Redstar OS Server

For a few years now, ISO files of both the desktop and server editions of North Korea's homegrown Linux distribution, Redstar OS, have been floating around the internet. There's been an awful lot of analysis of the desktop edition, made famous in part by its blatant aping of macOS and the kernel-level file watermarking it does (which you can read up on here and here). However, there doesn't seem to be that much information on the server edition.

So what better way than to set up a server with Redstar OS and see what's what? The system seems geared towards web servers and comes with packages for the full LAMP stack with httpd 2.2, PHP 5.3 and MySQL 5.5. If you're curious about the full package list on the disk, you can view it here (that is the only source of packages; no yum repos are added by default). You can view the whole site here. EDIT: The server has been taken down as I needed the IP!

At its core the OS seems to be based on RHEL 6 and is running kernel version 2.6.32-201305.RSS3.i686 (only an i686 version of the server seems to be floating around publicly, but apparently an x64 version does exist). There's no redhat-release or lsb-release, but /etc/system-release gives the OS name as 《붉은별》봉사기용체계 3.0(갱신판 1), which according to Google translates to "Red Star" Service System 3.0 (Update 1).

Installation was a relatively simple TUI and I was able to guess what needed to go where on the pages without too much hassle, though I did need to manually adjust the ifcfg-eth0 file since it seems I filled some details in incorrectly, but nothing too major. Within the OS itself, the kernel boot flags set the system language to ko_KP.UTF-8 and most config files for the web services are in Korean. Interestingly, despite the desktop OS having SELinux enforced, this isn't the case in the server edition: there's nothing in grub.conf, and getenforce returns Disabled. Unlike the desktop edition, which doesn't provide root access, the setup here prompts you for a root password and the account is fully enabled and usable.

The server edition also comes with iptables, so the first thing I did (as little as it may help) was block 175.45.176.0/22 and 210.52.109.0/24 for both INPUT and OUTPUT, which are the two ranges North Korea is known to use. I also deactivated access logging in httpd.conf and just disabled rsyslog completely, in case there was something streaming data off somewhere in spite of the iptables block.

I then started tcpdump running on the VM's vnet device on my node, and after approximately ten minutes there was nothing I could see that looked suspect in terms of network traffic in or out. Just the odd HTTPS request, a few OVH health checks and of course attempts to get at SSH from miscellaneous locations (one from Japan, none from anywhere else in East Asia).

Next I was interested in the kernel module called rtscan that handles the watermarking mentioned in the post above. Unfortunately, lsmod seems to show this wasn't loaded and modprobe doesn't show it as being installed. However, I still wanted to test this, so I took a set of files of different formats (.doc, .docx, .jpg, .mp4 and .txt) and MD5'd them before uploading them to the server, and got the following outputs:

MD5 (kimjongun.doc) = 9c1bb78d8eb1daebd94ef93f6f981669
MD5 (kimjongun.docx) = d59a2e0aaf3a488183325918d4e130d1
MD5 (rat-with-teddy.jpg) = 9569b73ca7e41099aca434fb6f54e99d
MD5 (text.txt) = cae9c9e0816032b265c58db8e96afc70
MD5 (waterfall.mp4) = 33cdd0d874dcf9cc653f98164b3efb72

After uploading them to the server (and moving them around, touching them, etc. as both root and a new user) and rsyncing them back, md5 gave this output:

MD5 (kimjongun.doc) = 9c1bb78d8eb1daebd94ef93f6f981669
MD5 (kimjongun.docx) = d59a2e0aaf3a488183325918d4e130d1
MD5 (rat-with-teddy.jpg) = 9569b73ca7e41099aca434fb6f54e99d
MD5 (text.txt) = cae9c9e0816032b265c58db8e96afc70
MD5 (waterfall.mp4) = 33cdd0d874dcf9cc653f98164b3efb72

As you can see, no difference. But just to be doubly safe, I popped open both the original file and the returned one in a hex editor side by side to look at offset 80 for the watermark that would have been added (original on the left, downloaded from the server on the right):

[Image: hex.png, side-by-side hex view of the original file and the copy downloaded from the server at offset 80]

As you can see, no watermark or change to the file at all.
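The hash-before, hash-after, then hex-compare routine above is worth scripting, since a digest only tells you that something changed, not where. The following is an added example (not code from the post) that hashes each original against the copy rsynced back and, on a mismatch, lists the exact byte ranges that differ and whether any of them covers the watermark offset. It uses MD5 to match the post's check (pass algo="sha256" for a stronger digest) and interprets "offset 80" as hex 0x80, which is an assumption; the sample files are constructed in a temp directory so it runs offline.

```python
import hashlib
import os
import tempfile

# Assumed: the post's "offset 80" read as a hex-editor offset, i.e. 0x80.
WATERMARK_OFFSET = 0x80


def file_digest(path, algo="md5"):
    """Hash a file in chunks. MD5 matches the post; algo="sha256" is the stronger choice."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def differing_ranges(a, b):
    """Return half-open [start, end) byte ranges where a and b differ; a length
    mismatch counts as a difference over the trailing bytes."""
    ranges, start = [], None
    n = max(len(a), len(b))
    for i in range(n):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges


def compare_roundtrip(original, returned, algo="md5"):
    """Compare a local original against the copy that came back from the server.
    Returns the digests, the changed byte ranges, and whether the watermark offset was hit."""
    before, after = file_digest(original, algo), file_digest(returned, algo)
    if before == after:
        return {"status": "unchanged", "digest": before, "ranges": [],
                "hit_watermark_offset": False}
    with open(original, "rb") as f1, open(returned, "rb") as f2:
        ranges = differing_ranges(f1.read(), f2.read())
    hit = any(s <= WATERMARK_OFFSET < e for s, e in ranges)
    return {"status": "modified", "before": before, "after": after,
            "ranges": ranges, "hit_watermark_offset": hit}


def demo():
    """Constructed sample: an untouched copy, a copy with four bytes overwritten
    at 0x80 (what a watermark at that offset would look like), and a copy with
    trailing data appended."""
    payload = bytes(range(256)) * 2  # 512 bytes of constructed content
    tmp = tempfile.mkdtemp()

    def write(name, data):
        path = os.path.join(tmp, name)
        with open(path, "wb") as f:
            f.write(data)
        return path

    original = write("text.txt", payload)
    results = {
        "clean": compare_roundtrip(original, write("text_clean.txt", payload)),
        "overwritten": compare_roundtrip(
            original, write("text_wm.txt", payload[:0x80] + b"WMRK" + payload[0x84:])),
        "appended": compare_roundtrip(
            original, write("text_app.txt", payload + b"\x00" * 8)),
    }
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["status"], result["ranges"], result["hit_watermark_offset"])
```

In practice you would run compare_roundtrip over each pair of files from the pre-upload and post-rsync directories; a hit on the watermark offset is the signal the post was looking for, while a change elsewhere (a length change, for instance) points at something other than the desktop edition's watermarking.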

So from poking at the server edition, unless they're being very, very sneaky, it doesn't seem to have the same sort of tracking code that the desktop edition comes with. Of course, due to the context and history of this release, I personally still find it quite interesting. However, from a technical perspective, it's basically your run-of-the-mill Red Hat-inspired distribution, albeit somewhat crippled in terms of available packages.

There is apparently a version 4 of Redstar in existence, but as yet there doesn't seem to be a copy of it on the internet. Perhaps that will end up being more interesting?