March 16, 2017

How to Choose the Best Linux Distro for SysAdmin Workstation Security


Workstation Security Checklist
In this series, we’ll lay out a set of baseline recommendations for Linux workstation security. This article covers some considerations you should weigh when choosing a distribution.

Learn how to work from anywhere and keep your data, identity, and sanity. DOWNLOAD NOW

If you’re a systems administrator choosing a Linux distribution for your workstation, chances are you’ll stick with a fairly widely used distro such as Fedora, Ubuntu, Arch, Debian, or one of their close spin-offs. Still, there are several security considerations you should weigh when picking which distribution is best for your needs.

You’ll want a distro that:

  • Has a robust MAC/RBAC implementation such as SELinux/AppArmor/GrSecurity (ESSENTIAL)

  • Publishes security bulletins (ESSENTIAL)

  • Provides timely security patches (ESSENTIAL)

  • Provides cryptographic verification of packages (ESSENTIAL)

  • Fully supports UEFI and SecureBoot (ESSENTIAL)

  • Has robust native full disk encryption support (ESSENTIAL)

These considerations are part of the guidelines The Linux Foundation gives our own remote team of sysadmins to reduce the risk that they become attack vectors against the rest of our IT infrastructure. You may also want to read our previous posts on how to choose hardware and considerations for a pre-boot environment. Or you can download our full set of recommendations in a handy ebook.

SELinux, AppArmor, and GrSecurity/PaX

Mandatory Access Controls (MAC) or Role-Based Access Controls (RBAC) are an extension of the basic user/group security mechanism used in legacy POSIX systems. Most distributions these days either already come bundled with a MAC/RBAC implementation (Fedora, Ubuntu) or provide a mechanism to add it via an optional post-installation step (Gentoo, Arch, Debian). Obviously, it is highly advised that you pick a distribution that comes preconfigured with a MAC/RBAC system, but if you have strong feelings about a distribution that doesn’t have one enabled by default, do plan to configure it post-installation.

Distributions that do not provide any MAC/RBAC mechanisms should be strongly avoided, as traditional POSIX user- and group-based security should be considered insufficient in this day and age. If you would like to start out with a MAC/RBAC workstation, AppArmor and GrSecurity/PaX are generally considered easier to learn than SELinux. Furthermore, on a workstation, where there are few or no externally listening daemons, and where user-run applications pose the highest risk, GrSecurity/PaX will offer more security benefits than just SELinux.

Distro security bulletins

Most of the widely used distributions have a mechanism to deliver security bulletins to their users, but if you are fond of something esoteric, check whether the developers have a documented mechanism of alerting the users about security vulnerabilities and patches. Absence of such a mechanism is a major warning sign that the distribution is not mature enough to be considered for a primary admin workstation.

Timely and trusted security updates

Most of the widely used distributions deliver regular security updates, but it’s worth checking to ensure that critical package updates are provided in a timely fashion. Avoid using spin-offs and “community rebuilds” for this reason, as they routinely delay security updates due to having to wait for the upstream distribution to release it first.

These days, it is hard to find a distribution that does not use cryptographic signatures on packages, updates metadata, or both. That said, fairly widely used distributions have been known to go for years before introducing this basic security measure (Arch, I’m looking at you), so this is something worth checking.

Distros supporting UEFI and SecureBoot

Check that the distribution supports UEFI and SecureBoot. Find out whether it requires importing an extra key or whether it signs its boot kernels with a key already trusted by systems manufacturers (e.g. via an agreement with Microsoft). Some distributions do not support UEFI/ SecureBoot but offer alternatives to ensure tamper-proof or tamper- evident boot environments (Qubes-OS uses Anti Evil Maid, mentioned in a previous post). If a distribution doesn’t support SecureBoot and has no mechanisms to prevent boot-level attacks, look elsewhere.

Full disk encryption

Full disk encryption is a requirement for securing data at rest, and is supported by most distributions. As an alternative, systems with self- encrypting hard drives may be used (normally implemented via the on-board TPM chip) and offer comparable levels of security plus faster operation, but at a considerably higher cost.

In our next article, we’ll give some general distro installation guidelines. All distributions are different, but there are some good rules of thumb including a recommended encryption strategy, guidelines for choosing good passwords, password configuration for user- and admin-level accounts, and more.

Whether you work from home, log in for after-hours emergency support, or simply prefer to work from a laptop in your office, you can use A SysAdmin’s Essential Guide to Linux Workstation Security to do it securely. Download the free ebook and checklist now!

Read more:

3 Security Features to Consider When Choosing a Linux Workstation

4 Security Steps to Take Before You Install Linux

Click Here!