Desktop Linux Security Review – EndeavourOS

This post documents my testing results for the Desktop Linux distro EndeavourOS. I performed the same testing on the following distros:

• [13 points] Elementary OS (results)
• [13 points] Linux Mint (results)
• [12 points] Ubuntu (results)
• [12 points] Manjaro (results)
• [10 points] MX Linux (results)
• [10 points] Garuda Linux (results)
• [9 points] Pop!_OS (results)

The results are based on the methodology described here:

Linux Desktop Security Review

EndeavourOS collected 9 out of 18 possible points – An OK balance between UX and Security.

Distro Name: EndeavourOS (https://endeavouros.com)

Tested Version: Atlantis neo 21_5 (XFCE), downloaded on 2022-01-11

ISO MD5: 916ffee83602f9f59b00cf0971de299f

Total Score: 9 / 18

Summary of Installer – Security Features:

• [Y] Does the Installer offer to fully encrypt the main disk?
• [N] Does the installer indicate the strength of chosen passwords?

EndeavourOS’ graphical installer makes it easy to fully encrypt the disk. The installer also has no password strength indicator – Neither for the disk encryption password nor for the main user’s password.

Score: 1 / 2

Summary of Firewall:

• [N] Is a host firewall installed by default?
• [N] Is the host firewall enabled by default?
• [N] Does the host firewall block all incoming/ingress traffic by default?
• [N] Does the host firewall filter outgoing/egress traffic by default?

EndeavourOS does not install a firewall per default. It does offer a Firewall installation under “Add more Apps” in the Welcome App.

Score: 0 / 4

Summary of Automatic Updates:

• [N] Are updates automatically downloaded during installation?
• [N] Is the package manager configured to automatically download updates and notify the user about new updates being available?
• [Y] Are the package sources properly authenticated by default?

EndeavourOS does not download updates during installation. Setup of software update notifier is a thing in the Post-Install recommendations but is not done by default. Signature checking for packages is enabled by default.

Score: 1 / 3

Vulnerability Scanning Results:

• [0] How many critical vulnerabilities are present right after installation?
• [0] How many high vulnerabilities are present right after installation?
• [0] How many critical vulnerabilities are present after a full software update run?
• [0] How many high vulnerabilities are present after a full software update run?

Arch-Audit scans identified 0 critical and 0 high vulnerabilities right after installation. EndeavourOS clearly benefits from being an Arch based distro here.

Score: 4 / 4

Summary of User Privileges:

• [Y] Is sudo required to use root privileges?
• [Y] Does sudo require a password?

EndeavourOS is using sudo for admin task elevation and protects the use of sudo with a password.

Score: 2 / 2

Summary of Default Browser:

• [Y] Is the default browser updated regularly?
• [N] Does the default browser warn about the execution of downloaded files?

EndeavourOS is installing Firefox as the default browser. It is regularly updated. However, it does not warn about the execution of downloaded files.

Score: 1 / 2

Summary of Application Sand-boxing:

EndeavourOS does not install FireJail, AppArmor, nor does it install SELinux.

Score: 0 / 1

#infosec #linux #older