Over a decade ago I naively asked, "What is the best way to secure my UNIX system?" I was not prepared for the answer, "Turn it off! Seal it in concrete and place it at the bottom of the ocean." This answered my question to an extreme that did not help at all. Unfortunately, advice from an eager expert may be accurate, but not useful to a system administrator who must help users to meet business needs while swimming in a pool of alligators.
Security and system hardening are processes that have no end. All software has bugs and vulnerabilities. The security administrator's task is to fix bugs and close out weaknesses as soon as possible after they have been discovered. A failure to do this will leave the network/server/etc. susceptible to intrusion or mischievous abuse.
Some administrators prefer to roll their own systems while others prefer to purchase a system that is maintained by a vendor.
All Linux systems can be made secure with enough effort. Gentoo does a great job at locking down parts of the Linux system. In some areas the enthusiasm to do this can impede expected system operation, for example the removal of the "nobody" account, which is needed for Samba operation.
Both Debian and Gentoo distributions are built by competent enthusiasts who have a high regard for security and who tend to believe that an administrator ought to have the knowledge to be able to patch and build the kernel as well as general applications.
Red Hat is a commercial vendor of Linux products. Many of their customers expect them to maintain the kernel and system tools. Red Hat have learned that business consumers are often more conservative (slower to update) than technical consumers. Many business consumers will not permit ad-hoc system updates just to apply a security patch. Red Hat have adjusted well to such demands.
As is clearly demonstrated in a new book I co-authored -- "Hardening Linux" (Publisher: McGraw Hill, ISBN:0072254971) -- there is more to hardening a Linux system than building a heavily-patched kernel. The responsibilities described in this book demonstrate that many issues at the heart of Linux security go well beyond what can be offered or achieved purely in the Linux distribution. After all, the most secure server that has been installed without paying attention to the overall installation and configuration of network services, of file system permissions, etc., will yet be vulnerable.
Be careful in comparing Linux distributions as such. Take into account the whole network. Then consider the source of your Linux system (which distribution) and ask yourself, "Which source imposes least on my time and effort?" The paranoia of Gentoo may not suit everyone. The commercial focus of Red Hat does not appeal to everyone either.
This was first published in July 2004