
Red Hat Seeks to Deliver Most Secure Linux

ScuttleMonkey posted about 9 years ago | from the still-need-proper-configuration dept.

Operating Systems 262

Jack writes "ITO is running a story on Red Hat's plan to become the most secure Linux platform. From the article: "Red Hat officially joined The National Information Assurance Partnership to bring an improved level of security and assurance to Linux. This means that the next version of Red Hat Enterprise Linux will contain kernel and Security Enhanced Linux policy enhancements, developed by IBM, Red Hat, TCS, NSA and the community.""


Missed a link :) (5, Funny)

grub (11606) | about 9 years ago | (#13668412)


The article left out a hyperlink, corrected here :

Re:Missed a link :) (3, Insightful)

TheRaven64 (641858) | about 9 years ago | (#13668486)

Maybe this was intended as a joke, but it's a valid point. SELinux does not make anything more secure. Why? Because it's sufficiently complicated that most people are just going to turn it off. OpenBSD has a policy that security must be on by default, must not create a significant performance hit, and must be simple enough that people actually use it. This is the reason people trust it.

Re:Missed a link :) (3, Informative)

Homology (639438) | about 9 years ago | (#13668589)


Maybe this was intended as a joke, but it's a valid point. SELinux does not make anything more secure. Why? Because it's sufficiently complicated that most people are just going to turn it off. OpenBSD has a policy that security must be on by default, must not create a significant performance hit, and must be simple enough that people actually use it. This is the reason people trust it.


Indeed, something like http://pax.grsecurity.net/ [grsecurity.net] is clearly useful, but breaks too many applications, is a kernel patch to the standard kernel that you have to apply yourself, so it's not so widely used. Neither SuSE nor RedHat supports it. OpenBSD does similar things, but they make sure that the ports and the system do not break. As an OpenBSD user you don't have to do anything special, apart from installing OpenBSD, to take advantage of the security enhancements.

Re:Missed a link :) (4, Insightful)

Anonymous Coward | about 9 years ago | (#13668656)

Except 'most people' and 'sufficiently large government organizations and corporations' are not interchangeable. The NSA or FBI doesn't look at the complexity of SELinux and decide they are gonna turn it off for that reason. I don't need SELinux on my notebook or my desktop and I don't need it in my 20 man organization, so I turn it off. SELinux isn't designed for me or my organization or my desktop or a good majority of computers out there. But for what it is designed for it does it well.

Re:Missed a link :) (5, Insightful)

andyross (48228) | about 9 years ago | (#13668703)

SELinux does not make anything more secure. [...] OpenBSD has a policy that security must be on by default, must not create a significant performance hit, and must be simple enough that people actually use it.

Um, the SELinux configuration shipped with Fedora is on by default, does not create a significant performance hit, and is simple enough that most users (those who aren't making fundamental changes to the installed daemon processes, basically) don't even know it's turned on.

This is mostly a defensive flame. SELinux clearly is useful as a security tool. It provides MAC features that you simply can't get with the traditional Unix security model. Now, clearly, this kind of change in worldview brings complexity. And lots of installations, even secure ones, don't necessarily need it or want it. And early Fedora (FC2 prereleases, I think) implementations were far too restrictive, and caused much confusion and flamage. I have it turned off on my laptop, for example.

But to baldly claim that "SELinux does not make anything more secure" is just silly.

Misunderstanding of what Trusted means (1)

bullsbarry (862452) | about 9 years ago | (#13668623)

Even though you're trying to be funny, it does show a misunderstanding of what a "trusted" operating system provides. The biggest benefit is the ability to store information at various levels of classification, such as secret and top secret, on the same system and having access controls that are fine grained enough to make this secure. It's not just about keeping people who don't have access out, it's also enforcing need to know through the same system.

Re:Misunderstanding of what Trusted means (1)

adrianbaugh (696007) | about 9 years ago | (#13668723)

If Red Hat are genuinely aiming to provide a platform capable of mixing restricted, secret and TS material on the same system then good luck to them. But I don't see any real users with material genuinely warranting those classifications being ready to trust such a system until a long time and a vast amount of validation work have been done.

Re:Missed a link :) (1)

KillShill (877105) | about 9 years ago | (#13668625)

ironic, that a secure OS is called Open(BSD).

Re:Missed a link :) (1)

bhsx (458600) | about 9 years ago | (#13668746)

I must've missed the part in the article that was something other than PR. A little light on details; but this is only about getting certified under a certain configuration. I doubt RH will ship Enterprise with this config as the default as it is a bit less than user/admin friendly.
Having said that: Good for them.

security versus security model (1)

Dink Paisy (823325) | about 9 years ago | (#13668839)

These technologies seem to be about the security model of Red Hat Linux. But security and security models are not the same thing. Guess what? Windows XP has a great security model, but buggy implementation and poor default policies made it insecure. OpenBSD has a primitive security model, but careful implementation and well chosen default policies have made it very secure.

Adopting stuff like SELinux will make Red Hat Linux closer to Windows in security model. Red Hat moved to good default policies faster than Microsoft did, but they both seem to be pretty good in that respect now. In terms of implementation quality, it is much harder to say. I suspect that Linux and Windows are on similar ground now, but that Microsoft is improving implementation quality faster.

One problem for Linux in that regard is that a single vendor can't make a decree that all existing and new code will be checked and reviewed more carefully, because no single vendor controls all of the code. But the future is not yet written, and we have to wait to see which of them will improve the implementation.

Re:security versus security model (1)

AuMatar (183847) | about 9 years ago | (#13668936)

Sure they can- they can review and check the code in their kernels, and not accept patches that are risky. Rarely do any of the big distros ship unmodified kernels anyway- they all add patches of some sort or another.

"Red Hat Seeks to Deliver Most Secure" OS (1)

sznupi (719324) | about 9 years ago | (#13669000)

So do these folks [microsoft.com] ;P

OpenBSD (2, Interesting)

biryokumaru (822262) | about 9 years ago | (#13668413)

Why don't the security conscious just use OpenBSD [openbsd.org] ?

Re:OpenBSD (1)

millahtime (710421) | about 9 years ago | (#13668432)

omg, you didn't just open that can of worms. This makes sense. That isn't allowed on /.

But seriously, OpenBSD may be a great solution if you need security now, which is what I do, but to bring linux better security is a worthwhile endeavor.

Although, if you need security now, go openBSD.

Re:OpenBSD (1, Funny)

chez69 (135760) | about 9 years ago | (#13668452)

maybe because the servers we run are not in our parent's basement and need to be supported by our vendor's software?

Re:OpenBSD (0)

Anonymous Coward | about 9 years ago | (#13668545)

flamebait? the truth hurts, doesn't it?

Re:OpenBSD (0)

Anonymous Coward | about 9 years ago | (#13668587)

GGP was modded as flamebait too.

Re:OpenBSD (0)

Anonymous Coward | about 9 years ago | (#13668591)

I guess the US Military, US Governments (and governments worldwide), stock exchanges, major financial institutions, and major websites all count as our parent's basement, huh?

-Corporate OpenBSD user

Re:OpenBSD (1)

grub (11606) | about 9 years ago | (#13668599)


We run several critical OpenBSD servers in our facility and things Just Work Well. There has never been an issue for us that google couldn't turn an answer up for in moments.

Re:OpenBSD (1)

taylor_venable (911273) | about 9 years ago | (#13668483)

OpenBSD is great, but a lot of programs run only on Linux. Granted, a lot of these are closed down; but if you need to run the Sun JVM, or Borland's JBuilder (two programs I have to use for a computer science class), you need Linux. Even under FreeBSD's Linux Binary Compatibility, they don't work very well, if at all.

Re:OpenBSD (0)

Anonymous Coward | about 9 years ago | (#13668559)

The same can be said about Windows vs. Linux.

OpenBSD isn't about being a platform for your latest first person shooter or a desktop for Grandma, it's about providing an unparalleled level of security for the real world, a level of security that Linux does not yet match in terms of track record (exploits, security features).

Re:OpenBSD (1)

taylor_venable (911273) | about 9 years ago | (#13668793)

The same can be said about Windows vs. Linux.

You're absolutely right; but this thread wasn't about Windows vs. Linux, it was about Linux vs. OpenBSD. And sometimes, you need Linux for functionality more than you need OpenBSD for security.

Re:OpenBSD (1)

Zemplar (764598) | about 9 years ago | (#13668749)

Might I suggest you try Sun's Solaris 10 [sun.com] . The security is very good and rivals OpenBSD, Java is very well integrated (even preinstalled), and overall just a great OS.

Re:OpenBSD (0)

Anonymous Coward | about 9 years ago | (#13668846)

FWIW, I'm using VMWare 3 (Linux i386 binary) on OpenBSD 3.7, and it works fine. Later versions of VMWare don't though, but lucky for me the v3 is enough for my purposes. For the most part I tend to look down on programs that only run on one platform as they limit my freedom of choice (especially closed-source programs!) Thankfully VMWare is the only thing I haven't yet found a free (open-source, multiplatform) replacement for, but there are some things in the works, like qemu, that will eventually make VMWare moot.

BECAUSE THEO DE RAADT IS A TOTAL ASSHOLE (-1, Flamebait)

Anonymous Coward | about 9 years ago | (#13668489)

dfgf

Re:OpenBSD (1)

Homology (639438) | about 9 years ago | (#13668661)

Why don't the security conscious just use OpenBSD?

Some really clueless moderator modded you down as flamebait, go figure. In any case, the Linux kernel has had about 20-30 local root exploits in the last year, and clearly the Linux kernel leaves something to be desired in this regard. It's also understandable that this happens due to the huge amount of new code, and the focus on performance (but not stability).

Re:OpenBSD (0)

Anonymous Coward | about 9 years ago | (#13668784)

The Linux kernel makes the Windows kernel look like Trusted Solaris.

Notice I'm only mentioning the kernels. I know overall, Windows is less secure.

Re:OpenBSD (4, Informative)

Anonymous Coward | about 9 years ago | (#13668716)

OpenBSD, from what I've heard, is good, but most of its security is based upon correct implementation. This is good, but the OpenBSD team can only audit and control the base system, meaning that applications and libraries added to the system can often degrade the security of the system as a whole.

Judging from the technologies and companies mentioned in the summary, this attempt at Linux security is based on providing better access controls and privilege models in the Linux kernel. By better, I mean that these mechanisms can:

1) Provide finer grain privileges so that fewer programs can be exploited to escalate privilege, and
2) Isolate unrelated programs and users from each other (e.g. an exploit in a DNS server is restricted to only accessing DNS files but is not able to manipulate web server pages).

These two techniques basically reduce the number of avenues an attacker can use to exploit a system. It is less likely that a piece of exploitable software will have sufficient access to whatever it is the attacker wants to get to. Granted, it is not a complete solution, but it's a handy thing to have in one's security toolbox.

I believe that the OpenBSD/OpenSSH teams are beginning to do similar things (e.g. OpenSSH privilege separation), but I don't think they've taken the leap to providing more sophisticated access controls in the kernel.

If you're interested, examples of trusted operating systems/access controls can be found at the following places:

Linux Capabilities:
http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt [kernel.org]

Trusted BSD:
http://www.trustedbsd.org/docs.html [trustedbsd.org]

Argus Systems Group (go to the Support section and take a look at the docs for PitBull LX and Foundation; they give a rather complete description of the mechanisms):
http://www.argus-systems.com/ [argus-systems.com]

Trusted Computer Solutions (mentioned in the article):
http://www.trustedcs.com/index.html [trustedcs.com]

Disclaimer: I used to work for Argus Systems Group, and I know a few of the TCS employees (as they are also ex-Argus employees).
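
The finer-grained privileges described in the comment above can be audited on a Linux host by decoding the `CapEff` bitmask in `/proc/<pid>/status`. This is an added example, not part of the original comment or of any project it links to; the two status excerpts are constructed, and the `HIGH_RISK` shortlist is an assumption of the example.

```python
# Capability names indexed by bit number, as defined in linux/capability.h.
CAP_NAMES = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID
SETUID SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN
NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE
SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG
MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG
WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE""".split()

# Assumption of this example: capabilities treated as near-equivalent to root.
HIGH_RISK = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE",
             "CAP_SYS_RAWIO", "CAP_DAC_OVERRIDE", "CAP_SETUID"}

# Constructed sample: a DNS daemon that kept only the right to bind port 53.
SAMPLE_DNS = "Name:\tnamed\nUid:\t25\t25\t25\t25\nCapEff:\t0000000000000400\n"
# Constructed sample: a daemon still running with every capability (plain root).
SAMPLE_ROOT = "Name:\tlegacyd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"


def decode_caps(mask_hex):
    """Turn a hex capability mask into a list of CAP_* names."""
    mask = int(mask_hex, 16)
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits newer than this table are reported by number, not dropped.
            label = CAP_NAMES[bit] if bit < len(CAP_NAMES) else str(bit)
            names.append("CAP_" + label)
        bit += 1
    return names


def audit(status_text):
    """Summarise one /proc/<pid>/status document: name, caps, risky caps."""
    fields = dict(line.split(":", 1)
                  for line in status_text.splitlines() if ":" in line)
    if "CapEff" not in fields:
        raise ValueError("no CapEff line in status text")
    caps = decode_caps(fields["CapEff"].strip())
    return {
        "name": fields.get("Name", "?").strip(),
        "caps": caps,
        "high_risk": sorted(set(caps) & HIGH_RISK),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_DNS, SAMPLE_ROOT):
        report = audit(sample)
        print(report["name"], len(report["caps"]), "caps; high risk:",
              ", ".join(report["high_risk"]) or "none")
```

On a live system, pass the contents of `/proc/<pid>/status` to `audit()` instead of the constructed samples.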

Re:OpenBSD (0)

Anonymous Coward | about 9 years ago | (#13668957)

In the past, OpenBSD was entirely about fixing bugs in the code, and in turn eliminate exploits.
However, things have changed. Besides doing that, they now added some additional checks & balances in the OS, since they realized that no matter how well they audit the codebase, there will always be at least one bug somewhere.
These days OpenBSD ships with W^X (memory pages are marked write or execute, but not both), propolice-patched gcc, privilege-separation in most daemons, and other such methods to "raise the bar" for the potential attacker. This is all in the default OpenBSD install, the user doesn't have to do anything at all to benefit from these protections. Just install and go, it's that simple. That's why I switched to OpenBSD after 9 years of having to secure my own Linux boxes, doing kernel patches with GRSec, etc. and still risking getting pwned through a kernel exploit (they seem to be getting common lately!)
BTW, for ACL in OpenBSD, there is systrace:
http://www.openbsd.org/cgi-bin/man.cgi?query=systrace [openbsd.org]

Re:OpenBSD (1, Informative)

Anonymous Coward | about 9 years ago | (#13668848)

Why don't the security conscious just use OpenBSD?

Because it's too complicated. People rave about this "ports" system, but what does it buy me that my Debian package repositories don't already have? When I tried to use OpenBSD it was a pain in the ass to upgrade, administer, and find applications for. I'll stick with Debian Linux.

OpenBSD (-1, Offtopic)

Anonymous Coward | about 9 years ago | (#13668414)

Just use OpenBSD.. it has a phenomenal record in terms of security and it's a proven solution. Why use Linux?

Slashdot is secure ... (1)

xmas2003 (739875) | about 9 years ago | (#13668418)

"Nothing for you to see here. Please move along."

Is this a magnet? (1, Interesting)

kpwoodr (306527) | about 9 years ago | (#13668420)

So does announcing to the world that you want to be the most secure platform place a giant target on Redhat? It almost seems like an invitation for everyone to come try and get a piece.

Granted, I think Red Hat has a much better head start on MS, but that may partly be due to the amount of market share they command. If they can pull it off, more power to Red Hat!

Re:Is this a magnet? (5, Informative)

LnxAddct (679316) | about 9 years ago | (#13668556)

Well Red Hat already is a key innovator into securing the kernel. As most know, Red Hat contributes more code to the kernel than any other entity. The kernel is their livelihood. SELinux patches work with the kernel now because Red Hat engineers worked closely with the SELinux NSA guys to get it to that point. Red Hat also created exec-shield which implements a number of security benefits including NX (NoExecute) and PIE (Position Independent Executables). They release both RHEL and Fedora with sane but secure SELinux policies, compile their major services with FORTIFY_SOURCE and other GCC options that find and/or block many types of overflows and other bugs. PIE is pretty neat in that it randomizes the memory layout so an attacker executing an attack can't know what memory lies ahead, often making the overflow useless. PIE has some performance impediments, so it's only typically used on public facing services. Red Hat already forces yum and up2date to verify all gpg signatures by default, and they designed the RPM format so it is highly secure and you know what you're getting when you get it (gpg signing, double hashes (MD5 and SHA1 so that even if one is cracked, the other can act as a crutch until a new solution is found)). Red Hat is also renowned for getting security updates out sometimes days before others. Red Hat is responsible for many of those security patches, and one of the reasons Linux has such a good reputation for getting patches out quickly is a direct result of Red Hat. Anyway... if I had to put my money on someone doing this for Linux, Red Hat would be where I'd put it. They've already shown that they do much for the community, they gave us cygwin, they maintain GCC and libc, they created GCJ so we can run about 95% of java programs natively, including OpenOffice and Eclipse (albeit GCJ is still under heavy development), plus many more things from writing lots of code for projects like Apache and Gnome.
(I can't forget to mention buying Netscape Directory Server and giving it to the community, as well as GFS, Global File System). Red Hat's legal department sometimes stirs trouble with derivatives using their trademark, but the Red Hat engineers actively help CentOS and others. Red Hat is the only major linux player who depends on linux to succeed. All the others, IBM, Novell, Sun, etc.. have come onto the linux "train" to see if it can make them lots of money, if Linux fails however they'll just move on to the next big thing, like they've always done. Red Hat's entire being revolves around linux and its success, they have the motivation that is needed.
Regards,
Steve
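
Whether a given binary was actually built with the PIE and NX protections mentioned in the comment above can be read from its ELF headers. This is an added example, not part of the original comment and not Red Hat's tooling; it handles only 64-bit little-endian ELF, and `build_sample_elf` is a hypothetical helper that constructs minimal test images.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3        # e_type values from the ELF specification
PT_GNU_STACK = 0x6474E551     # program header carrying the stack permissions
PF_X = 0x1                    # "executable" bit in p_flags


def elf_hardening(data):
    """Report position independence and stack executability of an ELF image."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles only 64-bit little-endian ELF")

    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    # None means no PT_GNU_STACK header: the kernel's default then applies,
    # which differs between architectures and kernel versions.
    nx_stack = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            raise ValueError("program header table runs past end of file")
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)

    # ET_DYN covers PIE executables and shared libraries alike; telling them
    # apart needs the dynamic section, which this example does not parse.
    return {"position_independent": e_type == ET_DYN, "nx_stack": nx_stack}


def build_sample_elf(e_type, stack_flags):
    """Construct a minimal ELF64 image (header plus optional GNU_STACK phdr)."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags,
                                 0, 0, 0, 0, 0, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(phdrs), 0, 0, 0)
    return header + b"".join(phdrs)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(elf_hardening(fh.read()))
    else:
        # Constructed samples: hardened build, legacy build, missing header.
        for e_type, flags in ((ET_DYN, 0x6), (ET_EXEC, 0x7), (ET_EXEC, None)):
            print(elf_hardening(build_sample_elf(e_type, flags)))
```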

Most Secure Unix .... (-1, Flamebait)

Anonymous Coward | about 9 years ago | (#13668434)

OS/X

Re:Most Secure Unix .... (1)

bonch (38532) | about 9 years ago | (#13668764)

You've committed #2 on the list of spelling and terminology sins. Congratulations.

1.) It's not MAC, it's Mac.
2.) It's not OS/X, it's OS X.
3.) It's not OS X86, it's OS X on x86.
4.) It's not Linux Torvalds, it's Linus Torvalds.
5.) It's not GNU/LINUX, it's GNU/Linux.
6.) It's not blog, it's journal, weblog, homepage, or personal website.
7.) It's not Micro$oft, it's Microsoft.

the NSA? (1)

J_Omega (709711) | about 9 years ago | (#13668437)

I didn't realize that ANYTHING they did was "open".

Re:the NSA? (1)

Doctor Memory (6336) | about 9 years ago | (#13668459)

Open is the new closed...

Re:the NSA? (1)

spellraiser (764337) | about 9 years ago | (#13668466)

NSA? What are you talking about? There's No Such Agency. Nothing for you to see here, move along ...

Yes the NSA does (2, Interesting)

jhines (82154) | about 9 years ago | (#13668504)

Yes they do http://www.nsa.gov/selinux/info/faq.cfm#I2 [nsa.gov] , the mentioned security enhancements are more like ACL's and policies.

Re:the NSA? (4, Funny)

ettlz (639203) | about 9 years ago | (#13668554)

I didn't realize that ANYTHING they did was "open".

Cavity searches.

Re:the NSA? (1)

2short (466733) | about 9 years ago | (#13668856)


All sorts of stuff actually. Their mission is twofold; in addition to breaking the bad guys' codes or elsewise compromising their communications, they are also tasked with protecting the good guys' communications from being compromised. Now it's important to remember that "good guys" and "bad guys" here is as defined by the US Government, but I for one agree with them at least occasionally. In any case, if they have thought up some super secret tricky way to get around your security, I wouldn't expect them to help defeat it. But when it comes to the myriad run-of-the-mill security flaws that all sorts of people know how to exploit, the NSA has great expertise in how to deal with them, and can be expected to share it.

Hear hear! (0)

Anonymous Coward | about 9 years ago | (#13668446)

Here's to the IT Observer staff! They successfully copied and pasted a press release verbatim and now are going to get the page views from Slashdot!

RedHat poised to become the next Microsoft (3, Insightful)

kianu7 (886560) | about 9 years ago | (#13668455)

The book Animal Farm was about animals on a farm that resented being under the control of humans. Their motto was something to the effect of "4 legs good, 2 legs bad" meaning that everyone with 2 legs was bad. Over the course of the book, the pigs started to take over the leadership role, championing the causes of the other animals and ultimately displacing the humans. For a period of time all was well, but by the end of the book the pigs had started walking on 2 legs and were no better than the original, human leadership team.

As sections of the Linux community, such as RedHat, start merging with big businesses, such as IBM, we have to wonder how long it will be before the Red Hat team starts walking on 2 legs...RedHat could be well on its way to becoming the next Microsoft.

Re:RedHat poised to become the next Microsoft (5, Insightful)

99BottlesOfBeerInMyF (813746) | about 9 years ago | (#13668582)

RedHat could be well on its way to becoming the next Microsoft.

I think you are mistaken. It is entirely probable that RedHat the company will partner up with lots of big businesses. Big businesses, however, want a commodity OS, competitive advantages, and for that matter, open source at this point. Having been burned by MS for so long, many companies at the heart of the Linux community are unlikely to swiftly move to closed formats, APIs, code, etc. Even assuming RedHat did exactly that, introducing formats and closed source code as much as possible, they are still working on a base that is GPL and that they cannot close and still sell. That means there is nothing stopping others from modifying that code or even redistributing it. RedHat would basically have to write their own OS from scratch or based upon BSD licensed code in order to get us close to the situation we have with MS. Even were they to do that, we'd still be several steps ahead for compatibility and security from where we are now with Windows.

To summarize, sure RedHat can become "evil" but that does not stop Linux, and RedHat has no way to "take over" Linux since they don't own it. I'm just not too worried, they have a long hard road ahead to become MS, and they will need a new OS to do it.

Re:RedHat poised to become the next Microsoft (0)

Anonymous Coward | about 9 years ago | (#13668813)

Mod parent UP. GP is trolling

Re:RedHat poised to become the next Microsoft (4, Insightful)

An Onerous Coward (222037) | about 9 years ago | (#13668588)

I don't understand why people keep trying to make that comparison.

If you want to argue that RedHat has turned its back on the community, or jumped in bed with big business, or whatever, go right ahead. But it simply isn't possible for any Linux distributor to "become Microsoft", because unlike Microsoft, anybody who can obtain a copy of Distro X can legally rebrand, recompile, and sell it as Distro Y. Somebody running Distro Z can go through Distro X, figure out any new features, and bring those features to Distro Z.

RedHat can't do a thing to stop RH-based distros like CentOS and White Box. The GPL ensures that, while one distro might dominate the Linux landscape, nobody will ever have a lock on Linux itself. Linux World Domination would mean that nobody can dominate.

So please, elaborate your reasoning. What is RedHat doing that scares you?

Re:RedHat poised to become the next Microsoft (3, Insightful)

nine-times (778537) | about 9 years ago | (#13668776)

But it simply isn't possible for any Linux distributor to "become Microsoft", because unlike Microsoft, anybody who can obtain a copy of Distro X can legally rebrand, recompile, and sell it as Distro Y. Somebody running Distro Z can go through Distro X, figure out any new features, and bring those features to Distro Z.

And this is very important because it means that, in order to keep my business, Distro X must continue to represent a good choice. They must offer reliability, trustworthiness, and good service. Why do people continue to buy Redhat even as CentOS is released? Because they trust Redhat and like Redhat's support.

Open source vendors simply won't make any money unless their customers are happy.

Re:RedHat poised to become the next Microsoft (0, Flamebait)

Donny Smith (567043) | about 9 years ago | (#13668922)

>So please, elaborate your reasoning. What is RedHat doing that scares you?

Just one example - they threatened CentOS with legal action. They now can't even say they're Red Hat based (see their Web site, there's some mumbo-jumbo about being based upon a famous North American enterprise Linux distribution).
So in theory, yes, you're allowed to redistribute, even for commercial purposes. In reality, though, they'll screw you up if you start doing well.

Re:RedHat poised to become the next Microsoft (1)

RedHatRebel0 (800752) | about 9 years ago | (#13668595)

I don't understand why everyone stops trusting every company that has decent growth. I've even seen people fretting about Google already. I mean, come on.

And this is probably a bad thing to say, but while I feel that Linux is much better than Windows & haven't used Windows in years as my primary OS, there is a place for everything, including Microsoft.

Working with companies like Microsoft and RedHat is essential for industry and people with personal vendettas against every large company usually don't come out on top. Just a thought, but I like that RedHat is making the effort to become an even more secure Linux distribution instead of sitting around making petty comments about Microsoft.

Sorry, but I just had to vent...

Re:RedHat poised to become the next Microsoft (1)

Eberlin (570874) | about 9 years ago | (#13668626)

I've shared the same sentiment for a while now -- having hopped distros from RHAT to MDK to Ubuntu. Red Hat is THE brand-name Linux distro (at least here in the US). Then it spun off the Fedora project in the name of community building...which created a great backlash (Fedora being RHAT Enterprise Beta, etc.)

RHAT eventually moved to using SELinux, which seems like a great bold idea...and really put the impression of security onto something that's already more secure than Windows.

For a while, they were reluctant to join the LSB (being the big fish, it seems they didn't really NEED to play by anyone else's rules)...much to the dismay of a few geeks who believed that the LSB would create better interoperability in Linux distros.

In the end, though, there's a great deal of "grassroots" folks pulling for Linux...and lots of distros available. While Novell/Suse/Ximian comes very close to being corporate Linux, Red Hat still has the branding for being "The Man." Given the nature of Linux and Free Software in general, we're very wary of The Man...and would rather cheer for something less "corporate."

Re:RedHat poised to become the next Microsoft (1)

nine-times (778537) | about 9 years ago | (#13668840)

Cheer all you want for the little guy, but a lot of CIOs (and PHBs in general) don't trust anyone BUT "The Man". Redhat being "The Man" represents greater market penetration for Linux, as well as someone else in the "community" who is generating revenue from Linux and who has a financial interest in improving the code and marketing Linux.

Re:RedHat poised to become the next Microsoft (2, Insightful)

LnxAddct (679316) | about 9 years ago | (#13668633)

Umm... Red Hat has been the best thing the community has going for it. Red Hat is the only reason the kernel is of enterprise quality. Red Hat is the only reason the kernel has any kind of serious testing going on behind the scenes. Red Hat has some defensive patents, but they come attached with an irrevocable allowance of OSS projects to use them in any way. Red Hat contributes more code to the kernel than anyone else, they also supply most of the security updates for it. They bought and gave us Cygwin, Fedora Directory Server, GFS (Global File System) and many other things. They maintain GCC and libc. They created GCJ so we can run java applications natively (it's still under heavy development but compiles Eclipse and OpenOffice fine). They have done many other things for the community as well, but I won't go on as I've already done that in another post in this thread. Everything they release is GPLed, I could only hope that Red Hat eventually knocks Microsoft out of its position. It's not like they can get to that point and then undo their GPLed code... and by that time they will have invested billions in that GPL code, they aren't just going to turn their backs on it. They are currently a multibillion dollar company (I believe their market cap is around 3 billion) and they have yet to turn on the community. I can only hope that companies like Red Hat and Google dominate the future, it'd be in our best interest.
Regards,
Steve

Holy crap!!! (2, Funny)

Anonymous Coward | about 9 years ago | (#13668647)

We need to act before that happens!

Let's get together and make sure that all new versions of software that RedHat sells are covered by some kind of license that prevents them from locking the software up! Hell...we could even include some kind of restriction that forces them to release any changes they make. That'll stop them!

Analogies prove nothing (1)

vlad_petric (94134) | about 9 years ago | (#13668783)

And, as for RedHat becoming the next Microsoft - journalists have asked this rhetorical question for quite a while now (and redhat is still a niche player). My personal opinion is that there's not gonna be a next Microsoft (as in a company that makes billions out of selling proprietary operating systems). I believe that the OS market will be commoditized to the point that there is not gonna be another mammoth.

Furthermore, keep in mind that most of the code behind linux is under either GPL or LGPL, which means that others can take redhat's source code and build their parallel distribution of Linux (there are already parallel distributions of RHEL, btw, I don't see how that is going to change in the future). Sure, Redhat could start replacing software with proprietary versions, but the cost of doing that is very high, and simply against their current direction.

Re:RedHat poised to become the next Microsoft (1)

fragmentate (908035) | about 9 years ago | (#13668836)

Google [google.com] is the next Microsoft. Duh.

Re:RedHat + Microsoft = (1)

mpapet (761907) | about 9 years ago | (#13668850)

a very viable way for Microsoft to keep Linux as a weaker competitor.

1. In the corporate world where support is more valuable than the software in some cases, there is *not* a long list of viable Linux-based companies. I don't think Novell's going to dismantle Red Hat either.

2. The approach MS will likely take is to capture as many of the Linux dollars as they can. They know support is Linux's weakness and they can provide that. So, Microsoft bundles OSS application support to its richest customers. Microsoft wins and OSS competitors are none the richer.

3. Microsoft chooses Red Hat, supports Red Hat, but that's all. It's the Devil they know and they make a new hybrid of vendor lock-in.

YMMV

4 legs good, 2 legs bad (1)

ajrs (186276) | about 9 years ago | (#13668990)

I'm not worried until they try Stallman for being a counter revolutionary and take to eating penguin eggs.

and this is why... (3, Funny)

mrbobjoe (830606) | about 9 years ago | (#13668469)

ITO is running a story...
...and probably running it as root, too, the stupid bastards.

Why not OpenBSD. (3, Insightful)

RLiegh (247921) | about 9 years ago | (#13668471)

Major corporations (such as oracle) target Linux; specifically RedHat. With RedHat, you gain all of the applications that already work with Linux plus security enhancements. With OpenBSD, even though they have a decent amount of applications, they have nowhere near the variety that Linux has, so that gives Redhat an edge.

Re:Why not OpenBSD. (-1, Flamebait)

tomstdenis (446163) | about 9 years ago | (#13668506)

Except Redhat is a pain in the ass to deal with. Its binary-only packages are routinely out of date and horribly configured for anything but the most casual desktop user.

Screw redhat, go Gentoo.

Let the holy-distro wars begin!

[I'm serious, I hate RedHat. It's just as bad as Microsoft, perhaps worse because it scores huge amount of possible converts from Windows].

Tom

Distro wars are irrelevant (1)

RLiegh (247921) | about 9 years ago | (#13668538)

Redhat is the target OS of most corporations (as I pointed out), this is the advantage that Redhat has over OpenBSD. Any worthwhile features that this develops will eventually trickle down to the niche distros such as slackware and gentoo; so this initiative is a Good Thing.

As far as stealing users from windows; So Freaking What? The important thing is that people discover there are alternatives to using Windows and hopefully also discover the advantages of Free Software along the way.

Re:Why not OpenBSD. (4, Funny)

Mr. Underbridge (666784) | about 9 years ago | (#13668529)

So that's why OpenBSD is so secure - nothing runs on it. ;)

Slashdot Groupthink in Effect (0)

Anonymous Coward | about 9 years ago | (#13668651)

Suggest that Linux not be the best solution [slashdot.org] , -1 Flamebait. Make inaccurate and unfounded statements about OpenBSD, +3 Funny.

Re:Why not OpenBSD. (0)

Anonymous Coward | about 9 years ago | (#13668721)

$ find /usr/ports -type d -mindepth 2 -maxdepth 2 |grep -v CVS |wc -l
2308
pkg_info |wc -l
216
How many applications does one need anyway? That's my desktop machine, which runs OpenBSD 3.7, with fluxbox, gkrellm, links-2, firefox, etc.
Besides the ports and packages, a lot of other stuff compiles fine with "./configure --prefix=/usr/local/stow; make; make install". Some need minor tweaks and then work fine. Some don't work at all because they're hardcoded for Linux, and then those softwares don't run on any BSD, or Solaris, or OS/X... I tend to stick with softwares I can run on any machine I end up having to use (even if that means using Cygwin in win32).
Also it's worth noting that the base OpenBSD install (without any ports/packages) is quite comfortable already, and has the most common daemons you might need (including apache), several text editors, a good shell (ksh), and anything you might expect to find on a Unix box. The ports/packages are just icing on the cake.

Re:Why not OpenBSD. (1)

Homology (639438) | about 9 years ago | (#13668826)

$ find /usr/ports -type d -mindepth 2 -maxdepth 2 |grep -v CVS |wc -l
2308
pkg_info |wc -l
216

How many applications does one need anyway? That's my desktop machine, which runs OpenBSD 3.7, with fluxbox, gkrellm, links-2, firefox, etc.

I don't really understand the people who choose an OS because of the number of applications available. What is important is that the applications that you, as a user, need are available.

Re:Why not OpenBSD. (1)

Homology (639438) | about 9 years ago | (#13668862)

Yadda, yadda, someday I might learn to use "preview" before hitting submit:
$ find /usr/ports -type d -mindepth 2 -maxdepth 2 |grep -v CVS |wc -l
2308
pkg_info |wc -l
216

How many applications does one need anyway? That's my desktop machine, which runs OpenBSD 3.7, with fluxbox, gkrellm, links-2, firefox, etc.

I don't really understand the people who choose an OS because of the number of applications available. What is important is that the applications that you, as a user, need are available.

Re:Why not OpenBSD. (0)

Zemplar (764598) | about 9 years ago | (#13668830)

Or just use Solaris 10 now and have OpenBSD level of security and wide Linux application availability.

More secure than BSD? (1, Funny)

Anonymous Coward | about 9 years ago | (#13668480)

Oh wait, nevermind . . .

Is it just me? (0, Troll)

FragHARD (640825) | about 9 years ago | (#13668542)

Or does this sound just like m$, and their constant rant about security, increasing security, and more security.... When all the while security is just non-existent (at least with m$)

There is a God! (1)

fragmentate (908035) | about 9 years ago | (#13668563)

MS-Windows is NOT in this exclusive group.

I'm both shocked, and amazed since most "exclusive groups" answer to the almighty dollar and not the true nature of their goals. Which, in this case, is "security."

I still see the rumors fly about Redhat being a sieve with regards to security. I've always used both Redhat and Slackware, and frankly haven't seen it. Is this the end of the accusations? Will this stop the inflammatory remarks in the my Penix is better than your Penix flame-wars? I say no! A Zealot is a Zealot.

San Dimas High School Football Rules!

Re:There is a God! (0)

Anonymous Coward | about 9 years ago | (#13668855)

I say no! A Zealot is a Zealot.

Indeed. A true Zealot will never hesitate to lay down his life for Aiur. En taro Adun!

In other news (4, Funny)

$RANDOMLUSER (804576) | about 9 years ago | (#13668570)

Microsoft says it plans to create and ship the most secure version of Windows.

Re:In other news (1)

Jambon (880922) | about 9 years ago | (#13668968)

Microsoft says it plans to create and ship the most secure version of Windows.

The only catch is the security guarantee is null after you take it out of the box.

Re:In other news (1)

Strixy (753449) | about 9 years ago | (#13668973)

Yes... just like "light" cigarettes are "lighter" than the same brand's "regular" cigarettes.

The new Windows will be more secure (than the last Windows) and the new Red Hat will be more secure (than the last Red Hat).

Does this effort make either of them the most secure on the market with respect to all other OS's (or is that OSi ?) available?

Not by a long shot.

Secure operating systems... (5, Interesting)

Anonymous Coward | about 9 years ago | (#13668601)

First off, I should let it be known that I am a BSD fan, and not a Linux one. However, despite my many issues with Red Hat and Fedora Core, they have been integrating some really cool stuff of late, things I had wanted to have easy access to in a open source operating system for some time, such as the SELinux functionality.

It's absolutely fantastic work they are doing; making SELinux a default in their systems in meaningful ways, while at the same time, doing their damnedest to make it as transparent as possible to the everyday user. No one else is doing that. OpenBSD are the kings of UNIX quality control, but they offer nothing in the way of mandatory access controls. FreeBSD has comparable technology in the form of the TrustedBSD MAC Framework (which is excellent), but they are not yet offering security policies that are transparent to ordinary users of the system, and like SELinux in most distributions that support it, it's a pain to set up correctly.

Now if only they (Fedora especially) would ship a basic "desktop install" on *one* CD image instead of requiring 2-4 CDs, my major gripes with their software would go away completely. This kind of hardcore but transparent security is most definitely needed by everybody today, and right now, only Red Hat and the Fedora Project are providing it. As much as I prefer the saner development methodologies and more well thought out kernel architectures provided by the various BSDs, in an online world as inherently dangerous as our own, employing an operating system that supports these security technologies is the only real way to go.

Come on FreeBSD! What are you waiting for? Keep up the (mostly) good work Fedora people!

Re:Secure operating systems... (1)

Mr2cents (323101) | about 9 years ago | (#13668728)

So your biggest problem is that it has 2-4 CDs chock-full of applications? I don't get it..

Re:Secure operating systems... (0)

Anonymous Coward | about 9 years ago | (#13668771)

I am poor (recently graduated from college). I cannot afford more CDs (little income, many bills), and I do not have enough rewritables to spare for a basic desktop install ala Fedora (most of the rewritables are used for actual data, not OSes).

Not to mention the ridiculous waste of time and bandwidth required to download such a behemoth.

Everyone (Fedora users and the project itself) would be better served if they had a saner distribution method.

Re:Secure operating systems... (1)

GigsVT (208848) | about 9 years ago | (#13668971)

You can afford a $300-$1000 computer but you can't afford 4 CD-Rs at 10 cents each?

Re:Secure operating systems... (1)

99BottlesOfBeerInMyF (813746) | about 9 years ago | (#13668925)

I agree completely. I've been asking for some of these features with good defaults and a user friendly configuration on a usable desktop for years. Right now, only the most security conscious are looking to these systems, but as security tightens in general this type of system will become more and more needed. I still have my doubts that this sort of system will gain any popularity until newer versions of Windows manage to take significant market share and remove some of the lowest hanging fruit for malware authors. It would certainly be nice to have a time-tested and well refined system by then though.

Re:Secure operating systems... (0)

Anonymous Coward | about 9 years ago | (#13668929)

Now if only they (Fedora especially) would ship a basic "desktop install" on *one* CD image

Pretty sure people are working on this. If you are interested in getting involved with development of such a solution in the Fedora space please take a moment and look at:
http://fedoraproject.org/wiki/Kadischi [fedoraproject.org]
and read up on discussions at: https://www.redhat.com/mailman/listinfo/fedora-livecd-list [redhat.com]

Trustix (4, Informative)

Rinisari (521266) | about 9 years ago | (#13668603)

Trustix Secure Linux [trustix.org] has been one of the most secure distributions since its inception. No services are on by default and only a minimal install is needed most of the time. Updates come out seemingly hourly (more like daily) and it's one of the smoothest and securest server operating systems out there. If you're looking for desktop, you're not going to find it with Trustix. I've been using it as my main server distribution for ~3 years without a single problem.

Re:Trustix (1)

Erwos (553607) | about 9 years ago | (#13668708)

"it's one of the smoothest and securest server operating systems out there"

I really doubt you can actually quantify this in any sort of believable fashion.

And, in any event, they don't have nearly the breadth of support offerings Red Hat does. 24/5 email support - what a treat! Better hope nothing goes wrong on the weekend!

-Erwos

I have the most security... (2, Funny)

OctoberSky (888619) | about 9 years ago | (#13668642)

My Windows box has more security. It doesn't have internet. And it doesn't have an Enter key. Matter of fact, as long as I don't use it, don't let anyone else use it, and don't even turn it on, it's secure as Fort Knox.

Re:I have the most security... (2, Funny)

pharwell (854602) | about 9 years ago | (#13668674)

That's what you might think. But you're not taking into account the ninja hackers who boot up your PC while you sleep and install all sorts of nasty virii onto your machine. And they bring their own Enter keys!

History (3, Insightful)

eno2001 (527078) | about 9 years ago | (#13668659)

Titanic... couldn't be sunk
Windows 2000... unhackable
RedHat Server 2007... uncrackable

Don't think so...

That is all.

Re:History (1)

Nosf3ratu (702029) | about 9 years ago | (#13668678)

Parent should be modded up, but won't be.

Re:History (1)

Donny Smith (567043) | about 9 years ago | (#13668963)

Don't forget:
Oracle ... Unbreakable

There are always tradeoffs (1)

m50d (797211) | about 9 years ago | (#13668687)

I think this is a bad idea. There are always tradeoffs between security and functionality, so a most secure linux will always be niche. There's a place for such distros, and the great thing about linux is that different distros can be made to suit anyone, but a distro trying to be mainstream like red hat should not aim to be the best at any one thing, because that means neglecting other important things.

Most secure? Jabba's ass! (1, Funny)

Anonymous Coward | about 9 years ago | (#13668688)

They think they are so smart, encasing the distro CD in carbonite and placing 3 green pigfaced guards to keep it safe. But all it takes is ONE Organian rebel princess in a star trek Breen mask [m-nomura.com] with a raspy voice to defeat it.

But Red Hat you were the chosen one ... (1)

Moulinneuf (844899) | about 9 years ago | (#13668690)

I don't like Red Hat, and this is in part why: they may seem good in theory, but they never fully embrace Open Source and what the GPL is all about.

Red Hat has blocked GNU/Linux on the desktop for years because they're not ready at all and probably never will be.

They're also one of the few major distributions to not at least somewhat fully support KDE (yes, they compile it, but it's not the same as their Gnome effort).

Trusted computing is something really bad; everyone says it's bad, yet everyone will be forced to play by it.

But can we trust them? (4, Funny)

ValuJet (587148) | about 9 years ago | (#13668706)

I like the idea of trusted computing [gnu.org] . It gives me this warm fuzzy feeling all the way down to my toes. Sure security is an ok word, but I like how the word trust makes me feel even more.

ok (0)

Anonymous Coward | about 9 years ago | (#13668747)

I use windows xp how does this affect me?

Secure desktops (3, Interesting)

shudde (915065) | about 9 years ago | (#13668774)

There are already a number of quality server distributions out there with security tools like SELinux, GRSecurity and PaX, but it will be interesting to see Redhat contribute to the mix. Personally, I use a number of modified Redhat patches while building HLFS-based systems.

While this is undoubtedly off-topic, what I really want to see (and continually try to create) is a desktop system with some of these advanced security concepts enabled. The problem seems to be finding the right balance between security and ease-of-use, it's a lot easier to create a server with non-standard access control than an xorg/KDE desktop.

Contributing to this problem (at least in my experience) are the documentation problems. These can occur in many opensource projects but seem to be magnified in security projects. Even with a fair working knowledge of relevant areas, incomplete and esoteric documentation provides a stumbling block for a lot of us.

I really don't want to troll, but... (2, Insightful)

Landak (798221) | about 9 years ago | (#13668786)

To me, the whole idea of one distro magically becoming more secure than another is slightly strange - it's not really so much the kernel itself - it's what's on top of the kernel, the default install, uh, defaults, and the entire chain-of-trust on top of that. Any production server *should* be competently administered - and locked down fairly tight (e.g. NOT running an nwn dæmon, as a certain webserver I've come across did due to the sysadmin thinking he could get away with it....), and then the only security troubles you'll come up against are those that are totally PEBKAC. (Yes, I know most security problems lie BKAC, but this really does seem to me nothing other than a /. sponsored PR-stunt...)

The flipside of this is linux on the desktop - which is where redhat could earn this title. However, all that really means is making sure wine is b0rken enough with windows viruses, not allowing samba or ssh access from outside the local subnet, and removing all instances of "rm -rf /" from the man pages....

But SELinux SUCKS for enterprise (0, Troll)

melted (227442) | about 9 years ago | (#13668860)

Here's a simple task that you CAN'T do with SELinux: set up Apache and Samba so that Apache's html directory is shared using samba. Should be simple, right? Bzzt. Wrong answer. You will have to either turn off SELinux for Samba or for Apache, you can't protect both because they need to access the same files. From what I've seen, most people just turn SELinux off.

Now, from theoretical security standpoint this totally makes sense - you can't guarantee complete isolation between two apps if both access the same set of files and one of them can write. However, in the real world this is a nightmare. SELinux folks rightfully refuse to fix this - they've created SELinux for an entirely different purpose - to build verifiably secure systems, even if they can't run Apache on them.

What Linux needs is a proper ACL implementation a-la Windows (don't laugh - they have a really good one) or Mac OS X.

Re:But SELinux SUCKS for enterprise (4, Interesting)

sabat (23293) | about 9 years ago | (#13668961)

Sure you can do it. Samba and Apache just have to be part of the same security domain. Study up, boy.

Re:But SELinux SUCKS for enterprise (1, Interesting)

Anonymous Coward | about 9 years ago | (#13668970)

Actually you can allow this if you write your own SElinux policy, which can actually be quite easy. Maybe spend a few minutes reading the man page of audit2allow perhaps ?

Ignorance is no excuse.
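
The replies above point to audit2allow for the shared Apache/Samba directory. As an added example (not part of the thread and not audit2allow's own source), this Python code turns AVC denial records into candidate allow rules in the same style and flags the ones that grant write-type access; the log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the thread): smbd touching
# files labelled for Apache, in both the plain and the MLS-suffixed context form.
SAMPLE_LOG = """\
type=AVC msg=audit(1127923200.101:45): avc:  denied  { read } for  pid=2301 comm="smbd" name="index.html" dev=hda2 ino=12345 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
type=AVC msg=audit(1127923200.102:46): avc:  denied  { getattr } for  pid=2301 comm="smbd" name="index.html" dev=hda2 ino=12345 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
type=AVC msg=audit(1127923200.200:47): avc:  denied  { search } for  pid=2301 comm="smbd" name="html" dev=hda2 ino=12000 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1127923200.300:48): avc:  denied  { write } for  pid=2301 comm="smbd" name="index.html" dev=hda2 ino=12345 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
type=AVC msg=audit(1127923200.350:49): avc:  granted  { read } for  pid=2400 comm="httpd" name="index.html" dev=hda2 ino=12345 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
type=SYSCALL msg=audit(1127923200.400:50): arch=40000003 syscall=5 success=no exit=-13 comm="smbd"
"""

# Only "denied" records produce rules; "granted" records and other types are skipped.
AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that let the source domain change the target object.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]


def parse_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_DENIED.search(line)
        if not m:
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def allow_rules(denials):
    """Render one allow rule per (source, target, class), permissions merged."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules


def needs_review(denials):
    """Return the keys whose rule would grant a write-type permission."""
    return sorted(k for k, perms in denials.items() if perms & WRITE_PERMS)


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for rule in allow_rules(found):
        print(rule)
    for src, tgt, tclass in needs_review(found):
        print(f"# review: {src} gains write-type access to {tgt}:{tclass}")
```

Loading such rules widens smbd_t's access to everything labelled httpd_sys_content_t, so each generated rule is worth reading before it goes into a policy module.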

Secure and Useful (1, Interesting)

Anonymous Coward | about 9 years ago | (#13668875)

What everyone seems to be missing here is that unlike BSD or the other so called secure Linux distros out there, when you install RedHat you actually have a usable platform from the get go. What is the point of having this ultra secure Linux server which has all services turned off by default. Not a very useful server if you ask me. And while I like BSD, it does not have the software base available for it that RedHat does. Perhaps for the random home user none of this matters, but to anyone going to deploy hundreds of Linux systems, this all makes a huge difference.

Summary: RedHat delivers both a secure and a usable Linux distro which is easily supportable and reproducible.

Common Criteria evaluation is mostly worthless (3, Insightful)

Wesley Felter (138342) | about 9 years ago | (#13668969)

Looks like it's time to trot out this link again:

Jonathan S. Shapiro, Ph.D: Understanding the Windows (and Red Hat) EAL4 Evaluation. [jhu.edu]

"In the case of CAPP, an EAL4 evaluation tells you everything you need to know. It tells you that Microsoft (Red Hat) spent millions of dollars producing documentation that shows that Windows 2000 (RHEL 5) meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case."

Granted, RHEL is being evaluated for LSPP as well, but EAL4 is still weak.

All the comments about OpenBSD are missing the point: Common Criteria isn't about actual security; it's about security documentation. It's also about certain government purchasing requirements. Nothing to see here.