Ignorance may be bliss, but a smoking crater where your Linux workstation once sat is not. Here are some common Linux security myths that you're better off living without.
Before I wrote this article, I went to some Linux newsgroups to find out what typical concerns among security-conscious Linux users might be. I asked, simply, what they felt were the biggest myths surrounding Linux security.
Boy, did I get an earful! It was as if I had gored someone's pet ox.
When I asked about the most common misperceptions of Linux security, I wasn't implying that Linux is any worse, or any better, than other operating systems. There are few "religions," however, with followers as zealous as those of Linux. As with any religion, you can't make zealots question the perfection of their belief systems.
It reminded me of an expression: You can always tell a Linux user--you just can't tell them much.
In spite of the flames, I got what I was looking for: The Linux security myths that are most likely to cause trouble for users and administrators. Some of these are more likely to trip up newbies, but they can turn up even among experienced users. And when you're talking about security, most of us deal with more than enough "trouble" without making any more for ourselves.
Here they are, listed in no particular order:
1. All distributions are equally secure, or insecure, right out of the box.
Distributions are not created equal: some ship with a conservative default configuration, others install with virtually no default security at all. A good source of independent information on the security of individual distros is www.distrowatch.com, whose coverage makes clear that some distros offer better default security than others.
As a rule, the most popular and feature-laden distros, such as Fedora Core 3, are not built with out-of-the-box security as the first priority. But I've never found a Linux distro that an educated user can't make secure. Just remember that one size does not fit all: you always trade convenience for security. A knowledgeable user can lock down just about any distro tight--so tight that it's hard to get anything done.
It's also up to users to watch for the new vulnerabilities that turn up all the time in the various distros. The day I wrote this, in fact, Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and Suse all sported new security-related updates, as discussed at www.linuxsecurity.com.
Over the years, I've installed a number of distros almost from the day they hatched. My current favorites for out-of-the-box security include Trustix, EnGarde, and Immunix, as well as the hardened versions of Gentoo and Debian. "Hardening" means that the distro's developers have closed off whole classes of standard security holes, such as buffer overruns, at the compiler and library level rather than package by package: for example, every package is built with a stack-protecting compiler so that an overrun is detected before it can hijack the program, instead of trusting each upstream author to have got it right.
I'm also currently exploring a distro called Annvix (www.annix.com), a secure, server-oriented distro based on Mandrakelinux. So far, so good: It looks secure, even right off the freshly burned CDs.
2. Linux security by default is better or worse than Windows.
Want to start a fight? Go to any advocacy newsgroup, for either Windows or Linux, and agree--or disagree--with either side. Then watch the fireworks!
I've discovered that the default, unpatched versions of either product (including most Linux distributions) are full of security holes. Get the newest release, keep it up to date, and install with security in mind. Among other things, this means setting a root password stronger than "toor" or "guest," and not leaving sensitive files and directories such as /dev/kmem with permissions of "rwxrwxrwx", just as Windows admins should require passwords for all users and restrict dangerous administrative privileges to those who need them.
One real distinction between the two operating systems' default security settings lies in their networking settings, where Windows XP patched with Microsoft's Service Pack 2 offers excellent default security (SP2 turns the Windows Firewall on by default). My point isn't to belittle the standard installation of most Linux distros, but to emphasize that when it comes down to asking which OS has the bigger "Kick Me!" sign taped to its butt, you have to assume they're equally tempting targets. I'm not just speculating here: I installed Windows XP and a standard Linux distro and logged the number of attempted attacks on each system. Both took basically the same number of attacks, but none of them got through either system's rudimentary, but carefully configured, software firewall. Know what to expect from a distro's default security, and then take the time to lock it down.
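As an added example (not code from the original article), here is a small POSIX shell audit for the two defaults this paragraph singles out: accounts whose password field is empty, and sensitive files left writable by everyone. The shadow-format lines are constructed sample data, and the list of paths to check is my own assumption; /dev/kmem is the article's example, the others are common choices.

```shell
#!/bin/sh
# Added example, not from the article. Audits two of the defaults the
# article warns about: logins with no password at all, and sensitive
# files left world-writable. Sample shadow data is constructed; the
# SENSITIVE_PATHS list is an assumption, not taken from the article.

# is_world_writable MODE
# MODE is a symbolic mode string as printed by `ls -l`, e.g. "-rwxrwxrwx"
# or "crw-r-----". The "other" write bit is the second-to-last character,
# so any string ending in "w" followed by one character is writable by
# every local user.
is_world_writable() {
    case "$1" in
        *w?) return 0 ;;
        *)   return 1 ;;
    esac
}

# accounts_without_password FILE
# Print login names from a shadow-format FILE whose hash field is empty.
# An empty second field means "no password required". A locked account
# carries "!" or "*" there instead and is deliberately not reported.
accounts_without_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# check_path PATH
# Report PATH (return 1) if it exists and is world-writable; return 0
# otherwise. `ls -ld` is used instead of `stat` so this works on both
# GNU and BSD userlands.
check_path() {
    [ -e "$1" ] || return 0
    mode=$(ls -ld "$1" | cut -c1-10)
    if is_world_writable "$mode"; then
        echo "WORLD-WRITABLE: $1 ($mode)"
        return 1
    fi
    return 0
}

# Constructed sample: root and guest have an empty hash field, daemon is
# locked, alice has a placeholder hash (not a real one).
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root::16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
alice:$6$saltsalt$placeholderhash:16000:0:99999:7:::
guest::16000:0:99999:7:::
EOF

echo "Accounts in the sample file with no password:"
accounts_without_password "$SAMPLE_SHADOW" | sed 's/^/  /'

# On a live system, run the same check against the real file (readable
# only by root) and against the real device nodes and directories.
if [ -r /etc/shadow ]; then
    echo "Accounts on this host with no password:"
    accounts_without_password /etc/shadow | sed 's/^/  /'
fi

SENSITIVE_PATHS="/dev/kmem /dev/mem /etc/passwd /etc/shadow /etc /usr/bin"
for p in $SENSITIVE_PATHS; do
    check_path "$p" || :
done
```

The mode test looks only at the "other" write bit; a file that is group-writable by a broad group is a separate problem, and so is a weak but non-empty root password, which no offline check of /etc/shadow will catch.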
3. Security is only a kernel/user-land/developer concern.
Security is everyone's concern, whether a workstation sits on a T1/DS3 or still dials in over a modem. Don't forget simple physical security, either: one of my first security audits was brought to its knees when the Tiger Team took a brick to our server rack. And for home systems, few "attacks" are as dangerous as a child's poking finger and the words, "What's this do, Daddy?" (usually followed by a rapid fsck).
The fact is, the minute one group declares security to be someone else's problem, it becomes theirs. My experience is that if you remove all security protection, such as installing a system without a root password, the resulting problems are so complicated and so immediate that a clean reinstall is the easiest solution.