Robert C. Norris, Jr., Ph.D., CISA
I remember when mainframe computer manufacturers provided the source code to the operating system when you bought the computer. This went on for many years, but, not too many years ago, vendors stopped shipping the source code and only provided compiled object code. I believe it reduced the number of calls for operating system (OS) software support by systems programmers who had modified the operating system.
We have almost come full circle. IBM has announced that Linux, a Unix-like operating system, will run on the S/390 mainframe computer. Users can download it for free from IBM with a fast Internet connection. However, since it has to operate as a guest OS under an IBM mainframe operating system like VM, it is not exactly free software. Nevertheless, you get the Linux open source code and IBM provides operational support. With well-known vendors like IBM supporting Linux, more organizations are likely to consider using it in the near future.
Open source code has been around for decades, but has only gained stature and wide distribution outside the hacker culture in recent years. The web drives the distribution, adoption and development of the code. But an important point to note is that open source code does not necessarily mean free code (MacCormack and Herman, 1999).
Roberts (2000) has detailed a number of risks concerning open source code:
- No single company controls development of open source code.
- There is no way to predict when features will become available.
- Various licenses govern open source usage. No two licenses are the same.
- There are many legal uncertainties. No one has attempted to enforce open source copyrights and licenses in the courts. Who would want to be the test case?
This paper will review the history and development of Linux, compare and contrast several versions of it, report on my experience with loading Linux on two PCs, review networking uses of Linux, and discuss tools for controlling and securing Linux.
Brief History of Linux
In 1991 Linus Torvalds began to develop a Unix-like operating system, driven by his frustrations with the DOS operating system. His first version was based on a scaled-down version of Unix known as Minix and had 10,000 lines of code. Torvalds posted his operating system -- it was actually the kernel1 -- in an Internet software newsgroup and soon received e-mails from users containing "patches" for bugs they had found and suggestions for new features (MacCormack and Herman, 1999). By 1998, Linux comprised more than 1.5 million lines of code.
Linux today has millions of users, thousands of developers and a growing market. It is used in embedded systems and to control robotic devices, and it has flown in the space shuttle (Torvalds, 1999). Let's review how it is developed today.
The Linux Development Cycle
The Linux kernel is maintained by a core group of developers with Torvalds as the final authority on all changes. Beneath this group, the kernel is divided into a number of kernel modules, with each module having an owner or maintainer. Patches, bug fixes and features that other developers contribute are reviewed by the owner/maintainer to determine which ones should be incorporated into the latest version of the kernel (MacCormack and Herman, 1999).
Torvalds (1999) feels this kernel approach makes it possible for him to keep abreast of the operating system's development. Hardware-specific code can often be confined to a single module, keeping the core kernel highly portable. As of April 2000, the latest stable version of the Linux kernel is 2.2.14 and the next version of the kernel will be version 2.4. The latest beta version of the Linux kernel is numbered 2.3.99 and is available for download at www.kernel.org so that users/developers can access the latest "bleeding edge kernel," test it and report bugs.
The Many Versions of Linux
Linux Online! (www.linux.org) lists at least 28 major English-language distributions of Linux. They also report that there are another 15 versions which are considered mini and specialty versions of the operating system. Torvalds was reported in Computerworld (2/2/2000) as saying that this fragmentation of Linux into so many products will allow it to serve different markets.
What all these versions have in common are the Linux kernel, the kernel modules and components of the GNU project.2 Beyond this boundary, the features are dependent on the version of Linux you buy or download.
The following table reviews several versions of Linux, key features and cost, based on information from the manufacturers' web sites.3 These versions are usually combined with extra features that are not found in the downloadable versions of Linux.
Free Linux distributions may be downloaded from the Internet or purchased on CD-ROM for a small charge; however, they may require additional technical expertise on the part of the user to set up and install the system. Readers are directed to www.cnet.com/linux for a list of download sites.
| Product | Caldera Open Linux 2.4 | Red Hat Linux 6.2 Standard | Corel Word Perfect Linux* | Debian GNU/Linux 2.1r5 | Linux Mandrake Powerpack | Slackware Linux 7.0 | SuSE Linux 6.4 |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Platforms | PC/Intel | PC/Intel, Alpha, SPARC | PC/Intel Pentium | PC and Mac | PC/Intel | PC/Intel | PC/Intel and Alpha |
| Latest Kernel | 2.2.14 | 2.2.14 | 2.2.14 | 2.0.38 | 2.2.14 | 2.2.13 | 2.2.14 |
| Desktop | KDE | Gnome and KDE | KDE | Gnome | Gnome and KDE | Gnome and KDE | Gnome and KDE |
| WP, SS, & Presentation Software? | Star Office** | No | Yes, Word Perfect | No | No | No | Yes, Applix |
| Browser | Netscape | Netscape | Netscape | No | Netscape | No | No |
| Installation Support | Phone for 30 days | E-mail for 30 days | E-mail for 30 days | Mailing List, IRC | E-mail for 100 days | E-mail | Phone for 60 days |
| Cost | $29.99 | $29.99 | $109 | $15 | $49.95 | $39.95 | $49.95 |

* Corel offers a word processing (wp), spreadsheet (ss), and presentation package with their Linux product.
** Star Office is an office suite offered by Sun Microsystems at no charge.
Those who used Unix in college may fondly recall their first experiences with the text-based user interface. Many then moved on to Unix with X windows, a graphical user interface (GUI) developed at the Massachusetts Institute of Technology in Cambridge, Massachusetts. These versions of Linux have X windows interfaces, as well as several Windows-like desktop environments: Gnome, a product of the GNU project, and the K Desktop Environment (KDE), which began in 1996 as a Unix GUI. Some of the distributions claim to come with thousands of applications; however, you would want to carry out a detailed review to determine whether these applications would be useful to you.
Linux on a PC
If you are planning to purchase a PC, you can consider putting together one with Linux-supported peripherals. Ask the vendor for detailed information about such peripherals as the video card, CD-ROM drive, disk drive controller, and networking card. Selecting a PC with Linux-supported hardware minimizes the potential for problems when installing Linux. You can also buy certain PC brands with Linux pre-installed (Barkakati, 1999).
To install Linux on an existing PC, verify that the latest Linux distribution supports all of the hardware on your PC. In other words, you need to take an inventory of your PC's hardware components and determine whether Linux currently supports them. This can usually be determined through a visit to the web site of the Linux version you are considering for purchase.
It is possible to have Linux and Windows co-exist on a PC by partitioning the hard disk. Due to the many file formats Linux can read, most versions can read Windows files with Linux applications (Barkakati, 1999). For example, WordPerfect for Linux can read your Microsoft Word files and allow you to work with them. However, most Windows applications cannot read Linux files. In addition, a few versions of Linux claim to work within a Windows partition, although one vendor notes that Linux performance is degraded by this approach (Red Hat, 2000) since the optimum Linux file system is not installed.
The PC inventory and Linux compatibility issues are vital to a successful installation of the OS.
My Experiments in Loading Linux
Although many vendors claim it is easy to load Linux on a PC, my experiences proved frustrating.
I decided to load Linux on two PCs that have Windows 98 on the hard disk -- a new desktop PC and a two-year-old notebook PC. The first version of Linux I bought promised a fast and easy installation on PCs by using the graphical installation program. I partitioned the hard drive on the notebook so that it had a Windows 98 partition and an 800 megabyte Linux partition. I then verified that the notebook was still able to use Windows 98.4
Installing Linux was far more difficult. Using the graphical installation program, Linux could not load on the notebook.
I also tried to install it on the desktop PC without success.
The installation guide advised me to try the older, text-based Linux installation program. The guide said it was a "very manual" process but guaranteed it would produce a successful Linux installation. However, I first had to create boot disks from the CD.
Linux did install on the notebook using this method, but a conflict with the computer's graphics card would not allow the graphical user interface (GUI) to run. Instead, the computer started up with the text-based Linux interface. It took about two days to reach this point. Next, I reviewed another Linux vendor's hardware compatibility web site and discovered that with their system, my desktop PC was considered an easy install. I inventoried both PCs by reading through the Windows 98 system listing and found that they had supported hardware for this Linux version.
While loading this new Linux on the desktop PC, I received an error message saying that the installation program could not find the file system to load Linux. Then the installation program terminated. The vendor provided e-mail installation assistance and I sent a message through the vendor's web page. The e-mail acknowledgment of my request for help advised me that it could take up to 3 days for the vendor to provide an answer.5
I then attempted to install this new version of Linux on the notebook. The installation program disagreed that the computer's graphics card had 2 megabytes of memory. It insisted that the notebook only had 0.25 megabytes of graphics memory which is insufficient to provide a color display (Barkakati, 1999). This disagreement meant that after loading Linux I also did not have the X Windows GUI. Again, I had the text-based interface on the notebook, but for a different version of Linux.
Reinstalling Linux on the notebook, I reluctantly agreed with the program about the amount of graphics card memory. The installation program loaded X Windows and the notebook ran the Gnome GUI I had selected. The graphics were not the sharp, crisp graphics of my active matrix display under Windows 98 but a difficult-to-read default set of Super VGA graphics that Linux had available in the open software graphics driver set.
One of the supposed virtues of using Linux is its availability. However, to obtain a better version of the notebook's graphics card driver for Linux, I would have to download code from a source I do not know, compile the code and install it on my notebook. There are no guarantees it will work. With Windows 98 I would probably download a new driver from my graphics card manufacturer, a trusted source.
To sum up my experiences, Linux may not be an easy operating system for novices or intermediate computer users to install on their system. It requires the computer user to be familiar with hardware details. When I again reviewed the vendor's hardware compatibility table, I discovered that their version of Linux was an "easy install" only for a specific Intel IDE disk controller and a specific disk drive. It is easy to overlook these details.
Based upon my experience, I don't expect to see Linux turning up on PC hard disks in the office in great numbers any time soon. Training and support requirements would seem to negate the savings from "free" software. So where is Linux so popular?
Linux as a Network Server OS
Linux can be an OS for either a PC workstation or a server on a network. Given a choice, would you pay US $4,000 for a single copy of Microsoft Windows 2000 server license for 25 users or US $100 for an enterprise version of Linux? That single copy of Linux can also be installed many times. Applications such as SAS, Oracle and SAP are being ported to Linux. Major hardware vendors are shipping an increasing number of Linux servers.
Computerworld (4/10/2000) reported that 72,422 Linux servers were shipped by Compaq, IBM, H-P, Dell, Fujitsu-Siemens, and others in the fourth quarter of 1999, an increase of 166 percent over the same period in 1998. Their report said, "Linux will continue to grow as more big-name vendors enter the market and as customers pick these products for reliability, availability, performance, and cost."
Computerworld (2/11/2000) reported that Linux was the second most popular PC network server OS in 1999 in terms of market share:
| Vendor | Market Share |
| --- | --- |
| Microsoft | 38% |
| Linux | 25% |
| Novell Netware | 19% |
| Other versions of Unix | 15% |
| Others | 3% |
Given the recent antitrust decision against Microsoft, why rein in Linux?
Linux is also making waves at US federal research laboratories. Organizations that would naturally be concerned with security have adopted the OS to build low-cost supercomputers since Linux can work in clusters of PCs.
Linux for Supercomputing
Los Alamos National Laboratory and Caltech's Jet Propulsion Laboratory both used Linux and Intel Pentium processors to construct off-the-shelf supercomputers for about $30,000 in August 1997 (Warren, et al., 1997). In early 2000, the Fermi National Laboratory reported developing its own version of Linux (a modification of Red Hat Linux). Linux will be one of the operating systems considered to build a new "PC Farm" of 250-500 nodes for analyzing their next collider run.
The Oak Ridge National Laboratory developed a 126-node network of surplus PCs using Linux (Hoffman and Hargrove, 1999). They reported very few problems with their network, and that Linux was extremely stable. The nodes rarely crashed or dropped out due to software problems. This fast, cheap, and robust computer network has been successfully used for multivariate geographic clustering, finite-element groundwater simulations and continental vegetation modeling.
Controlling and Securing Your Linux Environment
It is vitally important to secure your operating system and applications environment on any computer. Large information technology shops segregate source code on a development computer that is separate from the production computer. Users of PCs and PC networks may never consider operating in this manner if they have used Windows since it does not contain source code. However, the need for such a separation arises in a Linux environment because the source code is installed with the operating system. With appropriate password control on the PC or network, there are Linux tools that will allow you to maintain control over the Linux operating system source code, the kernel, kernel modules and applications. This is important since source code changes, after being recompiled and installed on the PC, can produce unwanted, unexpected, or unintended changes in the Linux OS.
The Linux software distribution comes with two utilities called Revision Control System (RCS) and Concurrent Versions System (CVS) that can provide version control of the Linux source code (Barkakati, 1999). When you modify a source code file, you can use RCS to archive source file revisions and lock the original file so that you can modify your working version without others doing so at the same time. Also, RCS can incorporate changes from two files into a third file, merge different revisions of a file and view the history of changes to a file.
CVS is designed to track the changes made to source code files by a group of developers working on the same set of files (Barkakati, 1999). A development team of programmers can check out an entire collection of files, work on them, and CVS will try to merge the changes made by them. If it is unsuccessful in doing so, CVS notifies the programmers and they have to manually resolve the issues.
Another tool that may be useful in addressing Linux OS source code security concerns is Tripwire (Anonymous, 2000). This Linux open source tool (www.tripwire.com) can be downloaded for free and is used to determine how Linux file systems have changed. A baseline database of files and directories is created by the Tripwire system. The baseline includes up to 28 attributes and up to four cryptographic checksums of the file contents. This baseline is usually stored on a write-once CD-ROM to assure it is not accidentally or purposefully tampered with.
The Tripwire system conducts subsequent file checks and compares the state of the system with the baseline database. Any inconsistencies are reported to the host system's log file. Upgrades to the product can be purchased and provide reports that can be e-mailed to a network administrator.
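The baseline-and-compare cycle described above can be sketched in a few lines of Python. This is an added example, not Tripwire's code and not part of the original article; the attribute set, the two hash algorithms, the JSON database, the "seal" digest and the sample file names are all assumptions made for illustration.

```python
import hashlib
import json
import os
import stat
import tempfile

HASHES = ("sha256", "sha512")  # assumption: two digests recorded per file


def snapshot(root):
    """Record attributes and digests for every regular file under root."""
    db = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and device nodes are out of scope here
            digests = {h: hashlib.new(h) for h in HASHES}
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    for d in digests.values():
                        d.update(chunk)
            entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                     "gid": st.st_gid, "size": st.st_size}
            entry.update({h: d.hexdigest() for h, d in digests.items()})
            db[os.path.relpath(path, root).replace(os.sep, "/")] = entry
    return db


def seal_baseline(db):
    """Serialize the baseline and return (blob, SHA-256 digest of the blob)."""
    blob = json.dumps(db, sort_keys=True).encode()
    return blob, hashlib.sha256(blob).hexdigest()


def load_baseline(blob, seal):
    """Refuse a baseline whose digest no longer matches the recorded seal."""
    if hashlib.sha256(blob).hexdigest() != seal:
        raise ValueError("baseline database does not match its seal")
    return json.loads(blob)


def compare(baseline, current):
    """Return (path, status, changed_fields) for every inconsistency."""
    report = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            report.append((path, "added", []))
        elif new is None:
            report.append((path, "removed", []))
        else:
            fields = sorted(k for k in old if old[k] != new.get(k))
            if fields:
                report.append((path, "changed", fields))
    return report


def demo():
    """Baseline a constructed source tree, alter it, and report the drift."""
    files = {"kernel/sched.c": b"int quantum = 10;\n",
             "kernel/fork.c": b"/* fork */\n",
             "bin/login": b"#!/bin/sh\n",
             "etc/motd": b"welcome\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, 0o644)
        blob, seal = seal_baseline(snapshot(root))
        # Constructed changes: same-size edit, permission change, delete, add.
        with open(os.path.join(root, "kernel/sched.c"), "wb") as fh:
            fh.write(b"int quantum = 99;\n")
        os.chmod(os.path.join(root, "bin/login"), 0o755)
        os.remove(os.path.join(root, "etc/motd"))
        with open(os.path.join(root, "kernel/extra.c"), "wb") as fh:
            fh.write(b"/* new */\n")
        return compare(load_baseline(blob, seal), snapshot(root))
```

The edit to kernel/sched.c leaves the file size unchanged, so only the checksums reveal it. The seal returned by seal_baseline is the value to keep off the monitored system, for the same reason the baseline itself is stored on write-once media.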
A combination of version control and Tripwire will provide an enhanced degree of configuration management over your Linux OS and alert you to possibly unauthorized changes to the programs on your PC or network.
Linux is making serious inroads into the PC networking market and will affect the operating system choices available to computer users in the future. Users and companies must assess the risks and benefits of using an open source code OS such as Linux in all appropriate environments before installing it. Roberts (2000) notes, "As many benefits as there are, a little bit of paranoia...is probably a healthy thing." Software tools are available to secure your Linux PC source code, but it will take time to discover, to properly configure and to learn to operate them correctly.
Based on my own experience installing two Linux versions, it is important to recognize that failure to determine the compatibility of your PCs for the Linux device drivers will give you less than satisfactory results. Additionally, users having little or no experience with Unix should expect to encounter some difficulties installing the current versions of Linux.
References Cited
1. Anonymous, Maximum Linux Security, SAMS Publishing, 2000.
2. Barkakati, N., Secrets of Red Hat Linux, 3rd Edition, IDG Books Worldwide, Inc., 1999.
3. Hoffman, F. M. and Hargrove, W. W., Cluster Computing: Linux Taken to the Extreme.
4. MacCormack, A. and Herman, K. Red Hat and the Linux Revolution, Case Study: President and Fellows of Harvard College, 1999.
5. Red Hat, Inc., The Official Red Hat Linux 6.2 Installation Guide, 2000.
6. Roberts, B., The Foibles of "Free" Code, Electronic Business, February 2000.
7. The Fermi Linux Home Page, www-oss.fnal.gov/fss/documentation/linux/home.html
8. Torvalds, L. The Linux Edge, Communications of the ACM, April 1999.
9. Warren, M.S., Salmon, J.K., Becker, D.J., Goda, M.P., Sterling, T., and Winckelmans, G.S. Pentium Pro Inside: I. A Treecode at 430 Gigaflops on ASCI Red, II. Price/Performance of $50/Mflop on Loki and Hyglac, www.supercomp.org/sc97/proceedings/BELL/WARREN/INDEX.HTM, 1997.
Endnotes
1 The Tech Encyclopedia defines an operating system kernel as the fundamental part of an operating system that resides in memory at all times and provides the basic services. It is the part of the operating system that is closest to the machine and may activate the hardware directly or interface to another software layer that drives the hardware.
2 The GNU project was started by Richard Stallman in 1984. It developed or licenses many components that are used by Unix-like operating system kernels. Linux is distributed under the GNU General Public License. The GNU C compiler and the Emacs text editor are two examples of these components.
3 Linux vendor web sites: www.calderasystems.com, www.redhat.com, www.corel.com, www.debian.com, www.linux-mandrake.com, www.slackware.com, and www.suse.com.
4 Linux loads on a Windows computer with a dual-boot capability. A program known as the Linux Loader (LILO) lets you access Windows or Linux at startup. If you were in Windows and wanted to go to Linux you would have to reboot your computer.
5 The vendor responded by e-mail after five days and confirmed my suspicion that Linux did not support the desktop PC's Ultra DMA/66 disk controller. They suggested a potential solution, without explaining how to implement it, that would reduce my disk drive transfer speed by 50 percent.
Robert Norris, Jr., Ph.D., CISA, received a Ph.D. degree in Management Information Systems from the Warrington College of Business of the University of Florida in 1997. He started working with Unix systems and applications in 1992 as part of his doctoral studies in artificial intelligence. He is a Senior Analyst at the US General Accounting Office in Washington, DC.
Dr. Norris wishes to thank Dr. William Lew who works for the Center for Computer and Information Technology Assessment, US General Accounting Office, Washington for his careful review of this article.
Appendix 1
Open Source Software Licenses
Over the past year, Linux and other open source operating systems and projects such as Apache have occupied technology reporters and made their way into the business world. Some studies have indicated that business Linux use increased 212 percent in 1998, while others indicate that it is roughly doubling every year. In March 2000, the Netcraft1 web survey indicated that 60 percent of web sites are using the Apache web server, while the more traditional closed-source web servers continue to lose market share. Open source software and operating systems have emerged into the business world, and are becoming a force that information technology control professionals must understand.
If your company should decide to incorporate open-source code, programs or products into its technology environment, an understanding of the various public licenses which open-source software may be distributed under is important. Even open source operating systems may have programs distributed under several different licenses -- for example, about half of the utilities that Linux is distributed with are drawn from the BSD distributions, which have a different license.
GNU -- The Concept of Copyleft2
The GNU public license (GPL) incorporates a concept that the creators call copyleft, which is intended to help keep the software free. Under other public licenses, open source software can be modified and adapted into proprietary systems, thus being brought under the restrictive licenses of those systems. The central idea of copyleft is that the original author gives everyone permission to run the program, copy the program, modify the program and distribute modified or unmodified copies of the program. But restrictions cannot be added -- changes must be free. Anything added or combined with a copylefted program must be such that the larger combined version is also free and copylefted.3
If programmers are designing proprietary systems, they cannot incorporate GPL-ed programs into that proprietary program without violating the GPL. Changes made to GPL-ed programs cannot be made private.
The GNU Library General Public License (LGPL), which was designed for software libraries, is slightly less restrictive, and allows the libraries to be linked into proprietary systems. The C-language library provided with Linux systems is LGPL-ed, which means that it can be used to build proprietary systems.
X Consortium (MIT) and BSD Licenses4
These related licenses differ from the GNU license in that they allow people to do nearly anything with the software licensed under them. Because the software originally covered by the X and BSD licenses was funded by grants from the US Government, the idea was that US residents had already paid for the software through their taxes and were granted permission to make use of and make modifications to the software. Developers can take X or BSD licensed software modifications private, thus incorporating and adapting open source code into proprietary systems.
The Netscape Public License (NPL) and the Mozilla Public License (MPL)5
Netscape developed these licenses when they released Mozilla, the open-source version of the Netscape Navigator. The NPL contains special privileges that apply to Netscape, such as giving Netscape the privilege of re-licensing modifications that outside developers have made, improving upon them and taking the source code private.
The MPL license was created to mollify concerns about the privileges allowed Netscape by the NPL. Although it is much like the NPL, it does not allow Netscape to re-license modifications.
Both of these licenses allow developers to take modifications private.
Although these are not all of the public licenses that open source software can be licensed under, they are the most widely used. If your organization uses or modifies open-source software, be aware of which specific license the software is licensed under.
1 www.netcraft.com/survey/
2 A copy of the GNU General Public License can be found at: www.opensource.org/licenses/gpl-license.html
3 Stallman, Richard "The GNU Operating System and the Free Software Movement." Open Sources: Voices from the Open Source Revolution. O'Reilly. 1999.
4 X Consortium (MIT) License: www.opensource.org/licenses/mit-license.html
BSD License: www.opensource.org/licenses/bsd-license.html
5 MPL License: www.mozilla.org/MPL/MPL-1.0.html
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2000 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.