Hola, ADIOS boot CD


Author: JT Smith

If you dismiss the ADIOS Linux Boot CD as just another bootable Linux live CD, you might be missing out on an interesting project with several unique characteristics. Which other distribution provides users with a pre-configured User Mode Linux so that you can run several new instances of Linux within the existing system? Which one comes with a kernel patched with all the latest security safeguards? Can you name another live CD that gives a choice to boot into Security-enhanced Linux, a Linux kernel developed by the National Security Agency (NSA)? Or boot with the Linux Intrusion Detection System turned on?

Developed by the Queensland University of Technology in Brisbane, Australia, ADIOS is an acronym that stands for “Automated Download and Installation of Operating Systems.” The original idea was to create a tool for easy installation of multiple operating systems on students’ workstations, but as the project evolved and the original needs changed, more and more effort went into a Red Hat-based live CD, which is now known as ADIOS Linux Boot CD. Version 2.00, based on Red Hat Linux 9, was released last week.

The CD boot process is a slight variation of other similar live CDs in that it gives users choices for running the live CD entirely from CD and RAM, or partly from a pre-existing Red Hat partition, or using previously saved configuration settings on a hard disk, diskette, or USB memory drive. For Windows-only machines formatted with NTFS, the boot CD provides a useful option to reduce the partition’s size and install ADIOS on a new ext3 file system. The boot process then continues with standard boot messages, while Red Hat’s kudzu automatically detects and configures most hardware. By default, the system boots into graphical mode (the desired runlevel can be modified by selecting the relevant option from the boot menu) with the choice of KDE, GNOME, or IceWM as desktop environments. The passwords for the root account as well as a user account called “adios” are set to “12qwaszx.”

Once the boot process completes, the system resembles a standard Red Hat installation, and indeed, it can be used as such. However, much interesting stuff is hidden inside some of the menus, especially the one called User Mode Linux.

User Mode Linux

For those unfamiliar with the concept, User Mode Linux (UML) is a kernel patch that allows the Linux kernel to be compiled as a standalone Executable and Linkable Format (ELF) binary. Such a kernel can then be executed within user space, or in simple terms, with the ability to boot a second instance of a Linux system within the existing Linux system. The UML kernel then runs as an entirely separate process from the main Linux installation. This is useful in high-security production environments, where certain network services or processes can be run within the UML kernel, or “jail,” as it is often referred to. As such, it can be thought of as a more powerful version of chroot. UML has also found its place among the developers writing kernel-level code, who use it as a convenient debugging tool.

While patching the kernel with the UML patch and downloading the desired root file system (currently available for certain versions of Debian, Mandrake, Red Hat, and Slackware) is not particularly difficult, the ADIOS developers have conveniently configured their live CD in such a way that a single click on the relevant panel icon will launch Konsole, where you can watch the process of booting into another instance of Red Hat Linux. The boot process stops at runlevel 3, but typing startx launches IceWM with several lightweight graphical applications, such as Mozilla Firebird, as well as some system tools. It goes without saying that the user mode instance of Red Hat Linux is not a full Red Hat Linux (a 94MB ISO image can be downloaded separately), since few users will need to jail three CDs’ worth of applications. Depending on the available system memory, you can start more than one instance of UML.

Security-Enhanced Linux

Besides the standard kernel, the ADIOS live CD also comes with Security-enhanced Linux (SELinux), developed by the US National Security Agency. According to the project’s Web site, “Security-enhanced Linux is a research prototype of the Linux kernel with enhanced security. It contains new architectural components, which provide support for the enforcement of many kinds of mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs.” In other words, users running SELinux can define explicit rules about what subjects (users and programs) can access which objects (files and devices). It can be thought of as an internal firewall with the ability to separate programs, thus ensuring a high level of security within the operating system. SELinux is distributed under GPL.

Although the ADIOS live CD does not allow booting into SELinux, this option is available when starting an instance of the User Mode Linux, or with ADIOS installed on hard disk. It comes with two pre-configured options called “SELinux enforcing” and “SELinux permissive.” Configuration of SELinux tends to get fairly complex and it is essential to read the official policy document on the subject to understand the basic concepts. A graphical configuration tool called SELPE (SELinux Policy Editor) has been developed as a Webmin add-in module by Hitachi Software Engineering Company in Japan. SELPE is not included with ADIOS, although Webmin is.

Linux Intrusion Detection System

The Linux Intrusion Detection System (LIDS) is another project developing a kernel patch that implements access control. When in effect, selected files, system and network administration operations, memory, and I/O access can be made inaccessible even for root. A configuration file defines which programs can access specific files. LIDS can be fine-tuned to hide sensitive processes and to send security alerts over the network. As with SELinux, LIDS also requires a fair amount of reading before it can be used effectively, but the ADIOS boot CD comes complete with sample configuration files and instructions on how to use it. Unlike SELinux, the LIDS-enabled kernel can be started directly from the boot CD by typing lids at the boot prompt, and it is also available in User Mode Linux by selecting the appropriate menu entry. It can be turned on and off in a running kernel, which is a useful option in cases where a quick modification of LIDS configuration is required.
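The access-control idea shared by the SELinux and LIDS sections above, as an added example that is not code from the article, from ADIOS, or from either project: a default-deny check keyed on program and file in which being root grants nothing, run in an "enforcing" and a "permissive" mode. The rule format, class names and sample policy are constructed for illustration and are not SELinux policy syntax or the LIDS configuration format.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    program: str      # subject: the executable making the request
    path: str         # object: a file, or a directory covering everything below it
    perms: frozenset  # operations this program may perform on the object

@dataclass
class Monitor:
    rules: list
    enforcing: bool = True
    audit: list = field(default_factory=list)

    @staticmethod
    def _covers(rule_path, path):
        # Compare whole path components so /var/www does not cover /var/www-private.
        return path == rule_path or path.startswith(rule_path.rstrip("/") + "/")

    def check(self, uid, program, path, perm):
        """Return True if the access proceeds. uid is logged but never consulted,
        so uid 0 gets no bypass (mandatory, not discretionary, control)."""
        for r in self.rules:
            if r.program == program and perm in r.perms and self._covers(r.path, path):
                return True
        self.audit.append(f"denied uid={uid} prog={program} path={path} perm={perm}")
        return not self.enforcing  # permissive mode: record the denial, allow anyway

# Constructed sample policy: anything not listed is denied.
POLICY = [
    Rule("/bin/login", "/etc/shadow", frozenset({"read"})),
    Rule("/usr/sbin/httpd", "/var/www", frozenset({"read"})),
]

def run(enforcing):
    """Replay five constructed requests; return (decisions, audit log)."""
    m = Monitor(POLICY, enforcing=enforcing)
    decisions = [
        m.check(0, "/bin/login", "/etc/shadow", "read"),                # listed
        m.check(0, "/bin/cat", "/etc/shadow", "read"),                  # root, no rule
        m.check(48, "/usr/sbin/httpd", "/var/www/index.html", "read"),  # under /var/www
        m.check(48, "/usr/sbin/httpd", "/var/www-private/key", "read"), # look-alike dir
        m.check(48, "/usr/sbin/httpd", "/var/www/index.html", "write"), # wrong perm
    ]
    return decisions, m.audit

if __name__ == "__main__":
    for mode in (True, False):
        decisions, audit = run(mode)
        print("enforcing" if mode else "permissive", decisions)
        print("\n".join(audit))
```

Both modes produce the same audit log; only the outcome of the unlisted requests differs, which is why a permissive run is useful for finding missing rules before switching to enforcing.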

Other features

Other than the abovementioned security enhancements, ADIOS is a standard Red Hat Linux. The ADIOS kernels were built with the Squashfs file system loopback interface to allow the operating system to mount a compressed file system containing nearly 2GB of files. This is a departure from a more widely used cloop file system, originally developed by the LNX-BBC project, but now actively maintained by Knoppix. Both allow for faster transfer of files between the CD-ROM and memory, as well as on-the-fly decompression.

Starting with version 1.33, the project also provides an ADIOS Development Kit (ADK), which is essentially a script enabling custom builds of Red Hat-based live CDs. This is for those users who miss certain packages not included on the original ADIOS live CD, or those who would prefer a leaner system, as the addition of new RPM packages, as well as removal of unneeded packages is supported. Once all configuration is completed, the “make iso” command creates the final ISO image, which can be burned onto a bootable CD. All documentation and scripts are stored in the /adk directory on the CD.

The most recent stable version of ADIOS is 2.00, which is based on Red Hat Linux 9, although an older version 1.33, based on Red Hat 8, is also available. Those who prefer a more up-to-date system can try out the first development release of ADIOS 3.00-test1, which is based on Fedora Core 1.

The ADIOS Linux Boot CD is released under GPL. While the project provides ample documentation on all aspects of the live CD, it lacks any mailing lists or user forums for interaction and exchange of help with other users. This is possibly the only sore point about the otherwise excellent and, in many ways, unique distribution, so one has to hope that with the increased awareness of the project, the developers will make an effort to set up some form of online discussion forum. Even if they don’t, the 700MB ADIOS CD is certainly worth a download, especially for its educational qualities on the subject of kernel-level security and the fun of booting Linux within Linux.

Ladislav Bodnar is the creator and maintainer of DistroWatch.com, a Web site devoted to news and information about Linux distributions. Born in Slovakia and a citizen of South Africa, he currently lives in Taiwan with his wife and a parrot.