Feature Request: Security... eventually

[Sepero]

Hi there. I'm very new to Bedrock Linux and I'm very interested to use it as desktop distribution one day. I believe that the security issue is somewhat of a problem, but not insurmountable. For the current time being, I understand that Bedrock is young, and there are currently other pressing issues about getting the system stable/working. If users like myself could be assured that Bedrock at least has distant future plans to increase security, then that would be very comforting.

If this sounds okay, then I perhaps we may get some wording to this effect into the documentation: In the future, we have intentions to improve Bedrock security after the base system becomes more stabilized.

Thanks for considering,
Bedrock fan

[paradigm]

Hi Sepero!

Sorry for not getting back to you earlier - completely missed this. I've been a bit myopic about trying to get the upcoming Bedrock Linux release out.

What do you mean by "the security issue"? This makes it sound like there's one security issue in particular you're referring to.

The closest things that come to mind - especially considering this is related to the website - are these FAQ entries:

If you value security, note that Bedrock Linux probably has the highest attack surface of just about any Linux distribution, mostly because its attack surface is the sum of the attack surfaces of just about every other Linux distribution combined. While steps can be taken to alleviate this to some degree, ultimately, a locked-down Bedrock Linux can never truly reach the security offered by a locked-down standard Linux distribution.

and

Bedrock, by its very design, interweaves other Linux distributions together; it ensures they share quite a bit. This means if there is a security vulnerability in one of the clients, there is little to stop it from affecting the rest of the system. Virtual machines, by their very design, sandbox the clients, such that an attack on one of them will have a difficult time propagating to others.

If that's what you mean, that's not something I have any intention of "fixing" in the future; it's a fundamental design trade-off. We can't fix it and still do what Bedrock Linux is trying to do. You can't have your cake and eat it too.

Think of it like a fence - the longer the fence, the more places in it there could be a hole that a bad guy could get in. A small, tight fence is easier to fully audit to ensure is hole-free, to maintain, and to guard. However, you can't protect as much stuff with it. So goes it with software distribution: the more software you make available (especially if it "just works" without additional access controls that have to be lifted), the more things a bad guy could potentially use to attack you. This is concept often referred to as an attack surface. From a security point-of-view you want to minimize your attack surface, but there's a trade off to doing so in that you get less stuff.

Bedrock Linux, in some sense, is a distro which has the largest repository of any other distro. Thus, for better or worse, it has the largest attack surface. I can't simultaneously reduce the attack surface and maintain accessibility to all of the software out there.

Note that there are hardening techniques. You're certainly welcome to use Bedrock Linux with Mandatory Access Control, use hardened packages with grsecurity (just no chroot() hardening - that breaks bedrock) (or at least you could for a while), as well as a bunch of other stuff. However, you can use all of those things on other distros as well; they're not unique to Bedrock Linux. And if you use such techniques on some minimal, security-oriented distro with a limited package set, statistically you're probably more secure than you are on Bedrock Linux.

I do want to be completely open with Bedrock Linux; I don't intend to hide it's faults. Any security minded people would have realized this had it been conspicuously hidden from the website.

The closest thing to a security-oriented Bedrock Linux I can think of is Qubes, which is a really cool project that uses virtualization to segregate things and lock them down, while still presenting a usable interface to allow things to interact. It has to make a number of trade-offs for this security, though, in comparison to Bedrock Linux; by its very design, it can't "just work" the way Bedrock Linux tries too, and it'll have much more overhead. But it'll also be much harder to break than the vast majority of distros out there, non-hardened Bedrock Linux very much included. If security is an important enough deal for you that the trade-offs sound worth it, I'd definitely recommend giving Qubes a look.

If I failed to guess the security issue you're referring to, feel free to point it out more specifically and I'll be happy to address it.

[Sepero]

Yes I was referring to the issue you addressed here. I understand your point that we can secure Bedrock, but this won't do a lot to increase the security of the distro's it relies upon. Perhaps I made a mistake, because the way things are worded, I was reading it similarly to this-

Our distribution is going to vulnerable, and because of this, we aren't really going to try to implement any security measures

This would be something that I hope could improved after the base system became more stabilized. But perhaps I was wrong in reading it this way? Thank you for all your great work.

[paradigm]

Yes I was referring to the issue you addressed here.

Good, at least we're on the same page there, as I think we're not elsewhere.

I understand your point that we can secure Bedrock, but this won't do a lot to increase the security of the distro's it relies upon.

That wasn't my intended point. In fact, I disagree with it. We can do things to lock down the packages acquired from other distros. Mandatory Access Control (MAC) is one example means of doing so I provided in the previous post.

I'd also like to note that the differentiation between a Bedrock Linux system and the software from other distributions that are combine to make a Bedrock Linux system isn't overly meaningful in this context. That's like differentiating "a forest" and "a collection of trees"; you can't fireproof a forest without also fireproofing the trees that make it up. If you were to harden a Bedrock Linux system with MAC, not only would you be securing packages acquired from other distros but you'd do it with MAC software from other distros. A Bedrock Linux system is a collection of packages from other distributions (and some Bedrock Linux "glue" to make them work together).

Perhaps I made a mistake, because the way things are worded, I was reading it similarly to this-

Our distribution is going to vulnerable, and because of this, we aren't really going to try to implement any security measures

This would be something that I hope could improved after the base system became more stabilized. But perhaps I was wrong in reading it this way?

That was definitely not the message I was hoping to get across with it. Bedrock Linux is not (necessarily) going to be vulnerable, and we definitely do implement security measures, and I plan on further documenting hardening techniques down the road.

I'm not sure how you came to that interpretation or how to reword things to remedy it. I had hoped my previous post would get across what I had intended with the discussed sections of the website so we could work towards rewording the website to make the underlying intent come across more clearly, but I'm concerned I still didn't get things across. I don't know how to progress from here beyond assuring you that we're not knowing releasing insecure software (although I do have to admit patch times for discovered issues may be slow during the beta).

[Sepero]

Bedrock Linux is not (necessarily) going to be vulnerable, and we definitely do implement security measures, and I plan on further documenting hardening techniques down the road.

That's good news. All these thing you mention about MAC hardening are good things to know. This is the kind of information I would like to see referenced on the page- http://bedrocklinux.org/faq.html Perhaps a new section specifically for security. I think that just simply stating the implemented security measures, and any intentions to minimally harden security in the future would be great.

I do want to be completely open with Bedrock Linux; I don't intend to hide it's faults.

Yes I can understand, and that is appreciated. Though, I suspect that any security minded people might (should) also realize the possible vulnerabilities of Bedrock, without very very explicit explanation. A fear of mine is that I don't want non-security people scared away by statements like this, "[Bedrock's] attack surface is the sum of the attack surfaces of just about every other Linux distribution combined" (from the faq).

although I do have to admit patch times for discovered issues may be slow during the beta

Yes, this is true for many smaller distros! And because of this, I believe Bedrock has the potential to actually Increase Distro Security. Let me explain. Assuming Bedrock has 2 clients- one very secure, and another with questionable security. For example- Debian and ObscureX. Someone wants the stability and security of Debian, but also wants test out software from some lesser distro. By mixing packages from both, Bedrock could have a Security Level somewhere between the two.

So from that, I believe Bedrock is capable of increasing security some cases, and so I think the following statement is not necessarily true, "Bedrock Linux probably has the highest attack surface of just about any Linux distribution" (from the faq). Perhaps we can show the security of Bedrock from positive perspective, and not only negative.

I appreciate your patience in dealing with me. :)

[paradigm]

Bedrock Linux is not (necessarily) going to be vulnerable, and we definitely do implement security measures, and I plan on further documenting hardening techniques down the road.

That's good news. All these thing you mention about MAC hardening are good things to know. This is the kind of information I would like to see referenced on the page- http://bedrocklinux.org/faq.html Perhaps a new section specifically for security. I think that just simply stating the implemented security measures, and any intentions to minimally harden security in the future would be great.

A new FAQ entry on specifically security is an excellent idea. I'll definitely follow up on that.

I do want to be completely open with Bedrock Linux; I don't intend to hide it's faults.

Yes I can understand, and that is appreciated. Though, I suspect that any security minded people might (should) also realize the possible vulnerabilities of Bedrock, without very very explicit explanation. A fear of mine is that I don't want non-security people scared away by statements like this, "[Bedrock's] attack surface is the sum of the attack surfaces of just about every other Linux distribution combined" (from the faq).

Your fear is not only well founded, it seems prophetic. I should definitely rephrase things.

although I do have to admit patch times for discovered issues may be slow during the beta

Yes, this is true for many smaller distros! And because of this, I believe Bedrock has the potential to actually Increase Distro Security. Let me explain. Assuming Bedrock has 2 clients- one very secure, and another with questionable security. For example- Debian and ObscureX. Someone wants the stability and security of Debian, but also wants test out software from some lesser distro. By mixing packages from both, Bedrock could have a Security Level somewhere between the two.

Yup, very true. Consider the scenario where Bedrock Linux's offering is not available: if your distro doesn't have a package you want, and you compile it from source (and stick it in /opt and symlink to /usr/local, or make a .deb and dpkg it, or some such thing), it's on you to keep it up-to-date with security patches. Many people won't be good about such things which could cause security issues. By ensuring one can get such software from other, maintained distros, it decreases the chance of this kind of thing happening.

So from that, I believe Bedrock is capable of increasing security some cases, and so I think the following statement is not necessarily true, "Bedrock Linux probably has the highest attack surface of just about any Linux distribution" (from the faq).

I still think that statement is technically true, but it seems others are interpreting it in a very different way from what I had in mind. Better phrasing is clearly needed.

Perhaps we can show the security of Bedrock from positive perspective, and not only negative.

Sounds good to me.

I appreciate your patience in dealing with me. :)

Hey, I appreciate you going out of your way to help Bedrock Linux!

Here's a rough draft of the proposed changes. I threw a few other concepts (stability and complexity) into the mix as they seemed fitting with the security related changes. Let me know if you think they remedy the issue, or if you see any room for further improvement.

(existing item I am updating)

## Why should I not use Bedrock Linux?

- If you are happy with all of the functionality provided by another Linux
  distribution, and you have no interest in features it does not provide, it
  would likely be best to simply use that other Linux distribution.

- Bedrock Linux is still in deep development with a relatively small community.
  While stability, reliability, and accessibility are high priorities for the
  eventual "stable" release, they may be lacking in the project's current place
  in the development cycle.  If you are willing to put up with some rough edges
  more testers are certainly welcome, but if you are looking for a stable,
  well-proven or user-friendly distro Bedrock Linux may not yet meet your
  needs.  See the [stability FAQ entry below](#stability).

- While Bedrock Linux can acquire beneficial attributes of other distributions,
  it can also take in some negative attributes, namely *lax security*.  A
  Bedrock Linux system composed of careful chosen, curated components from
  other distributions with properly configured hardening techniques may be more
  secure than most other distros out there; however, one composed of a
  cacophony of overly-complicated insecure packages from poorly designed and
  ill maintained distros could easily be much worse than most other distros.  In
  other words, Bedrock Linux's flexibility lets you shoot yourself in the foot
  in wholly new and unique ways.  See the [security FAQ entry below](#security).

- Just as security issues are additive, so is complexity.  Any two distros *X*
  and *Y* would each be, individually, simpler than a Bedrock Linux system
  which is composed of packages from both distros *X* and *Y*.  While this
  complexity is manageable in practice, those looking for extreme
  minimal/simple distros may prefer to look elsewhere.

(new FAQ entries)

## How secure is Bedrock Linux?

A Bedrock Linux is composed of packages from other distributions.  If you
limit yourself to packages from secure, well-proven, hardened distros,
security should be comparable to those distros themselves.  If you use less
secure packages from less secure distros, Bedrock Linux's security will
suffer accordingly.  In theory Bedrock Linux allows one to build a system
out of every package from every major distro without any access controls in
place, which would have an incredible attack surface and be a terrible
idea.  Don't do that.

In practice, Bedrock Linux does offer some notable security benefits over other
traditional distros:

- If a distro does not provide a desired version of a desired package, a user
  is typically expected to go acquire it outside of the distro's repositories.
  It then falls on the user to maintain the package himself/herself.  While it
  is possible a given user is extremely diligent about maintaining such
  packages, there is a strong possibility the user may fail to follow proper
  diligence and let security updates languish.  With Bedrock Linux, the package
  may be acquired from another, maintained distribution whose security team the
  user can depend on.

- Some hardening techniques from one distro may protect software from others.
  For example, a hardened kernel from one distro may be used with packages from
  another distro that does not provide such a hardened kernel.  Access control
  mechanisms such as SELinux as provided by one distro may be configured to
  extend to packages from other distros that would not have natively provided
  such access control mechanisms at all.

There are also some downsides to Bedrock Linux from a security
point-of-view:

- `chroot()`-hardening techniques will break Bedrock Linux.  Some people
  attempt to misuse `chroot()` as a security tool, unaware of the many ways
  `chroot()` "contained" things can influence the rest of the system.  These
  hardening techniques attempt to shore up these limitations of using
  `chroot()` as a pseudo-container.  Bedrock Linux uses `chroot()` to a nuanced
  degree, taking advantage of the areas where it does *not* contain things;
  changes there will break Bedrock Linux.  If you need to lock down `chroot()`,
  consider changing or expanding your strategy to include things such as using
  `pivot_root` and namespaces.

- Some distros provide security mechanisms such as SELinux policies or
  intrusion detection systems which may not "just work" across packages from
  different, unrelated distros in a Bedrock Linux system.  It may be possible
  to manually extend such policies and mechanisms to cover the entirety of a
  Bedrock Linux system composed of packages from a variety of distros, but
  additional work would be required; it won't "just work".

## How stable is Bedrock Linux?

Stability and, where that fails, resilience to otherwise potentially
breaking issues, is a high priority for the project. The reason the project
was originally started was to allow access to newer packages without the
sacrifice in stability provided by distros such as Debian and RHEL

However, at the moment, Bedrock Linux is in deep development and it is very
possible that stability issues may arise.  Moreover, the community is
relatively small, limiting our ability to properly test and quality-assure
the project in its current state.  While stability is a valued eventual
goal, it may be lacking to some degree or another at the current time.

Even when 1.0 stable is reached, Bedrock Linux's flexibility may allow for
unstable configurations.  A Bedrock Linux is composed of packages from
other distributions.  If you limit yourself to packages from stable,
well-proven distros, stability will follow. If you use less stable packages
packages from less stable distros, Bedrock Linux's stability will suffer
accordingly.

Neither an all-very-stable package collection nor an all-bleeding-edge
package collection is required.  Rather, a blend of the two is where
Bedrock Linux is able to excel.  In such a setup, a user can keep around
and depend on stable software while still having access to less dependable,
more cutting edge software.  Should some software fail - most likely the
bleeding-edge software, but not impossibly the older software software -
packages from other distros can fill the functionality gap, minimizing the
hit.  This even works with things such as init systems: should an init
system fail, traditional distros would be rendered unbootable without
manual efforts to resolve.  With Bedrock Linux one can simply chose
an init system from another distro.

[Sepero]

I'd like to suggest some edits., but it's a lot for me to digest in one read through. Can you incorporate it into the website, and I'll submit pull requests?
https://github.com/bedrocklinux/bedrocklinux-website/blob/master/markdown/faq.md

[Sepero]

I tend to be a believer in the philosophy of "simpler is better", so I may also prefer to remove an entire sentence or two in pull requests. You'll have to judge for yourself what you feel is and isn't appropriate to remove.

[paradigm]

I incorporated it into the website. Take a look, let me know what you think.