Research Assignment 1

IT 302
Linux System Administration

January 21, 2013

The purpose of this paper is to secure UNIX/Linux operating systems from unscrupulous people. It shall be focused on SELinux, chroot jail, and iptables. Each of the three focus areas will be detailed, with specific interest in the following. What organization is behind it and reason entity is involved. How each technology changes the operating system to enforce security, and if the security measure can be easily bypassed. And finally, describe the types of threats each of the technologies is designed to eliminate. Since no two UNIX-based operating system builds are exactly alike, it is important to note that each build may have its own inherent security flaws.

SELinux was developed by The United States National Security Agency (NSA). The first version was made available to the open source development community under the GNU GPL on December 22, 2000. The software merged into the mainline Linux kernel 2.6.0-test3, released on 8 August 2003. Other significant contributors include Network Associates, Red Hat, Secure Computing Corporation, Tresys Technology, and Trusted Computer Solutions. Experimental ports of the FLASK/TE implementation have been made available via the TrustedBSD Project for the FreeBSD and Darwin operating systems. The reason NSA is involved in this project is because this organization is responsible for carrying out the research and advanced development of technologies needed to enable NSA to provide the solutions, products, and services to achieve Information Assurance for information infrastructures critical to U.S. National Security interests. Security-Enhanced Linux (SELinux) is an implementation of a mandatory access control mechanism in the Linux kernel, checking for allowed operations after standard discretionary access controls are checked. The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. When confined in this way, the ability of these user programs and system daemons to cause harm when compromised is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

The chroot jail was introduced during development of UNIX Version 7 in 1979, and added to BSD by Bill Joy on 18 March 1982. A chroot jail effectively changes the root directory to something else. For instance, if you set aside /tst/chroot as a new root directory for a server, all file references made by the server will be relative to /tst/chroot rather than the true root directory. Thus, even if a server is compromised and the attacker uses it to modify /etc/passwd, the modification will actually affect /tst/chroot/etc/passwd, which is not nearly as serious a matter as a change to the real /etc/passwd. The chroot mechanism is not intended to defend against intentional tampering by privileged (root) users. On most systems, chroot contexts do not stack properly and chrooted programs with sufficient privileges may perform a second chroot to break out. To mitigate the risk of this security weakness, chrooted programs should relinquish root privileges as soon as practical after chrooting, or other mechanisms – such as FreeBSD Jails - should be used instead. Note that some systems, such as FreeBSD, take precautions to prevent the second chroot attack.

Next I am going to talk about iptables. The netfilter/iptables project was started in 1998 by Rusty Russell. The predominant reason for their creation was updated firewalls. Iptables uses tables of rules, each of which specified what to match within a packet, and what to do with such a packet. For example, one table was consulted when deciding whether to NAT a packet, and another consulted when deciding how to filter a packet. In addition, the three filtering points in a packet's journey were altered such that any packet only passes through one filtering point. This split allowed iptables, in turn, to use the information the connection tracking layer had determined about a packet. The information was previously tied to NAT. This makes iptables superior because it has the ability to monitor the state of a connection and redirect, modify or stop data packets based on the state of the connection, not just on the source, destination or packet data content. A firewall using iptables this way is said to be a stateful firewall versus a stateless firewall. Iptables can make better decisions on the fate of packets and connections.

--------------------------------------------
[ 1 ]. "National Security Agency Shares Security Enhancements to LINUX". NSA Press Release. Fort George G. Meade, Maryland: National Security Agency Central Security Service. 2001-01-02
[ 2 ]. http://www.ibm.com/developerworks/linux/library/l-selinux/ 2012-05-17
[ 3 ]. http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-Introduction.html 2013-01-21
[ 4 ]. http://www.nsa.gov/research/selinux/faqs.shtml 2013-01-21
[ 5 ]. http://www.itworld.com/security/138981/security-tip-how-set-a-chroot-jail 2011-03-03
[ 6 ]. http://flylib.com/books/en/3.151.1.175/1/ Advanced Linux Networking Authors: Smith R.W.
Published year: 2002
[ 7 ]. http://www.freebsd.org/cgi/man.cgi?query=chroot&sektion=2 2013-01-21
[ 8 ]. http://www.netfilter.org/about.html 2013-01-21