
Re: Debian's security features in comparison to Ubuntu



On Sat, May 17, 2014 at 8:44 PM, Patrick Schleizer <adrelanos@riseup.net> wrote:
> Joel Rees:
>>> He told me to use Ubuntu instead. He explained that with the fact
>>> that Ubuntu has more security features enabled than Debian (also
>>> more compiler flags for security) in a fresh install. He gave me a
>>> link to the following site:
>>> https://wiki.ubuntu.com/Security/Features
>>>
>>
>> That's a good list of all the currently fashionable "security"
>> features for Linux. Some of the items in the list are meaningful,
>> some are not. Most might be if you know what you are doing with them.
>> None of the meaningful items in that list are unavailable on Debian,
>> and the defaults are reasonably secure in Debian.
>
> The problem is that Debian lacks a page similar to:
> https://wiki.ubuntu.com/Security/Features

Is that page really useful? I mean, besides as a sort of sales brochure?

> As you can see, that https://wiki.ubuntu.com/Security/Features page
> looks impressive to new users. I guess Debian is losing a few users to
> Ubuntu, because Debian does not have such a page.

I did note that the Debian pages on security are a bit dated.

I suppose I should lend a hand there if I can find the time. How about
you, do you have the time? You don't have to start out understanding
the whole list, you just have to be willing to look up the Debian
packages, learn how their setup works, and write down what you
learned, discuss it on the appropriate lists, then write up some
summaries and submit them. If you do good work, you'll be invited to
assume responsibility for some of the wiki pages.

>> This will be an issue with any OS you
>> choose, even seriously secure OSes like OpenBSD.
>
> Is OpenBSD a seriously secure OS?

I suppose it's easier to get into an OpenBSD server than it is to fly
to the moon, but if you set up an OpenBSD server and keep it updated,
attackers will generally find it easier to try social engineering
instead of attacking the server directly.

Modulo the services you run, but that's true of any OS. If you are
running a hypertext protocol server and it has a hole, you have a hole
in your server.

> Last time I checked, OpenBSD didn't provide signed packages for the
> package manager by default. Using OpenBSD signed packages for updating
> only seemed ridiculously complicated.

Basically, you're supposed to buy the CDs from the project. CDs are a
bit harder to spoof than dns, and they come out every six months.

> http://www.openbsd.org/faq/faq1.html:
> "OpenBSD is thought of by many security professionals as the most secure
> UNIX-like operating system"
>
> Well, for experts eventually, not for normal users!

There is no operating system that is secure for people who aren't
willing to learn how to admin the thing.

> And I am wondering
> which security professionals they are quoting and from when these quotes
> are.

Search the web.

>> Do not surf the web as root or as any administrator login id, of
>> course.
>>
>> Speaking of admin login ids, it's a good idea to have one non-root
>> login id that you only use for administrative tasks. And you should
>> avoid getting onto the web when logged in with the admin id. Which
>> means you need another id for general use, which makes two strong
>> passwords, three if you allow root login.
>
> After reading the following blog post
>
> http://theinvisiblethings.blogspot.fr/2011/04/linux-security-circus-on-gui-isolation.html
>
> it seems to me that user account level isolation isn't very strong.

That's why you don't surf the web as an admin user.

There are lots of things I left out, to avoid dropping an elephant on
the list. One is that you should avoid X11 user switching in general,
and especially when you are doing admin work.

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.
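The thread argues about which distribution ships "more compiler flags for security" without anyone being able to check a given binary. The script below is an added example (not from this thread, not a Debian or Ubuntu tool) that reads the ELF headers of a binary directly, with no binutils dependency, and reports the build-time features that the Ubuntu Security/Features page lists: PIE, a non-executable stack, RELRO and the stack protector. The PIE, NX and RELRO checks follow the ELF program-header definitions; the stack-protector check is a heuristic (it looks for the `__stack_chk_fail` symbol name in the file) and is labelled as such. `build_sample_elf` constructs a minimal ELF image purely as test input; it is not a real program.

```python
"""Report compile-time hardening features of an ELF binary.

Added example, not part of the mailing-list thread. Run it on any
binary on your own machine:  python3 elf_hardening.py /usr/bin/ls
The stack-protector result is a heuristic, see hardening_report().
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2
ET_DYN = 3                     # shared object, or a PIE executable
PT_GNU_STACK = 0x6474E551      # stack permissions requested from the kernel
PT_GNU_RELRO = 0x6474E552      # region made read-only after relocation
PF_X, PF_W, PF_R = 1, 2, 4


def elf_program_headers(data):
    """Return (e_type, [(p_type, p_flags), ...]) parsed from an ELF image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"        # EI_DATA: 1 little, 2 big
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    if data[4] == 2:                             # EI_CLASS: 2 = ELFCLASS64
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        fmt, flags_idx = endian + "IIQQQQQQ", 1  # p_type, p_flags, ...
    else:                                        # ELFCLASS32
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        fmt, flags_idx = endian + "IIIIIIII", 6  # p_type, ..., p_flags, p_align
    headers = []
    for i in range(e_phnum):
        fields = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        headers.append((fields[0], fields[flags_idx]))
    return e_type, headers


def hardening_report(data):
    """Return a dict of PIE / NX stack / RELRO / stack-protector findings."""
    e_type, phdrs = elf_program_headers(data)
    stack_flags = [f for t, f in phdrs if t == PT_GNU_STACK]
    return {
        # PIE executables are linked as ET_DYN so the loader can relocate them
        "pie": e_type == ET_DYN,
        # Without a PT_GNU_STACK entry the kernel grants an executable stack
        "nx_stack": bool(stack_flags) and not (stack_flags[0] & PF_X),
        # PT_GNU_RELRO marks what ld.so remaps read-only after relocation
        "relro": any(t == PT_GNU_RELRO for t, _ in phdrs),
        # Heuristic: canary-protected code imports __stack_chk_fail; a binary
        # built with -fstack-protector but no protected functions will not
        "stack_protector": b"__stack_chk_fail" in data,
    }


def build_sample_elf(pie=True, nx=True, relro=True, canary=True):
    """Constructed test input (not a real program): a 64-bit little-endian
    ELF image holding only the headers that hardening_report() inspects."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LE, v1
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 62, 1, 0,   # e_type, e_machine, e_version, e_entry
        64, 0, 0,                               # e_phoff, e_shoff, e_flags
        64, 56, len(phdrs), 64, 0, 0)           # e_ehsize, e_phentsize, e_phnum, ...
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                    for t, f in phdrs)
    trailer = b"\x00__stack_chk_fail\x00" if canary else b"\x00"
    return ehdr + body + trailer


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, hardening_report(fh.read()))
```

On a Debian system this is a quick way to see, per package, whether the hardening the thread talks about actually reached the installed binary; a binary that reports `pie: False` or `nx_stack: False` is a candidate for a closer look, not by itself a vulnerability.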
