Reflecting On Linux Security In 2003
Submitted by LogError 2003-12-24 Privacy, Security 20 Comments
This has indeed been an interesting year for Linux security. The point of this article is to offer a view on what I believe to be some of the most interesting happenings in 2003. The Linux experts who offer their view on 2003 are Bob Toxen (one of the 162 recognized developers of Berkeley UNIX and author of “Real World Linux Security”) and Marcel Gagne (President of Salmar Consulting, Inc. and author of “Linux System Administration – A User’s Guide” and “Moving to Linux”).
I can recommend “Practical Unix & Internet Security, 3rd Edition” by Simson Garfinkel, Gene Spafford and Alan Schwartz; it’s really well written and covers a lot of ground.
Glad to read that Linux is secure in comparison to Windows and why. I’m just a desktop user, and a Windows-user friend asked me several months ago if I ran a firewall and I said, “no, you don’t need them in Linux.” Now I know it is installed automatically.
I did know that I had never had any trouble with a virus or worm since 1999. Now I have broadband and RH9 was set to high security at install.
This is the most biased article I’ve yet read on OSNews. Are we becoming /. here? The idea that Linux is inherently secure or “has been designed for security” is just too laughable. And market penetration of Win2k means nothing?
“Now I know it is installed automatically.”
Not always. In Slackware, for example, you need to d/l an iptables script to enable this feature. It doesn’t do anything w/o the script.
Distros like RH, SUSE, MDK have them installed by default though.
I’m not much of a Linux zealot, but I am biased to an extent. The wording in this article makes it sound like 3-4 13 year olds wanted to write a professional article about how WinBLOWZ!! SuXXoRzz!!!
Given, there isn’t a doubt in my mind that Linux is more secure, at least by default (on most distros), than Windows, but any “expert” who flat out says Linux users don’t need antivirus software is being biased. Were these guys drunk during the interviews? The wording alone bothers me.
Well, please explain how it was not designed with security in mind. If you actually think Linux is insecure compared to what, Windows?
Linux users don’t need antivirus software. I’m a Linux user, been one since ’96, and I’ve never had a virus on Linux, ever. Have you?
I’ve got boot sector viruses from floppy disks in DOS, but luckily Linux doesn’t allow software to access the MBR or my hard disk unless it has root privileges.
I probably got a virus through email or smb on a Windows PC before, but Linux doesn’t get viruses this way because the people developing the OS knew better than to execute code that came off some network.
Basically if I get a virus on Linux I must have downloaded it and run it myself. Stupid me, huh.
In my opinion, the point of this article is quite different. The point is a Linux consultant selling a ‘Linux solution’ to anyone who listens.
What a wonderful Linux world he lives in! One where Linux vendors offer bug fixes for free, one where old versions of software are inherently supported longer. The world where having a secure kernel is enough to have a secure OS. The world where a firewall is always installed by default and makes the system secure forever.
Boy, I would love to live in that world of dreams!
Instead, I live in an ugly world where one major Linux vendor forces people to pay $300/year for bug fixes, where another consumer-oriented Linux vendor makes people pay $50/year for bug fixes.
The world I live in is one where old versions of Red Hat Linux will be supported by a third party for a mere $5/month, $60/year.
The world I live in has rootkits, remote exploits that would knock down hundreds of millions of Linux desktops- if there *were* hundreds of millions of them.
The world I live in has home users who are not willing to patch their computers for free- yet somehow they will all be happy paying Linux customers, safe from a 3-month-old published exploit by diligently applying patches the day they (the patches) are published by the Linux vendor.
The world I live in runs tons of software on top of the kernel- and that software has bugs and exploits, making kernel security less important than ‘distro’ security.
The world I live in has home users running KaZaa, eDonkey, ICQ,- all demanding free access to the user’s box, often requiring either disabling or tweaking the firewall to accomplish that.
This is the ugly, ugly, ugly world. I hate it. I want the one that the Linux consultant painted for me.
>What a wonderful Linux world he lives in! One where Linux vendors offer bug fixes for free.
Nice indeed, Plus you have the source code.
>one where old versions of software are inherently supported longer.
Five years long enough?
Windows 98 was supported for about that, right? 98-2003
Win2k will be faded out in April of 2005
>The world where a firewall is always installed by default.
Done on my distro (Fedora), which one do you use?
>The world I live in has rootkits, remote exploits
echo off > /proc/modules #don’t allow loadable modules
echo 1 > /proc/sys/kernel/exec-shield #Randomize heap/stack/vm mappings.
If I hadn’t read it lying in my bed I would have fallen from my chair.
The way the author argues about why Linux is more secure than Windows also proves that BeOS or SkyOS are more secure than Linux.
The problem today is that every little script kiddie tries to write a virus for Windows (everyone wants to be cool, hip or whatever).
Let’s see how secure Linux is when it’s attacked as hard as Windows.
PS: I have used MS OSs since DOS 3.2 and since I switched to Win 95 I haven’t had a single virus. And I don’t run a firewall or an antivirus program.
> PS: I have used MS OSs since DOS 3.2 and since I switched to Win 95 I haven’t had a single virus. And I don’t run a firewall or an antivirus program.
Hahaha! How can you say that you have never had a virus if you are not running a virus scanner? That’s like having tons of unprotected sex and saying you don’t have any STDs because you never took an STD test.
Because every virus shows itself, even if it’s only through increased traffic when spreading itself (and on an ISDN connection you notice every k).
Well, I can’t tell if Linux was built with security in mind; only Linus and some other core Linux developers can tell you that.
But I can tell you that it is built upon good software design principles. I’m thinking about keeping cohesion high and coupling low. This makes the cost of modification low for any type of change, including security fixes. This is taught at every beginners’ course in system development.
Compare well-defined components like sendmail, imap2000 to MS Exchange. Even in this comparison I am nice to MS, as sendmail is considered too large and cumbersome by many Linux admins, and many of them replace it with something smaller and better defined like postfix. Exchange on the other hand is a large monolithic piece of software.
Look at how IE spreads like a tumor into the core of the Windows OS, while Mozilla or other browsers commonly used on Linux do not. Look at how GUI stuff has entered into the Windows OS kernel while it’s a userspace function in Linux.
But even so, I do agree that Linux should not be considered a secure OS in the shape it is usually distributed. There is no more protection from viruses etc. than what you find in WinNT/2k/XP. Even though the flaws a virus can utilize are quicker to fix due to a better architecture.
But luckily in Linux you have access to the source code. This makes it possible for a security-conscious admin to apply patches to enhance the security. I’m thinking of things like LIDS (http://www.lids.org). The latest version of LIDS works with the LSM of the 2.6 kernel and makes it possible to hide files even from root users, to protect processes, network connections and memory. You can even make it work together with the built-in firewall to prevent the spreading of worms.
So, clearly you can make your Linux system extremely secure.
But remember security also has a price in the form of more difficult system administration. In Linux the problem is not to get your system secure enough, but to strike the right balance between security and ease of use and administration.
And no, market penetration means nothing. Either a system is secure or it is not. A typical example of this is the Apache web server: it has almost 70% market penetration and still the MS competitor has more bugs.
I’ve had a nasty Linux virus that worked off an Apache exploit a while back. I was lucky in that it didn’t use a rootkit (as far as I could tell), just installed a trojan for infecting other Apache servers and ran a DoS attack against the computer that infected it.
This was because I was slow to react to a remote exploit. I’ve also dealt with a virus that used a Samba exploit.
The viruses are out there and they are just as destructive as Windows virii. However these are worms which affect servers primarily (an area where Linux is well represented). There was no social engineering involved, no dumb user to blame.
Linux has done some things right by advocating firewalls, but most Linux boxes still run too many unnecessary services.
It will be interesting if OO.org macro virii will also appear.
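The two threads above both come down to knowing what a box actually exposes: the reply that echoes values into /proc to harden the kernel, and the post pointing out that most Linux boxes run too many unnecessary services. The script below is an added example, not code from the article or from any commenter. It parses the /proc/net/tcp format to list which TCP ports are listening and which of them are bound to something other than loopback, and reports the state of the hardening knob the reply names. The sample /proc/net/tcp content is constructed, not captured from a real host; /proc/sys/kernel/exec-shield is the Red Hat/Fedora sysctl from the reply and is absent on other kernels; and /proc/modules is a read-only listing of loaded modules, so the script only reads it rather than writing to it as the reply suggests.

```python
"""Audit a Linux host's network exposure from /proc/net/tcp and check the
kernel hardening knobs mentioned in the thread. Added example; not from the page."""
import os

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp (not captured from a real host):
# sshd on all interfaces, cupsd on loopback only, smbd on all interfaces,
# plus one established outbound HTTPS connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
   2: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 100 0 0 10 0
   3: 0A00020F:8ED9 5DB8D80E:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1004 1 0 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """Turn '0100007F:0277' into ('127.0.0.1', 631).

    /proc/net/tcp prints the IPv4 address as a hex u32 in host byte order,
    so on little-endian machines (x86) the bytes must be reversed.
    """
    hex_ip, hex_port = hex_addr.split(":")
    ip = ".".join(str(b) for b in reversed(bytes.fromhex(hex_ip)))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text):
    """Return a list of (local_ip, local_port, state) tuples."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, port = decode_addr(fields[1])
        sockets.append((ip, port, fields[3]))
    return sockets


def listening_ports(text):
    """All TCP ports in LISTEN state, regardless of bind address."""
    return sorted({p for _, p, st in parse_proc_net_tcp(text) if st == TCP_LISTEN})


def exposed_ports(text):
    """Listening ports reachable from the network, i.e. not bound to loopback.

    A wildcard bind (0.0.0.0) is exposed; 127.x.x.x is not. This is the list
    to compare against the services you actually meant to run.
    """
    return sorted({p for ip, p, st in parse_proc_net_tcp(text)
                   if st == TCP_LISTEN and not ip.startswith("127.")})


# Knob from the thread's reply, with the value that reply sets. It is a
# Red Hat/Fedora-specific sysctl (assumption: absent on other kernels).
HARDENING_KNOBS = {
    "/proc/sys/kernel/exec-shield": "1",
}


def read_file(path, root="/"):
    """Read a proc/sysfs file under `root`; None when it does not exist."""
    full = os.path.join(root, path.lstrip("/"))
    try:
        with open(full) as fh:
            return fh.read().strip()
    except OSError:
        return None


def hardening_report(root="/"):
    """Map each knob to 'ok', 'weak: <value>' or 'absent'."""
    report = {}
    for path, wanted in HARDENING_KNOBS.items():
        value = read_file(path, root)
        if value is None:
            report[path] = "absent"
        elif value == wanted:
            report[path] = "ok"
        else:
            report[path] = "weak: " + value
    return report


def module_count(root="/"):
    """Number of loaded kernel modules; /proc/modules is read-only, so only count."""
    listing = read_file("/proc/modules", root)
    return 0 if not listing else len(listing.splitlines())


if __name__ == "__main__":
    # Use the live table when running on Linux, else the constructed sample.
    text = read_file("/proc/net/tcp") or SAMPLE_PROC_NET_TCP
    print("listening:", listening_ports(text))
    print("exposed  :", exposed_ports(text))
    print("knobs    :", hardening_report())
    print("modules  :", module_count())
```

On the constructed sample the exposed list is ports 22 and 139 while 631 stays off it because cupsd is bound to 127.0.0.1; on a real host the same comparison against the list of services you intended to run is what turns "too many unnecessary services" into a concrete to-do list.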
I have been running Windows 2000 since beta and moved to XP when the Preview version was released, and have never had any virus. And I don’t have any antivirus, and the firewall I’m running is the one XP includes. If I want to check my system, I go to the Symantec site, and they have a free online virus scan. By the way, is there any way to know if a Linux system has any Trojan or virus???? (You know, there are viruses and Trojans for Linux.) Moving to Linux doesn’t mean the security problems are solved. There is always a need to have security patches applied. If you move your enterprise to Linux, you are free of the Windows problems, but become a slave of the Linux ones. And when you have a lot (hundreds to thousands) of PCs, believe me, there will be problems, no matter whether it is Windows, Linux or any OS. So, it is our responsibility to secure our systems. By the way, I use both systems in my office…
I still think that Linux folks would be better served if more of them implemented the SELinux extensions. If so, then the correctness of the kernel and the security policy would be all one really needed to worry about, instead of the correctness of everything in the system. To be fair, I think that the FreeBSD folks should do the same thing with the TrustedBSD MAC stuff that they have implemented.
“The world I live in has rootkits, remote exploits that would knock down hundreds of millions of Linux desktops- if there *were* hundreds of millions of them.”
Rootkits are not the problem. Rootkits are a result and signal of the problem: an insecure computer resulting in a compromised computer. Whether there are rootkits or not does not make this problem worse or better. Root compromise is root compromise. The same counts for exploits. Whether someone has coded a program to exploit a remote vulnerability or not does not make the actual vulnerability more or less important. Crackers generally wouldn’t be interested in a simple home computer anyway. It doesn’t run anything exotic and doesn’t contain important information, most of the time. Nevertheless the solution to the problem lies in patching.
“The world I live in has home users who are not willing to patch their computers for free- yet somehow they will be all happy paying Linux customers and safe from 3 months old published exploit by diligently applying patches the day they (patches) are published by the Linux vendor.”
The problem lies imo in education and I believe Linux users are more educated regarding this since Linux finds its roots rather among computer-minded people. One of the first things people should learn is patching.
A patch applied 3 months after a remote vulnerability has become known is no problem in the case the box hasn’t been compromised.
In the case it has been compromised, which does happen, there’s a problem. You won’t see that much in commercial environments (which should be extremely easy to patch anyway). I think ISPs should contribute more to this. It isn’t much work to do so since they’ll have to track such things for themselves anyway, and it is to their advantage too. I know I’m happy my ISP does (regarding Microsoft Windows viruses and patches).
“The world I live in runs tons of software on the top of the kernel- and that software has bugs and exploits, making kernel security less important that ‘distro’ security.”
Untrue, for the reason that there are several solutions to secure these “insecure” programs. Don’t run them (don’t run more than necessary). Run stack protectors (i.e. W^X, PaX), use truncating libraries (i.e. libsafe), ACLs (i.e. systrace), and a lot more options. Pure education. The point is, none of these solutions can protect the actual kernel. If there’s a vulnerability in the kernel, you’re fried. The above mentioned security measures do not help; for example GrSecurity did not save people from the do_brk vulnerability.
“The world I live in has home users running KaZaa, eDonkey, ICQ,- all demanding free access to user’s box, often requiring either disabling or tweaking firewall to accomplish that.”
>but any “expert” who flat out says Linux users don’t need
>antivirus software is being biased. Were these guys drunk >during the interviews? The wording alone bothers me.
Hard to believe, eh? Fact is you DO NOT NEED antivirus software for Linux. I have RAV antivirus for Linux running on a couple of servers and workstations; the only thing it does is catch Windows viruses (samba shares). So it is handy but not necessary.
Exactly the same as yours: Linux is more secure than Windows only when it is used by what you call ‘computer-minded people.’
That is the point that is missing in the article written by the Linux consultant.
Security is not (only) in the OS, security is in the minds of OS users. You can not change a user’s mind by changing his/her OS: a fact the Linux consultant conveniently forgets to mention.
That is my other point: reality and consultants do not mix.
Russian guy, you made some great points about Linux software. For more technical users, Linux can be secured at least as well as Windows. Most of the major Linux distros are shipping more secure by default than they used to. Patch management however is something that the major Linux distributors expect users to pay for. This negates the cost savings of the software. Support for Microsoft products is much longer than for Linux products. 5 years minimum and closer to 10 for major security flaws.
NT4 is still being supported.
It really comes down more to the person doing the securing.
Viruses like Blaster mainly affect desktop systems, of which Linux only has a minuscule percentage. I hope Linux grows in the desktop market, but worry about how it’s going to hold up security-wise when average Joe user starts using it.
I must disagree with permabuzz on his issue on longer support from Microsoft. NT4 is no longer supported, unless you’re willing to pay for a rather expensive support contract.
I think that the current support for Microsoft products is “current version – 1”. So, Windows XP and 2000.
What bothers me more is that things change all the time between versions. As a developer you can throw away all your code when you upgrade e.g. from version 6 to .Net. Or you must run some wizards that solve a fraction of your problem.
I like Linux a lot more. At least I know that I will find somebody who is willing to help me without paying for solving things that are considered “default by design” on Technet.