Linux security modules are enhancements to the Linux kernel that add security mechanisms by restricting entities (programs or files) to their specific roles. These enhancements were introduced by the NSA; they bring needed security features but come with a heavy maintenance cost.
Mandatory Access Control
Most operating systems use access controls to determine whether an entity (a file or a program) can access a given resource. Linux-based systems use a form of discretionary access control (DAC). For example, files in GNU/Linux have an owner, a group, and a set of permissions. The permissions define who can access a given file, who can read it, who can write to it, and who can execute it. These permissions are split into three sets of users, representing the user (owner of the file), the group (all users who are members of a group), and others (all users who are neither members of the group nor owner of the file). A program executed by a highly privileged user can be exploited and then do things at that user's access level, which is undesirable. Rather than defining privileges in such a fashion, it may be better to define a minimal set of functions which a program can perform. For example, if the function of a program is to listen on a socket, it should not get access to file-system details. This type of control is called Mandatory Access Control (MAC).
Role based Access Control
Another approach to controlling access is role-based access control (RBAC). In RBAC, permissions are provided based on roles that are granted by the security system. The concept of a role differs from that of a traditional group in that a group represents one or more users. A role can represent multiple users, but it also represents the permissions that a set of users can perform.
Security-Enhanced Linux SELinux
SELinux adds both MAC and RBAC to the GNU/Linux operating system. SELinux provides all the necessary tools for creating a MAC and RBAC policy. The policy implementation adds extended attributes to the entities (programs or files), thus associating each entity with its role.
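The owner/group/other decision from the DAC description and the extended-attribute label SELinux attaches to a file, as an added example (not code from the original post). The function names and sample contexts are constructed for illustration; root's override and POSIX ACLs are ignored.

```python
import os

def dac_allows(mode, file_uid, file_gid, uid, gids, want):
    """Owner/group/other decision for a caller (uid, gids); want is a subset of 'rwx'.
    Simplified: ignores root's override (CAP_DAC_OVERRIDE) and POSIX ACLs."""
    if uid == file_uid:
        shift = 6      # owner class: only these bits count, even if others are looser
    elif file_gid in gids:
        shift = 3      # group class
    else:
        shift = 0      # everyone else
    granted = (mode >> shift) & 0o7
    needed = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return (granted & needed) == needed

def parse_selinux_context(raw):
    """Split 'user:role:type[:level]'; the level may itself contain ':'."""
    text = raw.decode() if isinstance(raw, bytes) else raw
    user, role, type_, *level = text.rstrip("\x00").split(":", 3)
    return {"user": user, "role": role, "type": type_,
            "level": level[0] if level else None}

def selinux_label(path):
    """Parsed security.selinux xattr of path, or None if there is no label."""
    try:
        return parse_selinux_context(os.getxattr(path, "security.selinux"))
    except (OSError, AttributeError, ValueError):
        return None    # no label, no xattr support, or not a Linux host

if __name__ == "__main__":
    # DAC answers "may this user touch the file"; the label is what MAC policy keys on.
    st = os.stat("/etc/passwd")
    me, groups = os.getuid(), os.getgroups()
    print("DAC write allowed:",
          dac_allows(st.st_mode & 0o777, st.st_uid, st.st_gid, me, groups, "w"))
    print("SELinux label:", selinux_label("/etc/passwd"))
```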
AppArmor
AppArmor was developed by the security vendor Immunix. AppArmor has many of the features of SELinux but boasts a simplicity that serves as its main selling point. A security policy, called a profile, is assigned to each application and defines the system resources and privileges that the application can access.
GRCSEC
Grsecurity is a patch for the Linux kernel that allows you to increase prevention, protection and detection. Its main feature is the hardening of chroot: grsecurity's chroot hardening automatically converts all uses of chroot into real jails with confinement levels equivalent to containers. Processes inside a chroot will not be able to create suid/sgid binaries, see or attack processes outside the chroot jail, mount filesystems, use sensitive capabilities, or modify UNIX domain sockets or shared memory created outside the chroot jail.
Feature Comparison
Each of these security enhancements comes with its pros and cons. They promise a lot of features, but before any of them can be recommended, the table below compares each of them against a set of features.
| FEATURE | SELINUX | APPARMOR | GRCSEC |
|---|---|---|---|
| Admin Skill Set (Learning Curve) | High | Medium | Medium to Low |
| Complex and powerful | Yes | Yes | Somewhat less |
| Detailed configuration required | Yes | Yes | Seems to have a learning algorithm |
| GUI tools to write / modify rules set | Yes | Yes | No |
| Ease of use | Horrible | Horrible | Somewhat less horrible |
| Binary package | Most Linux support | Ubuntu, Centos, not all | Ubuntu, Centos, not all |
| System performance impact | None | None | None |
| Typical user base | Enterprise | Enterprise | web-server and hosting companies |
| Documentation | Plenty | Plenty | Not much |
| Auditing and logging supported | Yes | Yes | Yes |
Conclusion
It can easily be argued that the features supported by these extensions are not only useful but important. At the same time, they score really low when measured for their aesthetics. The skills needed to use any such tool are comparable to those of a system administrator. The system, once configured, tends to remain stable but becomes very inflexible to changes. SELinux tags entities (files and programs), making it next to impossible to make any change.
The datacenter is now heading for a change: the role of administrators is vanishing, with infrastructure providing all that an end user would demand. An end user wants agility, flexibility, workload migration, and guaranteed resource availability. All these requirements bring bigger challenges, and a system which cannot adhere to such needs is not needed.