TCS automates Linux server hardening

For Linux system administrators striving to harden a system on a server-by-server basis, Trusted Computer Solutions' Security Blanket may be the way to go.

This Content Component encountered an error
Trusted Computer Solutions (TCS), a Herndon, Va.-based security technology company known for its work in hardening Sun Microsystems Inc.'s Solaris in high-security government environments, is set to launch a tool that it calls a "first for Linux security."

For more on Linux security:
Linux security: Authenticate your users and know what they're up to

Red Hat, Symantec to offer bundled secure server applications

Intrusion detection with Snort on Red Hat Enterprise Linux 5
Called Security Blanket, the tool is an automated security and compliance application for systems running Red Hat Enterprise Linux (RHEL), said Doug Hartman, TCS vice president of product development.

Security Blanket will be available on Sept. 15 for $199 per license. It is a menu-driven system that runs predefined profiles and industry-defined standards for hardening Linux systems. These profiles are based on the Unix Security Technical Implementation Guide (STIG) and Center for Internet Security (CIS) guidelines. Users also have the option to customize profiles that support their own security policies, Hartman said.

[With Security Blanket, users can] scale a few Linux machines without being perfect operating system gurus.
Jennifer Mulligan,
analystForrester Research Inc.

Once a user selects a profile, the product assesses the Linux system and provides one of three conformance indicators: pass, fail or not applicable. "By clicking on any failed criteria, the user receives a detailed description of the failure or suggestions on modification and a choice to accept modification or ignore," Hartman said, adding that the tool is modular and can be updated with new vulnerabilities as they are discovered and added to STIG and CIS.

Jennifer Mulligan, an analyst at Cambridge, Mass.-based Forrester Research Inc., said an automated, easy-to-use application like Security Blanket could be a boon for system administrators who preside over smaller server deployments.

According to the latest Forrester research on hardening Linux systems, 24% of system administrators are using an ad hoc process to harden their servers, and 30% are manually scripting security policies. Automating this process, Mulligan said, could save IT managers time and money. The fact that Security Blanket is based on proven standards like STIG and CIS also bodes well for end users, she said.

Linux security snapshot
Raven Zachary, research director for open source software at the New York-based 451 Group, said Security Blanket provides "a great snapshot of where users could have security vulnerabilities in their Red Hat Enterprise Linux distribution."

"It's a dashboard view [of the system], and it kind of reminds me of what Microsoft was doing with Vista;" Zachary said. "They've created a visual, file-sharing, consumer-[oriented] look and feel to it."

Without a tool like Security Blanket, administrators generally address the hardening issue with a series of customized best practices and firewalls or other hardware, Zachary said. "When managing a small set of Linux servers, however, having a tool that simplifies the checklist process and what should be locked down and considered by a system administrator could be very convenient," he said.

But Zachary said Security Blanket isn't quite ready for enterprise-sized deployments just yet. Zachary said the application is best suited for server-by-server deployments and for "system administrators with limited numbers of machines."

That said, the potential exists for larger deployments just as soon as TCS expands its support to other Linux distributions like Novell SUSE Linux Enterprise Server and Debian, Zachary noted. "It wouldn't take much more effort for TCS to add other Linux distributions, and I think they're going to have to if they want to stay relevant," he said.

Bastille Linux
Security Blanket's feature set mirrors that of Bastille Linux, a freely available Linux application with an interactive hardening script for selected Linux distributions like RHEL and SUSE Linux Enterprise Server. It is free software licensed under the General Public License.

Bastille is free, but Forrester's Mulligan said it can be harder to use and requires a degree of knowledge and familiarity to get the best return. "[TCS] offers something easier to use, something that will appeal to novice users and will allow them to scale a few Linux machines without being perfect operating system gurus," she said.

Hartman said Security Blanket differentiates itself from Bastille by automating STIG and CIS compliance checks, something the free tool does not currently do.

For now, TCS is competitive with Bastille, but nothing is stopping the Bastille community from simply adding features similar to Security Blanket's automation into the Bastille source code, Zachary said.

"TCS is going to need to look at more of an enterprise play," he noted. "Certainly, however, this is a valuable application for users with a small number of deployments that want to make sure their basic systems are locked down," he said.

Email Jack Loftus with your comments and suggestions.

Dig deeper on Linux security tools

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchDataCenter

SearchServerVirtualization

SearchCloudComputing

SearchEnterpriseDesktop

Close