In a world so largely dependent on computer systems, inadequate security measures could lead to anything from having a single person’s financial information compromised to an electronic 9/11 against some of our country’s most secure federal computer networks. In the modern computer based society we live in, security is essential to protecting everything from personal desktops all the way up to the most secure federal databases. And many corporate and government level computers are based on the Linux kernel.
SELinux has 3 states it can be in if on a system: Enabled, Disabled, and Permissive. Enforcing means SELinux security policy is active, Disabled means SELinux security policy is not active, and Permissive is a diagnostic state commonly used for troubleshooting. To better understand what improvements Mandatory Access Control (MAC) can provide for security, one needs to know about the standard Linux security provision called Discretionary Access Control (DAC). DAC, though it is still a form of security, only provides minimal protection to a Linux file system.
With DAC, access to files merely requires needed permissions from the owner of the file to access (commonly referred to as file permissions), often requiring a password to open. A basic weakness of DAC is not being able to fundamentally differentiate between human users and computer programs. And with so many systems often having such large numbers of users, it only takes hackers accessing a single user’s account to have access to any and all of the files they have permissions for. If the compromised user account were to have super-user (root) access, the hacker could then gain access to an entire file system.
This became the basis for coming up with a more secure way of protecting wrongful access into standard Linux based systems. SELinux utilizing MAC, on the other hand, was created to address this very weakness that DAC has as the standard Linux security. The way MAC helps improve overall security of SELinux is by providing what is called granular permissions for every subject (user, program, process) and object (file, device). In other words, through MAC, you only grant any subject the specific object or objects required to perform a specific function, and no more.
Compared to DAC, security is more compartmentalized and has more layers of protection. Hence, SELinux provides a much more secure environment than the original Linux security features alone can. Another feature providing further security for a network is TCP Wrappers. TCP Wrappers work by controlling access through the utilization of IP addresses. In Linux, this is accomplished through 2 specific files that need to be created. The first file, hosts. deny, is a file listing names of hosts that are to be denied access to the network.
The second file, hosts. allow is a file listing the names of hosts that are allowed access to the same network. The absence of theses 2 files, would allow the entire Internet access to network services, severely lowering the security of a host. This lowers a system being compromised through a sort of “gate guard with an access list” policy. If your name appears on the list, you gain access; if it’s not, you don’t. Creating an artificial root directory is yet another way to provide security for Linux systems, and is commonly referred to as a chroot jail.
This prevents accessing or modifying, possibly maliciously, any file outside the directory hierarchy. The command required to create a chroot jail is /usr/sbin/chroot. Note, you must be working as root inside the Linux shell to do this. By creating a chroot jail, it prevents users from navigating up the hierarchy as high as possibly “/” (root). Even if the user did not have permissions required to edit higher directories, they may still be able to see files they don’t have any reason to have any access to.
Chroot can be useful for providing basic preventative security by making it more difficult to exploit information on a server. But, by limiting user access in this way, if a user account were ever hacked, it still provides yet another layer of security by limiting the amount of access each user account has to begin with. It is important to understand that you must run a program in chroot jail as a user other than root (/). This is because root can break out of jail, making the chroot jail not provide the security it is intended to against unwanted access.
Setting up iptables is another form of network security in Linux. They allow for setting up a firewall on the network. Iptables allow for network packet filtering rules. The use of iptables function allows rules to be set up that can reject inbound packets opening new connections and accept inbound packets that are responses to locally initiated connections. This basic feature therefore acts as a firewall to the system, preventing unwanted outside attempts to hack into a host network.
In conclusion, with the technological direction of our future apparent, security technologies will be a continuing issue that will never stop making further advances. After all, the financial, physical, and ideological future of our country, and people as a whole, cannot afford to do otherwise. As our children, and children’s children, begin to take the reins of this electronically motivated world, computer security technologies will continue to be an important issue as long as we continue as a society. References: * http://www. omnisecu. om/gnu-linux/redhat-certified-engineer-rhce/what-is-security-enhanced-linux-selinux. htm * http://fedoraproject. org/wiki/SELinux_FAQ * http://www. nsa. gov/research/_files/selinux/papers/x/img3. shtml * http://docs. redhat. com/docs/en-US/Red_Hat_Enterprise_Linux/4/html/SELinux_Guide/selg-preface-0011. html * http://docs. fedoraproject. org/en-US/Fedora/13/html/SELinux_FAQ/ * http://www. bu. edu/tech/security/firewalls/host/tcpwrappers_macosx/ * http://www. serverschool. com/dedicated-servers/what-is-a-chroot-jail/ * http://en. wikipedia. org/wiki/Chroot