mirror of
https://github.com/clearlinux/clear-linux-documentation.git
synced 2026-05-01 12:33:44 +00:00
268 lines
15 KiB
HTML
268 lines
15 KiB
HTML
|
||
<!DOCTYPE html>
|
||
|
||
<html lang="en" data-content_root="../../">
|
||
<head>
|
||
<meta charset="utf-8" />
|
||
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
|
||
|
||
<title>OS Security — Documentation for Clear Linux* project</title>
|
||
<link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
|
||
<link rel="stylesheet" type="text/css" href="../../_static/bizstyle.css?v=5283bb3d" />
|
||
<link rel="stylesheet" type="text/css" href="../../_static/copybutton.css?v=76b2166b" />
|
||
|
||
<script src="../../_static/documentation_options.js?v=5929fcd5"></script>
|
||
<script src="../../_static/doctools.js?v=9bcbadda"></script>
|
||
<script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
|
||
<script src="../../_static/clipboard.min.js?v=a7894cd8"></script>
|
||
<script src="../../_static/copybutton.js?v=a56c686a"></script>
|
||
<script src="../../_static/bizstyle.js"></script>
|
||
<link rel="canonical" href="https://clearlinux.github.io/clear-linux-documentation/guides/clear/security.html" />
|
||
<link rel="icon" href="../../_static/favicon.ico"/>
|
||
<link rel="author" title="About these documents" href="../../about.html" />
|
||
<link rel="index" title="Index" href="../../genindex.html" />
|
||
<link rel="search" title="Search" href="../../search.html" />
|
||
<link rel="next" title="Stateless" href="stateless.html" />
|
||
<link rel="prev" title="Performance" href="performance.html" />
|
||
<meta name="viewport" content="width=device-width,initial-scale=1.0" />
|
||
<!--[if lt IE 9]>
|
||
<script src="_static/css3-mediaqueries.js"></script>
|
||
<![endif]-->
|
||
</head><body>
|
||
<div class="related" role="navigation" aria-label="Related">
|
||
<h3>Navigation</h3>
|
||
<ul>
|
||
<li class="right" style="margin-right: 10px">
|
||
<a href="../../genindex.html" title="General Index"
|
||
accesskey="I">index</a></li>
|
||
<li class="right" >
|
||
<a href="stateless.html" title="Stateless"
|
||
accesskey="N">next</a> |</li>
|
||
<li class="right" >
|
||
<a href="performance.html" title="Performance"
|
||
accesskey="P">previous</a> |</li>
|
||
<li class="nav-item nav-item-0"><a href="../../index.html">Documentation for Clear Linux* project</a> »</li>
|
||
<li class="nav-item nav-item-1"><a href="../index.html" accesskey="U">Guides</a> »</li>
|
||
<li class="nav-item nav-item-this"><a href="">OS Security</a></li>
|
||
</ul>
|
||
</div>
|
||
|
||
<div class="document">
|
||
<div class="documentwrapper">
|
||
<div class="bodywrapper">
|
||
<div class="body" role="main">
|
||
|
||
<section id="os-security">
|
||
<span id="security"></span><h1>OS Security<a class="headerlink" href="#os-security" title="Link to this heading">¶</a></h1>
|
||
<p>Clear Linux* OS aims to make systemic and layered security-conscious decisions
|
||
that are both performant and practical. This security philosophy is rooted
|
||
within the project’s codebase and operating culture.</p>
|
||
<nav class="contents local" id="contents">
|
||
<ul class="simple">
|
||
<li><p><a class="reference internal" href="#security-in-updates" id="id1">Security in updates</a></p></li>
|
||
<li><p><a class="reference internal" href="#security-in-software" id="id2">Security in software</a></p></li>
|
||
<li><p><a class="reference internal" href="#security-in-system-design" id="id3">Security in system design</a></p></li>
|
||
</ul>
|
||
</nav>
|
||
<section id="security-in-updates">
|
||
<h2><a class="toc-backref" href="#id1" role="doc-backlink">Security in updates</a><a class="headerlink" href="#security-in-updates" title="Link to this heading">¶</a></h2>
|
||
<p>The Clear Linux OS team believes in the benefits of software security through open
|
||
sourcing, incremental updates, and rapidly resolving known security advisories.</p>
|
||
<section id="the-latest-linux-codebase">
|
||
<h3>The latest Linux* codebase<a class="headerlink" href="#the-latest-linux-codebase" title="Link to this heading">¶</a></h3>
|
||
<p>Clear Linux OS uses the newest version of the Linux kernel which allows the operating
|
||
system to leverage the latest features from the upstream Linux kernel,
|
||
including security fixes.</p>
|
||
</section>
|
||
<section id="automated-effective-updating">
|
||
<h3>Automated effective updating<a class="headerlink" href="#automated-effective-updating" title="Link to this heading">¶</a></h3>
|
||
<p>Clear Linux OS is incrementally updated multiple times per day.</p>
|
||
<p>This <a class="reference external" href="https://en.wikipedia.org/wiki/Rolling_release">rolling release</a> model allows Clear Linux OS to consume the latest security fixes
|
||
of software packages as soon as they become available. There is no waiting for
|
||
major or minor releases on Clear Linux OS.</p>
|
||
<p>An update is not effective if it is just simply downloaded onto a system.
|
||
It needs to be obtained <em>AND</em> ensured that the new patched copy is being
|
||
used; not an older copy loaded into memory. Clear Linux OS will let you know when a
|
||
service needs to be rebooted or do it for your automatically after
|
||
a software update, if desired.</p>
|
||
<p>In Clear Linux OS updates are delivered automatically, efficiently, and effectively. For
|
||
more information about software updates in Clear Linux OS, refer to the <a class="reference internal" href="swupd.html#swupd-guide"><span class="std std-ref">swupd</span></a>
|
||
guide.</p>
|
||
</section>
|
||
<section id="automated-cve-scanning-and-remediation">
|
||
<h3>Automated CVE scanning and remediation<a class="headerlink" href="#automated-cve-scanning-and-remediation" title="Link to this heading">¶</a></h3>
|
||
<p>The sheer number of software packages and security vulnerabilities is growing
|
||
exponentially. Repositories of Common Vulnerabilities and Exposures (CVEs)
|
||
and their fixes, if known, are published by <abbr>NIST</abbr> in a
|
||
National Vulnerability Database <a href="https://nvd.nist.gov/" target="_blank">https://nvd.nist.gov/</a> and at <a href="https://cve.mitre.org/" target="_blank">https://cve.mitre.org/</a> .</p>
|
||
<p>Clear Linux OS employs a proactive and measured approach to addressing known
|
||
and fixable <abbr title="Common Vulnerabilities and Exposures">CVEs</abbr>.
|
||
Packages are automatically scanned against CVEs daily, and security
|
||
patches are deployed as soon as they are available.</p>
|
||
<p>These combined practices minimize the amount of time Clear Linux OS systems are exposed to unnecessary security risk.</p>
|
||
</section>
|
||
</section>
|
||
<section id="security-in-software">
|
||
<h2><a class="toc-backref" href="#id2" role="doc-backlink">Security in software</a><a class="headerlink" href="#security-in-software" title="Link to this heading">¶</a></h2>
|
||
<section id="minimized-attack-surface">
|
||
<h3>Minimized attack surface<a class="headerlink" href="#minimized-attack-surface" title="Link to this heading">¶</a></h3>
|
||
<p>Clear Linux OS removes legacy, unneeded, or redundant standards and components as much as
|
||
possible to enable the use of best known security standards. Below are some
|
||
examples:</p>
|
||
<ul class="simple">
|
||
<li><p><cite>RC4</cite>, <cite>SSLv3</cite>, <cite>3DES</cite>, and <cite>SHA-1</cite> ciphers which have had known
|
||
vulnerabilities, have been explicitly disabled within many Clear Linux OS packages to
|
||
avoid their accidental usage.</p></li>
|
||
<li><p>Services and subsystems which expose sensitive system information
|
||
have been removed such as the <cite>finger</cite> and <cite>tcpwrappers</cite>.</p></li>
|
||
<li><p><cite>SFTP</cite> has been disabled by default due to security considerations.</p></li>
|
||
</ul>
|
||
</section>
|
||
<section id="verified-trust">
|
||
<h3>Verified trust<a class="headerlink" href="#verified-trust" title="Link to this heading">¶</a></h3>
|
||
<p>Clear Linux OS encourages the use of secure practices such as encryption
|
||
and digital signature verification throughout the system and discourages blind
|
||
trust. Below are some examples:</p>
|
||
<ul class="simple">
|
||
<li><p>All update operations from swupd are transparently encrypted and checked
|
||
against the Clear Linux OS maintainers’ public key for authenticity.
|
||
More information about swupd security can be found in the
|
||
<a class="reference external" href="https://clearlinux.org/blogs/security-software-update-clear-linux-os-intel-architecture">Security for software update in Clear Linux* OS</a> blog post.</p></li>
|
||
<li><p>Before being built, packages available from Clear Linux OS verify checksums and
|
||
signatures provided by third party project codebases and maintainers.</p></li>
|
||
<li><p>Clear Linux OS features a unified certificate store, <a class="reference external" href="https://github.com/clearlinux/clrtrust">clrtrust</a> which comes
|
||
ready to work with well-known Certificate Authorities out of the box.
|
||
clrtrust also offers an easy to use command line interface for managing
|
||
system-wide chains of trust, instead of ignoring foreign certificates.</p></li>
|
||
</ul>
|
||
</section>
|
||
<section id="compiled-with-secure-options">
|
||
<h3>Compiled with secure options<a class="headerlink" href="#compiled-with-secure-options" title="Link to this heading">¶</a></h3>
|
||
<p>While Clear Linux OS packages are optimized for performance on Intel® architecture,
|
||
security conscious kernel and compiler options are sensibly taken advantage of.
|
||
Below are some examples:</p>
|
||
<ul class="simple">
|
||
<li><p>Kernels shipped with Clear Linux OS are signed and disallow the usage of
|
||
custom kernel modules to maintain verifiable system integrity.</p></li>
|
||
<li><p><a class="reference external" href="https://en.wikipedia.org/wiki/Address_space_layout_randomization">Address space layout randomization (ASLR)</a> and
|
||
<a class="reference external" href="https://lwn.net/Articles/569635/">Kernel address space layout randomization (KASLR)</a> are kernel features
|
||
which defend against certain memory based attacks.
|
||
More information about PIE executables can be found in the
|
||
<a class="reference external" href="https://clearlinux.org/blogs/recent-gnu-c-library-improvements">Recent GNU* C library improvements</a> blog post.</p></li>
|
||
</ul>
|
||
</section>
|
||
</section>
|
||
<section id="security-in-system-design">
|
||
<h2><a class="toc-backref" href="#id3" role="doc-backlink">Security in system design</a><a class="headerlink" href="#security-in-system-design" title="Link to this heading">¶</a></h2>
|
||
<p>Simple, yet effective, techniques are used throughout the Clear Linux OS system design to
|
||
defend against common attack vectors and enable good security hygiene. Below are
|
||
some examples:</p>
|
||
<ul class="simple">
|
||
<li><p>Full disk encryption using <abbr title="Linux Unified Key Setup">LUKS</abbr> is available
|
||
during installation. Refer to <a class="reference external" href="https://gitlab.com/cryptsetup/cryptsetup/">cryptsetup</a> for additional information about
|
||
LUKS.</p></li>
|
||
<li><p>Clear Linux OS uses the PAM cracklib module to harden user login and password
|
||
security resulting in:</p>
|
||
<ul>
|
||
<li><p>No default username or root password set out of the box with
|
||
Clear Linux OS, you will be asked to set your own password immediately.</p></li>
|
||
<li><p>Simple password schemes, which are known to be easily compromised,
|
||
cannot be set in Clear Linux OS.</p></li>
|
||
<li><p>A password blacklist, to avoid system passwords being set to
|
||
passwords which have been compromised in the past.</p></li>
|
||
</ul>
|
||
</li>
|
||
<li><p><a class="reference external" href="https://github.com/clearlinux/tallow">Tallow</a>, a lightweight service which monitors and blocks suspicious SSH
|
||
login patterns, is installed with the <strong class="command">openssh-server</strong> bundle.</p></li>
|
||
</ul>
|
||
<p><em>Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries.</em></p>
|
||
</section>
|
||
</section>
|
||
|
||
|
||
<div class="clearer"></div>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
<div class="sphinxsidebar" role="navigation" aria-label="Main">
|
||
<div class="sphinxsidebarwrapper">
|
||
<p class="logo"><a href="../../index.html">
|
||
<img class="logo" src="../../_static/clearlinux.png" alt="Logo of Clear Linux* Project Docs"/>
|
||
</a></p>
|
||
<div>
|
||
<h3><a href="../../index.html">Table of Contents</a></h3>
|
||
<ul>
|
||
<li><a class="reference internal" href="#">OS Security</a><ul>
|
||
<li><a class="reference internal" href="#security-in-updates">Security in updates</a><ul>
|
||
<li><a class="reference internal" href="#the-latest-linux-codebase">The latest Linux* codebase</a></li>
|
||
<li><a class="reference internal" href="#automated-effective-updating">Automated effective updating</a></li>
|
||
<li><a class="reference internal" href="#automated-cve-scanning-and-remediation">Automated CVE scanning and remediation</a></li>
|
||
</ul>
|
||
</li>
|
||
<li><a class="reference internal" href="#security-in-software">Security in software</a><ul>
|
||
<li><a class="reference internal" href="#minimized-attack-surface">Minimized attack surface</a></li>
|
||
<li><a class="reference internal" href="#verified-trust">Verified trust</a></li>
|
||
<li><a class="reference internal" href="#compiled-with-secure-options">Compiled with secure options</a></li>
|
||
</ul>
|
||
</li>
|
||
<li><a class="reference internal" href="#security-in-system-design">Security in system design</a></li>
|
||
</ul>
|
||
</li>
|
||
</ul>
|
||
|
||
</div>
|
||
<div>
|
||
<h4>Previous topic</h4>
|
||
<p class="topless"><a href="performance.html"
|
||
title="previous chapter">Performance</a></p>
|
||
</div>
|
||
<div>
|
||
<h4>Next topic</h4>
|
||
<p class="topless"><a href="stateless.html"
|
||
title="next chapter">Stateless</a></p>
|
||
</div>
|
||
<div role="note" aria-label="source link">
|
||
<h3>This Page</h3>
|
||
<ul class="this-page-menu">
|
||
<li><a href="../../_sources/guides/clear/security.rst.txt"
|
||
rel="nofollow">Show Source</a></li>
|
||
</ul>
|
||
</div>
|
||
<search id="searchbox" style="display: none" role="search">
|
||
<h3 id="searchlabel">Quick search</h3>
|
||
<div class="searchformwrapper">
|
||
<form class="search" action="../../search.html" method="get">
|
||
<input type="text" name="q" aria-labelledby="searchlabel" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false"/>
|
||
<input type="submit" value="Go" />
|
||
</form>
|
||
</div>
|
||
</search>
|
||
<script>document.getElementById('searchbox').style.display = "block"</script>
|
||
</div>
|
||
</div>
|
||
<div class="clearer"></div>
|
||
</div>
|
||
<div class="related" role="navigation" aria-label="Related">
|
||
<h3>Navigation</h3>
|
||
<ul>
|
||
<li class="right" style="margin-right: 10px">
|
||
<a href="../../genindex.html" title="General Index"
|
||
>index</a></li>
|
||
<li class="right" >
|
||
<a href="stateless.html" title="Stateless"
|
||
>next</a> |</li>
|
||
<li class="right" >
|
||
<a href="performance.html" title="Performance"
|
||
>previous</a> |</li>
|
||
<li class="nav-item nav-item-0"><a href="../../index.html">Documentation for Clear Linux* project</a> »</li>
|
||
<li class="nav-item nav-item-1"><a href="../index.html" >Guides</a> »</li>
|
||
<li class="nav-item nav-item-this"><a href="">OS Security</a></li>
|
||
</ul>
|
||
</div>
|
||
<div class="footer" role="contentinfo">
|
||
© Copyright 2022 Intel Corporation. All Rights Reserved..
|
||
Last updated on Nov 04, 2024.
|
||
Created using <a href="https://www.sphinx-doc.org/">Sphinx</a> 8.1.3.
|
||
</div>
|
||
</body>
|
||
</html> |