title | icon |
---|---|
Linux Overview | simple/linux |
It is a popular belief that open-source programs are secure because their source code is available. There is always an expectation that community verification happens regularly; however, this is not always the case. It depends on several factors, such as project activity, developer experience, the level of rigor applied to code reviews, and how often attention is given to specific parts of the code base, which may go untouched for years.
At the moment, desktop Linux has some areas that could be improved when compared to its proprietary counterparts, for example:
- A verified boot chain, like Apple's Secure Boot (with the Secure Enclave), Android's Verified Boot, ChromeOS Verified Boot, or Microsoft Windows's boot process with a TPM. These features and hardware technologies can help prevent persistent tampering by malware or evil maid attacks.
- A strong sandboxing solution such as that found in macOS, ChromeOS, and Android. Commonly used Linux sandboxing solutions such as Flatpak and Firejail still have a long way to go.
- Strong exploit mitigations.
Despite these drawbacks, desktop Linux distributions are great if you want to:
- Avoid the telemetry that often comes with proprietary operating systems.
- Maintain software freedom.
- Use privacy-focused systems such as Whonix or Tails.
This page generally uses the term "Linux" to describe desktop Linux distributions. Other operating systems which also use the Linux kernel, such as ChromeOS, Android, and Qubes OS, are not discussed here.
Our Linux recommendations: :material-arrow-right-drop-circle:{.md-button}
Choosing your distribution
Not all Linux distributions are created equal. While our Linux recommendation page is not meant to be an authoritative source on which distribution you should use, there are a few things you should keep in mind when choosing one.
Release cycle
We highly recommend that you choose distributions which stay close to the stable upstream software releases, often referred to as rolling release distributions. This is because frozen release cycle distributions often do not update package versions and fall behind on security updates.
For frozen distributions such as Debian, package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the "next version" released by the upstream developer. Some security fixes never receive a CVE at all (particularly for less popular software) and therefore do not make it into the distribution under this patching model. As a result, minor security fixes are sometimes held back until the next major release.
We do not believe holding packages back and applying interim patches is a good idea, as it diverges from the way the developer intended and tested the software to work. Richard Brown has a presentation about this:
Traditional vs. Atomic updates
Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating.
Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic.
A transactional update system creates a snapshot before and after an update is applied. If an update fails at any point (perhaps due to a power failure), the update can easily be rolled back to the "last known good state".
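The primitive behind "in full or not at all" is worth seeing once in miniature. The following is an added example, not code from this page nor from rpm-ostree or transactional-update: a new deployment tree is staged and verified beside the running one, and a single rename(2) flips the `current` pointer, so a reader sees either the old tree or the new one and never a half-applied mix. A verification failure leaves the old deployment untouched. It assumes GNU coreutils (`mv -T`, `sha256sum`) on Linux; the directory layout and manifest name are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page or from rpm-ostree/transactional-update): the
# primitive behind "all or nothing" updates. A new deployment is staged and verified
# beside the running one, and a single rename(2) flips the 'current' pointer, so a
# reader sees either the old tree or the new one, never a half-applied mix.
# Assumes GNU coreutils (mv -T, sha256sum) on Linux.
set -eu

# Stage deployment $2 under $1 with one payload file and a checksum manifest.
# Passing a wrong expected checksum ($4) stands in for a corrupted download.
stage_deployment() {
    root=$1; name=$2; payload=$3; expected=$4
    mkdir -p "$root/$name"
    printf '%s' "$payload" > "$root/$name/payload"
    printf '%s  payload\n' "$expected" > "$root/$name/MANIFEST.sha256"
}

# Verify the staged tree, then switch $1/current to it atomically. On failure the
# staged tree is discarded and 'current' (the last known good state) is untouched.
atomic_switch() {
    root=$1; name=$2
    if ! (cd "$root/$name" && sha256sum -c --status MANIFEST.sha256); then
        echo "verification of $name failed; staying on $(readlink "$root/current")" >&2
        rm -rf "$root/$name"
        return 1
    fi
    ln -s "$name" "$root/current.tmp"
    # rename(2) over the existing symlink is atomic; -T stops mv from descending
    # into the directory the old symlink points at.
    mv -T "$root/current.tmp" "$root/current"
}

# Name of the deployment currently in use.
current_deployment() {
    readlink "$1/current"
}

# Roll back to a previous deployment that is still on disk: the same atomic flip.
rollback_to() {
    root=$1; name=$2
    [ -d "$root/$name" ] || return 1
    ln -s "$name" "$root/current.tmp"
    mv -T "$root/current.tmp" "$root/current"
}
```

Real systems add a bootloader entry per deployment and keep the previous tree around, which is what makes the "last known good state" reachable from the boot menu; the flip itself is the same idea.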
The atomic update method is used by immutable and transactional distributions like Silverblue, NixOS, and openSUSE Tumbleweed's transactional-update variant, which gain reliability from this model. Adam Šamalik has a presentation on how rpm-ostree works with Silverblue:
"Security-focused" distributions
There is often some confusion between "security-focused" distributions and "pentesting" distributions. A quick search for "the most secure Linux distribution" will often give results like Kali Linux, Black Arch, and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They do not include any "extra security" or defensive mitigations intended for regular use.
Arch-based distributions
Arch based distributions are not recommended for those new to Linux (regardless of distribution) as they require regular system maintenance. Arch does not have a distribution update mechanism for the underlying software choices. As a result you have to stay aware of current trends and adopt technologies on your own as they supersede older practices.
For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for your system, such as adopting a mandatory access control system, setting up kernel module blacklists, hardening boot parameters, manipulating sysctl parameters, and knowing what components you need, such as Polkit.
Anyone using the Arch User Repository (AUR) must be comfortable auditing the PKGBUILDs they install from that service. AUR packages are community-produced content and are not vetted in any way, and are therefore vulnerable to software supply chain attacks, which has in fact happened in the past. The AUR should always be used sparingly, and there is a lot of bad advice on various pages directing people to blindly use AUR helpers without sufficient warning. Similar warnings apply to using third-party Personal Package Archives (PPAs) on Debian based distributions or Community Projects (COPR) on Fedora.
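Auditing a PKGBUILD starts with a handful of patterns that should stop you and make you read the whole file. The script below is an added example, not code from this page or from any Arch or AUR tooling: it flags sources fetched over plain http, checksums set to `SKIP`, a missing checksum array, and pipe-to-shell inside the build steps, and runs against a constructed PKGBUILD (the package name, URLs and checksums are invented). A clean result means only that the obvious red flags are absent, not that the package is safe.

```shell
#!/bin/sh
# Added example (not from the page or from Arch/AUR tooling): a first-pass audit of a
# PKGBUILD before you build it. It only flags the patterns that should make you read
# the file line by line; a clean result is not proof that the package is safe.
set -u

# Print one WARN line per finding. Checks:
#  - a source fetched over plain http (swappable in transit)
#  - a checksum of SKIP (nothing pins the download; normal only for VCS sources)
#  - no checksum array at all
#  - pipe-to-shell inside the script (code you never get to read in the PKGBUILD)
audit_pkgbuild() {
    file=$1
    # 'https://' does not contain the substring 'http://', so this only hits plaintext URLs
    grep -n 'http://' "$file" | sed 's/^/WARN plain-http source at line /'
    grep -nE "(^|[^A-Za-z_])SKIP([^A-Za-z_]|$)" "$file" | sed 's/^/WARN checksum SKIP at line /'
    if ! grep -Eq '^[[:space:]]*(sha256sums|sha512sums|b2sums|sha1sums|md5sums)[[:space:]]*=' "$file"; then
        echo "WARN no checksum array in $file"
    fi
    grep -nE '(curl|wget)[^|]*\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)' "$file" \
        | sed 's/^/WARN pipe-to-shell at line /'
}

# Number of WARN lines for a file (0 when clean).
count_findings() {
    audit_pkgbuild "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

# Constructed sample, not a real AUR package: exhibits three of the four patterns.
write_sample_pkgbuild() {
    cat > "$1" <<'EOF'
# Maintainer: constructed example <nobody@example.invalid>
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
pkgdesc="constructed sample for the audit function"
arch=('x86_64')
url="https://example.invalid/example-tool"
license=('MIT')
source=("https://example.invalid/example-tool-$pkgver.tar.gz"
        "http://mirror.example.invalid/extras/helper.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')

build() {
  cd "$pkgname-$pkgver"
  curl -fsSL https://example.invalid/bootstrap.sh | sh
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF
}
```

Usage on a real checkout is `audit_pkgbuild ./PKGBUILD`; also read any `.install` script and every patch the package carries, since the checks above do not look at those.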
If you are experienced with Linux and wish to use an Arch-based distribution, we only recommend mainline Arch Linux, not any of its derivatives. We recommend against these two Arch derivatives specifically:
- Manjaro: This distribution holds packages back for 2 weeks to make sure that their own changes don't break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest libraries from Arch's repositories, which Manjaro's delayed repositories may not yet ship.
- Garuda: They use Chaotic-AUR which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.
Kicksecure
While we strongly recommend against using outdated distributions like Debian, there is a Debian based operating system that has been hardened to be much more secure than typical Linux distributions: Kicksecure. Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.
Linux-libre kernel and “Libre” distributions
We strongly recommend against using the Linux-libre kernel, since it removes security mitigations and suppresses kernel warnings about vulnerable microcode for ideological reasons.
General Recommendations
Drive Encryption
Most Linux distributions have an option within their installer for enabling LUKS FDE. If this option isn't set at installation time, you will have to back up your data and re-install, as encryption is applied after disk partitioning but before file systems are formatted. We also suggest securely erasing your storage device:
Swap
Consider using ZRAM or encrypted swap instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to swap space. Fedora based distributions use ZRAM by default.
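Checking that no swap is plaintext is a two-step question: what is in `/proc/swaps`, and what each device-mapper device is backed by. The script below is an added example (not from this page or any distribution): it classifies every active swap entry as zram, encrypted, a swap file (left for manual review) or plaintext, recognising dm-crypt through the device-mapper uuid prefix `CRYPT-` and walking the `slaves` chain so swap on LVM-on-LUKS is still reported as encrypted. The table and sysfs root are parameters so it can run against the constructed fixture included here; on a live system call it as `check_swap /proc/swaps /sys`.

```shell
#!/bin/sh
# Added example (not from the page): classify each active swap device as zram,
# encrypted, file, or PLAINTEXT. The /proc/swaps table and the sysfs root are
# parameters so the logic can run against a constructed snapshot; on a live system:
#   check_swap /proc/swaps /sys
# dm-crypt is recognised through the device-mapper uuid ("CRYPT-..."), walking the
# stack downwards so swap on LVM-on-LUKS is still reported as encrypted.
set -u

# Return 0 if block device $2 (e.g. dm-1) or any device beneath it is a dm-crypt target.
dev_encrypted() {
    sysfs=$1; dev=$2
    uuid=$(cat "$sysfs/block/$dev/dm/uuid" 2>/dev/null || true)
    case $uuid in CRYPT-*) return 0 ;; esac
    for slave in "$sysfs/block/$dev/slaves"/*; do
        [ -e "$slave" ] || continue
        if dev_encrypted "$sysfs" "${slave##*/}"; then return 0; fi
    done
    return 1
}

# Print "<device> <class>" per entry of a /proc/swaps table.
check_swap() {
    swaps=$1; sysfs=$2
    # skip the header; fields are Filename Type Size Used Priority
    tail -n +2 "$swaps" | while read -r filename type _size _used _prio; do
        dev=${filename##*/}
        case $dev in
            zram*) echo "$filename zram" ;;
            dm-*)  if dev_encrypted "$sysfs" "$dev"; then echo "$filename encrypted"
                   else echo "$filename PLAINTEXT"; fi ;;
            *)     # a swap file may live on an encrypted root; a raw partition never is
                   if [ "$type" = file ]; then echo "$filename file"
                   else echo "$filename PLAINTEXT"; fi ;;
        esac
    done
}

# Exit 0 only when nothing is PLAINTEXT (swap files are left for manual review).
swap_is_safe() {
    ! check_swap "$1" "$2" | grep -q ' PLAINTEXT$'
}

# Constructed fixture: zram, swap on an LVM volume that sits on LUKS, and a raw partition.
make_fixture() {
    d=$1
    mkdir -p "$d/sys/block/dm-1/dm" "$d/sys/block/dm-1/slaves/dm-0" "$d/sys/block/dm-0/dm"
    echo 'LVM-constructed0000000000000000000000000000000000000000000000' > "$d/sys/block/dm-1/dm/uuid"
    echo 'CRYPT-LUKS2-constructed00000000000000000000000000-luks-root' > "$d/sys/block/dm-0/dm/uuid"
    printf '%s\n' \
        'Filename                                Type            Size            Used            Priority' \
        '/dev/zram0                              partition       8388604         0               100' \
        '/dev/dm-1                               partition       4194300         0               -2' \
        '/dev/sda3                               partition       2097148         0               -3' \
        > "$d/swaps"
}
```

A raw partition such as the `/dev/sda3` entry in the fixture is the case the paragraph warns about: whatever was in memory when the kernel paged it out is sitting on disk in the clear.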
Wayland
We recommend using a desktop environment that supports the Wayland display protocol, as it was developed with security in mind. Its predecessor, X11, does not support GUI isolation, allowing any window to record the screen and log or inject input in other windows, making any attempt at sandboxing futile. While there are options to do nested X11 such as Xpra or Xephyr, they often come with negative performance consequences, are not convenient to set up, and are not preferable over Wayland.
Fortunately, common environments such as GNOME, KDE, and the window manager Sway have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in hard maintenance mode. If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager (GDM, SDDM).
We recommend against using desktop environments or window managers that do not have Wayland support, such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.
Proprietary Firmware (Microcode Updates)
Linux distributions such as those which are Linux-libre or DIY (Arch Linux) don’t come with the proprietary microcode updates that often patch vulnerabilities. Some notable examples of these vulnerabilities include Spectre, Meltdown, SSB, Foreshadow, MDS, SWAPGS, and other hardware vulnerabilities.
We highly recommend that you install the microcode updates, as your CPU is already running the proprietary microcode from the factory. Fedora and openSUSE both have the microcode updates applied by default.
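The kernel reports its own verdict on each of these hardware issues, after microcode and software mitigations are taken into account, as one file per issue under `/sys/devices/system/cpu/vulnerabilities`. The script below is an added example, not code from this page or from any distribution: it lists those verdicts, isolates the entries that still read `Vulnerable` (on x86 that usually means missing microcode or a mitigation disabled on the kernel command line), and reads the loaded microcode revision from `/proc/cpuinfo`. Paths are parameters so the parser can be exercised on a constructed copy; on a live system call `report_vulnerabilities /sys/devices/system/cpu/vulnerabilities`.

```shell
#!/bin/sh
# Added example (not from the page): report the kernel's verdict on each hardware
# vulnerability after microcode and mitigations are applied. The kernel exposes one
# file per issue under /sys/devices/system/cpu/vulnerabilities; "Vulnerable" there
# usually means missing microcode or a mitigation disabled on the command line.
# The directory is a parameter so the parser can run on a constructed copy.
set -u

# Print "<name>: <status>" for every entry, in directory order.
report_vulnerabilities() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "${f##*/}" "$(cat "$f")"
    done
}

# Print only the names whose status starts with "Vulnerable"; exit 1 if there are any.
unmitigated() {
    dir=$1
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $(cat "$f") in
            Vulnerable*) echo "${f##*/}"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Loaded microcode revision as the kernel reports it for the first CPU (x86 only).
microcode_revision() {
    cpuinfo=${1:-/proc/cpuinfo}
    awk -F': ' '/^microcode/ { print $2; exit }' "$cpuinfo"
}
```

Compare the revision against what the distribution's microcode package ships (the package changelog or `dmesg | grep microcode` after boot); if the sysfs entries still say `Vulnerable` after the package is installed, the update was not loaded, which on most distributions means the early-boot initramfs needs regenerating.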
Updates
Most Linux distributions will automatically install updates or remind you to do so. It is important to keep your OS up to date so that your software is patched when a vulnerability is found.
Some distributions (particularly those aimed at advanced users) are more barebones and expect you to do things yourself (e.g. Arch or Debian). These will require running the "package manager" (apt, pacman, dnf, etc.) manually in order to receive important security updates.
Additionally, some distributions will not download firmware updates automatically. For that you will need to install fwupd.
Privacy Tweaks
MAC Address Randomization
Many desktop Linux distributions (Fedora, openSUSE, etc.) come with NetworkManager to configure Ethernet and Wi-Fi settings.
It is possible to randomize the MAC address when using NetworkManager. This provides a bit more privacy on Wi-Fi networks as it makes it harder to track specific devices on the network you're connected to. It does not make you anonymous.
We recommend setting the cloned MAC address for Wi-Fi to random rather than stable: a stable address is re-derived per network, so the same network can still recognise your device across visits.
If you are using systemd-networkd, you will need to set MACAddressPolicy=random in a .link file. DHCP anonymity per RFC 7844 (Anonymity Profiles for DHCP Clients) is a separate option, Anonymize=yes in the [DHCPv4] section of the matching .network file, which systemd documents as only meaningful together with a random MAC address.
There is little point in randomizing the MAC address for Ethernet connections, as a system administrator can find you by looking at the port you are using on the network switch. Randomizing Wi-Fi MAC addresses depends on support from the Wi-Fi card's firmware.
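The two configurations described above, written out as an added example (not configuration from this page, NetworkManager or systemd). The functions write drop-ins under a root directory so they can be inspected before being applied to `/`; the file names are chosen here and only the keys matter. The comments note the weaker `stable` setting beside the `random` one recommended above.

```shell
#!/bin/sh
# Added example (not from the page or from either project): drop-in configuration
# for MAC randomization on Wi-Fi, for NetworkManager and for systemd-networkd, written
# under a root directory so it can be inspected before being applied to /.
# File names are chosen for this example; only the keys matter.
set -eu

# NetworkManager: randomize the MAC both while scanning and per connection.
# 'random' gives a new address per connection attempt; 'stable' keeps one per
# network, which still lets that network recognise you across visits.
write_nm_mac_randomization() {
    root=$1
    mkdir -p "$root/etc/NetworkManager/conf.d"
    cat > "$root/etc/NetworkManager/conf.d/00-macrandomize.conf" <<'EOF'
[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random
EOF
}

# systemd-networkd: the hardware address is set by a .link file (applied by udev
# early in boot), while RFC 7844 anonymity for DHCP is a separate [DHCPv4] option.
# The 00- prefix sorts before the stock 99-default.link so this file wins the match.
write_networkd_mac_randomization() {
    root=$1
    mkdir -p "$root/etc/systemd/network"
    cat > "$root/etc/systemd/network/00-wifi.link" <<'EOF'
[Match]
Type=wlan

[Link]
MACAddressPolicy=random
EOF
    cat > "$root/etc/systemd/network/25-wifi.network" <<'EOF'
[Match]
Type=wlan

[Network]
DHCP=yes

[DHCPv4]
Anonymize=yes
EOF
}

# Read one key from one section of an ini-style file (NetworkManager.conf, .link and
# .network all share this shape), so the result can be checked rather than eyeballed.
ini_get() {
    file=$1; section=$2; key=$3
    awk -v sec="[$section]" -v key="$key" '
        $0 == sec { insec = 1; next }
        /^\[/ { insec = 0 }
        insec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$file"
}
```

After writing the NetworkManager drop-in, `nmcli general reload` (or a restart of the service) picks it up; for networkd, `networkctl reload` re-reads the files and a `udevadm trigger` on the interface re-applies the .link policy. Verify with `ip link` that the address changes between connections.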
Other Identifiers
There are other system identifiers which you may wish to be careful about. You should give this some thought to see if it applies to your threat model:
- Hostnames: Your system's hostname is shared with the networks you connect to. You should avoid including identifying terms like your name or operating system in your hostname, instead sticking to generic terms or random strings.
- Usernames: Similarly, your username is used in a variety of ways across your system. Consider using generic terms like "user" rather than your actual name.
- Machine ID: During installation a unique machine ID is generated and stored on your device. Consider setting it to a generic ID.
System Counting
The Fedora Project counts how many unique systems access its mirrors by using a countme variable instead of a unique ID. Fedora does this to determine load and provision better servers for updates where necessary.
This option is currently off by default. We recommend adding countme=false to /etc/dnf/dnf.conf just in case it is enabled in the future. On systems that use rpm-ostree such as Silverblue, the countme option is disabled by masking the rpm-ostree-countme timer.
openSUSE also uses a unique ID to count systems, which can be disabled by deleting the /var/lib/zypp/AnonymousUniqueId file.