Security Shortcomings in Fedora

Why are there not more security programs in Fedora’s software offering?

Why isn’t there an expert breakdown of what one can do to harden a Fedora system?

I find that a lot of stuff does not work properly, or it is old, or both. For example, COMODO does not work smoothly in Fedora 30; chkrootkit comes as an old version; and Lynis comes as an old version too.

I think security should be up front and prioritized, and one does not get the impression that this is the case right now with Fedora. Can someone please fix this?

1 Like

Have you looked at Security Lab?

There are lots of these on the internet, and the Security SIG is always ready to help. Have you contacted them yet?

If packages are not available, or not up to date, it is generally because the volunteers that maintain the package are short on time. Please consider joining the package maintainers to help improve the software that the repositories provide.

I’m sorry you get that impression, but I can tell you that we all agree that security is important, and it is prioritised to the extent where resources will permit. The Red Hat security team also keeps an eye on CVEs, for example.

Why not you :smiley: ? Everything is free/open source, all our resources only require an FAS that you already have—you can start now!

2 Likes

Here is an example of what goes wrong in Fedora:

The rkhunter.log file was locked on my system. After unlocking it, I could see that some tests had been turned off. This is the kind of bad thing that I face. I can wipe my OS, etc., but why should I put Fedora back onto my computer? It seems that I cannot make it safe.

[07:36:51] Info: Using package manager 'RPM' for file property checks
[07:36:51] Info: Found the 'rpm' command: /bin/rpm
[07:36:51] Info: Previous file attributes were stored
[07:36:51] Info: Enabled tests are: all
[07:36:51] Info: *Disabled tests are: suspscan hidden_ports deleted_files packet_cap_apps apps ipc_shared_mem*
[07:36:51] Info: Current logging will be appended to the log file
[07:36:51] Info: Found kernel symbols file '/proc/kallsyms'

1 Like

So, in such advanced tasks the maintainer (who we can safely assume knows what they are doing) picks a set of defaults that work for most cases. If you think these defaults aren’t enough, please file a bug and discuss them with the maintainer so that they can benefit all users. In cases where the defaults aren’t sufficient, the user must modify the configurations to fit their use-case. One set of configurations just does not fit every user.

1 Like
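Added example, not part of any post in this thread and not rkhunter's or Fedora's own code: POSIX shell functions that pull the skipped tests out of log lines like the ones quoted above, read `DISABLE_TESTS` entries from rkhunter.conf-style text, and report which of the tests you care about did not run. The function names, the wanted-test arguments and the configuration fragment are constructed for illustration.

```shell
# Added example: which rkhunter tests did a run skip, and does the
# configuration explain it?

# Tests named on the last "Disabled tests are:" line of a log on stdin,
# one per line. The "*" emphasis seen in the quoted log is stripped.
log_disabled_tests() {
    sed -n 's/.*Disabled tests are:[[:space:]]*//p' | tail -n 1 |
        tr -d '*"' | tr -s ' \t' '\n\n' | grep -v '^$' | sort -u
}

# Tests named by uncommented DISABLE_TESTS lines in rkhunter.conf-style
# text on stdin; every such line found is merged.
conf_disabled_tests() {
    sed -n 's/^[[:space:]]*DISABLE_TESTS[[:space:]]*=[[:space:]]*//p' |
        tr -d '"' | tr -s ' \t' '\n\n' | grep -v '^$' | sort -u
}

# Print each wanted test (arguments) that the log on stdin shows as
# skipped. Returns 1 if any was skipped, so it can gate a scheduled scan.
skipped_of() {
    disabled=$(log_disabled_tests)
    rc=0
    for t in "$@"; do
        if printf '%s\n' "$disabled" | grep -qxF -- "$t"; then
            echo "$t"; rc=1
        fi
    done
    return $rc
}

# Two lines from the log quoted in the thread.
sample_log() {
    cat <<'EOF'
[07:36:51] Info: Enabled tests are: all
[07:36:51] Info: *Disabled tests are: suspscan hidden_ports deleted_files packet_cap_apps apps ipc_shared_mem*
EOF
}

# Constructed configuration fragment, not Fedora's shipped file.
sample_conf() {
    cat <<'EOF'
ENABLE_TESTS=ALL
#DISABLE_TESTS=none
DISABLE_TESTS="suspscan hidden_ports deleted_files"
DISABLE_TESTS=packet_cap_apps apps ipc_shared_mem
EOF
}

sample_log | skipped_of hidden_ports rootkits || echo "wanted tests were skipped"
```

On a real system the inputs would be the rkhunter log and the configuration file (typically `/etc/rkhunter.conf`); `rkhunter --list tests` prints the valid test names.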

Hey!
Well, I think that you can’t measure how secure an operating system is by looking at the security scanner tools it provides. Actually, Fedora doesn’t offer a real-time antivirus either :sweat_smile:

Fedora frequently receives kernel and core component updates, and as you know, having an updated system is the first security countermeasure. In addition, Fedora comes with a firewall and SELinux enabled.

By the way, chkrootkit RPM is at version 0.53, like the latest release that you can find on the chkrootkit web site.

You are right, though: Lynis is not at the very latest version (2.7.1, which comes with Fedora, was released on 2019-01-30, while the latest version was released on 2019-04-21).
However, as far as I can see, if you want the very latest version, you can enable the repository offered by the Lynis developers: CISOfy Software Repository (Community)

I hope you will change your impression :smiley:

2 Likes

First, Security is how a system is built.

I highly recommend this CCC talk about writing secure software.

You don’t need tools but a secure core system that has a scope and requirements and follows those. Android or ChromeOS for example have a very strong focus on Security and you simply don’t run anything but containerized Apps.

Linux is not there yet, but there are ways.

First, Fedora is a good base. For a hardened system, use secureblue, which follows Fedora’s Atomic model and applies a lot of security hardening from various projects.

Fedora has SELinux and every program has a matching profile. This makes it unique and more secure than others. It also has a very good image-based updating system with rpm-ostree which is also a huge security advantage over other “immutable” models that are not image based, or mutable system directories with no control at all.

Fedora does use glibc though, so Alpine Linux has a huge advantage in that it has binary repos for apps compiled for musl instead, which is way more secure than glibc with a security first approach.

Then you have other factors like

  • kernel configurations (which are okay but not security first at all on Fedora)
  • the used Firewall (firewalld instead of ufw like on the *ubuntus and Debian)
  • testing and requirements for software in the repos
  • security update speed
  • support for modern technologies like portals, Wayland, flatpak, etc.

Fedora ticks a lot of those, can be optimized for security (like secureblue) but with its focus on general users, this is quite a tradeoff with the current state of the Linux Desktop.

I highly advise using Flatpaks, and I maintain a list of apps following secure modern standards (please add missing ones!).

Especially for WINE, Bottles is the no1 best option as it is perfectly packaged and you shouldn’t run Windows software unsandboxed on your system.

I am not a security expert, but it seems to me that a breach in security comes when somebody runs some hostile code on your own device. Then the issue becomes how that hostile code got on your device. We rely on software repositories, then we rely on the fact that both the software developers and the package maintainers are personally identified and trusted, then they look for each other. If/when you grab some code from an untrusted source and you run it, there can’t be any real “security”; you can only take for granted that sooner or later your device will get compromised, and then offline backups and erasing. The fact that companies rely on “smart working” obviously moves the “security issue” onto any device used by employees at home. Again, those employees cannot run any software from untrusted sources. If they are the sysadmins for the company, they are “security” so there can’t be more “security”.

Given what I wrote, I don’t like the idea of snap and flatpak because it seems I cannot be sure about whoever wrote the code and who is publishing it on the “store”. The fact that both are sandboxed doesn’t look like much “security” given that it is the snap and the flatpak itself setting its own permissions.