Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Linux Software

Battle of the Secure Distros 158

CrazyEd writes "LinuxSecurity is reporting that EnGarde Secure Linux has received the Network Computing Editor's Choice award to win the battle of the Secure Linux distributions. Well deserved, me thinks." Update: 06/10 15:16 GMT by T : An anonymous reader points out that Linuxlookup.com reviewed this distro last week, awarding it a perfect score.
This discussion has been archived. No new comments can be posted.

Battle of the Secure Distros

Comments Filter:
  • Ad Revenue? (Score:3, Interesting)

    by bLanark ( 123342 ) on Monday June 10, 2002 @05:48AM (#3671918)
    When I visit the site to check out the story, I see a banner ad for - EnGarde Secure Linux!

    (I'd do the same, of course)

  • Admin (Score:5, Insightful)

    by sofist ( 556213 ) on Monday June 10, 2002 @06:02AM (#3671941)
    A distro is (or any software for that matter(yes Windows to)) only secure if the admin who runs the distro knows what is he doing.
    • Re:Admin (Score:2, Funny)

      by nickread ( 217474 )
      And that is of course the easy part
      • Re:Admin (Score:5, Insightful)

        by alapalaya ( 561911 ) on Monday June 10, 2002 @06:12AM (#3671962)
        I disagree with you. I think that to be a good sysadmin is quite difficult and requires a lot of study, trial and error and passion. (Please note, I'm not a sysadmin, even if I can accomplish the easier sysadmin tasks).
        In particular, you must know in deep detail all the technologies involved in a complex networking environment (they are countless: DNS, email, NEWS, NIS, LDAP, routing, and so on...).
        It is difficult to barely know all of them, and to secure an installation you must know them good. And this is no easy...

        Of course I agree with the point that the software must be "secure-able", otherwise you can be the best sysadmin... you system will always be full of flwas if the software you are using is bugged (...who said something about the windows?...).
        Cheers

        • by jabbo ( 860 ) <jabboNO@SPAMyahoo.com> on Monday June 10, 2002 @07:20AM (#3672093)
          and I am a professional sysadmin. I get paid a lot to do my job and I don't feel like there is anything mystical about it (that sort of nonsense is for university admins that have to deal with incompetent bosses -- more power to 'em, but I don't). What I feel adds value is not mere understanding of the protocols (relatively easy) but rather, the ability to choose the correct tool (protocol, framing, hardware, software) for the job, and make it work so that the rest of the people involved can do their jobs without noticing (or if they do, saying, "hey, that's really cool and easier than before!"). Needless to say I do a good deal of development to make this happen, and again, that is more challenging than administering boxes (IF you start with a sane rollout and upkeep process -- yes, RPM/apt/pkg_add is your friend; yes, CVS/CVSup/Rsync is your friend; no, ad-hoc changes are not the Better Way to proceed).

          When you rattle off NNTP and crap like NIS/LDAP as if they were equivalent in complexity to full BGP4/MBGP routing, I think you belie a superficial understanding of the situation. Even something as nastily complicated as BGP route maps is not nearly as challenging as dealing with people, professionally and personally, in a fast-paced environment that values results over process or the latest fad technologies. In that respect I do not believe it is significantly harder to earn one's keep as a sysadmin than to do so as a VP Sales or a Comptroller. It's just a totally different set of technical skills used to do the job.

          I don't doubt that you meant well, but really, choosing the right tool for the job (and then using it well) is not so difficult in most cases. 'Tis a poor craftsman who blames his tools!

          • 'Tis a poor craftsman who blames his tools!


            Yes, but even a master carpenter can't build a house out of rotten wood.


            This has been my mantra over the past couple of weeks as I've been forced to try to get low level hardware and software working with Windows.


            • Yes, but even a master carpenter can't build a house out of rotten wood.

              This has been my mantra over the past couple of weeks as I've been forced to try to get low level hardware and software working with Windows.


              Fair enough. I've been in that exact situation with Windoze before (trapped into it, in fact) and you just have to trudge through as best you can. I hate Microsoft server OSes (and attempts to use their client OSes, or more pointedly, crippled versions of the same thing they sell as server OSes, to do anything reliably).

              The upside to this (IMHO again) is that most shops which run everything on Windows are such amateurs that they won't notice downtime until it is on the order of "one nine" (eg. vs. "five nines") :-)

              Doing anything interesting with Windows and hardware that needs to run reliably... well, best wishes, my heart goes out to you. ;-)

              If it helps you debug the whole get-up (eg. if you need it to run in lock-step across multiple sites) there is one piece of good news -- NTP runs on Windows and is documented (both in an O'Reilly book and elsewhere on the Web). Just something that came to mind after an earlier poster brought up NTP. Good luck.

    • Re:Admin (Score:5, Interesting)

      by UnderAttack ( 311872 ) on Monday June 10, 2002 @06:15AM (#3671967) Homepage
      IMHO, a 'secure distro' is secure by default. You plug in the CD, turn on the box, install it and just keep clicking 'ok'. At the end, you should end up with a secure box. Now it is up to the admin to open the holes.

      However, many distros go a different path by enabling services and allowing installs with weak passwords (or no passwords).

      For a nice security benchmark, see the Center for Internet Security [cisecurity.org]. I wait for the day where a default install of RedHat will score a perfect 10 with it... (It is more around 5 right now on their 0-10 point scale).

      • Well, then by this standard RedHat (7.1 and up) is fairly secure against external threats because a minimal number of services are running by default and all ports under 1024 are firewalled off.
        • Are you sure? Every redhat box I've set up seems to end up with stuff like NFS and network printing setup by default. I think you have to select "maximum security" option in the firewalling before anything is really firewalled off. One thing I wish redhat would do by default is put ALL:ALL in hosts.deny - at least jack up the security a bit by default and make people sift through a few things to enable services.
          • NFS locking and portmap are running but both ports are firewalled off by default. NFSD is not running unless you enabled it. LPD is running but it is also firewalled off. Medium security (which is the default) is all that you need for this kind of fireall. Highest security level is wayyy .. too restrictive.
      • I can not find the CIS benchmarks on the CIS page. Do they only release tools and not the result of benchmark tests?
    • Re:Admin (Score:5, Interesting)

      by dgym ( 584252 ) on Monday June 10, 2002 @06:42AM (#3672012)
      Too true, any secure system can be made insecure by a poor admin, but not all systems can be made secure by a competant admin.

      These secure distros try to be by default very secure and should only normally become insecure by an admin doing something silly or not keeping up to date with patches. Some of the other distros don't pay as much attention to security, but a really good admin can nail these systems down too. I for one like the fact that this distro comes with no setuid-root programs, its a good precautionary measure.

      In some systems, admins do not have a chance to secure the machine because of lack of control. This is normally the case where closed source software kindly leaves you with a gaping security hole, and until someone eventually comes out with a patch the best you can do is stop using it. Ofcourse you were probably using this software for a purpose, and so not using it for a while could not be an option, hence an all too common situation of knowingly running insecurely, and there is nothing the admins can do.

      Infact millions of people have done this recently, with the realease of XP the installation was vulnerable to network based attacks from the start. The only way to correct the problem was to install a patch - which meant you had to connect to the internet using that machine to register the software and get the patch from 'the company that shall not be named'. When you have to make yourself vulnerable to get the patch that stops you being vulnerable, security is impossible.

      The most valuable part of EnGarde Secure Linux is probably the patch system, if it (or something just like it) was taken up by more distros then securing boxes would be easier and therefor might happen more. I would like to see something similar in gentoo keeping me up to date, because finding out what is going on is often the hardest part. Was there a ptrace vulnerability I missed? Ohh damn.
    • Re:Admin (Score:5, Insightful)

      by fruey ( 563914 ) on Monday June 10, 2002 @06:58AM (#3672048) Homepage Journal
      The key is this: there are too many admins who patently don't know what they're doing, and some who will even admit it.

      I spend a lot of time with other people's networks, and have yet to see one which stands up to how I would run my network. That's how I make money, incidentally - fixing other people's networks and securing them where possible.

      A guage of how secure things are out-of-the-box is important. Some people will never switch off the default daemons, etc. Some people insist on using some Microsoft DCOM rubbish and opening holes over their firewalls to do it because they can't do anything else. They don't know how and don't care to know.

      So, this kind of survey is important for those lesser admins who are probably not geeks and just trying to hold on to their jobs. Perhaps they are good at other things and valuable for the company, and the same is too tight to invest in a proper sysadmin so they dump him the job because he can hack a few basics together and get it to work.

      All those of you saying "RedHat isn't secure out of the box" and all that OpenBSD stuff are already enlightened. These surveys are not for you. They are for all those other readers who don't fathom why you're mentioning OpenBSD in the first place.

    • Everyone knows that. The interesting question is this: assuming you have a good admin, which distro is most secure?
  • by bodin ( 2097 ) on Monday June 10, 2002 @06:07AM (#3671953) Homepage
    Interesting that the NSA security enhanced linux is not even mentioned.

    http://www.nsa.gov/selinux/ [nsa.gov]

    --
    I vote for OpenBSD [openbsd.org]
    • Sorry, it was.
    • The NSA / SELinux is still in the beta stage right now. I don't think it can count as a full production distro at this point.
    • by octogen ( 540500 ) <g...bobby@@@gmx...at> on Monday June 10, 2002 @06:22AM (#3671980)
      NSA SELinux is (currently) not meant to be a secure Linux distribution. It's rather something like a "Demo"-Implementation of MAC in the Linux-Kernel.

      Quotes: NSA SE-Linux FAQ
      13.Is it secure?
      [...] Put another way, "secure system" means safe enough to protect some real world information from some real world adversary that the information owner and/or user care about. Security-enhanced Linux is only a research prototype that is intended to demonstrate mandatory controls in a modern operating system like Linux and thus is very unlikely to meet any interesting definition of secure system. [...]

      16.Did you try to fix any vulnerabilities?
      No, we did not look for or find any vulnerabilities in the course of our work. We only changed enough to add our new mechanisms.

      You can find the full SE-Linux FAQ here [nsa.gov]
    • SELinux isn't designed to be a standalone distro, but a set of enhancements to common software that is in all distros.
    • Did you even read the article? SE Linux and OpenBSD are _both_ mentioned in a sidebar with explinations as to why they "didn't make the cut".
  • I am currently trying to write a HOWTO/make an RPM [sourceforge.net] for the NSA SELinux to work with a SuSE [suse.com] distro (Vanilla kernel)...

    Shell I stop doing so now and just install this distro instead?

    Is it really more secure than LVM/RSBAC patched kernels with additional hardening?

    For sure?

    just my two cents...
  • Hmm (Score:1, Redundant)

    by sofist ( 556213 )
    Look at Linux Security [linuxsecurity.com] in the left upper coner thers a interesting Sponsor of LS.
  • LINUX BG (Score:3, Funny)

    by oliverthered ( 187439 ) <oliverthered&hotmail,com> on Monday June 10, 2002 @06:34AM (#3671998) Journal
    I have the most secure distro,
    but unfortunatly you can't have a copy, just incase you find a bug.

    Logon requires you press ctrl+alt+delete , because it's oh so hard for memory resident apps to not die when this happens.

    My mouse has only 1 button to confuse any computer literate people, and allow me to catch them in the act.

    I've remapped the keyboard, to confuse those who touch type.

    No network (because the kernel dosn't have the correct drivers),

    No-ones hacked it yet.
  • by gd23ka ( 324741 ) on Monday June 10, 2002 @06:41AM (#3672009) Homepage
    ... if some website or magazine issues an "editor's award" or whatever to product, _especially_ when we're talking about security.
  • Orange Book etc (Score:2, Interesting)

    by Dynamoo ( 527749 )
    Because someone always mentions DOD-5200.28-STD Trusted Computer System Evaluation Criteria ("Orange Book") [dynamoo.com] compliance let me just say by the time it would get round to being certificated as a proper defense-grade OS it will be hideously obsolete - the latest Micro$oft OS to be certified "secure" (hahahahah) is NT 4.0 which shows how long the process takes. Take a history trip and look at some of the Certified Products [dynamoo.com].

    In any case, to be a properly secure distribution you need DoD/NSA style certifications. The Common Criteria [commoncriteria.org] go part of the way there, but again certification is slow and really not universally accepted. (There's a flame bait for you CC fans).

    Bottom line - true security requires seriously lengthy evaluation and certification. And even so, a product like NT 4.0 is still being found to have security holes to this day.

    Sigh.. anyone fancy rewriting Multics [multicians.org] for the Intel platform? :)

    • Re:Orange Book etc (Score:2, Informative)

      by broody ( 171983 )
      If the the EGOVOS announcement goes beyond vapor, CC may be in the future of Linux [yahoo.com]. For some reason though Slashdot just won't accept that as a story.

      BTW, you might want to get a handle on the basic background of CC [commoncriteria.org] before shooting your mouth off. TCSEC is no longer accepting new products for evaluation [ncsc.mil], though those who started the old process can finish it. Common Criteria really means it now. Read the friendly website [commoncriteria.org].
    • That's because... (Score:5, Interesting)

      by jabbo ( 860 ) <jabboNO@SPAMyahoo.com> on Monday June 10, 2002 @07:48AM (#3672185)
      Most federal agencies seem to evaluate Windows against proprietary Unix solutions and (duh) find that Windows is cheaper. If they *really* care about security they almost always have their own solution (often in hardware) that you will be asked to code to / talk with / work in conjunction with. Short of that, offering to use NSA SELinux (because of the NSA's "approved" cachet) really seems to open a lot of doors for Linux.

      En Garde may be better, for all I know. But I'll be using SELinux for gov't clients wanting high security, and OpenBSD for my need-to-be-hardened services, because I know they are excellent tools for those applications. (sorry folks...)

      The above are just my experiences. For all I know it could be a vast conspiracy to provide disinformation :-). But, the odds are against it.
      • offering to use NSA SELinux (because of the NSA's "approved" cachet) really seems to open a lot of doors for Linux.

        While stipulating that SELinux is the best design I've see *by far* for linux;

        NSA has absolutely not 'approved' this for any use, nor do they represent it as a system that's either in any production operation at NSA, nor that it is an appropriate system for such use.

        As said in posts above SELinux is a research project / reference implementation. Yes many folks are planning on offering commercial solutions based on SELinux, and for good reason, it's a fine design with good attention to detail.

        There is a serious set of issues involved in applying SELinux to a production environment. SEL development (and LSM on which it depends) tracks the stable and -dev kernels. This means the platform is updated often and no attempts are being made to maintain fixes/changes compatible with prior releases / kernels.

        Also all versions since the first reference impelementations are based on the Linux Security Modules LSM [immunix.org] which are an attempt by the security industry to build a common interface for securing / auditing Linux's security - relevant interfaces.

        LSM is an impressive piece of work, and has come a long way in the roughly 1 year that they've been coding! When one of the participants (IBM) provides a programmatic analysis tool that finds there are some oversights in the design, you know that this is still a work in progress / and I hope that any serious security implementer will take these things into consideration.

        The upside of course is that these tools are being built and both LSM and SELinux are doing very good detail work on thinking about how to get Unix (Linux in this implementation) to a place where the OS itself can eliminate the reliance on root-privilege. WinNT was supposed to be such an implementation, I think most observers agree that intent didn't make it into the release code due to the complexity and competing design objectives.

        • I did not mean to imply that SELinux actually offers a greater level of security than the alternatives, nor to imply that it was blessed by the NSA (or for use in NSA projects, for that matter).

          Rather, my experience has been that other three-letter agencies find it helpful in the decision-making process if a solution based on Linux also has the imprimatur of the NSA (eg., "we can do this on NSA SELinux if it suits you better") so that it need not be seen as a rogue deployment of something outside the norm.

          I am sorry if anyone got the idea that SELinux is Orange Book or NSA approved or in any other way superior to a properly-implemented kernel MAC implementation. What I was commenting on is the "aura", if you will, of offering a product that is Linux-based, but NSA-Linux-based. It makes life easier. I had trouble the first time I explained this to my boss, so clearly I need to work on my presentation of the issues some more ;-).

          YMMV...
    • It's also worth mentioning that the second you attach that NT system to a LAN (or any other network iirc) it is no longer C2 certified.

      Bit more info here [winntmag.com]

      If you rely on NT's C2 security rating in your security decisions, you must keep in mind two important considerations. First, a C2 security rating is different from a C2 security certification. OSs and programs earn ratings, but individual installations must be certified. This distinction means that most NT installations are not C2 certified.

      NT earned its C2 rating as a standalone system, with no networking enabled. If you take your C2Config C2-certified system and attach it to your LAN, your system loses its C2 certification.
      • It's also worth mentioning that the second you attach that NT system to a LAN (or any other network iirc) it is no longer C2 certified.

        That is not the case for NT4. The cited report refers to the NT 3.51 evaluation since the NT4 evaluation had not been published when it was written. The summary of the NT4 evaluation [ncsc.mil] says "A networked configuration was evaluated for interconnecting the various hardware with Windows NT workstations and servers.". The full evaluation report is available for those who want to read it.

        Windows NT4 (with specified SPs and fixes) also has an ITSEC E3/F-C2 certificate, and networking is mentioned in that one too - search from the CESG certified products page [cesg.gov.uk] if you want details.

        These certificates do not necessarily mean much in practice, but we should refer to up to date ones if we refer to them at all.

    • It's worth mentioning that the above poster doesn't know what he's talking about. No operating system in the history of the series has ever been rated as anything. Why? Because the rating takes into account all of the other important factors for computer security, like hardware, setup, physical location, and so on. So, yeah, the last time Microsoft submitted a system to be tested, I believe it was compaq hardware, it got the coveted C2 rating. But they never bothered since, because you need a full and functional installation (and I mean physical, not software) to be rated. I'll also point out that "Linux" as it stands doesn't even meet the basic requirements, such as ACLs. Yes, they can be bolted on, but....
    • dynamoo listed UNICOS as secure. I rememebr UNICOS when I was in the service. That was truly a beautiful UNIX. I would HOPE they call it secure, since the Dept of Defense is the major purchaser of Cray IIs!
    • 1) TCSEC (the "Orange" book) has been replaced by the Common Criteria as noted in NSTISSAM
      COMPUSEC/1-99, Sec II item 5.
      2) CC has a much wider acceptance internationally.
      3) Win2K HAS been undergoing CC evaluation (Evaluation Assurance Level 4).

      Moderators: How in the heck did Dynamoo's post rate a 3?
    • Trusted IRIX [sgi.com] was recently re-evaluated B1 [sgi.com] and IRIX C2 for version 6.5.13 (which was released only about 9 months ago) on currently available hardware. So it is possible with the common criteria to be evaluated within a reasonable timeframe (unlike TCSEC).

      It is also worth noting that Microsoft have had Windows 2000 going through a C2 evaluation [microsoft.com] for over 18 months with a proper hardware configuration unlike the previous NT 4.0 evaluation.


  • OpenBSD 3.1!!! =))

    Sorry, could not resist...

  • OpenBSD (Score:1, Troll)

    by dirtyhippie ( 259852 )
    Call me a troll if you like, but if you want a secure, free UNIX-like system, you don't use Linux. You use OpenBSD [openbsd.org]. The primary reasons for this are numerous - 1) it's "secure by default", all but the simplest daemons are turned off until you explicitly enable them. 2) it's always being proactively audited, with less-clean and less-safe being fixed all the time - fewer bugs = fewer potential exploits (as opposed to linux, where it sometimes seems developers are just busy adding extra command line switches and a scripting language based on brainfuck to their program ;-) - point being it's been around longer, and the interfaces are much more stable, thus making bug-fixing (not to mention administration) much easier. 3) Cutting edge support for crypto/security tools. OpenSSH was made by many of the same developers, Ipsec, skey authentication, kerberos, support for hardware cards etc. you name it, it's there. Even a tripwire-esque program is included in the default install. I'm sure I'm forgetting much more.

    Other pluses: it's Really Free(TM) Software - as opposed to Redhat and others which bundle non-free software in the default distro, it's manpages don't suck, etc.

    • They at least should have included OpenBSD in the testing, for comparison's sake.
      • Re:OpenBSD (Score:1, Insightful)

        by Anonymous Coward
        They at least should have included OpenBSD in the testing, for comparison's sake.

        That would be like letting tiger woods compete in the girl scout's golf tournament.
      • they didn't compare it to open bsd because this was a comparison of "secure" linux distros.

        yeah OBSD would have taken it ;)

        there needs to be a group of people to do exactly what open bsd does... thorough code reviews, not just in the kernel, but glibc, etc..
  • by Anonymous Coward on Monday June 10, 2002 @07:16AM (#3672085)
    What, no mention of Tinfoil Hat Linux? [shmoo.com] :)
  • Downloads (Score:3, Informative)

    by NewbieSpaz ( 172080 ) <nofx_punkguy&linuxmail,org> on Monday June 10, 2002 @07:23AM (#3672101) Homepage
    The i386 (i486 and i586) version [udel.edu]
    i386 "Bonus" Package [guardiandigital.com]
    The i686 version [udel.edu]
    i686 "Bonus" Package [guardiandigital.com]
  • It’s just me or other people also noted EnGarde’s installer [guardiandigital.com] looks just like the Debian one? Would it be Debian-based?

    I haven’t seen them at Debian’s derived distributions list [debian.org.], so maybe I’m mistaken.

  • http://www.networkcomputing.com/1312/1312f33.html# filter

    try reading the article before making false claims.
  • Even Linuxlookup.com ( http://www.linuxlookup.com/html/reviews/software/e ngarde1.1.html [linuxlookup.com] ) gave Engarde Linux a perfect score last week too. Think I'll give it a whirll.
  • Bastille [bastille-linux.org] is a script that asks you questions, and proceeds to tighten down your Redhat or Mandrake installation, extra effort has been put into explaning the choices, and making sure you understand WHY something was done.
    Here's the summary:
    The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system. It currently supports Red Hat and Mandrake systems, with support on the way for Debian, SuSE, TurboLinux and HP-UX. We attempt to provide the most secure, yet usable, system possible. The project is run by Jon Lasser, Lead Coordinator and Jay Beale, Lead Developer, and involves a number of developers, beta-testers and concept-creators. Bastille Linux was developed with several major goals:
  • Gentoo?? (Score:2, Informative)

    by hardave ( 87702 )
    A week ago I probablly would have answered Slackware, being a die-hard Slackware geek for my entire Linux life. But last week I found out about Gentoo, and I have to say I like it. Especially for security. After you're done the install you're left with a VERY minimal system, there are ZERO services running, hell there are no services installed on the box. You have to explititly install any services that you wish, which is nice because you don't have any weird weird stuff installed on your system without your knowledge. Yes, this isn't for newbies who can't spell ls, but for the long-time unix geek who does everything manually already, this is the way to go.
  • KRUD (Score:3, Informative)

    by the_rev_matt ( 239420 ) <slashbot&revmatt,com> on Monday June 10, 2002 @09:23AM (#3672622) Homepage
    I'm disappointed that they didn't include Kevin's Red Hat Uber Distribution [tummy.com]. Kevin Fenzi is the author of the Linux Security HOW-TO, and the hardened version of Red Hat that they produce has served me quite well for over a year.

    • Actually Mr. Fenzi is the CO-author of the Security-HOWTO. Who is the other author? Dave Wreski of Guardian Digital.

      -r
  • But surely OpenBSD 3.1 should have won the prize for the most secure distro. According to the web page, each line of source code is actively audited by Theo De Ratdt, to ensure there is no remote exploits. Also, it is designed to be secure out of the box, no services are enabled in the default install which would give hackers a way in. Or am I way off base here ?
    • You ARE off base. Not every line of source code in (for example) the ports and packages can be audited by the development team, let alone all by Theo himself. The OpenBSD developers do a terrific job, and I trust it above any other OSes for my "hardened" public servers, but it simply is not possible for the degree of hardening and auditing you describe to be done by such a small group. The auditing is done to the kernel, the base utilities, and other aspects of the default install. Outside of that, you're on your own.

      Furthermore, several of the services that run by default on a raw install of OpenBSD have been shown over time to have local root exploits possible. Not remote root, mind you, and not without a swift and comprehensive patch being released, but the moral is, No One Is Perfect.

      That said, I have never had a compromise of any sort on my OpenBSD systems. I buy each and every release on CD direct from them to support the project, and have donated a little bit, too. If anyone who just runs Linux says "so what, it doesn't affect us" I request that you look at what version of SSH you're running. OpenSSH? Hmm, guess which dev team wrote that? Yeah, that's right. *BSD will be dead around the same time we see the paperless office (and the paperless restroom, and flying pigs, and...). OpenBSD is good stuff when you just can't take chances!

  • i really hate the phrase "me thinks".
  • Daemons that are run by default are reduced to a minimum.

    Easy upgrading of security-critical packages (no, that's no ad for Debian, of course :-;)

    Ability to a install a minimum system with a minimum number of packages.

    Careful file permissions and special user groups (i.e. "dialup","audio")

    Use of "secure" programs for a particular purpose (i.e. ssh instead of telnet, not sendmail as MTA, ...)
    Any other ideas?

  • "ESL is clearly designed for those who want a product that is prepackaged and ready to go out of the box."

    One of the problems with setting security to paranoid is that it usually means that nothing works. Let's face it; most small businesses are not going to have a Linux guru working for them. Unless they can afford to hire a guru to come in and set things up, they will have to figure it out for themselves.

    We need distros that run "out of the box" and are secure. I know my way around a Linux box fairly well but I do not consider myself a guru. For me, there are few things more frustrating than setting the security level to paranoid and having nothing work. What makes it worst yet is that rarely (if ever) will you find adequate utilities for the non-guru to properly configure a service once setting the system's security has broken that service.

    This has got to change. I don't have time to be a Postfix guru and a MySQL guru and a apache guru and..... Further, I don't know what sadistic bastard wrote these manuals but they appear to all be written by one guy and maybe his brother. I am NOT a stupid person but twenty minutes of reading Linux man pages makes me want to go up to the roof and sit naked with a high powered rifle! Maybe some people can read that stuff and get a warm fuzzy feeling but I want something that I don't need a PHD to understand. Believe it or not, most of us want to spend more time using our Linux boxes than we spend trying to configure them.
    • I don't mean to be flip but you sould consider buying a book or two. For example Postgres is a wonderful free database, with the ten thousand dollars you saved you could spend $100.00 on a couple of good books.
      • Oh, I do buy books. But even so, I don't have time to read them all. It takes a lot of effort even with books to setup EVERY system that I use.

        I really love Linux. It's power, flexibility and open source philosophy is wonderful. But really, business people just don't have the time to read all of the books that it takes to configure all of the various parts of a Linux server. And small businesses can't afford to hire an expert every time that they need something done.

        The answer, I feel, is to have configuration tools for the complete idiots. I know I would use them! :)
        • Most business people I know (and I know a ton) know nothing, read nothing, configure nothing, install nothing. They hire people to do that for them. Most businesses with more then two or three employees rely on local consultants to manage their IT work. Bigger ones employ bigger companies.

          And you know what manually configuring things is no longer required. With programs like linuxconf and webmin (especially webmin) any body can configure just about anything. Install webmin you won't be sorry.

Talent does what it can. Genius does what it must. You do what you get paid to do.

Working...