Computer security is necessity because of the many ways that your personal information. Millions of people each year are victims of hacked computers and accounts which lead to credit card theft and identity theft. This paper will explain a few of Unix/Linux’s security operations such as SELinux, Chroot, and IPtables.
Security-Enhanced Linux is a Linux feature that provides a mechanism for supporting access control security policies, including United States Department of Defense style mandatory access controls. These functions were run through the Linux Security Modules in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating system kernels, such as Linux and that of BSD. SELinux was developed by the United States National Security Agency, it was released to the open source development community under the GNU GPL on December 22, 2000. SELinux users and roles are not related to the actual system users and roles. For every current user or process, SELinux assigns a three string context consisting of a role, user name, and domain. This system is more flexible than normally required: as a rule, most of the real users share the same SELinux username, and all access control is managed through the third tag, the domain. Circumstance for when the user is allowed to get into a certain domain must be configured in the policies. The command runcon allows for the launching of a process into an explicitly specified context, but SELinux may deny the transition if it is not approved by the policy configuration. The security of an unmodified Linux system depends on the correctness of the kernel, all the privileged applications, and each of their configurations. A problem in any one of these areas may allow the compromise of the entire system. In contrast, the security of a modified system based on an SELinux kernel depends primarily on the correctness of the kernel and its security policy configuration. While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole. Some of the features of SELinux are that it has a clean separation of policy from enforcement, a very flexible policy, and support for policy changes. Another one of Linux’s operations is called Chroot. A chroot on Unix Operating systems is an operation that changes the apparent disk root directory for the current running process and its children. The chroot system call was introduced during development of Version 7 Unix in 1979, and also added to BSD by Bill Joy on March 18, 1982. A chroot environment can be used to create and host a separate virtualized copy of the software system. This can be useful for Testing and development, Dependency control, Compatibility, Recovery, and Privilege separation. For Testing and development a test environment can be set up in the chroot for software that would otherwise be too risky to deploy on a production system. For Dependency control software can be developed, built and tested in a chroot populated only with its expected dependencies. This can prevent some kinds of linkage skew that can result from developers building projects with different sets of program libraries installed. Compatibility offers legacy software or software using a different ABI must sometimes be run in a chroot because their supporting libraries or data files may otherwise clash in name or linkage with those of the host system. The chroot mechanism in itself also is not intended to restrict the use of resources like I/O, bandwidth, disk space or CPU time. Most Unixes are not completely file system-oriented and leave potentially disruptive functionality like networking and process control available through the system call interface to a chrooted program. The last Unix operation is called IPtables. IPtables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores. The original author of iptables was Rusty Russell. He worked with a team called Netfilter Core Team and was released in 1998. IPtables preserves the basic ideas introduced with ipfwadm, which was a list of rules each of which specified what to match within a packet, and what to do with such a packet. IPchains added the concept of chains of rules, and iptables extended this further into tables: one table was consulted when deciding whether to NAT a packet and another consulted when deciding how to filter a packet. In addition, the three filtering points in a packet's journey were altered such that any packet only passes through one filtering point. Each rule in a chain contains the specification of which packets it matches. It may also contain a target or verdict. As a packet traverses a chain, each rule in turn is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target/verdict, which may result in the packet being allowed to continue along the chain or it may not. Matches make up the large part of rulesets, as they contain the conditions packets are tested for

IT 302-Linuz System Administration
Research Assignment 1

Bibliography