News and Editorialsannounced early last month, while the new release of Trustix Secure Linux (version 2.1) was released just over two weeks ago. Despite the presence of a common word in the their respective product names, the two distributions take very different approaches towards security: the EnGarde developers concentrate their efforts on various kernel patches preventing common exploits, as well strict mandatory access control policies, while the developers of Trustix prefer simplicity and sensible defaults as their product's main features.
EnGarde Secure Linux
EnGarde Secure Linux has consistently managed to impress reviewers, especially when compared to other secure solutions. It is a product of Guardian Digital, Inc, an open source security company based in Allendale, New Jersey. The latest release is essentially a security update of EnGarde Secure Linux 1.3, originally released in April 2003. Users who are running the original release with updates are not required to upgrade.
How does EnGarde ensure a high level of security? Firstly, the distribution uses a hardened kernel provided by the Openwall project, together with Linux Intrusion Detection System (LIDS) to enforce strict mandatory access control. Secondly, it provides a host of preconfigured tools to monitor suspicious activity on the server, such as Tripwire and Snort. And thirdly, detailed attention is paid to simple, but effective security measures, such as preventing normal users from accessing system-wide configuration and log files, forcing users to explicitly enable services they need, or disallowing boot into a single user mode and logging in as root altogether.
All system configuration in EnGarde Secure Linux is done remotely via GD WebTool, a Webmin-like interface developed by Guardian Digital (see screenshots). This is an impressive utility that allows even non-expert administrators to configure various aspects of their server, such as managing users and services, setting up individual server components, viewing logs and monitoring system activity. Needless to say, it also provides an easy way to keep the system up-to-date with the latest security updates. To experience the features of GD WebTool, you can register for a demo account on the distribution's web site.
EnGarde Secure Linux comes in two editions: Professional and Community. The pricing for the Professional edition ranges from $729 to $1629 depending on the level of required support, while the Community edition is available for free download (registration is required to obtain details about activating the product). Besides the price, the two products differ in the number of available features: the Community edition excludes Engarde's Secure Suites (although they can be purchased separately), and its web, mail and DNS services are limited to 10 domains.
Trustix Secure Linux
In contrast to the wealth of features found in the EnGarde distribution, Trustix Secure Linux is a lot less ambitions when it comes to preventing buffer overflows. Instead, the developers have focused on creating a product that can be deployed with minimum of effort on servers in a variety of common scenarios, and on providing security updates in record-breaking time. The installation program lists several classes depending on the purpose of the server, including web server with PHP, mail server with either Courier or Cyrus imapd, FTP server with vsftpd, firewall, DNS server, MySQL/PostgreSQL database servers and other classes. Applications not required for a particular installation class are not installed. Once the system is installed, it is up to the users to enable all required services, as none of them, not even networking, is brought up automatically. This is one way to ensure that no unnecessary service is active.
One of the most interesting feature of Trustix is SwUp, the secure SoftWare UPdater for Trustix. Written in Python, SwUp is a command line utility designed to keep a Trustix installation up-to-date of security and bug fixes with minimal effort. In fact, installing and configuring a package called "swupcron" ensures that the system is kept up-to-date without any human interference. SwUp provides for automatic resolution of dependencies, poll-only functionality (without any actual package installation), strong authentication with GnuPG, filter and search capabilities, caching of downloads and use of HTTP proxies.
The development of Trustix Secure Linux has now entered a period of stability after the turmoil last year when the distribution's commercial entity, Trustix AS, declared bankruptcy. At first, the developers continued their work under the name of Tawie Server Linux, before the distribution, and the right to use the product's original name, was acquired by a UK-based Internet security company Comodo. The next version, Trustix Secure Linux 2.2, is scheduled for release in September 2004.
Distribution NewsDebian Weekly News for March 16, 2004 covers a proposed task for Ada development, a bug closed by spam, a new proposal to distribute non-free, and more.
The Debian popularity contest: As the Debian project drifts slowly toward its next stable release, it has a bit of a problem: this release looks like it will include over 13,000 packages on 13 binary CDs. The project is hoping to optimize downloads and installations by putting the most popular packages together on the low-numbered CDs. To make that happen, they must find out which packages are installed most often. So the call has gone out for Debian users to install the "popularity-contest" package and allow it to phone home with information on what they have installed. The results end up on the Debian Popularity Contest page.
The second call for votes is out, for the general resolution concerning non-free. Votes must be received by Sunday, March 21 23:59:59 UTC 2004.
The platforms for the candidates for the project leader are available on the on the web. There will be no IRC debate this year as the debian-vote mailing list has been extremely active with both election and non-free issues.
There will be a Bug Squashing Party this weekend, March 19 - 21, to help fix the release critical bugs in sarge.
The third beta release of the Debian sarge installer is now available for testing.talks with Bruce Perens about UserLinux. "UserLinux is taking the approach of "let's have a lot of support companies working together as equals on UserLinux, so that you can find the expert that you need, and so that competition drives quality up and prices down. Let's encourage service providers to differentiate themselves by specializing in niche markets that they know well. I want there to be so many UserLinux service providers that you'll be able to find a company that specializes in supporting dentists in Minnesota. And I don't want to own any part of that company - I just want to be its equal partner in developing the UserLinux system." And when you think of it this way, it turns out to be an approach that is particularly good for the more technically challenging markets because those are the markets that a Red Hat or SUSE can't go to. Red Hat is bound by strategies that enhance shareholder value, so they have to focus on the big market." announced it is now shipping the Xandros Business Desktop and Operating System (OS) for enterprise customers. plans to discontinue its secure distribution. "The most recent version of the Immunix OS, 7.3, was released in December, 2003, and it looks like it will be the last standalone one released, although [Immunix COO Frank] Rego says the company will continue to support current users." This 7.3 press release (PDF) promises support through March 2005. announced TimeStorm Linux Development Kits, the Eclipse-powered IDE and a complete embedded Linux distribution based on the Linux 2.6 kernel for the PowerPC 8260 processor. DistroWatch Weekly news looks at Mandrakelinux 10.0, creating new distributions, and more.
New DistributionsLinuxConsole is a "live" Linux distribution that comes from France. You can boot it from CD, HD, USB, or PXE. There is a "core" ISO image (55MB), with all the drivers (3D and ADSL included) needed to install it or just try it. LinuxConsole is initially based on Mandrakelinux 9.1 and it joins the list at version 0.4RC2, released March 10, 2004.
Minor distribution updatesAstaro Security Linux has released beta v4.744 with major bugfixes. "Changes: This new snapshot fixes the install issues (all Pentium and VIA CPUs), High Availability Config and Up2Date sync, Interface type PPPoA/PPTPC issues, and a Group definitions bug. It also includes fixes for 'Store logfiles remotely' via SMB and SSH, IPSec CRL fetching via LDAP, Surf protection (profile assignment via LDAP), and a lot of small bugfixes and improvements." Aurox Linux has released Aurox Live v1.4.1 with minor feature enhancements. "Changes: This release is based on a full (installable) version of Aurox Linux 9.3. It includes graphical environments such as KDE 3.1.5 and FLUXBOX, ACPI power management, FAT32 and NTFS support, OpenOffice.org 1.1, Flash plug-in for Mozilla, nVidia drivers, games such as Tuxracer, Neverball, and Glaxium, audio and video (DVD) players, and many other applications from Aurox 9.3." BLAG Linux And GNU by the Brixton Linux Action Group has released BLAG9002. "BLAG9002 (trike) is a significant update of BLAG9001. The major changes are lots of RedHat updates (kernel, XFree86, apache), many BLAG package updates, and piles of new packages." Buffalo Linux has released v1.1.5 with major feature enhancements. "Changes: The default kernel is now 2.6.4, with 2.4.24 still available for use. There are new optional packages: MySQL with mysqlcc and Scribus 1.1.5. There are a total of 9 new packages and 21 package upgrades. An Update from 1.1.4 to 1.1.5 is available. Separate downloads for the optional extra packages are available." Coyote Linux has released v2.10 Beta3 with minor feature enhancements. "Changes: This release adds the option of DHCP reservations to the Web admin and has several script cleanups." Devil-Linux has released v1.0.5 with minor security fixes. "Changes: This release fixes the mremap vulnerability, adds a patch for"Rusty's broken brain" error/failure, and updates a few applications." Linux Live has released v4.0.2 with minor bugfixes. "Changes: It was necessary to modify scripts from /tools to look for liblinuxlive functions in two directories: ./ and /usr/lib." NSA Security Enhanced Linux has released v2004031009 with minor feature enhancements. "Changes: Experimental SELinux NFS code has been made available. The base kernel version for 2.4 has been updated to 2.4.25. The base version for 2.6 remains 2.6.3, but the SELinux patch has been updated. Fine-grained boolean labeling support has been merged. The userspace AVC has been enhanced to handle netlink selinux notifications. MLS improvements have been merged, as well as updates to slat and the example policy." PXES Linux Thin Client has released v0.8-9 with major feature enhancements. "Changes: The memory footprint has been reduced by about 50% (squashfs), which solved some of the reported problems in memory constrained clients. This release adds USB flash disk support (coldplugging), an lpd server and local spool, rdesktop 1.3.1, Samba 2.2.8a, a local configuration tool, UDHCP 0.9.91, and a new style." Quantian has released v0.4.9.5 which fixes many bugs. wrt54g-linux has released v0.4 with minor feature enhancements. "Changes: This release adds full support for current Linksys firmware. The release has been tested on version 2.02.2, but it should work with all official Linksys firmware versions. Installation has been tested on Linux and OS X."
Distribution reviewsexamines the desktop features of several distributions. "When you're picking a distribution for your business you should consider a number of things: not only the user interface, but also vendor support and complementary offerings to the base desktop, especially with regards to applications and system updates." reviews Xandros 2.0 Business Edition. "Is Xandros Desktop 2.0 Business Edition a viable option for the corporate desktop? I would have to say a resounding yes. I was given a pre-release copy of the Business Edition to review, and I was able to install it on a spare laptop. The moment I finished the setup, I shutdown my Window 2000 workstation and have not used it since. The base O/S is rock solid, and the list of standard applications is impressive. If you do need a Windows-based application, you still have CrossOver Office installed to run MS Office, Quicken, or a host of other Windows-based applications." reviews Mandrakelinux 10. "My biggest welcome surprise was the fact that Mandrake now installs by default a video editor, KDEnLive! At last, a distribution that is sensitive enough to the sign of the times and includes a solution -- even if that solution is still very alpha." reviews Mandrakelinux 10.0. "Security control for the system is handled very well by using the Level Checks tool in the Mandrake Control Center. I was thoroughly impressed by the degree of fine tuning you are able to administer on your systems. From very basic options allowing/disallowing services and actions to complete granular control over permissions, logs, and alerts, the Level Checks applet is an appreciated addition to the system."
Page editor: Rebecca Sobol
Next page: Development>>
Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds