On Sat, 11 Apr 20, 19:06:59, l0f...@tuta.io wrote:
>
> I understand most of you respondents don't use anti-malware at all. A
> good hygiene or other kind of solutions like system hardening
> (AppArmor, SELinux) are way more efficient.
>
> NB : I've been told SELinux is so complex, people eventually let it
> drop... Do you all succeed in configuring & using it? ;)

Didn't even try, I just take whatever Debian does by default.

> Do you follow any guide or tool to help you in hardening your Linux
> distro?
> I've used Lynis for the audit part, it's nicely done. What do you
> think about it?

Any such tool you are using has to be regularly updated as well and by definition is built on the assumptions of the developers of what is (not) necessary for me. This can easily lead to a false sense of security.

> Anti-malware on Windows is common/best practice. However, as we are
> discussing it here, things seem to be different with Linux. I don't
> really think Linux is intrinsically more secure than Windows nowadays
> (a vulnerability remains as such) but I really think Linux ecosystem
> is. Here are some reasons that could explain that according to me:
>
> * Most software is downloaded through official preconfigured
> repositories. Users are less prone to download malware on suspicious
> websites

There are sufficient tutorials advising to download random scripts and run with root privileges.

> * Updates are easier as well because tracked/centralized through
> repositories themselves for the most part. On Windows you need to
> check Windows Update + Windows Store + each application individually

Would be the same on Debian if you chose to install additional software with some other package manager and debs downloaded from whatever website.

> * Linux users are globally more tech-savvy so they take care more
> about their systems

This is just a side effect of Linux being much less common on typical[1] desktop / laptop systems.

> * Open source is more common on Linux (community-based) than Windows
> (money-based) so theoretically anyone competent enough could view the
> source by oneself and spot a malevolent behavior (/!\ in practice this
> is not so easy, see what happened with OpenSSL / HeartBleed)

You probably mean Linus's law[2]. Unfortunately the reverse is true as well: without sufficient eyeballs there will be many bugs.

If something like Heartbleed can happen to a widely deployed software, imagine what is probably hidden in all the software with a much smaller user-base and almost no active maintenance.

> * Linux desktops are less exposed : it's more lucrative for black hats
> to target Windows users with malware (see desktop marketshares).
> However this is only half of an argument because Linux server
> marketshares are quite the opposite!
>
> * Until some years ago, I would have added that Linux is more secured
> by design (least privilege, compartmentalization) than Windows but I
> think this is not so true now, Windows has caught up apparently...
>
> => What is your opinion?

In my opinion any system can be made very secure, but not 100%. The given/chosen hardware and software can make some things easier while making others more difficult.

The FLOSS ecosystem has a slight cultural advantage: less reliance on tools to stop and/or detect malware. Instead the vulnerability is (hopefully) found and patched.

This advantage is partially due to Microsoft's security practices in the past. While these have improved significantly in recent years, some practices are difficult to change and will probably only disappear together with the desktops and laptops[3].

[1] not including Chromebooks
[2] https://en.wikipedia.org/wiki/Linus%27s_law
[3] fortunately when new types of devices like smartphones and tablets were introduced the hardware and software makers used the opportunity to also introduce better security models and practices, unfortunately together with an entire class of new privacy issues.

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser