I secure systems for my day job. That means installing AV software, ensuring Windows Firewall is ON, etc. (Plus many other things…)
I’ve seen discussions around disk encryption here, but I don’t recall much about a malware protection. Maybe a little about personal (desktop) firewalls.
I’m aware of Clam, etc, but is anyone actually using these tools much?
Or are we just presuming we’re all immune from the bad guys targeting Windows?
Scanning for malware is not really that effective and it probably shouldn’t be relied upon. For Linux systems themselves I would look into SELinux as it can tightly control privileges.
Also many features of legitimate software could be considered malware. That includes things like Google analytics and DRM.
Computing practices (like installing packages from trusted maintainers and the deliberate use (through filling in passwords) for granting privileged access etc.) on Linux are different from those on Windows. This already ensures that (simply by virtue of using Linux as it’s intended) a Linux user is protected from complete classes of attacks.
Furthermore, the average Linux user is a lot more computer savvy compared to the average Windows user. And I haven’t even mentioned the focus on FOSS, the security benefits through obscurity etc.
Of course, Linux isn’t impenetrable. In fact, one might argue that its security frameworks on desktop are lacking compared to macOS and perhaps even to Windows (S mode).
Nonetheless, Qubes OS (i.e. the world’s most secure desktop OS) heavily relies on and utilizes Linux to do its bidding.
To conclude, there’s a lot of nuance to secure computing on Linux. But as long as its user (i.e. the biggest attack vector) holds on to best practices, it should be more than safe. Unless…, you seek protection against sophisticated adversaries and their targeted attacks. At that point, I wouldn’t trust any desktop OS besides Qubes OS anyways.
AV software is usually the antithesis of security.
Up-to-date software and especially not giving every random binary you find on the web execution permissions seemed to be much more effective.
On Linux, you install things from a repository, which makes it harder to install or execute a malicious binary. This reduces the risk of running binaries from unknown sources on the internet. The risks are minimal if you keep your system always up to date, and on Linux that is easier than on Windows: a single command updates each and every component on your system.
- On Linux, you don’t download random stuff from the internet, e.g. a new browser. You get it from a central source, usually package manager, where it is verified and secure.
- Most stuff is open source, therefore we can check if it does weird stuff. Proprietary software is often seen critically in our community.
- Linux has more granular permissions. There’s no “allow nothing” (but still too much) or “give random software access to the whole device” like on Windows. Linux software is written to need only as many permissions as needed, but not much more.
- Containers are big and crucial, especially when immutable distros grow more popular (even better security!). Many of us use Flatpak because of those pros. With them, we can give or remove every permission, like network access, file system, etc.
- Antivirus is almost useless, it won’t always work reliably, see it more as an additional measure. Many AVs are close to being malware themselves. They may act as an indicator, but not as a safeguard for viruses.
- If you share stuff with people using Windows, ClamAV is still handy.
- We aren’t safe from viruses too, but we try to minimize our attack vector as much as we can with those methods mentioned above.
- Windows viruses can still be executed with WINE, so use Bottles (container for WINE) when running Windows software.
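The Flatpak point above ("we can give or remove every permission") is easiest to act on if you can see which permissions an app ships with. The following is an added example, not code from this thread or from the Flatpak project: it parses the `[Context]`-style key=value;value; text that `flatpak info --show-permissions <app>` prints (the output shape is assumed here from the flatpak-metadata format), flags the entries that widen the sandbox, and builds the matching `flatpak override` flags. The app ID and its permissions are constructed for the example.

```python
"""Audit Flatpak sandbox permissions and suggest tightening overrides.

Added example (not the thread's or Flatpak's own code). Input format assumed
to match `flatpak info --show-permissions`, i.e. the metadata [Context] and
[Session Bus Policy] sections with semicolon-separated values.
"""
import configparser

# Constructed sample of what `flatpak info --show-permissions org.example.Editor`
# might print for a hypothetical app (app ID and permissions are made up).
SAMPLE_PERMISSIONS = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=all;
filesystems=home;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
"""

# Values that effectively punch through the sandbox (judgement call based on
# what each permission grants according to flatpak-metadata(5)).
RISKY = {
    "sockets": {
        "session-bus": "unrestricted session D-Bus access",
        "system-bus": "unrestricted system D-Bus access",
        "x11": "X11 does not isolate clients (input snooping, screen capture)",
    },
    "devices": {"all": "all of /dev: cameras, block devices, USB"},
    "filesystems": {
        "host": "entire host filesystem",
        "home": "entire home directory",
        "host-os": "host /usr",
    },
    "shared": {"network": "network access"},
}
# The flatpak override flag that removes a value from each [Context] key.
REMOVE_FLAG = {"sockets": "--nosocket", "devices": "--nodevice",
               "filesystems": "--nofilesystem", "shared": "--unshare"}
# D-Bus names that let a sandboxed app have the host run things for it.
RISKY_BUS_NAMES = {
    "org.freedesktop.Flatkit": None,  # placeholder slot, unused
}
RISKY_BUS_NAMES = {
    "org.freedesktop.Flatpak": "can spawn commands outside the sandbox",
}


def parse_permissions(text):
    """Return {section: {key: [values]}} from the key=val;val; format."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the case of keys such as D-Bus names
    cp.read_string(text)
    return {
        section: {key: [v for v in raw.split(";") if v] for key, raw in cp.items(section)}
        for section in cp.sections()
    }


def audit(text):
    """Return (findings, overrides): findings are (permission, why it matters),
    overrides are the `flatpak override` flags that would remove them."""
    perms = parse_permissions(text)
    findings, overrides = [], []
    ctx = perms.get("Context", {})
    for key, table in RISKY.items():
        for value in ctx.get(key, []):
            if value in table:
                findings.append((f"{key}={value}", table[value]))
                overrides.append(f"{REMOVE_FLAG[key]}={value}")
    for name, policy in perms.get("Session Bus Policy", {}).items():
        if name in RISKY_BUS_NAMES and policy and policy[0] in ("talk", "own"):
            findings.append((f"session-bus {name}={policy[0]}", RISKY_BUS_NAMES[name]))
            overrides.append(f"--no-talk-name={name}")
    return findings, overrides


def override_command(app_id, overrides):
    """Build the per-user override command for the flags audit() produced."""
    return "flatpak override --user " + " ".join(overrides) + " " + app_id


if __name__ == "__main__":
    found, flags = audit(SAMPLE_PERMISSIONS)
    for permission, reason in found:
        print(f"{permission:45s} {reason}")
    print(override_command("org.example.Editor", flags))
```

The overrides are per-user (`--user`), so they do not touch the system-wide installation, and an app whose UI breaks without X11 or a home-directory portal can be given back exactly that one permission rather than everything at once.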
On Linux, you don’t download random stuff from the internet, e.g. a new browser. You get it from a central source, usually package manager, where it is verified and secure
Devs tend to make strong use of packages on GitHub, PyPi etc which have been targeted quite a bit with malware. Malicious snaps and
Linux software is written to need only as many permissions as needed, but not much more.
Hooboi. Depends on who writes the software. There are plenty of dumb devs for either OS, and I’ve had to yell at many for requiring their commercial software (built in Java with an X11/web front-end and exposed listening ports) run as root, usually because they didn’t want to figure out the permissions needed to access a device. There’s a surprisingly narrow intersection of devs who understand OS security and networking.
Linux is usually always updated because of the central update mechanism, so that vulnerabilities are fixed very quickly
For OS packages, sure, but are all your Docker containers, snaps, flatpaks, and appimages updated whenever one of the underlying libraries had a significant vulnerability? How about that PPA, or the stuff you compiled from source a year ago?
Because people are increasingly using those for software not available on the base repositories
Linux users often have a false sense of security that leads them towards insecure practices, often for the same reasons as Windows users (I just want it to do X and work). While traditional signature-based antivirus doesn’t help much for either OS, there are plenty of other controls to fill the space that most people/organizations can - but don’t - implement on either OS.
On Linux, that includes strict management/review of software+code sources, SELinux/AppArmor enforcement, remote logging+review, and much more. These often conflict with Linux devs’ idea of “freedom” and thus are a hard sell.
the RHEL machines at work are terrible specifically because of McAfee AV
Immutable distros aren’t considered secure or reliable by the industry. You need SELinux to secure a device properly.
Definitely. Having SELinux or AppArmor is very important.
Image based distros still offer some security and reliability benefits, because they are reproducible and therefore issues can be fixed quicker and easier. Also, at least now, due to the read-onlyness of the core parts of the OS, you can’t install malware as easily.
I don’t really bother with AV on my linux system. What I do is just use trusted software from my repos and run containerized applications.
What I am currently working on is using secure boot with a Unified Kernel Image (already doing that) that boots into a read-only /usr/ partition with verity + signature (one UKI only loads a certain partition with a specific signature, or nothing at all). Any other things I need I create as a systemd-sysext that gets overlaid on top of /usr/ (also read-only) or they get installed as flatpak. For development I would just be using nspawn containers and podman/OCI containers for services that are outside of the other scopes. This is all based on https://0pointer.net/blog/fitting-everything-together.html which is a nice write-up of what I am doing/following.
That already covers a lot of different attack vectors by just not having my system be modifiable outside of my control or apps just being containerized.
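The "verity + signature" part of the setup above rests on one idea: every block of the read-only /usr image hashes up into a single root hash, and the signed UKI only accepts a partition whose root matches. The block below is an added illustration of that hash tree, not code from the thread author, systemd or dm-verity (the real on-disk layout has salts, superblocks and kernel-side caching that are left out here); it builds a tree over a constructed 16 KiB "image", verifies blocks the way the kernel does on read, and shows that neither flipping a byte nor regenerating the whole tree gets past a pinned root.

```python
"""dm-verity-style hash tree over a block image (added example, simplified).

Not systemd's or the kernel's code: block size and sha256 match dm-verity's
defaults, but salt, superblock and hash-block padding are omitted for clarity.
"""
import hashlib

BLOCK = 4096                 # dm-verity's default data and hash block size
HASH_LEN = 32                # sha256 digest length
PER_NODE = BLOCK // HASH_LEN  # child hashes that fit in one hash block (128)


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _blocks(image: bytes):
    """Split the image into BLOCK-sized chunks, zero-padding the last one."""
    chunks = [image[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(image), BLOCK)]
    return chunks or [b"\0" * BLOCK]


def build_tree(image: bytes):
    """Return (root_hash, levels). levels[0] holds one hash per data block;
    each higher level hashes groups of PER_NODE hashes from the level below
    until a single root remains. This is what `veritysetup format` stores."""
    level = [_h(b) for b in _blocks(image)]
    levels = [level]
    while len(level) > 1:
        level = [_h(b"".join(level[i:i + PER_NODE])) for i in range(0, len(level), PER_NODE)]
        levels.append(level)
    return level[0], levels


def verify_block(image: bytes, index: int, levels, root: bytes) -> bool:
    """Check one data block the way the kernel does on read: hash it, then
    walk upward through the stored hash blocks and compare the recomputed
    parent at each step, finishing against the pinned (signed) root."""
    digest = _h(_blocks(image)[index])
    for depth in range(len(levels) - 1):
        if levels[depth][index] != digest:   # stored hash disagrees with data
            return False
        group = index // PER_NODE
        siblings = levels[depth][group * PER_NODE:(group + 1) * PER_NODE]
        digest = _h(b"".join(siblings))      # recompute the parent hash block
        index = group
    return digest == root                     # only the root is trusted a priori


def demo():
    """Constructed 16 KiB image (4 blocks); returns the three verification
    outcomes a reader would expect: intact, tampered, tampered+rebuilt tree."""
    image = bytes(range(256)) * 64
    root, levels = build_tree(image)
    tampered = bytearray(image)
    tampered[5000] ^= 0x01                    # one bit flipped inside block 1
    tampered = bytes(tampered)
    intact_ok = all(verify_block(image, i, levels, root) for i in range(4))
    tampered_ok = verify_block(tampered, 1, levels, root)
    # An attacker who can also rewrite the hash partition still cannot match
    # the root hash embedded in the signed UKI.
    _, rebuilt = build_tree(tampered)
    rebuilt_ok = verify_block(tampered, 1, rebuilt, root)
    return intact_ok, tampered_ok, rebuilt_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The practical consequence for the setup above is that the root hash is the only thing that needs to be protected, and embedding it in the signed UKI does exactly that; the hash partition itself can live unsigned next to the data.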
Or are we just presuming we’re all immune from the bad guys targeting Windows?
Kind of, yes. You can install Microsoft Endpoint Security on managed devices, but most Linux people don’t run any decently capable antivirus. They just assume they’re technically skilled enough not to fall for common virus infections, and pretend the execute bit will protect them from all malware.
Firewalls are common, though. Almost always, they’re configured to allow all outgoing traffic and limit incoming traffic, but there are tools that will also restrict outgoing traffic that are packaged with various distros.
Luckily, almost nobody uses Linux, so the common malware doesn’t really target Linux users. There is some malware that targets developers (often through dependency management tools like npm/pip/cargo) and I don’t think many Linux developers bother to protect against them.
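The "malware that targets developers through npm/pip/cargo" point above has one cheap, well-understood control on the pip side: pin every dependency to an exact version and a hash, and install with `pip install --require-hashes -r requirements.txt`, which refuses anything unhashed. As an added example (not code from this thread or from pip), the block below reviews a constructed requirements file and reports the entries that a hash-pinned install would reject: floating version ranges, pinned versions without a hash, and VCS/URL sources not tied to a full commit.

```python
"""Flag requirements.txt entries that are not pinned to a version and a hash.

Added example, not pip's own code. The sample file, package versions and the
hash value are constructed for the example.
"""
import re

SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests>=2.0          # floating range: the resolver may pick a brand-new release
urllib3==2.2.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
cryptography==42.0.5
git+https://git.example.org/tool.git#egg=tool
"""

HASH_OPT = "--hash="
NAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?")
EXACT_PIN = re.compile(r"==\s*([^,;\s]+)")
COMMIT = re.compile(r"@[0-9a-fA-F]{40}(?:[#\s]|$)")   # VCS URL pinned to a full sha1


def logical_lines(text):
    """Yield requirement lines with comments removed and backslash
    continuations joined, so `--hash` options end up on the same line."""
    buf = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()   # '#egg=' has no space before it
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def check_requirements(text):
    """Return {requirement: [problems]} for entries that a hash-pinned
    install policy would reject; fully pinned entries are not listed."""
    problems = {}
    for line in logical_lines(text):
        if line.startswith("-"):         # -r, -c, --index-url and friends
            continue
        tokens = line.split()
        req, opts = tokens[0], tokens[1:]
        issues = []
        if "://" in req or req.startswith(("git+", "hg+", "svn+", "bzr+")):
            if not COMMIT.search(req):
                issues.append("VCS/URL source not pinned to a full commit hash")
        else:
            name = NAME.match(req)
            spec = req[name.end():] if name else req
            pin = EXACT_PIN.search(spec)
            if not pin or "*" in pin.group(1):
                issues.append("no exact version pin (==)")
        if not any(o.startswith(HASH_OPT) for o in opts):
            issues.append("no --hash, so pip --require-hashes would refuse it")
        if issues:
            problems[req] = issues
    return problems


if __name__ == "__main__":
    for requirement, issues in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(requirement)
        for issue in issues:
            print("   -", issue)
```

Hashes for a fully pinned file do not have to be typed by hand: `pip hash` prints the digest of a downloaded wheel, and pip-tools' `pip-compile --generate-hashes` emits a complete hashed file from a loose list of top-level dependencies.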
Number 1.
Threat model.
Then you can ask specific questions.
<Or are we just presuming we’re all immune from the bad guys targeting Windows?>
Yes, I find that does tend to be the attitude among most Linux articles/videos/etc I see on the subject. There’s some truth to it, in that from what I understand Linux is immune to much of it, but it’s not entirely true. Malware for Linux does exist, so IMO people should not be as complacent about malware as many seem to be, but the community based open-source nature of most Linux software helps mitigate it SOMEWHAT (NOT entirely, because it’s dependent on trusting the community to both want to defend against it and have the skill to do so). Unlike Windows malware defense (to a degree, Windows patches have gotten leagues better than in the past), the primary way Linux stops malware is removing vulnerabilities before they can be exploited. It’s another reason you won’t see nearly as much Linux malware showing up as on Windows: it can’t spread if there’s no exploit to spread through. I do still run Clam and a firewall primarily for my own peace of mind because on my system aside from Clamd using a crap-ton of RAM they don’t really slow it down to a visible degree. Long story short, Linux malware is indeed much rarer than Windows malware, but it does exist and I’m not keen on Linux media people giving the impression that security isn’t something to watch for with Linux for the average user.
The biggest threat on Linux is social engineering. It doesn’t take much to get someone to open a file on Linux.