December 6, 2006

Interview with Linux security expert Kurt Seifried

Author: Michael Stutz

Linux.com readers might know Kurt Seifried as the author of the Linux Administrators' Security Guide or proprietor of the popular security mailing list. In this interview, he gives his views on how security in Linux has been stacking up and where it's lacking, what users can do to secure their systems, and whether every admin needs to know much about security.

Over the years Seifried has made a name for himself in the world of Linux security, and he's not resting on past accomplishments. He's part of the technical team at iDefense/Verisign, which he says "allows me to spend most of my time keeping on top of all the current security threats." Seifried is also working on a new site called RiskBloggers.com, a blog/magazine with articles on security and risk.

Linux.com: Is it true that you're planning to launch a Linux-specific security list soon?

Kurt Seifried: Yeah, "as soon as I have time"™ . It'll basically be all the vendor lists (Debian, Slackware, etc.) collated into one, so there will be a lot of overlap since they tend to ship the same software, but since some vendors are faster than others for shipping security updates, it'll also provide a heads up.

Lc: Linux has been around for a good 15 years now. How has the area of Linux security changed in that time?

KS: It's matured significantly. Projects like SELinux and StackGuard (formerly SubDomain) have really had an impact.

I use SELinux on my servers now and it really allows me to lock down Internet-facing services like Apache. There's also a lot more software -- the average Linux installation when I started was 50-100 megabytes (about 50-70% of my available hard drive at the time). Now, I typically install 1-2 gigabytes worth of software (less than 1% of my available hard drive space now). Added complexity and size means more potential holes for attackers to exploit.

Lc: Last year, Microsoft claimed that Linux security is a "myth" and that Linux was "too immature" to use for mission-critical computing. Is there any truth to that?

KS: Microsoft claims a lot of things. Most large companies claim a lot of things. Remember Oracle's "unbreakable" ad campaign? Remember Microsoft saying they had addressed buffer overflow in Windows and that wouldn't be a problem anymore? It's the nature of the industry, there is a lot of mud throwing (aka FUD).

Lc: Security myths or not, Linux is more popular today than its ever been, especially for mission-critical computing. Does this growing popularity change anything from a security perspective?

KS: Yes. The biggest change I think is the level of auditing. For example, the recent Month of Kernel Bugs found numerous issues in the Linux kernel's support for various filesystems, which can lead to local denial of services or code execution.

Unlike, say, the OpenBSD Project, which has been auditing their code base exhaustively for a long time, the Linux code base is still relatively messy in that respect, but it's getting better.

Lc: What are the big issues in Linux security today?

KS: Code quality continues to be abysmal. Known security issues like buffer overflow, and even simple file creation issues continue to plague us. It's downright embarrassing when 20-year-old programming errors continue to occur.

Lc: As Linux usage grows among end users, are we going to see more malware or does Linux have immunity to that?

KS: Linux certainly is not immune, but it is highly resistant.

Let me put it this way: would I worry about malware on servers? Not really. Would I worry about home users doing silly things that get them infected? It's possible. However, a well built and configured system with a user that is not allowed admin access would be relatively immune to such attacks.

Lc: Are Linux users generally at more or less risk than users of other OSes?

KS: Depends how you define risk for one thing. Simply plugging an unpatched Linux box with a default install of your favorite distro is safer than plugging in an unpatched Windows box (which will be attacked and compromised, usually in less than half an hour).

If you run vulnerable services on your machine, or you engage in unsafe Internet usage [such as] opening and executing email attachments [or] surfing the Web with older browsers that have well known issues, chances are you'll run into problems regardless of the OS.

Lc: There's so many distributions out there. Can someone still be a "Linux security" expert today without having to be on top of all the nuances in all the many distributions, or is this another layer of complexity they have to know?

KS: Well, the good news is that most Linux systems are pretty similar. You have the same class of vulnerabilities and attacks in most cases: poor file permissions, badly written applications, etc.

There are, of course, differences (Where the heck is config file X? And why did they allow this service by default?), but once you learn the core fundamentals, how to read man pages, and probably most importantly of all how to use Google, you should be ok.

Lc: Security-wise, are all distributions created equal, or are some better than others?

KS: Some distributions are definitely doing a better job. Red Hat, for example, now ships a pretty locked down default configuration -- i.e., Sendmail only listens on localhost, not all interfaces. Most vendors have abandoned Telnet in favor of OpenSSH, and so on.

Lc: What do you think about the plethora of special "security-focused" distros and Linux security software such as hardening scripts and add-on security packages?

KS: As long as the security technology is mature, secure, stable, functional, and safely configurable, I'm all for it. But complex add-on security for the sake of fancy-looking complex add-on security is almost never a good idea. I remember a quote from [Immunix co-founder] Crispin Cowan which went something like, "SubDomain means the difference between having to run and patch the server, vs. walking to the server and patching it."

Lc: Do you have any favorite Linux security tools?

KS:SELinux for host security (fine grained control, but a monster to configure!). Nmap for verifying that my firewall rules are correct. Emacs for editing files to configure my system securely. There is literally no one tool that is my favorite, but indeed hundreds.

Lc: What's the one most important thing that your average Linux admin can do to increase security?

KS: I guess that would be run the automatic updater your distribution comes with. If nothing else, this will minimize the number of gaping-wide holes in your system. Security is a holistic practice, you are only as strong as your weakest link, an attacker only needs to find one mistake to exploit a system.

Lc: So can it be said that newer software -- like in unstable or beta releases -- is generally more secure than old, tested software that's been around for a few years?

KS: Nope. [The new software] probably contains a ton of security holes as well -- just not widely known ones (yet).

The difference being, an older version has holes for which I can get exploit code from Packet Storm or Metasploit, and break in trivially. The newer holes take a little more time to develop exploit code for.

Lc: Does every admin have to be a security expert now?

KS: Sadly yes, they do. This is I think is one of the biggest failings of most operating systems. To install one and configure it for online use you effectively have to have a degree of security knowledge in order to do so safely. Most applications and operating systems fail in ways that are not safe (i.e. buffer overflows resulting in code execution rather than a simple error message).

I hope that the computer industry will enter a period of maturity similar to, say, the auto industry, where safety and stability becomes a major factor, and the products are designed and built to be safe, reliable, and secure.

However, I do not think this will happen for a very long time, if ever, due to the general culture surrounding software development.

Category:

  • Security
Click Here!