Signed-off-by: Daniel Gray <dng@disroot.org>
16 KiB
title | icon |
---|---|
Linux Overview | fontawesome/brands/linux |
It is often believed that open source software is inherently secure because the source code is available. There is an expectation that community verification occurs regularly; however, this isn’t always the case. It does depend on a number of factors, such as project activity, developer experience, level of rigour applied to code reviews, and how often attention is given to specific parts of the codebase that may go untouched for years.
At the moment, desktop GNU/Linux does have some areas that could be better improved when compared to their proprietary counterparts, e.g:
- A verified boot chain, unlike Apple’s Secure Boot (with Secure Enclave), Android’s Verified Boot or Microsoft Windows’s boot process with TPM. These features and hardware technologies can all help prevent persistent tampering by malware or evil maid attacks
- Strong sandboxing solution such as that found in macOS, ChromeOS, and Android. Commonly used Linux sandboxing solutions such as Flatpak and Firejail still have a long way to go
- Strong exploit mitigations
Despite these drawbacks, desktop GNU/Linux distributions are great if you want to:
- Avoid telemetry that often comes with proprietary operating systems
- Maintain software freedom
- Have purpose built systems such as Whonix or Tails
Our website generally uses the term “Linux” to describe desktop GNU/Linux distributions. Other operating systems which also use the Linux kernel such as ChromeOS, Android, and Qubes OS are not discussed here.
Our Linux Recommendations :material-arrow-right:{ .md-button }
Choosing your distribution
Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing which distribution to use.
Release cycle
We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such example) rather than bump the software to the “next version” released by the upstream developer. Some security fixes do not receive a CVE (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.
We don’t believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer might have intended the software to work. Richard Brown has a presentation about this:
Traditional vs Atomic updates
Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating.
Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic.
A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state”.
The Atomic update method is used for immutable distributions like Silverblue, Tumbleweed, and NixOS and can achieve reliability with this model. Adam Šamalík provided a presentation on how rpm-ostree
works with Silverblue:
“Security-focused” distributions
There is often some confusion about “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch, and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use.
Arch-based distributions
Arch based distributions are not recommended for those new to Linux, regardless of the distribution. Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.
For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a mandatory access control system, setting up kernel module blacklists, hardening boot parameters, manipulating sysctl parameters, and knowing what components they need such as Polkit.
Anyone using the Arch User Repository (AUR), must be comfortable in auditing PKGBUILDs that they install from that service. AUR packages are community-produced content and are not vetted in any way, and therefore are vulnerable to software supply chain attacks, which has in fact happened in the past. AUR should always be used sparingly and often there is a lot of bad advice on various pages which direct people to blindly use AUR helpers without sufficient warning. Similar warnings apply to using third party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend Arch Linux proper, not any of its derivatives. We recommend against these two Arch derivatives specifically:
- Manjaro: This distribution holds packages back for 2 weeks to make sure that their own changes don’t break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest libraries from Arch’s repositories.
- Garuda: They use Chaotic-AUR which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.
Linux-libre kernel and “Libre” distributions
We strongly recommend against using the Linux-libre kernel, since it removes security mitigations and suppresses kernel warnings about vulnerable microcode for ideological reasons.
General Recommendations
Drive Encryption
Most Linux distributions have an option within its installer for enabling LUKS FDE. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after disk partitioning, but before file systems are formatted. We also suggest securely erasing your storage device:
Swap
Consider using ZRAM or encrypted swap instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to swap space. Fedora based distributions use ZRAM by default.
Wayland
We recommend using a desktop environment that supports the Wayland display protocol as it developed with security in mind. Its predecessor, X11, does not support GUI isolation, allowing all windows to record screen, log and inject inputs in other windows, making any attempt at sandboxing futile. While there are options to do nested X11 such as Xpra or Xephyr, they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland.
Fortunately, common environments such as GNOME, KDE, and the window manager Sway have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default and some others may do so in the future as X11 is in hard maintenance mode. If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager (GDM, SDDM).
We recommend against using desktop environments or window managers that do not have Wayland support such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
Proprietary Firmware (Microcode Updates)
Linux distributions such as those which are Linux-libre or DIY (Arch Linux) don’t come with the proprietary microcode updates. Some notable examples of these vulnerabilities include Spectre, Meltdown, SSB, Foreshadow, MDS, SWAPGS, and other hardware vulnerabilities.
We highly recommend that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default.
Privacy Tweaks
MAC Address Randomization
Many desktop Linux distributions (Fedora, openSUSE etc) will come with NetworkManager, to configure Ethernet and Wi-Fi settings.
It is possible to randomize the MAC address when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you’re connected to. It does not make you anonymous.
We recommend changing the setting to random instead of stable, as suggested in the article.
If you are using systemd-networkd, you will need to set MACAddressPolicy=random
which will enable RFC 7844 (Anonymity Profiles for DHCP Clients).
There isn’t much point in randomizing the MAC address for Ethernet connections as a system administrator can find you by looking at the port you are using on the network switch. Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi’s firmware.
Other Identifiers
There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your threat model:
- Hostnames: Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings.
- Usernames: Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
- Machine ID:: During installation a unique machine ID is generated and stored on your device. Consider setting it to a generic ID.
System Counting
The Fedora Project counts how many unique systems access its mirrors by using a countme
variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary.
This option is currently off by default. We recommend adding countme=false
to /etc/dnf/dnf.conf
just in case it is enabled in the future. On systems that use rpm-ostree
such as Silverblue, the countme option is disabled by masking the rpm-ostree-countme timer.
openSUSE also uses a unique ID to count systems, which can be disabled by deleting the /var/lib/zypp/AnonymousUniqueId
file.
--8<-- "includes/abbreviations.en.md"