Linux Desktop Security Review

I try out different Linux distros on my personal computers quite often. (Right now I'm running Manjaro on my laptop and Ubuntu on my personal workstation.) Hopping between several Linux distros a year, I have observed that some ship with a better security posture by default than others. Good default security settings matter because many users won't bother to improve the security of their desktop OS by fiddling with settings or installing extra software.

So I decided to do some research and document the results in blog posts here. I will choose the distros based on their DistroWatch ranking, starting with MX Linux. In this post I define all the tests I run through when reviewing the default settings of a vanilla install of each distro.

Installer – Security Features

One can argue whether full disk encryption (FDE) is necessary or desirable on workstations. On laptops, FDE is a necessity these days, so I will check whether encrypting the disk is offered as an option from the get-go.

Another security feature of the installer is whether it indicates the strength of the password the user defines during installation. This can be the password for the disk encryption or the password for the user account that is created during install.

Summary of Installer – Security Features:

The tested distro receives a point for each question answered with Yes.

Firewall

I have noticed that many distributions do not install a host firewall by default. As a cyber security professional I believe that all systems should have an enabled host firewall that not only blocks incoming (ingress) traffic but also filters outgoing (egress) traffic. Therefore, I will check whether a host firewall is installed and enabled, and what it blocks or filters.

Summary of Firewall:

The tested distro receives a point for each question answered with Yes.
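To make the ingress/egress check above repeatable, here is a small added helper (my own example, not part of the original post). It parses the text of `nft list ruleset` and reports the default policy of the base chain attached to a given hook; the function names `chain_policy` and `egress_filtered` and the sample ruleset are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report nftables base-chain policies from `nft list ruleset` text.
# chain_policy RULESET HOOK -> prints "drop", "accept", or "none" when no base
# chain is attached to that hook (input / forward / output / ...).
chain_policy() {
    ruleset="$1"
    hook="$2"
    printf '%s\n' "$ruleset" |
        awk -v hook="$hook" '
            # A base chain declares hook and policy on one line, e.g.
            #   type filter hook input priority filter; policy drop;
            $0 ~ "hook " hook " " {
                for (i = 1; i <= NF; i++)
                    if ($i == "policy") {
                        sub(/;$/, "", $(i + 1))
                        print $(i + 1)
                        found = 1
                        exit
                    }
            }
            END { if (!found) print "none" }
        '
}

# egress_filtered RULESET -> "yes" if the output hook drops by default, else "no".
# Only a drop policy counts: an accept policy with no rules filters nothing.
egress_filtered() {
    case "$(chain_policy "$1" output)" in
        drop) echo yes ;;
        *)    echo no ;;
    esac
}

# Constructed sample ruleset: ingress blocked, egress wide open, which is the
# shape of a typical "default deny incoming" desktop firewall.
SAMPLE_RULESET='table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept
		iif "lo" accept
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
	}
	chain output {
		type filter hook output priority filter; policy accept;
	}
}'
```

On a live host, run `egress_filtered "$(nft list ruleset)"` as root; a distro that ships no nftables base chains at all reports "none" for every hook.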

Automatic Updates

This section is all about security patches and updates. I will check whether updates are installed during installation of the OS, whether the software updater automatically downloads new updates and notifies the user that they can be installed, and whether the software updater properly authenticates the source of packages.

Summary of Automatic Updates:

The tested distro receives a point for each question answered with Yes.

Vulnerabilities

To measure the effectiveness of the host firewall and software updating, I run Nessus scans (unauthenticated and authenticated) against a freshly installed copy of the distro.

The results are measured with the following four questions:

The tested distro receives a point for each question that produces a zero.

User Privileges

Managing privileges of desktop users is not trivial. I will look at the use of sudo and how it is secured.

The following two questions will be used to measure:

The tested distro receives a point for each question answered with Yes.

Default Browser

A surprisingly large group of users don't bother installing their browser of choice and instead use the browser the OS installs by default. Therefore, it is important that the default browser of the distro is reasonably secure.

The following questions are used to assess the default browser:

The tested distro receives a point for each question answered with Yes.

Application Sand-boxing

App sand-boxing is very effective in terms of protection from exploitation but relatively hard to implement and maintain. Therefore, I don't expect any of the distros to actually implement an app sand-boxing solution by default. However, I want to give all distros a chance to earn an extra point with this question:

Summing up the Security Review

In total each tested desktop distro can collect 18 points. A full score (18 points) indicates that the distribution prioritizes security over UX. A low score (<=9) indicates that the distribution prioritizes UX over security.

Why?

Because I think that improving security always starts with knowing the insecurities/vulnerabilities. Unfortunately, I am not a developer and therefore I have a hard time contributing to a Linux distribution directly. I am a security professional though and have been using Linux since the 90's, so I hope what I'm doing here is helpful in a way.

I also consciously chose to include factors that should be relatively easy to change and can be understood without having to have a pen-testing degree.

Feedback on how to improve the review approach is always welcome! Please reach out via mastodon (@seb@ioc.exchange) with your suggestions.

#infosec #opensource