AstraLinux Special Edition

Special purpose operating system

Operating system of Linux class provides data protection that contains state secret information with security classification up to "top secret" inclusively.

Special software components are developed and included in the operating system structure in order to increase system functionality and improve its security level and operability.

www.astralinux.ru

Mandatory access control

Operating system has mandatory access control application. In such a case decision making about access prohibition or permission from subject-to-object is based on type of operation (read / write / execute), mandatory security context connected with each subject and mandatory check mark connected with object.

Modules isolation

Operating system kernel provides custom isolated address space for each system process.

RAM and external memory clearance, assured file deleting

Operating system performs clearance of unusable file system blocks directly while deleting them.

This subsystem reduces speed of operations flow on deleting and file size clipping, but at the same time it is possible to configure this subsystem so that file systems will operate with various productivity indicators.

Document marking

Print server (CUPS) inserts necessary account data in the printed documents using developed marking procedure. Mandatory attributes are automatically connected with printout assignment on the basis of mandatory context of received net connection.

Events logging

Original logging subsystem is developed. It is integrated in all operating system components and ensures reliable events recording with employment of special service.

Information protection procedures in graphics subsystem

Graphics subsystem includes Xorg X-server, Fly user desktop as well as a range of software tools designed for both users and system administrators. Some efforts have been taken on developing and embedding necessary information protection tools in the graphics subsystem which provide mandatory access control in the graphics applications.

Developed Fly user desktop is closely integrated with information protection procedures. The following capabilities are implemented therein:
graphic display of mandatory mark for each window;
capability to run applications with different mandatory marks.

User activity constrains in "KIOSK" mode.

Level of these restrictions is specified by kiosk mask, which impacts on the access rights to file during each user attempt to gain access.

There is a templates system for access rights assignment – files with specified access rights are used in order to start any programs. There are special design tools for template development for any user tasks.

Protection of addressing space of processes

Operating system uses special format for executable files. It enables to set access mode to segments in the addressing space of process.

Centralized software compilation system ensures installation of light mode which is necessary for software operation. There is also capability of NOT EXECUTE BIT technology employment supported by modern processors.

Control of software environment closure

There are some arrangements for verification of loading executable files on invariableness and identity in ELF cialis online format. Test is performed on the basis of authenticity vectors calculated accordingly to the GOST34.10-2001 standard and embedded into executable files during compilation process.

It is possible to provide third-party software developers with authenticity vectors implementation tools.

Continuity control

Hashing service is applied accordingly to the GOST 34.11-94 standard for integrity control. Basic utility for integrity control is open-source software "Another File Integrity Checker".

Domain configuration tools

Subsystem Astra Linux Directory (ALD) is developed on the basis of open-source standard LDAP for domain structure organization. This subsystem provides tools for domain configuration and joint user space organization which ensure:

network pass-through authentication;

centralized data storage of user environment;

centralized data storage on the server concerning information protection subsystem settings;

centralized control of DNS and DHCP servers;

integration into the domain of secured servers such servers as DBMS servers, print servers, email and web-servers, etc.;

centralized auditing of security events within the framework of domain.

Secured relational DBMS

Operating system structure includes object-relational DBMS PostgreSQL which instrumented discretionary and mandatory procedures of access control to the secured DB resources.

Basis of mandatory access control is partition of access to the secured DB resources in terms of hierarchic and non-hierarchic access marks. It enables to realize multi-level protection with user access separation to the secured DB resources and control of information flows.

Secured software package of hypertext data processing

Structure of secured software package of hypertext data processing includes Mozilla Firefox browser and Apache web-server both integrated with embedded information protection tools for user mandatory access control during configuring of remote access to information resources.

Secured software package of email

Structure of secured software package includes email server consisting from Exim email transmission agent and Dovecot email delivery agent as well as Mozilla Thunderbird email client ensuring the following functional capabilities:

  • Integration with operating system kernel and basic libraries for providing mandatory access control to email messages stored with Maildir format use;
  • automated marking of user messages with employment of current mandatory context.

Email transmission agent uses SMTP protocol and provides solution of the following tasks:

  • delivery of outgoing mail from authorized clients to server which is principal for receiver mail domain processing;
  • receiving and processing of domain mail messages for which it is directed
  • transmission of incoming mail messages for processing by email delivery agent.

Patents and Certificates

Патент на изобретение № 2525481

Патент на изобретение № 2525481

Свидетельства о государственной регистрации программ для ЭВМ № 2009616752

Свидетельства о государственной регистрации программ для ЭВМ № 2009616752

Свидетельства о государственной регистрации программ для ЭВМ № 2014618600

Свидетельства о государственной регистрации программ для ЭВМ № 2014618600

Свидетельства о государственной регистрации программ для ЭВМ № 2014618809

Свидетельства о государственной регистрации программ для ЭВМ № 2014618809

Свидетельства о государственной регистрации программ для ЭВМ № 2016614506

Свидетельства о государственной регистрации программ для ЭВМ № 2016614506

Свидетельства о государственной регистрации программ для ЭВМ № 2016660334

Свидетельства о государственной регистрации программ для ЭВМ № 2016660334

Свидетельство на товарный знак № 550559

Свидетельство на товарный знак № 550559