The more I learn about network security, the more trying to secure a Linux server feels like trying to make my house seaworthy; I'd be better off buying something that was built for seaworthiness from the start, like a boat. Security, like seaworthiness, is not a feature that is well suited to being added onto a structure after the fact.
It's not just Linux, of course. With hundreds of thousands of lines of private code in multiple languages, hundreds more libraries bringing in millions of lines of open-source code, plus thousands of lines of configuration for machines and services both real and virtual, some ours and some belonging to others (e.g. our ISP and various third-party SaaS providers), I need to be patching every day just to keep up with the known vulnerabilities, to say nothing of the unknown ones. Turns out I took my houseboat out to sea; it sprang a thousand leaks, and as soon as I patch the first thousand there will be another thousand to take their place.
I’m starting to understand what OpenBSD is about.