[This was originally published on secure.linux.com and mirrored on attrition.org.]
There is no subtlety in the race to gain the exalted title of having the most secure operating system. Both sides of the virtual fence argue that their preferred operating system is more secure in its default installation. More often than not, these OS bigots spend more time knocking the other contenders down than arguing the strengths of their own OS. Some fanatics argue that their OS can be made more secure in the long run. When one is fighting a losing battle, shooting holes in the other side is often more effective than boasting of your own merits. In the war between Linux and its rivals, Linux is in a position to stand on its own positive features, and it does so well.
Nothing to Hide
A longtime trendsetter in the Open Source movement, Linux continues to bare all to friends and foes alike. Every day thousands of hobbyists and developers fiddle with every part of the operating system, finding new ways to improve on it. Some of this results in small fixes that make parts of the system more efficient. Others streamline the code while adding new features that allow more flexibility, and some fix bugs left by predecessors from a day when security was barely an issue. The key here is that anyone who has the whim or desire to scrutinize or improve the current code base can do just that. By offering the full source code to every piece of the operating system, Linux developers around the world are putting their work on trial. With thousands of critical eyes, it stands to reason that such bugs will be ferreted out in no time.
On the other hand, closed source operating systems hide their foundation from the world, relying on security through obscurity to prevent vulnerabilities from being discovered and exploited. These closed source systems appear to be developed by companies more concerned with profit margins than with secure and stable operating platforms. These operating systems tend to be written by programmers whose primary goal is a sizeable salary, rather than by the herds of developers working on open source operating systems for the love of the work.
With open source operating systems, the time required to find and isolate a bug is decreased tenfold. Large corporations must rely on laborious internal testing to find and fix bugs, while a qualified Linux enthusiast can take minutes to verify a bug in the source tree. The same programmer can often develop a fix for the bug and share it with the world in hours. The sheer power to effect change and provide improved components of an operating system is something unknown to widely deployed commercial operating systems. This advantage will continue to make free, open source operating systems a thing of power and control. The most effective part of this process can be seen when developers and enthusiasts all over the world collaborate on the best way to fix a problem. This is seen on the full disclosure security mailing list Bugtraq.
The Right Tool to do the Job
More important than choosing the right tool for the job is having all of the tools required to do the job correctly. Perhaps one of the most potent and overlooked strengths of Linux and other open source operating systems is the amazing number of tools available to do virtually any job required. With many tasks in the computer or network world, it is accepted that you have one (sometimes two) tools to do a specific job. You learn those tools and you learn to like them because there is no alternative. The world of Linux is one of choices. Perhaps the most self-empowering attribute of open source platforms is that anyone can develop their own tool as an alternative to the rest.
This can be illustrated quite easily by having any skeptic subscribe to the daily Freshmeat newsletter. Once a day Freshmeat mails out a summary of new or updated tools submitted to its site. Each piece of mail lists the title of the tool, where to find it on the net, a brief description of its features, as well as the reason a new version was released. In many cases they also announce the release of new tools and provide the basic details. On a typical day, this mail will contain a list of some 20 – 60 tools that have been released or updated. The beautiful part? Almost all of them are free.
Looking at the Freshmeat mail for January 26th, I learn of four new security software package events. The first is a low urgency upgrade to the Fwctl program, which helps users configure a tight firewall. Next is an updated version of a popular vulnerability scanner called SAINT, a highly evolved version of its predecessor SATAN. Third in the security category is a new package called Tripwall, which is designed to give an alternative to the better known Tripwire package that some feel has become too commercial. Last is a small upgrade to the Linux Intrusion Detection System (LIDS) package. All of these commercial-grade tools in a single day, and all of them free of charge.
The availability of hundreds of security tools better equips every Linux user in the fight to maintain a secure system. By offering many choices for each type of tool, administrators can perform their work efficiently and effectively, without the headache of inadequate software. We all know how much one enjoys a job working with inferior or cumbersome tools!
Winning the Race
The race between system intruders and security personnel is never-ending. Each struggles to find previously undiscovered bugs with the release of each new version of an operating system. Intruders use these newfound bugs to break into a number of systems in the hope that administrators are unaware of the holes. Security personnel attempt to find and patch them before the intruders have a chance to exploit thousands of vulnerable hosts running critical business functions. Because of the importance of maintaining a secure platform, many open source developers have recognized the need for proactive auditing. Rather than wait for computer response teams to report a new bug being exploited, the developers closely scrutinize their own work with security in mind.
Two flavors of Linux stand out in the fight to maintain the most secure platform possible. Both the RedHat and the Independence distributions of Linux have made significant proactive efforts to improve their out-of-the-box security. In singling these two distributions out, I do not imply that other flavors of Linux are in any way negligent, only that these two appear to be setting trends in the Linux community.
Over a year ago, the RedHat team determined that security was an important aspect of the operating system and deserved more attention. With that in mind, they set out to audit significant portions of the source code looking for any part that might be exploited by intruders. In their search for bugs and vulnerabilities, they were able to proactively find and fix several problems that could have posed serious risk to RedHat users. After fixing each bug, they turned to the security community and shared their findings. This gave every developer a chance to see the value of doing source code auditing, and helped point out dozens of other bugs and vulnerabilities in other operating systems.
Another relatively new distribution has taken an interest in improving system security by tightening file and directory permissions. Unix descends from a spirit of sharing resources and information dating back to the 1970s, when security was seen as too much of a hindrance to daily operations. It was a time when one administrator would quietly sneak into a system to fix a bug that was preventing his system from sending mail to a recipient, and just as quietly sneak back out without a word. The loose permissions on files and directories made this possible and encouraged users to fix their own problems. In today's world, that ability to fix your own problems also translates into the ability of an attacker to gain additional access and compromise the integrity of a network.
"Expecting a new user to have to handle the security of a Linux server is preposterous; not only does it take years of experience in the field, but it also takes the time to keep up to date with the latest problems. If users are expected to do this, then Linux's progress will be limited." - Independence Linux
Developers of Independence Linux see that as a point of concern. In response, they have been working on a new permission scheme that does not break any functionality of the system, yet improves the security posture significantly. By making hundreds of small permission changes around the system, the distribution caters to those individuals seeking security and privacy. Like RedHat, the Independence project also maintains a security page outlining the bugs and vulnerabilities they have found.
Another evolving effort dramatically increasing security awareness in the Linux community is the Bastille Linux project. Building on the existing security of the RedHat distribution, the Bastille Linux project aims to create a utility that automates the security hardening process. This is done to help new users of the RedHat system who may not be familiar with all of the security issues at hand. As with all security efforts, the need for functionality must be kept in mind, and this tool aims to do just that.
Setting a Standard
With more and more companies adopting open source platforms for important business applications and mission critical activity, they are setting a standard and acknowledging the inherent benefits. Some companies have embraced the open source movement so thoroughly that they now have personnel who routinely review security discussion forums like Bugtraq, as well as the security pages of the distributions they favor. This adoption signals a turning point in the faith placed in security through obscurity. Many companies are no longer willing to risk their vital business on operating systems with a track record of bugs and slow fixes. The speed and efficiency with which Linux distributions dispatch updated components appeals to organizations that would rather not risk break-ins for months at a time while waiting on a closed source vendor for a fix.