Minimum System Requirements:
- Intel Pentium III
- 2 GB disk space (Red Hat recommends that a server-class 7.1 system should have at least 650 MB for a minimum set of packages and 1.2 GB for a full set; the Apache Web server requires approximately 90 MB)
- 128 MB RAM (Red Hat recommends 64 MB RAM for a 7.1 system; Apache requires at least 64 MB for moderate traffic)
- A 3.5-inch 1.44 MB flexible disk drive
- A bootable CD-ROM drive and a tape drive
- A network interface card
Pros: A Red Hat-compatible Linux for the totally paranoid.
Cons: Somewhat out of date compared to modern Linux distributions; no Kerberos Domain Controller or LDAP domain setup facility; no automatic updates; no administrative GUI to configure Tripwire intrusion detection.
In many enterprises with mission-critical applications, Linux is still perceived as a hacker OS where new security holes pop up every day. In a sense, that opinion is not too far from the truth. By default, most “out of the box” Linux servers are not pre-configured to be very secure.
Recognizing the need for an enterprise-ready Linux, Hewlett Packard developed its own preferred Linux distribution, HP Secure OS for Linux, or just HP-LX. Introduced in October 2001, HP-LX lets enterprises run an open operating system on commodity hardware without all the security risks.
At the time this review was written, HP-LX was still at version 1.0, and version 2.0 was in late beta testing. Please keep in mind that this review reflects a product at the end of its sales and support cycle.
HP-LX is a full-blown Linux distribution, based heavily on Red Hat 7.1. When it was first introduced, Red Hat 7.1 was a fairly up-to-date distribution, but now in late 2002, it’s starting to show its age. HP-LX 1.0 out of the box still runs the original Red Hat 7.1 kernel, which is at version 2.4.5.
The HP-LX install procedure is essentially a standard Red Hat 7.1 text-mode install. The main difference is that HP-LX is capable of using Kerberos and LDAP, authentication methods that plain vanilla Red Hat does not have. An additional setup screen lets you choose your authentication method.
Both Kerberos and LDAP require dedicated servers for external authentication — a Kerberos Domain Controller (KDC) and LDAP Domain Server, respectively — which we were unable to set up for the purposes of this review. However, Solaris, AIX, and HP-UX have KDC and LDAP Domain Server, so it’s assumed that you’ll be running HP-LX and one of these Unixes as well. (Kerberos KDC functionality is available on Linux, but the HP-LX install doesn’t provide for setting up a new KDC — we hope that HP provides this in the next version.)
By default, HP-LX is installed with ipchains security set to “high,” but this can be changed during the install. Additionally, and again by default, no remote console services are turned on. It’s expected that HP-LX will be used in a datacenter with some sort of KVM management scheme. sshd can be turned on, but it has to be done post-install.
In addition to Kerberos and LDAP authentication and default high security firewalling, HP-LX also runs Tripwire (http://www.tripwire.com), an intrusion detection system that continuously looks for changes in the file system, such as tampering with password files, moving or deleting core system files, etc.
Tripwire comes with a policy file import tool that allows the system administrator to add file system objects (files, databases, etc.) to the list of directories to be monitored. In HP-LX 1.0, that tool is command-line based and is fairly complicated to use. We hope that a future release includes an X-based GUI.
While we had no problem running all sorts of Linux server applications on HP-LX, and had no problem manually updating the RPMs to newer versions, the Red Hat up2date program does not work with HP-LX. We understand that HP-LX should be treated as a totally new OS, but it is for the most part plain vanilla Red Hat with some added security bells and whistles, and we would expect some form of automatic system update facility.
For the most part, we were really happy to see that HP is serious about Linux and provides a secure version for its most paranoid of customers — myself included. If you’re looking to bring Linux into your environment, but want to be able to sleep at night as well, definitely give HP-LX a whirl.
Jason Perlow is a systems integrator. He can be reached at firstname.lastname@example.org.