Documentation resources for Mandriva Linux and Free Software

Follow-up: On Linux security

Adam, in his latest blog post, On Linux security, is 100% right when he says that Linux users should not have a false sense of security and impunity when using Linux.

In fact, the strength of Linux with respect to user security is that … it is not easy to install third-party applications! Indeed, to install a third-party application you have to deal with several issues: the package format (TGZ vs RPM vs DEB), API and library version mismatches, compatibility problems, possibly the need to know the root password, and possibly the need to set the execute bit manually on a binary before it will run.

In short: one of the main weaknesses of Linux as an easy-to-use system for the mass consumer market is also what makes Linux a less attractive target for malware! When everybody is running Ubuntu with full sudo power for the first user, we will have the same problems as Windows users 😉

SELinux/AppArmor may help, but most of the time only for known applications. SELinux/AppArmor let you write rules saying that application X is allowed to do this but not allowed to do that. However, you need to create those rules for each application, so most of the time users will either run the system in permissive mode or use MAC security only on servers with a limited and known set of applications. But what about third-party applications? As you don't know which rules to create, you will let the application do whatever it wants, and then it can simply open an unprivileged port and listen, or send whatever information it wants … Of course there are tools to generate SELinux or AppArmor rules automatically. But are most users able to audit these auto-generated profiles to catch abnormal operations or unwanted behaviour?

The only ways to be protected against these kinds of issues are:

  • monitor changes to critical system configuration files or binaries (chkrootkit, for example). This is where Mandriva shines with its MSEC tool. Indeed, MSEC lets you put security constraints on several system settings and runs daily security checks, which detect changes in system files, system accounts and vulnerable directory permissions, and then sends reports to the user.
  • prevent unknown or unwanted applications from communicating with the outside world by using a firewall that filters incoming but also outgoing connections (however, at some point users will just answer yes to everything, as most of the time they don't know what to answer).
  • monitor system activity for abnormal behaviour … in short, run an AntiVirus/AntiTrojan/AntiMalware … This consumes resources, may generate false positives, and may still miss the malware. No antivirus/antimalware/antitrojan is able to detect 100% of the threats. The best are able to detect at most 90%, and most of them only detect 80%-70% of the threats.
  • or, easier: only install packages from trusted sources. However, are the distributions checking all the code in all of their packages? I don't think so. Are distributions able to provide all the applications that a user may want to use? I don't think so. On top of that, it's easy to become a packager for a distribution, do a good job at the beginning, and, when you are ready, add some subtle changes that will let you install a rootkit or trojan on the users' computers. And you don't even need to do a “rm -fr /” right after the package installation in the %post installation scripts. Just edit root's crontab or put a file in /etc/cron.monthly or cron.yearly. It may be a long time before someone notices that something is wrong in your packages …
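As an added example (not the author's code nor MSEC itself), here is a minimal version of the first check above: a daily script that baselines the hash, owner and permission bits of the cron drop-in directories and account files named on this page, reports anything added, removed or changed since the last run, and flags world-writable directories. The paths in DEFAULT_WATCH are an assumed starting set; adjust them for your system.

```python
import hashlib
import json
import stat
from pathlib import Path

# Assumed default watch list (not from the post): cron drop-in points and account files.
DEFAULT_WATCH = ["/etc/crontab", "/etc/cron.d", "/etc/cron.monthly", "/etc/passwd"]

def _files_under(root):
    root = Path(root)
    return [root] if root.is_file() else ([p for p in root.rglob("*") if p.is_file()] if root.is_dir() else [])

def snapshot(paths):
    """Record permission bits, owner and SHA-256 of every file under the given paths."""
    state = {}
    for p in (f for root in paths for f in _files_under(root)):
        st = p.lstat()
        try:
            digest = "symlink" if p.is_symlink() else hashlib.sha256(p.read_bytes()).hexdigest()
        except OSError:  # unreadable as the current user: still recorded so removal is noticed
            digest = "unreadable"
        state[str(p)] = {"mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid, "sha256": digest}
    return state

def diff_snapshots(baseline, current):
    """Files added, removed, or changed in content, mode or owner since the baseline."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }

def world_writable_dirs(paths):
    """Directories anyone can write to that lack the sticky bit: an easy drop-in point for a trojan."""
    found = []
    for root in (Path(r) for r in paths):
        for d in ([root, *root.rglob("*")] if root.is_dir() else []):
            mode = d.lstat().st_mode
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                found.append(str(d))
    return sorted(found)

if __name__ == "__main__":  # first run stores baseline.json; later runs report drift
    base, now = Path("baseline.json"), snapshot(DEFAULT_WATCH)
    if base.exists():
        print(json.dumps(diff_snapshots(json.loads(base.read_text()), now), indent=1))
        print("world-writable dirs:", world_writable_dirs(DEFAULT_WATCH))
    else:
        base.write_text(json.dumps(now, sort_keys=True))
```

Run it as root from a daily cron job and keep baseline.json somewhere the watched accounts cannot modify, otherwise the same package that plants the cron entry can also rewrite the baseline.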

So the perfect solution doesn't exist. You will have to use a mix of different solutions, but again, the first line of defense is … YOU. Switch on your brain, be smart and careful.

