Is Linux secure or insecure?

Rick Butler said:

This is an interesting question - pretty common one in the line in teaching security. But I find that last question is something of a hasty generalization fallacy. Just because people can find new an interesting exploits to a system doesn't mean it's not a secure OS. Any lock can be picked or broken with sufficient will, time, and resources.

If they want a classic answer, assign your students to read Sun Tzu's Art of War as a reading assignment.

There are four security principles that come into play that I've taught in classes before:

1) Security through Obscurity is not Security at all
2) Open Disclosure is Good for Security
3) There is no such thing as absolute security; there are no silver bullets.
4) Security is a function of proper risk management.

I would start also with the opposite question - Microsoft Windows Server is a closed source operating system. But yet, it has been the target of many attacks. So being open or closed really isn't going to come into play - everyone is a target - MSFT, Linux, Apple...all of them are targets.

Next, I would raise the point that while exploits of code are why systems end up compromised, compromises are far more the case through the user. So it really doesn't matter what OS it is - if I can beat the user, the system security is irrelevant, in the long run.

Then, going back to my two points, yes, the bad guys are going to pour over OS code looking for holes. Doesn't matter if it's Linux or something else - never underestimate a properly motivated attacker. But when code is open, it also gets the good guys seeing it too. Now zero-day threats are a real thing and always will be, regardless of system. When a Zero Day comes out, regardless of OS, there are firms all over it, working up a patch.

Interestingly, in February, Google announced bigger bug bounties for exploits to Linux and Kubernetes. So in that, our attackers are now more apt to pen-test for the payoff, rather than to attack others. Threats are out there still. As a matter of fact, this week marked a year since I got to come toe-to-toe with the Kasaya ransomware hack from Russian group REvil.

In short, it's a cat and mouse game. Build a better mousetrap, get better mice. It's a revolving process. The cost, though, as we all know...

...is constant vigilance.

Close the discussion with a challenge - are you willing to stand in the gap and defend your network?

Because that's what it takes.

/r

Click to expand...

jasoneckert said:

While it is arguably true that most - if not all - open source software is more secure than closed-source software via community contribution, security itself is never guaranteed and largely depends on how software and systems are implemented.

Some Linux distributions are reasonably secure out-of-the-box because the distribution maintainers chose to provide a default set of configuration options and technologies (e.g., SELinux, strict PAM/Systemd rules, firewall enabled by default, etc.). However, the user can still choose to install that Linux distribution on a system without a trusted boot chain and without LUKS-encrypted volumes, as well as configure it in a way that accesses other systems insecurely.

Even then, nothing is remotely close to 100% secure, which is why those working in Cybersecurity have to have a sense of humour.

So, perhaps a better way to answer that question is to compare secure out-of-the-box Linux distributions (like Fedora) to macOS, BSD and Windows.

• On M1 hardware, macOS is arguably just as secure as that Fedora Linux distribution because of the strict enforcement of System Integrity Protection (SIP) alongside the total isolation of system folders from the userspace.
• On a system with a TPM, both Windows 10 and 11 are also arguably just as secure if you enable hardware-assisted security (anomaly detection), protected folders (anti-ransomware), and core isolation (process isolation) within the settings of Windows Defender, since only Defender antivirus is fully enabled by default.
• BSD UNIX flavours (e.g. FreeBSD) contain equivalent security technologies as Linux, but almost always need to be manually configured (there is no out-of-the-box secure BSD flavour to my knowledge). But this is less of a concern since BSD is only used by power users who will likely configure those security features anyways.

Moreover, most Windows and macOS components/frameworks that are the target of CVEs are actually open source, so they benefit from the open source community releasing rapid updates. And with the rise of Cybersecurity focus in recent years, the remaining few proprietary components are often fixed quickly by Microsoft and Apple (the amount of open source components with a permissive MIT license in Windows and macOS is staggeringly high!).

So, I guess you could say that "Today, certain Linux distributions are secure out-of-the-box, but not dramatically more secure than macOS or Windows or even a well-configured BSD system. The most secure computer you'll find today is a Commodore 64."

Click to expand...

jasoneckert said:

No problem! Cengage may have omitted that Appendix because Microsoft has since dramatically simplified the steps to configure WSL following the original publication of the book, making that Appendix no longer relevant. Now, just running wsl --install from a command prompt in Win10/11 installs all components as well as the Ubuntu distribution (yes, it's now that easy!).

You can then run the ubuntu command to access it (or click Ubuntu on your Start menu). Installing other distributions is equally easy - just install them from the Windows Store and run the associated command (e.g. fedora) or click on their Start menu icons.

In my next edition, WSL will merely be a side note

Click to expand...