March 11, 2008

After troublesome install, EnGarde proves it's secure

Author: Preston St. Pierre

EnGarde, a GNU/Linux-based operating system produced by Guardian Digital, aims to provide a secure system that is easy to manage from anywhere. Its philosophy of including only what you need to lessen possible vulnerabilities, combined with strict SELinux application policies and default configurations tuned for security, makes EnGarde an excellent base for a server -- though it's not without its problems.

The installer for EnGarde is a good old-fashioned text-based system, which you might expect from a distribution with EnGarde's aims. The first step upon booting is to set a password to be used for both root and WebTool, the Web-based administration tool, on the live CD. Next, you choose how you're assigned an IP address -- either DHCP, static, or no networking. The third decision is whether to launch the installer or the live CD. I note the order simply because the password that's required to be set in step one is not used if you run the installer, making it moot.

After selecting my language I was informed that pressing cancel at any point during the install would reboot the system -- there is no back button. You can choose automatic or manual disk partitioning, as you might expect. What you don't expect is the way the EnGarde manual partitioner works. You select the drive you wish to use, and EnGarde marks it as a clear drive, prompting you to add a boot, swap, and root partition in that empty space. However, I wished to use partitions I had already created. The Help button at this screen informed me that I could find additional documentation online and provided details about the buttons on the screen, but none of them allowed me to use existing partitions.


Not wanting to wipe my entire drive for EnGarde, I decided to cancel the install and check the documentation. There were a lot of how-to documents available for configuring various programs or carrying out tasks. The section under the Installer link, however, merely informed me that at this time there was no documentation available for the installer. I have since been in contact with a representative from Guardian Digital, who informed me that there is work being done on the installer and that the documentation for it is planned, but he gave me no estimated time.

There are also forums and a wiki available in addition to the main documentation, but I was not able to find a good install guide there either.

I ran the EnGarde installer again, this time on a system on which I could afford to have the drive wiped. After adding the partitions as prompted I came to the package selection screen, which offered options to install any or all of a database server, a DNS server, a firewall, mail services, network intrusion detection, or Web services. I chose all but the firewall for my install. I was then given the option to individually configure each of my network cards -- yet contrary to earlier claims by the installer, I was not given the option at this screen to choose DHCP. I instead had to use a static address. In doing so, because I intended to set up a local DNS server, I told my system to point to itself as a DNS server. I did not expect this would cause any problems, but that proved to be incorrect.

EnGarde copied the files quickly and I was shown a username and password screen for WebTool. I assumed that either this or the password I gave for the live CD at the beginning of the install would be my root password, as no other information about it was given. Upon first reboot I tried logging in to my system with both of the passwords, and neither worked. Puzzled, I opened up a Web browser and loaded the WebTool page using the username/password combo I had been given. WebTool then displayed a form that allowed me to perform the initial configuration on several aspects of the system, including setting the root password. At the top of the page, in what looked like a separate form, was the option to log in to the Guardian Digital network (and an option to register if you weren't already). However, upon filling out the initial configuration form and clicking submit, I was informed that I must log in to the Guardian Digital network before I could set any of that information. Yes, you heard me correctly -- EnGarde locks you out of your system until you register it. I wasn't told anywhere during the install or on the site that this would be the case. The distribution download was available without registration. Yet here I was, locked out of my own computer, forced to either register or overwrite the password from a live CD.


I was offended by the method used to enforce registration, but I was more or less obliged to do it at this point, which is probably what they're counting on. I clicked on the register button, but lo and behold, my system was unable to connect to the server. The error message it gave me, "Error creating account, please try again later and contact Guardian Digital if you have any further problems," was cryptic, but luckily I knew what the problem was. Remember back when I set the DNS server to localhost? My fault, yes, but I was never told that I would need to have Internet access from my machine in order to log in.

Changing the DNS server should have been the easiest thing in the world, but I couldn't edit the configuration file without being able to log in. I had to boot with a live CD to change it.
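The lockout above came from a resolver pointed at a host that was not yet serving DNS. The following pre-flight check is an added example, not code from the article or from EnGarde: it parses resolv.conf-style text, flags any nameserver that is this host itself, and confirms that something answers on port 53 before a step that depends on name resolution. The sample configuration is constructed to mirror the review's mistake; the `local` and `probe` parameters are hypothetical injection points so the check can be exercised without network access.

```python
"""Resolver pre-flight check (added example; not from the article or EnGarde).

Run before any step that needs working name resolution: parse the resolver
configuration, flag nameservers that point back at this host, and verify
that each listed server actually answers on the DNS port.
"""
import ipaddress
import socket

# Constructed /etc/resolv.conf mirroring the review: the host names itself as
# its only nameserver before any DNS service is running on it.
SAMPLE_RESOLV_CONF = """\
# constructed sample
search example.internal
nameserver 127.0.0.1
options timeout:2
"""


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        # resolv.conf treats '#' and ';' as comment markers
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def local_addresses():
    """Addresses that mean 'this host': loopback plus whatever the hostname resolves to."""
    addrs = {"127.0.0.1", "::1"}
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None):
            addrs.add(info[4][0])
    except OSError:
        pass  # hostname not resolvable; the loopback entries still apply
    return addrs


def dns_port_open(address, port=53, timeout=1.0):
    """TCP probe of the DNS port; most resolvers listen on TCP 53 as well as UDP."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_resolvers(text, local=None, probe=dns_port_open):
    """Return (nameserver, status) pairs; status is one of
    'ok', 'invalid', 'self-no-listener' or 'unreachable'.
    `local` and `probe` are injectable (assumed helpers) for offline use."""
    local = local_addresses() if local is None else local
    results = []
    for server in parse_nameservers(text):
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            results.append((server, "invalid"))
            continue
        answering = probe(server)
        if ip.is_loopback or server in local:
            # The review's case: the resolver is this machine, so unless a
            # DNS daemon is already up here, nothing will ever resolve.
            results.append((server, "ok" if answering else "self-no-listener"))
        else:
            results.append((server, "ok" if answering else "unreachable"))
    return results


def resolver_ready(text, **kw):
    """True when at least one configured nameserver is answering."""
    results = check_resolvers(text, **kw)
    return bool(results) and any(status == "ok" for _, status in results)


if __name__ == "__main__":
    for server, status in check_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{server}: {status}")
    print("resolution available:", resolver_ready(SAMPLE_RESOLV_CONF))
```

On a real host, feed it the contents of `/etc/resolv.conf` instead of the sample; a `self-no-listener` result before a registration or update step is exactly the condition that turned the review's cryptic "Error creating account" into a live-CD repair job.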

By now this was without a doubt the most trouble I had ever gone through from the time of inserting a Linux CD to the point where I could first log in. Finally my persistence paid off, and after registering for the Guardian Digital network I was able to set my root password and access my system.

Once past the initial configuration screen in WebTool, it became clear that I would only rarely, if ever, have to log in to the machine directly for regular maintenance. The install of EnGarde was painful and clunky, but WebTool is a work of art. The update module told me that my system was up-to-date, so I went through the easy process of setting up the various services I had installed, making sure to use as close to the default configuration as I could in order to test the professed security of the vanilla system.

After that the fun part started. I won't bore you with the details, but I tried through various means to break into the EnGarde system via the network. Any scans I did were picked up by Snort, logged, and made available through WebTool. My efforts were in vain, as I could locate no usable remote exploits against any running network services. I decided to go one step further and make myself a user account, then try to become root. I was not successful at this either. I make no claims at being a skilled cracker, but I have taken multiple security courses and I understand what is involved enough to be way beyond your average script kiddie. Guardian Digital has clearly taken steps to make the default system secure, even while it's running multiple services such as FTP, Web, database, and SMTP.
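The review notes that Snort picked up and logged every scan. The script below is an added example, not code from the article, from EnGarde or from Snort: it parses alert lines in Snort's "fast" alert format and rolls them up per source address so a scan (one source touching many distinct ports) stands out from a single stray alert. The alert lines are constructed to resemble a probe of the services the reviewer installed (FTP, SSH, SMTP, Web, database); the signature IDs and messages in them are placeholders, and the threshold in `scan_suspects` is an assumption.

```python
"""Per-source triage of Snort fast-alert lines (added example; not from the article or EnGarde).

Groups alerts by source address, tracks the distinct destination ports each
source touched and its most severe priority, and names sources that look
like port scans.
"""
import re
from collections import defaultdict

# Constructed sample alerts in Snort fast-alert format. Signature IDs
# (1:1000001 ...) and messages are placeholders, not real Snort rules.
SAMPLE_ALERTS = """\
03/11-14:02:11.000001  [**] [1:1000001:1] CONSTRUCTED probe ftp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40001 -> 198.51.100.5:21
03/11-14:02:11.000002  [**] [1:1000002:1] CONSTRUCTED probe ssh [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40002 -> 198.51.100.5:22
03/11-14:02:11.000003  [**] [1:1000003:1] CONSTRUCTED probe smtp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40003 -> 198.51.100.5:25
03/11-14:02:11.000004  [**] [1:1000004:1] CONSTRUCTED probe http [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40004 -> 198.51.100.5:80
03/11-14:02:11.000005  [**] [1:1000005:1] CONSTRUCTED probe https [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40005 -> 198.51.100.5:443
03/11-14:02:11.000006  [**] [1:1000006:1] CONSTRUCTED probe mysql [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40006 -> 198.51.100.5:3306
03/11-14:05:30.000007  [**] [1:1000007:1] CONSTRUCTED ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.5
"""

# Fast-alert layout: timestamp [**] [gid:sid:rev] message [**] [Classification: ...]
# [Priority: n] {PROTO} src -> dst. Classification is optional in Snort's output.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def split_endpoint(endpoint):
    """'192.0.2.10:40001' -> ('192.0.2.10', 40001); ICMP endpoints carry no port.
    Assumes IPv4 endpoints, as in the sample."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_alerts(text):
    """Parse fast-alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT_RE.match(line.strip())
        if m is None:
            continue
        d = m.groupdict()
        src_ip, src_port = split_endpoint(d["src"])
        dst_ip, dst_port = split_endpoint(d["dst"])
        alerts.append({
            "ts": d["ts"], "sid": int(d["sid"]), "msg": d["msg"],
            "classification": d["cls"], "priority": int(d["prio"]),
            "proto": d["proto"], "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
        })
    return alerts


def summarize_by_source(alerts):
    """Aggregate alerts per source IP: count, distinct destination ports,
    most severe priority (Snort's priority 1 is the most severe)."""
    summary = defaultdict(lambda: {"alerts": 0, "dst_ports": set(),
                                   "highest_priority": None, "messages": set()})
    for a in alerts:
        s = summary[a["src_ip"]]
        s["alerts"] += 1
        if a["dst_port"] is not None:
            s["dst_ports"].add(a["dst_port"])
        if s["highest_priority"] is None or a["priority"] < s["highest_priority"]:
            s["highest_priority"] = a["priority"]
        s["messages"].add(a["msg"])
    return dict(summary)


def scan_suspects(summary, min_distinct_ports=5):
    """Sources that touched at least `min_distinct_ports` distinct destination
    ports (threshold is an assumption; tune it to the host's service count)."""
    return sorted(src for src, s in summary.items()
                  if len(s["dst_ports"]) >= min_distinct_ports)


if __name__ == "__main__":
    summary = summarize_by_source(parse_alerts(SAMPLE_ALERTS))
    for src, s in sorted(summary.items()):
        print(f"{src}: {s['alerts']} alerts, ports {sorted(s['dst_ports'])}, "
              f"top priority {s['highest_priority']}")
    print("scan suspects:", scan_suspects(summary))
```

On a live system the same functions can be pointed at Snort's alert file instead of the sample; the per-source rollup is the view WebTool gave the reviewer, and the distinct-port count is what separates a sweep of the listening services from a single noisy packet.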

Once installed, EnGarde proved itself as a secure, easily manageable server. Overall, EnGarde seems to be very good at what it claims to do: security and easy administration. They left out the part about the awful install and required registration, but if you can get past that, it's all gravy.
