Astra Linux - Security Focussed Linux Distribution?

Something useful, Open Source here that we can port to Whonix?

https://astralinux.ru/en/

https://astralinux.ru/en/products/astra-linux-special-edition/

• Mandatory access control
• Modules isolation
• Clearing RAM and external memory, secure file deletion
• Document marking
• Events logging
• Information protection procedures in graphics subsystem
• User activity constraint mode (KIOSK mode)
• Protection of addressing space of processes
• Control of software environment closure
• Integrity control
• Domain configuration tools
• Secure relational DBMS
• Secure software package of email
• Secure software package of hypertext data processing

Wouldn’t really trust a Russian government OS too much.

These points seem to mostly be marketing with no actual substance.

Mandatory access control

This is too vague. They don’t explain what they actually do with MAC.

Modules isolation

This doesn’t even make sense. Do they mean isolation between kernel module processes? Because, that’s literally impossible due to the design of linux.

Clearing RAM and external memory, secure file deletion

Great. How?

Document marking

How is marking documents a security feature?

Events logging

Too vague. This is already done by default to some extent.

Information protection procedures in graphics subsystem

Too vague. Too many buzz words, no actual info.

User activity constraint mode (KIOSK mode)
Protection of addressing space of processes
Control of software environment closure
Integrity control
Domain configuration tools

Too vague.

Secure software package of email

Pre-installing an email client doesn’t make the OS super secure.

Secure software package of hypertext data processing

So they have a browser? Great…

I can’t find any source code or technical documentation either although I may have just missed it as a lot of the site is in Russian which I don’t understand.

How you know?

Installing Astra Linux Common Edition in a VM. The installer seems based on the usual old Debian installer (DI). A new screen shows various options. All disabled by default. Possible to opt-in.

• Use hardened kernel.
• Enable console lock.
• Enable interpreter locks.
• Enable ufw firewall.
• Enable system limits.
• Disable ptrace capability.
• Disable non-execution bit setup. [skip]
• Enable password entry for sudo.
• System clock is set to local time.
• Enable autologin X session. [skip]
• Disable automatic network configuration. [skip]
• Install 32-bit bootloader. [skip]

[skip] meaning I will skip those.

• Disable non-execution bit setup. [skip]

I don’t know if this should be checked for better security.

I see it in source code here:
https://gitlab.boincfast.ru/Kekkonen/autoinstall-astra/blob/de73879efc221dafc28b417ded5c6ce659c336d1/roles/preseed/vars/main.yml#L66

But that repository https://gitlab.boincfast.ru/Kekkonen/autoinstall-astra may be third-party / extra just for auto installation.

• System clock is set to local time.

What would it be set to otherwise?

Astra Linux - Wikipedia

Astra Linux is a Russian Linux-based computer operating system developed to meet the needs of the Russian army, other armed forces and intelligence agencies.

Where did you find the link to this?

That’s not a primary source. Wikipedia has some inaccuracies. It’s also implying Open Source. But I haven’t found any source code yet.

Google textual strings found in installer using quotes.

To me, this seems to be just another debian re-skin with fancy buzzwords.

I don’t see anything there that it is a Russian government OS.

Something used by the government does not imply “developed by the government”. Russian government before used Windows and nobody claimed yet as far as I know that Windows was a Russian government project.

Certification also does not hint at “developed by the government”. Governments certify all sorts of things all the time. Also does the government usually certify itself?

Astra Linux, a Debian derivative developed by Russian company RusBITech since 2008.

RusBITech initially developed the OS for use in the Russian private market, but the company also expanded into the local government sector, where it became very popular with military contractors.

“expanded into the local government sector”, alright, well, producing products targeted at government sector, one could argue that is slippery slope resulting in blurry borders between private and government sector?

RusBITech initially developed the OS for use in the Russian private market, but the company also expanded into the local government sector, where it became very popular with military contractors.

Which is a pretty broad claim and needs evidence.

For example Now russian govermential agencies can use Astra Linux for the top-secret information processing - Linux.com talks about “Astra Linux”

Thus the open-source based software platform with the high-level information security has appeared for governmental agencies in Russia. The process of complete replacement of previous operating systems and software by Linux and open-source software that is going on nowadays in governmental agencies in Russia must be completed till 2015.

The operating system «Astra Linux» has been created and is developing by the RPA RusBITech on the base of open-source software and functions on the computers with the processors x86-64 and ARM, and also on the mainframes IBM System Z. It comprises the software that ensures the highest level of information security.

Which implies Astra Linux is Open Source. Or at very least misleading. Perhaps it was different in past and that article is now outdated. But I doubt it is intentionally misleading. “Linux” easily makes the mental connection “Open Source” and that is easily written without verification or mistakenly some other source code for it.

Quote Wikipedia:

It is declared the Astra Linux licenses correspond with Russian and international laws and “don’t contradict with the spirit and demands of GPL license”.[7]

But I haven’t found any source code yet and I tried hard to find it using multiple search engines. I cannot prove something is closed source and I would say the burden of proof is on the one claiming the something “is Open Source”. Show me the source code then, right?

https://astralinux.ru/en/products/astra-linux-common-edition/ (archived) links to https://astralinux.ru/products/astra-linux-common-edition/documents-astra-ce/liczenzionnoe-soglashenie-po-ispolzovaniyu-operaczionnoj-sistemyi-obshhego-naznacheniya-«astra-linux-common-edition».pdf (archived) which is not using an Open Source license but a proprietary license contract.

Astra Linux wikipedia talk page (archived) talks about an edit war.

Quote Astra Linux Russian Wikipedia Page

License Semi-free (without decompilation rights) for Common Edition [2] , proprietary - for Special Edition [3]

[2] http://www.astra-linux.com/litsenzionnoe-soglashenie.html (archived)
[3] http://www.astra-linux.com/usloviya-litsenzirovaniya.html (archived)

Astra Linux by Russian government… Is it a plausible claim worth researching or outrageous? Certainly not totally off. Worth researching.

I am not even so much interested in Astra Linux by Russian government or not. It would be good to know if it is by Russian government or not, but the more important here for me are the generalized lessons. Inaccuracies in media, wikipedia, epistemology, scientific method, logic, arguments.

Alright, it might not be directly created by the Russian government but they do have ties with it and the government likely has lots of influence.

A friend sent me a screenshot of the Astra Special Edition. Good for comparison with Astra Common Edition (see post #4).

Converting into text here.

• Enable ELF signature check.
• Disable non-execution bit setup.
• Use hardened kernel.
• Disable bootloader menu show up.
• Enable swap cleanup.
• Enable freeing regions on cleanup on EXT-paritions.
• Enable console lock.
• Enable interpreter locks.
• Enable ufw firewall.
• Enable system limits.
• Disable ptrace capability.
• Disable automatic network configuration.
• Install 32-bit bootloader.

More information here:

• АО «НПО РусБИТех» → AstraLinux® SE
• https://web.archive.org/web/20191203174531/https://rusbitech.ru/en/products/os/astra-linux-se

Astra Linux Special Edition has a nice security feature “ELF Signature Check” that I would like to have for Whonix / Kicksecure too. All ELF binaries seem to be signed. No unsigned ELF binaries can be executed. Similar to Secure Boot but for all ELF binaries.

While Secure Boot in Debian by the time of writing verifies the bootloader signature, which verifies the kernel, which verifies kernel modules but then continues to execute unverified initrd and everything else. References, see these posts:

• enable Linux kernel gpg verification in grub and/or enable Secure Boot by default - #30 by Patrick
• Guaranteeing initramfs integrity during Secure Boot

Got access to Astra Linux Special Edition over SSH. Made a test. Copied /bin/nano to /bin/nano-test . Tried to execute nano-test . Success. Then edited a textual string inside /bin/nano-test . Tried to execute it again. Segmentation fault .

References what ELF signatures are:

• bsign(1) — bsign — Debian testing — Debian Manpages [archive]
• GitHub - digsig-ng/bsign-mirror: Git import of Debian bsign-0.4.5 sources, ELF executable signing tool. [archive]
• http://disec.sourceforge.net/ [archive]
• Debian Package Tracker [archive]
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857626 [archive]
• Debian -- Error

Another test. Install croc [archive].

wget https://getcroc.schollz.com

mv index.html croc-installer

bash ./croc-installer

Installation was successful. Trying to execute it.

croc

That failed.

Segmentation fault

Systemd journal log showing DIGSIG error.

Could try to sign it.

bsign --sign /usr/local/bin/croc

But asks for passphrase which I don’t know or somehow add a new key if that is possible.

DigSig project stating it is unmaintained since 2009. I wonder what has become of it. It seems like Astra Linux took over maintenance of it?

sudo modinfo digsig_verif

output:

filename: /lib/modules/4.15.3-1-hardened/misc/digsig_verif.ko
author: DIGSIG Team. Rusbitech support@rusbitech.ru
description: Distributed Security Infrastructure Module
license: GPL
srcversion: CCFE23AF0D192900B8313F3
depends:
retpoline: Y
name: digsig_verif
vermagic: 4.15.3-1-hardened SMP mod_unload modversions
parm: dsi_cache_buckets:Number of cache buckets for signatures validations.
(int)
parm: elf_mode:Enforce Digsig restriction for elf (2=debug).
(int)
parm: xattr_mode:Enforce Digsig restriction for xattr (2=debug).
(int)
parm: ignore_xattr_keys:Ignore XATTR user keys.
(int)
parm: ignore_i_mode:Ignore files if (inode i_mode & ignore_i_mode).
(int)
parm: ignore_gost2001:Ignore obsolete GOST R34.10-2001 signatures
(int)

Also the bsign utility which last appeared in Debian jessie is still available in Astra Linux.

What happened to ELF binary signing? Has it just been abandoned, forgotten and is waiting to be re-discovered in the wake of upcoming development of Secure Boot?

The kernel still has documentation on digsig.
https://github.com/torvalds/linux/blob/master/Documentation/digsig.txt

Which mentions keyctl.
https://manpages.debian.org/buster/keyutils/keyctl.1.en.html

Still need to figure out if ELF binary t signing is still doable nowadays (in a more modern way, without reviving digsig by taking over maintenance of it.

DigSig author wrote about reasons for deprecation here:
security - Signed executables under Linux - Stack Overflow

Good article on signed ELF, scroll down to Signed ELF Binaries:
http://dreamhack.it/linux/2015/12/03/secure-boot-signed-modules-and-signed-elf-binaries.html

Solaris signs all binaries:

• security - Signed executables under Linux - Stack Overflow
• https://blogs.oracle.com/solaris/signed-solaris-10-binaries-v2

But Solaris does not (yet?) have a feature to reject unverified binaries.

Newer signed ELF binary developments:

• http://blog.codenoise.com/signelf-digitally-signing-elf-binaries
• security - Signed executables under Linux - Stack Overflow
• ELF executable signing and verification [LWN.net]

Signed ELF binaries don’t seem that important with apparmor-profile-everything as all binaries/libraries are already read-only.

It would be good for defense in depth though.

Enforcing execution of only signed ELF binaries would also prevent the user from downloading and executing arbitrary ELF binaries by attackers (for example sent through e-mail and accidentally executed). It would help to break exploit chains that deploy an ELF binary through drive-by download and then execute it. Is that realistic at all or that wouldn’t work against the usual remote code execution bugs?

Maybe apparmor-profile-everything + noexec would have the same effect?

While easily enabling noexec was recently implemented, I don’t think we can enable that anytime soon by default due to at time of writing non-implemented “Tor Browser vs NOEXEC - Where should the Tor Browser folder be placed?”.

Linux doesn’t allow files to have the execute permission by default anyway so users will have to manually add the permission and execute it.

Unless the attacker somehow adds the permission themselves.

The security of Astra Linux is only to divert attention from the media, the FSB uses randomized systems and computers with different structures

whonix forum need to disable JS .
Fake Profile / using random user agent >

Real profile >

An unknown device
In this way you will not know what was used to enter, computer, tablet, phone, ps, tv etc

In this case, if someone tries to attack with a 0day, it will most likely not work and a copy will be obtained, That is what I have observed

Looked into Astra Linux a bit: