Posted on 03/09/2021 3:51:00 AM PST by ShadowAce
It is no secret that the OS you choose is a key determinant of your security online. After all, your OS is the most critical software running on your computer - it manages its memory and processes, as well as all of its software and hardware. The general consensus among experts is that Linux is a highly secure OS - arguably the most secure OS by design. This article will examine the key factors that contribute to the robust security of Linux, and evaluate the level of protection against vulnerabilities and attacks that Linux offers administrators and users.
When it comes to security, Linux users are at a decided advantage over their Windows- or Mac-using counterparts. Unlike proprietary OSes, Linux in many ways has security built into its core design. The increasingly popular open-source OS is highly flexible, configurable and diverse. It also implements a strict user privilege model and offers a selection of built-in kernel security defenses to safeguard against vulnerabilities and attacks. The transparency of Linux source code means that vulnerabilities in it - which are inevitable to some degree in any OS - are almost always short-lived. Let’s take a closer look at each of these factors and how it contributes to the heralded security of Linux.
Linux source code undergoes constant, thorough review by members of the vibrant, global open-source community and, as a result of this scrutiny, Linux security vulnerabilities are generally identified and eliminated very rapidly. In contrast, proprietary vendors like Microsoft and Apple employ a method known as “security by obscurity”, where source code is hidden from outsiders in an attempt to conceal vulnerabilities from threat actors. However, this approach is generally ineffective in preventing modern exploits and, in reality, undermines the security of the “hidden” source code by preventing outsiders from identifying and reporting flaws before they are discovered by malicious actors. Let’s face it - when it comes to discovering security bugs, a small team of proprietary developers is no match for the worldwide community of Linux user-developers who are deeply invested in their work both for their own benefit and for the benefit of the community.
Unlike Windows where “everyone is an admin”, Linux greatly restricts root access through a strict user privilege model. On Linux, the superuser owns all the privileges, and ordinary users are only granted enough permissions to accomplish common tasks. Because Linux users have low automatic access rights and require additional permissions to open attachments, access files, or adjust kernel options, it is harder to spread malware and rootkits on a Linux system. Thus, these inherent restrictions serve as a key defense against attacks and system compromise.
The Linux kernel boasts an array of built-in security defenses including firewalls that use packet filters in the kernel, the UEFI Secure Boot firmware verification mechanism, the Linux Kernel Lockdown configuration option and the SELinux or AppArmor Mandatory Access Control (MAC) security enhancement systems. By enabling these features and configuring them to provide the highest level of security in a practice known as Linux kernel self-protection, administrators can add an additional layer of security to their systems.
There is a high level of diversity possible within Linux environments as a result of the many Linux distributions (distros) available and the different system architectures and components they feature. This diversity not only helps satisfy users’ individual requirements, it also helps protect against attacks by making it difficult for malicious actors to efficiently craft exploits that can be used against a wide range of Linux systems. In contrast, the homogeneous Windows “monoculture” makes Windows a relatively easy and efficient attack target.
In addition to the design diversity seen in Linux, certain secure Linux distros are differentiated in ways that specifically address advanced security and privacy concerns shared among pentesters, reverse engineers and security researchers.
There are vastly more configuration and control options available to Linux administrators than to Windows users, many of which can be used to enhance security. For instance, Linux sysadmins have the ability to use SELinux or AppArmor to lock down their system with security policies offering granular access controls, providing a critical additional layer of security throughout a system. Admins can also use the Linux Kernel Lockdown configuration option to strengthen the divide between userland processes and kernel code, and can harden the sysctl.conf file - the main kernel parameter configuration point for a Linux system - to give their system a more secure foundation.
Linux powers the majority of the world’s high-value devices and supercomputers and the OS’s user base is steadily growing - and cyber criminals have taken note of these trends. Malware authors and operators are increasingly targeting Linux systems in their malicious campaigns. The past few years have been plagued with emerging Linux malware strains - Cloud Snooper, EvilGnome, HiddenWasp, QNAPCrypt, GonnaCry, FBOT and Tycoon being among the most notorious. That being said, Linux is still a relatively small target, with 83% of malware targeting Windows systems in 2020. Furthermore, the recent increase in Linux malware attacks is not a reflection on the security of Linux. The majority of attacks on Linux systems can be attributed to misconfigurations and poor administration, highlighting a widespread failure among Linux sysadmins to prioritize security.
Luckily, as Linux malware continues to become increasingly prevalent and problematic, Linux features built-in protection against malware attacks through its strict user privilege model and design diversity, and there is a selection of excellent reverse engineering and malware scanning tools, toolkits and utilities including REMnux, Chkrootkit, Rkhunter, Lynis, and Linux Malware Detect (LMD) available to help admins detect and analyze malware on their systems.
The security of the OS you deploy is a key determinant of your security online, but is by no means a sure safeguard against malware, rootkits and other attacks. Effective security is dependent upon defense in depth, and other factors including the implementation of security best practices and smart online behavior play a central role in your digital security posture. That being said, choosing a secure OS is of utmost importance, as the OS is the most critical piece of software running on your computer, and Linux is an excellent choice as it has the potential to be highly secure - arguably more so than its proprietary counterparts - due to its open-source code, strict user privilege model, diversity and relatively small user base.
However, Linux is not a “silver bullet” when it comes to digital security - the OS must be properly and securely configured and sysadmins must practice secure, responsible administration in order to prevent attacks. Also, it is crucial to keep in mind that security is all about tradeoffs - both between security and usability and between security and user-friendliness. LinuxSecurity Founder Dave Wreski explains, “The most secure system is one that is turned off, covered in cement, and located at the bottom of the ocean - but this system is obviously not very usable. Admins should configure their systems to be as secure as is practical within their environment. In regards to convenience, Linux has a bit of a learning curve, but offers significant security advantages over Windows or MacOS. It’s a tradeoff that’s well worth it if you ask me.”
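The sysctl.conf hardening and Kernel Lockdown option mentioned in the article, shown as an added example that is not part of the article or of any poster's reply. The baseline keys and minimum values are assumptions chosen for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style file against a small baseline and
# read the active Kernel Lockdown mode. The baseline is an assumption chosen
# for this example, not a list taken from the article.

# key=minimum pairs; a setting passes when its integer value is >= the minimum
BASELINE="kernel.kptr_restrict=1
kernel.dmesg_restrict=1
kernel.yama.ptrace_scope=1
kernel.randomize_va_space=2
fs.protected_symlinks=1
fs.protected_hardlinks=1
net.ipv4.tcp_syncookies=1"

# Print the effective value of key $2 in file $1 (the last assignment wins).
sysctl_conf_value() {
  awk -F= -v key="$2" '
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    { k = $1; v = $2; gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v) }
    k == key { val = v }
    END { if (val != "") print val }' "$1"
}

# Print one finding per baseline key that is missing or below the minimum.
audit_sysctl_conf() {
  audit_conf="$1"
  printf '%s\n' "$BASELINE" | while IFS='=' read -r audit_key audit_want; do
    audit_have="$(sysctl_conf_value "$audit_conf" "$audit_key")"
    if [ -z "$audit_have" ]; then
      echo "MISSING $audit_key (want >= $audit_want)"
    elif [ "$audit_have" -lt "$audit_want" ]; then
      echo "WEAK $audit_key=$audit_have (want >= $audit_want)"
    fi
  done
}

# The lockdown file lists all modes and brackets the active one,
# e.g. "none [integrity] confidentiality"; print only the active mode.
lockdown_mode() {
  sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}
```

On a live system the inputs would be `/etc/sysctl.conf` (plus any drop-in files) and `/sys/kernel/security/lockdown`; a file audit like this only shows what is configured, so the running values still need checking with `sysctl`.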
I would disagree also.
Most of the planet's core infrastructure is Linux based.
I wonder if they are running Windows 10 on the new Quantum Computers?
Yes that last line was in need of a /s
Blessings.
I'll agree to your point on the eggheads who roll their own distributions and leave Apache (a) installed; (b) running; (c) unsecured.
Sticking with a mainline distribution of Linux such as Red Hat, Ubuntu, Mint to name three doesn't incur such rookie mistakes.
I use Ubuntu and am running 20.10. I've run penetration testing against it as an out of the box configuration and it's secure. Of course there are always additional ways to make it even more secure and that's a balance between usability and security.
“So many folks on FR claim how superior their home user experience is over Windows, but are you really sure you’ve configured your Linux distro for security?”
Yes, just install it and use it, four years later this same install has had no breaches with no need for three different antiviruses or any updates.
Ok. Name the Linux commercial-grade equivalents for:
Microsoft Office including Visio and Project etc.
Adobe Creative Cloud including Substance Designer/Painter etc. (Photoshop, Audition, Premiere Pro etc)
Autodesk Entertainment Content Creation
(Maya, 3DSMax, VRay) etc.
ProTools, Logic, Reason, Nuendo or other DAW etc.
Unity3D, Unreal, Lumberyard etc.
Media Composer, Camtasia or other video timeline editor
Visual Studio Pro or equivalent (VS Code is only good for toy/hobbyist projects)
Oh and games. Nothing sells a platform like games.
I’ll wait.
They're out there. Go look.
Found the hubris!
I’d take the Pepsi challenge that your Linux distro has more holes than swiss cheese, but you’re sitting behind your ISP’s NAT.
Your install has had no breaches THAT YOU KNOW ABOUT. The thing with advanced persistent threats: they’re hard to find and know how to move around your environment undetected.
Thank you Ace. I am becoming more and more convinced that anyone who advocates for the superiority of MS either works for MS, owns stock in MS, or has not taken the time to actually try the current up to date Linux distros.
It cannot root itself and the system is isolated in its own partition volume.
The only vulnerability is me and my own decisions. And I am very very selective.
Don’t bother. It will be a never ending argument with this Linux hater. btdt.
The biggest mistake most people make on any OS is having only one user account with that user account being an admin account.
You should create a second account that does not have admin capabilities and use that as your everyday account. Log out and back in as admin when you need to administer (install a program etc).
Some hacks only allow the hackers to do whatever the logged in user can do. If you’re logged in as an admin, they can do anything.
That and get a firewall. For Ubuntu, Firewalld is one.
“The biggest mistake most people make on any OS is having only one user account with that user account being an admin account.”
Absolutely. Of which Linux does for you by default. And the system being in its own isolated partition volume is huge alone.
I do all of my browsing and anything that potentially could cause hacking, in a VM. So even if I get a virus, I just delete the Virtual instance, and start fresh.
Unless they are specifically targeting a buffer overflow or something similar in the email client, this is pretty much not true at all. My email client will not let you execute a file just by clicking on it. It will save an attachment to a file if it wants, but when the file is saved, its executable bit is not set. You have to specifically make the file executable, then run it. No OS on the planet will protect you from a user doing something like that.
However, unless I'm a complete and utter moron, my user is NOT root, so even if I execute something, it is doing so with my own privileges, not as an admin or 'super user'.
Right there with you on that. I have an android tablet that is, 99% of the time, nothing more than a book reader and music player. Networking is disabled except in those very few instances when I actually need to get something from online with it.
Yep, absolutely. If I think I am taking any risks, I just boot a clone of my OS from an external USB system drive/stick for the same reason and just restore back to the original system image once in a while. Nothing ever gets to my machine internal drive OS.
Lot of times I just boot and run my “Tails” stick if I am just surfing. I highly recommend a Tails stick with an optional Browser also installed for everyone to have available for just surfing. Why the optional browser? A lot of sites have now started rejecting the TOR browser exit nodes.
It is the 3rd party “Imunify 360” security they are now using on servers and cloud services.
Internet Security is made up of multiple levels.
For most home users, the use of residential routers is probably the biggest security hole.
My current home system has 6 levels of security and I’ve never seen anyone get past the first one.
Internet of Things is the 2nd biggest security problem.
You really don’t know what holes exist so you really want all your IOT devices on a unique VLAN.
Smart TVs are the worst of all the IOT devices.
“However, unless I’m a complete and utter moron, my user is NOT root, so even if I execute something, it is doing so with my own privileges, not as an admin or ‘super user’.”
Yep... Plain and simple. And the system remains isolated. The concept makes too much sense. System-Swap-Home, all separate partition volumes.
I have a request Ace. Would it be possible to get a post about how the Partition Volume scheme works in Linux compared to MS? This would go a long way towards explaining the why... :)
I goofed there... What I meant to convey is...
“Of which Linux fixes for you by default.”
It always logs everyone even the owner as a limited privilege user by default.
One thing I haven’t been able to locate, and I don’t know if it even exists, is a good Internet Security Program for it. I got Linux Mint, and I know Linux is more secure than Windows by default, but is there a good Internet Security program that can be installed to make it even more so?
What do you mean by “Internet Security Program?” Can you give an example?