Why I love Linux

Opinion
Apr 02, 2007 | 3 mins
Data and Information Security, IT Leadership

This is easy: I love Linux. I’m the new Linux blogger for CSOonline, and I just want to get that out up front. 

I taught myself Linux while I was stationed in Germany with nobody around to teach me how to do it, and it took me 6 months of digging through the Linux Documentation Project files included with the Red Hat 4.2 CDs before I found out that “resolv.conf” only has one “e” in it.

Technology and personal preference aside, though, there are some reasons why the security geek in me loves Linux, and these are the key ones:

Flexibility and Modularity = Availability

Linux is fun. I found that out when I lived in Eugene, OR, and we had a clinic every Thursday night to build and repair Linux installs. Part of that fun was the flexibility that you can have with typical Linux software. Everything is modular, so if you don’t like, say, the command line interface, the desktop environment, or even the kernel version, you can swap it for another.

That same flexibility lets you do “unnatural things” with the software and still walk away virtually unscathed. For example, software RAID for your root partition means that you can take the hard drives out of one server, drop them into another, and recover data without having to worry about what RAID controller you’re using.

Open = Assessability of Risk

It’s been said probably a thousand times already, but with open source, I can assess the code or I can pay somebody to assess the code without a Non-Disclosure Agreement. I can’t do that with a closed-source system—I have to rely on how responsive the vendor is to vulnerability disclosure, development, testing, and patching.

Licensing != availability

Licensing is designed to keep you from doing some things with the software. Those restrictions usually become a problem in an operational environment when you absolutely need to do more “unnatural things” to revive systems, like cross-connecting servers to different LAN segments and having them serve as temporary firewall, web, and database servers.

Simplicity = Easy to Harden

It’s a basic principle for security engineering: less to secure is easier to secure. If you don’t need it, don’t run it, and don’t install it.

Unix = Reliable Security Model

It’s all the security models you learned in school. Network-centric design? Check. Principle of least privilege? Check. Role-based access control? Check. Access control lists? Check. Thirty years of improvement and refinement? Check. Yes, the Unix model has had some problems over the years, but for the most part it doesn’t do “dumb unnatural acts” like letting userland programs have direct kernel-level privilege (yes, yes, Vista fixes this with LUA).

michael_smith

Michael Smith is the Chief Information Security Officer with a managed services provider based in Reston, Virginia. His scope of responsibility includes both providing governance and managing risk for several data centers, Security Operations Center, Network Operations Center, Server Management Team, and several disaster recovery sites. Michael started his adult life as a Russian Linguist in the US Army and migrated from there to Linux system administration and on to the security world. He is a member of the ISM-Community Steering Committee and teaches government information assurance through the Non-Profit Potomac Forum. Michael is both a Certified Information System Security Professional (CISSP) and an Information System Security Engineering Professional (ISSEP). You can read Michael's non-Linux personal blog at www.guerilla-ciso.com.