From: engarde-announce-admins@linuxsecurity.com
To: engarde-announce@engardelinux.org
Subject: EnGarde Secure Newswire - Aug/Sept
Date: Tue, 28 Aug 2001 19:08:05 -0400 (EDT)

+---------------------------------------------------------------------+
|                EnGarde Secure Linux Monthly Newswire                |
|  August 28, 2001                                          Issue #2  |
|                                                                     |
|  http://www.EnGardeLinux.org                 info@engardelinux.org  |
+---------------------------------------------------------------------+

Welcome to the EnGarde Secure Newswire! This monthly newsletter
contains details on EnGarde development, usage tips, news & reviews
pertaining to EnGarde, and information on the latest software released
by Guardian Digital for EnGarde.

EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection,
Web-based secure remote management, complete e-commerce using
AllCommerce, and integrated open source security tools.

In the time since our previous Newswire, EnGarde has received
additional critical acclaim for its security, ease of use, features,
and versatility. "The system is very secure, very focused on security,
and is easy to manage," writes Daniel Christle of the Duke of URL.

Read on for the latest news and reviews, information for EnGarde
developers, the best QuickTips of the month, info from Guardian Digital
on the future of EnGarde, and how to get started using EnGarde if
you're new to the world of secure Linux computing!

Guardian Digital is the original open source security company, and
sponsor of EnGarde Secure Linux. Security is pervasive. No longer can
an organization operate on the Internet without concern for security,
and leveraging open source is one component of an overall secure
infrastructure.

---------------------------
Translated Versions in HTML

  English:
    http://www.engardelinux.org/news/newswire-08-en.html

  Portuguese: [ Courtesy LinuxSecurity.com.br ]
    http://www.engardelinux.org/news/newswire-08-pt.html

  Spanish: [ Courtesy Erich Brown ]
    http://www.engardelinux.org/news/newswire-08-es.html

In the spirit of the Open Source community, we want your feedback!
Since EnGarde was released, we have accumulated thousands of requests
for additional features, suggestions for improved usability, and
contributed software and documentation.

Guardian Digital is continually making improvements to EnGarde, and
with your input the next release will be even more secure, include
more features, and be faster than the current release!

Send a note to contribute@engardelinux.org if you have an idea to
improve EnGarde, or would like to participate in development.

--------------------
EnGarde in the News!

For such a young distribution, we're honored to have received so much
press coverage recently, recognizing EnGarde for its maturity,
stability, and best of all, security. If you've found a mention of
EnGarde in the press, send it in! If you'd like a free copy to evaluate
for your user group or publication, drop us a line!

* Guardian Digital Announces Corporate Partnership Program

  "The Guardian Digital Partnership Program provides cost-effective
  tools to participating vendors for profitably deploying secure
  network solutions utilizing EnGarde Secure Linux and the Guardian
  Digital Linux Lockbox secure turnkey server appliance."

  http://www.engardelinux.org/press/affiliates-pr-071601.html

* The Duke of URL reviews EnGarde Secure Linux

  Great marks from the Duke of URL for "excellent documentation" and
  "the serious choice" for eBusiness.

  "The security features are intrusion detection (what system doesn't
  need this?), extensive system logging, and security policy
  enforcement. The intrusion detection is fine-grained and easy to
  setup.
  If a service is accessed by unauthorized means the administrator is
  notified immediately. It's just a matter of clicking a few options
  and things are completely set up. You can also restrict the commands
  that a user may access."

  http://www.thedukeofurl.org/reviews/misc/engarde101/printable.shtml

* EnGardeLinux.com Named Site of the Week!

  The largest repository of open source computer security programs
  recently honored EnGarde with its "Site of the Week" award. We would
  like to thank our friends at PacketStorm for the prestigious honor.

  http://www.linuxsecurity.com/articles/projects_article-3478.html

* Were you affected by Code Red?

  If you were using Linux you weren't. The most recent security
  vulnerability to afflict Microsoft web servers spread fast and
  became more of a hindrance to Linux users. The EnGarde community
  created a fun PHP script that determined how many times their web
  servers would have been attacked had they been using IIS. Counts
  nearing the thousands were reported, despite having an "unadvertised
  box", as one user reports.

  http://mail-archives.engardelinux.org/engarde-users/2001/Aug/0171.html

* Guardian Digital Announces Solutions Reseller Program

  The newly-formed Guardian Digital Solutions Reseller Program will
  empower you with the tools necessary to promote, sell and integrate
  Guardian Digital's solutions to the small and medium business,
  educational, ISP, and government markets. Interested in working with
  the Guardian Digital team and entering the world of secure Linux
  computing? Sign up today!

  http://www.engardelinux.org/reseller.html

-------------------------
EnGarde in the Enterprise

EnGarde is a stable, production-ready secure collection of open source
tools, coupled with the security and Linux expertise of Guardian
Digital. With the ability to support hundreds of virtual Internet
sites, SSL, and built-in intrusion detection, it makes for the perfect
solution in the enterprise. And it shows.

Bob Compton, Internet Consultant for San Diego System Services writes,
"It has also solved several of my security concerns ... I still have
problems with customers, web sites and bandwidth, but at least EnGarde
lets me concentrate on those troubles without handing me a whole other
list of problems. They've really put some thought into what a web
server should be and addressed that issue with EnGarde Linux."

Bob continues by saying that he "was using Turbo Linux Server for 2 web
servers and was having problems with configuring and maintaining
virtual hosts and e-mail forwarding as well as performance problems. I
read a few reviews of EnGarde Linux, bought a copy and installed it.
EnGarde solved ALL my performance issues since it doesn't even load X
or anything unrelated to being a web server."

Our fellow users in Europe can read a great review of EnGarde Secure
Linux in the September issue of the leading LinuxEnterprise Magazine.
"Guardian Digital takes up [security] and offers a small distribution,
whose focus is not only on security but also on simple operation."

  http://www.linuxenterprise.de

Guardian Digital offers a comprehensive suite of support options for
deploying EnGarde Secure Linux in your enterprise.

----------------
Development News

It is in the area of security where open source really shows its
benefits. The security benefits gained as a result of the "many eyes"
philosophy ensure even the smallest potential vulnerability will be
scrutinized and fixed quickly.

Recent discussions on the EnGarde mailing lists have improved the
filesystem quota feature, network intrusion detection using snort, and
even spam filtering! The creation of the engarde-dev@engardelinux.org
mailing list is a great gathering place for discussion of issues
pertaining to compiling your kernel, troubleshooting elusive encryption
issues, running Samba on EnGarde, and more!

Thanks to Jeff Baldwin, Linux and security developer for the University
of North Carolina and one of the community's most active participants,
we have a greatly improved mailing list archive site. Be sure to check
it out at http://mail-archives.engardelinux.org.

Share your intrusion detection, DNS security, encryption, or other area
of expertise with fellow EnGarde users, or feel free to ask our
developers list how to configure SSH to build a VPN, get Samba running,
or resolve any other issue you may be struggling with.

The Guardian Digital engineers have made great progress towards the
next release, and they expect to send it off to QA very soon. Greatly
improved intrusion detection, support for high-end RAID systems as well
as features appealing to home users, numerous encryption improvements,
and virtually spam-proof mail services are just a few of the
improvements for the next release!

-----------------
Obtaining EnGarde

Our list of EnGarde Secure Linux mirrors grows larger by the day. The
latest list of mirrors includes volunteers from all over the globe:

  - Australia
      ftp://karl.planetmirror.com/pub/engarde

  - Austria
      ftp://ftp.univie.ac.at/systems/linux/metalab/distributions/engarde

  - Germany
      ftp://ftp.tu-chemnitz.de/pub/linux/sunsite.unc-mirror/distributions/engarde
      ftp://ftp.informatik.rwth-aachen.de/pub/linux/sunsite.unc-mirror/distributions/engarde

  - Netherlands
      ftp://ftp.nluug.nl/vol/3/metalab/distributions/engarde/1.0.1/
      ftp://ftp.surfnet.nl/vol/3/metalab/distributions/engarde/1.0.1/

  - Portugal
      ftp://ftp.fct.unl.pt/.1p/linux/sunsite/distributions/engarde/1.0.1/

  - United States
      ftp://ftp.ibiblio.org/pub/linux/distributions/engarde
      ftp://ftp.lug.udel.edu/pub/linux/distributions/engarde
      http://rpmfind.net/linux/RPM/engarde/index.html
      http://www.linuxiso.org/engarde.html
      http://www.download.com/downloads

We're always seeking to increase our list of mirrors. Have some
bandwidth and the desire for serious security?
Send a note to mirrors@engardelinux.org.

-----------
Quick Tips!

The EnGardeLinux.org Web site has an ever-increasing knowledgebase of
tips for new and advanced users, pointers to security-related
documentation, tweaking EnGarde for your environment, and much more.

- Pete O'Hara, Postfix hacker, skydiver, and health nut, recently
  updated his authoritative document on using the Postfix secure mail
  server, and tips on how to improve it on EnGarde.

  http://www.linuxsecurity.com/feature_stories/feature_story-91.html

- What is a chroot, and why would I want to use it?

  Normally, network daemons have access to system devices, the
  filesystem, and standard system binaries and libraries. Using a
  "chroot jail", a process can be relegated to a specific region of the
  filesystem and only that region. This effectively limits the
  resources available to the particular program. Combined with running
  a daemon as a standard user and not as root, this adds a significant
  additional layer of security to the system. Should the daemon be
  compromised, it will still have a restricted view of the system,
  limiting the amount of damage that can be done.

  Nearly all of the daemons available on EnGarde have been configured
  to use chroot jails, including BIND, MySQL, Snort, and Postfix. See
  "EnGarde: The Design of the Secure Linux Platform" for more.

  http://ftp.engardelinux.org/pub/engarde/1.0.1/docs/EnGarde-Design.pdf

- How can I build packages to run on EnGarde?

  EnGarde includes by default only those packages necessary to operate
  a secure server on the Internet. It is recommended that an EnGarde
  development server be used to build RPMs for use with EnGarde. There
  are easy-to-follow directions available on the EnGarde Web site:

  http://www.engardelinux.org/building_howto.html

----------------
Software Updates

In the spirit of Open Source, we believe in the full-disclosure
security model, and regularly publish security vulnerabilities and
updates typically within hours of being publicized.
Included below are the security advisories released during the months
of July and August. Be sure to visit
http://www.engardelinux.org/advisories.html for further information and
past updates.

Package: openssl
ESA-20010709-01
July 09, 2001

  A weakness exists in the pseudo-random number generator (PRNG) in
  all versions of OpenSSL up to and including 0.9.6a. Given knowledge
  of past results of PRNG queries, an attacker can predict future
  results.

  ADVISORY:
  http://www.linuxsecurity.com/advisories/other_advisory-1483.html

Package: AllCommerce
ESA-20010711-01
July 11, 2001

  There is a temporary file creation vulnerability in AllCommerce
  which can allow an attacker to exploit a victim via a symlink attack
  as the 'webd' user.

  ADVISORY:
  http://www.linuxsecurity.com/advisories/other_advisory-1492.html

Package: sudo
ESA-20010711-02
July 11, 2001

  The configuration file for the sudo package which shipped with
  EnGarde Secure Linux 1.0.1 can allow users in the 'admin' group to
  gain elevated privileges by leveraging certain commands.

  ADVISORY:
  http://www.linuxsecurity.com/advisories/other_advisory-1493.html

Package: fetchmail-ssl
ESA-20010816-01
August 16, 2001

  There is a remotely exploitable memory overwrite vulnerability in
  the fetchmail-ssl package. An exploit is known to exist.

  ADVISORY:
  http://www.linuxsecurity.com/advisories/other_advisory-1555.html
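
The "What is a chroot" Quick Tip above combines a chroot jail with
running the daemon as a standard user. As an added example (not code
from EnGarde or Guardian Digital), this is a startup routine a daemon
could call to do both; the name enter_jail and the jail path, uid and
gid passed to it are assumptions chosen for illustration.

```c
/* Added example: confine a daemon to a chroot jail and give up root for good. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE         /* exposes chroot() and setgroups() in glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 once the process is jailed and unprivileged, -1 with errno set
 * otherwise. dir, uid and gid are supplied by the caller (hypothetical values). */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || uid == 0 || gid == 0) {
        errno = EINVAL;         /* root can leave a chroot, so refuse to stay root */
        return -1;
    }
    /* chdir() before chroot("."), then chdir("/"): no working directory
     * outside the jail is left behind for the process to walk back through. */
    if (chdir(dir) != 0 || chroot(".") != 0 || chdir("/") != 0)
        return -1;
    /* Order matters: supplementary groups and gid can only be changed while
     * still root, so the uid is dropped last. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is permanent: regaining root must fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <jail-dir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    /* An unparsable uid or gid becomes 0 and is rejected by enter_jail(). */
    if (enter_jail(argv[1], (uid_t)strtoul(argv[2], NULL, 10),
                   (gid_t)strtoul(argv[3], NULL, 10)) != 0) {
        perror("enter_jail");
        return 1;               /* never keep serving outside the jail */
    }
    printf("jailed: uid=%d gid=%d cwd=/\n", (int)getuid(), (int)getgid());
    return 0;
}
```

The program must be started as root, since only root may call chroot();
any file the daemon needs afterwards has to exist inside the jail
directory.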