Hardening Linux is non-realisitic for end users

I have often come across comments that although Linux is insecure and it can be made secure or “hardened”. Sadly some generic hardening guide you stumbled upon are not enough to fix any of these massive security issues. Restricting a few nominal things such as setting some boot parameters is not going to fix this. A few generic security features distributions deploy is not going to fix this. Fedora enables a MAC framework (SELinux) by default but without creating a strict policies and running most processes unconfined does not help.

Another thing I would like to add is that SELinux policies is not something for everyone. For anyone wanting to learn it, here is a Github link for you to try some stuff.

The hardening required for a reasonably secure Linux distribution is far greater than people assume.You would need to completely redesign how the operating system functions and implement full system MAC policies, full verified boot (not just for the kernel but the entire base system), a strong sandboxing architecture, a hardened kernel, widespread use of modern exploit mitigations and plenty more. Even then, your efforts will still be limited by the incompatibility with many of the apps you may use and with the rest of the desktop Linux ecosystem and the general disregard that most have for security.

For the average person looking for Privacy and security, just use Windows,MacOS or ChromeOS and turn off telemetry. If you are skeptical, run Wireshark to analyze network connections. If you are someone who is a bit more advanced, you may try Qubes. Don’t assume Qubes is perfect

Please see - https://madaidans-insecurities.github.io/

posts an article from 2010.


Actually about this: Some people (including me) in the Gentoo hardening room are thinking about ways to “fork” Gentoo with as many security features as possible. Let’s hope that we’ll be able to actually get to a usable point some time in the near future…

1 Like

Underrated article.

BTW Qubes have upped their security and Joanna is no longer strongly associated with Qubes these days. She still writes some blogs and some stuff but they are largely irrelevant.

Yeah and as Brad pointed out SELinux Zealots should die.

Linux has some security problems, but recommending people to use Windows, MacOS or ChromeOS as a viable alternative (“turn off telemetry”? lol) seems a little disingenuous.
The article you linked has some good points for sure but a lot of it is issues that are/being resolved (are we really still bringing up “Flatkill”?) or entirely present in the other operating systems you mentioned, on top of all of the other issues they got going on over there.

1 Like

Feel that one too, these discussions always feel a bit black and white. Sure Linux has some security problems, but lets not act as if Windows is any better against malware. And yeah you cant really just „disable telemetry“, you can debloat some stuff but never be 100% sure. Not an expert in any way so nobody get mad pls

1 Like

I don’t agree on that. Turning off Telemetry and use Windows, MacOS or ChromeOS is not enough. From my experience it takes way more effort to secure (if it’s even possible) those platforms. I also doubt that the average user is also able to analyze network connections with Wireshark.

In the end you are not even admin of your own system on a walled-system as Windows or MacOS.
Installing most Linux systems is quite easy nowadays for the average person. I would also say, just using Linux (even without hardening) is a step into the right direction.

But you are right, it comes to issues, when people would like to harden their system.
Therefore I am working on an Ansible script together with someone else for a while, so that all the user would need to do is typing two sentences in a terminal window. So easy and usable install scripts are still missing and maybe someone feels inspired to create or start one as well (cause I don’t think mine would fit them all).

I’m gonna paste my Reddit comment here:

The #1 privacy threat is the user itself. Imagine that user using an operating system whose security level entirely depends on the user…Yes, security and privacy are two different things, but often they’re closely tied together.

On another note, macs are more secure OOB than Linux is. There’s a lenghty article on this topic, which I’m unable to pull up right now, as I haven’t saved it. (EDIT: Someone linked it already in a response)

I do support Linux and it’s vision, but the fact of the matter is that it’s very far from a friendly user environment, even if you use one of those distros that swear by user friendliness. Maybe the UI is user-friendly, maybe it has pre-installed apps, and it may be user-friendly for a very basic user who only double clicks the web browser to browse the internet, and plays a media file here and there. But for those like me, who knows how to develop websites, yet I hate tinkering with my tools to work the way I need them to, a friendly UI is not gonna make my UX anything near great when installing a virtual audio mixer and routing the signal from my DAW which works via emulation to another unsupported creative software. — just for one simple example. So power users are fckd. We are literally required to learn to type commands in 2022, to manage doing anything little more complex I just described. Some may not have a problem with that… Most do, I believe. Creatives just want their tools to work, or the flow ceases and we’re out of the loop.

Prior to finding the sweet spot for myself in the privacy space, I actually did try to switch to Linux, and quickly realized what I just described…

Linux is a very robust OS, and it surely has it’s place, but you are required to overlook far too many things as a power user who doesn’t want to tinker with it. Being a very basic user, maybe…. but even that is a problem, as they likewise can’t keep their OS secure. It’s almost like an OS for programmers and nerds. Well, you can certainly smell that it’s baked by a team lacking anyone else with a different expertise. Macs are there where they are, as Apple (I’d imagine) spends nearly the same amount on software engineers and UI / UX designers. But that is another topic, anyway.

Not to get off-topic, but I think that creatives are the last major hurdle for Linux to overcome to be able to work for most people. It works for the average user who mainly uses a browser, for the IT person, and increasingly for the gamer. But no Adobe suite will likely continue to mean no big push for creatives in Linux unless something big changes.

Yep, that’s facts.

For sure most artists at least from what I know by watching youtube swear by the Apple ecosystem. And who can blame them when they have all the apps they could ever want, a seamless experience, and 5k displays to see their art in a consistent manner.

You’re probably right?

You should clarify if you are targeting the security of OS’s or the privacy of them. I assume you are talking about security; theoretically Windows and MacOS should be pretty darn secure because they have enormous funding behind them but from what I’ve heard on techlore and privacyguides and on youtube in general MacOS seems to beat Windows in this department. The sandboxing seems great, full disk encryption is solid, backups are painless, I don’t know about updates but I’d imagine they are easy to install as well. For a beginner and even for nontechnical parents MacOS might be a decent recommendation.

Big tech begone spray.

Now for the folks that want an OS without big techs grubby little fingers linux is the only option they have and is what I use Fedora is one of the only decent options, but one could also tinker with an arch system if they fancy a bit more fine tuning. I can confidently say that beginners and intermediate users should not chose anything other than Fedora if you value privacy and security, you would not believe how many distributions don’t offer easy luks installs or a GUI to decrypt your hard drives like fedora does. Trust me you don’t want to be missing such a basic feature, security should be easy and Fedora makes it easier but not easy at least not yet. If you’re advanced go with arch all the way you can definitely handle it. I can’t verify most of the claims about linux being insecure because I genuinely don’t know but I know that Linus Torvalds is notorious for refusing security upgrades to the kernel which is alarming to say the least. Linux can still be used for privacy but the security risks should be noted.

The discussion on OS hardening is somewhat pointless, most people don’t get hacked by someone deploying at 0-day exploit or something similar.

Some people get tricked into installing malicious software, we are talking about users literally hacking themselves. The majority don’t even get their system compromised, they just don’t use MFA and once their email and password is known it’s trivial to use that information to access other services.

No amount of hardening is going to protect you from human stupidity, most users just ignore warnings and if they can’t be ignored they want them turned off.

Indeed, it really depends on what you protect and against what. If you want to protect your social media or cloud services from being ransomed it doesn’t really make sense to nerd out on the state of your OS kernel security. Or at least: to begin with.

While the Original Article was a FUD aurticle, there were some truth to it and “EvilSkeleton” here agrees partially.

1 Like

I agree with the sentiment lol (username).

security does not mean shit without privacy

You don’t make any sense but whatever.

I just like to think of it as a lock and a curtain. The lock is security. The curtain is privacy. Now if an adversary is going after your safe a curtain merely gives you privacy it doesn’t guard the safe. A lock however guards it against them and needs extra resources to break wasting valuable time for the attacker. Someone like your big tech company may have their own key to the lock but they are authorized to do so because you’re using their servers. If there was a curtain they wouldn’t know there was a lock in the first place and even if they did it’s locked. In tandem security and privacy are a strong duo but without security your privacy will have a very weak base to stand on if that makes sense.

1 Like