How secure is Linux? Patching, static/dynamic analysis, etc...
Are patching services, or kernel developers, or pentesters reliably patching all bugs and vulnerabilities found with the current set of static and dynamic analysis tools that exist today? If they are not, then who is?
It seems like there should be someone or some entity that is capable of doing this.
Also, I know that not all bugs can be guaranteed to be found. I just thought using the tools available today that there would be someone or some website devoted to patching the kernel in this manner.
Does this all make sense or am I not looking at this problem correctly?
Quote:
Does this all make sense or am I not looking at this problem correctly?
There are thousands (if not millions) of developers actively involved in Linux security on a daily basis.
Consider this: The same Operating System kernel powers >70% of the world's smart phones (Android uses the Linux kernel), and all of the top 500 super computers.
There are, in fact, several "white hat" international security monitoring services, such as CERT, who make it their daily business to gather and immediately publicly disclose(!) known security vulnerabilities and to coordinate the process of developing responses to them.
The principle is that there can never be "security by obscurity." Quite the opposite.
Every major operating system, for every platform "from mainframe to mobile," is constantly involved in this process. You should always immediately install every "security update" just as soon as it is published, or simply arrange for your computer(s), and phone(s), to do so automatically. "Time is of the essence."
But also remember: "Security is a process." The fundamental nature of computers, borne by their sheer complexity, is that "there will always be another hole," and always another person looking for it – regardless of the color of his "hat." And also: "The greatest security vulnerability is always located between two ears."
Last edited by sundialsvcs; 03-07-2023 at 09:33 AM.
Quote:
It seems like there should be someone or some entity that is capable of doing this.
The developer who wrote a piece of code can fix the bugs in his code in a fraction of the time and effort than some other competent developer who has never seen the code in question before.
obviously there are errors, problems, security holes, lazy developers. So there will be always something to patch.
We always find and fix bugs and in the meantime we create new ones (and they are always different and probably harder to find).
Who is winning, black hat or white hat -- in terms of finding vulnerabilities and exploiting?
If security is a process, is there no quick fix to prevent my system from getting hacked?
Must I hire a security consultant or is this something I can do on my own?
How is it that important organizations are preventing exploitation? Are they relying on this idea that security is a process and simply updating their OS when there is a new security update?
How does one bridge the gap between time of discovery of a vulnerability and patching it?
Quote:
Who is winning, black hat or white hat -- in terms of finding vulnerabilities and exploiting?
If security is a process, is there no quick fix to prevent my system from getting hacked?
Must I hire a security consultant or is this something I can do on my own?
How is it that important organizations are preventing exploitation? Are they relying on this idea that security is a process and simply updating their OS when there is a new security update?
How does one bridge the gap between time of discovery of a vulnerability and patching it?
It is smart to secure your network as well as you can and still be fully functional. It is smart to secure your NODES on that network, because nothing (including security plans) can ever be perfect. It is smart to set up intrusion and malware detection in case someone bypasses all of your security, because that can happen. After all that, it is not that it is perfect and you are bulletproof, it is that now literally EVERYONE else looks like an easier target!
No operating system is perfectly secure that is still fully useful for most purposes. Linux is easier to secure than most, but it is an ongoing effort. As long as you have data worth protecting, you revisit threats, patches, network and host security, and evaluate vulnerabilities and risk regularly no matter WHAT OS you run.
Quote:
If security is a process, is there no quick fix to prevent my system from getting hacked?
It depends upon what your system is, what it does and what you want from it. Is it a web server? Is it an email server? Is it a desktop system? Do you want it to be accessible from the open internet? How do you intend to use the machine it will be installed on?
Without knowing more of these kinds of details, it is difficult to give you specific advice about locking it down.
Quote:
Originally Posted by watchintv
How does one bridge the gap between time of discovery of a vulnerability and patching it?
Keep your system updated. Most vulnerabilities in Linux and software that runs on it are patched quickly. Many of the things being patched these days would only make your system vulnerable within a narrow set of circumstances.
Thank you for the information. I suppose that if I wanted to check for vulnerabilities myself, I could do the following:
Break down my software:
Linux kernel (specific version)
Other OS software
Check the CVE database for this software. Is the website https://www.cvedetails.com/ reliable for this process? In particular, I noticed it lists "# of exploits" for each piece of software.
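The inventory-then-CVE-lookup approach described in the post above, carried through as an added example that is not code from the thread or from LinuxQuestions.org. It matches an installed-software inventory against CVE records by affected-version range; the inventory, the product names and the `CVE-0000-000x` identifiers are constructed placeholders, not real advisories, and a real run would feed it records from a CVE/NVD export and versions from the package manager.

```python
"""Match an installed-software inventory against CVE records by version range.

Added example for the "break down my software, then check the CVE database"
approach; constructed sample data only, not real advisories.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(text):
    """Turn '5.15.0' or '1.9.12' into a tuple of ints so versions compare in order."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Cve:
    cve_id: str
    product: str
    introduced: str            # first affected version (inclusive)
    fixed: Optional[str]       # first patched version (exclusive); None if no fix yet

    def affects(self, version):
        """True when `version` lies in [introduced, fixed)."""
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


# Constructed sample inventory: product -> installed version
INVENTORY = {"kernel": "5.15.0", "openssh": "9.0", "sudo": "1.9.12"}

# Constructed sample CVE records (placeholder IDs, not real CVEs)
CVES = [
    Cve("CVE-0000-0001", "kernel", introduced="5.10", fixed="5.15.3"),
    Cve("CVE-0000-0002", "openssh", introduced="8.0", fixed="8.9"),
    Cve("CVE-0000-0003", "sudo", introduced="1.9.0", fixed=None),
]


def exposed(inventory, cves):
    """Return {product: [cve_id, ...]} for every record matching an installed version."""
    hits = {}
    for cve in cves:
        installed = inventory.get(cve.product)
        if installed is not None and cve.affects(installed):
            hits.setdefault(cve.product, []).append(cve.cve_id)
    return hits


if __name__ == "__main__":
    for product, ids in exposed(INVENTORY, CVES).items():
        print(f"{product} {INVENTORY[product]}: {', '.join(ids)}")
```

One caveat for a real run: distribution packages often carry backported fixes without a version bump, so a match on upstream version numbers alone can report a CVE the distribution has already patched, which is one reason the distribution's own update and advisory mechanism is the more reliable source.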
Why not rely on your distribution's update mechanism? They all have one, and that should be sufficient.
There are websites like this one, which will show you how your machine looks from the outside: https://www.grc.com/shieldsup
Well, my concern is that the time between a vulnerability being found and a patch to exist seems risky.
Also, relying on white hat developers to find vulnerabilities vs a black hat entity who doesn't share with the community their vulnerabilities seems risky.
I guess all I can do is either stay updated with the Distro releases and updates and/or check the software for vulnerabilities myself.
Lightning strikes, disc failures, fire, flooding, virus, malware... isn't the threat list endless?
And haven't the threats been around since... forever?
My take - or advice?
Bring it on, I say!
The important stuff, data, is at hand in multiple copies and can fully restore from bare metal in 10 minutes...
A trusted browser filters nasty stuff on the web, my mail-provider filters nasty mails, on Windows antivirus is running in the background... do you know of Lynis? or similar services?