Linux Desktop Security Review
I try out different Linux distros for my personal computers quite often. (Right now I'm running Manjaro on my laptop and Ubuntu on my personal workstation.) While hopping through various Linux distros per year, I observed that some distros have a better security posture by default than others. Good default security settings are important because a lot of users won't bother to improve security of their desktop OS by fiddling with settings or installing extra software.
So I decided to do some research and document the results within blog posts here. I will choose the distros based on their distrowatch ranking, starting with MX Linux. In this post I will define all the tests I run through, when reviewing the default settings of a vanilla install of the distros.
Installer ā Security Features
One can argue whether full disk encryption (FDE) is necessary or desirable on workstations. On laptops FDE is a necessity these days, so I will check whether encrypting the disk is an option from the get go.
Another security feature of the installer is whether it indicates the strength of the password the user defines during installation. This can be the password for the disk encryption or the password for the actual user that is created during install.
Summary of Installer ā Security Features:
- Does the Installer offer to fully encrypt the main disk?
- Does the installer indicate the strength of chosen passwords?
The tested distro receives a point for each question answered with Yes.
Firewall
I have noticed that many distributions do not install a host firewall by default. As a cyber security professional I believe that all systems should have an enabled host firewall that not only blocks incoming/ingress but also filters outgoing/egress traffic. Therefore, I will check whether a host firewall is installed, enabled and what it is blocking/filtering.
Summary of Firewall:
- Is a host firewall installed by default?
- Is the host firewall enabled by default?
- Does the host firewall block all incoming/ingress traffic by default?
- Does the host firewall filter outgoing/egress traffic by default?
The tested distro receives a point for each question answered with Yes.
Automatic Updates
This section is all about security patches and updates. I will check whether updates are installed during installation of the OS. Whether the software updater automatically downloads new updates and notifies the user that new updates can be installed. And whether the software updater properly authenticates the source of packages.
Summary of Automatic Updates:
- Are updates automatically downloaded during installation?
- Is the package manager configured to automatically download updates and notify the user about new updates being available?
- Are the package sources properly authenticated by default?
The tested distro receives a point for each question answered with Yes.
Vulnerabilities
To measure the success of host firewall and software updating I run Nessus scans (unauthenticated & authenticated) against a freshly installed copy of the distro.
The results are measured with the following four questions:
- How many critical vulnerabilities are present right after installation?
- How many high vulnerabilities are present right after installation?
- How many critical vulnerabilities are present after a full software update run?
- How many high vulnerabilities are present after a full software update run?
The tested distro receives a point for each question that produces a zero.
User Privileges
Managing privileges of desktop users is not trivial. I will look at the use of sudo and how it is secured.
The following two questions will be used to measure:
- Is sudo required to use root privileges?
- Does sudo require a password?
The tested distro receives a point for each question answered with Yes.
Default Browser
A surprisingly large group of users don't bother installing their browser of choice but rather use the browser installed by the OS by default. Therefore, it is important the default browser of the distro is reasonably secure.
The following questions are used to assess the default browser:
- Is the default browser updated regularly?
- Does the default browser warn about the execution of downloaded files?
The tested distro receives a point for each question answered with Yes.
Application Sand-boxing
App sand-boxing is very effective in terms of protection from exploitation but relatively hard to implement and maintain. Therefore, I don't expect any of the distros to actually implement an app sand-boxing solution by default. However, I want to give all distros a chance to earn an extra-point with this question:
- Is an application sand-boxing solution installed and enabled by default? (1 point)
Summing up the Security Review
In total each tested desktop distro can collect 18 points. A full score (18 points) indicates that the distribution prioritizes security over UX. A low score (<=9) indicates that the distribution prioritizes UX over security.
Why?
Because I think that improving security always starts with knowing the insecurities/vulnerabilities. Unfortunately, I am not a developer and therefore I have a hard time contributing to a Linux distribution directly. I am a security professional though and have been using Linux since the 90ās, so I hope what Iām doing here is helpful in a way.
I also consciously chose to include factors that should be relatively easy to change and can be understood without having to have a pen-testing degree.
Feedback on how to improve the review approach is always welcome! Please reach out via @seb@ioc.exchange">mastodon with your suggestions.