Posted on 03/09/2021 3:51:00 AM PST by ShadowAce
It is no secret that the OS you choose is a key determinant of your security online. After all, your OS is the most critical software running on your computer - it manages its memory and processes, as well as all of its software and hardware. The general consensus among experts is that Linux is a highly secure OS - arguably the most secure OS by design. This article will examine the key factors that contribute to the robust security of Linux, and evaluate the level of protection against vulnerabilities and attacks that Linux offers administrators and users.
When it comes to security, Linux users are at a decided advantage over their Windows- or Mac-using counterparts. Unlike proprietary OSes, Linux in many ways has security built into its core design. The increasingly popular open-source OS is highly flexible, configurable and diverse. It also implements a strict user privilege model and offers a selection of built-in kernel security defenses to safeguard against vulnerabilities and attacks. The transparency of Linux source code means that vulnerabilities in it - which are inevitable to some degree in any OS - are almost always short-lived. Let’s take a closer look at each of these factors and how it contributes to the heralded security of Linux.
Linux source code undergoes constant, thorough review by members of the vibrant, global open-source community and, as a result of this scrutiny, Linux security vulnerabilities are generally identified and eliminated very rapidly. In contrast, proprietary vendors like Microsoft and Apple employ a method known as “security by obscurity”, where source code is hidden from outsiders in an attempt to conceal vulnerabilities from threat actors. However, this approach is generally ineffective in preventing modern exploits and, in reality, undermines the security of the “hidden” source code by preventing outsiders from identifying and reporting flaws before they are discovered by malicious actors. Let’s face it - when it comes to discovering security bugs, a small team of proprietary developers is no match for the worldwide community of Linux user-developers who are deeply invested in their work both for their own benefit and for the benefit of the community.
Unlike Windows where “everyone is an admin”, Linux greatly restricts root access through a strict user privilege model. On Linux, the superuser owns all the privileges, and ordinary users are only granted enough permissions to accomplish common tasks. Because Linux users have low automatic access rights and require additional permissions to open attachments, access files, or adjust kernel options, it is harder to spread malware and rootkits on a Linux system. Thus, these inherent restrictions serve as a key defense against attacks and system compromise.
The Linux kernel boasts an array of built-in security defenses including firewalls that use packet filters in the kernel, the UEFI Secure Boot firmware verification mechanism, the Linux Kernel Lockdown configuration option and the SELinux or AppArmor Mandatory Access Control (MAC) security enhancement systems. By enabling these features and configuring them to provide the highest level of security in a practice known as Linux kernel self-protection, administrators can add an additional layer of security to their systems.
There is a high level of diversity possible within Linux environments as a result of the many Linux distributions (distros) available and the different system architectures and components they feature. This diversity not only helps satisfy users’ individual requirements, it also helps protect against attacks by making it difficult for malicious actors to efficiently craft exploits that can be used against a wide range of Linux systems. In contrast, the homogeneous Windows “monoculture” makes Windows a relatively easy and efficient attack target.
In addition to the design diversity seen in Linux, certain secure Linux distros are differentiated in ways that specifically address advanced security and privacy concerns shared among pentesters, reverse engineers and security researchers.
There are vastly more configuration and control options available to Linux administrators than to Windows users, many of which can be used to enhance security. For instance, Linux sysadmins have the ability to use SELinux or AppArmor to lock down their system with security policies offering granular access controls, providing a critical additional layer of security throughout a system. Admins can also use the Linux Kernel Lockdown configuration option to strengthen the divide between userland processes and kernel code, and can harden the sysctl.conf file - the main kernel parameter configuration point for a Linux system - to give their system a more secure foundation.
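The kernel self-protection features named above and the sysctl.conf hardening described here can be checked rather than taken on faith. The following POSIX shell script is an added example, not code from the article or from LinuxSecurity: it audits a sysctl.conf-style file against a small baseline of commonly recommended kernel parameters (the baseline keys and values are assumptions chosen for this example, not an authoritative policy), compares a constructed sample file against that baseline, and reads the running kernel's Lockdown mode from /sys/kernel/security/lockdown where that file exists.

```shell
#!/bin/sh
# Added example (not code from the original article or from LinuxSecurity):
# audit a sysctl.conf-style file against a small hardening baseline and
# report the kernel lockdown mode. The baseline values below are common
# hardening recommendations chosen for this example, not a complete policy.

# Baseline as "key value" pairs, one per line.
SYSCTL_BASELINE='kernel.kptr_restrict 2
kernel.dmesg_restrict 1
kernel.yama.ptrace_scope 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.ip_forward 0
fs.protected_symlinks 1
fs.protected_hardlinks 1'

# Write a constructed sample sysctl.conf (not from any real system) to $1.
write_sample_sysctl() {
    cat > "$1" <<'EOF'
# constructed sample: a few settings are weaker than the baseline
kernel.kptr_restrict = 1
kernel.dmesg_restrict=1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.ip_forward = 1   # left on as if this host were a router
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
EOF
}

# Print the value a sysctl.conf-style file ($2) sets for key $1, or nothing if
# the key is absent. Handles "key = value" and "key=value", strips comments,
# and lets the last definition win, as sysctl(8) applies them in file order.
sysctl_file_value() {
    sed -e 's/[;#].*$//' "$2" | awk -v k="$1" -F'=' '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == k { v = $2 }
        END { print v }'
}

# Print the running kernel's value for key $1 via /proc/sys (empty if absent).
sysctl_live_value() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
}

# Print one line per baseline key whose value in file $1 deviates from the
# baseline, formatted "key expected=X actual=Y" ("(unset)" when missing).
audit_sysctl_file() {
    while read -r key want; do
        have=$(sysctl_file_value "$key" "$1")
        [ -n "$have" ] || have="(unset)"
        if [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$have"
        fi
    done <<EOF
$SYSCTL_BASELINE
EOF
}

# Number of deviating keys in file $1.
count_sysctl_deviations() {
    audit_sysctl_file "$1" | wc -l | tr -d ' '
}

# Extract the active mode from the kernel's lockdown report, which lists the
# modes with the active one in brackets, e.g. "[none] integrity confidentiality".
parse_lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Usage: audit the constructed sample, then the live kernel where available.
sample=$(mktemp)
write_sample_sysctl "$sample"
audit_sysctl_file "$sample"
echo "deviations in sample: $(count_sysctl_deviations "$sample")"
rm -f "$sample"
if [ -r /sys/kernel/security/lockdown ]; then
    echo "kernel lockdown mode: $(parse_lockdown_mode "$(cat /sys/kernel/security/lockdown)")"
fi
if [ -n "$(sysctl_live_value kernel.kptr_restrict)" ]; then
    echo "live kernel.kptr_restrict: $(sysctl_live_value kernel.kptr_restrict)"
fi
```

On the constructed sample the audit reports three deviations: kernel.kptr_restrict is weaker than the baseline, kernel.yama.ptrace_scope is never set, and net.ipv4.ip_forward is left on. Pointing `audit_sysctl_file` at a real /etc/sysctl.conf and comparing against `sysctl_live_value` shows whether the file and the running kernel agree, which is the check most worth automating on a host that is supposed to be hardened.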
Linux powers the majority of the world’s high-value devices and supercomputers, and the OS’s user base is steadily growing - and cyber criminals have taken note of these trends. Malware authors and operators are increasingly targeting Linux systems in their malicious campaigns. The past few years have been plagued with emerging Linux malware strains - Cloud Snooper, EvilGnome, HiddenWasp, QNAPCrypt, GonnaCry, FBOT and Tycoon being among the most notorious. That being said, Linux is still a relatively small target, with 83% of malware targeting Windows systems in 2020. Furthermore, the recent increase in Linux malware attacks is not a reflection on the security of Linux. The majority of attacks on Linux systems can be attributed to misconfigurations and poor administration, highlighting a widespread failure among Linux sysadmins to prioritize security.
Luckily, as Linux malware continues to become increasingly prevalent and problematic, Linux features built-in protection against malware attacks through its strict user privilege model and design diversity. There is also a selection of excellent reverse engineering and malware scanning tools, toolkits and utilities - including REMnux, Chkrootkit, Rkhunter, Lynis, and Linux Malware Detect (LMD) - available to help admins detect and analyze malware on their systems.
The security of the OS you deploy is a key determinant of your security online, but is by no means a sure safeguard against malware, rootkits and other attacks. Effective security is dependent upon defense in depth, and other factors including the implementation of security best practices and smart online behavior play a central role in your digital security posture. That being said, choosing a secure OS is of utmost importance, as the OS is the most critical piece of software running on your computer, and Linux is an excellent choice as it has the potential to be highly secure - arguably more so than its proprietary counterparts - due to its open-source code, strict user privilege model, diversity and relatively small user base.
However, Linux is not a “silver bullet” when it comes to digital security - the OS must be properly and securely configured and sysadmins must practice secure, responsible administration in order to prevent attacks. Also, it is crucial to keep in mind that security is all about tradeoffs - both between security and usability and between security and user-friendliness. LinuxSecurity Founder Dave Wreski explains, “The most secure system is one that is turned off, covered in cement, and located at the bottom of the ocean - but this system is obviously not very usable. Admins should configure their systems to be as secure as is practical within their environment. In regards to convenience, Linux has a bit of a learning curve, but offers significant security advantages over Windows or MacOS. It’s a tradeoff that’s well worth it if you ask me.”
Tech Ping
Nothing is secure if a user decides to open a malicious email or email attachment. This goes for Linux.
Did you read the article?
Sorry.
This is also true for most operating systems, whether they be Linux, Apple, Microsoft or Android.
Agreed. You can set up a very secure system, but then with one momentary lapse in judgment and a single action it can be compromised.
Secure, yes, by a mile.
Useful for things other than the most simple of desktop tasks, no.
Not the fault of Linux, per se, but without decent apps, it’s not really useful for anyone actually doing work on a PC.
Commercial app developers need to get on board.
You never see a commercial-grade office suite, many AAA or indie Games, a content-creation suite (graphics, music or publishing) or a professional development suite on Linux. Just a bunch of hideously difficult to use broken open-source alternatives.
I fault the developers, but with 1.8% of the market, why bother?
I manage a multi-site datacenter with thousands of servers from my linux desktop.
So I think I'll have to disagree with you on this.
You obviously have not been looking very hard then.
I think the article did a pretty good job explaining a bit of the “what”, but I think it buried the lede toward the end by mentioning that the system is only as secure as the admins make it.
*nix has historically been more secure as a baseline OS family because of the amount of consciousness that an administrator has had to explicitly pay to security, and the general skill levels needed to work as a unix or linux sysadmin compared to a windows sysadmin. I’m not totally sure that remains the case today, not because linux has gotten weaker, but because windows has tightened up and gotten more complicated to administer. (Does anyone remember the NT license cards that you’d buy to add new users to a network? It was just a piece of cardstock wrapped in plastic that cost something like $99 and when you opened it up it said “you have a license, now go into this setting and click the number of users to add one”.)
I suspect things are trending in the opposite direction though as more and more data is hosted by third parties like AWS and Azure. The concept of “yours” isn’t the same anymore. Ownership and boundaries are blurred (in a way, on purpose. Makes it easier for big tech to keep someone paying for their own stuff if they think they don’t actually own it). Even if the big cloud providers have dedicated teams to monitor security and develop countermeasures to threats, it only takes one slip up to blow the whole thing apart for everyone.
Yes, we can all agree that the user/admin/person at the keyboard is integral to security of any system, and that any bad decision will compromise any system.
However, this article is about the baseline being set--what that user/admin has to work with, and the design decisions made for the OS.
IOW, given the same user/admin, Linux is more secure than most, and has the ability to *be* more secure than most.
That is not counting the billions of devices running Android, which is in fact Linux.
This was the discussion at a company I worked for in the 1990s. Our products were on OS/2. Our offices were a mix of unix, Windows 3.1, Windows 95 and Mac. To get a document from one person to the next in a usable format was difficult. The engineers loved OS/2. Greatest OS ever for the time but they couldn’t use it for actual work unless they were in emulation mode. The lack of usable business applications made it wither and die. Developers for Linux and other OSs will have to figure out how to overcome that. You are right about why bother with such a small base.
I work exclusively on a Linux desktop. No emulation involved for any task.
I can communicate with all of my co-workers, management, users, and customers without any issues whatsoever. This includes documents, spreadsheets, video meetings, e-mail, shared storage space, etc.
I am much more productive than those employees who insist on using a Windows desktop to do the same job I do.
I love Linux for a majority of workloads, but it is consistently the first OS hacked at every annual Black Hat conference. It may be ubiquitous, but most admins don’t understand how to configure it securely, esp. Apache.
If you’re using it in your home environment, make sure you know what you’re doing. So many folks on FR claim how superior their home user experience is over Windows, but are you really sure you’ve configured your Linux distro for security?
Two words: Patch Tuesday.
In order of Least Secure to Most Secure:
1. Android
2. Windows
3. Apple (iOS)
4. Linux (Desktop/Server)
5. Apple OS
In the case of Android and Windows, it certainly doesn't help when the core OS has numerous security holes that require constant patching. "Patch Tuesday" has been the drill for years with Microsoft's Operating Systems. Win95, Win98, Win2k, WinXP, Win7, Win8 may have had nice GUIs, however the underlying security of these OSes, frankly speaking: SUCKED. The amount of security infrastructure required to protect them, which included Anti-Virus/Anti-Malware, Firewalls, Network Segmentation, etc., remains a huge cost component of providing a desktop to users in companies/enterprises globally.
I'm not even going to "go there" with Android as I have one and refuse to do any sensitive transactions on it. I don't use it for online banking, checking balances, sending any sort of financial information or doing sensitive work with it, period. It's convenient for non-sensitive email, web browsing, SMS Messaging, a camera and music streaming. That's all I'll use mine for.
iOS isn't much better than Android, IMO. I stopped using my iPad two+ years ago now so I may be wrong and am willing to change my opinion.
That leaves us with Linux and Apple's OS. Both of which one has to be a complete dunderhead to mis-configure and leave open for hacking because of the amount of information that's widely available via video tutorials, online manuals, help forums, etc. that are in easily comprehensible language.
After having used Windows Server and Desktop OSes for my entire career and Linux for the past 20, I dumped Windows for Linux exclusively at home. I was at the point I wouldn't even do my online banking on a Windows VM that I'd only start up and shut down for that specific purpose because of all the security issues with it. I'm much more comfortable doing so with Linux.
Yes, nowadays you can. Back in the 90s it was not so easy, at least the way the company had things set up.
Linux is great in concept but the eggheads putting together the distributions make some huge rookie mistakes and this is one of them.
No one should have to go hunt down and close a bunch of doors that got left open during an install.