cross-posted from: https://piefed.world/c/uncommon/p/1089778/linux-is-actually-very-vulnerable-to-exploits-and-it-s-showing-with-high-value-vulnerabi

I hate when people keep repeating the myth that Linux is more secure than X OS without any understanding of how much Linux gets exploited.

On the other hand, FreeBSD rarely suffers from wide security issues.

Overall, I don’t think anyone should repeat the myth that Linux is secure.

And at least if they gonna recommend Linux, they better recommend a good distro with SeLinux, hardened kernel and hardened OS.

  • N.E.P.T.R@lemmy.blahaj.zoneEnglish
    51·
    1 day ago

    What does it mean to “make Linux secure”? What does secure mean to you (genuine question). I see people say they can make Linux secure but from what kinds of attacks. I think madaidan’s blog explains why you can’t as an individual fix an issue with the entire ecosystem, or fix the kernel of its inherent security flaws https://madaidans-insecurities.github.io/linux.html

    I think “good security” in my personal opinion means that even if you try to run a malicious app, it either crashes out right or can’t do anything because it doesn’t have the permission to.

    One thing that I think is very misunderstood is that messy or extremely large/dense code can be very hard to understand, even if you have the source code. Like systemd, it is several million lines of code and is very tangled together. Is it that much better than a blackbox if no one can audit the whole thing (unless you are a massive team)? I do think it is better to have source code and documentation, but vulnerabilities arise from unintended interactions in the code. The more code there is, the higher the chance of this happening.

    • Mikelius@lemmy.ml
      1·
      2 hours ago

      My response to the other person kind of explains some of the things I do to keep my devices secure. As for what it means to me: being able to control everything to be able to define level of access. I try to treat every device on my network as though it’s already compromised. How can I block the scope of the devices from spreading on the network? How can I limit the scope of damage for what’s available on the compromised device to a minimum? Heavy firewall configurations help limit the devices spread to. Encrypting private data such as contracts, government docs, etc into their own containers or partitions helps limit leaks. Alerts and dashboards on unexpected changes of any devices allows me to react quickly, of automation hasn’t already reacted for me.

      You’re right in the fact I’m not going to look at millions of lines of code for many tools and such I use. It doesn’t mean I don’t look though. Being given the option to look at what I’m running is always better to me than not having it, in my opinion