Not all Linux distributions are created equal. When choosing a Linux distribution, there are several things you need to keep in mind.

You should choose a distribution which stays close to the stable upstream software releases, typically rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.

For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such example) rather than bump the software to the “next version” released by the upstream developer. Some security fixes do not receive a CVE (particularly for less popular software) at all and therefore do not make it into the distribution with this patching model. As a result, minor security fixes are sometimes held back until the next major release.

In fact, in certain cases, there have been vulnerabilities introduced by Debian because of their patching process. Bug 1633467 and DSA-1571 are examples of this.

Holding packages back and applying interim patches is generally not a good idea, as it diverges from the way the developer might have intended the software to work. Richard Brown has a presentation about this.

Even if you are worried about the stability of the system because of regularly updated packages (which you shouldn’t be), it makes more sense to use a system which you can safely update and roll back than an outdated distribution like Debian, which is partially made up of unreliable backport packages and has no easy rollback mechanism in case something goes wrong.

## Arch-based Distributions

Arch Linux has very up-to-date packages with minimal downstream patching. That being said, Arch-based distributions are not recommended for those new to Linux, regardless of the distribution. Arch does not have a distribution update mechanism for the underlying software choices. As a result, you have to stay aware of current trends and adopt technologies as they supersede older practices on your own.

For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for your system, such as adopting a mandatory access control system, setting up kernel module blacklists, hardening boot parameters, manipulating sysctl parameters, and knowing what components you need, such as Polkit.

If you are experienced with Linux and wish to use an Arch-based distribution, you should use Arch Linux proper, not any of its derivatives. Here are some examples of why that is the case:

- Manjaro: This distribution holds packages back for 2 weeks to make sure that their own changes do not break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest libraries from Arch’s repositories.
- Garuda: They use Chaotic-AUR, which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. Beyond that, they promote incredibly bad advice in their official communication channels, such as to keep Secure Boot off because it is somehow bad and evil.

While you should not use outdated distributions like Debian, if you decide to use it, it would be a good idea to convert it into Kicksecure. Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.

There is often some confusion about “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, BlackArch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use.

## Linux-libre Kernel and “Libre” Distributions

Do not use the Linux-libre kernel, since it removes security mitigations and suppresses kernel warnings about vulnerable microcode for ideological reasons.
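The Arch section lists the hardening work that falls on the user: kernel module blacklists, boot parameters and sysctl settings. Since no distribution mechanism verifies these on Arch, it helps to have a repeatable check. The script below is an added example, not from the page or from any distribution; its baseline of sysctl keys, modules and boot parameters is a small illustrative set assumed for the demonstration, and the sample configuration it audits is constructed inline. It also captures one caveat worth knowing: a `blacklist` line in `modprobe.d` only stops alias-based autoloading, while an `install <module> /bin/false` line is what prevents explicit loading.

```python
"""Audit sysctl, modprobe.d and kernel command-line hardening (added example)."""

# Assumed baseline for the demonstration; adapt it to your own threat model.
SYSCTL_BASELINE = {
    "kernel.kptr_restrict": "2",
    "kernel.dmesg_restrict": "1",
    "kernel.unprivileged_bpf_disabled": "1",
    "kernel.yama.ptrace_scope": "2",
    "kernel.kexec_load_disabled": "1",
    "fs.protected_symlinks": "1",
}
MODULES_TO_DISABLE = {"dccp", "sctp", "cramfs", "firewire-core"}
CMDLINE_BASELINE = {"init_on_alloc=1", "init_on_free=1", "slab_nomerge", "vsyscall=none"}


def parse_sysctl(text: str) -> dict:
    """Parse sysctl.conf / sysctl.d syntax: 'key = value' lines, '#' or ';' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def parse_modprobe(text: str) -> dict:
    """Map module name -> 'blacklist' or 'install'; '-' and '_' are equivalent to modprobe."""
    actions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "blacklist":
            actions.setdefault(parts[1].replace("-", "_"), "blacklist")
        elif len(parts) >= 3 and parts[0] == "install":
            actions[parts[1].replace("-", "_")] = "install"  # install overrides blacklist
    return actions


def audit(sysctl_text: str, modprobe_text: str, cmdline: str) -> list:
    """Return sorted findings; an empty list means the baseline is fully met."""
    findings = []
    sysctl = parse_sysctl(sysctl_text)
    for key, expected in SYSCTL_BASELINE.items():
        actual = sysctl.get(key)
        if actual is None:
            findings.append(f"sysctl {key} not set (expected {expected})")
        elif actual != expected:
            findings.append(f"sysctl {key}={actual} (expected {expected})")
    modules = parse_modprobe(modprobe_text)
    for mod in MODULES_TO_DISABLE:
        action = modules.get(mod.replace("-", "_"))
        if action is None:
            findings.append(f"module {mod} can still be loaded")
        elif action == "blacklist":
            # blacklist stops autoloading only; explicit modprobe still succeeds.
            findings.append(f"module {mod} only blacklisted, still loadable explicitly")
    params = set(cmdline.split())
    for param in CMDLINE_BASELINE - params:
        findings.append(f"boot parameter {param} missing")
    if "mitigations=off" in params:
        findings.append("boot parameter mitigations=off disables CPU vulnerability mitigations")
    return sorted(findings)


# Constructed samples standing in for /etc/sysctl.d/*.conf, /etc/modprobe.d/*.conf
# and /proc/cmdline; they are not taken from any real system.
SAMPLE_SYSCTL = """\
# constructed sample
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.unprivileged_bpf_disabled = 0
kernel.yama.ptrace_scope = 2
fs.protected_symlinks = 1
"""
SAMPLE_MODPROBE = """\
# constructed sample
blacklist dccp
install sctp /bin/false
install cramfs /bin/false
"""
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-linux root=/dev/mapper/root rw init_on_alloc=1 slab_nomerge mitigations=off"

if __name__ == "__main__":
    for finding in audit(SAMPLE_SYSCTL, SAMPLE_MODPROBE, SAMPLE_CMDLINE):
        print("FINDING:", finding)
```

To run it against a live machine, concatenate the contents of `/etc/sysctl.d/*.conf` and `/etc/modprobe.d/*.conf` into the two text arguments and pass `/proc/cmdline` as the third; the functions are pure so the same code serves both the constructed sample and real files.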
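The Linux-libre point is about mitigations and microcode warnings that a mainline kernel reports and a stripped kernel may not. Mainline kernels expose one file per issue under `/sys/devices/system/cpu/vulnerabilities`, and several of those status strings name missing microcode explicitly. The following added example (not code from the page or from any kernel project) reads that directory on a live system and otherwise falls back to a constructed sample whose values imitate the real status format; it classifies each entry and lists those that blame missing microcode, which is the information a user should not have hidden from them.

```python
"""Summarise the kernel's CPU vulnerability status files (added example)."""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status: str) -> str:
    """Map one status string to not_affected / mitigated / vulnerable / unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if "Mitigation:" in s:        # e.g. "Mitigation: PTI" or "KVM: Mitigation: VMX disabled"
        return "mitigated"
    if s.startswith("Vulnerable") or ": Vulnerable" in s:
        return "vulnerable"
    return "unknown"


def summarize(entries: dict) -> dict:
    """Group entry names by class and list the vulnerable ones that mention microcode."""
    summary = {"not_affected": [], "mitigated": [], "vulnerable": [], "unknown": [],
               "needs_microcode": []}
    for name in sorted(entries):
        cls = classify(entries[name])
        summary[cls].append(name)
        if cls == "vulnerable" and "microcode" in entries[name].lower():
            summary["needs_microcode"].append(name)
    return summary


def read_sysfs(path: str = SYSFS_DIR) -> dict:
    """Read every status file from a live system; empty dict if the directory is absent."""
    entries = {}
    if not os.path.isdir(path):
        return entries
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), encoding="utf-8") as fh:
            entries[name] = fh.read().strip()
    return entries


# Constructed sample in the format of the real sysfs files: a patched kernel
# on a CPU whose firmware has no microcode update for one issue.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Retpolines; STIBP: disabled; RSB filling",
    "l1tf": "Not affected",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode",
    "itlb_multihit": "KVM: Mitigation: VMX disabled",
}

if __name__ == "__main__":
    live = read_sysfs()
    report = summarize(live if live else SAMPLE)
    print("source:", "live sysfs" if live else "constructed sample")
    for key in ("vulnerable", "needs_microcode", "unknown"):
        print(f"{key}: {report[key]}")
```

An empty `vulnerable` list on a current kernel is the expected state; an entry in `needs_microcode` means the fix depends on a firmware update that the running kernel has not been given, which is exactly the warning a kernel should keep visible.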