Quote:
Originally Posted by rollo
My assumption is I am living safely.
|
Your assumption is generally correct. Linux, Unix, and the *BSDs are safer than any edition of Windows. There aren't very many other options for desktop computer operating systems so you are doing as well as you can do by running Linux. Remember that nothing is perfect. SELinux was created because someone (meaning the NSA) perceived that there was a need to enhance the security on Linux.
Quote:
Originally Posted by rollo
So I guess this is my three-part question:[*]Is my assumption correct?
|
Briefly, no.
Quote:
Originally Posted by rollo
[*]If not, which security hole should I address first (I'm guessing the browser)
|
The browser is a good choice for your first priority. You can disable Java, Java Script, loading images from servers other than the one that you connected to, stop html address referring, clear private data when the browser exits, stop Flash and other plugins, and other stuff. You will probably find that the cure is worse than the disease. I take another approach. I have one account for general Internet usage that doesn't have any personal information, then I have another account with email, my checkbook, my personal photos, and other personal information. The general Internet usage account cannot see into the home directory of the personal information account.
Other things that you can do include:
- keep your patches up to date. You should check for updates at least once a week for the software that you have installed.
- keep your user account home directories (in the /home directory) on their own partition and mount the /home partition with the noexec parameter
- create two container files with a file system in each. Mount one through a loop device onto the /tmp directory with the noexec parameter. Mount the other one on the /var/tmp directory with the noexec parameter. Your fstab would look something like this:
Code:
/var/sys.common/tmp.loop /tmp ext3 loop,auto,noexec 0 0
/var/sys.common/var-tmp.loop /var/tmp ext3 loop,auto,noexec 0 0
You can see that I have two files in /var/sys.common, which is a partition in its own right. The file tmp.loop is 200 MB and contains a file system. It is mounted through a loop device at boot time on the /tmp directory with the noexec parameter. The other file is named var-tmp.loop. It also contains a file system and is mounted through a loop device at boot time on the /var/tmp directory with the noexec parameter. Note that there is a small set of applications, like Wine, that require the ability to run a program from the /tmp directory. This is not possible with this setup.
Quote:
Originally Posted by rollo
[*]If my assumption is (in general) correct, is that more due to fundamental security strengths of Linux, or simply to the small numbers of people using the OS?
|
Linux enjoys a smaller universe of malware but remember, the expression "rootkit" was invented on Unix. As I said above, Linux and friends are a better choice than Windows due to the design of Linux et. al. and to much higher quality of workmanship in creating the components and applications.
Visit the Security Focus web site. They have a section for Linux and another one for Unix.
www.securityfocus.com
You'll see that most of the reported exploits either apply to web server software or database server software or require the attacker to log in to the machine before he can do any harm. If you don't run a web server or database server and if you have strong passwords then you are in good shape.