Owl (Openwall GNU/*/Linux) is a small security-enhanced Linux distribution for servers. Owl also makes a good base system for customized virtual machine images and embedded systems, and Owl live CDs with remote SSH access are good for recovering or installing systems (whether with Owl or not). A single Owl CD includes the full live system, installable packages, the installer program, as well as full source code and the build environment capable of rebuilding the entire system from source. Owl supports multiple architectures (x86, x86-64, SPARC, and Alpha) and offers some compatibility for packages developed for other Linux distributions. The primary approaches to security are proactive source code review, privilege reduction, privilege separation, careful selection of third-party software, safe defaults, and "hardening" to reduce the likelihood of successful exploitation of security flaws.
Tags: Operating Systems, Software Distribution, Security, Systems Administration, Cryptography
Operating Systems: POSIX, Linux
Implementation: Assembly, C, C++, Perl, Unix Shell
Release Notes: Relevant updates from Owl-current have now been merged into 3.0-stable, including rebasing of the kernel on OpenVZ/RHEL 5.9, GnuPG and xinetd updates, and minor bugfixes in glibc. The kernel is now compressed with Zopfli (pigz -11) instead of gzip -9. New ISOs and OpenVZ templates have been generated for i686 and x86_64.
Release Notes: The Linux kernel has been rebased on the latest from OpenVZ's RHEL5-based branch (RHEL 5.9-based currently), fixing a number of vulnerabilities including a PTRACE_SETREGS vs. process death race condition (CVE-2013-0871), which could allow for a local root compromise and OpenVZ container escape. GnuPG has been updated to 1.4.13 (fixing CVE-2012-6085). Assorted minor changes have been made. New ISOs and OpenVZ templates have been generated for i686 and x86_64.
Release Notes: The Linux kernel has been rebased on the latest from OpenVZ's RHEL5-based "testing" branch. binutils, tcsh, xinetd, and OpenSSL have been updated to new upstream versions, and assorted minor changes have been made to many Owl packages. The system has been rebuilt with the new binutils, which required some tweaks in various packages (now included, so further rebuilds work seamlessly), and new ISOs and OpenVZ templates have been generated for i686 and x86_64. Overall, this mostly conservative update is a precursor to a similar update to Owl 3.0-stable, and to more aggressive changes in Owl-current.
Release Notes: The Linux/OpenVZ kernel has been rebased on RHEL 5.8's. GCC has been updated to 4.6.3, and "gcc -Wl,-z,relro -Wl,-z,now" is now the default as a security hardening measure. The bootloader for the ISOs has been switched to ISOLINUX. Building of glibc's UTF-8 locales has been enabled by default. OpenSSL, lftp, strace, and hdparm have been updated to new versions. John the Ripper has been updated and is now built with OpenMP parallelization, AVX, and XOP support enabled. New ISO images and OpenVZ container templates have been generated for i686 and x86_64.
Release Notes: GCC has been updated to 4.6.1, and packages of GMP, MPC, and MPFR have been added (these are arbitrary precision arithmetic libraries required by recent GCC releases). The system has been rebuilt with the new GCC. VLAN support has been added to networking startup scripts. Timezone data has been updated, primarily for the latest reconsideration by Ukraine. Security fixes have been made to pam_env (not used on default installs of Owl, but available for use). The hardlink(1) program has been added. New ISO images and OpenVZ container templates have been generated for i686 and x86_64.