Linux Security

12 05 2009

Someone recently told me that the only reason why Linux was thought to be more secure was because it was so unpopular that no one ever bothered finding security holes. I believe this statement to be completely false and these are a just a few reasons why I believe Linux is more secure then the other OS’s out there. This isn’t some silly top 10 list, just 4 simple reasons.

1) Linux is attacked everyday.

It isn’t hard to find out what security updates are out there. Most distros provide the security updates for their users to follow. Some are mailing lists, some are RSS feeds, and some (like Debian) are both! [1] The reason why Linux is better at security is because the community responds and fixes the problems long before they become a problem for the users. I have admin’d many Linux boxes across /many/ distros. I watch security updates like a hawk and I can verify that most big security problems are fixed within days. Compare that to a certain major OS which measures patch times in months! Don’t believe me? Check it out yourself. Visit Debian’s security list [1] and pick out a bug. Now find the reported time and when it was fixed. There are exceptions, but the vast majority of the patches are under a week turn around time. Check which ever distro you want and I am certain you will find the same results there as well.

If it was true that Linux wasn’t ever targeted, then people could assume that there were only a few reported security incidents. But it isn’t true. Linux is always being targeted and that is why there are many security reports every week. Subscribe to Security Space’s audits [2]. It is not uncommon for them to list hundreds of vulnerabilities every week! Another great source is Linux Compatible [3]. All of these sources cover the major distros but they also cover different distros and projects too. Yes, there is overlap sometimes but I would rather have seen a security warning several times then not at all.

The point is that there are plenty of security warnings issued but the Linux community tends to fix them long before the vulnerability is ever a problem. It is proof that Linus’s Law works [4]. Yet another strength of Open Source.

[1] http://www.debian.org/security/

[2] http://securityspace.com/sspace/index.html and scroll down to “New Vulnerability Tests”; at the bottom is a subscribe link.

[3] http://www.linuxcompatible.org/

[4] http://en.wikipedia.org/wiki/Linus%27s_Law

2) File Permissions.
I won’t go into great detail here because there are many others who do a better job explaining them [1]. However, I think it is important to mention that how Linux handles file permissions is greatly superior to some other OS’s out there. If an attacker doesn’t have permissions to do bad things, then he can’t do bad things! Pretty simple concept. Meanwhile, other OS’s tend to either run the user as root/admin or bug them so much that the user clicks “allow all” and gives the attacker all the permissions he wants to do what he wants.

[1] http://www.google.com/search?q=Guide+to+Linux+file+permissions

3) Very few Distros are alike.

I tend to run Debian for the majority of my needs at work and home but I am also a fan of Ubuntu for work and home as well. Last but not least, I use CentOS quite often at work as we have several vendors who prefer the Red Hat/CentOS experience. Between three distros, there are eight variations (Debian Etch, Debian Lenny, Debian Squeeze, Ubuntu 8.04, Ubuntu 8.10, Ubuntu 9.04, CentOS 4.7, and CentOS 5.3). The chances of a single vulnerability taking out all eight variations across three distros is /highly/ unlikely. Now add in all the other distros that people use (Mint, SuSE, Fedora, ect) and the chance of a virus/worm/vulnerability spreading drops even more.

4) Very few installs are alike

Lets just take one version of one distro from the above list. Debian Lenny. I probably have more running installs of this version then any of the others. I have a 32bit firewall at home (http://www.untangle.com) based on Debian Lenny. I have a 64bit home computer that is my primary system (web browsing, movies, music, games). I have a 32bit mythtv frontend at home (fluxbox as a GUI instead of Gnome). I have a 64bit install at work (lots of office applications). I have both 32bit and 64bit servers that handle various packages needed at work (one runs MySQL while another runs Apache, neither have a GUI).

There are a lot of differences and these are not all of the Debian Lenny installs that I manage. Some are 32bit while others are 64bit. Not all have GUI’s while others have different GUI’s. Some have office applications while others have games. The only thing common in all of these boxes are the very basic core-functions of Debian.

I am going to do a little experiment. I am going to take 4 boxes; my home system, my work system, one server, and one development desktop. I am going to gather all of the packages installed on each (dpkg –get-selections > box.out) and compare them (sort * | uniq | wc -l). There are 1485 uniq packages.

We can’t just ‘sort|uniq -d’ all of them together as some packages (like vim) are installed on two but not on all four. Plus it will be interesting to see the count as we move through all the boxes one at a time.

The first two systems (sort OfficeSystem.out DevBox.out | uniq -d | wc -l) have 877 duplicate packages.

Add a third system (Home.out) to that and the duplicate packages drop to 815.

Add the last system (Server.out) and we get a final count of 197.

197/1485=13.27% of the packages are the same on all four boxes. This alone proves that the target range for a virus is already really low.

If all the other OS’s disappeared over night and were all replaced with versions of Linux (not saying they will; just /IF/) I absolutely can’t imagine having a virus/worm/trojan spreading as fast or doing as much damage as other OS’s have already experienced.

“But. But. But! This just means Linux is harder to work with! After all, none of the distros are the same and Linux will never gain popularity because it is not cookie-cutter clone. It is too difficult to learn! Programmers will never write for it because it is too different and they can’ account for all the variations. Companies will never support Linux because there are too many versions and they can’t deal with all of them. blah blah blah blah….”

These arguments are complete rubbish. In my above example, since it is all Debian Lenny it is trivial to bring any and all of these systems up to the exact same package install (sort OfficeSystem.out DevBox.out Home.out Server.out | uniq > /tmp/1; dpkg-set-selections < /tmp/1). This is NOT a weakness; this is a strength. I can, and have, customized each of these systems to do the exact job that they are assigned. Nothing more and nothing less. This means they are more efficient and a harder target for attackers.

As for the multiple distros, it is quite uncommon for me to find programs that install on one distro but can not be installed on another. If you are really worried about it (from a programmer/company/user point of view) then just stick with the major distros and you will be fine. I know a LOT of companies that certify on Red Hat and Novell. Even better news is that many companies I work with are beginning to certify on Ubuntu. Once again, this point is completely mute and should have died back in the 90’s when it was actually a concern.

That’s all I got for now. I welcome comments/suggestions.

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: