Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

EnGarde Secure Linux v2 Out

Hemos posted more than 11 years ago | from the lock-it-down dept.

Security 70

Chuck writes "I came across EnGarde Secure Linux about two years ago when it was first released, and I see they just released the newest version. Improved Mandatory Access Control using LIDS, awesome web-based manager, code from the Openwall Project and winner of the Network Computing Hardened Linux product of the year. I love EnGarde."

cancel ×

70 comments

Sorry! There are no comments related to the filter you selected.

GNU (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6040172)

Thats GNU/Linux and a firstpost.

Commercial? (4, Interesting)

Anonymous Coward | more than 11 years ago | (#6040173)

I thoght EnGarde was strictly commercial nowadays?? No?

Re:Commercial? (0)

Anonymous Coward | more than 11 years ago | (#6043400)

No, there is a community edition for the open source community and small businesses, as well as a supported version for enterprises.

Oh Engarde (1, Funny)

Anonymous Coward | more than 11 years ago | (#6040179)

Oh Engarde Linux,
We stand on guard for thee...

Advertising shmadvertising... (3, Interesting)

CoolVibe (11466) | more than 11 years ago | (#6040181)

Guess this is one of those slashdot sponsored "advertisement" advertising stories huh?

Anyway, LIDS is great. Played with it, and deemed it cool. Now I wish FreeBSD had something that cool (since that's my main OS of choice), but LOMAC comes pretty close.

Heck, I just might give this a whirl on one of my testboxes...

Re:Advertising shmadvertising... (4, Funny)

DASHSL0T (634167) | more than 11 years ago | (#6040210)

Heck, I just might give this a whirl on one of my testboxes...

So, the advertising worked, is what you're saying. :-D

--
Have you taken the SCO poll?
Linux-Universe [linux-universe.com]

Re:Advertising shmadvertising... (0)

Anonymous Coward | more than 11 years ago | (#6040221)

How can you use FreeBSD as your main OS while it doesn't support the latest VMware?

I couldn't live without VMware.

Re:Advertising shmadvertising... (0)

Anonymous Coward | more than 11 years ago | (#6040286)

How can you use FreeBSD as your main OS while it doesn't support the latest VMware?

I've a dedicated linux server in which i run VMware, usually 4-7 sessions at a time. This lets me reboot my main (OpenBSD in my case) machine while not interfering with the VMware servers.

Re:Advertising shmadvertising... (1)

CoolVibe (11466) | more than 11 years ago | (#6040415)

I never use VMware. I have used it once or twice, but I never really have a use for it. And it's way to expensive for me.

*shrug*

What an asswipe (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6040494)

Just because YOU use VMWare, everyone is obligated to use it?

You are an A1 asswipe!

Re:Advertising shmadvertising... (2, Interesting)

BSDevil (301159) | more than 11 years ago | (#6040235)

At least Chuck is a real [slashdot.org] user, unlike last time (I don't remember the exact story) where no one could find any record of the user in the database and his domain belonged to an advertising company.

Re:Advertising shmadvertising... (3, Interesting)

caluml (551744) | more than 11 years ago | (#6040452)

I prefer the GRSecurity patches [grsecurity.net] to LIDS. They contain a lot more than just ACLs.

Re:Advertising shmadvertising... (1)

pacman on prozac (448607) | more than 11 years ago | (#6041728)

I wish FreeBSD had something that cool

I understand filesystem ACL's are coming in fbsd-5.

I'm not sure how they compare to lids but if you have fbsd 5.0 you can read about them in /usr/src/sys/ufs/ufs/README.acls.

this page [lucq.org] describes the openbsd port so might be useful.

And of course theres always trusted bsd [trustedbsd.org]

MooKore, at the herd ot the game! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6040184)

/ The Mad Cow Disease \
\ doesn't affect us helicopters! /
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||

Alternatives (5, Informative)

schroet (244506) | more than 11 years ago | (#6040186)

We like Astaro a lot.

http://www.astaro.de/php/statics.php?action=asl& la ng=gb

Could anyone compare the 2?

Re:Alternatives (5, Informative)

warez (669723) | more than 11 years ago | (#6040737)

Astaro is a hybrid firewall (stateful packet filter, application proxy), with a bunch of other nifty features. I 'discovered' it a couple of months ago on freshmeat when I was about to put together my own security box. After playing with it, I am nothing short of impressed, and its FREE for home use. it is a refined product. Engarde is a hardened linux distro; it's most practical use is turning it into a secure pubic server. The two actually goes hand in hand, as they aren't competing products.

Re:Alternatives (1)

feldy (71897) | more than 11 years ago | (#6040786)

it's most practical use is turning it into a secure pubic server.


Oh man, that's exactly what I need 'cause right now my pubic server is anything but secure.

What a great idea (4, Funny)

The Tyro (247333) | more than 11 years ago | (#6040994)

"turning it into a secure pubic server"

That's truly a noble endeavor... From my experience, most insecure pubic servers are loaded with viruses and trojans.

Re:Alternatives (0)

Anonymous Coward | more than 11 years ago | (#6041636)

http://www.astaro.com/ is the english site ( since lang=en creates a php error )

"I love EnGarde." (5, Funny)

MacOS_Rules (170853) | more than 11 years ago | (#6040189)

Quoth the poster: "I love EnGarde."

The best part: it automatically uses protection! Just don't try a backdoor!

---OWWW! Stop hitting me!---

Re:"I love EnGarde." (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6040310)

Is that a floppy in your pocket or are you just...

Wait (1, Funny)

Anonymous Coward | more than 11 years ago | (#6040190)

Isn't this kinda risky? Shouldn't they have waited to see what happens with SCO first?

We were considering implementing it (-1, Interesting)

Anonymous Coward | more than 11 years ago | (#6040193)

Re:We were considering implementing it (0)

Anonymous Coward | more than 11 years ago | (#6040231)

Buh? So what?

It's not a security problem...

Re:We were considering implementing it (4, Insightful)

RedOregon (161027) | more than 11 years ago | (#6040300)

What? You decided not to implement because it requires you to configure it? And if you don't, it gives a benign error?

(Link points at an advisory stating that log check emails will bounce by default if not configured)

Re:We were considering implementing it (4, Informative)

freuddot (162409) | more than 11 years ago | (#6040322)

OVERVIEW

--------
A bug was recently discovered in the default configuration of the
daily log summaries. The default address is set incorrectly causing
daily summaries to bounce until the system is ran through the initial
configuration process or the admin e-mail address is changed.


Err. That's probably the mildest bug/security problem I've ever seen. Care to explain me what is the problem of either

- applying the update ?
- running the initial configuration process ?

Or were you simply googling for a defect to post and that's the ony one you found ?

Re:We were considering implementing it (0)

Anonymous Coward | more than 11 years ago | (#6042729)

Looks to me like it was mis-marked. It's a bugfix advisory only.

so many? (0, Insightful)

Anonymous Coward | more than 11 years ago | (#6040195)

n00b alert. ok i understand the need for a secure platform like this one, but why are there so many different distros out. wouldn't it be more competitve to merge certain distros?

Distro Consolidation (5, Informative)

The Monster (227884) | more than 11 years ago | (#6040288)

wouldn't it be more competitve to merge certain distros?
They tried that. It's called UnitedLinux. And one of the partners in that enterprise has decided to serially sue everyone else in the Linux business, based on an exotic theory of IP violation. You may have seen [slashdot.org] something [slashdot.org] about [slashdot.org] this [slashdot.org] recently [slashdot.org] here [slashdot.org] on [slashdot.org] Slashdot [slashdot.org]

Re:Distro Consolidation (0)

Anonymous Coward | more than 11 years ago | (#6041468)

So your point is that Linux companies aren't mature enough to work together?

Re:Distro Consolidation (1)

The Monster (227884) | more than 11 years ago | (#6043252)

So your point is
I'm old. I don't have to have a point.

(See if you recognize that one.)

Is it as secure as Ninnle? (0)

Anonymous Coward | more than 11 years ago | (#6040198)

Ninnle Linux is the current gold standard for system and network security. I don't understand why people keep reinventing the wheel.

You ask why people keep reinventing the wheel? (1)

CQ (15101) | more than 11 years ago | (#6040447)

Because there are too many distros and add-ons!

Linux is in danger of losing direction much as UNIX did 20 years ago! Everyone can and does write Yet Another Add-On:

"Yaooooooooooo! I'm going to be rich!"

And they do this before they learn what is already out there, identify the good and bad parts (PROPERLY), and document what makes their solution worth the effort.

Properly: It is amazing how many people are willing to "take a look at" something and consider themselves versed enough to criticize! Most of the time, they are just criticizing the default UI and the way it installs!

Without the discipline of identifying and documenting the ideas that make a product unique, we're all just pzzzing in the wind!

Without some form of Intellectual Property protection, there is no money to pay for the analysis that MUST proceed real progress. ....but never mind. Survival of the fittest means that eventally MOST of us (and most Linux add-ons) will ultimately starve and die off.

I foolishly dream of the world in which we can pursue our ideas without bloodlust and the ripping and gnashing of teeth!

Nah! It's so much more fun being so sure of ourselves and blaming our failures on everybody else. That's the way, right?

Re:You ask why people keep reinventing the wheel? (0)

Anonymous Coward | more than 11 years ago | (#6040522)

But if you have Ninnle, and it does everything you could ever need, why even bother with the add-on? It just makes things more complicated and bloated. Ninnle is already pretty fast and stable, but improvements could still be made, I agree. But (re)writing an entire new distro just strikes me as a waste. I'm sure all the other Ninnle Linux users reading this agree with me.

Anon coward (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6040207)

Oh my god I got the FIRST PSOT!

No skills required? (4, Funny)

IO ERROR (128968) | more than 11 years ago | (#6040208)

No Linux administration skills required.


HUH? This is supposed to be an uber-secure system and you don't have to administer it? Somebody explain this to me like I'm a two year old, because I just don't get it.

Re:No skills required? (4, Funny)

questamor (653018) | more than 11 years ago | (#6040294)

All ports are turned off by default, with no way to turn them on. Also, networking hasn't been compiled into the kernel.

Not only that, no users are allowed. not even root.

It's supplied preinstalled on a PC with no powerswitch. hell, no PSU even.

They think of everything...

Re:No skills required? (2, Insightful)

Anonymous Coward | more than 11 years ago | (#6040379)

What they mean is you don't need to be a Linux guru to set up the box. Everything is using web browser with a few clicks, even updating your system. The only thing is you have to sign up with GDSN to keep up with updates and support. I believe they have 30 days trial for it on the new version just released few weeks ago. Originally one could update the system without signing up for GDSN account (they publish updates through ftp) but that doesn't seem like gonna happen with this new release. I could understand. They need to make $$$. The download version (Community version) does have some limitations as how many domains you could have. You could still update your system if you decide to use it by download the src packages and roll your own updates. It could be tedious.

In short, if you are willing to pay $229, IIRC, for GDSN account per year then it is well worth it. From biz stand point, I don't think that is too much at all. If not, roll your own updates or use something else that fit you.

Re:No skills required? (0)

What_about_CHOMSKY (675095) | more than 11 years ago | (#6040498)

I think you are missing something. What would CHOMSKY say about this?

Good stuff! (2, Interesting)

sokkelih (632304) | more than 11 years ago | (#6040211)

I hope these guys do some co-operation with thingies like OpenBSD. I would love to see outcome of that. Great!

Re:Good stuff! (0)

Anonymous Coward | more than 11 years ago | (#6040673)

Since OpenBSD is BSD licensed (big surprise!), the secure Linux distro's can pull just about anything they like from it. Unfortunately it can't work the other way. The common goal of the projects have the potential to yield benefits for OpenBSD, but because of the license differences, you're not likely to see much more that 'good will' when it comes to active cooperation ....

rsbac (0)

Anonymous Coward | more than 11 years ago | (#6040220)

RSBAC is, in many ways superior to LIDS.

I urge people who have tried, or interested in trying LIDS/SELinux, to give rsbac a go.

Available at rsbac.org

Something Different (2, Interesting)

Ween (13381) | more than 11 years ago | (#6040241)

Offtopic, but along the same vein, I would like to find a distribution of linux or *bsd that provides out of the box support for virtual mail hosting (many domains, 1 ip), name based virtual hosting, and the like. All with a simple to use console configuration. I've built my own several times, but thats time consuming. Anyone got any suggestions?

Re:Something Different (3, Informative)

3.5 stripes (578410) | more than 11 years ago | (#6040256)

Have a look at e-smith

http://www.e-smith.org

Re:Something Different (1)

notestein (445412) | more than 11 years ago | (#6040618)

I use this Mail Toaster [simerson.net] for FreeBSD.

Re:Something Different...try Ninnle (0)

Anonymous Coward | more than 11 years ago | (#6041214)

Ninnle Linux does that.

Re:Something Different (1)

mchallis (462385) | more than 11 years ago | (#6041914)

You might try This is qmail, vmailgr, courier, and squirrelmail on RH 7.3
Icon's rpm's for Redhat 7.3 and his guide will get you what you want in about 25 minutes. Just remember to install the rpm's before you run up2date or the updates will break parts of it.

Re:Something Different (0)

Anonymous Coward | more than 11 years ago | (#6043367)

This is exactly what EnGarde was designed to do.

why wed based stuff? (0)

Anonymous Coward | more than 11 years ago | (#6040253)

You had me going with improved MAC but threw me off with the web based manager. Web Based interfaces to security products feel very very wrong. I guess they can be done safely if only listening to loopback and using https.

The debian server could use it! (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6040254)

Re:The debian server could use it! (1)

c.derby (574103) | more than 11 years ago | (#6040364)

beware the goatse.cx link in the parent.

EnGarde Linux Flavors (2, Informative)

Anonymous Coward | more than 11 years ago | (#6040271)

Engarde comes in two flavors: commercial and community. Community is the free version.

Re:EnGarde Linux Flavors (1)

jroysdon (201893) | more than 11 years ago | (#6041335)

From http://www.guardiandigital.com/downloads/ [guardiandigital.com] :

"EnGarde Secure Linux Community Edition ...
Limited virtual Web, DNS, e-mail domain support"

WTF does that mean? Two domains? Five? Ten?

Hehe... slashdot effect (1)

GC (19160) | more than 11 years ago | (#6040278)

Let's see how this baby performs against a Distributed Denial of Service attack....

Braino (3, Funny)

wowbagger (69688) | more than 11 years ago | (#6040301)

While reading the summary, I misread
Openwall Project


as

Orwell Project


which, I personally feel would be an interesting name for a security enhancing project - right up there with Big Brother [bb4.com] .

ENOCAFFINE

Re:Braino (0)

Anonymous Coward | more than 11 years ago | (#6040410)

Gosh that's really interesting.... NOT!!!!!

We aren't interested in your diary of Adventures Reading Slashdot... Here is an idea... Go learn to read and then come back, but please wash your hair, take a shower and move out of your parents basement mmmmmkay! Bye now!

Re:Braino (0)

Anonymous Coward | more than 11 years ago | (#6040491)

Let me guess... An American I presume??

Re:Braino (1, Funny)

Anonymous Coward | more than 11 years ago | (#6040516)

Hey pal... Americans built this website. Hell, americans built the internet, just ask Al Gore.

Sounds like.. (1)

o1d5ch001 (648087) | more than 11 years ago | (#6040304)

OpenBSD lite. For the only interested in a partial code review...

Re:Sounds like.. (1, Insightful)

Anonymous Coward | more than 11 years ago | (#6040505)

code review != security

it just helps reduce bugs/vulnerabilities

LIDS etc OTOH protect when a bug is found, something OBSD does not.

furthermore, OBSD audits the base intall, which is essentially usefull.

Secure by default only, 'cept noone only runs default.

you think that's cool? (0)

Anonymous Coward | more than 11 years ago | (#6040358)

Well my name is Dr. Richard Daystrom and I'm working on the M5 advanced protocol unit, the most ambitious computer ever made.

Of course, if you have an A7 computer classiciation you already know all this.

Pricing. (4, Interesting)

Qbertino (265505) | more than 11 years ago | (#6040504)

What's this supposed to be?
Is this such a big fat hairy deal that you have to charge a minimum of 800$ for a "oh-so-extra-special-secure-Linux" distro?
Ok, if it's so easy to install that any Webdesigner could get it on right out of the box I say ok, let them Dreamweavers pay the price if they're to cheap for hiring a sysadmin to their team.
But I seriously doupt that this one pulls the trick better than a securepatched SuSE, Debian or OpenBSD.
Does anybody have solid expierience with this distro and can they testify that its bizar retail price is justified?

Re:Pricing. (2, Informative)

div_2n (525075) | more than 11 years ago | (#6041643)

At a place I used to work we had two Engarde boxes sitting in a DMZ acting as DNS servers. In two years I was there they NEVER went down and as far as we could tell had never been cracked. Our IDS did record quite a few attempts though.

I can't say the same for our Citrix servers . . .

IMHO the price is definitely worth it. I have spoken with the CEO Dave Wreski many times and he has helped me through several tough problems. Hands down their tech support has been unbelievable. I recommend their product to every company that I believe has a need that their products can fill.

For most /. users their products won't make much sense because they are targeted to an enterprise level customer.

If you happen to work for one of these companies you will not find a more out of the box secure solution for Web, DNS, E-mail or file serving.

Re:Pricing. (0)

Anonymous Coward | more than 11 years ago | (#6046573)

I have extensive experience, and yes, the price is justified for the professional version. As a consultant who deploys numberous boxes/OSes at clients with no internal IT department and low resources to pay for securing a box, EnGarde is perfect. I've also extensively audited the box and it really is secure OOB.

Download and check out the community version; it's free and has all of the same basic security features as the professional version.

"Pioneering OpenSource Security"? (2, Funny)

Fefe (6964) | more than 11 years ago | (#6040635)

Ah, so these are the people OpenBSD learned everything from, right?

Has it occured to anyone that... (2, Funny)

Spleen (9387) | more than 11 years ago | (#6041080)

"Improved Mandatory Access Control" would be iMAC ?

EnGarde is a good step forward (1)

jzarzosa (584990) | more than 11 years ago | (#6041606)

It's good to see a distro that focuses on security. I've used version 1.0, and it did a decent job "out of the box". It'll be interesting to try out this latest version since some of the new features look very appealing.

Is there anyone out there that uses EnGarde in their production environment?

Re:EnGarde is a good step forward (1)

Koatdus (8206) | more than 11 years ago | (#6049657)

Is there anyone out there that uses EnGarde in their production environment?


I have been using the community version of Engarde's last release as a 10 user email server for about a year. It has run flawlessly. The only downtime I have had the whole time was for a reboot after a kernel up grade.

Engarde has a very nice HTML front end that will get you started. I found however, that after I had been using the system for a little while I had modified things to the point that I didn't trust the HTML front end not to overwrite something. If you keep the system stock however that is not a problem.

in other news... (0)

Anonymous Coward | more than 11 years ago | (#6041626)

Solar Designer sues EnGarde Linux for alleged
intellectual property theft.

and our headline today...

SCO sues Solar Designer of Openwall and his ISP, the russian Dataforce, for alleged intellectual property theft, as they claim to own the source code and the tradmark of IP-suing cases.

LIDS vulnerability :) (1)

sneakybilly (537969) | more than 11 years ago | (#6042153)

The installation howto for LIDS [lids.org] says that you can turn it off by appending security=0 as a kernel parameter in your boot loader. This seems silly since they go to a lot of trouble to ensure that even the root user can't kill its processess and stuff. What is stopping the root user from just editing the boot loader conf and rebooting with these parameters.
Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>