As security issues continue to rise, new strategies for security are
imperative. This is especially true for servers and networked computers,
because a compromise can mean downed servers and non-functioning
workstations. SELinux (Security Enhanced Linux) was developed by the
US National Security Agency to address the increased need for security
on servers and for confining the daemons that run on them. SELinux
integrates its security architecture into the kernel using the Linux
Security Modules (LSM) framework.
When a multi-user system exists, the environment must determine the
exact rights of each account on the system. In addition, the environment
must protect the integrity of the system. This process is called access
control. The basic Linux system uses discretionary access control, or
DAC. In this system each file, directory, program, etc. is labeled to
indicate which users and groups have specific read/write/execute rights
to that object. This method has worked well for a long time. User
discretion is the basic aspect of this control mechanism. In a
discretionary mechanism programs run with the rights of the user that is
operating the program, which protects the rest of the system from that
user's programs. However, some programs run setuid root, giving root
rights to every user who runs the program. There are obvious dangers if
such a program has a flaw in its code, or if an attacker targets the
whole system after gaining root rights through one of these programs. For
example, if an attacker gained root rights through BIND, they may gain
root access to the entire system.
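The setuid-root binaries the paragraph warns about are easy to enumerate, and a hardening review normally starts by checking that only the expected ones exist. The following shell script is an added example (not part of the original post); it walks a directory tree, reports every file that carries the setuid or setgid bit with its mode and owner, and counts the setuid-root ones. The directory argument is the only input and is assumed to be readable by the caller.

```shell
#!/bin/sh
# Added example, not from the original post: under DAC a setuid/setgid file
# runs with its owner's rights (root, for setuid-root binaries) instead of
# the rights of the user who invoked it, so each one is worth knowing about.

# list_setuid DIR
# Prints "MODE OWNER GROUP PATH" for each setuid or setgid regular file under DIR.
list_setuid() {
    dir="${1:-/}"
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set (POSIX find)
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        # ls -l is portable; fields 1, 3 and 4 are mode, owner and group.
        # A mode starting with "-rws" is a setuid file, "-rwxr-s" a setgid one.
        set -- $(ls -ld "$path")
        printf '%s %s %s %s\n' "$1" "$3" "$4" "$path"
    done
}

# count_setuid_root DIR
# Prints the number of setuid files owned by root under DIR; a hardening
# review tries to drive this toward the minimum the system actually needs.
count_setuid_root() {
    find "${1:-/}" -type f -perm -4000 -user root 2>/dev/null | wc -l | tr -d ' '
}

# Usage on a real host (constructed invocation):
#   list_setuid /usr/bin
#   count_setuid_root /usr
```

Run it against `/usr/bin` and `/usr/sbin` and compare the list with what the distribution ships; any setuid-root file that is not a known utility, or a known utility with a setuid bit that newer packages no longer set, is the kind of program the text describes.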
In order to deal with the problems of discretionary access control,
an alternative was developed called mandatory access control, or MAC.
With this method users no longer control access; instead, access is
controlled by security policies. Security policies define the rights of
specific users and programs within the system. MAC bases the security
for objects not only on user rights but also on any other information
which may impact security on the system as a whole. MAC lives by the
principle of least privilege, which allows programs only the very minimum
needed to function. The result of this type of system is that, since a
root superuser is not used, a compromise does not provide access to the
whole system. The drawback of such systems is that they are difficult to
manage, and historically their main application has been military
systems.
The third type of system that is available is the MAC/DAC
combination. This option provides some of the features of each. One
modified version of MAC exists in AppArmor, which is used by Ubuntu and
SUSE. AppArmor supplements discretionary access control with MAC
options.
AppArmor attempts to protect processes on the server or desktop from
security threats. AppArmor enforces limits on what processes can access
on the system. It attempts to restrict each process to only those
resources that the process requires to function. AppArmor not only
defines the system resources a program can access, it also determines
the privileges with which it can access those resources. To protect
applications you will need to set up a security profile for each
application that you want to protect.
When you have many software applications on a system you run the
risk of hosting software flaws that you are not aware of. These
software flaws provide avenues of access for attackers to compromise
your system. Exploits that an attacker uses to crack a system on the
same day the flaw is discovered are called zero-day exploits. AppArmor
provides protection against these kinds of attacks because a profile
limits what a program can do whether the vulnerability it contains is
known or unknown.
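What a per-application security profile looks like in practice is easier to see than to describe. The script below is an added example, not a profile from the original post or from the AppArmor project: it writes a minimal profile for a hypothetical daemon, `/usr/local/bin/exampled` (a placeholder name, as are its config, log and state paths), that grants only the files, socket types and capability the daemon needs and denies everything else, and then lists the real AppArmor commands used to load the profile and switch it between complain and enforce mode.

```shell
#!/bin/sh
# Added example, not from the original post. The daemon name and its paths
# are assumptions; the profile syntax (path rules, network rules,
# capability and deny rules) is standard AppArmor.

# write_profile OUTFILE BINARY
# Emits a least-privilege profile confining BINARY to its config (read-only),
# its own log and state directories, and TCP sockets. Anything not listed
# is implicitly denied; the explicit deny rules exist so that attempts are
# logged even if a later #include would otherwise grant them.
write_profile() {
    out="$1"; bin="$2"
    cat > "$out" <<EOF
#include <tunables/global>

$bin {
  #include <abstractions/base>

  # Only the privileges the daemon needs to function.
  capability net_bind_service,
  network inet stream,
  network inet6 stream,

  /etc/exampled/** r,
  /var/log/exampled/*.log w,
  /var/lib/exampled/ r,
  /var/lib/exampled/** rw,

  # Deny rules take precedence over allow rules and are logged.
  deny /etc/shadow r,
  deny /home/** rw,
  deny /proc/*/mem rw,
}
EOF
}

# Usage on an AppArmor host (the profile is ours; the commands are real):
#   write_profile /etc/apparmor.d/usr.local.bin.exampled /usr/local/bin/exampled
#   apparmor_parser -r /etc/apparmor.d/usr.local.bin.exampled  # load or reload
#   aa-complain /usr/local/bin/exampled   # log violations without blocking
#   aa-enforce  /usr/local/bin/exampled   # block and log violations
#   aa-status                             # confirm the profile and its mode
```

The usual workflow is to run the daemon in complain mode first, read the violations it logs while exercising its normal functions, and only then switch to enforce mode; a profile that is too tight simply breaks the application, while one that is too loose gives an exploited process more than it needs.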
The choice for CentOS is SELinux, Security Enhanced Linux. SELinux is an
open source project sponsored by the National Security Agency. Its focus
is implementing mandatory access control. SELinux provides security at
the kernel level, which gives a security system at a fundamental level
that is much less affected by the security settings of individual
programs. In effect, SELinux isolates each program from the system: the
program still functions with the system but is, in a security sense,
independent of it. In other words, if a program is compromised it does
not offer more access to the system; rather, it offers less. An added
benefit of this isolation is that it protects data from being shared
incorrectly, by removing the discretion of the user. The image below
illustrates this concept. Daemons and their support programs are placed
in domains or jails. These jails prevent access to other parts of the
operating system. DNS (bind) is separated from the rights of Apache, so
that if one is compromised the entire system is not.
SELinux uses two components: the security policy within the kernel
and a user-space component for dealing with role changes, policy
development, etc. These two components work with two security
mechanisms. The first is type enforcement, which forces processes (the
running programs) to be isolated from one another, so that one
program cannot access the domain of another. In the example, DNS and
Apache are in separate domains. They work together to provide a server
interface for users, but neither domain is allowed access to the
other. This isolation provides integrity of the system. The other
mechanism is role-based access control. Under this system rights to
objects are not determined by rules for that object but rather by
roles, which determine which domains can be used. There are two
typical roles:
user_r
sysadm_r
These roles are assigned to objects and users are assigned to roles.
This information is kept in a security context for each object.
SELinux has become more important in CentOS 5, as it now manages 88
domains versus 14 domains in CentOS 4.
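The security context the text mentions is a colon-separated string of the form user:role:type[:level], for instance system_u:system_r:httpd_t:s0, and the type field is the domain that type enforcement confines a process to. The script below is an added example, not from the original post: it pulls the fields out of a context, checks whether a process (from a `ps -Z` style line) is running in the domain it should be, and summarizes AVC denials from audit-log lines by source domain, target type and object class. The `ps -Z` lines and audit lines are constructed samples in the shape of real output; on a host you would feed it `ps -eZ` and /var/log/audit/audit.log instead.

```shell
#!/bin/sh
# Added example, not from the original post. Parses SELinux security
# contexts and AVC denial records; all sample data below is constructed.

# context_field CONTEXT user|role|type|level
# Prints the requested part of a user:role:type[:level] context.
context_field() {
    ctx="$1"
    case "$2" in
        user)  printf '%s\n' "$ctx" | cut -d: -f1 ;;
        role)  printf '%s\n' "$ctx" | cut -d: -f2 ;;
        type)  printf '%s\n' "$ctx" | cut -d: -f3 ;;
        level) printf '%s\n' "$ctx" | cut -d: -f4- ;;   # MLS range may contain ':'
        *)     return 1 ;;
    esac
}

# in_domain PS_Z_LINE EXPECTED_TYPE
# Returns 0 when the process on the line (context in the first column, as
# `ps -eZ` prints it) runs in EXPECTED_TYPE. A daemon found in unconfined_t
# instead of its own domain is not being confined by type enforcement.
in_domain() {
    ctx=$(printf '%s\n' "$1" | awk '{print $1}')
    [ "$(context_field "$ctx" type)" = "$2" ]
}

# avc_summary AUDITLOG
# Prints "COUNT SOURCE_TYPE -> TARGET_TYPE CLASS", most frequent first, for
# the denials in the log. This is what to read when a service misbehaves
# under SELinux; it tells you which domain was blocked from which object.
avc_summary() {
    grep 'avc:  denied' "$1" |
    sed -n 's/.*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\1 \2 \3/p' |
    while read -r s t c; do
        printf '%s -> %s %s\n' "$(context_field "$s" type)" "$(context_field "$t" type)" "$c"
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample lines in the shape of `ps -eZ` output (not real data).
SAMPLE_PS='system_u:system_r:httpd_t:s0    1234 ?  00:00:01 httpd'
SAMPLE_PS_BAD='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 ? 00:00:00 named'

# make_sample_audit FILE
# Writes three constructed AVC records: httpd_t twice denied reading files in
# a home directory, and once denied connecting to the MySQL port.
make_sample_audit() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1700000000.001:101): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.002:102): avc:  denied  { read } for  pid=1234 comm="httpd" name="logo.png" dev="dm-0" ino=43 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.003:103): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Usage (constructed data; on a host use `ps -eZ` and the real audit log):
#   in_domain "$SAMPLE_PS" httpd_t && echo "httpd confined"
#   make_sample_audit /tmp/audit.sample && avc_summary /tmp/audit.sample
```

On the sample data the summary shows httpd_t blocked twice from user_home_t files and once from mysqld_port_t, which is exactly the isolation the text describes: Apache's domain cannot reach a user's home directory or another service's port unless policy says so, and the fix is a correct file label or a policy boolean, not turning enforcement off.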