Astra Linux — a quick review

Tenslab
Oct 13, 2020

Astra Linux is a Debian-based Linux operating system used by the Russian government and its agencies. Lately, a lot of news has been published about the Russian military services officially moving their operating system from Windows XP to Astra Linux Special Edition.

The OS is claimed to provide data protection at the highest level and to be certified by the Russian Defence Minister. Astra Linux itself is developed by Rusbitech, a local technology company.

Two versions have been released: Common Edition and Special Edition.

Common Edition is the free version, and Special Edition is the paid version, which offers more security and is mainly used by Russian government departments. There is a local company that produces a military-grade laptop using Astra Linux SE as the operating system. This laptop uses a locally made processor.

Courtesy of twitter.com/HackerFantastic

OS Security Features:

- Disable non-execution bit setup.
- Use hardened kernel.
- Enable console lock.
- Enable interpreter locks.
- Enable ufw firewall.
- Enable system limits.
- Disable ptrace capability.
- Disable automatic network configuration.
- Install 32-bit bootloader.

The features that differ between editions:

Common Edition:

- Enable password entry for sudo.
- System clock is set to local time.
- Enable autologin X session.

Special Edition:

- Enable ELF signature check.
- Disable bootloader menu show up.
- Enable swap cleanup.
- Enable freeing regions on cleanup on EXT-partitions.

I saw several reviewers say that Astra Linux is just another Debian-based Linux with a Windows XP lookalike skin theme and fancy buzzwords. For me, yes, it's very similar to Windows XP, and the interface is easy to use; I assume your grandma can handle it easily.

I have installed the Astra Linux Common Edition Orel 2.1.22 release, which can be freely downloaded from their site at astralinux.ru. The installation process itself offers two language options: Russian and English.

The step-by-step installation procedure is pretty intuitive.

The installation process takes around 15 minutes.

One thing that caught my attention in the Special Edition is: Enable ELF Signature Check. Unfortunately we can't try this on my installed version.

This feature forbids any unsigned application from being launched. It is useful for preventing malware from being downloaded and installed silently without the user noticing. If you manually try to launch an unsigned application, it will be terminated with a Segmentation Fault error message.

It is not even close to an alternative to this feature, but as an additional security measure I think creating a real-time filesystem monitor will simply help me notice (not disallow execution) if any binary is newly modified in the system. You can adjust the script to add an extra integrity check via md5sum once a modification alert is triggered. And also do a quarantine task chain, just like an antivirus!

Here is the results preview:
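
The monitoring idea described above, as an added Python sketch that is not the author's script: it records a hash for every binary under a directory, reports new, removed or modified ones on the next scan, and can quarantine a flagged file. Assumptions: it polls by comparing snapshots instead of receiving real-time events, uses SHA-256 in place of md5sum, and all function names are hypothetical.

```python
# Added example: snapshot-and-compare monitor for binaries (not the author's script).
# Assumptions: SHA-256 replaces md5sum; polling replaces real-time events;
# the quarantine directory is on the same filesystem as the watched tree.
import hashlib, os, stat

ELF_MAGIC = b"\x7fELF"

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_binary(path):
    """Regular file that is an ELF image or has any execute bit set."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_mode & 0o111:
        return True
    with open(path, "rb") as f:
        return f.read(4) == ELF_MAGIC

def snapshot(root):
    """Map path -> SHA-256 for every binary under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if is_binary(path):
                    snap[path] = sha256_of(path)
            except OSError:
                continue  # unreadable, or vanished during the scan
    return snap

def diff(old, new):
    """Sorted (event, path) alerts between two snapshots."""
    alerts = [("new", p) for p in new.keys() - old.keys()]
    alerts += [("removed", p) for p in old.keys() - new.keys()]
    alerts += [("modified", p) for p in old.keys() & new.keys() if old[p] != new[p]]
    return sorted(alerts)

def quarantine(path, qdir):
    """Drop all permission bits, then move the file into qdir."""
    os.chmod(path, 0)
    dest = os.path.join(qdir, os.path.basename(path) + ".quarantined")
    os.replace(path, dest)
    return dest
```

Take a baseline with `snapshot()` on a directory such as `/usr/bin`, rescan on a timer, and alert whenever `diff()` returns a non-empty list.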
