Is Linux Secure?

Is Linux really more secure? This paper explores the vulnerabilities and capabilities of the Linux platform as well as what can you do to safeguard your Linux system against threats.

Linux has multiple advantages in the area of security, however, here are vulnerabilities and weaknesses that could leave your system open to security threats. How to defend your Linux system against emerging cyber threats?

Linux Kernal
To understand Linux security one must understand the existing and emerging attacks are against the Linux kernel. The Linux Kernel controls all operations on a linux platform including access control, process management, memory management, hardware device drivers, filesystem drivers, network management and other operations. While Linux is considered more secure than Windows, the increasing use of Linux is making it a bigger target for cyber threats. Not all distributions use the same version of the kernel, as a result, differences in distribution vulnerabilities exist. The kernel is a popular foxus of Linux attacks as it is common to all releases of the operating system.

Examples of Linux Vulnerabilities
Some of the earlier vulnerabilities in Linux include:
■ Heartbleed (CVE-2014-0160): Allowed the extraction of keys or other information due to failure to check OpenSSL return payloads
■ Spectre and Meltdown (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754): Enable reading of memory running on the local device
■ SACK Panic and Slowness (CVE-2019-11477, CVE-2019-11478): Exploits the kernel’s TCP, which can result in denial of service

While some vulnerabilities can be repaired without patching. For example, Heartbleed is fixable before patching by recompiling OpenSSL with a specific parameter. Others like Spectre and Meltdown require patching. All software, including operating systems, contain vulnerabilities. The complexity of the code resists complete elimination of execution risk, regardless of the OS.

Misconfigurations of Linux Increases Cyber Threats
When configured correctly, Linux can be very secure (but not risk-free!). These are the general steps to follow to ensure a secure configuration of any server.

Shutting down all unused ports and services
■ Encrypting data
■ Managing penetration test results
■ Reviewing and testing code
■ Segmenting the network
■ Securing communication
■ Removing or locking default passwords
■ Limiting servers to a single function
■ Removing all unnecessary software and utilities
■ Managing and auditing privilege account access

How to Secure your Linux System
Pluggable Authentication Modules (PAM) comes with most Linux distributions. PAM provides centralized authentication management for applications and services that are PAM-aware. Any additions or changes to account login policies are made to the configuration file with the same name in /etc/pam.d.

PAM’s collection of configuration files stored in /etc/pam.d are used to implement biometrics and other authentication methods and conditions for any PAM-aware application or service. Authentication granularity is enabled with additional configuration files located in /etc/security.

What About SELinux?
SELinux is a Linux security enhancement that enables mandatory access control (MAC). MAC enforcement with SELinux controls access by explicitly defining the resources to which a process has access. This is managed by applying business policies to processes that restrict access by managing capabilities like read and write. This approach helps prevent compromised kernel processes from maliciously accessing sensitive information. According to the openSUSE Security and Hardening Guide, implementing SELinux requires labeling objects and processes. These labels establish privilege boundaries. Implementation includes:

■ Linux kernel security framework
■ SELinux libraries and binaries
■ SELinux policy
The SELinux policy drives protection. However, organizations do not have to start from a blank policy. The SELinux Reference Policy Project provides a complete policy as a foundation.

How to Manage Segmentation
Linux is not only on servers but Embedded Linux is also spread across Internet of Things (IoT) and industrial IoT (IIoT). As a result, implementing server hardening, PAM, and SELinux on these devices is not usually possible. As a result, IoT and IIoT must be segmented from the rest of the production network. Instead, IoT and IIoT should not be directly accessible by the internet or on-premises networks. In addition, IoT and IIoT segments should not have unfiltered access to cloud and on-premises data and processes.

In Conclusion
Access control risk of Linux
■ Coding errors
■ Lack of device hardening
■ Failure to configure available authentication and access control capabilities
■ Failure to segment embedded Linux devices

It is a common misconception that Linux systems do not require anti-malware and other safeguards surrounding Windows servers. This is not true. As the number of Linux servers (both virtual and physical) increases, they become increasingly vulnerable to cyber threats and cybercriminals will spend more time identifying ways to compromise Linux resources.

Lastly, it is equally important to invest in training to ensure Engineers are ready to meet the challenges of Linux systems, both for today and the future.

For more information, please write to info@etere.com.