EnGarde Secure Linux Professional 1.2
When I initially began to poke around the system, I was startled to find software with somewhat vintage version numbers. This includes the OpenSSH package and the 2.2.19 kernel.
To more thoroughly understand the reasons for this, as well as ensure that Guardian Digital knew what they were doing, I spoke with a company representative during the course of this evaluation. We had a productive conversation and many of my concerns were addressed.
Guardian Digital chose to use the 2.2 kernel series due to the company's concerns about the stability and security of the 2.4 kernels. The 2.4 kernel series was less mature during the development and engineering of EnGarde Secure Linux. As such, the Engineering team decided to go with proven technology, a wise move for a security product. Key features and fixes were back-ported.
Furthermore, the OpenWall kernel patch, which provides privacy enhancements and a non-executable stack, is production quality only for the 2.2 kernel series. So choosing security and stability over being cutting edge, EnGarde ships with a 2.2.19 kernel.
Similarly, the choice of having OpenSSH remain at version 2.3 was based on the principle of “if it isn't broken, don't fix it”. Again, this is a wise move for a security product or any core infrastructure product. Although features and enhancements have been integrated, there was no need to upgrade to a newer version until the recent remote hole was detected in OpenSSH. At that time, EnGarde quickly issued an OpenSSH 3.3p1 package and introduced the privsep capability in their version of OpenSSH.
All of these concerns were addressed in this conversation with a Guardian Digital representative. I agree with their choices to pick known security concerns and fixes over unknowns in both security and stability.
During the course of my testing EnGarde, I found several areas for improvement. Although some of these areas are addressed by other products or may not be appropriate for the nature of EnGarde Secure Linux 1.2, their inclusion would strengthen an otherwise leading-edge product.
An ability to modify the Tripwire database settings, such as where to store it, along with an improved UI for reports, would be nice. While the UI does produce text reports, slogging through pages of flat text with no highlighting or coloration makes it difficult to spot changes. A different, write-once storage location for the database would greatly improve the security of the system as well.
Similarly, a configuration tool for the LIDS system also would be a wise addition. LIDS can be powerful, but the ability to change it requires a fairly in-depth understanding of capabilities. A simple UI to grant or revoke such capabilities would be useful for the EnGarde system, much like the one IRIX offers. It wouldn't have to be complex, but enough to ensure that the LIDS features were being used in a manner consistent for the site.
Password management on EnGarde also could be improved. Several of the suggestions for passwords, useful for the mail server, for example, are rather weak and easily guessable. The integration of a password suggestion tool, one that does much stronger suggestions, would have been a welcome finding.
The firewall services are based on ipchains, which is a stateless firewall tool. This means it cannot track connections and can only evaluate the flags of each packet on its own, whereas the 2.4 firewall package, Netfilter, can track connections. The addition of a tool such as SPF, which can add this capability to ipchains, would make their firewall more robust.
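The difference between a per-packet flag check and connection tracking, as an added illustration that is not part of the original review and is not ipchains, SPF or Netfilter code. It is a simplified Python model; every class, function and sample packet below is constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags set on this packet
    inbound: bool      # True when arriving from the outside network

def opens_connection(pkt):
    # A connection-opening segment has SYN set and ACK clear.
    return "SYN" in pkt.flags and "ACK" not in pkt.flags

def stateless_accept(pkt):
    """Per-packet rule: allow outbound, refuse inbound connection attempts.
    Every other inbound packet passes on the strength of its flags alone."""
    return (not pkt.inbound) or (not opens_connection(pkt))

class StatefulFilter:
    """Simplified connection tracking: inbound packets must belong to a
    connection that an inside host opened. Teardown and timeouts are omitted."""
    def __init__(self):
        self.conns = set()  # (inside ip, inside port, outside ip, outside port)

    def accept(self, pkt):
        if not pkt.inbound:
            if opens_connection(pkt):
                self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns

def f(*names):
    return frozenset(names)

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    Packet("10.0.0.5", 40000, "198.51.100.7", 80, f("SYN"), False),        # inside host opens
    Packet("198.51.100.7", 80, "10.0.0.5", 40000, f("SYN", "ACK"), True),  # genuine reply
    Packet("203.0.113.9", 80, "10.0.0.5", 40001, f("ACK"), True),          # no such connection
    Packet("203.0.113.9", 5555, "10.0.0.5", 22, f("SYN"), True),           # inbound attempt
]

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_accept(p), stateful.accept(p)) for p in packets]

if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE, compare(SAMPLE)):
        print(sorted(pkt.flags), "inbound" if pkt.inbound else "outbound", verdicts)
```

The third packet is the case the paragraph above describes: the per-packet check accepts it on its flags, while connection tracking drops it because no inside host opened that connection.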
Lastly, a small office most certainly could use a robust web proxy service. The firewall configuration tool can allow you to use the built-in ipchains application assistants, but they're no equal to a solid proxy.
Some of these concerns cannot be addressed in the corporate product that EnGarde is aiming to be. However, some of them only can enhance what is shaping up to be a class leader.
Guardian Digital is making great strides with their EnGarde Secure Linux Professional distribution. With the 1.2 release of their product, they demonstrate how well a Linux solution can fit into a Windows-based organization. Furthermore, their solution is easy to set up and use, meaning you can secure your network without having to become an expert at everything. A recommended product.
Jose Nazario is a Biochemistry graduate student nearing the completion of his PhD. Side projects include Linux and other UNIX variants, software and security-related matters and hobbies outside his office, including fly-fishing and photography.