LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 01-04-2010, 10:23 PM   #1
lowlifeish
Member
 
Registered: Oct 2002
Location: San Francisco, CA
Distribution: redhat
Posts: 50

Rep: Reputation: 16
Linux Distribution with auditing of packages


I have been out of the UNIX world for some time preoccupied with real life problems. I'm interested in getting a home system up and running, but having difficulties deciding on a base platform.

I am leaning towards a Linux, versus a BSD due to the tremendous amount of employers seeking people with that technology. However, I am attracted to the auditing performed on packages on the BSD end, particularly NetBSD/OpenBSD.

Is there a Linux distribution that performs auditing of third party packages? I understand there are some commercial distributions, but wonder if they are more reactive than proactive?

Thanks for your time and support in digging into this decision!

Regards,
stonee

Last edited by lowlifeish; 01-04-2010 at 10:25 PM.
 
Old 01-04-2010, 10:36 PM   #2
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
Please be specific. There are a number of different audits conducted on packages in the BSDs that also apply to gnu/linux distros.
 
Old 01-04-2010, 11:46 PM   #3
lowlifeish
Member
 
Registered: Oct 2002
Location: San Francisco, CA
Distribution: redhat
Posts: 50

Original Poster
Rep: Reputation: 16
I am not familiar with the actual testing/auditing done. These are two links that I've been able to gather from the sites:

http://www.netbsd.org/about/features.html#security

http://www.openbsd.org/security.html#process

As you can see, I am very much in the dark and scratching the surface. If some type of comparison is available or additional details can be provided it would be very much appreciated.

In terms of my specific usage, I am unclear but certainly plan on setting up a multitude of services for my own pleasure and advancement. This is probably not to receive much traffic, but I don't think that this should mean that quality, stability, and security are not important. I don't just want to install something.

In the near future I may be living in a moderately high crime area, and need to somewhat rely on a surveillance system for peace of mind and safety.
 
Old 01-05-2010, 12:52 AM   #4
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
link1 - manual code audits - they look through the kernel code for exploits.
link2 - dedicated team of 6 people looking for bugs in key files.

Both are talking about auditing the source code.

OK: linux kernel project has 1000s of people auditing the code, including top academics around the world and phd students wo get to write a paper on it if they discover something ... so they are motivated.

Individual projects will use different methods. Core systems get similar treatment.

The two BSDs in your example tend towards a Cathedral development model.
http://catb.org/~esr/writings/cathedral-bazaar/

The gnu/linux projects are strongly biased to the bazaar model, and so tend to be more reactive in terms of bug fixes ... the user is also the auditor. This is usually fine because the bugfixes occur very fast, in general, compared with other models.

I think the jury is still out about which methods gets you the most secure code in practise.

GNU/Linux distros respond to the variability in the wider community by having hierarchies or repositories where core files undergo additional development, including bugfixing, before they get included, and others allow a range of tested third-party code if you want that stuff.
 
Old 01-20-2010, 11:13 PM   #5
lowlifeish
Member
 
Registered: Oct 2002
Location: San Francisco, CA
Distribution: redhat
Posts: 50

Original Poster
Rep: Reputation: 16
After some research, it seems that OpenBSD may be the only OS that performs auditing of packages. EnGarde does the next best thing by attempting to provide a safe, minimally configured environment with SELinux. Moreover, EnGarde ships without X11.

The Owl linux distribution also looks awfully appetizing, since it does package auditing of networked packages. But the lack of a general community and momentum steers me away. It seems like a secluded group of people making an OS. It may require extensive verification. Who knows what interesting surprises are found there with the extensive modification on the behalf of the skillful developers?

I'll need to look over these development models as soon as I get a chance! I've seen this mentioned here and there, but never really read over the essay.

Last edited by lowlifeish; 01-20-2010 at 11:14 PM.
 
1 members found this post helpful.
Old 01-27-2010, 08:40 PM   #6
MannyNix
Member
 
Registered: Dec 2005
Location: ~
Distribution: Slackware -current, OpenBSD
Posts: 451

Rep: Reputation: 42
Interesting post, I'm also wondering if there's an OS that audits packages.

Quote:
Originally Posted by lowlifeish View Post
After some research, it seems that OpenBSD may be the only OS that performs auditing of packages.
From what I understand they don't audit 'packages' or 'applications' but only the base system from a default install. That means:
Code:
*  bsd - This is the Kernel. Required
    * bsd.mp - Multi-processor (SMP) kernel (only some platforms)
    * bsd.rd - RAM disk kernel
    * base46.tgz - Contains the base OpenBSD system Required
    * etc46.tgz - Contains all the files in /etc Required
    * comp46.tgz - Contains the compiler and its tools, headers and libraries.
    * man46.tgz - Contains man pages
    * misc46.tgz - Contains misc info, setup documentation
    * game46.tgz - Contains the games for OpenBSD
    * xbase46.tgz - Contains the base libraries and utilities for X11
    * xetc46.tgz - Contains the /etc/X11 and /etc/fonts configuration files
    * xfont46.tgz - Contains X11's font server and fonts
    * xserv46.tgz - Contains X11's X servers
    * xshare46.tgz - Contains manpages, locale settings, includes, etc. for X
In 15.3.3 - Configuration of the ports system, from the OpenBSD FAQ they mention:
Code:
Because the OpenBSD project does not have the resources to fully review the source code of all software in the ports tree...
I also found an interesting article about OpenBSD, not sure I understand it all, but it's an interesting read. Anyways, I like OpenBSD and from the GNU/Linux distributions, Slackware is my favorite.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Linux System Auditing by Example LXer Syndicated Linux News 0 05-11-2007 12:01 AM
Linux Server Auditing mshajan Linux - Software 1 05-05-2005 01:37 PM
Make own distribution of Linux with some added modules and packages op4_u Linux - Software 1 09-15-2004 07:32 AM
How to update packages within Fedora Distribution before installation Raskolnikow Linux - Software 2 04-04-2004 06:51 AM
Harware auditing for Linux? vrillusions Linux - Hardware 0 04-06-2003 12:25 AM


All times are GMT -5. The time now is 07:51 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration