Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi,
in the past i have hear that freebsd is more secure from debian (or other linux but i use debian for example).
Also i have see in the freebsd security page very small number of Vulnerabilities.
But last days i have try to check who of this systems have real more Vulnerabilities.
This is because debian include on Vulnerabilities reports all included programs, but freebsd include only the kernel.
So i have check: http://www.vuxml.org/freebsd/
& http://www.debian.org/security/
and i have see that both have the same number of Vulnerabilities.
So finally freebsd and debian have the same security?
I have do this search because i am interest to learn more any of this 2 OS and i want to know who is the most stable and secure.
Thanks for the answers and sorry for my bad English.
Regards,
Christos
well here's how I'd think this is...and when you read this, keep in mind that I haven't studied the differencies of security between these two.
1) if both of these use a linux kernel, they both share the same vulnerabilities. if they don't use the same kernel, then there is a chance that other one is more secure than the other one...a chance. not a "must". but if they both run, for example, a normal linux kernel 2.6.7 with the same configurations, their kernels' security is the same.
2) the software and the way it's managed is surely different. at least the way the system is built up (hey, this is what makes distributions differ from each other). this means they have different kinds of holes, vulnerabilities, and different kinds of strengths..so this fact makes them differ - I can't say which one is more secure, but their way of building up the whole distro does make a difference.
3) a different kind of kernel configuration can too make a difference in security - for example, some kernel modules might have problems with security (overflow thingies etc.), so different configurations mean different amounts of possible vulnerabilities.
when one thinks like this, it should be clear that they cannot be equally secure, or at least that's very improbable...and there is always the one last thing that affects this security-stuff: users. every user, and superuser too, affects the security with the way they work, how they use services, what they allow and what they don't. so basically, no matter how well you do your security stuff, at some point it's the user who makes a difference between working and non-working security, if they have abilities to do that. so in the long run, it's quite much up to you yourself, which one is more secure - it's not just the kernel or apps that build the security, but the actions and choises that are made.
this might sound philosophical (hopefully not, since I don't know about that stuff) but I'd say there cannot be that big security differences that you couldn't make them up with your own actions...so, according to this, whether or not they are equally secure, you can make them be
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
FreeBSD is BSD, not Linux. They're totally different kernel architectures.
For the most part, Debian and FreeBSD have the same amount of third-party applications available and most of them are in common. This means that in general, the same applications vulnerabilities will affect both.
The differentiator is kernel vulnerabilities, and there (at least in the past year) all the BSDs have a huge advantage over Linux. I can only remember about 2 BSD vulnerabilities that allowed root access, vs. about 7 Linux vulnerabilities in the same time frame that would yield root (note this is purely off the top of my head and not necessarily accurate).
What does this means? Well if you're running a system that you allow other people to log in to in any way (or if you were running any applications that could be exploited to allow a login), FreeBSD would have been much safer over the last year.
In general, the BSDs also have a more secure default configuration. Less services are running and priviledges are slightly more restricted than with most linux distros.
You might also want to take a look at openBSD. They do a fairly rigorous code audit and security review of software before including it in a release.
i dont really agree about "freebsd isreal more secure from linux"
Dont flame me yet.
Ok let me give you one examples,
Lets assume 1 both operatings systems running apache have the same configurations as each other. If a remote expolit was found, which one would u think will be safer? Or rather which administrator is gona ignore the expolit and allow his server to get hacked.
Almost all linux and unix computers alike if there is a hacker that wana expolited he will do so no matter what program or product. Security, is not about which dam software is soo uber that cannot be hacked, we are all humans, that includes programmers thus they WILL make mistakes and bugs will happen.
It is up to the administrator to fix and patch those things. Its always the human element i think.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
To be far, NetBSD does a code audit, too. A lot of the ideas in OpenBSD came from NetBSD first (since that's where Theo forked it from any way). OpenBSD is just a bit more fanatical about it and they have a strong crypto focus, too.
OpenBSD is one of the stingiest OSs in the world for default configurations. By default only SSH is turned on, and the installer prompts you to make sure you really want it on (OS X uses a similar configuration, although disturbingly Bluetooth is on by default and discoverable in OS X).
I had a thread on here about a month ago where I pointed out a couple of security-focused Linux distros, but I don't recall what the original title was. You should be able to find it by using Search, though.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
gensis, you're ignoring the fact that a third-party application hack might only give underprivileged account access. There would have to be a privilege escalation flaw to allow root, otherwise the most the attack could do would be to modify files owned by the user of the process they exploited. That's where the big difference in local vulnerabilities between Linux and BSD really does matter.
While your input is appreciated (and your point about third party applications echos what I already said), please try to understand what you're talking about when you give adivce to others. We can agree that the weakest link in security is always the user (or administrator), but you really need to understand OS security a little more before you just declare everything equally secure. By your reasoning Linux would be just as insecure as Windows because a lot of the same applications run on Windows as Linux (MySQL, Apache, rsync, OpenSSH, etc).
Security, is not about which dam software is soo uber that cannot be hacked, we are all humans
I completely agree. However, the BSDs tend to have a more security-centric mindset and spend alot of time and effort reviewing code to identify those mistakes humans make before-hand. Alot of linux software is really bleeding-edge with less of a focus on security and secure coding practices. As a result you end up with more vulnerabilities. The same is even more true with windows. For years they've focused on use-ability and seamless integration rather than security. As a result, you have software that looks nice, is easy to use, and has lots of holes.
If you compare standard linux distros (redhat, mandrake, suse) to some of the security-oriented distros chort referenced like immunix, bastille-linux, hardened-gentoo, etc, you'll see the hardened versions always coming out on top. So it really has nothing to do with being uber l33t, but rather making security a priority.
I think the point is that if you look at what causes security breaches, you might come up with a split of something like 30% poor security standards, 30% human error, 20% application bugs; 10% OS bugs, 10% other (I just made these figures up as examples so don't have a go at me about them).
Within the proportion that result from OS bugs, an OS with fewer security-related bugs will tend to have fewer breaches. Within the proportion that are poor standards, an OS which comes with security as standard out of the box is likely to have fewer breaches. Within the proportion which are human error, an OS which provides admin tools appropriate to the skill level of most administrators of that OS will have fewer breaches.
The BSDs score higher on OS bugs. OpenBSD certainly scores high on the poor standards front, as it comes hardened out of the box. Not sure about the tools.
So, is FreeBSD really more secure than Linux? Yes, I would say so. Is that the whole story? No, there's more to security than OS bugs; but equally OS bugs are not irrelevant for security.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
