How secure is Linux? Patching, static/dynamic analysis, etc...
1. Firewalls (hardware and software),
2. Disable all unused services,
3. Keep your distro up to date,
4. Use VPNs for over-the-internet connections (eg: your home PC to office LAN),
5. Don't click links in spam emails,
6. Don't run untrusted software,
7. Run AV or anti-malware,
8. Disable port-forwarding on your routers and only use it where absolutely necessary.
But I think it's much more likely that some place that has all my info gets hacked.
ChatGPT says (when fed the entire #1):
Linux is generally considered to be a secure operating system, but like any software, it is not completely immune to vulnerabilities and exploits. The open-source nature of Linux makes it easier for security experts to analyze and identify vulnerabilities, which can lead to quicker patching and updates.
Patching services, kernel developers, and pentesters are all important players in ensuring the security of Linux. These individuals and organizations work to identify and patch vulnerabilities through a variety of means, including static and dynamic analysis tools. However, it is important to note that not all vulnerabilities may be found or fixed immediately, as new vulnerabilities can always emerge.
There are also a number of independent organizations that focus on identifying and patching vulnerabilities in Linux, such as the Linux Security Module project and the Open Source Security Foundation. These organizations work to improve the security of Linux and its related software components through a variety of means, including code audits, vulnerability assessments, and patch development.
In general, it is important for users of Linux to stay up-to-date with security patches and updates as they are released. Additionally, users should consider implementing additional security measures, such as firewalls and intrusion detection systems, to help protect against potential attacks.
Why is it that Linux-based OSes have a higher number of vulnerabilities compared to Windows on that list?
Is this due to Linux being open source?
Microsoft is financially motivated to hide their problems.
Linux devs report problems and fix them in real time. Microsoft has been known to threaten users who report or publish vulnerabilities with legal action, in some cases even if they had offered to PAY them if they found and reported any.
On the Linux website https://www.kernel.org, I noticed there is a link called "patch", what is this/what does this contain?
That allows you to patch your kernel source tree up to the current level, without having to re-download the whole thing.
It goes back to a time when Linux developers all had dial-up internet and didn't want to waste bandwidth unnecessarily re-downloading code they already had.
You don't need it unless you want to compile the latest patch level of the kernel.
The documentation explains it:
"A patch is a small text document containing a delta of changes between two different versions of a source tree. Patches are created with the diff program."
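The diff/patch workflow described above, as an added example that is not part of the thread or of kernel.org's own tooling. It builds two versions of a tiny, constructed source tree, produces the delta with `diff -ruN`, applies it to a copy of the old tree with `patch -p1` (the same `-p1` convention kernel patches use, since their paths start with a tree-name component), and then checks the practitioner's question: does the patched tree really match the new version? It assumes diffutils is installed; if `patch(1)` is missing it says so and stops rather than failing.

```shell
#!/bin/sh
# Added example (not from the forum thread): create a patch between two
# versions of a source tree, apply it, and verify the result.
# Directory names and file contents are constructed for the demo.
set -eu

make_tree() {
    # $1 = directory, $2 = version number written into a source file
    mkdir -p "$1/lib"
    printf 'int version(void) { return %s; }\n' "$2" > "$1/lib/version.c"
    printf 'all:\n\tcc -c lib/version.c\n' > "$1/Makefile"
}

demo_patch() {
    work=$(mktemp -d)
    make_tree "$work/src-1" 1
    make_tree "$work/src-2" 2
    # a file that exists only in the new version, so the patch also creates a file
    printf 'Version 2 notes\n' > "$work/src-2/CHANGES"

    # Produce the delta: recursive, unified format, treat absent files as empty.
    # diff exits 1 when the trees differ, which is the expected outcome here.
    ( cd "$work" && diff -ruN src-1 src-2 > v1-to-v2.patch ) || [ $? -eq 1 ]

    # Apply to a copy of the old tree; -p1 strips the leading "src-1/" component.
    cp -r "$work/src-1" "$work/upgraded"
    if ! command -v patch >/dev/null 2>&1; then
        echo "patch(1) is not installed; skipping the apply step"
        rm -rf "$work"
        return 0
    fi
    ( cd "$work/upgraded" && patch -p1 < "$work/v1-to-v2.patch" >/dev/null )

    # Verify: the patched tree must be byte-for-byte identical to src-2.
    if diff -r "$work/upgraded" "$work/src-2" >/dev/null; then
        echo "patched tree matches src-2"
        rm -rf "$work"
        return 0
    fi
    echo "MISMATCH: patched tree differs from src-2" >&2
    rm -rf "$work"
    return 1
}

demo_patch
```

The final `diff -r` is the check worth keeping in any patch-based update procedure: a patch that applies with fuzz or leaves `.rej` files can still exit cleanly for individual hunks, so comparing the result against a known-good tree (or a published checksum of it) is what tells you the upgrade actually landed.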
I'd say that, "if Linux is higher 'on that list,'" it's simply an inconsequential consequence of "that list." (And, "open source" is actually an advantage in terms of discovering and solving vulnerabilities, because "anyone can do it.")
Nonetheless – the problem that is faced by every platform vendor is the same, and the strategies are the same. Whenever a vulnerability is discovered, it is fully and immediately disclosed. Whether or not "the source code that must be patched" is proprietary, the nature of the vulnerability and the mechanisms of its operation are not. There is no "security by obscurity."
I assure you that no one is "financially motivated to hide their problems!" (Their "financial motivations" are, in fact, exactly the opposite.)
"Proprietary" software vendors routinely provide "privileged access to their source code" to these various security-monitoring groups, and they accept "pull requests" from them.
"Security is a process." Black-hat "smart guys" are always out there, trying to break in, and White-hat "smart guys" are always out there fighting them.
- - -
Every(!) time a security-related software update is published, both for your computers and your phones, you should immediately (and automatically) apply it. (Likewise do so for other things, such as the software which runs your home router. If your device has an "automatic update" option, you should enable it.) Legitimate automatic updates will always be cryptographically signed, and that signature will always be checked. "Time is of the essence."
Last edited by sundialsvcs; 03-08-2023 at 09:30 AM.
Why is it that Linux-based OSes have a higher number of vulnerabilities compared to Windows on that list?
I once looked into that in great detail by examining¹ some months worth of CVEs and my conclusion was that it is because of the way bugs are counted and the difference in scope:
First, Linux bugs are counted multiple times, once for each version of each distro whereas for m$ it is just once per each version of Windows if even that. Also, m$ vulnerability reports tend to aggregate as many problems as they can get away with into a single report whereas the Linux reports are much more granular by covering only a single problem at a time for the most part.
Second, all the possible packages one might conceivably install on said distros are counted whereas the scope of the Windows bug reports are generally limited to the base system.
If you're looking for a master's thesis project, you can download the CVEs and normalize them so that it would be possible for them to be compared. Then we might get a real answer. But for now, due to the differences in counting and scope, you are comparing apples and oranges.
¹ I had planned to go through them all, or at least many years' worth, but the reports are just so different in nature that normalizing any of them at all was too much effort for the return. Those that know, know, on both sides. For what it's worth, the obfuscation from M$ started just over 20 years ago and people quickly got tired of calling them out on it.
tldr; m$ security remains a dumpster fire but between systemd, uefi, restricted boot, and adoption of the M$ way of thinking, the gap is closing slightly.
"Software vulnerabilities" can be very loosely categorized into two general classes:
Those that are linked to the operating system (e.g. "zero-day vulnerabilities").
Those that are linked to common software.
Of the two, the second category is far more interesting. Every operating system probably uses the same (open source ...) software to implement its handling of – say – "JPEG images." Therefore, if a vulnerability could be discovered and exploited in that code, "it would affect everyone in the world at once."
But, I think, many of these attacks are assuming that the innocent victim doesn't know about the "Principle of Least Privilege." The innocent is probably "an Administrator" of his computer and maybe doesn't even know it. And, even if he isn't, he's likely to reflexively respond with "the right answer" when presented with a simple dialog-box asking for the magic words.
How do I protect myself from black hats who have access to undisclosed vulnerabilities and thus the associated exploits, and use them?
There you have to hope that your layered approach to security has enough layers to buy you enough time to get patches or mitigations in place. Usually no one thing alone will work because bugs can be found just about anywhere in the system. For the most part, the difference between a bug and an exploit is the intelligence of the attacker, so one arranges the system with otherwise redundant layers protecting each other. The concept is called layered security, layered defense, or just defense in depth.
A long time ago, CVE and CVE-like warnings used to come with information about how to detect an attempt to exploit them so one could mitigate the weaknesses, whatever they happened to be. However, one major vendor, who doesn't even have to be named again for you to know which one, always ran into trouble with that because it reminded people about 1) how slow they were to produce patches, 2) how many tries it took them (with additional delays) to produce a working patch, and 3) how many more tries it took them to produce a working patch that did not break more than it fixed.
Last edited by Turbocapitalist; 03-09-2023 at 11:12 PM.
How do I protect myself from black hats who have access to undisclosed vulnerabilities and thus the associated exploits, and use them?
Aren't people worried about this?
That is a bit similar to cars: how can you protect your car? No way, if they're going to steal, that's probably what they're going to do. But you can make it difficult for them, and they'll probably look for an easier target.