Linux Vendors Increase Security Features

Analysis: Red Hat, Canonical and Novell are enhancing the security features in their Fedora, Ubuntu and OpenSUSE Linux distributions, which are all slated for release later in 2008.

Linux-based operating systems are built on an open-development model, which can afford organizations an early view of, and an opportunity to influence, the technologies and implementations that will eventually work their way into these companies' infrastructures.

What's more, these early looks extend beyond points on a presentation slide to comprise runnable code that's gathered into fast-moving, community-supported Linux distributions that administrators can begin testing in advance of the long-lived, enterprise-oriented releases to come.

I examined the principal security-related developments in three such vanguard Linux distributions, Canonical's Ubuntu Linux 8.10, Novell's OpenSUSE 11.1 and Red Hat's Fedora 10, all of which are now available in beta form.

Ubuntu Linux 8.10, which is slated for release at the end of October, ships with an encrypted private directory feature that enables users to store sensitive data securely without incurring the performance overhead of full-volume encryption.


In my own tests with full-volume encryption in previous Ubuntu versions, I've noted processor overhead of about 20 to 30 percent during disk-intensive processes such as virtual machine image creation.

What's more, full-disk encryption unlocked by a single passphrase poses problems for multiuser machines, because unlocking the disk is an all-or-nothing proposition rather than a user-by-user measure: whoever supplies the passphrase at boot exposes every user's data, not just their own.

As implemented in Ubuntu 8.10, the encrypted private directory feature creates a folder labeled "Private" in users' home directories. The system automatically encrypts files placed in this directory and unlocks the directory upon user log-on.

In my tests, I could broaden the range of home directory folders that the system protected by copying the folders to the Private location and leaving a symlink behind to allow my applications to continue accessing the protected files at their previous addresses.
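The move-and-symlink step described above, written out as a small POSIX shell helper. This is an added example, not code from the article or from Ubuntu's own tooling; it assumes the Private folder is an eCryptfs mount (the mechanism Ubuntu 8.10 uses for ~/Private), that /proc/mounts is readable, and that the directory being protected lives under the home folder and is not already a symlink. The function names and the mount check are this example's own.

```shell
#!/bin/sh
# Added example: relocate a home-directory folder into the encrypted
# Private directory and leave a symlink at the old path so applications
# keep finding their files. Not from the article or from ecryptfs-utils.

# Returns 0 only if the given path is currently mounted as eCryptfs.
# Moving data into an unmounted Private folder would write it in
# plaintext to the underlying disk, so callers should check this first.
private_is_mounted() {
    # $1 = mount point, e.g. "$HOME/Private" (assumed eCryptfs, as in Ubuntu 8.10)
    grep -q " $1 ecryptfs " /proc/mounts 2>/dev/null
}

# Move directory $2 into private directory $1 and symlink the old path.
# Refuses to run if either path is wrong or the move would clobber data.
protect_dir() {
    private="$1"
    target="$2"
    [ -d "$private" ] || { echo "private dir $private does not exist" >&2; return 1; }
    # A symlink that already points into Private must not be moved again.
    [ -L "$target" ] && { echo "$target is already a symlink" >&2; return 1; }
    [ -d "$target" ] || { echo "$target is not a directory" >&2; return 1; }
    name=$(basename "$target")
    dest="$private/$name"
    [ -e "$dest" ] && { echo "$dest already exists in $private" >&2; return 1; }
    mv "$target" "$dest" || return 1
    ln -s "$dest" "$target" || return 1
    # Keep the relocated tree private to its owner.
    chmod 700 "$dest"
}

# Usage (interactive, not run automatically):
#   private_is_mounted "$HOME/Private" || { echo "Private not mounted"; exit 1; }
#   protect_dir "$HOME/Private" "$HOME/.ssh"
#   protect_dir "$HOME/Private" "$HOME/.gnupg"
```

Two caveats worth knowing before relying on this. First, `mv` into an eCryptfs mount is a cross-filesystem move, so the files are copied and the originals unlinked; the old plaintext blocks remain on the unencrypted disk until they are overwritten, which is the same class of exposure the article notes for swap. Second, the symlink is created only after the move succeeds, so a failed copy leaves the original directory in place rather than a dangling link.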

As this feature now stands, it's too roughly implemented to supplant full-volume encryption entirely: there's no user interface at this point, and there's the possibility that sensitive data could be pulled from a system's unencrypted swap partition. I hope to see Ubuntu's encryption feature set firmed up to include full-volume, Private folder and home directory encryption in time for the distribution's next LTS (Long Term Support) release, which is currently scheduled for April 2010.