I want to shift the discussion to the large number of opportunities for
hardening and detection that are fairly easy and that we can do right now.
Immutable systems are a great idea and provide ONE layer in good
security. However, there are no truly immutable systems. Yes, the root
file system in Aeon/Kalpa and Silverblue/Kinoite is mounted read-only,
but that can be easily circumvented. Also, I know some people will want
to argue with me on this point; I or other people will be happy to prove
you wrong. What else can we do? A common story is a program that
modifies something in /usr/bin, etc. We can easily prevent that with
SELinux. For the vast majority of users, there is NO reason for anything
other than RPM/Zypper/transactional-update/rpm-ostree/snapper to modify
anything in /usr/bin, etc. You can easily extend that to flatpak for
/var/lib/flatpak. If you need to allow another program to modify
something in one of the common bin/lib directories, then you can add an
exception. Yes, even SELinux can be circumvented and have
undisclosed/discovered vulnerabilities. However, using SELinux to
confine the number of applications that can modify bin/lib files greatly
reduces the cross-section, vigilance, and effort required. It would also
add one more critical layer to our security model.
Another thing that really bothers me is the huge number of applications
that have access to the entire filesystem AND the network. As an
industry we need to stop writing programs like that, but that is a
different (lengthy) argument. We can mitigate this for a good number of
applications via SELinux and Flatpak. For example, does Kate really need
access to the network and my SSH and GPG keys? NO! Again, with some
judicious use of tools we already have, we can reduce the cross-section
for Aeon/Kalpa/Tumbleweed.
These are just two of the things I have been thinking about and trying
with my own systems. I am not a sysadmin. I am a programmer. However, I
would be happy to help these ideas be implemented. I would like your
thoughts and ideas for easy, big-impact ideas.
--
Tony Walker
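The Kate case from the mail above, worked through as an added example (not part of the original post or of any openSUSE/KDE project code): a per-app Flatpak override that revokes network access, the SSH/GPG key directories and the agent sockets. It assumes the Flathub id org.kde.kate and that the override file uses the same `[Context]` key/value format that `flatpak override` itself writes; the target directory is a parameter so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original mail. Equivalent to:
#   flatpak override --user --unshare=network --nosocket=ssh-auth \
#     --nosocket=gpg-agent --nofilesystem=~/.ssh --nofilesystem=~/.gnupg \
#     org.kde.kate
# but written as the override file directly (assumed [Context] format), so the
# result can be reviewed, diffed and audited. Denying the key files alone is
# not enough: a forwarded ssh-agent/gpg-agent socket would still let the app
# use the keys, so the agent sockets are revoked as well.

OVERRIDE_DIR="${OVERRIDE_DIR:-$HOME/.local/share/flatpak/overrides}"

# write_override DIR APP_ID: create DIR/APP_ID with a restrictive [Context].
# A leading '!' revokes a permission the app's own manifest may grant.
write_override() {
    dir="$1"; app="$2"
    mkdir -p "$dir"
    cat > "$dir/$app" <<EOF
[Context]
shared=!network;
sockets=!ssh-auth;!gpg-agent;
filesystems=!~/.ssh;!~/.gnupg;
EOF
}

# has_denial FILE KEY VALUE: true if the KEY= line in FILE negates VALUE.
has_denial() {
    grep -q "^$2=.*!$3" "$1"
}

# check_override DIR APP_ID: succeed only if every expected denial is present;
# prints each missing one, so it doubles as a quick audit of an existing file.
check_override() {
    f="$1/$2"
    [ -f "$f" ] || { echo "$2: no override file"; return 1; }
    rc=0
    for pair in shared:network sockets:ssh-auth sockets:gpg-agent \
                'filesystems:~/\.ssh' 'filesystems:~/\.gnupg'; do
        key="${pair%%:*}"; val="${pair#*:}"
        has_denial "$f" "$key" "$val" || { echo "$f: $key does not deny $val"; rc=1; }
    done
    return $rc
}

# Usage: write_override "$OVERRIDE_DIR" org.kde.kate && check_override "$OVERRIDE_DIR" org.kde.kate
```

Whether a negated subpath really hides a directory that a broader grant (such as `host`) exposes depends on the installed Flatpak version, so confirm from inside the sandbox: `flatpak run --command=ls org.kde.kate ~/.ssh` should fail after the override is applied.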