Needle in the haystack
 

Would it make sense to use a small Linux distro to increase security, not by just decreasing the attack vecktors of uneeded software, but also by minimalizing the amount logs in the system. As I read before on a website that when looking for suspicious logs it like like looking for a needle in a haystack, so instead it better to only check the "hot areas". But by only only checking hot areas could you not be missing something somewhere's else in less oversighted logs? And as I also read on this forum where someone sugguested that once an attacker gets passed your IDS, it's too late. So because of this I was wondering that if I used a small distro would it still be too late, as I can more easily (I presume) to search for malitious activity in the system..

Never saw a system with too many logs. Security-wise there are logs you want to look at, and there is no "needle in haystack" situation.

If theres not a needle in the haystack situation then why have I heard/read from various sources on the inter-webs, that once an intruder infects your machine. Then from that point to be 100% sure, it's best to just not use that machine... I know you can clean out a machine with antivirus, but antivirus cant un-infect an already infected machine.

You do not "clean out the machine", in case your box is compromised you disconnect it from internet and do a fresh install. Before you do that, you investigate how they got in - and yes, you look at multiple logs while investigating. Still no "needle in haystack" situation.

I recommend making a distro as lean as possible if you want security. Still today many of the attacks happen not so much on the kernel level but from programs and services running that are not secure.

As always learn and use as many best practices as you can. Small doesn't mean secure. Secure is a wide array of steps. Many boil down to reduce exposure. Reduce the ability of the unknown to access your system.

Thanks and im aware of this but I also think it's the implementation of default permissions and setups in many distros. Like iptables not on by default, sudo starting off too open, unessesary read/write access on some files. Im still learning the basics tho so I wont be using anything like LFS or Gentoo for awhile.

also keep in mind
Just WHO are you securing it from!!!
script kiddies ?
Hacker group ?
random drive by install ?
or
the NSA/CIA/....

Understood but what if they infect the MBR with a root kit? Anyways like you said you look at multiple logs, and no i'm no expert so I could be totally wrong (which is why im asking) but if you had fewer subsystems and what not using a minimal distrobution would you not have fewer logs since those programs/subsystems are not present. I understand what you said about no such things about not having too few logs. But wouldnt that be irrelivent in this case since those logs are just not needed due to the absence of the parts of the system that they would normaly log?

Mainly crackers and script kiddies

I think it's extremely hard to secure a system these days. There's just too many vectors (web drive-by, hardware firmwares, 0days,bugs, dirty packets). All we can do, I guess, is to employ best practices and hope for the best.

Whatever that means. fewe{r,st} installed packages = fewer 'attack vectors' = fewer logs? I suppose there's an argument in there somewhere.

so...Without quoting 'what' you 'read' on "a website", we can only guess.
And I hate guessing. Linux doesn't guess.

Link please. Many eyes makes all bugs shallow.

Reference:
http://web.mit.edu/tweilu/www/eff-ss...reatmodel.html

Most nasties nowadays infect the Browser and that is going to happen whatever the OS behind it.
An unprotected Linux system is more dangerous than a protected Windows system and most people do not run any protection at all under Linux.

It doesn't matter who you are, you will be open to disease if you perform unprotected sex.

So how do you protect the average Linux desktop other than by not running a browser?

Depends how paranoid you want to get. I know some people that install a separate VM on their system just for web surfing, i.e. they never use a browser except in an isolated VM.

See https://www.av-comparatives.org/wp-c...ux_2015_en.pdf