Free Republic
Browse · Search
General/Chat
Topics · Post Article


How Secure Is Linux?
Linux Security ^ | 8 March 2021 | Brittany Day

Posted on 03/09/2021 3:51:00 AM PST by ShadowAce

It is no secret that the OS you choose is a key determinant of your security online. After all, your OS is the most critical software running on your computer: it manages memory and processes and mediates every program's access to hardware. The general consensus among experts is that Linux is a highly secure OS, arguably the most secure mainstream OS by design. This article examines the key factors that contribute to the robust security of Linux and evaluates the level of protection against vulnerabilities and attacks that Linux offers administrators and users.

Secure by Design

When it comes to security, Linux users are at a decided advantage over their Windows- or Mac-using counterparts. Unlike proprietary OSes, Linux in many ways has security built into its core design. The increasingly popular open-source OS is highly flexible, configurable and diverse. It also implements a strict user privilege model and offers a selection of built-in kernel security defenses to safeguard against vulnerabilities and attacks. The transparency of Linux source code means that vulnerabilities in it, which are inevitable to some degree in any OS, are usually fixed quickly once they are found. Let’s take a closer look at each of these factors and how it contributes to the heralded security of Linux.

The Open-Source Security Advantage

Linux source code undergoes constant review by a large, global open-source community, and the vulnerabilities that this scrutiny turns up are generally fixed and shipped very rapidly. Proprietary vendors such as Microsoft keep most of their source code closed (Apple is a partial exception: the XNU kernel underlying macOS and iOS is published). Critics call closed source “security by obscurity”, and it is worth being precise about what it does and does not buy. It does not hide bugs from attackers, who routinely find them by reverse engineering binaries and by diffing patches; what it does is prevent outsiders from auditing the code and reporting flaws before malicious actors find them. Open source removes that limitation, so when it comes to discovering security bugs a vendor’s internal team is joined by anyone in the worldwide community of Linux user-developers who cares to look, and many of them are deeply invested in doing so for their own benefit and for the benefit of the community. The caveat is that open code is only as well reviewed as someone actually bothers to review it: Heartbleed sat in OpenSSL for roughly two years, and Shellshock in bash for decades, before anyone noticed.

A Superior User Privilege Model

Unlike Windows, where the primary account on a typical home install is an administrator, Linux greatly restricts root access through a strict user privilege model. On Linux, root owns all privileges, ordinary users are granted only enough to accomplish their own tasks, and privileged operations are reached explicitly through sudo (or su). Installing software system-wide, writing outside the user’s home directory, loading kernel modules and changing kernel parameters all require root, and a downloaded file is not directly executable until someone sets the execute bit on it (although an interpreter can still be invoked on it explicitly), so it is harder for malware and rootkits to gain a foothold on or spread across a Linux system. These inherent restrictions serve as a key defense against full system compromise. The limit of the model is worth stating plainly: code that runs as an ordinary user still has that user’s full read and write access, so it can steal, encrypt or destroy everything in the user’s home directory without ever touching root, and a world-writable file, a stray setuid binary or an over-permissive sudo rule hands the privilege right back.
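The privilege model only holds if the usual escape hatches are kept closed, so here is a small audit of the three that most often get opened by misconfiguration: setuid/setgid executables, world-writable files and passwordless sudo rules. This is an added example, not code from the article; every path in it is an assumption and the sample sudoers text is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the article: audit the three configuration
# mistakes that most often undo the privilege model described above. All
# paths are assumptions; point the functions at real directories/files.

# 1. setuid/setgid executables run with the file owner's privileges, not the
#    caller's, so each one is a potential privilege-escalation path and the
#    list should be short and known.
find_setuid() {          # usage: find_setuid DIR
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# 2. world-writable files can be modified by any local user or compromised
#    service; if root later executes or sources one, root is gone.
find_world_writable() {  # usage: find_world_writable DIR
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# 3. NOPASSWD sudo rules turn "ordinary user" into "root" for whoever can
#    run the listed command. Reads sudoers-format text on stdin, ignores
#    NOPASSWD that only appears inside a comment, strips leading whitespace.
#    Exit status is grep's: 0 if at least one rule was found, 1 otherwise.
find_nopasswd_rules() {  # usage: find_nopasswd_rules < /etc/sudoers
    grep -E '^[^#]*NOPASSWD' | sed 's/^[[:space:]]*//'
}

audit() {                # usage: audit DIR SUDOERS_FILE
    printf '== setuid/setgid under %s ==\n' "$1"
    find_setuid "$1"
    printf '== world-writable under %s ==\n' "$1"
    find_world_writable "$1"
    printf '== NOPASSWD rules in %s ==\n' "$2"
    find_nopasswd_rules < "$2"
}

# Demo on a constructed tree (not a real system) so it runs anywhere as an
# unprivileged user; setting u+s on a file you own needs no root.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hi\n' > "$d/helper"
    chmod 4755 "$d/helper"            # setuid
    printf 'x\n' > "$d/notes.txt"
    chmod 0666 "$d/notes.txt"         # world-writable
    printf 'y\n' > "$d/fine.txt"
    chmod 0644 "$d/fine.txt"          # normal file, should not be listed
    cat > "$d/sudoers" <<'EOF'
# constructed sample, not a real sudoers file
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
EOF
    audit "$d" "$d/sudoers"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh audit.sh demo` to see the constructed case, or call `audit / /etc/sudoers` as root on a real host; on a real system the setuid list should contain only the binaries you expect (su, sudo, passwd, mount and a handful of others), and anything else deserves an explanation.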

Built-In Kernel Security Defenses

The Linux kernel ships with an array of built-in security defenses: netfilter/nftables packet filtering in the kernel (the basis of iptables, nftables and firewalld), signature verification for kernel modules and kexec images that, together with UEFI Secure Boot, ensures only signed code is loaded, the Kernel Lockdown mode, and the SELinux and AppArmor Mandatory Access Control (MAC) systems. Secure Boot itself is a firmware feature rather than a kernel one: the firmware verifies the bootloader, the bootloader verifies the kernel, and Lockdown is what stops root from undoing that chain once the system is running. Separately, the Kernel Self-Protection Project (KSPP) hardens the kernel against its own bugs with build-time options such as stack protectors, KASLR and restrictions on exposing kernel addresses. By enabling these features and configuring them to provide the highest practical level of security, administrators add a layer of protection that does not depend on every application being bug-free.

Security through Diversity 

There is a high level of diversity possible within Linux environments as a result of the many Linux distributions (distros) available and the different system architectures, kernels, init systems, libraries and package versions they ship. This diversity not only helps satisfy users’ individual requirements, it also raises the cost of attack, because an exploit that relies on a particular binary layout or library version is hard to craft so that it works against a wide range of Linux systems. In contrast, the homogeneous Windows “monoculture” makes Windows a relatively easy and efficient attack target. The protection is real but bounded: a targeted attacker simply tailors the exploit to the distro in front of them, and components shared by nearly every distro, such as glibc, OpenSSL, sudo and the kernel itself, mean that one bug in any of them can still reach most of the installed base.

In addition to the design diversity seen in Linux, certain secure Linux distros are differentiated in ways that specifically address advanced security and privacy concerns shared among pentesters, reverse engineers and security researchers.

Highly Flexible & Configurable 

There are vastly more configuration and control options available to Linux administrators than to Windows users, many of which can be used to enhance security. For instance, Linux sysadmins can use SELinux or AppArmor to confine services with security policies offering granular access controls, providing a critical additional layer of security throughout a system. Admins can also enable the Kernel Lockdown mode to strengthen the divide between userland processes and kernel code: in integrity mode even root cannot modify the running kernel (no unsigned modules, no /dev/mem or /dev/kmem access, no unsigned kexec), and confidentiality mode additionally blocks reading kernel memory. They can harden the kernel’s runtime tunables as well, which are exposed under /proc/sys and set persistently through /etc/sysctl.conf and /etc/sysctl.d/*.conf, to give their system a more secure foundation.
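The two sections above name the defenses but not how to tell whether they are actually on. The script below, an added example that is not part of the original article, reports the Lockdown mode and the SELinux/AppArmor state from /sys and compares the live sysctl values against a small hardening baseline. The `ROOT` prefix is an assumption introduced here (empty means the real system) so the same checks can be run against a copied or mocked /proc and /sys tree, and the baseline values are common hardening recommendations, not anything the article itself lists.

```shell
#!/bin/sh
# Added example, not code from the article: report the state of the kernel
# defenses discussed above (Lockdown, SELinux/AppArmor) and compare the
# live sysctl values against a hardening baseline. ROOT is an assumed
# prefix (empty = the real system) so the checks can be run against a
# copied or mocked /proc and /sys tree; the baseline values are common
# hardening recommendations, not anything the article itself lists.

ROOT="${ROOT:-}"

# /sys/kernel/security/lockdown reads like "[none] integrity confidentiality";
# the bracketed word is the active mode. Needs securityfs mounted.
lockdown_mode() {
    f="$ROOT/sys/kernel/security/lockdown"
    if [ -r "$f" ]; then
        sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
    else
        echo unavailable
    fi
}

# SELinux exposes enforce (1/0) under /sys/fs/selinux; AppArmor exposes
# enabled (Y/N) under /sys/module/apparmor/parameters.
mac_status() {
    if [ -r "$ROOT/sys/fs/selinux/enforce" ]; then
        case $(cat "$ROOT/sys/fs/selinux/enforce") in
            1) echo "selinux enforcing" ;;
            *) echo "selinux permissive" ;;
        esac
    elif [ -r "$ROOT/sys/module/apparmor/parameters/enabled" ]; then
        case $(cat "$ROOT/sys/module/apparmor/parameters/enabled") in
            Y) echo "apparmor enabled" ;;
            *) echo "apparmor disabled" ;;
        esac
    else
        echo "no MAC found"
    fi
}

# A sysctl name maps to a file under /proc/sys with dots turned into slashes.
sysctl_get() {           # usage: sysctl_get kernel.kptr_restrict
    p="$ROOT/proc/sys/$(echo "$1" | tr . /)"
    if [ -r "$p" ]; then cat "$p"; fi
}

# Baseline in sysctl.conf syntax. Each line is a starting point, not a law:
# ip_forward=0 is wrong on a router, ptrace_scope=1 breaks some debuggers.
SYSCTL_BASELINE='
kernel.kptr_restrict=1
kernel.dmesg_restrict=1
kernel.yama.ptrace_scope=1
kernel.unprivileged_bpf_disabled=1
fs.protected_symlinks=1
fs.protected_hardlinks=1
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
'

# Prints one line per missing or deviating key; returns 1 if there were any.
check_sysctls() {
    rc=0
    for kv in $SYSCTL_BASELINE; do
        key=${kv%%=*}; want=${kv#*=}
        have=$(sysctl_get "$key")
        if [ -z "$have" ]; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"; rc=1
        elif [ "$have" != "$want" ]; then
            printf 'DEVIATION %s=%s (want %s)\n' "$key" "$have" "$want"; rc=1
        fi
    done
    return $rc
}

# Write the baseline as a drop-in file, then apply it with: sysctl --system
emit_sysctl_conf() {     # usage: emit_sysctl_conf > /etc/sysctl.d/99-hardening.conf
    printf '%s\n' $SYSCTL_BASELINE
}

if [ "${1:-}" = report ]; then
    echo "lockdown: $(lockdown_mode)"
    echo "mac: $(mac_status)"
    check_sysctls && echo "sysctl baseline: ok"
fi
```

`sh kcheck.sh report` on a live host prints the three findings; a `MISSING` line for `kernel.yama.ptrace_scope` means the kernel was built without Yama, and `lockdown: unavailable` means either securityfs is not mounted or the kernel has no lockdown support at all, which is itself worth knowing.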

Linux: An Increasingly Popular Target among Cyber Criminals

Linux powers the majority of the world’s high-value infrastructure, from public cloud and web servers to every system on the TOP500 supercomputer list, and its user base is steadily growing. Cyber criminals have taken note of these trends. Malware authors and operators are increasingly targeting Linux systems in their campaigns, and the past few years have been marked by emerging Linux malware strains, with Cloud Snooper, EvilGnome, HiddenWasp, QNAPCrypt, GonnaCry, FBOT and Tycoon among the most notorious. That being said, Linux is still a relatively small target, with 83% of malware targeting Windows systems in 2020. Furthermore, the recent increase in Linux malware attacks is not a reflection on the security of Linux itself: the majority of successful attacks on Linux systems can be attributed to misconfigurations and poor administration (unpatched services, weak or reused credentials, management ports exposed to the internet, over-permissive sudo rules), highlighting a widespread failure among Linux sysadmins to prioritize security.

As Linux malware becomes more prevalent, the strict user privilege model and design diversity described above limit what a given sample can do, and a selection of excellent tools helps admins detect and analyze what gets through: REMnux (a distro built for reverse engineering and malware analysis), chkrootkit and rkhunter (rootkit scanners that check system binaries and look for known rootkit signatures), Lynis (a host security auditing tool) and Linux Malware Detect (LMD, a signature-based malware scanner). None of these replaces patching and correct configuration; they are detection aids, and a rootkit that has already reached the kernel can hide from scanners running on the same compromised host, which is why scans from clean boot media are preferred for incident response.
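The detection idea shared by rkhunter’s file-properties check and by integrity checkers such as AIDE is simple enough to show in full: hash the trusted binaries while the host is known-good, store the hashes where an attacker cannot rewrite them, and re-verify later. The script below is an added example, not code from the article or from any of the tools named above; the paths in the usage comments are assumptions, and it assumes file names contain no whitespace.

```shell
#!/bin/sh
# Added example, not code from the article or from any tool named above: the
# basic technique behind rkhunter's file-properties check and tools like AIDE
# is a hash baseline of trusted binaries taken while the host is known-good
# and re-verified later. Paths are assumptions; file names without
# whitespace are assumed.

# Hash every regular file under DIR into BASELINE (one "hash  ./path" per line).
baseline_create() {      # usage: baseline_create /usr/bin /var/lib/baseline.sha256
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# Re-hash DIR and diff it against BASELINE. Prints CHANGED / MISSING / NEW
# lines and returns 1 if anything differs. The baseline must live where the
# attacker cannot rewrite it (read-only media, another host) or the check
# proves nothing; and a kernel-level rootkit can lie to sha256sum, so the
# trustworthy run is from clean boot media against the mounted disk.
baseline_verify() {      # usage: baseline_verify DIR BASELINE
    rc=0
    now=$(mktemp)
    baseline_create "$1" "$now"
    # every file recorded in the baseline: still there, and unchanged?
    while read -r hash path; do
        cur=$(awk -v p="$path" '$2 == p { print $1 }' "$now")
        if [ -z "$cur" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$cur" != "$hash" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$2"
    # files present now that the baseline never saw (dropped tools, implants)
    new=$(awk 'FILENAME == ARGV[1] { seen[$2] = 1; next } !($2 in seen) { print "NEW " $2 }' "$2" "$now")
    if [ -n "$new" ]; then
        echo "$new"; rc=1
    fi
    rm -f "$now"
    return $rc
}

if [ "${1:-}" = create ]; then baseline_create "$2" "$3"; fi
if [ "${1:-}" = verify ]; then baseline_verify "$2" "$3"; fi
```

Typical use is `sh integrity.sh create /usr/bin baseline.sha256` right after install or patching (and again after every legitimate package update, or every upgrade will show as tampering), then `sh integrity.sh verify /usr/bin baseline.sha256` from cron or from rescue media; a non-zero exit with `CHANGED ./ps` or `CHANGED ./ls` is the classic user-space rootkit signature.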

The Bottom Line

The security of the OS you deploy is a key determinant of your security online, but it is by no means a sure safeguard against malware, rootkits and other attacks. Effective security depends on defense in depth, and other factors, including the implementation of security best practices and sensible online behavior, play a central role in your digital security posture. That being said, choosing a secure OS is of real importance, as the OS is the most critical piece of software running on your computer, and Linux is an excellent choice: it has the potential to be highly secure, arguably more so than its proprietary counterparts, thanks to its open-source code, strict user privilege model, diversity and relatively small desktop user base.

However, Linux is not a “silver bullet” when it comes to digital security: the OS must be properly and securely configured, and sysadmins must practice secure, responsible administration, in order to prevent attacks. It is also crucial to keep in mind that security is all about tradeoffs, both between security and usability and between security and convenience. LinuxSecurity Founder Dave Wreski explains, “The most secure system is one that is turned off, covered in cement, and located at the bottom of the ocean - but this system is obviously not very usable. Admins should configure their systems to be as secure as is practical within their environment. In regards to convenience, Linux has a bit of a learning curve, but offers significant security advantages over Windows or MacOS. It’s a tradeoff that’s well worth it if you ask me.”


TOPICS: Computers/Internet
KEYWORDS: linux; security
To: ShadowAce

Computer security is a lot more than user permissions and packet traffic. If a sufficiently committed attacker wants to get into or damage your system, though, he’s gonna get in or damage it. If you are a defender, all you can do is make it cost more money and time to do so than the attacker thinks is worthwhile, or create a method of reducing the effects of damage.

I agree that *nix architecture has apples-to-apples advantages over Microsoft. I think open architecture is a design philosophy that results in more secure systems, and that the cost to attack the system is naturally higher for Linux than it would be for Microsoft.

Of course, once governments around the world start putting quantum computing to work in a way that can crack AES and SHA (and while I do expect that it will happen in my lifetime, I don’t expect there will be a formal announcement, people will just notice things happening that could only be explained by this advance), a lot of what we thought we knew about computer security is going to be thrown out the window.


41 posted on 03/09/2021 9:01:30 AM PST by jz638
[ Post Reply | Private Reply | To 13 | View Replies]

To: usconservative

In order of Least Secure to Most Secure:

1. Android
2. Windows
3. Apple (iOS)
4. Linux (Desktop/Server)
5. Apple OS

Seems to be the present situation.


42 posted on 03/09/2021 9:06:34 AM PST by linMcHlp
[ Post Reply | Private Reply | To 18 | View Replies]

To: Starcitizen

—”Useful for things other than the most simple of desktop tasks, no.”

I have installed mostly Ubuntu for many, many friends, family, neighbors...

And it works well for them, because of the many cloud-based applications.

Not 100%, my wife worked for a gov agency that required the latest version of MS Edge to log in to work.

Dual boot is very simple to implement and use...

Outside of work, most spend their time in a browser.


43 posted on 03/09/2021 9:32:37 AM PST by DUMBGRUNT ("The enemy has overrun us. We are blowing up everything. Vive la France!"Dien Bien Phu last message.)
[ Post Reply | Private Reply | To 9 | View Replies]

To: Openurmind
Yep... Plain and simple. And the system remains isolated. The concept makes too much sense. System-Swap-Home, all separate partition volumes.

Backups are important as well. Let's say someone did sneak something by me. Because it was executing as my user, it could totally trash all my files. This would not be trivial, as I have a crapload of data, mostly music, and personal files/pics and docs.

However, if something like that happened, I'd boot from media, reinstall everything, and restore from last night's backup. I might lose a day's worth of browsing history, but that gets wiped regularly anyway, so who cares?

One thing I'd really love to implement as a part of my backup routine would be to automount the backup drive as the backup starts, then unmount as it ends.

44 posted on 03/09/2021 10:52:06 AM PST by zeugma (Stop deluding yourself that America is still a free country.)
[ Post Reply | Private Reply | To 36 | View Replies]

To: Paladin2

No writer for Linux or any other tech nerd stuff looks as good as the Brittany Day in your post!
So it must be someone else : )


45 posted on 03/09/2021 2:07:10 PM PST by minnesota_bound (I need more money. )
[ Post Reply | Private Reply | To 4 | View Replies]

To: ShadowAce

Norton, Comodo, AVG


46 posted on 03/09/2021 2:09:03 PM PST by ducttape45 ("Righteousness exalteth a nation; but sin is a reproach to any people." Proverbs 14:34)
[ Post Reply | Private Reply | To 40 | View Replies]

To: ducttape45

If you need an antivirus, clam AV would be the way to go. It comes in the standard software repository, and you just have to install it.


47 posted on 03/10/2021 3:46:43 AM PST by ShadowAce (Linux - The Ultimate Windows Service Pack )
[ Post Reply | Private Reply | To 46 | View Replies]

To: zeugma

I do similar... I have “Timeshift” auto take a restore point image every couple days, and manually before I make any changes or installs. It will also throw up a list of what you actually want to restore back as previous. :)


48 posted on 03/10/2021 5:51:56 PM PST by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 44 | View Replies]

To: Openurmind

I was working on something the other day and couldn’t make it work. I wanted the external drive to mount, then run the backup, then unmount. I couldn’t get it to work. The backintime program seems to want to run outside the thread, so the script would mount, fire up backintime, then immediately unmount. It was annoying. I suppose I might be able to have the script check once a minute or so if backintime was running and only unmount if not. I apparently need to think about it a bit more.


49 posted on 03/10/2021 7:16:37 PM PST by zeugma (Stop deluding yourself that America is still a free country.)
[ Post Reply | Private Reply | To 48 | View Replies]

To: zeugma

I’m not familiar with backintime, but my backup solution uses rsync, which does run inside the thread. My script mounts the drive, rsyncs to it, and then umounts it. Works perfectly every time.


50 posted on 03/11/2021 4:14:30 AM PST by ShadowAce (Linux - The Ultimate Windows Service Pack )
[ Post Reply | Private Reply | To 49 | View Replies]

To: zeugma
The backintime program seems to want to run outside the thread...

OK, you'll have to include some logic in your script.

Launch backintime, find the PID (ps -aux | grep), perform a while loop to wait until the PID is done, then perform the unmount.

That should accomplish it.

51 posted on 03/11/2021 4:31:03 AM PST by ShadowAce (Linux - The Ultimate Windows Service Pack )
[ Post Reply | Private Reply | To 49 | View Replies]

To: zeugma

Something I have always found a bit confusing is how Linux apps want to mount and unmount partitions, volumes, and drives like that.

Something I realized when installing a Mint one time is that sometimes after an action like that is chosen it needs to unmount the volume to make those wanted changes to it. What gave me a hint was during the install it required the internal drive to be unmounted before it could do its auto-partition changes to it from the external ISO test drive/install USB stick.

I am still trying to figure out exactly when and why it wants to unmount different things like that depending on what you are trying to do. It seems random depending on the action wanted. But it always seems to work when I just trust it.

I am going to guess “backintime” is the same as the “timeshift” I use that comes boxed by default with this Mint. If so I found there are some configuration settings in the app that can be customized to make it do what you want it to do aside from the default configs.

I don’t know if that helps any but something that might be worth trying is disabling the backintime and download/install timeshift and see if it works better for your needs? It might have better configuration options?

I do know the “restore” snapshot apps like that work different than the actual “backup” apps work. So maybe an actual backup tool app with good config options might work better for what you are trying to do there?


52 posted on 03/11/2021 6:35:19 AM PST by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 49 | View Replies]

To: ShadowAce

That’s pretty much what I was thinking. There is an issue though that I’m going to have to work around. It appears that the first time backintime is invoked after boot, a ‘service’ binary stays loaded “/usr/share/backintime/qt/serviceHelper.py”. That means just grepping for ‘backintime’ will always be true.

I’m looking through the backintime docs now to see if I can figure out how to invoke the mount/unmount as a part of the config.


53 posted on 03/11/2021 6:40:18 AM PST by zeugma (Stop deluding yourself that America is still a free country.)
[ Post Reply | Private Reply | To 51 | View Replies]
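One way to script the mount / backup / wait / unmount cycle from posts 51 and 53 without grepping ps for a name, as an added example that is not code from any of the posters above and not backintime’s own tooling. It assumes the backup drive has an /etc/fstab entry for `$BACKUP_MNT` so a bare `mount` works, that the script runs from root’s cron as described in the thread, and that `$BACKUP_CMD` is whatever starts the backup; `run_and_wait` and `umount_when_idle` are names introduced here.

```shell
#!/bin/sh
# Added example, not code from any poster above and not backintime's own
# tooling: one way to do the mount / backup / wait / unmount cycle from
# posts 51 and 53 without grepping ps for a process name. Assumptions: the
# drive has an /etc/fstab entry for $BACKUP_MNT so a bare "mount" works,
# the script runs from root's cron, and $BACKUP_CMD is whatever starts the
# backup (backintime, rsync, ...). Keeping the drive unmounted between runs
# is what limits the damage if something running as your user goes rogue.

BACKUP_MNT="${BACKUP_MNT:-/backup}"
BACKUP_CMD="${BACKUP_CMD:-backintime backup}"

# Start CMD as a child of this script and wait on its PID. Holding $! means
# there is nothing to grep for, so a lingering helper such as
# serviceHelper.py cannot make the "is it still running?" test lie.
# Returns the command's exit status.
run_and_wait() {         # usage: run_and_wait 'command string'
    sh -c "$1" &
    pid=$!
    wait "$pid"
}

# If the backup tool detaches from its parent, "wait" returns at once, so
# the real signal that it has finished is that nothing holds the mount any
# more: umount fails with "target is busy" until then. Retry a bounded
# number of times rather than looping forever; a helper that never lets go
# of the drive shows up as the "giving up" message, not as a hung cron job.
umount_when_idle() {     # usage: umount_when_idle MNT [TRIES] [SECONDS]
    tries=${2:-60}
    interval=${3:-10}
    while ! umount "$1" 2>/dev/null; do
        tries=$((tries - 1))
        if [ "$tries" -le 0 ]; then
            echo "giving up: $1 still busy" >&2
            return 1
        fi
        sleep "$interval"
    done
}

backup_cycle() {
    mount "$BACKUP_MNT" || { echo "mount $BACKUP_MNT failed" >&2; return 1; }
    run_and_wait "$BACKUP_CMD"
    status=$?
    umount_when_idle "$BACKUP_MNT" || return 1
    return "$status"
}

if [ "${1:-}" = run ]; then
    backup_cycle
fi
```

Drop it in as `/usr/local/sbin/nightly-backup run` from root’s crontab; the exit status is the backup tool’s own unless the unmount gave up, so a failing cron mail means either the backup or the unmount needs a look. Note that `mount` with only a mount point argument works only when that mount point is listed in /etc/fstab.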

To: Openurmind
Well, one reason you might need to unmount a device is because you need to do something low-level to it, like repartitioning, or formatting with a filesystem. When you format a device, it has to be unmounted because otherwise you could get corruption if some process wanted to write to the device while you were formatting it. Obviously, you'd never want to just unplug a drive that was mounted, because it could be in the middle of a write operation, and you could leave the device in an inconsistent state, which is never a good thing. I much prefer the way Unix/Linux treats drives to the Windoze way. Because in Linux everything is a file, it allows you to do some stuff that you couldn't do in Windoze. I also think it makes much more sense to have everything cascade from / rather than drive letters, though for new users it can take some getting used to.

Regarding timeshift, I'd look at changing, but I have been literally using backintime for years. I have backups on my main backup device that go back to 2016, and older than that with my offsite archives. (I keep quarterly backups in my safe deposit box).

Not having used timeshift, I can't really say much about ease of use, but I really like the way backintime lets me deal with those offsite backups. What I do for that, is the evening that I want to take a backup for that, I unmount /backup, then plug in the offsite drive and mount it on /backup. Then I go to bed. The cronjob that runs nightly takes care of the actual backup for me. In the morning, I unmount /backup, and remount the default drive. The offsite drive goes to the bank, and I bring back the previous offsite. That is sweet IMO.

Reading through the backintime docs, it looks like there should be a way to do a mount/umount thing, but it's probably going to require a hand-edit of the config, as the gui doesn't seem to mention those options. (sigh).

54 posted on 03/11/2021 7:12:51 AM PST by zeugma (Stop deluding yourself that America is still a free country.)
[ Post Reply | Private Reply | To 52 | View Replies]

To: ShadowAce

If only I could get a WiFi driver that works with Debian on my Dell Inspiron 6400!


55 posted on 03/11/2021 7:19:03 AM PST by Poser (Cogito ergo Spam - I think, therefore I ham)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Poser
What's your wifi chipset? Broadcom? Is it a Cingular card?

Can you post the output of lspci?

56 posted on 03/11/2021 7:23:52 AM PST by ShadowAce (Linux - The Ultimate Windows Service Pack )
[ Post Reply | Private Reply | To 55 | View Replies]

To: ShadowAce

Whatever is in a Dell Inspiron 6400


57 posted on 03/11/2021 8:53:02 AM PST by Poser (Cogito ergo Spam - I think, therefore I ham)
[ Post Reply | Private Reply | To 56 | View Replies]

To: zeugma

Thank you for sharing that. Hope Ace was able to help you.


58 posted on 03/12/2021 5:34:57 AM PST by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 54 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson