In the Linux Hardening Guide by Madaidan, the author recommends the following suggestions for a secure Linux distro:
- Avoid distributions that freeze packages, as they are often quite behind on security updates.
- Use a distribution with an init system other than systemd. systemd contains a lot of unnecessary attack surface and inserts a considerable amount of complexity into the most privileged user space component; it attempts to do far more things than necessary and goes beyond what an init system should do. An init system should not need many lines of code to function properly. While a common argument in favour of systemd is its ability to sandbox system services, this can be replicated on other init systems through sandboxing utilities like bubblewrap, as documented below.
- Use musl as the default C library. musl is heavily focused on minimality, which results in very small attack surface, whereas other C libraries such as glibc are overly complex and prone to vulnerabilities. For example, over a hundred vulnerabilities in glibc have been publicly disclosed, compared to the very few in musl. While counting CVEs by itself is often an inaccurate statistic, in this case, it represents an overarching issue and is symptomatic of underlying security issues. musl also has invested in decent exploit mitigations, particularly its hardened memory allocator, heavily inspired by GrapheneOS’ hardened_malloc.
- Preferably use a distribution that utilises LibreSSL by default rather than OpenSSL. OpenSSL contains tremendous amounts of totally unnecessary attack surface and follows poor security practices. For example, it still maintains OS/2 and VMS support — ancient operating systems that are multiple decades old. These abhorrent security practices are what led to the dreaded Heartbleed vulnerability. LibreSSL is a fork of OpenSSL by the OpenBSD team that applies superior programming practices and eradicates a lot of attack surface. Within LibreSSL’s first year, it mitigated a large number of vulnerabilities, including a few high severity ones.
The best distribution to use as a base for your hardened operating system would be Gentoo Linux, as it allows you to configure your system exactly how you want it to be, which will be extremely useful, especially when we come to more secure compilation flags later in the guide.
However, Gentoo may not be feasible for many people due to its significant usability pitfalls. In this case, Void Linux’s musl build or Alpine Linux would be a good compromise.
Note that this guide has been mentioned a lot on Reddit, so I also wonder how the PG team thinks about it. If the arguments are still valid, shouldn’t we adopt the suggestions? Or are there more concerns that the guide failed to cover?
Thanks!
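The quoted guide claims that the per-service sandboxing systemd offers can be replicated on other init systems with bubblewrap. The following added example (not code from the guide, the forum post, or the bubblewrap project) shows what that looks like in practice: a POSIX sh helper that maps common systemd unit directives (ProtectSystem=, PrivateTmp=, PrivateDevices=, PrivateNetwork=, CapabilityBoundingSet=, NoNewPrivileges=) onto bwrap flags and builds the launch command a supervisor script would run. The service name "exampled", its binary path and its state directory are hypothetical placeholders.

```sh
#!/bin/sh
# Added example (not from the guide or the forum post): express the sandboxing
# a systemd unit gets from directives such as ProtectSystem=, PrivateTmp=,
# PrivateDevices=, PrivateNetwork= and CapabilityBoundingSet= as a bubblewrap
# (bwrap) invocation, so a non-systemd init can launch the service the same way.
# "exampled", its binary path and its state directory are hypothetical.

# Build the bwrap argument list for one service.
#   $1 = path to the service binary
#   $2 = the only directory the service may write to
# Prints one argument per line so a caller can inspect or reuse the list.
bwrap_args() {
  svc_bin="$1"
  state_dir="$2"
  set --
  # ProtectSystem=strict: the whole root tree is visible but read-only.
  set -- "$@" --ro-bind / /
  # PrivateDevices=yes: a minimal /dev (null, zero, random, ...) without raw device nodes.
  set -- "$@" --dev /dev
  # A fresh procfs that only shows the sandbox's own pid namespace.
  set -- "$@" --proc /proc
  # PrivateTmp=yes: a private tmpfs instead of the host /tmp.
  set -- "$@" --tmpfs /tmp
  # ReadWritePaths=: bind the state directory read-write on top of the read-only root.
  set -- "$@" --bind "$state_dir" "$state_dir"
  # PrivateNetwork=yes plus new pid, ipc, uts, cgroup and user namespaces.
  set -- "$@" --unshare-all
  # CapabilityBoundingSet= (empty): drop every capability inside the sandbox.
  set -- "$@" --cap-drop ALL
  # Start in a fresh session so the service cannot push input into the parent tty.
  set -- "$@" --new-session
  # Start from an empty environment and pass only what the service needs.
  set -- "$@" --clearenv --setenv PATH /usr/bin:/bin
  # Tear the sandbox down if the supervising process exits.
  set -- "$@" --die-with-parent
  # NoNewPrivileges=yes needs no flag: bwrap always sets PR_SET_NO_NEW_PRIVS.
  set -- "$@" -- "$svc_bin"
  printf '%s\n' "$@"
}

# Launch the service under bwrap if it is installed; return 127 otherwise so a
# supervisor script can report the missing dependency instead of running unsandboxed.
run_sandboxed() {
  command -v bwrap >/dev/null 2>&1 || return 127
  args=$(bwrap_args "$1" "$2")
  # Re-read the generated list into the positional parameters, one line each.
  set --
  while IFS= read -r arg; do
    set -- "$@" "$arg"
  done <<EOF
$args
EOF
  exec bwrap "$@"
}

# Demonstration: print the invocation a supervisor would build for the
# hypothetical service (nothing is executed here).
bwrap_args /usr/bin/exampled /var/lib/exampled
```

Running the script prints the flag list; a supervisor script for runit, OpenRC or s6 would call `run_sandboxed /usr/bin/exampled /var/lib/exampled` from the service's run file instead. Unprivileged bwrap needs unprivileged user namespaces enabled (older setups used a setuid bwrap), and a tighter sandbox would replace `--ro-bind / /` with explicit read-only binds of only the directories the service actually needs (for example /usr, /etc and /lib), which is the bubblewrap equivalent of narrowing a unit's `ReadOnlyPaths=`/`InaccessiblePaths=`.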