Security is one of the most important features when choosing an operating system. As most Linux distributions run more or less the same code, they all tend to be affected by the same security issues. The differences, then, are in how quickly vendors produce updates for these problems, how well those updates are tested, and how easy it is to manage their deployment.
Security Update Schedules
Even before considering deploying a server, it's important to know how long security updates for the OS and applications will continue to be released. Some distributions, for example Fedora, only produce updates for 13 months after initial release. Others - Gentoo being the most obvious example - offer no security updates at all, and merely expect users to upgrade to the latest version. This is unacceptable for a server, where it's important to have a consistent environment. All the distributions compared here provide back-ported security fixes for the package versions they ship - meaning there's no need to worry about an update breaking your application.
| Distribution | Updates policy | Current version supported until |
|---|---|---|
| Red Hat Enterprise | Updates produced for 7 years after initial release | 31 March 2014 |
| CentOS | Re-releases RHEL packages | 31 March 2014 |
| Ubuntu | 5 years for long-term support (LTS) versions, 18 months for 'normal' releases | 30 April 2013 |
| Debian | Updates continue for one year after next stable version is released | January 2010 (estimated) |
| SuSE Enterprise | 5 years from release | 31 Jul 2011, 31 Jul 2013 for 'extended' support (at additional cost) |
On this simple metric, Red Hat Enterprise (and by extension CentOS) is the best supported distribution.
Management Consoles
One significant advantage Red Hat Enterprise and SLES have over the competition is their web-based security panels. These provide an administrator with an easy-to-use overview of all systems, combined with the status of any security updates that need to be applied. Deployment of patches can be scheduled from this interface, making it extremely easy to manage even large networks.
For those paying for commercial support for Ubuntu, a similar control panel is available in the form of 'Landscape'.
No such control panels are available for CentOS or Debian.
Additional Security Mechanisms
There are two commonly used additional security mechanisms in Linux - Security-Enhanced Linux (SELinux) and Novell AppArmor. Novell AppArmor has been criticised for its path-based security mechanism, which makes it easily circumventable. Of the two, SELinux offers greater control and higher security. Unfortunately, this comes at the price of ease of use, and in fact it's very common for servers to run with SELinux disabled because of this - a problem not faced by AppArmor. There's no doubt that when configured correctly SELinux can offer a much higher level of security than any standard Linux, but its low take-up makes these benefits something of a moot point.