While reading a whitepaper in the SANS reading room today, I came across a reference to OpenNA Linux. OpenNA Linux is a distribution designed with a high level of security in mind. The distribution is somehow derived from Red Hat Linux originally, but now maintained by the OpenNA security solutions team which offers it for free [without support]. The fact that it stems from a Red Hat system makes it easy to install RPMs and gives Red Hat admins a good sense of familiarity. After reading a bit on their website, I plan on testing OpenNA Linux.
OpenNA Linux aims to be more secure than the average main-stream Linux distribution by removing all unnecessary software and services with role-based installations. If you are going to deploy a web-server, you install only the applications necessary to run a web-server. While role-based security is fairly obvious, very few distributions allow you the flexibility of installing only the bare minimum to run the services that you desire. OpenNA Linux even discourages installing an X Window system, which should be advised to any production server.
On a side note, Werner Puschitz, has written an article on how to secure a Linux system that is well worth reading. After reading the article, I have just a couple of additions to the article. The first thing that I would do is with the sshd_config file; replace the following line:
with this line:
This change will prevent the SSH server from using the SSH protocol 1 to authenticate users and it will be more secure. The other item that I don't quite agree with pertains to passwords. The auther encourages very complex passwords which makes it difficult for users to remember them. I do agree with his password scheme for any privileged accounts or accounts with remote access, but for normal users who do not have remote access (outside the subnet) there should be a more relaxed scheme. I would recommend only requiring at least two of the many criteria that he listed, as well as a minimum length of 8 characters.
Overall, I highly recommend reading his article and will get back on how I review the distribution.