Once a user selects a profile, the product assesses the Linux system and provides one of three conformance indicators: pass, fail or not applicable. "By clicking on any failed criteria, the user receives a detailed description of the failure or suggestions on modification and a choice to accept modification or ignore," Hartman said, adding that the tool is modular and can be updated with new vulnerabilities as they are discovered and added to STIG and CIS.
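The profile-driven workflow described above (evaluate each item as pass, fail or not applicable, then let the operator accept or ignore each suggested fix) as an added Python illustration; this is not TCS's code, and the check ids, the sshd and permission rules and the host snapshot are all constructed for the example rather than taken from STIG or CIS.

```python
from dataclasses import dataclass

PASS, FAIL, NA = "pass", "fail", "not applicable"

@dataclass
class Check:
    cid: str        # constructed check id, not a real STIG/CIS identifier
    applies: object # callable: does this item apply to the host at all?
    test: object    # callable: True when the host already conforms
    fix: object     # callable: mutates the snapshot into the conforming state
    advice: str     # description shown to the operator on failure

def run_checks(system, checks):
    """Evaluate a profile; return {cid: (status, advice)} for every check."""
    out = {}
    for c in checks:
        status = NA if not c.applies(system) else PASS if c.test(system) else FAIL
        out[c.cid] = (status, c.advice if status == FAIL else "")
    return out

def remediate(system, checks, results, accept):
    """Apply the fix for each failed check that accept() approves; return fixed ids."""
    by_id = {c.cid: c for c in checks}
    fixed = [cid for cid, (st, adv) in results.items() if st == FAIL and accept(cid, adv)]
    for cid in fixed:
        by_id[cid].fix(system)
    return fixed

# Constructed hardening items modelled on common sshd / file-permission rules.
CHECKS = [
    Check("SSH-ROOT", lambda s: "sshd" in s["services"],
          lambda s: s["sshd"].get("PermitRootLogin", "yes") == "no",
          lambda s: s["sshd"].update(PermitRootLogin="no"),
          "Set 'PermitRootLogin no' in sshd_config and reload sshd"),
    Check("SHADOW-PERM", lambda s: True,
          lambda s: s["perms"]["/etc/shadow"] & 0o027 == 0,   # no g+w, no o+rwx
          lambda s: s["perms"].update({"/etc/shadow": 0o640}),
          "chmod 0640 /etc/shadow"),
    Check("TELNET-OFF", lambda s: "telnet" in s["services"],
          lambda s: not s["services"]["telnet"],
          lambda s: s["services"].update(telnet=False),
          "Disable and remove the telnet service"),
]

def sample_host():
    """Constructed snapshot: sshd with default root login, shadow 0644, no telnet."""
    return {"services": {"sshd": True}, "sshd": {"PermitRootLogin": "yes"},
            "perms": {"/etc/shadow": 0o644}}
```

Running `run_checks(sample_host(), CHECKS)` reports SSH-ROOT and SHADOW-PERM as failures and TELNET-OFF as not applicable; `remediate` then applies only the fixes the supplied `accept` callback approves, so a re-run shows the accepted items passing and the ignored ones still failing.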
Jennifer Mulligan, an analyst at Cambridge, Mass.-based Forrester Research Inc., said an automated, easy-to-use application like Security Blanket could be a boon for system administrators who preside over smaller server deployments.
According to the latest Forrester research on hardening Linux systems, 24% of system administrators are using an ad hoc process to harden their servers, and 30% are manually scripting security policies. Automating this process, Mulligan said, could save IT managers time and money. The fact that Security Blanket is based on proven standards like STIG and CIS also bodes well for end users, she said.

Linux security snapshot
Raven Zachary, research director for open source software at the New York-based 451 Group, said Security Blanket provides "a great snapshot of where users could have security vulnerabilities in their Red Hat Enterprise Linux distribution."
"It's a dashboard view [of the system], and it kind of reminds me of what Microsoft was doing with Vista," Zachary said. "They've created a visual, file-sharing, consumer-[oriented] look and feel to it."
Without a tool like Security Blanket, administrators generally address the hardening issue with a series of customized best practices and firewalls or other hardware, Zachary said. "When managing a small set of Linux servers, however, having a tool that simplifies the checklist process and what should be locked down and considered by a system administrator could be very convenient," he said.
But Zachary said Security Blanket isn't quite ready for enterprise-sized deployments just yet. In his view, the application is best suited for server-by-server deployments and for "system administrators with limited numbers of machines."
That said, the potential exists for larger deployments just as soon as TCS expands its support to other Linux distributions like Novell SUSE Linux Enterprise Server and Debian, Zachary noted. "It wouldn't take much more effort for TCS to add other Linux distributions, and I think they're going to have to if they want to stay relevant," he said.

Bastille Linux
Security Blanket's feature set mirrors that of Bastille Linux, a freely available interactive hardening script for selected Linux distributions such as RHEL and SUSE Linux Enterprise Server. Bastille is free software licensed under the GNU General Public License.
Bastille is free, but Forrester's Mulligan said it can be harder to use and requires a degree of knowledge and familiarity to get the best return. "[TCS] offers something easier to use, something that will appeal to novice users and will allow them to scale a few Linux machines without being perfect operating system gurus," she said.
Hartman said Security Blanket differentiates itself from Bastille by automating STIG and CIS compliance checks, something the free tool does not currently do.

For now, TCS is competitive with Bastille, but nothing is stopping the Bastille community from simply adding features similar to Security Blanket's automation into the Bastille source code, Zachary said. "TCS is going to need to look at more of an enterprise play," he noted. "Certainly, however, this is a valuable application for users with a small number of deployments that want to make sure their basic systems are locked down."
Email Jack Loftus with your comments and suggestions.