How Linux Security Fails to be Simple
Linux Security Should be Simple, Right?
Why that is not a reality, and we might never achieve it.
Linux gained great popularity over the last 10 years, powering our servers and smartphones. With all the efforts put in creating more secure software, it seems installing security updates will remain a weekly task. Will this ever change?
Security is Hard
Properly securing a system means different things for different people. So let’s take the assumption that every system has a particular goal, secondly that it should be properly secured. The first one defines what the system should be able to do, like “be a web server and provide content”. The right amount of security, that is slightly harder to define. We know that at a minimum our security measures should not conflict with the goal, but that’s it. How much security is enough?
Be a Bank?
If you are a bank, confidentiality and integrity of data might be more important than availability. While you might argue that the lack availability gives a bad reputation, that is something people will forgive you. Showing incorrect bank statements might be a different story.
For most of us, we don’t have to harden our servers at the same level of a bank. The question still remains, what security measures are appropriate. Ask that to different security specialists, and they will all give you a different answer.
Some security professionals will directly answer “do risk analysis”. While this is a good tool to determine the risks involved in running a particular system, it is time-consuming and not an easy task either. If you are a system administrator, do you really know all the risks involved within your business?
Linux Security Complexity
Two things make Linux security complex. The first is what you would count as “Linux”. You might just count the kernel (GNU/Linux), the kernel plus additional basic system administration commands, or a whole Linux distribution. Depending on that criteria, the last option will give you a lot more to secure.
The second part of complexity is the amount of security measures involved. From benchmarks and guides, to tools and utilities. There are so many resources, with even more contradicting advice involved. Sometimes simply no longer correct due to the ongoing changes made to the involved software components.
A great example of new development is the systemd framework. It is a major change on how Linux systems operate now. At the same time, most of its users won’t have any idea what security options are provided, or how to configure them. Sure, there is some security related systemd documentation, but not clear instructions on how to implement it on your systems.
Guides, Guides, and more Guides
We often think that choices are a good thing. It has been proven several times that more choice can be harmful, or even result in analysis paralysis. In this last case we might actually end up doing nothing, as we can’t decide where to start. For Linux system hardening there is an overwhelming amount of hardening guides available:
- CIS benchmarks
- NSA hardening guidelines
- NIST standards
- Vendor guides
- GitHub snippets (and gists)
Even Linus Himself Dislikes Security
The original author of GNU/Linux, Linus Torvalds has a negative opinion about Linux security. No surprise there, as he is known to express his thoughts in a very strong way. Some might even call it aggressive, but that is not the point here. What is more concerning, is that this means a lot of security measures won’t find its way into the kernel. This includes those who might make the operating system more secure, or easier to secure.
Security is hard, that has been proven over and over again. Linux security is no different. Sure, there are a lot resources available, but they can be overwhelming and confusing. One of the reasons includes the contradicting advice. Other reasons are: unclear risks for each software package, and sometimes limited understanding of security concepts, by both users and developers. Even with all this complexity, I hope Lynis provides you better insights. Let’s stop complexity together! We will definitely keep fighting the endless battle to make Linux security easier.