The RusBITech-Astra LLC company presented a special-purpose distribution kit, Astra Linux Special Edition 1.8, which can be used to protect confidential information and state secrets to the level of “special importance.” The distribution is based on the Debian GNU/Linux package base and contains additional security mechanisms, such as its own system of mandatory access control, auditing, file integrity and authentication control (PARSEC), guaranteed file deletion, and kernel assembly with patches to improve security. The user environment is built on the proprietary Fly desktop environment with components using the Qt library.
The distribution is distributed under a license agreement, which imposes a number of restrictions on users. Specifically, commercial use without a license agreement, decompilation, and disassembly are prohibited. The original operating algorithms and source code, implemented specifically for Astra Linux, are classified as trade secrets. The user is limited to one copy of the product on a single computer or virtual machine, and also grants the right to make only one backup copy of the product media. Complete installation builds are not yet publicly available, but container images and virtual machines.
The release successfully passed a set of tests in the information security certification system of the FSTEC of Russia at the first, highest level of trust, i.e. can be used to process information constituting a state secret of “special importance”. The certificate confirms compliance with security requirements for operating systems, virtualization and containerization tools, as well as DBMS.
Major changes:
- The package database has been updated to Debian 12.
- There are two Linux kernel packages to choose from, based on releases 6.1 and 6.6. Kernel 6.1 comes with changes and fixes from ISP RAS and will be supported throughout the entire OS life cycle. Kernel 6.6 is categorized as having a short-term maintenance cycle.
- Two separate repositories are proposed: Main and Extended. The first includes packages that have passed the full certification cycle, and the second contains development tools, packages for building the Main repository, as well as additional application and system packages.
- A new installer, astra-installer, is used, which starts after the system boots in Live mode. Remote control of the installation is supported using the VNC protocol.
- The update process from the Astra Linux 1.7 branch to release 1.8 has been automated; in case of problems during the update, a rollback to the previous state is possible.
- A scheme for assigning predictable names to network interfaces is used.
- The Kea DHCP server is included.
- The fly-admin-smc system administration interface has been replaced by the astra-systemsettings tool, which provides access to various settings modules. Among other things, a module for managing local security policy is integrated, which does not require running a separate fly-admin-smc program. Modules are also available for user management, mandatory access control, mandatory integrity control, file integrity monitoring using digital signatures, setting up an audit system, accounting for connected drives, setting up memory clearing, enabling graphic kiosk mode, and assessing the status of security functions.
- Ready-made recommended configuration profiles for information security tools have been implemented for various use scenarios. Previously, to comply with various security classes of systems, configuration instructions were offered that required manual work by the administrator. In the new version, the process of changing settings is automated.
- To dynamically monitor software integrity, the ability to use CIPF CryptoPro CSP and certificates for verifying digital signatures issued by a certification authority has been added.
- A new design style for Astra Proxima has been proposed, which reflects modern trends in interface design, but at the same time preserves the familiar design and minimalism. Four design modes are available: light, dark, simplified (without graphic effects) and utility.
- The application menu has been modernized and restructured (it is possible to return to the classic menu).
- Added the “Star Minimalism” sound theme, created with the participation of Roscosmos based on sounds from real space objects.
- The fly-dm-rdp package has been added for organizing a remote connection to the system via the RDP protocol.
- The fly-fm file manager has added a toolbar editor and the ability to display mounted network resources in the navigation panel. In dual-panel mode, two address lines independent of each other are implemented.
- The OpenSSL package has been updated to version 3.2.0.
- The Tantor DBMS has been updated to the PostgreSQL 15 code base (previously PostgreSQL 11 was used) with additions for information security and access control. * The Chromium, Chromium-gost and Firefox browsers have a built-in certificate from the certification center of the Ministry of Digital Development of the Russian Federation.
- Added support for snapshots of virtual machines with UEFI, export/import of virtual machines with snapshots, creating backup copies of virtual machines using virtnbdbackup, combining virtual machines into groups in virt-manager.
- The tools for mandatory integrity control implement the ability to use a hierarchical integrity level, in which the file system root and all file objects after installation have zero linear integrity, and file objects and launched processes can be assigned negative linear integrity.
- Added the ability to monitor the integrity of file system objects and deb packages based on templates, which are lists of files to be checked using checksums.
- Added new privileges: cap_perfmon (allows the use of monitoring systems), cap_bpf (allows some operations with BPF), cap_checkpoint_restore (allows you to determine the PID that is allocated to the next process created inside the namespace).
Source: opennet.ru
