
I'm glad that this called out systemd in the very first section, because it told me that the rest of it probably wasn't going to actually talk about anything actually meaningful for security.

Edit: Oh god I hadn't even gotten to the end of that same section where it recommends Gentoo???? This article is written for people who read Cryptonomicon and took it a little too seriously.



Don't see anything wrong with Gentoo in their context.

Author says in the disclaimer: "This guide is focused purely on security and privacy, not performance, usability, or anything else." He's not wrong. Gentoo makes it easier to have compile flags while building your system. Say you want to disable pulseaudio support completely? You can get rid of it completely from anything that might link to it by setting it globally as a flag you want to avoid.

Sure the guide doesn't follow a threat model, but there's still some good advice in there. If someone follows the guide as dogmatic gospel, as a list of rules to follow at all cost, that's on them. If one is responsible for securing down their stack, maybe they should know better than following everything down to the bone as if it's some gospel.


Would you honestly say systemd is the most secure init system when writing your own "Linux Hardening Guide"?

That's a big call to make in such a context.


Yeah probably. Its support for easily configuring daemons to run under dynamic users, with private tmp, lesser capabilities, read only root, etc etc makes it quite attractive.

Even more attractive if you're writing a blog post about hardening Linux against ill-specified threats. Writing a bunch of config files to "lock down" random daemons seems like it'd be right up this guy's alley.
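The directives the comment above names (dynamic users, private tmp, reduced capabilities, read-only root), shown as an added illustration that is not from the commenter or the guide under discussion; the daemon `exampled`, its binary path and its port are constructed placeholders:

```ini
# /etc/systemd/system/exampled.service  (before: root, full filesystem, all capabilities)
[Unit]
Description=exampled (unhardened; hypothetical daemon)

[Service]
ExecStart=/usr/bin/exampled --listen 8080

# /etc/systemd/system/exampled.service  (after: the same daemon, sandboxed by the unit)
[Unit]
Description=exampled (hardened; hypothetical daemon)

[Service]
ExecStart=/usr/bin/exampled --listen 8080
# Transient unprivileged UID/GID allocated at start; no account to create or leak.
DynamicUser=yes
# Persistent state and runtime directories created and owned by that dynamic user.
StateDirectory=exampled
RuntimeDirectory=exampled
# Private /tmp and /var/tmp; other services' temp files are not visible.
PrivateTmp=yes
# Read-only root: everything but /dev, /proc and /sys is mounted read-only,
# and only the listed paths remain writable.
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/exampled
# Empty bounding set drops every capability; an unprivileged port needs none.
CapabilityBoundingSet=
NoNewPrivileges=yes
# Shrink the kernel and device surface reachable from the service.
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
# Only the socket families the daemon actually uses.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
SystemCallArchitectures=native
MemoryDenyWriteExecute=yes
LockPersonality=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

[Install]
WantedBy=multi-user.target
```

`systemd-analyze security exampled.service` scores the unit's exposure and lists which of these directives are still missing, which is a quick way to check a unit before and after such a change.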


Would you say Gentoo is the most secure distribution to use when writing yours?


No, I wouldn't. Qubes likely has the most security features out of the box without configuration for the average person trying to lock down their computer. BSD and Arch-flavours certainly have plenty going for them though and I wouldn't speak badly of their intent+outcomes.


systemd has a strong track record of finding and fixing security issues and getting the CVE published. This is important if you want to consider "secure software" and getting things resolved in a timely manner.

People focus on the attack surface, but most of it is local exploits where the threat model is "someone has shell on your box".


Are you saying that you can’t harden systemd and reduce its attack surface?


What's wrong with Gentoo, my guy?


Absolutely nothing at all, but it is not a 'more secure choice' than an LTS distribution of a mainline distro, and while this guide can't really decide if it's targeting local or server use cases, I can't imagine a worse existence than being responsible for a fleet of servers running Gentoo.


While I agree that Gentoo is probably not significantly more secure than most LTS distros,

> I can't imagine a worse existence than being responsible for a fleet of servers running Gentoo.

You lack imagination :) NetBSD, AIX, LFS, Arch Linux...


Systemd is evil. What alternatives are there which were designed with security and speed in mind? I would prefer something simple instead of a lot of features.


Inanimate things without preprogrammed social behaviours are neither good nor evil. There are lots of alternative inits and you can use all the same namespacing tricks yourself with unshare and ip. But you'll have to maintain them for each service yourself and that's A LOT of work.



