Desktop Linux Security Review - Elementary OS

Desktop Linux Security Review – Elementary OS

February 11, 2022

This post documents my testing results for the Linux distro Elementary OS. I performed the same testing on the following distros:

[13 points] Linux Mint (results)
[12 points] Manjaro (results)
[12 points] Ubuntu (results)
[10 points] MX Linux (results)
[10 points] Garuda Linux (results)
[9 points] Pop!_OS (results)
[9 points] Endeavour OS (results)

The results are based on the methodology described here:

Linux Desktop Security Review

Elementary collected 13 out of 18 possible points – A great score for a UX focused distro.

Distro Name: Elementary OS (https://elementary.io)

Tested Version: elementary OS 6.1 Jólnir (20211218-rc), downloaded on 2022-01-29

ISO MD5: 17b373306a9ee304ee3d544ee9cea97a

Total Score: 13 / 18

Summary of Installer – Security Features:

[Y] Does the Installer offer to fully encrypt the main disk?
[Y] Does the installer indicate the strength of chosen passwords?

Elementary’s graphical installer makes it very easy to fully encrypt the disk. The installer also includes a great password strength indicator.

Score: 2 / 2

Summary of Firewall:

[Y] Is a host firewall installed by default?
[N] Is the host firewall enabled by default?
[N] Does the host firewall block all incoming/ingress traffic by default?
[N] Does the host firewall filter outgoing/egress traffic by default?

Elementary installs UFW per default. However, UFW is not enabled by default. Elementary nicely integrates the host firewall into the general settings app.

Score: 1 / 4

Summary of Automatic Updates:

[N] Are updates automatically downloaded during installation?
[Y] Is the package manager configured to automatically download updates and notify the user about new updates being available?
[Y] Are the package sources properly authenticated by default?

Elementary does not download updates during installation. The Update Manager is configured to notify the user about available updates by default. Signature checking for packages is enabled by default as well.

Score: 2 / 3

Vulnerability Scanning Results:

[0] How many critical vulnerabilities are present right after installation?
[0] How many high vulnerabilities are present right after installation?
[0] How many critical vulnerabilities are present after a full software update run?
[0] How many high vulnerabilities are present after a full software update run?

A Nessus vulnerability scan did not identify any critical nor high risk vulnerabilities.

Score: 4 / 4

Summary of User Privileges:

[Y] Is sudo required to use root privileges?
[Y] Does sudo require a password?

Elementary is using sudo for admin task elevation and protects the use of sudo with a password.

Score: 2 / 2

Summary of Default Browser:

[Y] Is the default browser updated regularly?
[N] Does the default browser warn about the execution of downloaded files?

Elementary is installing Gnome Web (Epiphany) as the default browser. It is regularly updated. However, it does not warn about the execution of downloaded files.

Score: 1 / 2

Summary of Application Sand-boxing:

Elementary installs AppArmor together with some sensible profiles and enables it.

Score: 1 / 1

Contact via Mastodon: @seb@ioc.exchange