Security Considerations in Choosing a UNIX Distribution

Written by: Andreas Schmidt. Published: September 2007.



Consider the following key security factors when selecting a UNIX distribution:

· Understand the intended use of the system. What threats must the system defend against? Consider physical, human, and technological threats.

· Gauge the technical security competence and awareness of the primary administrator(s). Distributions that are a significant departure from local technical security expertise should be considered a higher risk (unless technical security training will be provided). Vendor-provided security training classes tend to be weak. The SANS Institute runs good introductory courses.

In 1997, the CERT coordination center produced a "Report to the President's Commission on Critical Infrastructure Protection." Security awareness and user/administrator security training were key points.

· Learn about the vendor's approach to handling reported security vulnerabilities. Do they even acknowledge that vulnerabilities occur in their distribution? Do they have a clearly documented process for handling reports from outside? Do they watch Bugtraq for reports of security problems in their software? Do they provide e-mail addresses for reporting new security problems?

· Assess the vendor's response time when fixing security vulnerabilities. The SecurityFocus vulnerability database is useful for comparing the public announcement date and vendor fix dates.

· Consider the maturity and stability of built-in security tools and interfaces. Weak areas tend to be C2 audit log management and analysis, mixed coverage of daemon logging to syslog, and clunky security interfaces that can result in mistakes being made in security settings.

· Do a gap analysis, comparing the native security features against your UNIX security policy. Consider the availability, cost, and installation overhead of third-party/open source tools required to plug the gap.

· Estimate the time it will take to lock down a virgin install of the distribution to comply with your policy. Calculate the cost of the administrator's time and possible delays on projects. This is the cost of buying distributions that are not secure by default. Ask the vendor to provide you with smart ways to lower this cost.

· Visit the vendor support site. How long does it take to find the security alerts/bulletins and security patches? Read a couple of security bulletins. Do they make sense? Do they tell you enough about the problem to figure out whether you would need the patch? Compare a security bulletin with the original announcement made on Bugtraq. Does the vendor's assessment of the problem tally with the original report?

· Assess the ease of security patching. Are stable tools available to easily identify missing patches? Are these kept up to date? Can patch installation be reliably automated for server farms? Are MD5 hashes available to validate patch integrity? Bear in mind the SANS finding that failing to update systems when security holes are found is the third major security mistake.

· Check the release versions of any bundled third-party software (for example, sendmail, bind, or wu-ftpd). Make sure they are current or that the vendor has backported fixes for security problems.
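
The patch-integrity question in the patching item above, shown as an added example that is not part of the original article: a Python check that compares a directory of downloaded patches against a vendor hash manifest before anything is installed. It assumes an md5sum-style manifest (digest, whitespace, file name) obtained over a channel you trust; the file names, manifest contents and function names are constructed for illustration.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="md5"):
    """Hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse md5sum-style lines: '<hex digest>  <filename>'."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, name = line.split(None, 1)
            expected[name.lstrip("*")] = digest.lower()
    return expected

def verify_patches(patch_dir, manifest_text, algo="md5"):
    """Sort patches into ok / mismatch / missing / unlisted before any install."""
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in sorted(expected.items()):
        path = os.path.join(patch_dir, name)
        if os.path.basename(name) != name or not os.path.isfile(path):
            report["missing"].append(name)  # also rejects names with path parts
        elif file_digest(path, algo) == digest:
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    report["unlisted"] = sorted(set(os.listdir(patch_dir)) - set(expected))
    return report

def demo():
    """Constructed sample data: one intact, one altered, one absent, one extra."""
    with tempfile.TemporaryDirectory() as d:
        vendor = {"patch-101.tar": b"A", "patch-102.tar": b"B", "patch-103.tar": b"C"}
        manifest = "# constructed manifest\n" + "".join(
            f"{hashlib.md5(data).hexdigest()}  {name}\n" for name, data in vendor.items())
        on_disk = {"patch-101.tar": b"A", "patch-102.tar": b"B!", "patch-999.tar": b"Z"}
        for name, data in on_disk.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_patches(d, manifest)
```

An automated rollout would proceed only when the `mismatch`, `missing` and `unlisted` lists are all empty. The `algo` argument accepts any digest name `hashlib` supports, for vendors that publish something other than MD5.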
