Well, the argument came up again. I've been busy playing Xenosaga 2, and haven't been blogging much; but not much has been happening, unless you want me to start blogging security notices or something. In that case you can just check the RSS feeds, which are visible if you click the text above the ads on this blog; icetalk should suffice for that.
The main argument I keep hearing is between "Linux is more secure than Windows" and "Security is a function of the administrator." I have yet to hear anyone actually reach the core issue and unify the two statements, which is what I'm going to do today.
The security of an operating system is a function of the operating system, bounded by the competence of the administrator with the tools given to him. This means that simply running a secure OS does not make your system secure, and simply having a good administrator does not mean he can make your system secure. You need both.
Operating System Potential
The administrator can only make the operating system as secure as it can potentially be. This means that an OS such as DR-DOS with an added TCP/IP stack running as a Web server can't be secured by the administrator no matter how well he knows DOS. Security must be present in design (pdf).
The OS must supply some level of security. Even if it allows application programs to supply security countermeasures such as access control, it has to protect those programs from malicious attackers. SELinux would be of no use if a quick kill -9 `pidof selinuxd` disabled it.
In addition, the granularity of control over the security that the OS offers is highly important. PaX supplies memory protections which can be individually disabled on executable binaries. Different functionality can be enabled or disabled by the executable header or by supporting access control systems. In contrast, a similar but more coarse-grained system may need to be disabled system-wide in order to disable it for any single program, removing protection where it could have been left in place.
The administrator has to understand the usage of the operating system's tools in order to actually wield the full potential of the system. A Linux machine run with a distribution using PaX, GrSecurity, SELinux, and DigSig is not more secure than a basic Debian machine if the administrator is a novice who replaces the kernel with a home-built vanilla tree.
The administrator needs to understand basic security concerns as well. A novice user may build a vanilla kernel to "optimize" it for his machine and potentially leave out security enhancements like GrSecurity. He will likely also set enforcing=0 when SELinux breaks things, and probably won't understand the concept of the bugfix patches that come with the distribution kernels.
If the administrator does not understand both the usage of the operating system's tools and the basic concepts and concerns of security, he may disable or fail to utilize security tools and patches. Security may be decreased due to administrative overhead; and old vulnerabilities may be reinserted.
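The three ways the novice administrator above weakens the system (booting with enforcing=0, replacing the distribution kernel with a vanilla tree, and losing PaX in the process) can each be spotted from the running system. The following posture check is an added example, not code from this post; the vendor-suffix heuristic for kernel versions and the sample /proc/self/status text are my own constructions.

```sh
# Added example, not code from the post: a posture check for the three
# administrator failure modes described above. Each check takes its input
# as an argument so it can run against constructed samples or live data.

# Classify the kernel command line: selinux=0 disables SELinux outright,
# enforcing=0 boots it in permissive mode (policy logged, not enforced).
selinux_boot_mode() {
    case " $1 " in
        *" selinux=0 "*)   echo disabled ;;
        *" enforcing=0 "*) echo permissive ;;
        *)                 echo enforcing ;;
    esac
}

# Heuristic (assumption): a bare upstream version such as "2.6.11.7" has no
# vendor suffix like "-1-686" or "-1.1369_FC4", which usually means a
# home-built vanilla tree carrying none of the distribution's patches.
kernel_looks_vanilla() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)?$'
}

# A PaX kernel adds a "PaX:" flags line to /proc/<pid>/status; without it
# the per-binary memory protections are simply not there to configure.
pax_present() {
    printf '%s\n' "$1" | grep -q '^PaX:'
}

# Constructed sample of a /proc/self/status excerpt from a PaX kernel.
SAMPLE_STATUS='Name:   sh
State:  R (running)
PaX:    PeMRs'

# Live report (Linux only; elsewhere the /proc reads come back empty).
posture_report() {
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    status=$(cat /proc/self/status 2>/dev/null)
    kver=$(uname -r)
    echo "SELinux at boot: $(selinux_boot_mode "$cmdline")"
    if kernel_looks_vanilla "$kver"; then
        echo "kernel $kver: looks like an unpatched vanilla build"
    else
        echo "kernel $kver: carries a distribution suffix"
    fi
    if pax_present "$status"; then echo "PaX: present"; else echo "PaX: absent"; fi
}

posture_report
```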
Operating System Tools
An OS can offer tools and documentation to help less experienced administrators maintain the system. By doing this, the level of administrative overhead may be significantly reduced, allowing the administrator to rely on the expertise of others in configuring most of the system. These tools must directly configure the security systems, the system, and the applications to be effective.
OpenBSD has high administrative overhead, and so even experienced users are left to repeat work that could be done once and automated. Because of this, some administrators may spend hours setting up daemons and adding users, only to weave a poorly constructed system around a secure core. Both lack of experience and simple thoughtless mistakes could leave gaping security holes which are hard to find and fix.
On the other hand, Mandrake Linux allows simple adjustment of the "security level" of the OS as well as start-up daemons and users. A less experienced administrator would be able to set up a more secure environment under Mandrake than under OpenBSD; however, the administrator would also be more inclined to rely on and trust the tools. Still, less experienced administrators can find and fix their mistakes and easily set up a system properly with the guided installation process.
The security of an OS is a function of the OS itself, bounded by the ability of the administrator to properly install, configure, and maintain the system. The upper bound of administrative competence can be raised by supplying better documentation and more effective administrative tools. In any case, security cannot interfere with usability, and so it is important that the granularity of control over invasive security systems such as MAC and memory protection systems is as fine as possible.