...technologies that are available for certain operating systems, such as SELinux, chroot jail, and iptables. SELinux stands for Security Enhanced Linux; it was developed by the National Information Assurance Research Laboratory of the NSA. They believe that creating a secure operating system is still a problem, but the NSA believes that a secure operating system can be accomplished through mandatory access control. Mandatory access control allows the administrator to manage access controls, which allows the administrator to define usage and access policy. The access policy indicates the access users have to files and programs. By using an access policy it is easier to limit the resources users have so that a user does not have access to information and programs they shouldn’t, thus bringing down the chances of a security breach. Security Enhanced Linux is not easily bypassed; by controlling the access users get, it limits the amount of damage an attacker can do. Even if an attacker manages to get some limited control, most of their commands will fall through, while at the same time SELinux logs everything the attacker is attempting to do, making it much easier to spot them. SELinux is designed to stop many threats and make the operating system overall more secure. It prevents processes from reading or tampering with data and programs, bypassing application security mechanisms, and executing untrustworthy programs. SELinux also helps to confine potential damage done by malicious or flawed...
Words: 283 - Pages: 2
...Three of the most important types of Linux security technologies are Security Enhanced Linux (SELinux), chroot jail, and iptables. These security measures aid in the subversion of theft and malicious activity. We will discuss these items in depth to address who created them and for what reason, along with how these technologies changed the operating system to enforce security, and the types of threats that these security systems are designed to eliminate. Security Enhanced Linux was released in December of 2000 by the National Security Agency (NSA), under the GNU General Public License. SELinux is not a Linux distribution; it is a set of kernel modifications and tools that can be added to a variety of Linux distributions. SELinux is currently a part of Fedora Core, and it is supported by Red Hat. Incarnations of SELinux packages are also available for Debian, SuSE, and Gentoo. Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible Mandatory Access Control (MAC). MAC provides an enhanced process to enforce the separation of information based on confidentiality and integrity requirements, as well as the confinement of damage that can be caused by malicious or flawed applications. The previous security structure, discretionary access control (DAC), allowed threats of tampering and avoidance of security mechanisms, because DAC gives the user ownership of files and allows users the ability to make policy decisions...
Words: 848 - Pages: 4
...APPLY HARDENED SECURITY FOR CONTROLLING ACCESS
1. Suppose the domain hackers.com is denied for all services in the hosts.deny file and the hosts.allow file has the rule ALL:ALL. Will TCPWrappers allow hackers.com access? With ALL:ALL, TCPWrappers will not allow hackers.com access.
2. How do you enable SELinux? Configure the /etc/selinux/config file from permissive to enforcing to enable SELinux.
3. What are the three modes of SELinux? Explain their basic functionality. The SELinux modes are enforcing, permissive, and disabled. Enforcing is when the SELinux security policy is enforced. Permissive is when SELinux prints warnings instead of enforcing, and disabled is when SELinux is fully disabled.
4. Consider the following firewall rule, and describe what this permits or denies.
5. What command would you use to allow all the traffic from the loopback? -A INPUT -i lo -j ACCEPT
6. What command would you use to view the network port configuration for the iptables? iptables -L
7. If a service is to allow in one place and to deny in another, what is the outcome? The outcome would be to allow, because access rules in hosts.allow are applied first and take precedence over rules specified in hosts.deny.
8. Is the order of the rules important? If you deny something within the IP network layer, but permit something within the TCP transport layer that uses the IP network layer that you just denied, will your TCP traffic be permitted? The order of the rules is important...
Words: 291 - Pages: 2
...to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. For guidelines on the permitted uses of the Fedora trademarks, refer to https://fedoraproject.org/wiki/Legal:Trademark_guidelines. Linux® is the registered trademark of Linus Torvalds in the United States and other countries. All other trademarks are the property of their respective owners. Murray McAllister (mmcallis@redhat.com), Scott Radvan (sradvan@redhat.com), Daniel Walsh (dwalsh@redhat.com), Dominick Grift (domg472@gmail.com), Eric Paris (eparis@parisplace.org), James Morris (jmorris@redhat.com). The SELinux User Guide assists users and administrators in managing and using Security-Enhanced Linux®. Preface v 1. Document Conventions...
Words: 26838 - Pages: 108
...situation with security technologies such as SELinux, chroot jail, iptables, and virtual private networks (VPNs), to name a few. The basics of Linux security start with Discretionary Access Control, which is based on users and groups. The process starts with a user, who has access to anything that any other user can have access to. At first, it may seem great to be able to have that access, but the security in it is not so great. The US National Security Agency (NSA) developed SELinux (Security Enhanced Linux) to combat the lack of strong security (National Security Agency Central Security Service, 2009). Other organizations behind SELinux include the Network Associates Laboratories (NAI Labs), which implemented several additional kernel mandatory access controls, developed the example security policy configuration, ported it to the Linux 2.4 kernel, contributed to the development of the Linux Security Modules kernel patch, and adapted the SELinux prototype to LSM; the MITRE Corporation, which enhanced several utilities to be SELinux-aware and developed application security policies; and the Secure Computing Corporation (SCC), which developed a preliminary security policy configuration for the system that was used as a starting point for NAI Labs’ configuration. SELinux changes the operating system in that you can run it in one of three settings: Enforcing, Permissive, and Disabled. Enforcing is the setting in which it will use the targeted SELinux policy on...
Words: 1207 - Pages: 5
...that are always evolving in security to protect against all kinds of hackers or other types of attacks: SELinux, chroot jail, iptables, Mandatory Access Control and Discretionary Access Control, just to name a few. SELinux is an access control implementation for the Linux kernel. Take for instance that you are the administrator and you define rules in user space; if the Linux kernel has been built with SELinux support, then those rules will be followed by the kernel. SELinux is NSA Security-Enhanced Linux, in which the mandatory access control is flexible. The structure of SELinux supports all kinds of mandatory access control policies, some of which are Role-Based Access Control and Multi-Level Security. It was designed by the NSA for the purpose of protecting a server against malicious daemons, by telling the daemons what they can and can’t do. This type of technology was created by Secure Computing Corporation, but was supported by the U.S. National Security Agency. In 1992, the thought for a more intense security system was needed and a project called Distributed Trusted Mach was created. Some good solutions evolved from this, some of which were a part of the Fluke operating system, which then became the Flux and finally led to the creation of the Flask architecture. Eventually it was combined with the Linux kernel, which created another project called SELinux. Since the NSA realized that the Linux operating system did not have any security that would enforce access...
Words: 873 - Pages: 4
...accounts, which leads to credit card theft and identity theft. This paper will explain a few of Unix/Linux’s security operations, such as SELinux, chroot, and iptables. Security-Enhanced Linux is a Linux feature that provides a mechanism for supporting access control security policies, including United States Department of Defense style mandatory access controls. These functions are run through the Linux Security Modules in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating system kernels, such as Linux and BSD. SELinux was developed by the United States National Security Agency; it was released to the open source development community under the GNU GPL on December 22, 2000. SELinux users and roles are not related to the actual system users and roles. For every current user or process, SELinux assigns a three-string context consisting of a role, user name, and domain. This system is more flexible than normally required: as a rule, most of the real users share the same SELinux username, and all access control is managed through the third tag, the domain. The circumstances under which a user is allowed to enter a certain domain must be configured in the policies. The command runcon allows for the launching of a process into an explicitly specified context, but SELinux may deny the transition if it is not approved by the policy configuration. The security of an unmodified Linux system depends on the...
Words: 907 - Pages: 4
...Security in Linux
Linux, like any other computing platform, is constantly changing. There are a few major focus points for new and upgraded platforms, one of which is how user friendly it is. User friendliness goes beyond the ability to simply point and click; it also goes behind the lines, deep into the inner workings of the system. Security is one of the most important functions of any operating system, and it is very commonly overlooked and taken for granted. A system administrator can configure tables that are provided by the Linux kernel firewall in a program called iptables. Iptables has the ability to redirect, modify or stop packets of data, all based on the state of a connection at any given time. There are many different tables that can be defined, and each table contains built-in chains or user-defined chains. Every chain is essentially a list of rules that matches a set of packets, and it specifies what to do with a packet that matches the rules. For the casual user it is best to use the predefined rules; they are often more than adequate. In an enterprise situation the administrator would likely want to define additional rules in order to best suit the business needs. Before iptables, Linux mainly used ipchains as a firewall package. Iptables is an improvement on ipchains because it monitors the state of connections. Iptables can use the state of the connection, as opposed to ipchains using the source, destination and content only, to redirect, modify or drop a packet. At least...
Words: 965 - Pages: 4
...programming, of which the majority of the software is free. Some of those security technologies are SELinux, TCP Wrappers, iptables and chroot jail, to name a few. SELinux is a security enhancement to Linux which allows users and administrators more control over access control. Access can be constrained on such variables as which users and applications can access which resources. It was developed by the NSA in December of 2000. These resources may take the form of files. Standard Linux access controls, such as file modes (-rwxr-xr-x), are modifiable by the user and the applications which the user runs. Conversely, SELinux access controls are determined by a policy loaded on the system which may not be changed by careless users or misbehaving applications. SELinux also adds finer granularity to access controls. Instead of only being able to specify who can read, write or execute a file, for example, SELinux lets you specify who can unlink, append only, move a file, and so on. SELinux allows you to specify access to many resources other than files as well, such as network resources and interprocess communication (IPC). SELinux is an implementation of mandatory access controls (MAC) on Linux. Mandatory access controls allow an administrator of a system to define how applications and users can access different resources such as files, devices, networks and inter-process communication. SELinux can help protect you from bugs in applications. Most people...
Words: 1350 - Pages: 6
...Secure File Storage Server
First World Bank Savings and Loan has a need to deliver highly confidential customer data in PDF format to online customers. This can be done by uploading data to a Linux file server by bank employees within the LAN. This, however, is inaccessible to customers. First World Bank Savings and Loan has created a plan to make a secure web server so clients can access the data. In order to do this, we will set up a separate Linux virtual machine that will be running an SFTP service that only works with an SSH connection. In order to connect with an SSH connection, users have to pre-authenticate through the web server, and traffic needs to be forwarded from that web server to the SFTP server. The SFTP server will then take off the SSH “shell” and be able to read the SFTP traffic. In order to do this, we will implement MySecureShell software that will be installed on an Ubuntu release server. According to http://xmodulo.com/, MySecureShell is an OpenSSH server system that can:
• Limit per-connection download/upload bandwidth
• Limit the number of concurrent connections per account
• Hide file and directory owner/group/rights
• Hide files and directories which the user has no access to
• Limit the lifetime of a connection
• Chroot the SFTP user into his/her home directory
Secure Web and Database Servers
Based on what is being asked, I am recommending a database and web server architecture; along with this there will be explanations as to how they are secure and...
Words: 1306 - Pages: 6
...SELinux
SELinux was developed by the United States National Security Agency. It was then released for open source development on December 22, 2000 and was merged into the main Linux kernel version 2.6.0-test3 on August 8, 2003. SELinux was designed to change the access control protocols for Linux users, to make them more secure and computer resources and applications less likely to be exploited. Prior to the development of SELinux, systems used a form of DAC, Discretionary Access Control. This setup placed all clients into three categories: user, group, and other. If an application or file were "exploited," it would allow the current user to access the file(s) or application at the highest permission allowed, that of the owner of the file, or user. SELinux introduced two new ways to allow permissions to be determined by the client computer. The first of these is MAC, Mandatory Access Control. This new protocol introduced the principle of least privilege, which simply allows programs to use the resources they need to do the task at hand, and nothing else. An example from an article I found online: "if you have a program that responds to socket requests but doesn't need to access the file system, then that program should be able to listen on a given socket but not have access to the file system." The second protocol is RBAC, Role-based Access Control. In this protocol, "permissions are provided based on roles that are granted by the security system." From what I read of roles...
Words: 792 - Pages: 4
...Introduction
Today we live in a world where technology is the way to go. Even in this century there are people who are still clueless about the operating system. It is different and exciting when a new and advanced system comes out, but some of us are so confused when it comes to the basics of new technology. Operating systems are programs which manage the computer’s hardware. The systems provide a basis for the application programs between the computer user and its hardware. When looking, there are so many different types of operating systems that are available. The four main operating systems that are used are Windows, Mac, UNIX, and Linux. For every computer there are many different items that make the system a whole. When it comes to the different operating systems there are different features available; even though when you think of computers a person might think security will all be the same, there are differences between each one. As you read more you will understand the security and the differences between Mac, UNIX/Linux and Windows systems and how each one works. The goal of access control is to protect a resource from unauthorized access while facilitating seamless and legitimate use of such resources. Presently, each day users need to access those resources through a broad line of devices, such as PCs, laptops, PDAs, smartphones and kiosks. Most organizations need to provide protection for their files and allow the correct people to access...
Words: 2672 - Pages: 11
...would be SELinux; there are many contributors to SELinux, but it all really comes back to four major organizations that are responsible for the initial public release of SELinux. These organizations include the National Security Agency, Network Associates Laboratories, the MITRE Corporation, and finally the Secure Computing Corporation. From my research I have found that it all really started with the NSA when they developed the LSM-based SELinux and made it part of Linux 2.6, and this has also led to the development of similar controls in the X Window System (XACE/XSELinux) and for Xen (XSM/Flask). Then NAI Labs implemented several additional kernel mandatory access controls, developed the example security policy configuration and also contributed to the development of the Linux Security Modules kernel patch. The MITRE Corporation helped several common Linux utilities become SELinux-aware and developed application security policies. The SCC developed a preliminary security policy configuration for the system that was used as a starting point for NAI Labs’ configuration, and also developed several new or modified utilities. SELinux controls access between applications and resources, and it does this by using a mandatory security policy. SELinux enforces the security goals of the system regardless of whether applications misbehave or users act carelessly. You can check if SELinux is enabled in Red Hat or Fedora by using the getenforce command; if it returns Enforcing, SELinux is enabled...
Words: 541 - Pages: 3
...1. Suppose the domain hackers.com is denied for all services in the hosts.deny file and the hosts.allow file has the rule ALL: ALL. Will TCPWrappers allow hackers.com access? Yes
2. How do you enable SELinux? In /etc/selinux/config, check to see if SELinux is enabled in the status. If in the disabled status, enter the command rpm -qa | grep selinux
3. What are the three modes of SELinux? Explain their basic functionality. Enforcing: SELinux policy is enforced/SELinux denies access based on policy rules. Permissive: SELinux policy is not enforced/SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode. Disabled: SELinux is disabled/Only DAC (Discretionary Access Control) rules are used.
4. Consider the following firewall rule, and describe what this permits or denies. Allow http (web) traffic through SSL using SSH & allow ICMP pings, while denying all other traffic.
5. What command would you use to allow all the traffic from the loopback? iptables -A INPUT -i lo -j ACCEPT and iptables -A OUTPUT -o lo -j ACCEPT
6. What command would you use to view the network port configuration for the iptables? /etc/network/interfaces
7. If a service is to allow in one place and to deny in another, what is the outcome? Allow, because deny is the file pulled first and then the allow file, so the last one pulled is to allow.
8. Is the order of the rules important? If you deny something within the IP network...
Words: 355 - Pages: 2
...2002). Users can access lower level documentation, but they cannot access higher level documentation without the process of declassification. Access is authorized or restricted based on the security characteristics of the HTTP client. This can be due to SSL bit length, version information, originating IP address or domain, etc. Systems supporting flexible security models include SELinux, Trusted Solaris, TrustedBSD, etc. DAC checks the validity of the credentials given by the user. MAC validates aspects which are out of the hands of the user (Coar, 2000). If there is no DAC list on an object, full access is granted to any user (Microsoft, 2012).
SELinux
SELinux has three states of operation. These states are enforcing, permissive, and disabled. SELinux was developed by the U.S. National Security Agency (NSA) and implements MAC in the Linux kernel (Sobell, 2011). Enforcing is the default state for Linux. This is enforcing the security policies. No programs or users are able to do anything not permitted by the security policies. The system is somewhat degraded in performance in this state. Permissive mode is the diagnostic state. SELinux sends warning messages to a log file and does not enforce the security policy. This is useful for debugging and troubleshooting...
Words: 875 - Pages: 4