Linux Hardening Guide

Discussion in 'all things UNIX' started by Nanobot, Jan 1, 2021.

  1. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    459
    Location:
    Neo Tokyo
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,394
    Location:
    Member state of European Union
    I think that many claims here are exaggerated to create distorted view. Many facts ignored.
    Comparison to Windows in sandbox area: how many people do use only or at least mainly UWP applications? Do average Joe use Windows store? Does average Joe even is aware of and use built-in sandbox for non-UWP programs in Windows 10?
    Contrary to standard Windows user behaviour many Linux users do download software from trusted repository which is important when it comes to Firejail.
    As per discussion linked to section about Firejail it do "effectively" sandbox applications contrary to the website claim. Main concern in linked discussion was that it can open some privilege escalation for malware/user that is already outside sandbox and that threat may be mitigated as well. As I said earlier considerable amount of Linux users do download software only from trusted sources, so there is not malware outside sandbox. madaidan claims that it can be if it breaks out of Firejail sandbox, but is this really a realistic threat for average desktop Linux home user? Does Windows sandbox protect against attacker that skilled and motivated?

    Flatpak: there are many words about X11, but desktop is in middle (or even beginning of late) stage of long-time (ca. 2013) transition to Wayland protocol. You can't really ignore transition from X11 to Wayland when you talk about GUI security.

    "Windows which is leaning heavily towards Rust, a memory-safe language" - well, Windows internals (kernel, drivers, services, low-level libraries and even .net runtime environment) are still written in C and C++. Microsoft maybe written a component or two in Rust and that's it.
    When it comes to user facing application then, yep, C# on Windows is used for many applications and is memory safe, but many desktop Gnu/Linux programs are written in memory safe Python language, which was of course ignored to create distorted view. There are Linux programs in the form of local web app written in memory safe Go language.

    There are things to be done on Linux security, but it isn't that bad as that website claims. I know that I used some whataboutism in this post comparing Linux to Window, but madaidan did unfair comparisons to Windows that made it seem like Linux is inferior to Windows in certain aspects (memory safe language etc) while Windows isn't really better at that.
     
    Last edited: Jan 1, 2021
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    I don't get what the author means when he states, and I quote:

    I don't see how it's operating under root user, at least in my case using latest Debian.
     
  4. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,394
    Location:
    Member state of European Union
    SUID is a special bit in permissions set on file. Every file in Unix has an owner. When read and execute permissions are set then file can be executed as a program. When there is permission SUID then program starts on the account of file owner even if it is executed by another (non-root) user. More on that: https://en.wikipedia.org/wiki/Setuid
    Firejail file on my Debian is owned by root:
    Code:
    ~$ which firejail
    /usr/bin/firejail
    ~$ ls -nh /usr/bin/firejail
    -rwsr-xr-x 1 0 0 468K 10-22 18:16 /usr/bin/firejail
    Firejail process drops privileges or at least changes effective owner of an itself. I understand where he comes from. As a Whonix developer he must assume that less probable for average Joe attacks are likely to happen to average Whonix user. On the other hand I think it is too unlikely for average home user to experience these kind of attacks, so I wouldn't worry about it that much.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    Thank you reasonablePrivacy. I had forgotten about file ownership, and it's not quite as simple as I had thought, when the program is executed under a user account. I certainly don't worry about security issues in my Linux setup, nor with my Windows 10 setup. I guess the author is looking at securing Linux to the most extreme extent possible
     
  6. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    11,165
    Location:
    NSW, Australia
    These type of guides will encourage users who have moved from Windows to Linux, to move back to Windows.
     
  7. Gringo95

    Gringo95 Registered Member

    Joined:
    May 7, 2009
    Posts:
    149
    "Many security experts also share these views about Linux". Where?
    The underlying factor with a lot of this stuff is to achieve clicks and YouTube views. I'm not saying there's no truth in some of it but the British tabloids are full of this click-bait stuff 99% of which has no relevance to the majority user market. I'm still waiting for details of the hundreds of Linux users who had their bank accounts emptied after logging in with Mint or Ubuntu.
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,539
    Location:
    Outer space
    Afaik the author is just saying Linux doesn't have a secure design, he's not directly comparing it with Windows or saying the average joe can get easily infected with malware. Linux and Windows are both monolithic operating systems and are not designed from the ground up with security in mind.
     
  9. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    459
    Location:
    Neo Tokyo
    Here!

    Many security experts also share these views about Linux.

    Achive clicks on what? an one hour long linux security event video from the Linux Foundation?

    Ha!
     
    Last edited by a moderator: Jan 2, 2021
  10. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,394
    Location:
    Member state of European Union
    5 out of 9 links directs to the same team: Solar Designer, Brad Spengler, Grsecurity. These are legit people, but I don't think that average Joe needs to have their Gnu/Linux distribution kernel hardened to that extent they are advocating for. Maybe some VIP or political activists (latter is likely to use Whonix) and corporate servers processing personal or otherwise valuable data and critical infrastructure.
    Most importantly this article portrays Windows as something far more secure than Gnu/Linux while I can provide links from the very researcher he linked (@rootkovska) saying that Windows can't be secured. IIRC she was so dissatisfied with both Windows and Gnu/Linux that she created Qubes OS (OS based on Xen hypervisor so you can separate different activities from each other by doing them on another OS).
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    Haha good point :thumb:

    That's right, they'll think Linux is a Swiss cheese of security holes just begging to get hacked.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.