Linux--The Most Secure OS of All?
The Few, The Proud, and The Secure
Some may claim otherwise, but many insist that Linux is the most secure operating system (OS) of them all.
Linux security advocates point to a plethora of hardened distributions and hardened kernels, for one thing. Linux administrators can also take many steps to make any distro even more secure, starting with installation procedures.
Linux practitioners have seen security as a priority from day one, according to Jim Dennis, one of the principals at Starshine.org. "Essentially, people who use Linux tend to value security over features," Dennis maintains.
Many Linux distros, for example, come with support for transmission control protocol (TCP) wrappers compiled right in, he illustrates. "With Sun Solaris, for instance, you still have to add that."
Dennis acknowledges that Linux is now feeling the impact of worms and viruses. By and large, though, these infections originate in the Microsoft Windows environment, he charges.
One way to help fend off incursions is to use componentry from different code bases--such as Apache 2.0 and Apache 1.3--in putting together Web server implementations, according to Dennis. "Diversity saves us," he quips.
Meanwhile, organizations such as banks and federal security agencies have been working for years to build hardened Linux distros and kernels. Hardened kernels include LIDS; GRSecurity; RSBAC; and LOMAC.
SELinux, on the other hand, was developed by the National Security Agency (NSA). This hardened distro, which features a hardened kernel, is also "extremely granular," so that implementation is complex, Dennis says.
In a two-hour session at the recent PC Expo show, and a follow-up interview later, Dennis gave wide-ranging tips on how to protect all Linux implementations from technical and network exploits.
Security is a highly complicated matter, however, Dennis admitted. "I'm not going to make you a CISSP pro in two hours. I'm not one myself," he told attendees at PC Expo's Linux Bootcamp.
On the installation side, Dennis recommended starting from either a CD or an isolated local area network (LAN). You should eliminate services you don't need, and place strict limits on any services you do need.
"You can't crack a service you can't reach," Dennis said. "Bind services to specific interfaces via their config files. Use 'host allow' and 'host deny' to say who can access services, and who can't."
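Dennis's "host allow" and "host deny" refer to the /etc/hosts.allow and /etc/hosts.deny files consulted by the TCP wrappers he mentions. The following is an added example, not from the article or the tcp_wrappers project: a small Python model of the evaluation order (first hosts.allow match grants, then first hosts.deny match refuses, otherwise access is granted) run over constructed sample rules, which makes visible the caveat that without a catch-all line in hosts.deny an unlisted client is still admitted. It handles only ALL, exact IPv4 addresses, trailing-dot prefixes, net/mask or CIDR patterns and EXCEPT; hostnames, LOCAL, KNOWN and IPv6 are left out.

```python
import re
import ipaddress

# Constructed sample rules (not from the article); daemon names are what tcpd sees, e.g. "sshd".
HOSTS_ALLOW = """\
# office LAN may ssh, minus one quarantined host; plus one jump box
sshd: 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.13
sshd: 10.0.0.5
ALL: 127.0.0.1
"""
HOSTS_DENY = "ALL: ALL\n"   # the catch-all that makes the policy default-deny

def parse_rules(text):
    """Yield (daemon_list, client_list); blank and '#' lines are skipped, an optional shell-command field ignored."""
    for line in text.splitlines():
        fields = line.strip().split(":", 2)
        if len(fields) >= 2 and not fields[0].startswith("#"):
            yield [d.strip() for d in fields[0].split(",")], fields[1].strip()

def client_matches(pattern, ip):
    """Match one client pattern against a dotted IPv4 address string."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):      # "192.168.1." prefix form
        return ip.startswith(pattern)
    if "/" in pattern:             # net/mask or CIDR form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern

def list_matches(client_list, ip):
    """'a, b EXCEPT c, d' matches when a or b matches and neither c nor d does."""
    if " EXCEPT " in client_list:
        left, right = client_list.split(" EXCEPT ", 1)
        return list_matches(left, ip) and not list_matches(right, ip)
    return any(client_matches(p, ip) for p in re.split(r"[,\s]+", client_list.strip()))

def access_allowed(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: first hosts.allow match grants, then first hosts.deny match refuses, else grant."""
    for daemons, clients in parse_rules(allow_text):
        if any(d in ("ALL", daemon) for d in daemons) and list_matches(clients, ip):
            return True
    for daemons, clients in parse_rules(deny_text):
        if any(d in ("ALL", daemon) for d in daemons) and list_matches(clients, ip):
            return False
    return True   # nothing matched: tcpd grants access by default

if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.1.20"), ("sshd", "192.168.1.13"), ("in.ftpd", "10.0.0.5")]:
        print(daemon, ip, "allow" if access_allowed(daemon, ip) else "deny")
    print("empty hosts.deny:", access_allowed("sshd", "203.0.113.9", deny_text=""))  # True: unlisted client admitted
```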
When installing patches and upgrades, check vendor package signatures and/or checksums. Debian binary packages are unsigned, however. With RPMs, signature checking is optional.
If possible, you should also run Bastille, an interactive lockdown/hardening script. Right now, Bastille supports Red Hat, SUSE, TurboLinux, Debian, and Mandrake distros, in addition to Mac OS X and HP-UX.
Bastille may be "generic and opaque," but it's also "quick, easy, and a consolidation of best practices," according to Dennis.
Dennis also advised installation of both AIDE and Samhain, a software project from lunapark.
"AIDE is the new tripwire. Tripwire is old and somewhat non-free," Dennis added. For its part, Samhain features LDAP authentication, a network console, a stealth option, and daemon mode, for instance.
"Use two," Dennis suggested. "Copy archives and checksum databases. Use bootable read only (RO) media. Add to DNS, DHCP, routers, SNORT, BB/Naslos, etc."
Dennis also gave advice across a wide range of other security areas, including the use of "jail services" such as chroot, the replacement of "deprecated protocols" such as telnet, and the role of cryptography, to name a few.
The most important thing, though, is to never let down your guard, Dennis recommended. "Stay vigilant. Complacency is dangerous," he concluded.