Clear Linux* OS aims to make systemic and layered security-conscious decisions that are both performant and practical. This security philosophy is rooted within the project’s codebase and operating culture.
The Clear Linux OS team believes in the benefits of software security through open sourcing, incremental updates, and rapidly resolving known security advisories.
The latest Linux* codebase¶
Clear Linux OS uses the newest version of the Linux kernel which allows the operating system to leverage the latest features from the upstream Linux kernel, including security fixes.
Automated effective updating¶
Clear Linux OS is incrementally updated multiple times per day.
This rolling release model allows Clear Linux OS to consume the latest security fixes of software packages as soon as they become available. There is no waiting for major or minor releases on Clear Linux OS.
An update is not effective if it is just simply downloaded onto a system. It needs to be obtained AND ensured that the new patched copy is being used; not an older copy loaded into memory. Clear Linux OS will let you know when a service needs to be rebooted or do it for your automatically after a software update, if desired.
In Clear Linux OS updates are delivered automatically, efficiently, and effectively. For more information about software updates in Clear Linux OS, refer to the swupd guide.
Automated CVE scanning and remediation¶
The sheer number of software packages and security vulnerabilities is growing exponentially. Repositories of Common Vulnerabilities and Exposures (CVEs) and their fixes, if known, are published by NIST in a National Vulnerability Database https://nvd.nist.gov/ and at https://cve.mitre.org/ .
Clear Linux OS employs a proactive and measured approach to addressing known and fixable CVEs. Packages are automatically scanned against CVEs daily, and security patches are deployed as soon as they are available.
These combined practices minimize the amount of time Clear Linux OS systems are exposed to unnecessary security risk.
Minimized attack surface¶
Clear Linux OS removes legacy, unneeded, or redundant standards and components as much as possible to enable the use of best known security standards. Below are some examples:
- RC4, SSLv3, 3DES, and SHA-1 ciphers which have had known vulnerabilities, have been explicitly disabled within many Clear Linux OS packages to avoid their accidental usage.
- Services and subsystems which expose sensitive system information have been removed such as the finger and tcpwrappers.
- SFTP has been disabled by default due to security considerations.
Clear Linux OS encourages the use of secure practices such as encryption and digital signature verification throughout the system and discourages blind trust. Below are some examples:
- All update operations from swupd are transparently encrypted and checked against the Clear Linux OS maintainers’ public key for authenticity. More information about swupd security can be found in the Security for software update in Clear Linux* OS blog post.
- Before being built, packages available from Clear Linux OS verify checksums and signatures provided by third party project codebases and maintainers.
- Clear Linux OS features a unified certificate store, clrtrust which comes ready to work with well-known Certificate Authorities out of the box. clrtrust also offers an easy to use command line interface for managing system-wide chains of trust, instead of ignoring foreign certificates.
Compiled with secure options¶
While Clear Linux OS packages are optimized for performance on Intel® architecture, security conscious kernel and compiler options are sensibly taken advantage of. Below are some examples:
- Kernels shipped with Clear Linux OS are signed and disallow the usage of custom kernel modules to maintain verifiable system integrity.
- Address space layout randomization (ASLR) and Kernel address space layout randomization (KASLR) are kernel features which defend against certain memory based attacks. More information about PIE executables can be found in the Recent GNU* C library improvements blog post.
Simple, yet effective, techniques are used throughout the Clear Linux OS system design to defend against common attack vectors and enable good security hygiene. Below are some examples:
- Full disk encryption using LUKS is available during installation. Refer to cryptsetup for additional information about LUKS.
- Clear Linux OS uses the PAM cracklib module to harden user login and password
security resulting in:
- No default username or root password set out of the box with Clear Linux OS, you will be asked to set your own password immediately.
- Simple password schemes, which are known to be easily compromised, cannot be set in Clear Linux OS.
- A password blacklist, to avoid system passwords being set to passwords which have been compromised in the past.
- Tallow, a lightweight service which monitors and blocks suspicious SSH login patterns, is installed with the openssh-server bundle.