This is easy: I love Linux. I’m the new Linux blogger for CSOonline, and I just want to get that out up front. I taught myself Linux while I was stationed in Germany with nobody around to teach me how to do it, and it took me 6 months of digging through the Linux Documentation Project files included with the Red Hat 4.2 CDs before I found out that “resolv.conf” only has one “e” in it.Technology and personal preference aside, though, there are some reasons why the security geek in me loves Linux, and these are the key ones:Flexibility and Modularity = Availability Linux is fun. I found that out when I lived in Eugene, OR, and we had a clinic every Thursday night to build and repair Linux installs. Part of that fun was the flexibility that you can have with typical Linux software. Everything is modular, so if you don’t like, say for instance, the command line interface or the desktop environment, or even the kernel version, you can swap it for another.That same flexibility lets you do “unnatural things” with the software and still walk away virtually unscathed. For example, software raid for your root partition means that you can take the hard drives out of one server, drop them into another, and recover data without having to worry about what raid controller you’re using. Open = Assessability of RiskIt’s been said probably a thousand times already, but with open source, I can assess the code or I can pay somebody to assess the code without a Non-Disclosure Agreement. I can’t do that with a closed-source system—I have to rely on how responsive the vendor is to vulnerability disclosure, development, testing, and patching.Licensing != availabilityLicensing is designed to keep you from doing some things with the software. These usually become a problem in an operational environment when you absolutely need to do more “unnatural things” to revive systems, like cross-connect servers to different LAN segments and have them serve as temporary firewall, web, and database servers.Simplicity = Easy to HardenIt’s a basic principle for security engineering: less to secure is easier to secure. If you don’t need it, don’t run it, and don’t install it. Unix = Reliable Security ModelIt’s all the security models you learned in school. Network-centric design? Check. Principle of Least privilege? Check. Role-based access control? Check. Access Control Lists? Check. Thirty years of improvement and refinement? Check. Yes, the Unix model has had some problems over the years, but it doesn’t do “dumb unnatural acts” for the most part like letting userland programs have direct kernel-level privilege (yes, yes, Vista fixes this with LUA). Related content opinion Modifying Embedded Linux Devices By Michael Smith Aug 13, 2007 2 mins Data and Information Security opinion USB Firewall--It Runs Linux! By Michael Smith Jul 30, 2007 2 mins Data and Information Security opinion Linux, the Government, and SE-Linux By Michael Smith Jun 30, 2007 3 mins Data and Information Security opinion Why I Hate Linux By Michael Smith Apr 10, 2007 3 mins Data and Information Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe