What Linux OS is purpose built for security?

[skoggo]

Hi I am fairly new to Linux I was wondering if there is a more security focused version of Ubuntu.

Or which Linux OS is purpose built for security / built to be like the fort knox of operating systems.

I only need the OS to do two things 1 - connect to the internet and watch youtube videos 2 - work on word documents

I have looked into Tails although this does not seem very practical because of the ToR browser, and save issues

I am also look at Alpine which seems more promising, as well as Qubes.

[guiverc]

The highest level of security would be achieved, I suspect, via either

- if using a deb based system (ie. year.month release) using only 'main' packages or packages that the Ubuntu Security team were involved with

- using a snap only product (ie. year based release) where everything runs with confinement and few programs have access to your real file-system; which provides better privacy by default.

Yes the other archives (eg. 'universe' or community packages) follow similar procedures to the 'main' archive - but they don't get the security team audit(s).

ie. You don't need a separate product; you can use existing products; and just don't limit yourself to specific packages that meet the requirements you prefer.

Many enterprise users of Ubuntu avoid touching 'universe' or community packages I've noted in support.

[monkeybrain20122]

Well I think you can make it more secure by fine tuning apparmor or selinux settings. My understanding is that Ubuntu's default apparmor settings are a bit more permissive so that the normal desktop users can actually do normal things without feeling being in a prison. The default Selinux setting on Fedora is very strict so many apps won't run and often the first thing a Fedora user does is too change Selinux's setting to permissive or warnings.

So it has less to do with which distro you use, you can fine tune and configure anything on Linux including security settings.

It depends really on what you use the computer for, the typical desktop use case differs a lot from the "enterprise users", the latter operate in a completely locked down environment that only allows certain specific applications, so IMO what "enterprise users" do is quite irrelevant to the usual desktop users' need and expectations.

But then according to RMS even going on the internet is risky and if he has to he uses a text based browser like Lynx so watching YT videos is a no no. IMHO that is a bit paranoid but to each his own.

[grahammechanical]

You want security when using a computer? Don't connect to the internet. Do not let anybody know your password. Do not install software from sources that you cannot trust. Do not use a computer operating system that is the main target for criminal hackers. At the moment Linux is not the main target but things might change.

With Ubuntu 20.04 it is impossible to disable security updates. Once we connect to the internet the OS will check for security updates and if there are any they will be downloaded and installed.

https://wiki.ubuntu.com/SecurityTeam/Policies

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/

Canonical has a very secure version of Ubuntu called Ubuntu core. It lacks a desktop environment and user interface. Redhat is working on something called Silverblue which I know very little about. Except that it aims to be what is called an immutable OS. Which means the user (and others) cannot alter the operating system. This is the situation with Ubuntu Core.

There are similarities but the main difference as far as I can tell, is that Canonical is not offering even as a test project a desktop edition of Ubuntu Core. There was such a test project several years ago called Ubuntu Personal. It proved proof of concept but development has not publicaly continued.

Regards

[HermanAB]

Any Linux distribution will suffice for that use case. I suggest that you install Linux, then relax and enjoy the system. You will gradually learn why you suddenly don’t have issues with viruses and malware anymore.

[ActionParsnip]

If you install a minimal install of Ubuntu using the minimal ISO, then install libreoffice, firefox and lxde then you will get a very small and punchy OS with a minimal footprint (obviously switch to a different desktop session if you prefer).

Fewer services and applications gives less scope for attack.

As stated above, things like SELinux and AppArmor can be used to improve an OSes security but the weakest link will always be the human using the system.

[bunny9000]

On the ubuntu gui version I always install gufw which allows you to control your firewall easily with a nice graphical app. You can disable all incoming and anything outgoing if you want. You don't need to install a graphical app. iptables is pretty easy to configure via command line and if your distro has se linux that adds another layer.

Linux is a bit like lego, you can build your distro up from its base to be a secure or insecure as you want. You might also want to check if your home router has a firewall built into and fine tune it. You could purchase a physical firewall at your home or office also.

[QIII]

No Linux distribution is bullet proof. All Linux distributions can be made as secure as any other if you take the time needed.

If you are looking for one that already has the pieces installed, don't let that fool you. No matter what, security is not a "fire and forget" exercise. It is a constantly evolving process that will bear your constant attention. Even if you have one machine with all the security bells and whistles, another unprotected machine on your network can compromise it. Your security should extend out to your router with regard to security settings and further out to the web with regard to security hygiene there. Personally, I wouldn't call Tor a security measure. It provides anonymity and obscurity, but security by obscurity and security by anonymity are not security at all. And even with Tor you have to pay attention to web hygiene so you don't drop bits of information all over the place for people to gather and build a picture of you. Further, if you are using Tor with a router using a wifi connection that is unencrypted, the guy driving down your street scanning for unprotected wireless networks will walk right in. If your password is weak, he only has to take a short while to pick the lock.

If you are looking for distros that claim some superiority in the security department, you might try Qubes, Arch, Tails or Kali. But as you have noted with Tails, there is still a learning curve to proper setup.

As I said, you also need to choose a router that give you security tools.

You could also look outside of Linux to the BSDs. Expect a bit larger learning curve there.

[HermanAB]

Btw when I need to be paranoid about security, I use OpenBSD.

[TheFu]

I believe the most secure, end-user, OS is ChromeOS running on a chromebook. There is a F/LOSS distro called "ChromiumOS", but it loses the tight integration between the OS and the hardware that google provides in their supported Chromebooks. For typical end-user stuff, ChromeOS is fine and prevents many security problems. It automatically patches and maintains 2 full OS setups - A and B. When B is being used, A gets updated. At the next reboot, A will be used and B will be updated. In this way, there should always be a bootable OS, assuming no hardware failures. The in-use OS is mounted read-only and the updated OS is cryptographically signed and validated. Of course, ChromeOS typically runs on lower powered systems, but it has hardware and driver support for the most challenging video playback work, so we don't care so much that the CPU is slow.

ChromeOS encrypts the user's data area. I don't recall looking at the storage from outside - it is hard because the hardware only boots chromeOS and nothing else. Modifying the firmware to allow booking other OSes prevents ChromeOS from booting. Once I physically modified the hardware to allow a different BIOS to be installed, I was unable to put the original BIOS back and run ChromeOS again. ;( This was 6+ yrs ago, and I was able to get ChromiumOS installed and running. But I needed just a little bit more control over the OS - for example, it didn't support NFS which was a game stopper for my needs. NFS is a way of life here. Without it, may as well cut off both my legs and 1 arm.

Plus, ChromeOS has this idea of "Powerwashing" the OS - which is basically setting it back to the factory setup. At the next login (assuming a gmail account is used), all the files and settings will be pulled down again. Doing a fresh ChromeOS install isn't hard either. I've used 4GB SDHC cards to get things "just so."

Finding a ChromiumOS distro is getting harder, as the companies creating those restrict the installs. Used to be that we could pull an installer and run it on almost any system, including into virtual machines, which was very nice for showing off or to use for on-line banking. Last time I went looking, the virtual machine installs have all been removed or made less easy to install.

Don't expect any privacy.

Obviously, security and privacy are completely different things.

The smaller any OS is, the more likely it will actually be secure. Less code == fewer bugs, right?