http://linux.com/security/newsitem.phtml?sid=11&aid=6702
Why Linux Security Will Succeed
There is no subtlety in the race to gain the exalted title
of having the most secure operating system. Both sides of the
virtual fence argue that their preferred operating system is more secure
in its default installation. More often than not, these OS bigots spend
more time knocking the other contenders down than arguing the strengths
of their own OS. Some fanatics argue that their OS can be made more
secure in the long run. When one is fighting a losing battle, shooting holes
in the other side is often more effective than boasting of your own
merits. In the war between Linux and its rivals, Linux is in a position
to stand on its own positive features, and it does so well.
Nothing to Hide
A longtime trendsetter in the Open Source movement, Linux continues
to bare all to friends and foes alike. Every day thousands of hobbyists
and developers fiddle with every part of the operating system, finding
new ways to improve on it. Some of this results in small fixes to make
parts of the system more efficient. Others streamline the code while adding
new features that allow more flexibility, while some fix bugs left by
predecessors in a day when security was barely an issue. The key here is
that anyone who has the whim or desire to scrutinize or improve the current
code base can do just that. By offering the full source code to every piece
of the operating system, Linux developers around the world are putting
their work on trial. With thousands of critical eyes, it stands to reason
that any remaining bugs will be ferreted out in no time.
On the other hand, closed source operating systems hide their foundation
from the world, relying on security via obscurity to prevent vulnerabilities
from being discovered and exploited. These closed source systems appear to be
developed by companies more concerned with profit margins than secure and
stable operating platforms. These operating systems tend to be written by
programmers whose primary goal is making a sizeable salary, rather than by the herds
of developers working on open source operating systems for the love of
the work.
With open source operating systems, the time required to find and isolate a
bug is decreased tenfold. Large corporations must rely on laborious internal
testing to find and fix bugs, while a qualified Linux enthusiast can take
minutes to verify a bug in the source tree. The same programmer can often
develop a fix for the bug and share it with the world in hours. The sheer power
to effect change and provide improved components of an operating system is something
unknown to widely deployed commercial operating systems. This advantage
will continue to make free, open source operating systems a thing of
power and control. The most effective part of this process can be seen when
developers and enthusiasts all over the world collaborate on the best way
to fix a problem. This is seen on the full disclosure security mailing list
Bugtraq.
The Right Tool to do the Job
More important than choosing the right tool for the job is having
all of the tools required to do the job correctly. Perhaps one of the
most potent and overlooked strengths to Linux and other open source
operating systems is the amazing number of tools available to do
virtually any job required. With many tasks in the computer or network
world, it is accepted that you have one (sometimes two) tools to do
a specific job. You learn those tools and you learn to like them because
there is no alternative. The world of Linux is one of choices. Perhaps
the most self-empowering attribute of open source platforms is that
anyone can develop their own tool as an alternative to the rest.
This can be illustrated quite easily by having any skeptic subscribe to the
daily Freshmeat newsletter. Once a day Freshmeat
mails out a summary of new or updated tools submitted to its site.
Each piece of mail lists the title of the tool, where to find it on the
net, a brief description of its features, as well as the reason a new
version was released. In many cases they also announce the release of
new tools and provide the basic details. On a typical day, this mail will
contain a list of some 20 to 60 tools that have been released or updated.
The beautiful part? Almost all of them are free.
Looking at the Freshmeat mail for January 26th, I learn of four new
security software package events. The first is a low urgency upgrade
to the Fwctl
program, which helps users configure a tight firewall. Next is an updated
version of a popular vulnerability scanner called
SAINT that is a highly
evolved version of its predecessor
SATAN. Third in the security
category is a new package called Tripwall
which is designed to give an alternative to a better known
Tripwire package that some
feel has become too commercial. Last is a small upgrade to the
Linux Intrusion Detection System (LIDS)
package. All of these commercial-grade tools in a single day, and all of
them free of charge.
The availability of hundreds of security tools better equips
every Linux user in the fight to maintain a secure system. By offering
many choices for each type of tool, administrators can perform their
work efficiently and effectively, without the headache of inadequate
software. We all know how much one enjoys a job working with inferior or
cumbersome tools!
Winning the Race
The race between system intruders and security personnel is never-ending.
Each struggles to find previously undiscovered bugs with the release
of each new version of operating systems. Intruders use these newfound bugs
to break into a number of systems in hopes that administrators are unaware of
the holes. Security personnel attempt to find them and patch them before the intruders
have a chance to exploit thousands of vulnerable hosts running critical business
functions. Because of the importance of maintaining a secure platform, many
open source developers have recognized the need for proactive auditing. Rather
than wait for computer response teams to report a new bug being exploited, the
developers closely scrutinize their work with security in mind.
Two flavors of Linux stand out in the fight to maintain the most secure platform
possible. Both the RedHat and the
Independence distributions of Linux
have made significant proactive efforts to improve their out-of-box security.
In singling these two distributions out, I do not imply that other flavors of
Linux are in any way negligent, only that these two appear to be setting trends in
the Linux community.
Over a year ago, the RedHat team determined that security was an important aspect
of the operating system and deserved more attention. With that in mind, they set out
to audit significant portions of the source code looking for any part that might
be exploited by intruders. In their search for bugs and vulnerabilities, they were
able to proactively find and fix several problems that could have posed serious
risk to RedHat users. After fixing each bug, they turned to the security community
and shared their findings. This
gave every developer a chance to see the value
of doing source code auditing, and helped point out dozens of other bugs and
vulnerabilities in other operating systems.
Another relatively new distribution has taken an interest in improving system
security by tightening file and directory permissions. Unix descends from a spirit
of sharing resources and information dating back to the '70s, when security
measures were seen as hindering daily operations. It was a time when one administrator would
quietly sneak into a system to fix a bug that was preventing his system from
sending mail to a recipient, and just as quietly sneak back out without a word.
Because of the loose permissions on files and directories, this was possible and
encouraged users to fix their own problems. In today's world, that ability to fix
your own problems also translates into the ability of an attacker to gain additional
access and compromise the integrity of a network.
"Expecting a new user to have to handle the security of a Linux server is
preposterous: not only does it take years of experience in the field, but
it also takes the time to keep up to date with the latest problems. If
users are expected to do this, then Linux's progress will be limited."
- Independence Linux
Developers of Independence Linux see that as a point of concern. In response, they
have been working on a new permission scheme that does not break any functionality
of the system, yet improves the security posture significantly. By making hundreds
of small permission changes around the system, the distribution caters to those
individuals seeking security and privacy. Like RedHat, the Independence project
also maintains a security page
outlining the bugs and vulnerabilities they have found.
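The loose-permissions risk described above, as an added audit example (not Independence Linux's permission scheme or any code from the original): it flags world-writable files, world-writable directories lacking the sticky bit, and setuid/setgid executables under a directory, exercised against a constructed sample tree. The function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical audit helper (added example, not the Independence project's
# own permission scheme). Reports the loose permissions that let a user, or
# an attacker who has gained a user's access, modify or replace files that
# are not theirs. Output: one finding per line, "<kind> <path>".
audit_loose_perms() {
    root="$1"
    # World-writable regular files: anyone can alter their contents.
    find "$root" -type f -perm -0002 -print | sed 's/^/world-writable-file /'
    # World-writable directories without the sticky bit: anyone can delete
    # or rename other users' entries (the sticky bit restricts that to owners).
    find "$root" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/world-writable-dir /'
    # Setuid or setgid executables: run with elevated privileges, so each
    # one deserves a deliberate decision rather than a default.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print | sed 's/^/setuid-setgid /'
}

# Number of findings of one kind under a root, e.g.
#   audit_count /srv world-writable-file
audit_count() {
    audit_loose_perms "$1" | grep -c "^$2 " || true
}

# Constructed sample tree: one offender of each kind plus one clean file.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/shared" "$dir/private"
    chmod 0777 "$dir/shared"             # world-writable, no sticky bit: flagged
    chmod 0755 "$dir/private"            # fine
    touch "$dir/shared/notes.txt" "$dir/private/secret.txt" "$dir/private/helper"
    chmod 0666 "$dir/shared/notes.txt"   # world-writable file: flagged
    chmod 0600 "$dir/private/secret.txt" # fine
    chmod 4755 "$dir/private/helper"     # setuid executable: flagged
    echo "$dir"
}
```

Running `audit_loose_perms /` on a real system produces the worklist that a permission-tightening effort would then review entry by entry; the point is to see what is exposed, not to chmod blindly.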
Another evolving effort dramatically increasing security awareness in the Linux
community is the Bastille Linux project.
Building on the existing security of the RedHat distribution, the Bastille Linux project
aims to create a utility that will automate the security hardening process. This is
done to help new users of the RedHat system who may not be familiar with all of
the security issues at hand. Like all efforts in security, the need for functionality
must be kept in mind and this tool aims to do just that.
Setting a Standard
With more and more companies adopting open source platforms for important business
applications and mission critical activity, they are setting a standard and
acknowledging the inherent benefits. Some companies have adopted the open
source movement so much that they now have personnel that routinely review
security discussion forums like Bugtraq, as well as the security pages of
the distributions they favor. This adoption signals a turning point in the
faith placed in security via obscurity. Many companies are no longer willing to risk
their vital business on operating systems with a track record of bugs and slow
fixes. The speed and efficiency with which Linux distributions dispatch
updated components appeals to organizations that would rather not remain exposed to
break-ins for months at a time while a closed source vendor takes that long
to produce a fix.
Brian Martin (bmartin@linux.com)
01.29.00