Desktop Linux Security Review – Garuda Linux
This post documents my testing results for the Linux distro Garuda Linux. I performed the same testing on the following distros:
- [13 points] Elementary OS (results)
- [13 points] Linux Mint (results)
- [12 points] Manjaro (results)
- [12 points] Ubuntu (results)
- [10 points] MX Linux (results)
- [9 points] Pop!_OS (results)
- [9 points] Endeavour OS (results)
The results are based on the methodology described here:
Garuda collected 10 out of 18 possible points, a good score for a UX-focused distro.
Distro Name: Garuda Linux (https://garudalinux.org)
Tested Version: KDE Dragonized (220101), downloaded on 2022-01-29
ISO MD5: e3c4eb652264ab97dba92e497183a8a6
Total Score: 10 / 18
Summary of Installer – Security Features:
- [Y] Does the Installer offer to fully encrypt the main disk?
- [N] Does the installer indicate the strength of chosen passwords?
Garuda’s graphical installer makes it very easy to fully encrypt the disk. The installer does not come with a password strength indicator.
Score: 1 / 2
Summary of Firewall:
- [Y] Is a host firewall installed by default?
- [N] Is the host firewall enabled by default?
- [N] Does the host firewall block all incoming/ingress traffic by default?
- [N] Does the host firewall filter outgoing/egress traffic by default?
Garuda installs UFW by default. However, UFW is not enabled by default.
Score: 1 / 4
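The four firewall questions above can be answered mechanically from the output of `ufw status verbose`. The script below is an added example, not part of the original post or its methodology: the helper name `ufw_score` and both sample outputs are constructed, and it assumes one point per question and that a `deny` or `reject` default counts as blocking.

```shell
#!/bin/sh
# Added example: answer the four firewall checklist questions from the text
# that `ufw status verbose` prints. ufw_score is a hypothetical helper name.
# Live use: ufw_score "$(command -v ufw)" "$(sudo ufw status verbose)"

# Constructed sample outputs (not captured from the tested system).
SAMPLE_INACTIVE='Status: inactive'
SAMPLE_ACTIVE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

# ufw_score UFW_PATH STATUS_TEXT
# Prints: installed enabled ingress-blocked egress-filtered score
ufw_score() (
    installed=N; enabled=N; ingress=N; egress=N; score=0
    if [ -n "$1" ]; then installed=Y; fi
    if printf '%s\n' "$2" | grep -qx 'Status: active'; then
        enabled=Y
        # Default policies only count when the firewall is actually active.
        defaults=$(printf '%s\n' "$2" | grep '^Default:' || true)
        case $defaults in
            *'deny (incoming)'*|*'reject (incoming)'*) ingress=Y ;;
        esac
        case $defaults in
            *'deny (outgoing)'*|*'reject (outgoing)'*) egress=Y ;;
        esac
    fi
    for answer in "$installed" "$enabled" "$ingress" "$egress"; do
        if [ "$answer" = Y ]; then score=$((score + 1)); fi
    done
    printf '%s %s %s %s %d/4\n' "$installed" "$enabled" "$ingress" "$egress" "$score"
)

ufw_score /usr/bin/ufw "$SAMPLE_INACTIVE"   # installed but not enabled
ufw_score /usr/bin/ufw "$SAMPLE_ACTIVE"     # enabled, incoming denied by default
```

The inactive sample reproduces the state described for Garuda's default install: UFW present, but none of the other three questions satisfied.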
Summary of Automatic Updates:
- [N] Are updates automatically downloaded during installation?
- [Y] Is the package manager configured to automatically download updates and notify the user about new updates being available?
- [Y] Are the package sources properly authenticated by default?
Garuda does not download updates during installation. However, it is Arch-based and the ISO isn’t too old. Garuda also asks to update the system right after the user logs in for the first time. The Update Manager is configured to notify the user about available updates by default. Signature checking for packages is enabled by default as well.
Score: 2 / 3
Vulnerability Scanning Results:
- [0] How many critical vulnerabilities are present right after installation?
- [1] How many high vulnerabilities are present right after installation?
- [0] How many critical vulnerabilities are present after a full software update run?
- [0] How many high vulnerabilities are present after a full software update run?
Arch-Audit identified 0 critical and 1 high vulnerability right after installation. After a round of updates had been applied, no vulnerabilities were present anymore.
Score: 3 / 4
Summary of User Privileges:
- [Y] Is sudo required to use root privileges?
- [Y] Does sudo require a password?
Garuda uses sudo for admin task elevation and protects the use of sudo with a password.
Score: 2 / 2
Summary of Default Browser:
- [Y] Is the default browser updated regularly?
- [N] Does the default browser warn about the execution of downloaded files?
Garuda installs FireDragon (a fork of LibreWolf) as the default browser. It is regularly updated. However, it does not warn about the execution of downloaded files.
Score: 1 / 2
Summary of Application Sandboxing:
Garuda does not install Firejail, AppArmor, or SELinux by default.
Score: 0 / 1
Contact via Mastodon: @seb@ioc.exchange