Bulletproof your work sessions: Deploy a security-enhanced Linux distro

Published in Linode Cube, Jun 8, 2017 (7 min read)

By Jack M. Germain

With malware assaults, hacking fusillades, and ransomware attacks on the rise, companies that depend on security and privacy need to stay one giant step ahead of the bad guys’ broadsides. The Linux operating system helps you do that.

But can you run a more secure computing environment than what is already provided by the hundreds of Linux distributions? After all, one of the main reasons for running the Linux OS is the greater security the open-source environment provides. So how can you make your computing activities safer and more reliable?

The answer is to run a security-enhanced Linux distro. As fortified as the Linux OS is, some distros are more security-minded than others. If you demand a more rigorous security shield, check out these top picks from a growing field of specialized Linux distros.

Secure the Linux Core with CoreOS

If you are transitioning to containers or already use them, one of your best options is to run a highly secure Linux distro built for container technology. That is CoreOS. Do not confuse CoreOS with a related Linux OS project dubbed Tiny Core Linux. Tiny Core is a minimalist Linux OS built from scratch with a focus on being as small and secure as possible.

CoreOS is a widely used container-based platform. It is designed specifically for providing infrastructure to clustered deployments. Its focus centers on automation, easy application deployment, reliability and scalability. One of its most salient properties is a hypersecure underbelly. CoreOS is not a single, self-contained Linux distro. Rather, it provides minimal functionality for deploying applications within containers. Its developers offer several variations of this minimalistic Linux OS with different pieces added for desktop and cloud functionality.

The particular Linux variant you want is Container Linux. This Linux OS reduces the operating system to just the components needed for secure container packaging. It does this by providing only applications that fit the container strategy. This difference is significant. Traditional Linux distros include unused software, which often introduces dependency conflicts that, in turn, increase the attack surface. Instead, Container Linux gives you a small base and full control over all dependencies through the use of containers.

Be Discreete with your OS security

Discreete Linux used to be called Ubuntu Privacy Remix. Now, it is based on Debian Linux. If you want professional-grade privacy but lack either a deep knowledge of computers or an underburdened IT staff — or both — Discreete Linux could be your ideal Linux solution for security-enhanced Linux.

Discreete Linux is less complicated to use because you do not have to install it on a hard drive. That alone removes countless security obstacles. You can remove much of your security anxiety by running this Linux OS as a live system installed on an external disk, USB stick or SD card. This creates a read-only environment each time you boot into Discreete Linux. So, you run a fresh session with no remnants of the previous session's files, malware or otherwise.

One of the strongest assets of Discreete Linux is how it protects documents and user information, as well as secret encryption keys, from Trojan attacks. The entire live session is securely encrypted. The OS stores the private keys in internal Cryptoboxes. The keys are only accessible in Discreete Linux's isolated, offline environment. Discreete locally encrypts files and messages, which are later sent as an email attachment from a computer with internet access. The Discreete OS reverses the process when receiving encrypted messages, requiring the attachments to be delivered into Discreete's environment for decryption and storage.

Keep a lid on your security with Red Hat’s Enterprise Linux

Red Hat Enterprise Linux (RHEL) is a long-established leader in enterprise solutions built on the Linux OS. The Red Hat community maintains a market share that approaches 80 percent of enterprise distributions. Red Hat offers a complete business package that includes Platform as a Service, Infrastructure as a Service, middleware, integration and automation, storage, containers, virtualization, and business process automation.

RHEL has one major distinguishing trait that makes it stand out from other enhanced-security Linux distros. It comes with a price tag. You cannot download an ISO file, install it, and then order enterprise add-ons. Instead, you must pay as you go. And you start paying from the start to get the Linux distro up and running. This subscription payment approach extends to installing what are typically free, open-source applications. When you install free software on Red Hat's Linux platform, you must have access to the company's subscription service.

Of course, you could justify the up-front, ongoing expense by considering the top-notch degree of reliability, security, and support. If you are really serious about computer security, Red Hat can be an excellent investment. The recently released RHEL 7.4 beta is bolstered with new security and compliance features. It has streamlined automation, along with tools for improved systems administration.

Of particular interest to IT security buffs is RHEL’s new Network Bound Disk Encryption feature. It is designed to greatly reduce the management burden of disk encryption at scale. This new security feature mitigates concerns over password security when deploying on a data center as well as on encrypted laptops.

Spin the Qube of Linux Security

Qubes OS could be the pinnacle of Linux security distros. But be careful. It is a complex OS not intended for the faint-hearted. It offers you a hybrid computing technology that takes locking down your computers to a new level.

Qubes OS, developed by Invisible Things Lab, is based on the Fedora Linux desktop. Fedora already pushes the limit for innovation and security in Linux. Qubes OS breaks through these limits — considerably further.

The security concept is best described as ultimate isolationism. This highly advanced OS uniquely compartmentalizes each part of the system to lock down the computer. It relegates each component of the OS to a domain structure and isolates each one from all other domains.

This design approach guarantees that rogue code and harmful intrusions that might impact one domain cannot impact any other component in the Qubes OS. And just in case something goes wrong and an intrusion happens, a self-destructing domain presents an added security barrier.

The developers designed Qubes OS to function within separate domains implemented as lightweight Xen virtual machines. The desktop uses a different colored border for each window to show which virtual machine it belongs to.

Make a cryptographic fortress with Subgraph OS

Subgraph OS could be as close as you can get to an operating system being an ironclad fortress. This distro is based on Debian Linux. It builds in enhanced hardening features that deliver tighter security through anonymous web browsing and a locked-down Linux kernel.

Two more hard-core strategies batten the security hatches. One is an application firewall that blocks specific executables from accessing the network. This forces all internet traffic through the Tor network. The other is the distribution’s file manager tools that remove metadata from files and integrate them with the OnionShare file-sharing application.

Subgraph OS shepherds communication through the Icedove email client, which is configured to automatically work with Enigmail for encrypting e-mails. These features combine to make Subgraph resistant to network-borne exploits and malware attacks. The developers apply the concept from the cryptography domain where proprietary algorithms are never trusted.

The operating system creates virtual sandboxes around risky applications like web browsers. This security layer blocks attacks against individual applications. You must install Subgraph OS to a hard drive. You must also encrypt the entire file system to avoid leaking any plain-text data.

Divide to conquer with Whonix

Whonix is an enhanced security Linux OS that is based on three critical concepts: anonymity, privacy and security. To provide this heightened level of computer security, Whonix uses the Tor anonymity network, Debian GNU/Linux and security by isolation.

This Linux distro takes a two-part approach to fastening down the security hatches. One part of the OS independently runs through the Tor network as a gateway. The second part focuses on enhancing workstation security by operating on a completely isolated network. It only allows connections through Tor. Whonix lets you use applications and run servers anonymously over the internet. This two-part design makes DNS leaks impossible and leaves malware, even with root privileges, unable to discover the computer's real IP address.
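The isolation described above boils down to one rule: the workstation may talk to the gateway (and to itself) and to nothing else, so a DNS query or a direct connection to any other address is by definition a leak. The following is an added example, not Whonix's code, that expresses this policy as a small audit over connection records. The record format, the gateway address 10.0.0.1, the SOCKS port 9050 and the sample connections (using documentation address ranges) are all constructed for this example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Hypothetical gateway address and Tor SOCKS port for this example;
# the real Whonix network layout is not reproduced here.
GATEWAY = ipaddress.ip_address("10.0.0.1")
GATEWAY_SOCKS_PORT = 9050


@dataclass
class Conn:
    proto: str
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    process: str


def parse_conn(line: str) -> Conn:
    """Parse one constructed record: '<proto> <src:port> -> <dst:port> <process>'."""
    proto, _src, arrow, dst, process = line.split()
    if arrow != "->":
        raise ValueError(f"malformed record: {line!r}")
    host, _, port = dst.rpartition(":")
    return Conn(proto.lower(), ipaddress.ip_address(host), int(port), process)


def classify(conn: Conn) -> str:
    """Apply the isolation policy: loopback and the gateway are fine,
    anything else is a leak, with DNS leaks called out separately."""
    if conn.dst.is_loopback:
        return "ok-local"
    if conn.dst == GATEWAY:
        return "ok-gateway"
    if conn.dport == 53:
        return "LEAK-dns"
    return "LEAK-direct"


def audit(lines) -> list[tuple[str, str, int, str]]:
    """Return (process, destination, port, verdict) for every record."""
    report = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        c = parse_conn(line)
        report.append((c.process, str(c.dst), c.dport, classify(c)))
    return report


def leaks(lines) -> list[tuple[str, str, int, str]]:
    """Only the records that violate the isolation policy."""
    return [r for r in audit(lines) if r[3].startswith("LEAK")]


# Constructed sample: two well-behaved programs, one local service,
# and two programs that bypass the gateway (DNS to 192.0.2.53, TLS to 198.51.100.7).
SAMPLE = """\
# proto src -> dst process
udp 10.0.0.2:40123 -> 10.0.0.1:53 resolver
tcp 10.0.0.2:51002 -> 10.0.0.1:9050 browser
tcp 127.0.0.1:51003 -> 127.0.0.1:8080 devserver
udp 10.0.0.2:40124 -> 192.0.2.53:53 updater
tcp 10.0.0.2:51004 -> 198.51.100.7:443 chatapp
""".splitlines()


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-10s %-16s %5d  %s" % row)
```

On a real Whonix workstation the same verdicts are what the network layout enforces by construction: there is no route to 192.0.2.53 or 198.51.100.7, so the "updater" and "chatapp" rows could not exist. The audit is useful on a host you are hardening yourself, where such records would be the first sign that something is reaching around the gateway.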

Whonix sidesteps the usual trade-off between running a live session, which requires rebooting to load it each time, and installing to a hard drive, which introduces the chance of an intrusion persisting. Instead, Whonix works as a virtual machine inside VirtualBox. This lets you snapshot the system and reset it to default settings.

Closing thoughts on SELinux

The above list of security-enhanced Linux distros offers you some of the best alternatives to making sure that your computing sessions are safe and secure. I omitted a few other choices from this list because they are a bit long in the tooth and more complex to configure compared to these more hardened and streamlined options.

If you have the incentive to check out two potentially good alternatives outside this list, take a look at TAILS and TENS.

Tails is a live Linux distribution that focuses on privacy. It runs on a DVD, USB key or SD Card as a live system on any computer. TENS (Trusted End Node Security), developed by the US Air Force, is approved by the National Security Administration (NSA). The respective provenance of both these systems might merit a deeper exploration on your part. After all, you can never bulletproof your Linux work sessions enough.

Please feel free to share below any comments, questions or insights about your experience with security-enhanced Linux distros. And if you found this blog useful, consider sharing it through social media.

About the blogger: Jack M. Germain is a veteran IT journalist whose outstanding IT work can be found regularly in ECT News Network's LinuxInsider, and other outlets like TechNewsDirectory. Jack's reporting has spanned four decades and his breadth of IT experience is unmatched. And while his views and reports are solely his and don't necessarily reflect those of Linode, we are grateful for his contributions. He can be followed on Google+.
