Linux Security: It's Not Just About Security

Jon Lasser began the Bastille Linux Project in order to harden the security of Red Hat Linux, the distribution he uses at work. In the process, he began looking at the other distributions to see how they handle security updates, and he was not at all happy with what he found. In today's editorial, he shares his concerns and explains why it matters to you even if you do all your security monitoring for yourself.

As a professional Unix systems administrator, I'm concerned about system security. Keeping unauthorized users off my systems is simply part of my job; doing this requires vigilance in the form of monitoring performance, reading logs, and keeping patches up-to-date. For me, security is about security; it's about keeping my users' projects safe and keeping them comfortable despite a full-time connection to the Internet.

As Lead Coordinator of the Bastille Linux Project, a hardening script for Red Hat Linux, I thought my job was to make Linux more secure so beginning users could easily keep their boxes secure. New Linux users often have no experience as system administrators, or even any experience with Unix. I thought the best way to tackle the problem was to make it easy to do the right thing.

Recently, I've been asked lots of questions about Linux system security by reporters. Often, I'm put on the defensive right away: Does Linux have a security problem? Why is Linux less secure than other operating systems? Is open-source software inherently less secure than commercial systems?

I usually begin by explaining that more holes are reported in open-source software before they're exploited, and that the number of actually-exploited holes is no greater -- perhaps even less -- than in commercial software. I explain that one reason there are so many break-ins into Linux systems is that there are so many Linux systems on the Internet, and that Linux can be as secure as any other operating system.

But Linux does have a security problem. It's not a universal problem, but look at the following list of security Web sites, mailing lists, and update tools for some common Linux distributions:

These are all mainstream Linux distributions, tending towards a general audience; at the least, they're not aiming at the router market or the embedded devices market. These are all products intended to be used by normal people and thrown up on a corporate network or even the Internet. Some may be aimed at relatively expert users, but I'm a fairly advanced user myself, and I still expect that my software distributor is watching out for security at least minimally. That's one of the reasons I don't roll my own distribution.

Of the eight common distributions I could think of, three have nothing whatsoever to do with security, and at least one of the others didn't seem to be doing anything useful. No wonder Linux has a security problem: while those four distributions have probably less than a quarter of the Linux market, they tend to be high-profile distributions which garner more than their share of media coverage.

These distributions aren't just putting their users at risk; they're damaging Linux's credibility and its image in the marketplace. Every time I'm asked by a reporter why Linux is so insecure, I have to consider Caldera, Corel, Turbo Linux, and Slackware before I can answer. These distributions' total lack of concern with security is an embarrassment to the entire Linux and Open-Source communities.

Because of these distributions, I'm forced to admit to reporters that many Linux installations are insecure, and there's little the average user can do about it without dedicating an inordinate amount of time to security work. Most users aren't paid to worry about security, as I am. For many, computing may be only a small part of their work. These people can't rightly be asked to read Bugtraq; they've got work to do.

If only systems were kept up to date on patches, huge numbers of them wouldn't be cracked. On the university campus where I work, systems have been exploited using the automount daemon bug, which is more than a year old and has had a patch available for nearly that long. Being a professional, I know that they shouldn't even be running the daemon, because I know that they're not using it. But I can't expect the owners to know that, and I can't even fix it myself: I didn't know that some of these machines existed until I found out that they'd been hacked. Asking these users to read a single, low-volume, vendor-specific mailing list is a pretty good solution -- when those lists exist.

Experienced users should abandon Linux distributions which don't provide security fixes in a timely manner and post that information to a Web site, a mailing list, or both. They should abandon these distributions not because they necessarily need the security notices for themselves, but because these distributions are ruining Linux's image not only with novice users, but with the reporters and editors who shape managers' opinions on whether Linux is a viable solution.

You may claim that you're a hobbyist, and you couldn't care less if businesses use Linux; that's your right, certainly. However, you lose nothing when businesses use Linux, you lose nothing when security updates are made available and publicized, and you gain nothing when businesses reject Linux because some vendor couldn't be bothered to package up an already publicly-available solution to a security hole.

The rest of us do lose. It hurts our professional reputations when we stand behind a piece of software with frequent and highly-publicized security lapses. It wastes our time, tracking down hacked user machines for which we're not responsible and rebuilding them from the ground up. It wastes our money, when businesses and government agencies buy more expensive hardware and software for the illusion of security.

Solving this problem isn't difficult or time consuming; simply pick distributions which express a basic level of concern for security issues, and let vendors know -- at trade shows, in e-mail, in letters to the editor of your favorite publication -- that security isn't just about security. It's about preserving our reputation for quality, and it's about saving time and money.


Jon Lasser is a Unix Systems Administrator, Lead Coordinator for the Bastille Linux Project, and author of a forthcoming Unix book from Macmillan tentatively titled Think Unix. He's never bothered to take a computer course, except a single Pascal class in high school. He lives in Baltimore with his wife Kathleen, and their three cats: Mallet, Dashigara, and Spike. If for some reason you want to know more, check out his home page.



Recent comments

12 Jan 2000 13:08 rdemanow

RE: RE: Linux and the Common Man(tm), revisited
Andy wrote:


RichD wrote: My premise isn't even that every UNIX user should be responsible for understanding UNIX security.

My mistake. I must have misinterpreted the part where you screamed

Go back and read the sentence after that one ...

if you don't know what inetd.conf is for, if you don't know where your startup scripts are [snip] ... then *you* *should* *NOT* *be* *using* *UNIX*!!!!!


Well, you shouldn't.

there's no excuse for that level of incompetence in someone who's educated enough to be a CEO.

Everyone who is interested should teach themselves about how computers and networks work, how to configure them, etc. But the reality is that in the long run, to use your car analogy, the people who configure computers are more like car mechanics, not car drivers. CEOs will not ever learn much, if anything, about how computers work. For them it's a tool, not a hobby. It's much more cost effective to have an expert configure their computer than it is for them to do it themselves.


Ok, then, let me take the car analogy one step further than that ...


Windows Vehicle:

You turn on your machine, it boots Windows, you hit the Start button, you chose a program, it runs. If there's a problem, an "engine problem" indicator lights up on the dashboard.
You get in your Geo, put the key in the ignition, turn it on, put the gearshift in Drive, step on the gas, and go. If there's a problem, a "General Fault" message pops up on the screen.

Linux Vehicle:

You turn on your machine, it boots Linux/BSD/Solaris/FooNIX, you watch the startup messages for any errors, you type in your login and password, you get a shell prompt, maybe you type "startx" to get a nice GUI. You now have your choice of hundreds of commands, tools, utilities, compilers, editors, and apps to bring to bear on the problem at hand. If there's a problem, a core file and a ton of log messages are spewed out to tell the user exactly what part broke, and whether or not it's going to compromise the stability of the rest of the system.
You step out on the flight line, do a thorough walkaround of your F-22 checking for any potential problems, hop in the cockpit, enter your authentication code, crank up the turbines, taxi out to the end of the runway, get clearance from the tower, and take off. You now have your choice of hundreds of possible maneuvers, and a wide array of avionics, ECM, and weaponry to bring to bear on the problem at hand. If there's a problem, diagnostic information gets spewed out at the pilot to tell him exactly what part broke, and whether or not it's going to compromise the airworthiness of the aircraft.

The driver of the Geo doesn't need to know how the engine works, or how to repair it, in order to get from point A to point B. That's what the mechanic is for. If there's a problem, an "engine problem" indicator lights up on the dashboard.


Likewise, the driver of the F-22 doesn't need to know how the radar, avionics, and engine work, or how to repair them, in order to shoot down the other guy. That's what the ground crew is for.


The person driving the F-22, however, must have a great deal more knowledge of and competence in the physics involved in maneuvering the vehicle than the driver of the Geo.


The "driver" of the Windows box doesn't need to know how files are stored on disk, or how an interrupt vector tells the CPU that the sound card wants some attention. He does need to know enough to use the Start->Shut Down menu item, instead of just turning off the power. He should know enough not to run any .exe files or open any word files that haven't been virus scanned.


The "driver" of the Linux box doesn't need to know what an inode is, or how System V IPC works. He does need to know how to log on and off properly, and how to read basic error messages that show up on the console, how to use the shutdown command. He should know the basics of configuring and compiling a kernel, and locking down inetd.conf and the rc.* files.


In a corporate environment, most of the more complicated stuff for either system is handled by the IT staff. They take care of things like firewalls at the edge of the corporate network, and shutting off telnet, ftp, rpc, and other such things on machines that don't need them up.


At home, it's a different story. Someone using a computer at home is most likely either dialing a modem in to an ISP, or connecting full time with an ISDN or DSL link. (Unless they're a total geek, and have set up their own 10.0.0.0 network behind a dedicated NAT-ing/Firewalling box ...)


Sadly, most people don't realize the risk they're putting themselves at by doing this without installing and configuring security tools. Even a simple thing like NukeNabber for Windows can help avert a system compromise, if the user is aware enough to yank the phone line out of the wall when a port scan is detected by it. I have little sympathy for people whose machines get compromised due to their own ignorance and incompetence. Anyone running a computer that's attached to the 'net needs to take the time to learn how to secure it. (By "running" I mean being the person responsible for its maintenance, as in an IT person for a corporation, or the owner/user of a home machine.)

That's just the way it is. If you want Linux for the masses, it must be idiot proof.


There's no such thing.


If no distro makes the idiot proof LAN workstation, then each network sys admin will have to cook up their own.


Who's better qualified to cook up a machine config that's suited to the local network environment than the local network admin?

Umm ... let's see ... rpm for RedHat,

I've used that one. Last time I checked, it did not add or remove links from the rc.* directories, nor did it do a recursive dependency check to install all the packages that the package I want depends on.

No, but it will tell you if you need to install another package that this one depends on. That way, it doesn't install stuff it's not telling you about ...

Yet installation programs magically can do this. They seem different to me.

If you want Windows' InstallShield Wizard, you know where to find it.


11 Jan 2000 21:29 awiggin

RE: Linux for the Common Man(tm), revisited
RichD wrote: My premise isn't even that every UNIX user should be responsible for understanding UNIX security.


My mistake. I must have misinterpreted the part where you screamed


if you don't know what inetd.conf is for, if you don't know where your startup scripts are [snip] ... then *you* *should* *NOT* *be* *using* *UNIX*!!!!!


moving on...


there's no excuse for that level of incompetence in someone who's educated enough to be a CEO.


Everyone who is interested should teach themselves about how computers and networks work, how to configure them, etc. But the reality is that in the long run, to use your car analogy, the people who configure computers are more like car mechanics, not car drivers. CEOs will not ever learn much, if anything, about how computers work. For them it's a tool, not a hobby. It's much more cost effective to have an expert configure their computer than it is for them to do it themselves.


That's just the way it is. If you want Linux for the masses, it must be idiot proof. If no distro makes the idiot proof LAN workstation, then each network sys admin will have to cook up their own.


But I do agree that it would be nice if people understood computers better.


Umm ... let's see ... rpm for RedHat,


I've used that one. Last time I checked, it did not add or remove links from the rc.* directories, nor did it do a recursive dependency check to install all the packages that the package I want depends on. Yet installation programs magically can do this. They seem different to me.


what are you complaining about?


... not complaining. Just floating an idea.


-a

11 Jan 2000 18:35 rdemanow

Linux for the Common Man(tm), revisited.
Andy wrote:
First, I'm glad the discussion has risen from the gutter. I think some of these Slackware types need to start dealing with their anger...


Well, some of the statements made in the original article (and many of the responses) were just bound to start a religious flame war. Welcome to the wonderful world of Linux geeks ...
I have to disagree with RichD's premise that every UNIX user must be responsible for understanding UNIX security.


My premise isn't even that every UNIX user should be responsible for understanding UNIX security. My premise is that every computer user should be responsible for understanding basic computer security. The state of the general public's computer literacy is, IMNERHO, simply pathetic!


How many people simply assume it's safe to go into Windows and start up their Dialup Networking and connect to the Internet? How many people assume that because they use an ISP and have a dynamically assigned IP address that they can't get hacked? How many people assume it's ok to open that Word file without virus scanning it because they "know" that only .exe files can contain viruses? How many people assume it's safe to get up from their workstation without locking their screen?


From my point of view, that's just like driving off in a car not knowing where the brake pedal is, and assuming you're not going to crash into anything. It's just like turning on a band saw and shoving a piece of wood in the general direction of the blades without wearing safety glasses or knowing where the scram switch is, and assuming you won't get a splinter in your eye or cut your fingers off.


A computer is a powerful, complex tool that, if properly applied, can boost productivity in the workplace to a great degree. Like any other tool, however, if it is not used correctly, it has the potential to do a great deal of damage.


Linux advocates talk about displacing Windows, but it will never happen until secretaries and CEOs can be productive on Linux, too.


The tools are there, it's just a matter of R-ing TFM to learn how to use them.


And believe me, they barely understand what their account name is.


True. And there's no excuse for that level of incompetence in someone who's educated enough to be a CEO.


One person must be able to maintain 10's or 100's of "secure enough" Linux boxes.


One person, who has even just a little experience installing and securing Linux boxes, can. It would make a great internship opportunity for a CS student looking at getting into network administration ...


You don't have to have a PhD in Computer Science to be able to use a computer safely and effectively, just as you don't need to know the physics and engineering of an internal combustion engine to drive a car safely and effectively -- but, as with a car or a bandsaw or any other piece of equipment, a basic level of knowledge and competence is needed. It is this lack of knowledge of the fundamentals of networks and their hazards that causes so many machines to get cracked.

With regards to distro install scripts, one thing I find annoying is that the scripts (the ones I've used, at least) only run at install time. I think a better way to do it would be to have an install script that detected the hardware, installed the kernel and other non-optional packages, then rebooted into console mode. Then, use a general purpose tool (one that you could run again later) to enable and disable services, and install/uninstall software.


Umm ... let's see ... rpm for RedHat, pkgtool for Slackware, Debian has a package manager, FreeBSD has pkg_add pkg_delete and the ports system, linuxconf lets you adjust all your system settings from an easy to use and understand GUI (in X) or menu system (on the console) ... what are you complaining about?


Most distributions even let you select between a Workstation and a Server installation, and adjust what daemons are available by default accordingly. Perhaps they are a bit permissive with things like telnet, ftp, nfs, and other services, but that's only in accordance with the UNIX tradition, where these services are expected to be available. If you have a problem with that, there's always OpenBSD, which shuts everything except SSH off by default.


Above and beyond that issue, and I'll make this point again and again until it's heard, it's not that hard to go and get yourself informed enough about your computer and OS to not make a total ass of yourself on the network!

11 Jan 2000 13:11 awiggin

Corporate LANs and distro install scripts
First, I'm glad the discussion has risen from the gutter. I think some of these Slackware types need to start dealing with their anger...

I have to disagree with RichD's premise that every UNIX user must be responsible for understanding UNIX security. I'm a newer Linux user (less than two years), so I don't have the same perspective as the old-timers. I don't see Linux as a hobbyist's toy, I see it as a tool that I'd like to be able to use at work (much as Mr. Lasser was talking about). In a LAN setting, not everyone is a sysadmin, and in fact, that could never work. People can be perfectly productive UNIX users without understanding anything about inetd.conf. I know I was for years.

For Linux to make it in the corporate world, the boxes need to be easy to set up as LAN workstations and easy to keep up to date with software patches. One person must be able to maintain 10's or 100's of "secure enough" Linux boxes. In my mind that should be the goal, and tools like AutoRPM and Bastille Linux are the right approach.

Linux advocates talk about displacing Windows, but it will never happen until secretaries and CEOs can be productive on Linux, too. And believe me, they barely understand what their account name is.

With regards to distro install scripts, one thing I find annoying is that the scripts (the ones I've used, at least) only run at install time. I think a better way to do it would be to have an install script that detected the hardware, installed the kernel and other non-optional packages, then rebooted into console mode. Then, use a general purpose tool (one that you could run again later) to enable and disable services, and install/uninstall software. That way turning on and off services would not be such a big deal, since they could easily be tweaked later using the same, easy to use, vendor specific tool. This might make it more practical to turn off more services by default.

-Andy

11 Jan 2000 02:44 digitalun

Security? distro independent.
I find fault not with Slackware, or Red Hat's policy on custom packages being included. My issue only is with the install programs from the distros. A Linux install with all of the services turned off is fairly secure. This is not entirely practical.

Anyone intending to use their computer as a server should make it their responsibility to keep themselves informed and their server running only new software. I find it a little humorous when someone sets up a web server, and maybe an ftp server, and a portscan reveals 20 open ports. That's insecure. And that is about right for any default install of most distributions. I have always used Slackware and yes, I felt it was in a beta-stage until v7.0.
My message is only that multiple inetd.conf files should be included with every distribution, and the user should have the opportunity to choose from several options:
Secure: for single users - no open ports
Medium: for remote-admin nodes - telnet, ssh, just the 'portant stuff
Insecure: for the hacker who will do it all themselves anyways :)

I find it discontenting that distributions include soooo many services on by default...

but thats just me...
and I'm just the user

digitalunity aka digitalun aka mike the hacker next door

bud - bag, can, bottle, keg. itsallgood.
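Two of the comments above describe the same defensive mechanism from different angles: rdemanow's "locking down inetd.conf and the rc.* files" and digitalun's proposal of shipping several inetd.conf variants (Secure, Medium, Insecure) for the user to choose from. The script below is an added example of how such a profile-based lockdown can be done mechanically; it is not code from the editorial, from any commenter, or from any distribution. The profile names and their allow-lists, the sample inetd.conf contents, and the function names (profile_services, apply_profile, enabled_services, demo) are all constructed for this illustration, and the file layout follows the 2000-era inetd.conf format the thread is discussing (service, socket type, protocol, wait flag, user, server, arguments).

```shell
#!/bin/sh
# Added example: profile-based lockdown of an inetd.conf-style file.
# Not code from the editorial, the commenters, or any distribution; the
# profiles, allow-lists and sample file contents are constructed for the demo.

# Allow-list of service names each profile leaves enabled (constructed).
# "ALL" means leave the file untouched.
profile_services() {
    case "$1" in
        secure)   echo "" ;;            # single user box: no listeners at all
        medium)   echo "ssh telnet" ;;  # remote-admin node: just the important stuff
        insecure) echo "ALL" ;;         # hands-off: the owner configures it all
        *)        return 1 ;;           # unknown profile name
    esac
}

# Rewrite the inetd.conf at $2 in place: every active line whose first field
# (the service name) is not on profile $1's allow-list gets a leading '#'.
apply_profile() {
    prof=$1; conf=$2
    allowed=$(profile_services "$prof") || { echo "unknown profile: $prof" >&2; return 1; }
    [ "$allowed" = "ALL" ] && return 0
    tmp="$conf.tmp"
    set -f                      # no globbing while we word-split config lines
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line            # split on whitespace; $1 is the service name
        case "${1:-}" in
            ''|'#'*) printf '%s\n' "$line"; continue ;;   # blank or comment: keep
        esac
        keep=0
        for a in $allowed; do [ "$a" = "$1" ] && keep=1; done
        if [ "$keep" -eq 1 ]; then printf '%s\n' "$line"
        else printf '#%s\n' "$line"; fi
    done < "$conf" > "$tmp"
    set +f
    mv "$tmp" "$conf"
}

# Names of the services still enabled in $1, sorted one per line.
enabled_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }' | sort
}

# Constructed sample inetd.conf (2000-era layout) written to $1 for the demo.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf: service socktype proto wait user server args
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
ssh     stream  tcp  nowait  root    /usr/sbin/tcpd  sshd -i
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# Apply profile $1 to a fresh copy of the sample; print the enabled services
# as one space-separated line. Returns non-zero for an unknown profile.
demo() {
    f=$(mktemp) || return 1
    make_sample_conf "$f"
    if ! apply_profile "$1" "$f"; then rm -f "$f"; return 1; fi
    enabled_services "$f" | tr '\n' ' ' | sed 's/ $//'
    rm -f "$f"
}

for p in secure medium insecure; do
    printf '%-9s -> [%s]\n' "$p" "$(demo "$p")"
done
```

Run against a real file, apply_profile needs to be followed by a HUP to inetd (kill -HUP on its pid) before the change takes effect, and enabled_services gives the config-side answer to digitalun's "portscan reveals 20 open ports" complaint: anything it lists is a listener inetd will open. The "medium" allow-list keeps telnet only because that is what the commenter listed; a cleartext login service on a remote-admin box is the kind of default the thread is arguing about, not a recommendation.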
