
Hardened Linux

Hardened Linux is a hardened and minimalized Linux distribution based on Slackware. It includes a grsecurity/PaX patched kernel, packages built with stack-smashing protection (SSP) and otherwise hardened, additional security scripts, and host intrusion detection enabled automatically.

Recent releases

Release Notes: This release includes the new package system tool called 'cpfos'. Many package updates were made.

06 Jul 2007 17:54

Release Notes: This is primarily a package update for the 1.6.6-snapshot release. It includes gcc 4.2, glibc 2.5 and kernel 2.6.21.3-grsec (this time with the ne2k_pci network driver).

Release Notes: Different packages were updated. The documentation package now includes HTML files instead of a PDF file. This release also includes permission fixes in the binutils package and a 2.6.20.10 kernel.

11 Apr 2007 19:47

Release Notes: A lot of work has been done with the packages, and there are many new updates available. Kernel based features are the 2.6.19.7 update and support of eCryptfs. This release contains security updates for CVE-2007-1536.

Release Notes: Glibc is now patched with the ctermid() patch. The Linux kernel was updated to 2.6.19.4. Other packages were updated, including netcat (nc), OpenBSD-inetd, dnsmasq, gradm, iptables, rkhunter, openssh, openldap, nmap, and the tcpip package. sysklogd now also uses the Debian package source (but built with SSP and -pie) and is compiled for 2.6.x kernels. This release also includes security updates for gnupg, tcpdump, clamav, openldap, and SpamAssassin.

Recent comments

18 Dec 2006 08:27 gvy

Re: funny base

> I cannot agree since slackware is very robust

Okay, then we have different definitions of "robustness" (which might be easy; I guess you're not a native English speaker either). Let it be.

> we currently do not audit glibc or the
> kernel because we don't have enough time
> but lots of packages are at least
> hardened now. we change default
> permissions, we change default
> configuration files, compile packages
> and libs with ssp and so on.

And that's been done elsewhere for quite some time. BTW, you might be interested in control(8), which is a permission persistency framework developed and employed at Owl/ALT; if Slackware packages do the equivalent of RPM %pre/%post package scripts (last time I checked, they couldn't), you could e.g. lock down SUID binaries to a root-only exec bit *and* let the local sysadmin choose the proper state (e.g. executable by the "netadmin" or "wheel" group), with binary perms persisting after a package upgrade.

You could also consider privilege-separated/chrooted services by default, and maybe look at chrooted package. BTW /people/ldv is probably worth investigating anyways, starting right with glibc patches.

Maybe if you think over what has already been done for years elsewhere and what is needed to be "robust" for that (like a package manager which does checksums and {pre,}{un,}install scripts), you'll understand my previous posting better. Hope that the things referenced and hinted at will be useful anyway.

> there are so many pictures in the world.
> why the hell do paints just paint more
> and more of them? they do it, because
> they love to do it.

Hey, I am a painter. One of my pictures in oil (ca. 1996) lurks somewhere in Germany now. No, I didn't call it "Pretty Picture" and post it at www.prettypicture.com even if I loved working on it; and if you did not understand, then please note that "Hardened Linux" is as ambitious a generic-term abuse as "Windows" or "Word", and with Slackware as a base, you're not going to pull it off. Just as the Slackware fans in Birmingham failed, and it was 100% predictable. If I had met them two years ago proclaiming how they were gonna make it, I'd have given them similar rough advice.

> why do you tell me about this?

'Cause I try to help you avoid quite common mistakes -- why did you name and publish this work in the first place? Maybe for others to know about it and possibly help with development? Then you should care about what can go wrong and upset those invited.

While enjoying creativity, we have to be responsible too, right from naming and to the support. That was one of the points made, and believe me it has cost me a nice share of trouble to learn this well.

> we're heavily working on HL and we _do_
> answer posts in the ML and the forums.

Well, I do wish you good luck. Don't take this as a personal offense or project dismissal; it's rather about not reimplementing from scratch the wheel that is done so much better already. I've been thankful to those who pointed me at e.g. the GNU MP library on seeing me busy reimplementing arbitrary-precision maths on my own... it was just so much better.

PS: argh, and I, with my anti-Slackware stance, must admit that I have yet to see a proper _technical_ argument from Slackware fans; at best they're able to admit that their motivation is pure emotion. So be it. :-)

18 Dec 2006 07:20 cdpxe

Re: funny base

> % At the end I decided to use slackware as a base
> % because of its simplicity and size.
>
> Ouch. When these are prime factors, I wonder what's with "robustness" (in terms of system approach -- "what to do if $this breaks", "how to identify and fix problems", et al) and "security".

I cannot agree, since Slackware is very robust and really includes everything I wanted. Okay, we need to re-build all packages with SSP and so on, but that's okay.

> Simplicity and small size do help to review things but I guess you don't really audit kernel and glibc, thus the point of "being simple" is somewhat selective: _overall_ simplicity is bottom-limited by the very same factors as everywhere.

We currently do not audit glibc or the kernel because we don't have enough time, but lots of packages are at least hardened now. We change default permissions, we change default configuration files, compile packages and libs with SSP, and so on.

> % is very easy to modify slackware and at
> % least IMPOV it was a very good choice.
>
> Well I respect your POV but decided to note that rolling yet another distro is quite boring thing,

There are so many pictures in the world. Why the hell do painters just paint more and more of them? They do it because they love to do it.

> You can try to google up "shigorin netwosix" to find my attempts to put reason into one Italian youngster's head; he was brave enough to spam bugtraq@ with "sec announces" and didn't even thank for pointing out that some of his tarballs were flawed, having improperly world-writable files or directories. The "server distribution" put out sec updates for some 3 or 6 months, and left unanswered questions in a mailing list when things went silent.

Why do you tell me about this? We don't do it this way. Okay, at the moment some permissions on the system are still broken (note that we aren't stable!), but we are heavily working on the fixes (as you can see if you take a look at the last svn diffs of n/tcpip/tcpip.SlackBuild, for example). We're heavily working on HL and we _do_ answer posts in the ML and the forums.

18 Dec 2006 05:46 gvy

Re: funny base

> We did not think about ALT linux as a base for HL.

I guess :-) (tried to point out why exactly it might be less convenient, actually, than a couple of other distros that immediately came to my mind)

> But we took a look at some other distributions like debian,

> adamantix and so on.

And they weren't enough as-is for that?

> At the end I decided to use slackware as a base

> because of its simplicity and size.

Ouch. When these are prime factors, I wonder what's with "robustness" (in terms of system approach -- "what to do if $this breaks", "how to identify and fix problems", et al) and "security".

Simplicity and small size do help to review things, but I guess you don't really audit the kernel and glibc, thus the point of "being simple" is somewhat selective: _overall_ simplicity is bottom-limited by the very same factors as everywhere.

> is very easy to modify slackware and at

> least IMPOV it was a very good choice.

Well, I respect your POV but decided to note that rolling yet another distro is quite a boring thing, and tagging it "hardened" is quite a lot to fulfil to make it so. It's not about making a one-shot release or even keeping up with fixes for half a year; it's about building a platform (since toys don't need to be hardened, and non-toys usually require that they work flawlessly not only today but for the longest time possible with the minimum effort/money possible).

You can try to google up "shigorin netwosix" to find my attempts to put reason into one Italian youngster's head; he was brave enough to spam bugtraq@ with "sec announces" and didn't even say thanks for pointing out that some of his tarballs were flawed, having improperly world-writable files or directories. The "server distribution" put out sec updates for some 3 or 6 months, and left questions in a mailing list unanswered when things went silent.

Of course, it's not at all my right to try and tell folks what to do, but it's a pity when someone starts another project with bold claims, then gathers a more or less naive community, and then quite foreseeable problems lead to the project's demise, leaving those who trusted the initial bright words out in the cold with their systems.

So I try to convince folks to at least have another look and think for another minute about what's going to be there in a year before giving birth to another project -- sometimes there are mature projects which are worth joining, not competing with or ignoring; OTOH an example of a very nice and insightful reply to one such question is available here: freshmeat.net/projects...

Good luck, anyways!
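The tarball flaw named in the post above (shipped files or directories that are improperly world-writable) is cheap to catch before release. The following is an added shell example by the editor, not code from Hardened Linux or from either poster; the function names, the allowlist format (one setuid/setgid path per line, relative to the tree) and the constructed demo tree are assumptions. It goes slightly beyond the post by also flagging setuid/setgid files that are not on an allowlist, the other permission defect a package tree commonly ships. It relies on GNU find(1) (-mindepth, -printf).

```shell
#!/bin/sh
# Added example, not part of Hardened Linux or of the post above: reject a
# package tree before it is tarred up if it ships world-writable entries or
# setuid/setgid files outside an allowlist, the kind of flaw the post describes.

# Audit the tree under $1. $2 is an optional allowlist file of setuid/setgid
# paths, one per line relative to the tree. Prints offenders; returns 1 if
# anything was flagged, 0 if the tree is clean.
audit_package_tree() {
    tree=$1; allow=${2:-/dev/null}; status=0

    # World-writable files and directories. Sticky world-writable directories
    # (1777, like /tmp) are legitimate; symlinks always show 777 and are skipped.
    ww=$(find "$tree" -mindepth 1 ! -type l -perm -0002 ! \( -type d -perm -1000 \) -printf '%m %P\n')
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww"; status=1
    fi

    # Setuid/setgid files not on the allowlist (exact, whole-line match).
    su=$(find "$tree" -mindepth 1 -type f \( -perm -4000 -o -perm -2000 \) -printf '%P\n' \
         | grep -vxF -f "$allow" || true)
    if [ -n "$su" ]; then
        printf 'unexpected setuid/setgid:\n%s\n' "$su"; status=1
    fi
    return $status
}

# Constructed demo tree mixing clean and flawed entries; prints its path.
# The allowlist is written beside it at "<tree>.allow".
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/var/log" "$t/tmp" "$t/usr/bin" "$t/etc"
    chmod 0777 "$t/var/log"                                          # flawed: anyone can plant files
    chmod 1777 "$t/tmp"                                              # fine: sticky
    printf 'x\n' > "$t/etc/config";    chmod 0666 "$t/etc/config"    # flawed: world-writable config
    printf 'x\n' > "$t/usr/bin/su";    chmod 4755 "$t/usr/bin/su"    # expected setuid, allowlisted
    printf 'x\n' > "$t/usr/bin/extra"; chmod 4755 "$t/usr/bin/extra" # setuid nobody asked for
    printf 'usr/bin/su\n' > "$t.allow"
    printf '%s\n' "$t"
}

# Usage: audit the demo tree; a real build would run this on the staging
# directory right before tar(1) and abort the release on a non-zero status.
tree=$(make_demo_tree)
audit_package_tree "$tree" "$tree.allow" || echo "rejected: $tree"
```

Because the check runs on the staged tree rather than on the archive, it also catches files whose modes were mangled by the build's umask, which a listing of the finished tarball would only show after the fact.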

18 Dec 2006 03:21 cdpxe

Re: funny base

> I guess starting with e.g. Owl or Adamantix for security-related development would be more reasonable than with Slackware... interesting to me, did you consider those?
>
> (ALT Linux is also heavily security oriented but being much more than specialized distro, it's not as sharp as Owl that way and it's rather Russian-spoken devel@ -- still this team seems right to me at least)

We did not think about ALT Linux as a base for HL. But we took a look at some other distributions like Debian, Adamantix and so on. In the end I decided to use Slackware as a base because of its simplicity and size. It is very easy to modify Slackware, and at least IMPOV it was a very good choice.

BTW: This does not mean that other security distributions would be a bad base for a new distribution.

15 Dec 2006 11:06 gvy

funny base
I guess starting with e.g. Owl or Adamantix for security-related development would be more reasonable than with Slackware... interesting to me: did you consider those?

(ALT Linux is also heavily security oriented, but being much more than a specialized distro, it's not as sharp as Owl that way and its devel@ is rather Russian-spoken -- still, this team seems right to me at least.)
