In previous posts, we discussed why to use Linux, why developers love Linux, and how Linux can be free. Since one of the great benefits of running Linux lies in its security model, let's understand how that model works and learn why Linux is indeed safer than Windows and macOS.
Open-source code
Among the many reasons, being open-source by nature is definitely one of the most important reasons Linux is safer. Because open-source software is open by definition, the code is frequently inspected by security researchers, who report vulnerabilities back to developers, who in turn fix them as fast as possible so that the fix reaches users before the threats do. This constant cycle makes Linux more battle-tested, resulting in fewer exploitable security flaws.
Enterprise-Grade security
Given how critical Linux is to the functioning of the internet today, there are lots of eyes on its security model. Government agencies like the NSA and others collaborate to build enterprise security tools like SELinux and AppArmor. But Linux's enterprise-grade security goes beyond that. In fact, there are multiple reasons that make it more secure than other systems, including some features we'll see next, such as a security-aware architecture, frequent updates, native disk encryption, encrypted virtual machines, integrity subsystems that can be used to detect whether a file has been altered, and encrypted data at rest.
A hardened permission model
Unlike on Mac and Windows, Linux users run with a restricted, non-administrative permission level under Discretionary Access Control (DAC), which restricts access to objects based on the identity of the subjects and/or the groups to which they belong. This makes the system less exposed to viruses or ransomware, which will most likely have little impact on your system. On top of that, kernel-level monitoring tools like SELinux and AppArmor monitor applications and block suspicious activity if necessary.
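To make the DAC rule concrete, here is an added example (not code from the original post) that implements the classic Unix permission decision: exactly one class (owner, then group, then other) is selected from the subject's identity and only that class's bits are checked, so an owner whose class lacks a bit is denied even when group or other would grant it. The file mode, uids and gids in demo() are constructed values, and the treatment of uid 0 is a simplified model of CAP_DAC_OVERRIDE, which is an assumption of this example.

```python
import os
import stat

R, W, X = 4, 2, 1  # permission bits, as in the digits of a chmod octal mode


def dac_allows(mode, owner_uid, owner_gid, uid, groups, want):
    """Classic Unix DAC decision for one subject against one object.

    One class is selected (owner, then group, then other) and only that
    class's bits are checked against the requested bits in `want`.
    Assumption for this example: uid 0 is modelled as CAP_DAC_OVERRIDE,
    i.e. always allowed, except that execute still needs some x bit set.
    """
    if uid == 0:
        return (want & X) == 0 or (mode & 0o111) != 0
    if uid == owner_uid:
        cls = (mode >> 6) & 7          # owner class (rwx------)
    elif owner_gid in groups:
        cls = (mode >> 3) & 7          # group class (---rwx---)
    else:
        cls = mode & 7                 # other class (------rwx)
    return (cls & want) == want


def can_access(path, uid, groups, want):
    """Apply the same decision to a real file using its stat() metadata."""
    st = os.stat(path)
    return dac_allows(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, groups, want)


def demo():
    # Constructed object: mode 0460 (owner r--, group rw-, other ---),
    # owned by uid 1000 / gid 100.  The subjects are constructed as well.
    obj = (0o460, 1000, 100)
    return {
        "owner_write":  dac_allows(*obj, 1000, [100], W),   # False: owner class wins
        "member_write": dac_allows(*obj, 1001, [100], W),   # True: group class grants w
        "other_read":   dac_allows(*obj, 1002, [200], R),   # False: other class is ---
        "root_write":   dac_allows(*obj, 0, [0], W),        # True: CAP_DAC_OVERRIDE
        "root_exec":    dac_allows(*obj, 0, [0], X),        # False: no x bit anywhere
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:14s} -> {'allowed' if allowed else 'denied'}")
```

Note that the owner_write case is denied even though the group class grants write: DAC never falls through to a more permissive class.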
Kernel-level Security
There are multiple other security features at the kernel level, including DAC (mentioned previously); POSIX ACLs; namespaces, which limit the resources available to a program; Linux Security Modules (LSM), which implement hooks at all security-critical points within the kernel; Linux IMA (Integrity Measurement Architecture), a subsystem integrated with the kernel that validates hashes of files before their contents are accessed; and a cryptographic API provided for use by kernel subsystems.
Network-level Security
Linux's networking stack is powerful, and traffic passing between interfaces has to adhere to networking policies. Kernel-level modules may hook into frameworks to examine packets and make security decisions about them. In this space, Netfilter and iptables are very common.
Enterprise-grade Cryptography
Linux has a cryptographic API that can be used by the kernel. It provides support for the most popular and widely used cryptographic algorithms, as well as for IPsec, disk encryption via eCryptfs and dm-crypt, and kernel module signature verification. Linux was also one of the first systems to gain support for hardware-based encryption.
Static code analysis
Linux distributions also have their source code automatically scanned by static code analysis tools. These tools identify errors in programming, memory references and input stream validation to ensure compliance with coding best practices.
Secure default compiler flags
Special compiler flags are used when compiling Linux code. These flags use Position Independent Executable (PIE) and Relocation Read-Only (RELRO) functionality to run applications and assign memory segments in an unpredictable manner. This helps to prevent stack smashing, mitigate memory corruption, and provide control flow integrity hardware support.
Quick response to CVEs
Most Linux distributions have a dedicated team of security experts reacting quickly to threats. As a result, Linux users are usually the first to get fixes for CVEs (critical vulnerabilities). But it goes beyond that. The open-collaboration model mentioned previously fosters collaboration among a network of security researchers and organizations, so that as soon as a fix is ready, it can be distributed in parallel by multiple vendors to their clients.
Open collaboration
Open-source code also fosters open collaboration. Developers and security researchers from different organizations throughout the world openly collaborate, frequently pushing fixes and security patches to your system as often as necessary. This collaboration model results in fewer exploitable security flaws and more secure systems.
Frequent and Automatic updates
Linux distributions are updated frequently, meaning that you will be getting the latest security, software and kernel fixes. These fixes close the holes crackers usually exploit to target you and your company. Getting updates quickly is also important to mitigate zero-days.
Fewer viruses, less ransomware, fewer threats
Despite still being subject to viruses and ransomware, the features mentioned previously, combined with a significantly smaller share of threats targeting it, make Linux much safer than Windows and Macs (but not immune). Linux also has antivirus software if system administrators need it.
Curated repositories
The easiest way to install software on a Linux system is through the distribution's own repositories. These repositories are curated and are less prone to carrying viruses, since they usually contain only open-source software that has been reviewed by a wider audience.
Native disk-encryption
Most distributions offer native disk encryption during installation. Native disk encryption is essential today, as users frequently take their devices out of the company's secured space. If a device is lost or stolen, the only way to access the data is by entering the encryption password.
Robust Integrated Firewall
Linux also comes with an enterprise-grade firewall set to block suspicious activity automatically. These policies are also updated regularly with the rest of the system, so your system gets protected as soon as the organizations release
Millions of hours of review
Overall, each of the items discussed previously accounts for in-depth review by specialized professionals. Cumulatively, they mean literally millions of hours spent by experienced professionals not only reviewing the software you run but also battle-testing it.
Thousands of hours of testing
And finally, before reaching your workstation, a large community of specialized technicians (and volunteers) test the tools you'll use. They are the last line ensuring not only that you'll run safer software but also that, unlike on other systems, updates and upgrades won't break your system.
Long-Term Support (LTS)
Unlike proprietary software, enterprise Linux distributions offer long-term support (LTS), a product life-cycle management policy in which a stable release of computer software is maintained for a longer period of time than the standard edition, usually 10 years for RHEL, SUSE, CentOS and Ubuntu LTS. This definitely reduces risk for organizations that prefer (or have) to run software for longer, as their systems will keep receiving security updates.
Conclusion
In this post we reviewed how a multitude of security features, from the kernel (the core of the operating system) to user space, make Linux more secure than Windows and macOS. Excited to try out Linux? There's lots more to learn about Linux on this site and around the web. Feel free to explore!