Linux.com

Feature: EnGarde

After troublesome install, EnGarde proves it's secure

By Preston St. Pierre on March 11, 2008 (4:00:00 PM)

EnGarde, a GNU/Linux-based operating system produced by Guardian Digital, aims to provide a secure system that is easy to manage from anywhere. Its philosophy of including only what you need to lessen possible vulnerabilities, combined with strict SELinux application policies and default configurations tuned for security, make EnGarde an excellent base for a server -- though it's not without its problems.

The installer for EnGarde is a good old-fashioned text-based system, which you might expect from a distribution with EnGarde's aims. The first step upon booting is to set a password to be used for both root and WebTool, the Web-based administration tool, on the live CD. Next, you choose how you're assigned an IP address -- either DHCP, static, or no networking. The third decision is whether to launch the installer or the live CD. I note the order simply because the password you are required to set in step one is not used if you run the installer, making it moot.

After selecting my language I was informed that pressing cancel at any point during the install would reboot the system -- there is no back button. You can choose automatic or manual disk partitioning, as you might expect. What you don't expect is the way the EnGarde manual partitioner works. You select the drive you wish to use, and EnGarde marks it as a clear drive, prompting you to add a boot, swap, and root partition in that empty space. However, I wished to use partitions I had already created. The Help button at this screen informed me that I could find additional documentation online and provided details about the buttons on the screen, but none of them allowed me to use existing partitions.

Not wanting to wipe my entire drive for EnGarde, I decided to cancel the install and check the documentation. There were a lot of how-to documents available for configuring various programs or carrying out tasks. The section under the Installer link, however, merely informed me that at this time there was no documentation available for the installer. I have since been in contact with a representative from Guardian Digital, who informed me that there is work being done on the installer and that the documentation for it is planned, but he gave me no estimated time.

There are also forums and a wiki available in addition to the main documentation, but I was not able to find a good install guide there either.

I ran the EnGarde installer again, this time on a system on which I could afford to have the drive wiped. After adding the partitions as prompted I came to the package selection screen, which offered options to install any or all of a database server, a DNS server, a firewall, mail services, network intrusion detection, or Web services. I chose all but the firewall for my install. I was then given the option to individually configure each of my network cards -- yet contrary to earlier claims by the installer, I was not given the option at this screen to choose DHCP. I instead had to use a static address. In doing so, because I intended to set up a local DNS server, I told my system to point to itself as a DNS server. I did not expect this would cause any problems, but that proved to be incorrect.

EnGarde copied the files quickly and I was shown a username and password screen for WebTool. I assumed that either this or the password I gave for the live CD at the beginning of the install would be my root password, as no other information about it was given. Upon first reboot I tried logging in to my system with both of the passwords, and neither worked. Puzzled, I opened up a Web browser and loaded the WebTool page using the username/password combo I had been given. WebTool then displayed a form that allowed me to perform the initial configuration on several aspects of the system, including setting the root password. At the top of the page, in what looked like a separate form, was the option to log in to the Guardian Digital network (and an option to register if you weren't already). However, upon filling out the initial configuration form and clicking submit, I was informed that I must log in to the Guardian Digital network before I could set any of that information. Yes, you heard me correctly -- EnGarde locks you out of your system until you register it. I wasn't told anywhere during the install or on the site that this would be the case. The distribution download was available without registration. Yet here I was, locked out of my own computer, forced to either register or overwrite the password from a live CD.

I was offended by the method used to enforce registration, but I was more or less obliged to do it at this point, which is probably what they're counting on. I clicked on the register button, but lo and behold, my system was unable to connect to the server. The error message it gave me, "Error creating account, please try again later and contact Guardian Digital if you have any further problems," was cryptic, but luckily I knew what the problem was. Remember back when I set the DNS server to localhost? My fault, yes, but I was never told that I would need to have Internet access from my machine in order to log in.

Changing the DNS server should have been the easiest thing in the world, but I couldn't edit the configuration file without being able to log in. I had to boot with a live CD to change it.

By now this was without a doubt the most trouble I had ever gone through from the time of inserting a Linux CD to the point where I could first log in. Finally my persistence paid off, and after registering for the Guardian Digital network I was able to set my root password and access my system.

Once past the initial configuration screen in WebTool, it became clear that I would only rarely, if ever, have to log in to the machine directly for regular maintenance. The install of EnGarde was painful and clunky, but WebTool is a work of art. The update module told me that my system was up-to-date, so I went through the easy process of setting up the various services I had installed, making sure to use as close to the default configuration as I could in order to test the professed security of the vanilla system.

After that the fun part started. I won't bore you with the details, but I tried through various means to break into the EnGarde system via the network. Any scans I did were picked up by Snort, logged, and made available through WebTool. My efforts were in vain, as I could locate no usable remote exploits against any running network services. I decided to go one step further and make myself a user account, then try to become root. I was not successful at this either. I make no claims at being a skilled cracker, but I have taken multiple security courses and I understand what is involved enough to be way beyond your average script kiddie. Guardian Digital has clearly taken steps to make the default system secure, even while it's running multiple services such as FTP, Web, database, and SMTP.

Once installed, EnGarde proved itself as a secure, easily manageable server. Overall, EnGarde seems to be very good at what it claims to do: security and easy administration. They left out the part about the awful install and required registration, but if you can get past that, it's all gravy.

Preston St. Pierre is a computer information systems student at the University of the Fraser Valley in British Columbia, Canada.

Comments on After troublesome install, EnGarde proves it's secure

Note: Comments are owned by the poster. We are not responsible for their content.

After troublesome install, EnGarde proves it's secure

Posted by: Anonymous [ip: 74.163.13.15] on March 11, 2008 06:10 PM
Isn't it obvious why you can't install on existing partitions? How does EnGarde know there is no backdoor/rootkit/some type of malware on your current filesystem? This distro is designed for utmost security based on the NSA's SELinux!! Why would they take the chance on your filesystem already being compromised and you saying a week later: "Hey, EnGarde isn't that secure, I have a rootkit on my box"? So it makes so much sense to me to format the filesystem to be used. Does anyone else agree?

Re: After troublesome install, EnGarde proves it's secure

Posted by: Anonymous [ip: 70.78.129.157] on March 12, 2008 09:49 PM
No one said anything about installing on existing filesystems, only existing partitions. I have other distributions installed that I do not want to wipe out. They are on other partitions. EnGarde will not allow me to keep them. What if this was a server with important databases on another partition, and I merely wanted to replace the OS and applications? I would have to wipe out the other data. Now do you see?

After troublesome install, EnGarde proves it's secure

Posted by: Anonymous [ip: 65.190.27.135] on March 12, 2008 02:28 AM
Good point, I agree.

After troublesome install, EnGarde proves it's secure

Posted by: Anonymous [ip: 91.121.102.64] on March 12, 2008 03:42 AM
Yeah, pretty much the first thing that I thought of: if it's going to be advertised as secure, you'd tend to think that it would want complete control over the drive that it's destined to be installed on.

After troublesome install, EnGarde proves it's secure

Posted by: Anonymous [ip: 74.163.12.113] on March 13, 2008 05:59 AM
Those other partitions are on the same drive, so what about an MBR rootkit? This installation technique outside of the OS is used by many malware authors now. What about any type of malware that is on this "other" partition? It could have the ease of being local in its penetration of EnGarde somehow by being on a neighboring partition. Sure you can do this somehow, but why? You want more chance of being bulletproof; I do anyway if I go to the trouble already of using a distro such as this one. I agree with not wanting to connect to the internet right after installation. The Core Impact security product does this too; it is bothersome to say the least. I definitely wouldn't use this anyway with forced registration; that doesn't even feel GPL to me, it sounds like something Bill G would do.

After troublesome install, EnGarde proves it's secure

Posted by: Anonymous [ip: 74.163.12.113] on March 13, 2008 06:03 AM
Besides, you could mirror that data real quick after compressing it, cpio/scp with rzip or lzma26, scan the drive with data externally from another system while this drive with data is not running. Yeah, then it would be OK, but just because you have a drive with data this shouldn't prohibit you from maintaining as much lockdown as you can. You have all kinds of ways to dd data to somewhere for a sec and then put it back on. You do mean data, right? Not a Windows installation on that "other" partition, I hope.
