Pipe 3CZ Friday Distro: Alpine Linux

Friday Distro: Alpine Linux

by
in linux on (#3CZ)
This week's Friday distro is Alpine Linux, a surprisingly interesting distro specialized for Routers, VPNs, VOIP service, and firewalls that takes an aggressive, proactive approach to security. It's therefore minimalist, so you can install it on a router, and includes the absolute minimum (no Perl, for example). It began life as a branch of the LEAF project, which wanted a router/vpn system that could be booted from a floppy disk and run from memory: the Alpine hackers decided that config was a bit too minimal and chose instead a slightly larger package set that also provided squid, samba, dansguardian, and some other heavier applications. I thought for sure I'd learn it was developed by a bunch of Swiss or Austrian hackers, but no: it simply stands for "A Linux Powered Integrated Network Engine." Distrowatch reports it comes originally from Norway.

Most interesting of all, Alpine incorporates two security enhancements I haven't yet found on any other distro: PaX and Buffer Overflow Protection (Stack Smashing Protection). PaX is a Linux kernel patch that implements least privilege protection for memory pages. It flags data memory as non-executable, program memory as non-writable and randomly arranges the program memory. Inclusion of these two systems kept Alpine Linux protected from the vmsplice 0-day Linux kernel vulnerability: even though the attack would crash the OS, there would be no system compromise.

If you're interested in trying it, it's easy: you can run it from a USB stick, back up your config to a single file, and its simple package management and init systems make it possible to be up and running in under 10 minutes.

History


Deprecated: mb_convert_encoding(): Handling HTML entities via mbstring is deprecated; use htmlspecialchars, htmlentities, or mb_encode_numericentity/mb_decode_numericentity instead in /var/pipedot/include/diff.php on line 25

Deprecated: Creation of dynamic property FineDiff::$granularityStack is deprecated in /var/pipedot/lib/finediff/finediff.php on line 217

Deprecated: Creation of dynamic property FineDiff::$edits is deprecated in /var/pipedot/lib/finediff/finediff.php on line 218

Deprecated: Creation of dynamic property FineDiff::$from_text is deprecated in /var/pipedot/lib/finediff/finediff.php on line 219

Deprecated: Creation of dynamic property FineDiff::$last_edit is deprecated in /var/pipedot/lib/finediff/finediff.php on line 372

Deprecated: Creation of dynamic property FineDiff::$stackpointer is deprecated in /var/pipedot/lib/finediff/finediff.php on line 373

Deprecated: Creation of dynamic property FineDiff::$from_offset is deprecated in /var/pipedot/lib/finediff/finediff.php on line 375

Deprecated: Creation of dynamic property FineDiffCopyOp::$len is deprecated in /var/pipedot/lib/finediff/finediff.php on line 155
2014-07-18 09:43
Friday Distro: Alpine Linux
zafiro17@pipedot.org
This week's Friday distro is Alpine Linux, a surprisingly interesting distro specialized for Routers, VPNs, VOIP service, and firewalls that takes an aggressive, proactive approach to security. It's therefore minimalist, so you can install it on a router, and includes the absolute minimum (no Perl, for example). It began life as a branch of the LEAF project, which wanted a router/vpn system that could be booted from a floppy disk and run from memory: the Alpine hackers decided that config was a bit too minimal and chose instead a slightly larger package set that also provided squid, samba, dansguardian, and some other heavier applications. I thought for sure I'd learn it was developed by a bunch of Swiss or Austrian hackers, but no: it simply stands for "A Linux Powered Integrated Network Engine." Distrowatch reports it comes originally from Norway.

Most interesting of all, Alpine incorporates two security enhancements I haven't yet found on any other distro: PaX and Buffer Overflow Protection (Stack Smashing Protection). PaX is a Linux kernel patch that implements least privilege protection for memory pages. It flags data memory as non-executable, program memory as non-writable and randomly arranges the program memory. Inclusion of these two systems kept Alpine Linux protected from the vmsplice 0-day Linux kernel vulnerability: even though the attack would crash the OS, there would be no system compromise.

If you're interested in trying it, it's easy: you can run it from a USB stick, back up your config to a single file, and its simple package management and init systems make it possible to be up and running in under 10 minutes.
Reply 0 comments