...IT302 7/9/2012 Research Linux Security Basics Linux, being one of the most secure operating systems in the world, has many features and services that enhance security to the maximum. Linux isn’t completely secure, as some people like to claim, but many distributions strive to make security a key feature. One of the greatest reasons Linux is more secure is the simple fact of having a smaller user base than other operating systems; this means that Linux is a smaller target for most malicious intents. That doesn’t mean that distributions rely on this to secure their OS. There are many great and complex security features and services that come with Linux. One of the most complicated security features, I believe, is SELinux. Security Enhanced Linux is a security model developed by the NSA and provides a fine-grained permissions system for files, users, groups, sockets, ports, and processes. SELinux was conceived because the current user-level security system that Linux, and other operating systems, offer is insufficient. To ensure a maximum security environment, SELinux uses the MAC security model. This means that an object only has the minimal set of permissions it requires to operate. SELinux uses sets of policies to handle permissions, providing the system with a great level of security. These policies can be assigned as roles to users, enabling specific rules and regulations for specific individuals. SELinux may be a powerful security feature, but it can also be a pain...
Words: 1200 - Pages: 5
...Configure Basic Security Controls on a Fedora Linux Server The students are required to submit their lab assignment answers through this website. All lab assignment questions listed are for each course's week lab activity. This may be a theory-based or lab-based activity. Lab assessment results and answers are due at the beginning of class the following week. Students are encouraged to perform and submit their lab assessment results immediately upon completion of the lab activity or prior to the due date. During this lab students will properly secure a Linux server system. They will perform steps to secure the bootloader, enable iptables and run SELinux to help lock down the Linux OS. The students will also apply ACLs to directories and files and then check those ACLs and permissions on the system. To accomplish the lab assignment below, students will need to obtain a copy of the Fedora image provided to you by the Substitute Instructor and complete a basic VMware installation of Fedora. The questions in the lab book will be based on the installation experience. Assigned Pages: 10-26 Questions: 1 through 10. This assignment is due by the beginning of class for Unit 3. 1. What is GRUB and why is it important to lock it down? GRUB stands for Grand Unified Bootloader (1 of 2 boot menus for the operating system), and it is important to lock down for security reasons. These reasons include its being used to start other operating systems (e.g. other versions of Linux or Microsoft...
Words: 745 - Pages: 3
...Linux Security Technologies SELinux (Security Enhanced Linux) is a mandatory access control in the Linux kernel that was originally developed by NSA (National Security Agency) with direct contributions provided by Red Hat Enterprise Linux (RHEL) via the Fedora Project. In the day and age of identity theft and attempted sabotage from terrorists against our country, it should be very apparent why an organization like NSA had such an interest in heading up development of a more secure way to better protect our nation’s computer systems. In a world so largely dependent on computer systems, inadequate security measures could lead to anything from having a single person’s financial information compromised to an electronic 9/11 against some of our country’s most secure federal computer networks. In the modern computer based society we live in, security is essential to protecting everything from personal desktops all the way up to the most secure federal databases. And many corporate and government level computers are based on the Linux kernel. SELinux has 3 states it can be in if on a system: Enabled, Disabled, and Permissive. Enforcing means SELinux security policy is active, Disabled means SELinux security policy is not active, and Permissive is a diagnostic state commonly used for troubleshooting. To better understand what improvements Mandatory Access Control (MAC) can provide for security, one needs to know about the standard Linux security provision called Discretionary...
Words: 1124 - Pages: 5
...Paper 07/13/2012 Linux Security Technologies In today’s world there are many ways to gain access to the internet. You can go to your local library, a Starbucks, any airport, or even a McDonald’s. With all of these ways to have free access to the Web, the opportunity for hackers to get to your personal information is at an all-time high. Linux programming has many ways to combat this situation with security technologies such as SELinux, chroot jail, iptables, and virtual private networks (VPNs) to name a few. The basics of Linux security start with Discretionary Access Control, which is based on users and groups. The process starts with a user, who has access to anything that any other user can have access to. At first, it may seem great to be able to have that access, but the security in it is not so great. The US National Security Agency (NSA) developed SELinux (Security Enhanced Linux) to combat the lack of strong security. (National Security Agency Central Security Service, 2009) Other organizations behind SELinux include the Network Associates Laboratories (NAI Labs), which implemented several additional kernel mandatory access controls, developed the example security policy configuration, ported to the Linux 2.4 kernel, contributed to the development of the Linux Security Modules kernel patch, and adapted the SELinux prototype to LSM; the MITRE Corporation, which enhanced several utilities to be SELinux-aware and developed application security policies; and the...
Words: 1207 - Pages: 5
...several security measures with Linux programming, for which the majority of the software is free. Some of those security technologies are SELinux, TCP Wrappers, IPtables and Chroot Jail to name a few. In basic Linux security, Discretionary Access Control is based practically on users and groups. The process is run by a user and then has access to anything other users have access to, making it not so secure. The U.S. National Security Agency (NSA) developed SELinux (Security Enhanced Linux) to combat the lack of strong security. SELinux implements Mandatory Access Control (MAC) in the Linux kernel, which enforces policies that limit what a user or a program can do. It is designed to prevent processes from reading and/or tampering with data and programs. MAC is an important tool for containing security threats made by user errors, hackers or software errors. It’s pretty hard to bypass the security measure since the kernel is checking the MAC rules right after checking the DAC rules on a constant basis. There are three states you can place SELinux to run in: Enforcing, Permissive and Disabled. Enforcing is the default setting, where no program or user can do anything not permitted by the security policy. Permissive is a diagnostic state where it sends warnings but does not enforce the policy, which you can use to build a new security policy. Disabled is where it does not enforce any security policies at all. Another Linux-based security program...
Words: 827 - Pages: 4
...Linux Security: A review of some current technologies In the pre-Internet world you had criminals looking for “hard” assets: money, jewelry and other items that could be easily turned into hard currency. We have always had “white-collar” crime such as embezzlement, fraud and insider trading. With the proliferation of the Internet and our personal and professional lives stored in the cloud, criminals can now take one ubiquitous piece of information and turn themselves into a whole other person. The ease with which such information can be used has turned people who would never think of ever holding up a bank, mugging someone or committing other physical crime into criminals. This type of crime has spawned a whole new “industry”: cyber security. One of the most important aspects of a network administrator’s job is to secure the system from any person who wishes to do criminal activities. These people are both within and outside the organization. With the Linux system there are three main technologies that are in use today. They are SELinux, chroot jail, and iptables. The first line of defense in a Linux system is chroot jail. Chroot is a process or application that changes the root directory for a user. To the user it appears that they are in their root directory, but they are actually in a modified root directory. This modified root directory is called a jail. Without a chroot jail, a user with limited file permissions would still be able to navigate...
Words: 942 - Pages: 4
...IT302 Linux System Administration Research Assignment 1 SELinux or Security Enhanced Linux uses an architecture that separates enforcement from access policy decisions. With this architecture different types of policies can be implemented, including Role-Based Access Control (RBAC), Type Enforcement (TE), and Multi-Level Security (MLS). The module assigns security labels to each subject or object. It uses a security class to determine the kinds of relationship a pair of labels might have. The triplet consisting of a pair of labels and a class is then sent to a policy server to determine if access is allowed. The security labels are assigned dynamic integer security IDs (SIDs); the reply from the policy server is cached in an 'access vector cache' for performance reasons. SELinux was developed in coordination with the open source community and the National Security Agency (NSA) to provide the highest level of security for the Linux operating system. Linux V-Server – The three basic elements of the VServer are: * The security context. A process in one security context cannot see processes in other security contexts, neither with the 'ps' command, nor with 'cat /proc', nor in any other way. As a side effect, this means that a process in one context cannot kill processes in other contexts. * Capabilities. The existing Linux kernel provides a wide variety of capabilities which can be taken away from processes. These include the ability to change network addresses...
Words: 423 - Pages: 2
...Term paper Linux Security Technologies There are many ways to have internet access these days. Coffee shops, libraries, airports and even public buses have free wireless access. With all these free accesses to the World Wide Web, there are also many potential ways for hackers to get your personal information and use it for their gain. There are many ways to combat this situation by using several security measures with Linux programming, for which the majority of the software is free. Some of those security technologies are SELinux, TCP Wrappers, IPtables and Chroot Jail to name a few. In basic Linux security, Discretionary Access Control is based practically on users and groups. The process is run by a user and then has access to anything other users have access to, making it not so secure. The U.S. National Security Agency (NSA) developed SELinux (Security Enhanced Linux) to combat the lack of strong security. SELinux implements Mandatory Access Control (MAC) in the Linux kernel, which enforces policies that limit what a user or a program can do. It is designed to prevent processes from reading and/or tampering with data and programs. MAC is an important tool for containing security threats made by user errors, hackers or software errors. It’s pretty hard to bypass the security measure since the kernel is checking the MAC rules right after checking the DAC rules on a constant basis. There are three states you can place SELinux to run in: Enforcing...
Words: 311 - Pages: 2
...Since its release to the public in 1991, the Linux operating system has become one of the most widely used operating systems in the world. This is largely because of the security features. The three most popular of these technologies are SELinux, chroot jail and iptables. We are going to break down the advantages and benefits of each of these features. The United States National Security Agency (NSA), the original developer of SELinux, released the first version of this feature in December of 2000. According to a statement by the NSA, "NSA Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible mandatory access control (MAC) architecture into the major subsystems of the kernel. It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. It includes a set of sample security policy configuration files designed to meet common, general-purpose security goals." It provides the ability to separate information based on confidentiality and integrity requirements. The flexibility allows control over what activities can be done by each daemon, user, or process. Standard Linux access controls are modifiable by the user and the applications which the user runs. SELinux access...
Words: 600 - Pages: 3
...critical research problem. Linux has several security developments included in its open source operating system. Among these are SELinux, chroot jail, and iptables to name a few. SELinux is Security Enhanced Linux. The National Information Assurance Research Laboratory of the National Security Agency was in charge of carrying out the research and advanced development of technologies needed to enable the NSA to provide the solutions, products, and services to achieve Information Assurance for information infrastructures essential to U.S. National Security. The Security-enhanced Linux prototype was developed by the NSA along with research partners from NAI Labs, Secure Computing Corporation (SCC), and the MITRE Corporation. Many other contributions have followed since the initial release. (NSA-National Security Agency, 2009) Researchers in the National Information Assurance Research Laboratory of NSA worked with Secure Computing Corporation (SCC) to develop a strong, flexible mandatory access control architecture based on a mechanism first developed for the LOCK system called Type Enforcement. The NSA and SCC then worked with the University of Utah’s Flux research group to transfer the architecture to the Fluke research operating system. The architecture was enhanced, when it was transferred, to provide better support for dynamic security policies. This enhanced architecture was named Flask. SELinux implements the Flask security architecture, which uses flexible...
Words: 1498 - Pages: 6
...Fedora 12 Security-Enhanced Linux User Guide, Edition 1.4. Authors: Murray McAllister, Scott Radvan, Daniel Walsh, Dominick Grift, Eric Paris, James Morris. Copyright © 2009 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. For guidelines on the permitted uses of the Fedora trademarks, refer to https://fedoraproject.org/wiki/Legal:Trademark_guidelines. Linux® is the registered trademark of Linus Torvalds in the United States and other countries. All other trademarks are the property of their respective owners...
Words: 26838 - Pages: 108
...Security in Linux Linux, like any other computing platform, is constantly changing. There are a few major focus points for new and upgraded platforms, one of which is how user friendly it is. User friendliness goes beyond the ability to simply point and click; it also goes behind the lines deep into the inner workings of the system. Security is one of the most important functions of any operating system, very commonly overlooked and taken for granted. A system administrator can configure tables that are provided by the Linux kernel firewall in a program called iptables. Iptables has the ability to redirect, modify or stop packets of data, all based on the state of a connection at any given time. There are many different tables that can be defined, and each table contains built-in chains or user-defined chains. Every chain is essentially a list of rules that matches a set of packets, and it specifies what to do with a packet that matches the rules. For the casual user it is best to use the predefined rules; they are often more than adequate. In an enterprise situation the administrator would likely want to define additional rules in order to best suit the business needs. Before iptables, Linux mainly used ipchains as a firewall package. Iptables is an improvement on ipchains because it monitors the state of connections. Iptables can use the state of the connection, as opposed to ipchains using the source, destination and content only, to redirect, modify or drop a packet. At least...
Words: 965 - Pages: 4
...Chapter 2 Installation Overview 1. A Net Boot CD is a way to install a new system from a hard disk or over a network. 2. Three considerations for planning an installation are: a. SELinux improves system security by implementing mandatory access control policies in the Fedora kernel. b. Install a graphical desktop environment (GUI) such as GNOME and/or KDE. c. Install additional software and services packages to fit the needs of the user. 3. By default Fedora divides the disk into three partitions, including ‘/boot’ and Logical Volume Manager (LVM). 4. Manually partitioning the hard disk has its advantages, such as being able to isolate a filesystem for security or backup needs. 5. The / (root) partition is the main filesystem on the hard disk. Any newly created directories will become part of the root filesystem unless a filesystem is created. 6. The swap partition is where Linux temporarily stores programs and data when it does not have enough RAM to hold all the information it is processing. 7. The /boot partition holds the kernel and other data the system needs when it boots. In order for the /boot partition to work properly it must be one of the first partitions on the disk. 8. The /var (variable) partition holds the bulk of system logs, package information, and accounting data. The /var/log directory is commonly placed in a separate partition to isolate system logs from other files in the /var directory. 9. The /home partition is...
Words: 831 - Pages: 4
...Linux Security Technology Security of a system is important in our today’s use of the internet. That is why Linux has its many layers that are always evolving in security to protect against all kinds of hackers or other types of attacks: SELinux, Chroot Jail, IPTables, Mandatory Access Control and Discretionary Access Control, just to name a few. SELinux is an access control implementation for the Linux kernel. Take for instance that you are the administrator and you define rules in user space; if the Linux kernel has been built with SELinux support, then those rules will be followed by the kernel. SELinux is an NSA Security-Enhanced Linux, in which the mandatory access control is flexible. The structure of SELinux supports all kinds of mandatory access control policies. Some of these are Role-Based Access Control and Multi-Level Security. It was designed by NSA for the purpose of protecting a server against malicious daemons, by telling the daemons what they can and can’t do. This type of technology was created by Secure Computing Corporation, but was supported by the U.S. National Security Agency. In 1992, the thought for a more intense security system was needed and a project called Distributed Trusted Mach was created. Some good solutions evolved from this, some of which were a part of the Fluke operating system, which then became Flux and finally led to the creation of the Flask architecture. Eventually it was combined with the Linux kernel, which...
Words: 873 - Pages: 4
...In this paper we will talk about SELinux: what it is, what it does, and who uses such a product. What is SELinux? In short, Security-Enhanced Linux or SELinux is a Linux feature that provides a way for supporting access control security policies, through the use of the Linux Security Modules (LSM) framework in the Linux kernel. Its architecture works in a way to separate enforcement of security decisions from the security policy itself and streamlines the volume of software charged with security policy enforcement. So, what does it do? Here is a list I found on the internet for all techs out there who love this technical stuff. * Clean separation of policy from enforcement * Well-defined policy interfaces * Support for applications querying the policy and enforcing access control (for example, crond running jobs in the correct context) * Independent of specific policies and policy languages * Independent of specific security label formats and contents * Individual labels and controls for kernel objects and services * Support for policy changes * Separate measures for protecting system integrity (domain-type) and data confidentiality (multilevel security) * Flexible policy * Controls over process initialization and inheritance and program execution * Controls over file systems, directories, files, and open file descriptors * Controls over sockets, messages, and network interfaces * Controls over use of "capabilities" * Cached information...
Words: 656 - Pages: 3