The many facets of Linux security

Author: Joe 'Zonker' Brockmeier

As we’ve seen in the last several days, there’s a lot going on in the Linux community with regard to security. In this series of articles we’ve covered SELinux, AppArmor, Bastille, how vendors’ secure distributions deal with security, and looked at the progress the US Department of Homeland Security is making in its “vulnerability discovery and remediation open source hardening project” — and that’s just the tip of the iceberg.

There is, of course, plenty of work left to be done. As Mayank Sharma points out in his AppArmor article, AppArmor has not been adopted in many distros outside of SUSE and openSUSE, and SELinux is not exactly easy to configure. Still, both security frameworks are making headway, and lots of organizations are using them to help secure their systems.

Though AppArmor and SELinux address a number of problems, there’s just no magic software you can install to keep your system 100% secure. As security expert Kurt Seifried noted, every administrator needs to have “a degree of security knowledge” to be able to run a system or service safely. Even with all patches applied and SELinux or AppArmor enabled, a poorly configured system can be a recipe for disaster.

One way to become more knowledgeable is to use Bastille. As Bruce Byfield pointed out last week, Bastille not only helps lock down a system, it also offers an assessment tool to inform you why the system may not be secure and how to correct that.

Byfield also covers “the forgotten side of security” and shows why system security is in such a sorry state to begin with. Byfield quotes Dan Razzell, president of Starfish Systems, as saying that it’s “entirely possible” to create and run a secure OS — but “there’s a huge gap between the best practices that industry uses and what people settle for as consumers. And it exists for no other reason except complacency.”

Obviously, security is a huge topic, and we have not covered every aspect of security with Linux and open source software. We will be revisiting security with another series of articles in 2007, touching on topics including how to secure your system by setting up a firewall, hardened Linux distros such as EnGarde Secure Linux, and much more.

We would, of course, like to hear from you about what you want to see covered. Feel free to email us or leave a comment about topics that interest you. Want to see a series on package management in 2007, or how about storage, or voice over IP (VoIP)? We’re all ears, so speak up and we’ll do our best to deliver the kinds of stories that you’re looking for.