In the last six months, Linux has encountered some particularly nasty security problems, from temporary file vulnerabilities to buffer overflows. Linux vendors have scrambled to help ensure that your Linux system is secure. This is reactive security, though, and unfortunately, sometimes that isn’t enough when a problem hits your system before the solution is made available.
Some new distributions offer more proactive security. One is Immunix, a direct derivative of Red Hat. Produced by WireX Communications, Inc., Immunix boasts some heavy protection over a stock Red Hat installation through its StackGuard, FormatGuard, and SubDomain tools. I’ve taken a look at Immunix System 7, the newest version of Immunix that is shipping and publicly available. WireX says that Immunix will benefit public Web servers, e-commerce systems, mail servers, firewalls, security scanners, and authentication servers. I’d put these into two categories: mission-critical servers and public servers. The strong security countermeasures taken in Immunix System 7 are suitable for all of these.
Why would you want to move to or upgrade to Immunix System 7? About 95 percent of the system is derived straight from Red Hat, so if you’re moving from Red Hat to Immunix, it will feel very much like running the same distribution. But some very distinct differences make using Immunix a more pleasurable experience. One difference is that you will end up having to monitor or babysit your Immunix box less than a similar system running Red Hat. This is due to some of the hardening tools that make Immunix more secure by default and less vulnerable to attack. While Red Hat offers reactive security by providing security updates to known problems, Immunix offers more active security by building security into multiple layers, including the packages and the operating system. This isn’t to say that Immunix doesn’t provide updates for flawed programs; it does, and in a very timely fashion. However, in most cases these updates are not prompted by an immediate, exploitable threat, because Immunix’s hardening already defeats most of the common attack classes.
It’s nice to know that Immunix can repel attacks more easily than Red Hat, but you won’t take that assurance to heart until you know how and why. Let’s take a look at some of the special components that Immunix includes and uses and why these protect the system right out of the box.
The first version of Immunix used the StackGuard compiler as its sole claim to system protection. StackGuard compiles code that is hardened against “stack smashing” attacks, which are exploits via buffer overflows in programs. Because stack smashing takes advantage of such a common programming error, it is perhaps the most frequent form of penetration attack on any system. With StackGuard, compiled programs are largely immune to stack smashing attacks. The great thing about using StackGuard is that you do not need to change your source code at all to use it.
StackGuard monitors the programs that it compiles. When a vulnerable program is attacked, StackGuard detects the attack, raises an intrusion alert, and then halts the vulnerable program. This prevents the program from doing anything further, such as escaping to a root command prompt, which would provide the attacker with root access to your system.
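The detect-alert-halt sequence described above, shown as an added example (not StackGuard’s own code or frame layout): a struct stands in for a stack frame with a canary word placed between the local buffer and the saved return address, an unbounded copy plays the part of the buggy strcpy, and the epilogue check refuses to return when the canary has changed. The canary and return-address values are constructed placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a StackGuard-protected frame. StackGuard places a
 * "canary" word between a function's local buffers and its saved return
 * address, so a linear overflow must trample the canary before it can reach
 * the return address. This struct only illustrates that ordering; it is not
 * StackGuard's real frame layout. */
struct guarded_frame {
    char      buf[16];       /* the local buffer an attacker overflows */
    uint32_t  canary;        /* guard word inserted by the compiler */
    uintptr_t saved_return;  /* stands in for the saved return address */
};

#define CANARY_VALUE 0xCAFEF00Du  /* constructed; StackGuard uses a random or terminator canary */
#define RETURN_VALUE 0x401000u    /* constructed stand-in for a real return address */

/* What one call did to the frame, so the result can be inspected afterwards. */
struct copy_result {
    int canary_intact;   /* 1 if the guard word survived the copy */
    int return_intact;   /* 1 if the saved return address survived */
};

/* Reproduces the bug StackGuard defends against: an unbounded copy into a
 * fixed-size stack buffer. `len` bytes land in the frame starting at buf, so
 * anything beyond 16 bytes overwrites the canary and then the return address.
 * The length is clamped to sizeof(frame) so the model itself stays inside the
 * object and does not rely on undefined behaviour. */
struct copy_result unchecked_copy(const char *src, size_t len) {
    struct guarded_frame f;
    struct copy_result r;

    f.canary = CANARY_VALUE;            /* prologue: plant the canary */
    f.saved_return = RETURN_VALUE;

    if (len > sizeof f) len = sizeof f;
    memcpy(&f, src, len);               /* the vulnerable strcpy-style copy */

    /* epilogue: StackGuard compares the canary before returning */
    r.canary_intact = (f.canary == CANARY_VALUE);
    r.return_intact = (f.saved_return == RETURN_VALUE);
    return r;
}

/* The StackGuard epilogue decision: if the canary changed, raise the alert and
 * refuse to return through the (possibly attacker-controlled) address.
 * Returns 0 when the frame is clean, 1 when an overflow was detected. */
int stackguard_check(const char *src, size_t len) {
    struct copy_result r = unchecked_copy(src, len);
    if (!r.canary_intact) {
        fprintf(stderr, "StackGuard: canary corrupted, halting program\n");
        /* a real StackGuard epilogue logs the intrusion and aborts here */
        return 1;
    }
    return 0;
}

int main(void) {
    char benign[] = "anonymous";                                /* fits in 16 bytes */
    char oversized[48];
    memset(oversized, 'A', sizeof oversized);                   /* constructed oversized input */

    printf("benign input:    %s\n", stackguard_check(benign, sizeof benign) ? "DETECTED" : "clean");
    printf("oversized input: %s\n", stackguard_check(oversized, sizeof oversized) ? "DETECTED" : "clean");
    return 0;
}
```

Note the ordering: a 20-byte write already corrupts the canary while the return address is still intact, which is the point of placing the guard word below the return address.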
Programs that are not compiled with StackGuard tend to run slightly faster than those that are. In many cases the difference is a matter of milliseconds, and that small performance cost is offset by the extra protection StackGuard offers. You will probably never notice the difference between a StackGuard-protected program and one without that protection; Immunix provides a comparison chart.
Everything distributed with Immunix is compiled with StackGuard except the kernel. Because of the kernel’s complexity, and because it depends on stack frames being laid out in the usual way (which is exactly what StackGuard changes at compile time), you cannot StackGuard the kernel; doing so might render your system unable to boot. It is comforting to know, however, that every other part of the system is protected. The distribution even comes with a StackGuard-enabled egcs compiler, so any applications you compile on your Immunix system will be built with StackGuard. This means you can’t simply download a binary RPM built elsewhere and expect it to be protected; instead, download the source RPM and rebuild it on your Immunix system.
Another useful tool that WireX implemented in Immunix is FormatGuard, written as a direct response to the many format-string vulnerabilities discovered last year. Like StackGuard, FormatGuard protects programs from a widely known class of exploits against improperly written programs, including several well-known BIND bugs. Programs to be protected by FormatGuard must be compiled with it. For FormatGuard to be effective, it must be implemented as a patched version of glibc 2.2, because that is where the printf family of functions and their header files live. Immunix System 7 is completely protected with FormatGuard.
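The check FormatGuard performs, as an added example rather than FormatGuard’s or glibc’s own code: a format string is parsed to count how many arguments it will consume, and the call is refused when that count exceeds the number of arguments the caller supplied. The real FormatGuard obtains the argument count automatically with a preprocessor macro and performs the comparison inside the patched glibc; this constructed version takes the count as an explicit parameter, and its parser does not handle positional (`%1$d`) conversions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count how many arguments a printf-style format string will consume.
 * Each '*' width or precision takes one argument and each conversion takes
 * one; "%%" takes none. Positional ("%1$d") forms are not handled by this
 * constructed parser, and glibc's "%m" is over-counted (erring toward refusal). */
int count_conversions(const char *fmt) {
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;           /* literal percent sign */
        if (*p == '\0') break;             /* dangling '%' at end of string */
        /* flags, width, precision: a '*' here pulls an argument of its own */
        while (*p && strchr("-+ #0123456789.*'", *p)) {
            if (*p == '*') n++;
            p++;
        }
        /* length modifiers carry no argument */
        while (*p && strchr("hlLqjzt", *p)) p++;
        if (*p == '\0') break;
        n++;                               /* the conversion itself (d, s, x, n, ...) */
    }
    return n;
}

/* FormatGuard's rule: a call is safe when the format consumes no more
 * arguments than the caller actually passed. Fewer is harmless. */
int format_args_ok(const char *fmt, int nargs) {
    return count_conversions(fmt) <= nargs;
}

/* Guarded printf. `nargs` is the number of variadic arguments passed (the
 * real FormatGuard derives it with a macro at the call site). Returns what
 * printf returns, or -1 after logging when the format asks for more
 * arguments than were supplied. */
int guarded_printf(int nargs, const char *fmt, ...) {
    if (!format_args_ok(fmt, nargs)) {
        fprintf(stderr, "FormatGuard: format wants %d args, %d supplied; call refused\n",
                count_conversions(fmt), nargs);
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int written = vprintf(fmt, ap);
    va_end(ap);
    return written;
}

int main(void) {
    const char *user_input = "%x %x %x %n";             /* constructed hostile input */
    guarded_printf(1, "login from %s\n", "10.0.0.7");   /* 1 conversion, 1 arg: allowed */
    guarded_printf(0, user_input);                       /* the vulnerable pattern: refused */
    guarded_printf(1, "%s\n", user_input);               /* the correct pattern: input is data, not format */
    return 0;
}
```

The last two calls in `main` are the whole lesson: the same untrusted string is refused when it is used as the format and printed harmlessly when it is passed as a `%s` argument.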
The final tool that Immunix System 7 provides to protect your system with proactive security is SubDomain. This is a very cool program, one that anyone who has used chroot jails for programs will appreciate.
SubDomain is a kernel extension. It was designed to grant suspect programs the least privilege they need by confining each program to a specified set of activities: it lists the files a program may access and the operations the program may perform on them. This set of restrictions is referred to as a domain, and it is specified by the system administrator. SubDomain complements the kernel’s native access controls: for any file to be accessed, the request must first pass the native kernel access controls and then the SubDomain restrictions. If either check fails, access to the file in question is denied.
This is very similar to using a chroot jail for programs such as BIND or wu-ftpd, but it’s much easier to use. Instead of constructing a chroot environment by copying the files that the program will need to access, you simply define in /etc/subdomain which files a particular program may use. If wu-ftpd needs to use the ls program, you do not need to copy ls into the chroot jail; you simply define in your configuration file that wu-ftpd has access to ls. The configuration can be used to limit read, write, and execute permissions on files. You can even include a computed md5 hash of the file you are giving permission to. If the md5 hash in the configuration file doesn’t match the hash computed from the file about to run, access is denied. Pay attention when you upgrade programs, because their md5 hashes will change; if you don’t update the value in /etc/subdomain, your SubDomain-protected programs may not run correctly.
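The two-stage decision and the md5 caveat from the two paragraphs above, as an added example that is not SubDomain’s code and does not use the real /etc/subdomain syntax: a small constructed profile format (`<program> <path> <perms> [md5]`) is parsed, the kernel’s native check is modelled as a constructed table of what a root-owned daemon could do, and a file is accessible only when both the native check and the SubDomain rule allow it. The digest of the file is supplied by the caller (as md5sum would compute it); the hashes, paths and programs in the sample are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_RULES 16

/* One profile entry: which program may touch which path, how, and
 * (optionally) the md5 the file must have. Constructed layout, not the
 * real /etc/subdomain syntax. */
struct rule {
    char program[64];
    char path[128];
    char perms[4];    /* any of r, w, x */
    char md5[33];     /* hex digest, empty when the rule has no hash check */
};

struct profile {
    struct rule rules[MAX_RULES];
    int count;
};

/* Constructed sample profile: "<program> <path> <perms> [md5]" per line. */
static const char *sample_profile =
    "/usr/sbin/wu-ftpd /bin/ls x 0123456789abcdef0123456789abcdef\n"
    "/usr/sbin/wu-ftpd /var/ftp/pub r\n"
    "/usr/sbin/wu-ftpd /var/ftp/incoming rw\n"
    "/usr/sbin/named   /var/named r\n";

static struct profile g_profile;

/* Parse the profile text into g_profile; returns the number of rules loaded. */
int load_profile(const char *text) {
    g_profile.count = 0;
    const char *line = text;
    while (*line && g_profile.count < MAX_RULES) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        struct rule *r = &g_profile.rules[g_profile.count];
        r->md5[0] = '\0';                               /* no hash unless a 4th field is present */
        int n = sscanf(buf, "%63s %127s %3s %32s", r->program, r->path, r->perms, r->md5);
        if (n >= 3) g_profile.count++;

        if (!end) break;
        line = end + 1;
    }
    return g_profile.count;
}

/* Stage 1: the kernel's native permission check, modelled as a constructed
 * table of what the daemon's uid (root, for wu-ftpd) may do to each path. */
bool native_allows(const char *path, char op) {
    static const struct { const char *path; const char *perms; } native[] = {
        { "/bin/ls",           "rx" },
        { "/var/ftp/pub",      "r"  },
        { "/var/ftp/incoming", "rw" },
        { "/etc/shadow",       "rw" },   /* root may read it: the native check alone is not enough */
        { "/var/named",        "r"  },
    };
    for (size_t i = 0; i < sizeof native / sizeof native[0]; i++)
        if (strcmp(native[i].path, path) == 0)
            return strchr(native[i].perms, op) != NULL;
    return false;
}

/* Stage 2: the SubDomain check. `actual_md5` is the digest of the file as it
 * is now; it is only consulted when the rule carries an expected hash, so an
 * upgraded binary with a new digest is refused until the profile is updated. */
bool subdomain_allows(const char *program, const char *path, char op, const char *actual_md5) {
    for (int i = 0; i < g_profile.count; i++) {
        const struct rule *r = &g_profile.rules[i];
        if (strcmp(r->program, program) != 0 || strcmp(r->path, path) != 0)
            continue;
        if (strchr(r->perms, op) == NULL)
            return false;                               /* listed, but not for this operation */
        if (r->md5[0] != '\0' && (actual_md5 == NULL || strcmp(r->md5, actual_md5) != 0))
            return false;                               /* file changed since the profile was written */
        return true;
    }
    return false;                                       /* not in the domain at all: deny */
}

/* Both stages must pass: SubDomain complements the kernel's own controls. */
bool access_allowed(const char *program, const char *path, char op, const char *actual_md5) {
    return native_allows(path, op) && subdomain_allows(program, path, op, actual_md5);
}

int main(void) {
    load_profile(sample_profile);
    printf("wu-ftpd exec /bin/ls (hash matches):  %s\n",
           access_allowed("/usr/sbin/wu-ftpd", "/bin/ls", 'x', "0123456789abcdef0123456789abcdef") ? "allow" : "deny");
    printf("wu-ftpd exec /bin/ls (after upgrade): %s\n",
           access_allowed("/usr/sbin/wu-ftpd", "/bin/ls", 'x', "ffffffffffffffffffffffffffffffff") ? "allow" : "deny");
    printf("wu-ftpd read /etc/shadow:             %s\n",
           access_allowed("/usr/sbin/wu-ftpd", "/etc/shadow", 'r', NULL) ? "allow" : "deny");
    return 0;
}
```

The /etc/shadow case is the one to notice: the native check passes because the daemon runs as root, and only the SubDomain stage denies it, because the file is not in wu-ftpd’s domain. The second /bin/ls call shows the upgrade caveat from the text: a changed digest turns a permitted execution into a denial until the profile is updated.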
Having previously installed and played around with version 6.2, I was very impressed with the version 7 installation. It uses the Anaconda GUI installer from Red Hat, but this time, WireX has put its name all over it. With 6.2, you knew that you were installing Immunix but the text on the screen consistently said that you were installing Red Hat 6.2. I’m glad to see that WireX invested some time in customizing Anaconda in this regard.
If you’re familiar with a Red Hat install, Immunix will be a breeze. The installation screens are clean and easy to follow. During the install, you can select an installation mode: Server, Custom System, or Upgrade. There is no Workstation install class, as Immunix was meant to be a secure server system, not a desktop OS (although it can be used as one). A little further on, you can select which server type you want to run or a combination of the available classes: News Server, NFS Server, Web Server, or DNS Name Server.
You can also select which packages you want to install individually. This is where you can tailor the installation for a secure workstation. Browse the package list and you’ll see that there are a number of programs that would only be of interest if you were running a desktop. Unfortunately, Immunix does not come with GNOME or KDE, and you can only select from Enlightenment and FVWM2 as window managers. This is a strange selection, considering some other alternatives. I was puzzled as to why they chose the heaviest window manager out there (Enlightenment) and one of the most archaic (FVWM2).
While browsing the individual packages, I noticed that PostgreSQL is offered as a database server but MySQL isn’t offered. Like Red Hat, Immunix provides the OpenSSH tools and OpenSSL, so your cryptographic needs are directly met. It also includes the nmap scanner, which is nice, and the Kerberos system, with the Kerberized applications like PAM. It installs the latest version of BIND, 8.2.3, for which there are no known exploits. It was also nice to see that the kernel installed is 2.2.19, which is the most recent 2.2 or 2.4 kernel known to have no security problems.
Strangely enough, for a distribution preoccupied with security, the r tools are installed by default: rsh-server, rusers, rwho, etc. It is my opinion that the r tools should be abolished completely and certainly not installed by default.
The install itself went quickly, and soon enough, I was ready to reboot the system and take a look.
Upon booting, I noticed an error when lpd attempted to start (which was strange since I didn’t define any printers). Luckily, this problem with loading shared libraries was minor, considering the fact that I never planned to use the printer. I also noticed that the networking options I had configured during the install all stuck except the hostname of the machine, which reverted back to the default “localhost.localdomain” when I first booted after install.
The other odd thing I noticed had to do with X. Immunix is obviously meant to be a server distribution. The strange thing is that it installed xfs, the X Font Server, from XFree86 4.0.1 as well as the XFree86 4.0.1 libraries. Along with this, it installed the Mach64 drivers for my video card but for XFree86 version 3.3.6. However, despite this odd mixture of X versions, no X server was installed.
Having wu-ftpd enabled by default also didn’t impress me much. Strangely enough, even though I selected the DNS Name Server installation class, BIND did not start at bootup.
Immunix has taken the bad from Red Hat along with the good. Almost every daemon on the system was started during boot. When you don’t have an X server, there isn’t much point in starting xfs; when you don’t have a printer defined, why start lpd? It would be a good idea to minimize the number of services running or allow the user to select which services to start during the installation.
The benefits of using Immunix over Red Hat should be evident. The tools provided by Immunix are impressive and well designed and provide added layers of protection to your system so that you are protected before you are attacked. This kind of proactive security is something that all distributions should be using.
If you use Red Hat, you can download the StackGuard, FormatGuard, and SubDomain tools to use with your existing installation. Unfortunately, to take advantage of them, you’ll spend a lot of time recompiling programs. By switching to Immunix, you won’t have to invest that time; all the compiling is done for you, and the OS is adequately protected. While there are no claims that using these tools will provide 100 percent system security, they provide much more security than most other distributions provide.
While there could definitely be some improvements to the distribution itself, the few problems and quirks I encountered were small enough that they can be easily fixed with some additional reconfiguring. The benefits of using Immunix and the associated security tools outweigh some small, post-install inconveniences.
All in all, if you are looking for a good Linux distribution for use on your server, you may want to consider and evaluate Immunix, especially if your first choice is to go with Red Hat. For a desktop OS protected by a firewall, Immunix may not be the best choice due to the lack of desktop tools.
Immunix System 7 recently became available for download and purchase; it retails for $100 U.S. Keep in mind that this new Immunix is based on Red Hat 7.0 and errata updates, so you will most likely need to apply some updates on installation.