Comparative Security Matrix

Below we tried to quantify relative level of security based on the criteria discussed above. Of course this methods has its limitations (we assume equal weight of each component of the metric and the scoring is subjective). Still I think that total scores provide some useful insights into the integral security of the OSes involved. Here are total scores for each OS. The total cores are as following:

Red Hat	Suse	Solaris on Sparc	Solaris on Opteron	AIX	HP-UX	Windows
148	137	176	163	159	150	129 (+12)

Notes:

While Red Hat has a better score (after all this is the dominant Linux distribution with probably 2/3 share of the Linux market), Novell is the only company that has existing rights for using Unix products, so that they can indemnify their customers against SCO and other related lawsuits; that may be a major consideration).

Windows Server 2003 would have total score 141 if we compensate for two n/a entries.

Below we will reproduce the whole matrix:

Name	Red Hat ES	SuSE	Solaris on Ultra Sparc	Sola-ris on Opte-ron	AIX	HP-UX on PA RISK	Win-dows Server 2003	Notes
Accounts and passwords security	8	8	8	8	8	7	8	Linux provides reasonable level of account security but it does not support RBAC. Some features of RBAC can be emulated via sudo that is preinstalled in both Red Hat and Suse distributions.
Root security	7	7	6	6	6	6	n/a	In Linux root by default has in own directory /root that improves the security of this account.
Filesystem security	8	8	9	9	9	8	7	Linux provides an extensive set of filesystems mounting attributes and can mount filesystem as read-only and NOSUID. Still virtualization capabilities are very rudimentary and here Linux is far behind leading commercial Unixes (AIX and Solaris). Linux has only basic filesystem virtualization mechanisms (chroot)
File Permissions	8	7	9	9	9	8	8	Some Linux filesystems like Ext3 support ACLs but quality of support of ACLs in commercial Unixes is higher. Ext3 supports BSD-style extended attributes.
Integrity checking	8	7	8	8	6	6	7	Linux approximately equal Solaris in integrity checking capabilities and Red Hat ships with Tripwire as an installation option. Still in Linux there is no MD5 database like in Solaris although some features of it can be emulated using RPM database.
Shell and scripting security	7	7	8	8	8	8	8	Neither operating system have advantages in this area but Linux has some additional vulnerabilities due to a large number of shells and scripting languages installed by default.
SSH support	8	8	8	8	6	6	5	Like in Solaris in Linux ssh is supported out of the box (is an installation option)
PAM support	9	9	8	8	6	6	5	Linux looks quite competitive with Solaris and has wider selection of PAMs then Solaris. Both of them definitely surpass AIX and HP-UX.
X11 security	4	4	6	6	6	6	n/a	The problems with X security on Linux are mainly due to lesser security of its desktop managers Gnome and KDE (especially Gnome).
TCP wrapper support	8	8	8	8	6	6	1	Linux has TCP wrapper functionality ion xnetd daemon
NFS	6	6	9	9	8	8	5	Linux NFS support is rudimentary and is not that stable. Solaris has a much better implementation.
Built-in firewall	8	8	8	8	6	6	8	Linux has a built-in firewall that is enabled by default
Quotas enforcement and accounting data collection	6	6	8	8	8	8	8	Commercial Unixes are still superior in this area.
Logging	6	6	8	8	7	7	7	All Unixes are approximately equal in this area, but Linux has better log postprocessing tools. Solaris has much better kernel based logging mechanisms that help in the debugging.
Patching process quality	6	6	9	9	8	8	8	Patching in Linux involves updating the whole packages. Patching process in both Red Hat and Suse is weaker then Solaris patching process and patching support requires maintenance contract.
The number of Exploits and Hacking Attacks Statistics	4	4	8	7	8	8	4	As for number exploits Linux is less secure then commercial Unixes; it can be rated as equal in insecurity to Windows.
Process security	6	6	9	9	10	6	8	Solaris 10 has zones, AIX 5.3 partitions available by default.
Kernel security	4	4	9	8	9	7	6	Security of the kernel in Linux is hampered by the number of contributors and complexity of the built process. Security-wise Linux kernel does not have capabilities of Solaris or AIX kernels.
Network security	4	4	8	8	7	7	4	Linux network security is bad due to the number of installed network applications.
Package management	8	7	6	6	4	4	6	RPM is an impressive package manager created by Red Hat and Red Hat RPM based packages dominate among all applications in Linux space.
Education and Security Certifications	9	7	8	7	7	6	10	The number of books devote to Red Hat security is considerable and by an order of magnitude surpass the number of Solaris books. Red Hat offers four security-related training courses (approximately the same as Sun for Solaris). We judge that in this area Linux surpasses all other Unixes and trails only Windows.
Hardware Related Security Issues	6	6	8	7	8	8	6	32 bit Intel hardware is the most hacked hardware in existence and is widely available to hackers of any country on the globe. By just switching to 64-bit hardware we can somewhat decrease hardware-related security risks.

Legend:

10.0 (Perfect):
This exceedingly rare score is reserved for a feature that is as perfect as it could be. A feature that receives this rating is almost impossible to improve in a meaningful way.
9.0 to 9.9 (Excellent):
A feature that receives a rating in this range scores high on all of its rating criteria. It succeeds at meeting all of its intended users' needs and has no meaningful drawbacks. It would be difficult, though not impossible, to improve upon a feature that scores in this range.
8.0 to 8.9 (Very good):
A feature that receives a rating in this range is superior in so many ways that its relatively few drawbacks are not very important.
7.0 to 7.9 (Good):
While the strengths of a feature scoring in this range certainly outweigh its weaknesses, it has some faults that users should be aware of.
6.0 to 6.9 (Fair):
This range represents a feature that is average for its market. Its strengths and weaknesses balance each other out, making it adequate for most uses but far from a standout.
5.0 to 5.9 (Mediocre):
A feature that scores in this range is merely average in the negative sense--in other words, mediocre. These features tend to have enough weaknesses to dampen their strengths. A much better implementations of this feature probably exists in its category, so you should consider others first.
4.0 to 4.9 (Poor):
Features that just don't work well tend to fall into this range. While they may have some positive qualities, the overall package simply lacks the cohesive quality
3.0 to 3.9 (Very poor):
It has few positive qualities, if any, and its weaknesses outweigh them.
2.0 to 2.9 (Terrible):
A feature that receives a rating in this range scores low on all of its rating criteria. It does not satisfy any of its intended users' needs and has no meaningful strengths. It would be difficult, though not impossible, to find a worse feature in its category.
1.0 to 1.9 (Abysmal):
A feature in this range would have virtually no effective or fully functional features. The rare feature that falls into this bottom-of-the-barrel range has no redeeming qualities at all.

Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Disclaimer:

The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with.
We do not warrant the correctness of the information provided or its fitness for any purpose
In no way this site is associated with or endorse cybersquatters using the term "softpanorama" with other main or country domains (e.g. softpanorama.com) with bad faith intent to profit from the goodwill belonging to someone else.

Created May 1, 2004; Last modified: February 18, 2009