Scientific Linux 6 RC1 released

Discussion in 'all things UNIX' started by Trespasser, Feb 18, 2011.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    How are the security features of SL6?
    How do they compare to Debian 6/Ubuntu?
     
  2. katio

    katio Guest

    It got SELinux but I don't know how targeted it is. It's certainly less aggressive than Fedora and most likely lacks desktop-centric features like sandbox -X. Programs running in the unconfined domain don't gain much if any security through SELinux (recently Fedora for example started to confine unconfined itself a bit).

    At any rate, it's certainly better than Debian. Debian is the only mainstream distro with no gcc hardening (except for a very few selected packages) and it has no MAC either.
    However the latter is only the default choice and you could enable AppArmor, SELinux or another module or patch yourself.

    Ubuntu got the most proactive features and easily "wins" in terms of security.
    https://wiki.ubuntu.com/Security/Features

    In terms of retroactive securities, I don't know. This entirely depends on how responsive the dev team is to issue Red Hat security packages to the SL repos.
    When it comes to Debian and Ubuntu, Debian is more responsive. They are usually faster to issue updates. Also the web resources are a lot more useful than the ubuntu.com +launchpad.net mess. Add to that the fact that the Ubuntu security team has to support more distro versions at a given time and then only supports a by comparison small main repo. Packages in universe are often outdated for far too long and pushing vulnerable packages to its users. PPAs can solve that for some notorious packages (Chromium comes to my mind) but then you have missing quality control and other security issues, like who can guarantee the packages can be trusted?


    Summary:
    Fedora and Ubuntu are the most secure desktop distros. They take different strategies and I much prefer the Ubuntu way because I do not believe that SELinux today is a viable option to expose to the end user and a fully strict enforced system is impossible either. I like sandbox -X but if you ever have used Sandboxie on Windows or other solutions you'll see how it lacks in features, usability and ultimately, because you have to make compromises, in security too.

    With AppArmor, on the other hand, it is very easy to write your own profiles for whatever software you want to use (music and video players, pdf viewer, skype, whatever).
    However, given the current threat landscape Linux desktops are absolutely no target and therefore any distro is "secure" if you aren't a special target for some reason (you wouldn't be here asking this if you were).
    Servers are a target and that's why securing internet facing services is so important.
    In this regard they are all the same. Run the absolute minimum of services, firewall them, use fail2ban/denyhosts, don't use plain text protocols, use strong passphrases or keyfiles and please don't run a public webserver on your desktop PC.
    (Sorry, boring stuff, repeated ad nauseam)
     
    Last edited by a moderator: Mar 1, 2011
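
The post above notes that programs running in the unconfined domain gain little from SELinux. One way to see how much of a host that covers is to audit `ps -eZ` output, shown here as an added example that is not part of the original thread. The list of domain types treated as unconfined and the sample process listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list processes whose SELinux domain gives little confinement.
# Input format is that of `ps -eZ` (LABEL PID TTY TIME CMD).

# Domain types treated as unconfined. Assumption: adjust for the loaded policy.
UNCONFINED_TYPES="unconfined_t unconfined_service_t initrc_t"

# list_unconfined: read `ps -eZ` output on stdin and print "PID TYPE CMD"
# for each process running in one of the types above.
list_unconfined() {
    awk -v types="$UNCONFINED_TYPES" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        NR == 1 && $1 == "LABEL" { next }        # skip the header row
        {
            # context is user:role:type[:level]; the level may contain ":" too,
            # so only the third field is used
            split($1, ctx, ":")
            if (ctx[3] in want) {
                cmd = $5
                for (i = 6; i <= NF; i++) cmd = cmd " " $i
                print $2, ctx[3], cmd
            }
        }'
}

# count_unconfined: number of such processes in the listing on stdin.
count_unconfined() { list_unconfined | wc -l | tr -d ' '; }

# Constructed sample listing, not captured from a real host.
sample_ps() {
cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:sshd_t:s0-s0:c0.c1023 1402 ? 00:00:00 sshd
system_u:system_r:initrc_t:s0    1650 ?        00:00:03 customd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2211 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2290 pts/0 00:00:12 firefox
EOF
}

# On a live SELinux host: ps -eZ | list_unconfined
sample_ps | list_unconfined
```

A network-facing daemon that shows up in this list is the case to look at first, since it is running without a policy module of its own.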
  3. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns