Five Linux Security Myths You Can Live Without

Before I wrote this article, I went to some Linux newsgroups to find out what typical concerns among security-conscious Linux users might be. I asked, simply, what they felt were the biggest myths surrounding Linux security.

Boy, did I get an earful! It was as if I had gored someone's pet ox.

When I asked about the most common misperceptions of Linux security, I wasn't implying that Linux is any worse, or any better, than other operating systems. There are few "religions," however, with followers as zealous as those of Linux. As with any religion, you can't make zealots question the perfection of their belief systems.

It reminded me of an expression: You can always tell a Linux user--you just can't tell them much.

In spite of the flames, I got what I was looking for: The Linux security myths that are most likely to cause trouble for users and administrators. Some of these are more likely to trip up newbies, but they can turn up even among experienced users. And when you're talking about security, most of us deal with more than enough "trouble" without making any more for ourselves.Here they are, listed in no particular order:

1. All distributions are equally secure, or insecure, right out of the box.

All distributions are not created equal: Some distros, by default, are very secure; others install with virtually no default security. A good source of independent information on the quality of distro security is www.distrowatch.com, a site that supports the idea that some distros offer better security than others.

As a rule, some of the most popular and feature-laden distros, such as Fedora Core 3 , are not built with immediate, instantaneous security in mind. But I've never found a Linux distro that an educated user can't make secure. Just remember that one size does not fit all: You always make a tradeoff between convenience and security. A knowledgeable user can lock down just about any distro tight--so tight that it's hard to get anything accomplished.

It's also up to users to keep an eye out for new vulnerabilities that appear all the time in various distros. The day I wrote this, in fact, Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and Suse all sported new security-related updates, as discussed at www.linuxsecurity.com.Over the years, I've installed a number of distros almost since the day they hatched. My current favorites for out-of-the-box security include Trustix, EnGarde, and Immunix, as well as the hardened versions of Gentoo and Debian. "Hardening" means that a distro vendor or developers have plugged standard security gaps, such as buffer overruns, right down to the compiler and even to the library level.

I'm also currently exploring a distro called Annvix (www.annix.com), a secure, server-oriented distro based on Mandrakelinux. So far, so good: It looks secure, even right off the freshly burned CDs.

2. Linux Security by default is better or worse than Windows.

Want to start a fight? Go to any advocacy newsgroup, for either Windows or Linux, and agree--or disagree--with either side. Then watch the fireworks!

I've discovered that the default, unpatched, versions of either product (including most Linux distributions) is full of security holes. Get the newest release, keep it up to date, and install with security in mind. Among other things, this means setting a root password stronger than "toor" or "guest," and not setting the permissions for important directories and files such as /kmem to "rwxrwxrwx", just as Windows admins should install passwords for all users and restrict dangerous administrative access privileges to those who require it.One real distinction between the two operating systems' default security settings lies in their networking settings, where Windows XP patched with Microsoft's Service Pack 2 offers excellent default security. My point isn't to belittle the standard installation of most Linux distros, but to emphasize that when it comes down to asking which OS has the bigger "Kick Me!" sign taped to its butt, you have to assume they're equally tempting targets. I'm not just speculating here: I installed Windows XP and a standard Linux distro, logging the number of attempted attacks on each system. Both basically took an equal number of attacks, but none of them got through either system's rudimentary, but carefully configured, software firewalls. Know what to expect from a distro's default security, and then take the time to lock it down.

3. Security is only a kernel/user-land/developer concern.

Security is everyone's concern, whether a workstation is networked to a T1/DS3 or still uses a dial-up modem. Don't forget simple physical security, either: One of my first security audits was brought to its knees when the Tiger Team took a brick to our server rack. And for home systems, few "attacks" are as dangerous as a child's poking finger and the words, "What's this do, Daddy?" (usually followed by a rapid fsck).

The fact is, the minute one group proclaims security someone else's problem, it becomes theirs. My experience is that if you remove all security protection, such as installing a system without a root password, the resulting problems are so complicated and so immediate that a clean reinstall is the easiest solution.

4. Linux is not "certifiable" for United States government use.Remember that old joke about standards being so good, everybody should have one? Whoever came up with that canard must have been speaking of government security standards, because there are a zillion of them.

Properly hardened, Linux can qualify for a number of U.S. government security certifications, and several distributors, including Suse and Red Hat, have done just that. The most common certification, known as CAPP/EAL, comes in different levels; at least one distro has been certified at EAL 5, a security level required for many high-risk government systems. The U.S. government offers such certification, however, only to combined hardware and operating system configurations; Suse Linux, for example, was certified using IBM's eServer product line. and vendors typically work closely together to earn these certifications.

5. Open source automatically, absolutely equals security--or insecurity.

Open Source means the source code to piece of software is free and available to the general public, and anyone is free to examine it for flaws and security lapses. This does not make open-source software, inherently more secure--or less secure--than proprietary software. It just means that a bunch of propeller heads have access to the source code, for better or for worse.

The concept of more eyes examining the code for security flaws sounds great on paper. The real world, however, is not made of paper. Thousands of servers run Linux and other open-source software: How secure are they, and how often is the source code examined before it goes into use? When I sent this article to my editor, it passed through other people's Linux servers, any number of which may run software that no one has ever thoroughly checked for security flaws.One good example is the security hole recently discovered in Firefox, a popular open-source Web browser. No matter which side of the Open Source vs. proprietary software issue you take, it's still a fact that programming errors and security holes will always exist. Secure software depends on the skill of the programmer, not whether it's open-source. Buggy software is buggy software.

I've also seen first-hand how open-source code can create potential security concerns. At one time, I was responsible for an installation with an open-source compiler that a terminated former employee had installed. The compiler turned out to include an unwelcome feature: shell escapes had been added for easy access by buffer overruns.

We were sitting on a powder keg: Compilers are often installed with full root privileges, and giving anyone root-privileged shell access is the Linux equivalent to taping a "kick me" sign on your back. Many buffer overruns are accessible over an Internet connection via simple email or even through unrestricted pinging, and a properly constructed overrun can, by itself, give an attacker root access.

I learned a simple lesson. In this business, there's no such thing as paranoia: Someone really is out to get you. There's an equally simple solution: Trust no one. Recompile everything when security really matters, learn how to run diff on the source code, and account for every difference you find in the code.

Ross M. Greenberg [email protected]) was doing computer security long before there even was a Linux. And those zealous Linux bigots that were hanging out in the newsgroups he visited? How quaint. Kids, these days....0