March 29, 2006

Review: Trustix Secure Linux lives up to its name

Author: Aditya Nag

Trustix Secure Linux is an interesting distro for servers that is designed to be all about security. While Linux, in general, is fairly secure, a distro that focuses on security and stability from the ground up should be a good choice for Internet servers. In our testing, we found Trustix lives up to its intentions.

I downloaded the stable 2.2 release of Trustix. You can also download the new version, 3.0, which is based on the 2.6 series kernel. However, if your focus is security, Trustix suggests that you use the stable version. The 450MB ISO is easy to download, especially since it's available via BitTorrent.

Trustix concentrates on keeping it simple. You won't get a GUI or the latest bells and whistles. What you do get with Trustix is a small and secure distribution whose packages are built with IBM's Stack-Smashing Protector (SSP, also known as ProPolice), a GCC extension that places a canary value between a function's local buffers and its saved return address and aborts the program if that canary has been overwritten when the function returns. A stack-based buffer overflow in a system binary thus ends in a crash rather than in attacker-controlled code execution. Stack smashing is one of the most common exploit techniques, which is why several security-focused distros build with SSP by default. It does nothing for heap overflows, format-string bugs, or plain logic flaws, so it complements timely patching rather than replacing it.

The developers have kept the number of packages to a minimum by including only the basic server-specific packages. Trustix contains no graphical desktop and few userland tools.

Installation

The text-based Trustix installation has some interesting features. The first notable feature is the boot loader password, which you must enter before you can boot the system. Other distros have this option as well, but it's generally buried inside a few menus. Trustix makes it an integral part of the installation process and recommends that you set a password. Keep in mind what it protects against: someone with physical console access altering boot parameters, for instance to get a root shell in single-user mode. It does not help if the BIOS will still boot from removable media without a password of its own.

Another interesting feature is the package selection process. Trustix gives you various task-based options, such as providing a Web server with PHP 5 or PHP 4, a mail server, FTP server, firewall, and more. There are 19 task-specific package groups. I like that Trustix gives you a choice for the servers, such as between ProFTPD or vsftpd for FTP and Courier or Cyrus for messaging.

The rest of the install is fairly standard, simple, and fast. There are the usual options to partition your hard drive and set your time zone. I chose to install everything, and the 500MB installation took about 15 minutes on my Athlon 2400 with 1GB of RAM.

Security and use

After the installation finished, I updated the system using Trustix's swup tool. The command to upgrade is swup --upgrade. Just like APT and YUM, swup resolves dependencies, connects to the configured update servers, and generally does a good job of installation and updates. You can schedule it to run automatically every day.

A long list of updates is available, which is in keeping with Trustix's policy of releasing patches in a timely manner.

After I completed the update process, I ran a few security tests. A quick scan of the machine with Nmap showed that all the ports were closed. Most Linux distros enable SSH at least, but Trustix believes that admins should explicitly turn on whatever they need. On the flip side, the firewall is also disabled by default, which means that the moment you enable a service it is reachable from every network the machine is attached to. Configuring the packet filter belongs at the top of the post-install checklist.

After finding that all the ports were closed, I used the latest version of Nessus to search for any vulnerabilities. The results were encouraging, as Nessus couldn't find any vulnerabilities. That is the expected result for a host with no listening services: a remote scanner can only assess what it can reach, so this says little about local privilege-escalation bugs, but it does confirm that the default install exposes no attack surface over the network. By default, therefore, Trustix seems fairly secure.

Production servers will be running some network services, so I enabled Samba, Apache, Squid, BIND, and MySQL and tested again. Once again, Nessus and Nmap did not detect any major vulnerabilities. The expected ports were open, of course, but there were no significant configuration holes. Nessus gave a few warnings, but defined the risk as low in every case.
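The two scans above amount to one check: after enabling services, the only open ports should be the ones those services need. Below is an added example, not code from the article or from Trustix, that automates that comparison. It parses Nmap's grepable output (nmap -oG, whose port entries have the form port/state/protocol/owner/service/rpc/version/) and diffs the open TCP ports against an allowlist for the services enabled in the review. The scan text is a constructed sample, not a real scan result, and includes one port (8080) that nothing on the list should be listening on; the allowlist itself is an assumption about default port assignments.

```python
"""Audit an nmap -oG scan against the set of services we intended to expose."""
import re

# Constructed sample of nmap grepable output (NOT a real scan). The host runs
# BIND, Apache, Samba, Squid and MySQL as in the review, plus a stray listener
# on 8080 that should be flagged.
SAMPLE_SCAN = """\
# Nmap 4.01 scan initiated Wed Mar 29 10:00:00 2006 as: nmap -sS -p- -oG - 192.168.1.10
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3128/open/tcp//squid-http///, 3306/open/tcp//mysql///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65528)
# Nmap done at Wed Mar 29 10:00:30 2006 -- 1 IP address (1 host up) scanned in 30.12 seconds
"""

# Assumed TCP ports per enabled service (default assignments). A SYN scan does
# not cover UDP, so BIND's and Samba's UDP ports are deliberately not listed.
EXPECTED_TCP = {
    "bind": {53},
    "apache": {80},
    "samba": {139, 445},
    "squid": {3128},
    "mysql": {3306},
}

# port/state/protocol/ ... ; only the literal state "open" counts. Ambiguous
# states such as open|filtered contain '|' and therefore do not match \w+.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_open_ports(grepable):
    """Return {host: {(protocol, port), ...}} for every port nmap reports open.

    A host that appears only with a Status: line (nothing open) maps to an
    empty set, which is what a freshly installed Trustix box looks like.
    """
    result = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        open_ports = result.setdefault(host, set())
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue
        for entry in ports_field[len("Ports:"):].split(","):
            m = PORT_RE.match(entry.strip())
            if m and m.group(2) == "open":
                open_ports.add((m.group(3), int(m.group(1))))
    return result


def audit(open_ports, expected):
    """Compare one host's open ports with the allowlist.

    Returns (unexpected, missing): unexpected is a sorted list of open TCP
    ports that no listed service accounts for; missing maps service name to
    the sorted list of its ports that are not open (an enabled service that
    failed to start, or a firewall rule that is too tight).
    """
    open_tcp = {port for proto, port in open_ports if proto == "tcp"}
    allowed = set().union(*expected.values())
    unexpected = sorted(open_tcp - allowed)
    missing = {svc: sorted(ports - open_tcp) for svc, ports in expected.items()}
    missing = {svc: ports for svc, ports in missing.items() if ports}
    return unexpected, missing


if __name__ == "__main__":
    for host, ports in parse_open_ports(SAMPLE_SCAN).items():
        unexpected, missing = audit(ports, EXPECTED_TCP)
        print(f"{host}: unexpected open TCP ports {unexpected}, missing {missing}")
```

Run it against a live scan with nmap -sS -p- -oG - <host> piped into parse_open_ports; anything in the unexpected list is a service you did not knowingly enable, and a non-empty missing dict means a service you meant to expose is not actually reachable.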

A day after I updated, I ran the update again, and found 27 new patches available. Generally, the developers release patches for any new vulnerabilities within 24 hours; most of the patches are released within a few hours.

The SecurityFocus database lists several vulnerabilities for Trustix 2.2, but the few exploits that I tried didn't work. Since I tried the newest ones, this is a good sign.

The distro has a Web-based control panel called CP+, which allows you to configure various aspects of the system using a simple Web-based app. It's aimed toward ISPs and Web hosts, with specific options for creating virtual hosts, email forwards, FTP accounts, and the like. CP+ seems functional and easy enough to use.

Trustix does not have much official support or documentation. You have the usual support forums and the community wiki, but there's no real documentation in the form of official HOWTOs or guides. That said, the forums are friendly, and the developers often answer questions there. The wiki has a decent amount of content, though it is not well-organized. Of the two, I prefer the forums.

Conclusion

No operating system can claim to be completely secure. There will always be zero-day exploits, configuration errors, user errors, and other factors that can defeat the best security for any system. On the other hand, it's always good to start from a secure base and then add more security. Trustix provides a reliable and secure Linux distribution that you can build upon. There are no wasteful graphical displays and no wizards to set up your firewall. If you aren't comfortable with the command line, forget about Trustix.

Finally, Trustix is not the primary focus of Comodo, its parent company. If you expect a lot of support with comprehensive documentation, you're going to be disappointed. That said, Trustix does a good job of keeping your system up-to-date, and if you have the required experience, you'll find that it's a robust distro. As a simple server distro with a high level of security and customizability, Trustix is a worthy contender.

Category:

  • Linux