is linux a secure operating system?

Maybe read this first

Few examples (plenty more to come in the future)
It is broken because secure boot is just a db. No way to fix this.
I didn’t ask you to throw a bunch of links naming specific exploits, or specific manufacturer flaws, but to explain why signing the boot sequence chain of responsibility is not secure.

Also, “just a db” means nothing. There are plenty of solutions based on databases that are secure.

The fact that you can point us to examples where the secure boot has failed just means that you can identify bad engineers, but doesn’t prove that the secure boot (as an industry proposal) is not secure.

Not to mention that Linux does not really need it.
That is not true. Any operating system needs to be able to validate and enforce trust when it comes to allow random code to access kernel mode. Linux, macOS, Windows and whatever is to come.

The rest of the message: I stopped reading on the authority fallacy. Alluding to who someone is with the intention of avoid discussing a set of facts is not the kind of conversation I want to have. I could just spit back a video of Linus saying that secure boot is the right thing to do, but I’m not because it wouldn’t add any value to it.
 


Neither provide security out of the box. Apparmor is path dependend and easy to circumvent, selinux requires knowledge beyond average user willingness to learn.
RHEL/Fedora come out of the box with better security because you are given a set of default policies that policies that applies to files and applications running and filesystem locations. The only place I've had to customize my selinux setup is on server where you use custom paths for applications and where applications are deployed that go against the existing selinux policies. On the desktop I've maybe only seen it happen once where an application wouldn't work correctly because of selinux and then you could still get it to work.

Flatpaks as security measure? So often with outdated software. Not to mention that if for example each provide own ssl lib then in fact this is security nightmare.
Flatpaks aren't perfect but so sure plenty of areas they can still improve and seems they are still open to improving it since the git repo is still quite active including the issues/feature request. No software is perfect since there are always things to improve.
 
I use both linux and windows, the linux distribution I currently run is Fedora Silverblue.

I started reading in different forums and internet websites about linux, and two pages in particular called my attention about security in linux, and I would like to share them here and know what you think about it, I don't want it to be misunderstood, I love linux and I have tried several distributions, I always heard that linux is more secure than windows and I always took it for granted, but to my surprise when I started reading about linux security in these pages and everything they talked about, then from there this topic does not stop itching my curiosity.

That link is questionable. Who writes such mis-information ? Trash!
I have been using Linux {mainly Mint} since 2015 with no problem with viruses, malware or any other problem with security. No need for any anti-virus programs.
OG TC
 
@MikeWalsh
shrug: while I tend to believe someone who is Whonix maintainer or Gentoo wiki, or Qubes devs I don't know you.
No software is perfect since there are always things to improve.
Yes, that is the whole point.


Any operating system needs to be able to validate and enforce trust when it comes to allow random code to access kernel mode. Linux, macOS, Windows and whatever is to come.
Yes, except that due to the existing holes in secure boot this particular approch never provided what is supposed to. It was always broken if you read about actual implementation. These links that I provided above just state that flaws in secure boot made it not efficient because they existed from the beginning and probably were abused long before issues were discovered.

I would also suggest reading up Qubes kb which provides solutions that solve this particular issue. Issue being that secure boot is in fact not secure.
Qubes is based on Fedora. So this is Linux except that this is secure Linux. As far as I know this is most secure Linux available.
The link to the hardened kernel that I provided in the first post is maintained my Arch kernel developer. Another link from the first post it is checking enabled kernel hardening options is suggested by Whonix devs.

The whole point is that default options are the compromise between usability and security. With the balance skewed toward usability. But it is possible to make Linux very secure.

People are running Linux workstation even without firewall enabled. Crazy? No, because if Linux workstation does not have any port open/listening then this should work and it looks like it is working for them.

If you want to use secure boot, go for it. Is it secure? Nope. Why? Because of the existing flaws (links above). Are there better options? Yes (for Linux only, not MS Window. OS X boot security is not affected as long as Intel is not used).
 
If you need a really secure system, it's better to build your own hardened setup instead of relying on something like Qubes. I mean, what's the point of having an unbreakable lock if the burglar already knows where the key is probably hidden?

The Qubes KB is a great resource, but e.g. a custom hardened Slackware, where the burglar doesn’t even know where to start looking, is a much better option. :)
 
@cartonoak

I've read your 1st link only, and my conclusion is that all that's said is generalization and not targeted to specific distro (which is mandatory if one wants to talk about security) and so all this generalization is only partially true because it depends on distro.

For instance:
Another thing to keep in mind is that Mandatory Access Control is also somewhat effective on servers, as commonly run system daemons are confined. In contrast, on desktop, there is virtually no AppArmor profile to confine even regularly used apps like Chrome or Firefox, let alone less common ones.
This is simply not true for my case, because AppArmor is installed by default and running, and on top of that I can create profiles my self for software which I install from non distro repo such as Firefox or WineHQ etc.

But on another side it is true that majority of Linux community take Linux as secure by default as granted and do very little if anything at all to secure their system.

For instance, every distro has a ton of unfixed CVE's all the time, so a hacker can exploit your system at any time simply by taking advantage of these holes.

For comparison my Debian system with currently installed packages has 1532 security issues that are not fixed:
Bash:
debsecan | wc -l
1532

Your distro might have much more of them, so how can anyone say Linux is secure in spite of these numbers? it's just insane.
And on top of that, this is publicly available data, what about undisclosed vulnerabilities?
 


Latest posts

Top