
Astra Linux - Security Focussed Linux Distribution?

Something useful, Open Source here that we can port to Whonix?

https://astralinux.ru/en/

https://astralinux.ru/en/products/astra-linux-special-edition/

  • Mandatory access control
  • Modules isolation
  • Clearing RAM and external memory, secure file deletion
  • Document marking
  • Events logging
  • Information protection procedures in graphics subsystem
  • User activity constraint mode (KIOSK mode)
  • Protection of addressing space of processes
  • Control of software environment closure
  • Integrity control
  • Domain configuration tools
  • Secure relational DBMS
  • Secure software package of email
  • Secure software package of hypertext data processing
2 Likes

Wouldn’t really trust a Russian government OS too much.

These points seem to mostly be marketing with no actual substance.

Mandatory access control

This is too vague. They don’t explain what they actually do with MAC.

Modules isolation

This doesn’t even make sense. Do they mean isolation between kernel module processes? Because that’s literally impossible due to the design of Linux.

Clearing RAM and external memory, secure file deletion

Great. How?

Document marking

How is marking documents a security feature?

Events logging

Too vague. This is already done by default to some extent.

Information protection procedures in graphics subsystem

Too vague. Too many buzz words, no actual info.

User activity constraint mode (KIOSK mode)
Protection of addressing space of processes
Control of software environment closure
Integrity control
Domain configuration tools

Too vague.

Secure software package of email

Pre-installing an email client doesn’t make the OS super secure.

Secure software package of hypertext data processing

So they have a browser? Great…

I can’t find any source code or technical documentation either, although I may have just missed it, as a lot of the site is in Russian, which I don’t understand.

1 Like

How do you know?

1 Like

Installing Astra Linux Common Edition in a VM. The installer seems based on the usual old Debian installer (DI). A new screen shows various options. All disabled by default. Possible to opt-in.

  • Use hardened kernel.
  • Enable console lock.
  • Enable interpreter locks.
  • Enable ufw firewall.
  • Enable system limits.
  • Disable ptrace capability.
  • Disable non-execution bit setup. [skip]
  • Enable password entry for sudo.
  • System clock is set to local time.
  • Enable autologin X session. [skip]
  • Disable automatic network configuration. [skip]
  • Install 32-bit bootloader. [skip]

[skip] meaning I will skip those.

  • Disable non-execution bit setup. [skip]

I don’t know if this should be checked for better security.

I see it in source code here:
https://gitlab.boincfast.ru/Kekkonen/autoinstall-astra/blob/de73879efc221dafc28b417ded5c6ce659c336d1/roles/preseed/vars/main.yml#L66

But that repository https://gitlab.boincfast.ru/Kekkonen/autoinstall-astra may be third-party / extra just for auto installation.

  • System clock is set to local time.

What would it be set to otherwise?

1 Like

https://en.wikipedia.org/wiki/Astra_Linux

Astra Linux is a Russian Linux-based computer operating system developed to meet the needs of the Russian army, other armed forces and intelligence agencies.

Where did you find the link to this?

1 Like

That’s not a primary source. Wikipedia has some inaccuracies. It’s also implying Open Source. But I haven’t found any source code yet.

Google textual strings found in installer using quotes.

1 Like

To me, this seems to be just another Debian re-skin with fancy buzzwords.

I don’t see anything there that it is a Russian government OS.

Something used by the government does not imply “developed by the government”. The Russian government previously used Windows, and as far as I know nobody has yet claimed that Windows was a Russian government project.

Certification also does not hint at “developed by the government”. Governments certify all sorts of things all the time. Also does the government usually certify itself?

Astra Linux, a Debian derivative developed by Russian company RusBITech since 2008.

RusBITech initially developed the OS for use in the Russian private market, but the company also expanded into the local government sector, where it became very popular with military contractors.

“expanded into the local government sector”, alright, well, producing products targeted at the government sector, one could argue that is a slippery slope resulting in blurry borders between the private and government sectors?

RusBITech initially developed the OS for use in the Russian private market, but the company also expanded into the local government sector, where it became very popular with military contractors.

Which is a pretty broad claim and needs evidence.

For example https://www.linux.com/tutorials/now-russian-govermential-agencies-can-use-astra-linux-top-secret-information-processing/ talks about “Astra Linux”

Thus the open-source based software platform with the high-level information security has appeared for governmental agencies in Russia. The process of complete replacement of previous operating systems and software by Linux and open-source software that is going on nowadays in governmental agencies in Russia must be completed till 2015.

The operating system «Astra Linux» has been created and is developing by the RPA RusBITech on the base of open-source software and functions on the computers with the processors x86-64 and ARM, and also on the mainframes IBM System Z. It comprises the software that ensures the highest level of information security.

Which implies Astra Linux is Open Source. Or at the very least is misleading. Perhaps it was different in the past and that article is now outdated. But I doubt it is intentionally misleading. “Linux” easily makes the mental connection “Open Source” and that is easily written without verification or mistakenly some other source code for it.

Quote Wikipedia:

It is declared the Astra Linux licenses correspond with Russian and international laws and “don’t contradict with the spirit and demands of GPL license”.[7]

But I haven’t found any source code yet, and I tried hard to find it using multiple search engines. I cannot prove something is closed source, and I would say the burden of proof is on the one claiming that something “is Open Source”. Show me the source code then, right?

https://astralinux.ru/en/products/astra-linux-common-edition/ (archived) links to https://astralinux.ru/products/astra-linux-common-edition/documents-astra-ce/liczenzionnoe-soglashenie-po-ispolzovaniyu-operaczionnoj-sistemyi-obshhego-naznacheniya-«astra-linux-common-edition».pdf (archived) which is not using an Open Source license but a proprietary license contract.

Astra Linux wikipedia talk page (archived) talks about an edit war.

Quote Astra Linux Russian Wikipedia Page

License Semi-free (without decompilation rights) for Common Edition [2] , proprietary - for Special Edition [3]

[2] http://www.astra-linux.com/litsenzionnoe-soglashenie.html (archived)
[3] http://www.astra-linux.com/usloviya-litsenzirovaniya.html (archived)

Astra Linux by Russian government… Is it a plausible claim worth researching or outrageous? Certainly not totally off. Worth researching.

I am not even so much interested in whether Astra Linux is by the Russian government or not. It would be good to know if it is by the Russian government or not, but more important here for me are the generalized lessons: inaccuracies in media, Wikipedia, epistemology, scientific method, logic, arguments.

1 Like

Alright, it might not be directly created by the Russian government but they do have ties with it and the government likely has lots of influence.

A friend sent me a screenshot of the Astra Special Edition. Good for comparison with Astra Common Edition (see post #4).

Converting into text here.

  • Enable ELF signature check.
  • Disable non-execution bit setup.
  • Use hardened kernel.
  • Disable bootloader menu show up.
  • Enable swap cleanup.
  • Enable freeing regions on cleanup on EXT-partitions.
  • Enable console lock.
  • Enable interpreter locks.
  • Enable ufw firewall.
  • Enable system limits.
  • Disable ptrace capability.
  • Disable automatic network configuration.
  • Install 32-bit bootloader.
1 Like

More information here:

1 Like