HN discussion: The Insecurity of Debian | Hacker News
It’s beyond me why people still recommend Debian and its derivatives when we have openSUSE, Fedora, Arch, etc.
Not convinced by this article. Little technical depth and mainly about SELinux vs AppArmor, which is not a Debian-specific problem.
Even current Whonix recommends Debian as your host OS.
Is using CentOS as an LTS distro better than Debian, considering I want to avoid Ubuntu?
Debian’s focus on stability, Debian’s extensive package repository, Debian’s large user community, Debian’s derivatives like Ubuntu are very popular.
And about SELinux:
I’ve worked at many RedHat shops over the years and I’ve never seen one where disabling SELinux wasn’t a normal part of provisioning a server. I haven’t seen the same thing with AppArmor (although I admit I have less visibility into debian systems administration). YMMV but it seems to me that a component which is so inconvenient that it’s normally disabled doesn’t provide much security in the end.
Debian is a good Linux distro. I use and recommend Debian.
Where?
Cool! It’s probably really not that bad, then.
CentOS no longer exists. But, maybe consider Alma Linux.
Sounds like these sysadmins weren’t trained well. If they don’t get the adjustments right (which are often not that difficult with the right tools), they can still switch the domain causing problems to permissive or to unconfined_t, which would still be better than disabling it as a whole.
Maybe just lazy.
It does: Download. EOL only applies to versions below 9.
CentOS stream ?
I don’t know. I never understood the RHEL drama and community backlash. Linking to something that explains simply is appreciated.
What about Ubuntu LTS in that case? Their AppArmor profiles are in good shape, except that they push snaps heavily.
Veronica has a video on this.
Edit - I’d personally rather stick with Debian than Ubuntu
What about the insecurities then ?
Do you know Linus Pauling? He is a scientist who was awarded the Nobel Prize in Chemistry. Later, he started promoting vitamin C to treat cancer.
Whonix is an awesome project, but that doesn’t make all of their recommendations automatically valid; the same applies to other projects and people.
This post mainly mentions not having enough MAC profiles. So if you want to address the issues here… Just install apparmor profiles.
Debian has other issues, but it’s not like these issues are being fully ignored
In my opinion the backlash was a misunderstanding (people on social media jumping to conclusions before understanding the situation). Here is one perspective that is a little more nuanced and thoughtful than much of the social media discourse has been.
What about Ubuntu LTS […] apparmor […] except that they push snaps heavily.
With respect to security, Ubuntu preferencing snap isn’t a bad thing (particularly true for an LTS release, since it allows more up to date packages)
The article discusses mainly SELinux vs AppArmor, but it also touches on Debian’s AppArmor configuration deficiencies.
The ugly truth is that security is hard. It’s tedious. Unpleasant. And requires a lot of work to get right. Debian does not do enough here to protect users.
Debian’s security is good in that, as far as I know, it isn’t designed to spy on or betray users, but out-of-the-box Debian has too many insecurities. Debian users need to do an extreme amount of hardening (days of effort) to make it anywhere near secure. For this reason I cannot recommend vanilla Debian to most people.
With the caveat that not all of below are always sensible, examples of insecure defaults:
- The volume of installed packages is far larger than needed.
- Networking, Firewire, Bluetooth etc are enabled at boot.
- Anyone can gain root privileges using su.
- The firewall accepts all network traffic.
- IPv6 leaks network interfaces’ MAC addresses.
- MAC addresses are not randomised.
- Various insecure kernel parameter settings are in effect.
- Debian’s APT repositories are not bound to a signing OpenPGP key.
- System logs, temp files and caches persist for far longer than needed.
- Recently used files, shell commands and other history are logged.
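Three of the defaults listed in this comment (su open to any user, IPv6 addresses derived from the MAC, accept-all firewall) can be audited from configuration text. The script below is an added example, not from the thread; it assumes Debian-style locations (/etc/pam.d/su, a drop-in under /etc/sysctl.d/, and a saved "nft list ruleset" dump) and runs against constructed sample files.

```shell
#!/bin/sh
# Added audit helpers (not from the thread). Each reads configuration text
# from a file path so it can be pointed at a live system or at copied config.

# Check 1: is su restricted via pam_wheel? (assumed file: /etc/pam.d/su)
# Returns 0 when an uncommented "auth required|requisite pam_wheel.so" line exists.
su_restricted_to_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# Check 2: are IPv6 privacy extensions (RFC 4941 temporary addresses) preferred?
# (assumed file: a drop-in under /etc/sysctl.d/) Returns 0 when use_tempaddr=2
# is set for the "all" or "default" interface template.
ipv6_privacy_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv6\.conf\.(all|default)\.use_tempaddr[[:space:]]*=[[:space:]]*2' "$1"
}

# Check 3: does the firewall drop inbound traffic by default?
# (assumed input: output of "nft list ruleset" saved to a file)
# Returns 0 when a "chain input" block declares "policy drop".
firewall_default_drop() {
    awk '/chain input/ {inchain=1}
         inchain && /policy drop/ {found=1}
         /}/ {inchain=0}
         END {exit !found}' "$1"
}

# Run all three checks, print one PASS/FAIL line each; returns the number of failures.
audit_defaults() {
    fails=0
    su_restricted_to_wheel "$1" && echo "PASS su limited to wheel group"  || { echo "FAIL any user may invoke su"; fails=$((fails+1)); }
    ipv6_privacy_enabled "$2"   && echo "PASS IPv6 privacy extensions on" || { echo "FAIL IPv6 addresses derived from MAC"; fails=$((fails+1)); }
    firewall_default_drop "$3"  && echo "PASS inbound default drop"       || { echo "FAIL firewall accepts all inbound"; fails=$((fails+1)); }
    return $fails
}

# Constructed samples: a Debian-style su file with pam_wheel commented out and a
# hardened variant, a hardened sysctl drop-in, and accept-all vs drop nft rulesets.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'auth sufficient pam_rootok.so' '# auth required pam_wheel.so' '@include common-auth' > "$SAMPLE_DIR/su.default"
printf '%s\n' 'auth sufficient pam_rootok.so' 'auth required pam_wheel.so' '@include common-auth' > "$SAMPLE_DIR/su.hardened"
printf '%s\n' 'net.ipv6.conf.all.use_tempaddr = 2' 'net.ipv6.conf.default.use_tempaddr = 2' > "$SAMPLE_DIR/sysctl.hardened"
printf '%s\n' 'table inet filter {' '  chain input {' '    type filter hook input priority filter; policy accept;' '  }' '}' > "$SAMPLE_DIR/nft.default"
printf '%s\n' 'table inet filter {' '  chain input {' '    type filter hook input priority filter; policy drop;' '  }' '}' > "$SAMPLE_DIR/nft.hardened"

# Demonstration against the Debian-style defaults: expect two FAIL lines (su, firewall).
if audit_defaults "$SAMPLE_DIR/su.default" "$SAMPLE_DIR/sysctl.hardened" "$SAMPLE_DIR/nft.default"; then echo "all checks passed"; else echo "some checks failed"; fi
```

Point the three functions at the real files (or a copied /etc tree) to audit an installed system instead of the samples.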
Maybe Debian can be secure when configured properly. Are there any Debian derivatives that have extreme security hardening? Tails exists, but I don’t know to what extent it has been hardened.
That page just simply says “easy to use” probably because it doesn’t have any MAC policies enabled by default. The fact is there are things you can do with SELinux you cannot do with AppArmor. Particularly related to MCS and VM/container workloads:
Also iirc that whonix wiki has a lot of conspiratorial rubbish on it because literally any nutter is able to contribute to it. There are some very low quality articles on there that state certain things as fact.