HiHO,
regarding the GUI tools, I am not aware of a single standard OS security component within linux that operates only via GUI, on the contrary all occurs on the command line! the gui that you possibly see are only a frontend application to the actual command line tools. some propriatary or exceptional third party software might work only via gui such as checkpoint.
once more sudos main task is to authenticate and authorize, what this means is with authentication you need to give credentials and there are many different types of credential authorization within sudo, RSA, OTP etc. the distros often only use the users own pass. this is done to simplify distro installation, usage and distribution but any good linux user would harden his system by adding restrictions to all the different security components within linux for example configure sshd not to accept root account and for example to drop connections when bruteforce login occurs.
when it comes to authoriztion, you can fine grain and define what commands users can execute but if you really want to hardened it up, you would even jail the user. jail is not a single solution nor the only solution to note and impliment, its one of the tools that is recommended to use, its main purpose is to be used by deamons but some people even jail the whole operating system so go figure!!
personally in day to day work i brake out of restrictions when possible, how?
sudo -u root su -
what that does is that as root sudo executes su with the - paramenter. the benefit of that is that i can bypass poorly configured sudo and with su go straight into root account. the su - parameter loads the root environment variables so i dont have to manually add them. this way i own the system.
Linux is not perfect but sure beats windows in many things, i would use unix/linux as a desktop if it wasnt for compatibility issues with some applications and the fact that i do not have the time to wait the extra 10sec for a compatibility work arround to work. one of the down sides with linux is the basic ACL. there is an extention where you can fine grain and give a single defined user access to a file or folder, but then again not all Filesystems support that.
regarding X, X has always been a burden. but to the likes of several other applications, they all are being revamped to be more compliant.
on linux you can achieve most/all of the hardening required but that requires manual tuning, setup and awareness for debuging when troubleshooting update compatibility issues. usually once you have hardened a box properly, you seldomly go on about updating it too often, maybe 2-3x a year. with linux you can reach a far higher level of security in comparison to any microsoft windows OS. the only competition comes form bsd and commercial UNIX systems. but even the commercial unix systems are hampered with legacy limitations and this is one of the facts why linux is considered to be cutting edge in comparison to others. for example in hpux environment, they intentionally use an older version of korn shell code where all the bugs and work arrounds are known for security and support reasons. even thou newer versions are available, the older one has prooven itself in many perspectives when it comes to that. then again hpux, doesnt have any disk encryption features without addon requirements (actually in the latest hpux release disk encryption has been included in the OS).
linux is not perfect but it is very good. the last couple of weeks i have been furstrated by the fact that simple basic issues that you excpect to work are not working because of the current kernel design. the issue that im facing is workable but you need to know how to walk blindly because the kernel itself is not "aware" of the ongoing changes, that is why in my case a reboot is required so that the kernel does its thing properly.
so im waiting for the day that the kernel become more selfaware and would then become enterprise level reliable and would start to beat other unix systems.
hussam wroteI haven't tried Vista (haven't used a windows machine since 2004) but Microsoft doesn't really care about security,
Giving people the power to perform administrative tasks using their own passwords has many security implications. Linux is a multi user operating system. If you don't have the root password, it means you're not supposed to run administrative tools. It means only the person with the root password should.
There are also other basic security faults in modern Linux usage such as considering it normal for a system administrator to run X11 applications. That's why all administrative tools should be command line only.
Another thing home Linux users ignore is the need to use block device encryption like LUKS. If someone gains physical access to your machine, he can steal the hard disk, put it in his machine and chroot into it. Luks encryption will sort of help prevent that.