LinuxQuestions.org

Thread: Linux Distribution with auditing of packages (https://www.linuxquestions.org/questions/linux-newbie-8/linux-distribution-with-auditing-of-packages-779863/)

lowlifeish 01-04-2010 10:23 PM

Linux Distribution with auditing of packages
 
I have been out of the UNIX world for some time preoccupied with real life problems. I'm interested in getting a home system up and running, but having difficulties deciding on a base platform.

I am leaning towards a Linux, versus a BSD due to the tremendous amount of employers seeking people with that technology. However, I am attracted to the auditing performed on packages on the BSD end, particularly NetBSD/OpenBSD.

Is there a Linux distribution that performs auditing of third party packages? I understand there are some commercial distributions, but wonder if they are more reactive than proactive?

Thanks for your time and support in digging into this decision!

Regards,
stonee

Simon Bridge 01-04-2010 10:36 PM

Please be specific. There are a number of different audits conducted on packages in the BSDs that also apply to gnu/linux distros.

lowlifeish 01-04-2010 11:46 PM

I am not familiar with the actual testing/auditing done. These are two links that I've been able to gather from the sites:

http://www.netbsd.org/about/features.html#security

http://www.openbsd.org/security.html#process

As you can see, I am very much in the dark and scratching the surface. If some type of comparison is available or additional details can be provided it would be very much appreciated.

In terms of my specific usage, I am unclear but certainly plan on setting up a multitude of services for my own pleasure and advancement. This is probably not to receive much traffic, but I don't think that this should mean that quality, stability, and security are not important. I don't just want to install something.

In the near future I may be living in a moderately high crime area, and need to somewhat rely on a surveillance system for peace of mind and safety.

Simon Bridge 01-05-2010 12:52 AM

link1 - manual code audits - they look through the kernel code for exploits.
link2 - dedicated team of 6 people looking for bugs in key files.

Both are talking about auditing the source code.

OK: the Linux kernel project has 1000s of people auditing the code, including top academics around the world and PhD students who get to write a paper on it if they discover something ... so they are motivated.

Individual projects will use different methods. Core systems get similar treatment.

The two BSDs in your example tend towards a Cathedral development model.
http://catb.org/~esr/writings/cathedral-bazaar/

The gnu/linux projects are strongly biased to the bazaar model, and so tend to be more reactive in terms of bug fixes ... the user is also the auditor. This is usually fine because the bugfixes occur very fast, in general, compared with other models.

I think the jury is still out about which method gets you the most secure code in practice.

GNU/Linux distros respond to the variability in the wider community by having hierarchies or repositories where core files undergo additional development, including bugfixing, before they get included, and others allow a range of tested third-party code if you want that stuff.

lowlifeish 01-20-2010 11:13 PM

After some research, it seems that OpenBSD may be the only OS that performs auditing of packages. EnGarde does the next best thing by attempting to provide a safe, minimally configured environment with SELinux. Moreover, EnGarde ships without X11.

The Owl Linux distribution also looks awfully appetizing, since it does package auditing of networked packages. But the lack of a general community and momentum steers me away. It seems like a secluded group of people making an OS. It may require extensive verification. Who knows what interesting surprises are found there with the extensive modification on behalf of the skillful developers?

I'll need to look over these development models as soon as I get a chance! I've seen this mentioned here and there, but never really read over the essay.

MannyNix 01-27-2010 08:40 PM

Interesting post, I'm also wondering if there's an OS that audits packages.

Quote:

Originally Posted by lowlifeish (Post 3834472)
After some research, it seems that OpenBSD may be the only OS that performs auditing of packages.

From what I understand they don't audit 'packages' or 'applications' but only the base system from a default install. That means:
Code:

    * bsd - This is the Kernel. Required
    * bsd.mp - Multi-processor (SMP) kernel (only some platforms)
    * bsd.rd - RAM disk kernel
    * base46.tgz - Contains the base OpenBSD system. Required
    * etc46.tgz - Contains all the files in /etc. Required
    * comp46.tgz - Contains the compiler and its tools, headers and libraries.
    * man46.tgz - Contains man pages
    * misc46.tgz - Contains misc info, setup documentation
    * game46.tgz - Contains the games for OpenBSD
    * xbase46.tgz - Contains the base libraries and utilities for X11
    * xetc46.tgz - Contains the /etc/X11 and /etc/fonts configuration files
    * xfont46.tgz - Contains X11's font server and fonts
    * xserv46.tgz - Contains X11's X servers
    * xshare46.tgz - Contains manpages, locale settings, includes, etc. for X

In 15.3.3 - Configuration of the ports system, from the OpenBSD FAQ they mention:
Code:

Because the OpenBSD project does not have the resources to fully review the source code of all software in the ports tree...

I also found an interesting article about OpenBSD, not sure I understand it all, but it's an interesting read. Anyways, I like OpenBSD and from the GNU/Linux distributions, Slackware is my favorite.
