Is Lynis' hardening index relevant for desktop systems or only for the servers?

I have been testing some of my installed systems with a couple of different distros with Lynis.

On a fresh install of Vanilla Arch (by the letter of ArchWiki, plus minimal Gnome) I got a hardening index of 60. For an openSUSE (Tumbleweed) system, I had 87!

  Lynis security scan details:

  Hardening index : 87 [#################   ]
  Tests performed : 254

I was, to say the least, a bit disappointed about Arch’s score.

Have you guys ever used this tool to audit your systems?
Is the tool relevant to get a picture of the weak/vulnerable parts of the system on desktop systems?
Do you know of similar tools for assessing the security of Linux systems?

And more importantly, what are your tips and tricks to harden your systems for security?

I am not concerned primarily with privacy here, but I would like to learn how to achieve the best ratio between security and usability, with a focus on the former.

I'm not surprised.

Arch generally just uses upstream defaults for most things, to my knowledge. Linux on defaults generally isn't some security utopia; it takes some work. If you want a hardened system you have to do it yourself in Arch. SUSE and Fedora/Red Hat tend to have harder defaults, but this comes with performance penalties depending on the situation.

Some good info on hardening Arch is here:
https://wiki.archlinux.org/title/Security

1 Like

A generic security score isn’t that meaningful.

What is important is what makes up the score and how those issues apply to your personal threat model.

In other words, trying to make some number higher isn’t the right approach. You need to investigate the issues and understand how the risks apply to your situation.

1 Like

That was my understanding as well after comparing the results for some distros.
I don't mind losing some performance if I could get a system that by default comes with better security.

Thanks! I have been looking at this a bit and have already implemented some of the suggestions there.

Also, now that I think of it:

Another thing about system security that people often overlook is physical security. It frequently doesn't matter how hardened your software is if an attacker can get physical access to a machine.

When it comes to security you need to figure out what your threats are so you can do targeted security. You can't make a system 100% safe, BUT if you want to secure it vs specific threats you may have, then you can be reasonable.

Before you do anything take a step back, list out your threat vectors, then figure out which are the highest priority. Work down your priority list to figure out the most effective means of threat mitigation.

EDIT: Also be prepared to maintain your security setup; it's gonna require a higher degree of system maintenance vs a more generic setup. Hardened systems are always more work to keep up with.

2 Likes

Don't just implement things in that list though; you need to know the what and why of implementing it. Just doing things in that wiki won't make you more secure. The biggest threat to your system is you, and if you don't have a specific set of threats to target then you may just make your system needlessly more difficult to use.

The #1 threat to any system is the user(s); keep that in mind through your security process.

1 Like

At this point, it is more of a “theoretical” exercise rather than being subject to an immediate threat.

However, I would like to learn, in time, what measures are to be taken to have a locked-down system which could divert the most common threats out there. To keep the system's vulnerabilities that might be exploited, to the extent possible, to a minimum.

I am at the very first steps of this journey.

The problem is you need to define what the “common threats” are. This is going to heavily depend on the system, how many users, who the users are, what the machine is used for, etc.

The common threats for your system may not be the same as mine nor will they be the same as for a corporate workstation, etc.

A more cautious/knowledgeable user will be subject to a different set of common threats vs someone else.

1 Like

You are right. I would perhaps need to first make an assessment of what I need to protect and from what/whom.

1 Like

Lynis performs something like over 250 tests on different components of the system.
I'm not sure how the number is reached and how it relates to the rather long list it produces of vulnerable and weak areas of the system.

They could be anything from systemd services, most of which are classified as “unsafe”, to directory permissions, mount point options for the filesystems, firewall configuration, etc. …

This is what I actually am trying to learn to do.

In my rather short “investigation”, I have come across the following site, among a few others.
Most of the suggestions there are beyond me at the moment, but I put it here in case you guys take some interest in looking at it and commenting on it:

https://madaidans-insecurities.github.io/
https://madaidans-insecurities.github.io/guides/linux-hardening.html

IMO Linux hardening is not necessary from a workstation perspective. On Linux, the components that get exploited are usually internet-facing services, i.e. ssh, apache; if you don't have them then all you need is common sense and maybe drive encryption.

You may be right from a practical perspective.

When I look at, for example, a systemd service, XYZ.service, which gets classified as unsafe using a systemd tool, namely systemd-analyze:

  systemd-analyze security XYZ.service

then this makes me wonder what it means for this service to be unsafe, what makes it unsafe, and if there are measures to be taken which can better its state of “unsafety”.

What I think is more like:
Look, we have a system here, we know it has many components that are vulnerable for one reason or another, no matter if there is an actual threat which might exploit this or not. I would like to learn what those reasons are and to reduce or remedy those vulnerabilities as much as possible, with as little loss of usability as possible.

I know a ship in the harbor is much safer than at sea, but that is not what it is meant for. So I still want to be able to sail knowing that my vessel is as safe as possible.

That was my intention in posting in the first place and posing the question.
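To make the "what makes this service unsafe" question from the post above concrete, here is an added example that is not part of this thread and is not systemd-analyze's own code: a small Python checker that parses the [Service] section of a unit file (the unit text below is constructed for the example), reports which sandboxing directives from systemd.exec(5) are missing or weaker than the value this example treats as hardened, and emits a drop-in override that supplies them. The set of directives checked and the expected values are this example's assumptions; `systemd-analyze security` inspects a longer list and computes its exposure score with its own weights, which this example does not reproduce.

```python
"""Audit a systemd unit's [Service] section for common sandboxing directives.

Added example, not systemd-analyze: the directive list and "expected" values below
are this example's assumptions, drawn from real systemd.exec(5) settings.
"""
import re
from typing import Dict, List

# Constructed sample unit for this example (not a unit shipped by any distribution).
SAMPLE_UNIT = """\
[Unit]
Description=Example daemon (constructed sample)

[Service]
Type=simple
ExecStart=/usr/bin/example-daemon --foreground
# Only two sandboxing settings are present, and one is weaker than 'strict'.
PrivateTmp=yes
ProtectSystem=full

[Install]
WantedBy=multi-user.target
"""

TRUE_VALUES = {"1", "yes", "true", "on"}
# ProtectSystem= accepts no/yes/full/strict, each stronger than the last.
PROTECT_SYSTEM_RANK = {"no": 0, "yes": 1, "true": 1, "full": 2, "strict": 3}
# ProtectHome= accepts yes/read-only/tmpfs as protective values.
PROTECT_HOME_OK = {"yes", "true", "read-only", "tmpfs"}

# Boolean directives this example expects to be enabled (assumed subset).
BOOLEAN_DIRECTIVES = [
    "NoNewPrivileges", "PrivateTmp", "ProtectKernelTunables", "ProtectKernelModules",
    "ProtectControlGroups", "RestrictSUIDSGID", "LockPersonality",
    "MemoryDenyWriteExecute", "RestrictRealtime", "PrivateDevices",
]


def parse_service_section(unit_text: str) -> Dict[str, str]:
    """Return the effective key=value pairs of [Service].

    Unit files are INI-like: '#' and ';' start comments, a later assignment of the
    same key overrides an earlier one, and 'Key=' with an empty value resets the key
    (dropped here). Backslash line continuations are not handled in this example.
    """
    section = None
    settings: Dict[str, str] = {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "":
            settings.pop(key, None)
        else:
            settings[key] = value
    return settings


def audit_service(unit_text: str) -> List[str]:
    """Return one finding per missing or weaker-than-expected sandboxing directive."""
    svc = parse_service_section(unit_text)
    findings: List[str] = []
    for key in BOOLEAN_DIRECTIVES:
        value = svc.get(key)
        if value is None:
            findings.append(f"{key}= not set (expected yes)")
        elif value.lower() not in TRUE_VALUES:
            findings.append(f"{key}={value} (expected yes)")
    ps = svc.get("ProtectSystem", "no").lower()
    if PROTECT_SYSTEM_RANK.get(ps, 0) < PROTECT_SYSTEM_RANK["strict"]:
        findings.append(f"ProtectSystem={ps} (expected strict)")
    ph = svc.get("ProtectHome", "no").lower()
    if ph not in PROTECT_HOME_OK:
        findings.append(f"ProtectHome={ph} (expected yes, read-only or tmpfs)")
    return findings


def hardening_dropin(unit_text: str) -> str:
    """Build a drop-in override supplying every directive the audit flagged.

    A drop-in lives in /etc/systemd/system/<unit>.d/<name>.conf (or is created with
    `systemctl edit <unit>`); after `systemctl daemon-reload`, test the service, since
    sandboxing breaks services that legitimately need the restricted access.
    """
    lines = ["[Service]"]
    for finding in audit_service(unit_text):
        key = finding.split("=", 1)[0]
        if key == "ProtectSystem":
            lines.append("ProtectSystem=strict")
        elif key == "ProtectHome":
            lines.append("ProtectHome=yes")
        else:
            lines.append(f"{key}=yes")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit_service(SAMPLE_UNIT):
        print("missing/weak:", finding)
    print("\nsuggested drop-in:\n" + hardening_dropin(SAMPLE_UNIT))
```

Because a drop-in's [Service] section is merged after the unit's own, appending the generated override to the sample text and auditing again yields no findings, which is the same override-then-re-run loop you would do with `systemctl edit` and `systemd-analyze security` on a real system.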