shipping only a small assortment of applications), the ISO is a not-insignificant 1.5GB. It can be run in live-DVD mode or be used to install Subgraph OS onto a hard disk.
This release is based on the current Debian "testing" distribution (which will become Debian 9 "stretch"). Some of the application-level features are still unstable enough that they are likely to produce more crashes than successes, but there are many other interesting choices implemented in Subgraph OS that make it worth a look.
Security measures
The kernel is version 4.4.2, but with a few notable changes. First, the grsecurity patches have been applied; the project makes particular note of its usage of PaX to guard against memory-corruption vulnerabilities. The paxrat utility is used to set the PaX flags for individual applications; these flags control the use of secure memory protections, address space layout randomization (ASLR), trampoline emulation, and non-executable pages, among others.
The full kernel configuration used is available on GitHub, where several other changes are documented. Most notable is the deactivation of multiple network protocols (such as IPX, IrDA, X.25, and CAN Bus). IPv6 is among those deactivated protocols, which the notes on the GitHub page chalk up to the fact that Subgraph OS uses Tor for all network connections, and so far Tor does not sufficiently support IPv6. Tor's IPv6 support is an ongoing effort, and it is certainly true that few existing Tor nodes support IPv6—perhaps few enough to make relying on it a gamble.
![Subgraph OS firewalled applications [Subgraph OS firewalled applications]](https://static.lwn.net/images/2016/03-sgos-desktop-sm.png)
Full-disk encryption using LVM and LUKS is mandatory in the Subgraph OS installer—the option to install without disk encryption is not even presented to the user. Network usage is restricted by two separate means. First, the Metaproxy redirector transparently redirects all network connections to Tor. Second, a firewall is configured to only permit a whitelisted set of applications to access the network. At present, the firewall rules must be manually adjusted to allow a new application access to the network, although the project advertises plans to integrate this process into the desktop. There are (currently non-functional) menu entries to monitor firewall connection requests and firewall settings, and the documentation cites plans to pop up a dialog box asking the user to confirm or deny network requests from non-whitelisted applications.
Interestingly enough, the Subgraph OS installer and the live-DVD session both start with all networking disabled; the user must even switch on wired networking through an option in the GNOME Shell system menu. There is also a built-in MAC address spoofer, which is run at start-up, can also be re-run at will, and can be configured to automatically run whenever a new network device is added.
Tor is, perhaps, a given for security-focused distributions these days. But Subgraph OS goes further than some. Each of the major applications (browser, email client, etc.) is isolated in a separate Tor circuit, and the GNOME Shell user menu includes a button to drop the basic Tor circuit (that is, the one connected through the general-purpose Tor endpoint to which other traffic is redirected by Metaproxy) and establish a new one. The Tor package also includes support for pluggable transports, which can be used to hide Tor traffic within other connection types, thus providing better resistance to deep packet inspection.
Application security
At the application level, all of the major applications are started inside a sandboxing system that the distribution calls Oz. The system uses standard containment methods like namespaces, capabilities, and seccomp filters, plus the Xpra X11 forwarding server. On top of that, the latest ISOs have added AppArmor profiles for all "at risk" applications (a designation that includes network-capable applications plus any that might need to open files from an untrusted source—such as the PDF viewer or LibreOffice).
![Subgraph OS sandbox menu [Subgraph OS sandbox menu]](https://static.lwn.net/images/2016/03-sgos-menu-sm.png)
The Oz sandboxes are quite restrictive by default; applications cannot see any files in the user's home directory. To get around that access control, the user must use the Oz GNOME Shell extension. This provides a menu from which the user can manually grant access to a specific file, as well as perform some utility functions like opening a terminal within the sandbox.
The applications themselves are standard fare: Tor Browser, LibreOffice, the VLC media player, IRC and instant-messaging clients, a terminal emulator, and the Icedove email client. Interestingly enough, although a Tor Browser launcher is included on the panel, the first time it is launched it proceeds to download and install the latest Tor Browser release. This is a handy workaround for coping with how often Tor Browser receives important updates, although the initial wait time can be irritating.
The project site highlights a new email client in the works called Subgraph Mail, although it has not yet been released. Perhaps the most intriguing aspect of Subgraph Mail is that it is said to eschew traditional identity-verification systems like the OpenPGP "web of trust," and rely on a verification service run by Subgraph as a Tor hidden service. That service will certainly be worth investigating when it becomes available.
Looking forward
It is somewhat disappointing to see that the Subgraph project speaks of Subgraph Mail and the desktop firewall tools as current features when they are not yet available, but all free-software projects are subject to similar limitations in time and resources, so one must make allowances. Icedove will no doubt suffice for many early adopters, and the command-line firewall-control tools are there for those who truly need them.
There are other pressing issues to be dealt with before Subgraph OS is ready for mainstream adoption. Perhaps the biggest is that the distribution currently uses the Debian package repositories—although, happily, it does access them over Tor. Moving forward, the project will be managing its own repositories (no doubt periodically re-synchronizing with Debian); the web site notes that it plans to implement reproducible package builds as an additional security measure. In the long run, the project will have to address other issues—such as issuing security updates. Developing on top of Debian no doubt makes that an easier job, but not a trivial one.
In design, Subgraph OS is most similar to Tails, although Tails is explicitly designed to run in live mode from removable media. Another clear comparison could be made to Qubes OS, which is similarly security-focused and takes measures to isolate applications. But Qubes OS uses a distinctive system architecture, with the Xen hypervisor managing several virtual machines to hold various applications. Subgraph OS is a more lightweight solution, which might make it more appealing to users already familiar with desktop distributions like Debian and with the various sandboxing and containerization efforts underway in the community. When security is the goal, some additional competition is always welcome; Subgraph OS looks to be a well-thought-out distribution that the security-minded would do well to explore.
Brief items
Distribution quotes of the week
Looks like we finally have the proof that Debian helped a lot in the detection of gravitational waves :)
Announcing the KDE community's Distribution Outreach Program (KDE.news)
KDE.news has an announcement of a new program to foster better cooperation between KDE and distributions. "KDE is distro-agnostic. We do not prefer any distributions over others, and want our software to run everywhere. This extends beyond Linux; we want our software to work for our users on Windows, Mac, BSD and Android as well. Our focus is always on our users having the best experience possible. We are aware that the more closely we cooperate, the better the experience for all, including those who package our software, and we think that open and free communication is the best way to cooperate. KDE developers should be able to tell distributions what our software needs from a distribution in order to work best. And in turn, distributions should be able to tell us what makes our software easy to distribute." A new mailing list has been created to host these conversations.
Distribution News
Debian GNU/Linux
Debian "Stretch" release delayed slightly
The Debian "Stretch" release isn't expected for more than a year, but it has just been pushed back a couple of months, with the full freeze now scheduled for February 5 of next year. The reason is to be able to ship with the first kernel of the year (expected to be 4.10) that, by current plans, should be a long-term support release. "For the avoidance of doubt, this change is a one-off to align with an expected release of Linux only. We aren't in a position to try and accommodate other projects, however much we'd like to be able to."
Debian Project Leader Elections 2016: Call for nominations
Nominations are open for Debian Project Leader elections until March 12. "Prospective leaders should be familiar with the constitution, but just to review: there's a one week period when interested developers can nominate themselves and announce their platform, followed by a three week period intended for campaigning, followed by two weeks for the election itself."
Newsletters and articles of interest
Distribution newsletters
- DistroWatch Weekly, Issue 651 (March 7)
- openSUSE Tumbleweed – Review of the week (March 4)
- Tails report (February)
- Ubuntu Weekly Newsletter, Issue 457 (March 6)
elementary OS: A Distro that Dreams of Disrupting the Linux Desktop (Linux.com)
Swapnil Bhartiya takes a look at elementary OS on Linux.com. "elementary OS is trying to disrupt the desktop Linux world in a couple of ways. Its aim is to create a distribution that approaches the desktop from a design point of view instead of the crude “there-is-a-command-for-everything” approach that’s popular in the Linux world. So far, the company has been successful in achieving this goal. The latest release of elementary OS, Freya, is one of the most polished and good-looking distributions I’ve seen. One reason behind this design-centric focus is that the founder of the project comes from a design background."
If You Like Fedora, You'll Love Korora (LinuxInsider)
LinuxInsider reviews the Fedora remix, Korora 23. "Korora's use-it-out-of-the-box philosophy is one of the reasons the distro keeps getting better. If you want a better, more user-friendly Linux distro that reaches beyond Fedora's enterprise appeal, you can't go wrong with any of Korora's five desktop versions. It leaves little for users to desire and makes choosing another distro unnecessary to get your preferred interface. Korora stays true to its mission. It promised an easier Linux for new users without sacrificing either power or features for seasoned Linuxers."
Page editor: Rebecca Sobol