Why is our country not using a "hardened" Linux as a defense against hacking attacks?
by azalea4va from LinuxQuestions.org on (#5BWVM)
Why has there not been a massive shift from Windows to a hardened version of Linux? Installing malware should be much harder than it is. (Depending on how hackers were able to change SolarWinds source code, what follows would not address that particular cluster futz.)
I had a computer many years ago where the hard disk had a jumper setting to make it read-only. It would be easy to physically alter a computer system to have hard disks connected to physical switches that made disks read-only.
In Linux/Unix, everything in /usr is designed so it can operate normally as read-only. The reason there is a /usr is originally disks were not big enough to hold everything needed so /usr stored the less critical OS stuff. In today's environment, everything in directories /bin, /lib could be moved to /usr/bin, /usr/lib. The directory /etc was originally designed to be for just configuration files but now is a mixture of things including some things that are really just executables. The executables could be moved to a /usr/etc.
For true config files, Linux could be easily modified so configuration files that either are writable or are essentially "executable" shell scripts could automatically run SUID to some unprivileged user (so if ever executed, they cannot alter "root" files).
That is the basic idea: all system files that execute could be on a read-only disk. What would remain could be in /var and be unexecutable as root. That goes a long way to prevent malware from being installed at a minimal cost. When updates or new software need to be installed, one must flip a switch on the computer to make the /usr hard drive writable. No big deal.
I would guess doing that kind of thing given the design of Windows would require a major rewrite. Making any needed modifications to Linux would be pretty straightforward, if it has not already been done. Given the cost of malware, why hasn't it? Why are not all these critical systems moving quickly from Windows to Linux?
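A check of the layout the post proposes, as an added example that is not part of the original post: it parses mount data in `/proc/mounts` format and reports which of /usr, /bin, /lib and /var sit on a mount lacking `ro` or `noexec`. The sample mount table, the `POLICY` mapping and all function names are constructed for illustration, and paths are matched literally (symlinks such as a merged /bin are not resolved).

```python
# Constructed sample in /proc/mounts format:
# device, mount point, fstype, options, dump, pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /usr ext4 ro,nodev,relatime 0 0
/dev/sda2 /var ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""

# Assumed policy derived from the post: executables live on a
# read-only disk, and what remains in /var is not executable.
POLICY = {"/usr": {"ro"}, "/bin": {"ro"}, "/lib": {"ro"}, "/var": {"noexec"}}


def parse_mounts(text):
    """Return {mount point: set(options)}; later entries shadow earlier ones."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            # /proc/mounts escapes spaces in paths as \040
            mountpoint = fields[1].replace("\\040", " ")
            mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def covering_mount(path, mounts):
    """Longest mount point that is the path itself or one of its parents."""
    candidates = [m for m in mounts
                  if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(candidates, key=len) if candidates else None


def audit(text, policy=POLICY):
    """Return (path, mount point, missing options) for each policy violation."""
    mounts = parse_mounts(text)
    findings = []
    for path, required in sorted(policy.items()):
        mp = covering_mount(path, mounts)
        missing = required - (mounts[mp] if mp else set())
        if missing:
            findings.append((path, mp, sorted(missing)))
    return findings


if __name__ == "__main__":
    for path, mp, missing in audit(SAMPLE_MOUNTS):
        print(f"{path}: on mount {mp}, missing {','.join(missing)}")
```

In the sample, /usr passes, but /bin and /lib fall through to the writable root mount and /var lacks `noexec`. On a live system the same function can be given the contents of `/proc/mounts`.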

