Clear Linux* OS aims to make systemic and layered security-conscious decisions that are both performant and practical. This security philosophy is rooted within the project’s codebase and operating culture.
The Clear Linux OS team believes in the benefits of software security through open sourcing, incremental updates, and rapidly resolving known security advisories.
The latest Linux codebase
Clear Linux OS uses the newest version of the Linux kernel, which allows the operating system to leverage the latest features from the upstream Linux kernel, including security fixes.
Automated Effective Updating
Clear Linux OS is incrementally updated multiple times per day.
This rolling release model allows Clear Linux OS to consume the latest security fixes of software packages as soon as they become available. There is no waiting for major or minor releases on Clear Linux OS.
An update is not effective if it is simply downloaded onto a system. The update must be obtained, and the system must ensure that the new, patched copy is being used rather than an older copy still loaded in memory. Clear Linux OS will let you know when a service needs to be restarted, or do it for you automatically after a software update, if desired.
In Clear Linux OS, updates are delivered automatically, efficiently, and effectively. For more information, see the documentation about Software Updates in Clear Linux OS.
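The point about older copies staying loaded in memory can be checked directly on any Linux system. The following is an added example, not part of the Clear Linux OS tooling: it reads /proc/<pid>/maps and reports processes that still map code from a file that has since been unlinked or renamed over on disk. The sample maps text, paths, and function names are constructed for illustration.

```python
import os
import re

# /proc/<pid>/maps line: range, perms, offset, dev, inode, path
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s+(?P<path>/.*)$")
DELETED = " (deleted)"

# Constructed sample: a daemon started before libcrypto was replaced on disk.
SAMPLE_MAPS = """\
55d0c0800000-55d0c08a0000 r-xp 00000000 08:02 1310801 /usr/bin/sshd
55d0c0a00000-55d0c0a21000 rw-p 00000000 00:00 0 [heap]
7f3c1a200000-7f3c1a4b1000 r-xp 00000000 08:02 1311045 /usr/lib64/libcrypto.so.3 (deleted)
7f3c1a4b1000-7f3c1a4e0000 r--p 002b1000 08:02 1311045 /usr/lib64/libcrypto.so.3 (deleted)
7f3c1a600000-7f3c1a610000 rwxp 00000000 00:01 2049 /memfd:jit (deleted)
7ffd5a1e0000-7ffd5a201000 rw-p 00000000 00:00 0 [stack]
"""


def stale_files(maps_text):
    """Files mapped as code whose on-disk copy was unlinked or renamed over."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or "x" not in m.group("perms"):
            continue  # anonymous, [heap]/[stack], or data-only mapping
        path = m.group("path")
        # memfd mappings always read as deleted; they are not stale libraries
        if path.endswith(DELETED) and not path.startswith("/memfd:"):
            stale.add(path[:-len(DELETED)])
    return sorted(stale)


def scan_proc(proc_root="/proc"):
    """Return {pid: (command, stale files)} for every readable process."""
    findings = {}
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_files(fh.read())
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited, or owned by another user
        if stale:
            findings[int(entry)] = (comm, stale)
    return findings


if __name__ == "__main__":
    print("sample:", stale_files(SAMPLE_MAPS))
    for pid, (comm, files) in sorted(scan_proc().items()):
        print(f"{pid} {comm}: restart needed, still maps {', '.join(files)}")
```

Run it as root to see every process; an unprivileged run only covers processes owned by the calling user.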
Automated CVE Scanning and Remediation
The sheer number of software packages and security vulnerabilities is growing exponentially. Repositories of Common Vulnerabilities and Exposures (CVEs) and their fixes, if known, are published by NIST in a National Vulnerability Database (https://nvd.nist.gov/) and at https://cve.mitre.org/.
Clear Linux OS employs a proactive and measured approach to addressing known and fixable CVEs. Packages are automatically scanned against CVEs daily, and security patches are deployed as soon as they are available.
These combined practices minimize the amount of time Clear Linux OS systems are exposed to unnecessary security risk.
Minimized attack surface
Clear Linux OS removes legacy, unneeded, or redundant standards and components as much as possible to enable the use of best known security standards. Below are some examples:
- RC4, SSLv3, 3DES, and SHA-1, which have had known vulnerabilities, have been explicitly disabled within many Clear Linux OS packages to avoid their accidental usage.
- Services and subsystems which expose sensitive system information, such as finger and tcpwrappers, have been removed.
- SFTP has been disabled by default due to security considerations. See the openssh-server reference page for more details.
Clear Linux OS encourages the use of secure practices such as encryption and digital signature verification throughout the system and discourages blind trust. Below are some examples:
- All update operations from swupd are transparently encrypted and checked against the Clear Linux OS maintainers’ public key for authenticity. More information can be found in the blog post about swupd security.
- Before being built, packages available from Clear Linux OS verify checksums and signatures provided by third party project codebases and maintainers.
- Clear Linux OS features a unified certificate store, clrtrust, which comes ready to work with well-known Certificate Authorities out of the box. clrtrust also offers an easy-to-use command line interface for managing system-wide chains of trust, instead of ignoring foreign certificates.
Compiled with secure options
While Clear Linux OS packages are optimized for performance on Intel® architecture, security-conscious kernel and compiler options are sensibly taken advantage of. Below are some examples:
- Kernels shipped with Clear Linux OS are signed and disallow the usage of custom kernel modules to maintain verifiable system integrity.
- Address space layout randomization (ASLR) and kernel address space layout randomization (KASLR) are kernel features which defend against certain memory-based attacks. More information can be found in a blog post about PIE executables.
- dm-verity is a kernel mechanism readily available in Clear Linux OS which verifies the integrity of the devices being written to, like hard disks, to help ensure they have not been tampered with.
Simple, yet effective, techniques are used throughout the Clear Linux OS system design to defend against common attack vectors and enable good security hygiene. Below are some examples:
- Full disk encryption using Linux Unified Key Setup (LUKS) is available during installation.
- Clear Linux OS uses the PAM cracklib module to harden user login and password security, resulting in:
  - No default username or root password set out of the box with Clear Linux OS; you will be asked to set your own password immediately.
  - Simple password schemes, which are known to be easily compromised, cannot be set in Clear Linux OS.
  - A password blacklist, to avoid system passwords being set to passwords which have been compromised in the past.
- Tallow, a lightweight service which monitors and blocks suspicious SSH login patterns, is installed with the openssh-server bundle.