From:	 engarde-announce-admins@linuxsecurity.com
To:	 engarde-announce@engardelinux.org
Subject: EnGarde Secure Newswire - Aug/Sept
Date:	 Tue, 28 Aug 2001 19:08:05 -0400 (EDT)

+---------------------------------------------------------------------+
|  EnGarde Secure Linux                         Monthly Newswire      |
|  August 28, 2001                              Issue #2              |
|                                                                     |
|  http://www.EnGardeLinux.org                  info@engardelinux.org |
+---------------------------------------------------------------------+

Welcome to the EnGarde Secure Newswire! This monthly newsletter contains
details on EnGarde development, usage tips, news & reviews pertaining to
EnGarde, and information on the latest software released by Guardian
Digital for EnGarde.

EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web based
secure remote management, complete e-commerce using AllCommerce, and
integrated open source security tools.

In the time since our previous Newswire, EnGarde has received additional
critical acclaim for its security, ease of use, features, and versatility.
"The system is very secure, very focused on security, and is easy to
manage," writes Daniel Christle of the Duke of URL.

Read on for the latest news and reviews, information for EnGarde
developers, the best QuickTips of the month, info from Guardian Digital on
the future of EnGarde, and how to get started using EnGarde if you're new
to the world of secure Linux computing!

Guardian Digital is the original open source security company, and
sponsors of EnGarde Secure Linux. Security is pervasive. No longer can an
organization operate on the Internet without concern for security, and
leveraging open source is one component of an overall secure
infrastructure.


---------------------------
Translated Versions in HTML

English:
http://www.engardelinux.org/news/newswire-08-en.html

Portuguese: [ Courtesy LinuxSecurity.com.br ]
http://www.engardelinux.org/news/newswire-08-pt.html

Spanish: [ Courtesy Erich Brown ]
http://www.engardelinux.org/news/newswire-08-es.html

In the spirit of the Open Source community, we want your feedback!  Since
EnGarde was released, we have accumulated thousands of requests for
additional features, suggestions for improved usability, and contributed
software and documentation. Guardian Digital is continually making
improvements to EnGarde, and with your input the next release will be even
more secure, include more features, and be faster than the current release!
Send a note to contribute@engardelinux.org if you have an idea to improve
EnGarde, or would like to participate in development.


--------------------
EnGarde in the News!

For such a young distribution, we're honored to have received so much
press coverage recently, awarding EnGarde for its maturity, stability, and
best of all, security. If you've found a mention of EnGarde in the press,
send it in! If you'd like a free copy to evaluate for your user group or
publication, drop us a line!

* Guardian Digital Announces Corporate Partnership Program

"The Guardian Digital Partnership Program provides cost-effective tools to
participating vendors for profitably deploying secure network solutions
utilizing EnGarde Secure Linux and the Guardian Digital Linux Lockbox
secure turnkey server appliance."

http://www.engardelinux.org/press/affiliates-pr-071601.html

* The Duke of URL reviews EnGarde Secure Linux

Great marks from the Duke of URL for "excellent documentation" and "the
serious choice" for eBusiness.

"The security features are intrusion detection (what system doesn't need
this?), extensive system logging, and security policy enforcement.  The
intrusion detection is fine-grained and easy to setup. If a service is
accessed by unauthorized means the administrator is notified immediately.

It's just a matter of clicking a few options and things are completely set
up. You can also restrict the commands that a user may access."

http://www.thedukeofurl.org/reviews/misc/engarde101/printable.shtml

* EnGardeLinux.com Named Site of the Week!

The largest repository of open source computer security programs recently
honored EnGarde with its "Site of the Week" award.  We would like to thank
our friends at PacketStorm for the prestigious honor.

http://www.linuxsecurity.com/articles/projects_article-3478.html

* Were you affected by Code Red?

If you were using Linux you weren't. The most recent security
vulnerability to afflict Microsoft web servers spread fast and became more
of a hindrance to Linux users. The EnGarde community created a fun PHP
script that determined how many times their web servers would have been
attacked had they been using IIS. Counts nearing the thousands were
reported, despite having an "unadvertised box", as one user reports.

http://mail-archives.engardelinux.org/engarde-users/2001/Aug/0171.html

* Guardian Digital Announces Solutions Reseller Program

The newly-formed Guardian Digital Solutions Reseller Program will empower
you with the tools necessary to promote, sell and integrate Guardian
Digital's solutions to the small and medium business, educational, ISP,
and government markets.  Interested in working with the Guardian Digital
team and entering the world of secure Linux computing?

Sign up today! http://www.engardelinux.org/reseller.html

-------------------------
EnGarde in the Enterprise

EnGarde is a stable, production-ready secure collection of open source
tools, coupled with the security and Linux expertise of Guardian Digital.
With the ability to support hundreds of virtual Internet sites, SSL, and
built-in intrusion detection, it makes for the perfect solution in the
enterprise.

And it shows. Bob Compton, Internet Consultant for San Diego System
Services writes, "It has also solved several of my security concerns ... I
still have problems with customers, web sites and bandwidth, but at least
EnGarde lets me concentrate on those troubles without handing me a whole
other list of problems.  They've really put some thought into what a web
server should be and addressed that issue with EnGarde Linux." Bob
continues by saying that he "was using Turbo Linux Server for 2 web
servers and was having problems with configuring and maintaining virtual
hosts and e-mail forwarding as well as performance problems.  I read a few
reviews of EnGarde Linux, bought a copy and installed it.  EnGarde solved
ALL my performance issues since it doesn't even load X or anything
unrelated to being a web server."

Our fellow users in Europe can read a great review of EnGarde Secure Linux
in the September issue of the leading LinuxEnterprise Magazine.  
"Guardian Digital takes up [security] and offers a small distribution,
whose focus is not only on security but also on simple operation."

http://www.linuxenterprise.de

Guardian Digital offers a comprehensive suite of support options for
deploying EnGarde Secure Linux in your enterprise.


----------------
Development News

It is in the area of security where open source really shows its benefits.
The security benefits gained as a result of the "many eyes" philosophy
ensure even the smallest potential vulnerability will be scrutinized and
fixed quickly. Recent discussions on the EnGarde mailing lists have
improved the filesystem quota feature, network intrusion detection using
snort, and even spam filtering!

The newly created engarde-dev@engardelinux.org mailing list is a great
gathering place for discussion of issues pertaining to compiling your
kernel, troubleshooting elusive encryption issues, running Samba on
EnGarde, and more!

Thanks to Jeff Baldwin, Linux and security developer for the University of
North Carolina and one of the community's most active participants, we
have a greatly improved mailing list archive site. Be sure to check it out
at http://mail-archives.engardelinux.org.

Share your intrusion detection, DNS security, encryption, or other area of
expertise with fellow EnGarde users, or feel free to ask our developers
list how to configure SSH to build a VPN, get Samba running, or resolve
any other issues you may be struggling with.

The Guardian Digital engineers have made great progress towards the next
release, and they expect to send it off to QA very soon. Greatly improved
intrusion detection, support for high-end RAID systems as well as features
appealing to home users, numerous encryption improvements, and virtually
spam-proof mail services are just a few of the improvements for the next
release!

-----------------
Obtaining EnGarde

Our list of EnGarde Secure Linux mirrors grows larger by the day. The
latest list of mirrors includes volunteers from all over the globe:

- Australia
ftp://karl.planetmirror.com/pub/engarde

- Austria
ftp://ftp.univie.ac.at/systems/linux/metalab/distributions/engarde

- Germany
ftp://ftp.tu-chemnitz.de/pub/linux/sunsite.unc-mirror/distributions/engarde
ftp://ftp.informatik.rwth-aachen.de/pub/linux/sunsite.unc-mirror/distributions/engarde

- Netherlands
ftp://ftp.nluug.nl/vol/3/metalab/distributions/engarde/1.0.1/
ftp://ftp.surfnet.nl/vol/3/metalab/distributions/engarde/1.0.1/

- Portugal
ftp://ftp.fct.unl.pt/.1p/linux/sunsite/distributions/engarde/1.0.1/

- United States
ftp://ftp.ibiblio.org/pub/linux/distributions/engarde
ftp://ftp.lug.udel.edu/pub/linux/distributions/engarde
http://rpmfind.net/linux/RPM/engarde/index.html
http://www.linuxiso.org/engarde.html
http://www.download.com/downloads

We're always seeking to increase our list of mirrors. Have some bandwidth
and the desire for serious security? Send a note to mirrors@engardelinux.org.

-----------
Quick Tips!

The EnGardeLinux.org Web site has an ever-increasing knowledgebase of tips
for new and advanced users, pointers to security-related documentation,
tweaking EnGarde for your environment, and much more.

- Pete O'Hara, Postfix hacker, skydiver, and health nut, recently updated
his authoritative document on using the Postfix secure mail server, and
tips on how to improve it on EnGarde.

http://www.linuxsecurity.com/feature_stories/feature_story-91.html

- What is a chroot, and why would I want to use it?

Normally, network daemons have access to system devices, the filesystem,
and standard system binaries and libraries. Using a "chroot jail", a
process can be relegated to a specific region of the filesystem and only
that region. This effectively limits the resources available to the
particular program.  Combined with running a daemon as a standard user and
not as root, this adds a significant additional layer of security to the
system. Should the daemon be compromised, it will still have a restricted
view of the system, limiting the amount of damage that can be done.

Nearly all of the daemons available on EnGarde have been configured to use
chroot jails, including BIND, MySQL, Snort, and Postfix.

See "EnGarde: The Design of the Secure Linux Platform" for more.
http://ftp.engardelinux.org/pub/engarde/1.0.1/docs/EnGarde-Design.pdf
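
The chroot-plus-unprivileged-user combination described above, as an added
example (not code from EnGarde or Guardian Digital): a C helper a daemon
could call at startup. The function name enter_jail and the command-line
arguments are assumptions made for this illustration.

```c
/* Added example: confine a daemon to a chroot jail, then drop root. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 once the process is jailed in `jail` and running as uid/gid.
 * Returns -1 (errno set) on any failure; the caller must then exit rather
 * than continue with more privilege or filesystem access than intended. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {       /* a root process can escape a chroot */
        errno = EINVAL;
        return -1;
    }
    if (chdir(jail) != 0)             /* move inside before changing the root */
        return -1;
    if (chroot(".") != 0)             /* needs root (CAP_SYS_CHROOT) */
        return -1;
    if (chdir("/") != 0)              /* cwd must not point outside the jail */
        return -1;
    /* Drop privileges in this order: supplementary groups, gid, then uid.
     * After setuid() the process could no longer change its groups. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) {             /* regaining root must now fail */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <jail-dir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (enter_jail(argv[1], uid, gid) != 0) {
        perror("enter_jail");
        return 1;
    }
    printf("jailed: uid=%d gid=%d cwd=/\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Anything the daemon needs from outside the jail (listening sockets, log
files, libraries) has to be opened or copied into the jail directory before
enter_jail is called.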

- How can I build packages to run on EnGarde?

EnGarde includes by default only those packages necessary to operate a
secure server on the Internet. It is recommended that an EnGarde
development server is used to build RPMs for use with EnGarde. There are
easy to follow directions available on the EnGarde Web site:

http://www.engardelinux.org/building_howto.html


----------------
Software Updates

     In the spirit of Open Source, we believe in the full-disclosure
     security model, and regularly publish security vulnerabilities and
     updates typically within hours of being publicized. Included below
     are the security advisories released during the month of July and
     August. Be sure to visit http://www.engardelinux.org/advisories.html
     for further information and past updates.

     Package: openssl

          ESA-20010709-01  July 09, 2001
          A weakness exists in the pseudo-random number generator
          (PRNG) in all versions of OpenSSL up to and including
          0.9.6a.  Given knowledge of past results of PRNG queries
          an attacker can predict future results.

          ADVISORY:
          http://www.linuxsecurity.com/advisories/other_advisory-1483.html

     Package: AllCommerce

          ESA-20010711-01  July 11, 2001
          There is a temporary file creation vulnerability in
          AllCommerce which can allow an attacker to exploit a
          victim via a symlink attack as the 'webd' user.

          ADVISORY:
          http://www.linuxsecurity.com/advisories/other_advisory-1492.html

     Package: sudo

          ESA-20010711-02  July 11, 2001
          The configuration file for the sudo package which
          shipped with EnGarde Secure Linux 1.0.1 can allow users
          in the 'admin' group to gain elevated privileges by
          leveraging certain commands.

          ADVISORY:
          http://www.linuxsecurity.com/advisories/other_advisory-1493.html

     Package: fetchmail-ssl

          ESA-20010816-01   August 16, 2001
          There is a remotely exploitable memory overwrite
          vulnerability in the fetchmail-ssl package.  An exploit
          is known to exist.

          ADVISORY:
          http://www.linuxsecurity.com/advisories/other_advisory-1555.html