Linux.com

Review: Trustix Secure Linux lives up to its name

By Aditya Nag on March 29, 2006 (9:00:00 AM)

Trustix Secure Linux is an interesting distro for servers that is designed to be all about security. While Linux, in general, is fairly secure, a distro that focuses on security and stability from the ground up should be a good choice for Internet servers. In our testing, we found Trustix lives up to its intentions.

I downloaded the stable 2.2 release of Trustix. You can also download the new version, 3.0, which is based on the 2.6 series kernel. However, if your focus is security, Trustix suggests that you use the stable version. The 450MB ISO is easy to download, especially since it's available via BitTorrent.

Trustix concentrates on keeping it simple. You won't get a GUI or the latest bells and whistles. What you do get with Trustix is a small and secure distribution that incorporates IBM's Stack Smash Protection, which protects the system and applications from stack-smashing attacks. Stack smashing is one of the major forms of attack, and many secure Linux distros have this protection turned on by default.

The developers have kept the number of packages to a minimum by including only the basic server-specific packages. Trustix contains no graphical desktop and few userland tools.

Installation

The text-based Trustix installation has some interesting features. The first notable feature is the boot loader password, which you must enter before you can boot the system. Other distros have this option as well, but it's generally buried inside a few menus. Trustix makes it an integral part of the installation process and recommends that you set a password.

Another interesting feature is the package selection process. Trustix gives you various task-based options, such as providing a Web server with PHP-5 or PHP-4, a mail server, FTP server, firewall, and more. There are 19 task-specific package groups. I like that Trustix gives you a choice for the servers, such as between Proftpd or Vsftpd for FTP and Courier or Cyrus for messaging.

The rest of the install is fairly standard, simple, and fast. There are the usual options to partition your hard drive and set your time zone. I chose to install everything, and the 500MB installation took about 15 minutes on my Athlon 2400 with 1GB of RAM.

Security and use

After the installation finished, I updated the system using Trustix's swup tool. The command to upgrade is swup --upgrade. Just like APT and YUM, swup handles dependencies, connects to specified servers, and generally does a good job of installation and updates. You can set it to run automatically every day.

A long list of updates is available, which is in keeping with Trustix's policy of releasing patches in a timely manner.

After I completed the update process, I ran a few security tests. A quick scan of the machine with Nmap showed that all the ports were closed. Most Linux distros enable SSH at least, but Trustix believes that admins should explicitly turn on whatever they need. On the flip side, the firewall is also disabled by default.

After finding that all the ports were closed, I used the latest version of Nessus to search for any vulnerabilities. The results were encouraging, as Nessus couldn't find any vulnerabilities. By default, therefore, Trustix seems fairly secure.

Production servers will be running some network services, so I enabled Samba, Apache, Squid, BIND, and MySQL and tested again. Once again, Nessus and Nmap did not detect any major vulnerabilities. The expected ports were open, of course, but there were no significant configuration holes. Nessus gave a few warnings, but defined the risk as low in every case.

A day after I updated, I ran the update again, and found 27 new patches available. Generally, the developers release patches for any new vulnerabilities within 24 hours; most of the patches are released within a few hours.

The Security Focus database lists several vulnerabilities for Trustix 2.2, but the few exploits that I tried didn't work. Since I tried the newest ones, this is a good sign.

The distro has a Web-based control panel called CP+, which allows you to configure various aspects of the system using a simple Web-based app. It's aimed toward ISPs and Web hosts, with specific options for creating virtual hosts, email forwards, FTP accounts, and the like. CP+ seems functional and easy enough to use.

Trustix does not have much official support or documentation. You have the usual support forums and the community wiki, but there's no real documentation in the form of official HOWTOs or guides. That said, the forums are friendly, and the developers often answer questions there. The wiki has a decent amount of content, though it is not well-organized. Of the two, I prefer the forums.

Conclusion

No operating system can claim to be completely secure. There will always be zero-day exploits, configuration errors, user errors, and other factors that can defeat the best security for any system. On the other hand, it's always good to start from a secure base and then add more security. Trustix provides a reliable and secure Linux distribution that you can build upon. There are no wasteful graphical displays and no wizards to set up your firewall. If you aren't comfortable with the command line, forget about Trustix.

Finally, Trustix is not the primary focus of Comodo, its parent company. If you expect a lot of support with comprehensive documentation, you're going to be disappointed. That said, Trustix does a good job of keeping your system up-to-date, and if you have the required experience, you'll find that it's a robust distro. As a simple server distro with a high level of security and customizability, Trustix is a worthy contender.

Comments

This sounds...

Posted by: Anonymous Coward on March 30, 2006 02:28 AM
...quite retarded. Linux is crap. Get a Mac, or at least a PC. Friggin' office junkies.

Linux servers are excellent for dropping on people, though. I killed a guy only one floor below me once.

#

Re:This sounds...

Posted by: Anonymous Coward on March 30, 2006 08:45 PM
Shut the fuck up troll.

#

Is that the quality where Linux.com is at lately?

Posted by: Anonymous Coward on March 30, 2006 08:03 AM
After finding that all the ports were closed, I used the latest version of Nessus to search for any vulnerabilities. The results were encouraging, as Nessus couldn't find any vulnerabilities.



And that just about completely discredits the whole article. Which was not quite up to any standards in the first place anyway.

#

Secure you said

Posted by: Anonymous Coward on March 30, 2006 10:04 AM
Secure is what you said the server http://www.trustix.org/ is down

#

Re:Secure you said

Posted by: Anonymous Coward on March 30, 2006 08:46 PM
No problems here. I can see the site.

#

Wikipedia article

Posted by: Anonymous Coward on March 30, 2006 10:43 PM
Trustix on Wikipedia;
* http://en.wikipedia.org/wiki/Trustix

#

Re:Wikipedia article

Posted by: Anonymous Coward on March 30, 2006 11:28 PM
x86 only. Nice.

#

Trustix is the best

Posted by: Anonymous Coward on March 31, 2006 03:53 AM
For routers and servers, Trustix 2.2 is the best. It is fast, very stable and secure.

#

Re:Trustix is the best

Posted by: Anonymous Coward on April 01, 2006 02:44 AM
We have run Trustix here at work on several servers for several years. We find it to be quite a good performer and resistant to attacks; one was an experiment that we put bare on the Internet (no firewalling of any sort) for six months to see just how resistant to attack it is (we certainly did our security updates regularly!). In addition to OpenSSH, we ran Apache and BIND on it, which we felt would simultaneously simulate what our public Web and DNS servers, respectively, would be running. After the six months, we took it down to do some forensic analysis, and we found that it had not been compromised.

The next week, we stood up our two public DNS servers, and our public Web server, using Trustix 2.2 as the platform. It's good stuff. If only management would allow us to replace our Windoze servers with Trustix! :-)

#

Voo

Posted by: Anonymous Coward on June 06, 2006 03:35 AM

Review: Trustix Secure Linux lives up to its name

Posted by: Anonymous [ip: 222.155.82.181] on September 03, 2007 12:29 PM
Both www.trustix.org and Comodo's commercial site www.trustix.net have both been down for well over a week now! AGAIN! USELESS! And after I have used the Trustix open-source version for many years. But what's with the site being down? I have to consider whether or not to ditch it, or not. Go with something that has a community site. All their services are down.

#
