Loading
EnGarde Secure Linux Professional 1.2
When I initially began to poke around the system, I was startled to find software with somewhat vintage version numbers. This includes the OpenSSH package and the 2.2.19 kernel.
To more thoroughly understand the reasons for this, as well as ensure that Guardian Digital knew what they were doing, I spoke with a company representative during the course of this evaluation. We had a productive conversation and many of my concerns were addressed.
Guardian Digital chose to use the 2.2 kernel series due to the company's concerns about the stability and security of the 2.4 kernels. The 2.4 kernel series was less mature during the development and engineering of EnGarde Secure Linux. As such, the Engineering team decided to go with proven technology, a wise move for a security product. Key features and fixes were back-ported.
Furthermore, the OpenWall kernel patch, which provides privacy enhancements and a non-executable stack, is production quality only for the 2.2 kernel series. So choosing security and stability over being cutting edge, EnGarde ships with a 2.2.19 kernel.
Similarly, the choice of having OpenSSH remain at version 2.3 was based on the principle of “if it isn't broken, don't fix it”. Again, this is a wise move for a security product or any core infrastructure product. Although features and enhancements have been integrated, there was no need to upgrade to a newer version until the recent remote hole was detected in OpenSSH. At that time, EnGarde quickly issued an OpenSSH 3.3p1 package and introduced the privsep capability in their version of OpenSSH.
All of these concerns were addressed in this conversation with a Guardian Digital representative. I agree with their choices to pick known security concerns and fixes over unknowns in both security and stability.
During the course of my testing EnGarde, I found several areas for improvement. Although some of these areas are addressed by other products or may not be appropriate for the nature of EnGarde Secure Linux 1.2, their inclusion would strengthen an otherwise leading-edge product.
An ability to modify the Tripwire database settings, such as where to store it and an improved UI for reports, would be nice. While the UI does do text reports, slogging through pages of flat text with no highlighting or coloration makes it difficult to spot changes. A different, write-once storage location for the database greatly would improve the security of the system as well.
Similarly, a configuration tool for the LIDS system also would be a wise addition. LIDS can be powerful, but the ability to change it requires a fairly in-depth understanding of capabilities. A simple UI to grant or revoke such capabilities would be useful for the the EnGarde system, much like the one IRIX offers. It wouldn't have to be complex, but enough to ensure that the LIDS features were being used in a manner consistent for the site.
Password management on EnGarde also could be improved. Several of the suggestions for passwords, useful for the mail server, for example, are rather weak and easily guessable. The integration of a password suggestion tool, one that does much stronger suggestions, would have been a welcome finding.
The firewall services are based on ipchains, which is a stateless firewall tool. This means it cannot understand connections, only flags on a per-packet basis, something that the 2.4 firewall package Netfilter can do. The addition of a tool such as SPF, which can add this capability to ipchains, would make their firewall more robust.
Lastly, a small office most certainly could use a robust web proxy service. The firewall configuration tool can allow you to use the built-in ipchains application assistants, but they're no equal to a solid proxy.
Some of these concerns cannot be addressed in the corporate product that EnGarde is aiming to be. However, some of them only can enhance what is shaping up to be a class leader.
Guardian Digital is making great strides with their EnGarde Secure Linux Professional distribution. With the 1.2 release of their product, they demonstrate how well a Linux solution can fit into a Windows-based organization. Furthermore, their solution is easy to set up and use, meaning you can secure your network without having to become an expert at everything. A recommended product.
Jose Nazario is a Biochemistry graduate student nearing the completion of his PhD. Side projects include Linux and other UNIX variants, software and security-related matters and hobbies outside his office, including fly-fishing and photography.
______________________
White Paper
Fabric-Based Computing Enables Optimized Hyperscale Data Centers
Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- New Products
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- A Topic for Discussion - Open Source Feature-Richness?
- Drupal Is a Framework: Why Everyone Needs to Understand This
- Readers' Choice Awards
- Home, My Backup Data Center
- What's the tweeting protocol?
- New Products
- RSS Feeds
- One Hand Slapping
Enter to Win an Adafruit Prototyping Pi Plate Kit for Raspberry Pi
It's Raspberry Pi month at Linux Journal. Each week in May, Adafruit will be giving away a Pi-related prize to a lucky, randomly drawn LJ reader. Winners will be announced weekly.
Fill out the fields below to enter to win this week's prize-- a Prototyping Pi Plate Kit for Raspberry Pi.
Congratulations to our winners so far:
- 5-8-13, Pi Starter Pack: Jack Davis
- 5-15-13, Pi Model B 512MB RAM: Patrick Dunn
- Next winner announced on 5-21-13!
Free Webinar: Linux Backup and Recovery
Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.
In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.
Developer Poll
7 hours 14 min ago
9 hours 47 min ago
11 hours 4 min ago
11 hours 39 min ago
12 hours 2 min ago
16 hours 50 min ago
17 hours 37 min ago
19 hours 11 min ago
20 hours 47 min ago
22 hours 45 min ago