Computer Security & SELinux

Published on February 2017

_______________________________________________Computer Security & SELinux
Chapter 1
Introduction
1.1 Overview:
The collection of tools designed to protect data, files and information stored on a computer from hackers, intruders and unauthorized parties is called computer security.
1.2 Hackers Vs Crackers:
A hacker is someone who enjoys the challenge of figuring out how complex systems work. Hackers take great satisfaction in mastering the esoteric details of a computer system and using that information to analyze its performance or predict how other parts of the system will work.

Crackers are hackers who use their skills to bypass system security and manipulate computers and information illicitly. Once the cracker has entered the system, he may use its resources, modify information stored in it, prevent others from accessing it, or use it to launch an attack on another system.

What Do Crackers Do?
If a cracker breaks into your system, he may do the following:
• Use system resources (disk space, CPU cycles, network bandwidth) you want for you or other users
• Deny services to you or other users--either maliciously or because he's using the resources himself
• Steal valuable information
• Destroy files--either maliciously or to cover his tracks
• Use your computers to break into other sites
• Cause you to lose staff time (read: money) in tracking him down and putting compromised systems back in order

All attacks depend on gaining initial access to the computer. You should put yourself in the cracker's shoes and think about how you could attack your own system. Is it used by you alone or by many people? Is it accessible via a phone line or connected to a private or public network? If it's connected to a network, is the network physically secure? Are your computers locked up or in a public site? Where are your backup tapes stored? Can a cracker get access to them, thereby gaining access to your files without ever breaking into your computer? If you're responsible for administering a multiuser system, how wise are your users? What will they do if they receive a phone call from the "system administrator" asking for their passwords for "special maintenance"?

These questions cover many--but certainly not all--of the approaches a cracker might use to gain access to your computer or data. The attacks fall into the following four basic categories:
• Physical security attacks
• Social engineering attacks
• Dumpster-diving attacks
• Network- and phone-based attacks

The point of any attack is to gain access to a legitimate user's account, or to exploit bugs in system programs to get a command shell without actually compromising an account.
1.3 People Issues:
Social engineering on the part of crackers is a subtle and difficult threat to address. As you may guess, the best defense against social engineering is user and staff education. Your users should know, for instance, that because you have superuser privileges you never have any reason to ask for their passwords, and that any such request should be reported to you immediately. Part of the goal of a security policy is to educate your users on such matters.

A second way to counter the social engineering threat is to limit system use on the part of temporary workers, employees of other companies, new hires, and others who have not yet been trained or whose commitment to maintaining system security is not obvious. This will require management guidance and support, but can be a surprisingly effective measure to take. Often new hires are not yet ready to make productive use of the system, for instance. If your company includes security and application training as part of the orientation process before system access is granted, such users are less likely to be vulnerable to the wiles of friendly crackers.

User education is important because security is often inconvenient and users are devious--they will thwart your best-laid plans unless they understand the reasons for the inconvenience. Many users may feel that their account security is a personal matter, similar to the choice of whether to wear seat belts while driving. However, a multiuser computer system is a community of sorts, and one weak account is all a cracker needs to compromise an entire system.
Chapter 2
Authentication
2.1 User Authentication:
Authentication is a fancy name for identifying yourself as a valid user of a computer system, and it's your first defense against a break-in. Until recently, UNIX user authentication meant typing a valid login name and password. This is known as reusable password authentication, meaning that you enter the same password each time you log in. Reusable password authentication is too weak for some systems and will eventually be replaced by one-time password systems in which you enter a different password each login.

Reusable passwords are strong enough for some sites as long as users choose good passwords. Unfortunately, many don't. Research has shown that as many as 30% to 50% of passwords on typical UNIX systems can easily be guessed. Your security policy should both require strong passwords and provide guidelines for choosing them.
2.2 Picking Good Passwords:
Good passwords are six to eight characters long, use a rich character set (upper- and lowercase letters, digits, punctuation, and control characters), are not in English or foreign-language dictionaries, and don't contain any public information about you, such as your name or license number. Detailed guidelines for choosing passwords are presented in the security books mentioned in the section "Finding More Information" later in this chapter, but one good method is to take a random phrase and modify it in ingenious ways. For instance, the phrase "If pigs had wings" could yield the password "1fpiGhw." This password is a combination of a misspelled word ("1f" standing for "if"), a misspelled word with odd capitalization ("piG"), and the first letters of two more words. It's as secure as a reusable password can be because it isn't found in any dictionary, uses a fairly rich vocabulary (the digit "1" and capitalization), and it's easy to remember (but not to type).
2.3 Password Screening:
Retroactive password vetting puts you in the role of the cracker. You make your best effort to break your users' passwords, and if you succeed you notify the user and require her to change her password to something safer. The public domain program crack, written by Alec Muffett and available for anonymous ftp from ftp.cert.org and other sites, is one of the best. crack uses various tricks to permute login names and finger information into likely passwords and whatever word lists you specify. If you've got the disk space and CPU cycles, you can feed crack the huge English and foreign-language word lists available for ftp from the host black.ox.ac.uk.

The problem with crack and similar programs is that users hate being told that you've cracked their passwords. It's kind of like having a neighbor say, "By the way, I was rattling doorknobs last night and noticed that yours wasn't locked." However, crack is useful for gathering information you can use to make a case to management for stronger password security. For instance, if you can show that 30% of your users' passwords are easily guessed, you may be able to persuade your boss that proactive password screening is a good idea. And if you do plan to crack passwords, your users may react more positively if you make that clear in your security policy.

Proactive password screening is more like a preemptive strike. If you prevent your users from choosing poor passwords, there's no reason to run crack. With proper education via your security policy, users will react more positively (or at least less negatively) to being told they must choose a more secure password than to being told that you broke their current one. The passwd+ and npasswd programs screen passwords and can replace your standard passwd program. passwd+ is available for ftp from the host ftp.wustl.edu and others, and npasswd from ftp.luth.se.
2.4 Password Aging:
SVR4 UNIX also provides password aging facilities. Password aging places a time limit on the life of a password. The longer you keep the same password, the better the chance that someone will crack it by guessing it, watching you type it, or by cracking it offline on another computer. Changing passwords every one to six months is sufficient for many sites, and password aging enforces that policy by requiring users to change their passwords when they expire. However, a poor implementation of password aging is worse than none at all. Users should be warned a few days in advance that their passwords will expire, because they may choose poor passwords if forced to choose on the spur of the moment.
2.5 Password for System Accounts:
The system administrator must take special care in choosing a good password for her account and the superuser account. The superuser account must be protected because of the power it gives a cracker, and the system administrator's account because it can give access to the superuser account in many ways. For instance, if a system administrator's account is broken, the cracker can install a fake su program in his private bin directory that records the root password, removes itself, and then invokes the real su program. The system administrator account may have other special privileges that a cracker can make use of, for instance, membership in groups that allow you to read--or worse, write--system memory or raw disk devices, and permission to su to the superuser account. The systems administrator and root passwords should be changed often and should be as strong as you can make them.
2.6 Shadow Password:
SVR4 UNIX also provides shadow passwords. UNIX passwords are encrypted in the password file, but access to the encrypted version is valuable because it allows a cracker to crack them on her own computer. A fast personal computer can try thousands of guesses per second, which is a huge advantage for the cracker. Without access to the encrypted passwords, the cracker must try each of her guesses through the normal login procedure, which at best may take five to 10 seconds per guess.

Shadow passwords hide the encrypted passwords in a file that is readable only by the superuser, thereby preventing crackers from cracking them offline. You should use them.
2.7 One Time Passwords:
Reusable passwords may be a serious problem if your users use your site to connect to remote sites on the Internet or if your local network is not physically secure. On February 3, 1994, the CERT/CC issued advisory CA-94:01. Crackers had broken into several major Internet sites, gained superuser access, and installed software to snoop the network and record the first packets of telnet, ftp, and rlogin sessions, which contain login names and passwords. According to the CERT/CC advisory, "...all systems that offer remote access through rlogin, telnet, and FTP are at risk. Intruders have already captured access information for tens of thousands of systems across the Internet" (emphasis added). As this alert suggests, there is a real threat that persistent passwords will be captured and used to hack your system.

Internet programs such as telnet send unencrypted passwords over the network, making them vulnerable to snooping. The only way to truly solve this problem is to change the protocols so that user authentication doesn't require sending passwords over the network, but that won't happen soon.

Reusable passwords are valuable precisely because they're reusable. One-time passwords get around this problem by requiring a new password for each use--the bad guys can sniff all they want, but it does them no good because the password that logs you in on Tuesday is different from the one you used Monday.
Chapter 3
Security
This chapter covers the basics of keeping your system secure. It takes a quick look at the primary defenses you need to protect yourself from unauthorized access through telephone lines (modems), as well as some aspects of network connections. In addition, it explains how to protect your user files and ensure password integrity.

This chapter doesn't bother with complex solutions that are difficult to implement because they require a considerable amount of knowledge and apply only to a specific configuration. Instead, it looks at basic security methods, most of which are downright simple and effective.
3.1 Improving Passwords:
The most commonly used method for breaking into a system either through a network, over a modem connection, or sitting in front of a terminal is through weak passwords. Weak (which means easily guessable) passwords are very common. When system users have such passwords, even the best security systems cannot protect against intrusion.

If you are managing a system that has several users, implement a policy requiring users to set their passwords at regular intervals (usually six to eight weeks is a good idea) and to use non-English words. The best passwords are combinations of letters and numbers that are not in the dictionary. Sometimes, though, having a policy against weak passwords isn't enough. You may want to consider forcing stronger password usage by using public domain or commercial software that checks potential passwords for susceptibility. These packages are often available in source code, so you can compile them for Linux without a problem.

What makes a strong password (one that is difficult to break)? Here are a few general guidelines that many system administrators adhere to:
• Avoid using any part of a user's real name and any name from the user's family or pets (these passwords are the easiest to guess).
• Avoid using important dates (birthdates, wedding day, and so on) in any variation.
• Avoid numbers or combinations of numbers and letters with special meaning (license plate number, telephone number, special dates, and so on).
• Avoid any place names or items that may be readily identified with a user (television characters, hobby, and so on).
• Avoid any word that could be in the dictionary (don't use real words).

Producing a strong password isn't that difficult. Get your users into the habit of mixing letters, numbers, and characters at random. Suppose a user wants to use lionking as a password. Encourage modification to lion!king!, l_ionk_ing, lion5king, or some similar variation. Even a slight variation in a password's normal pattern can make life very difficult for someone trying to guess the password.

Change the root password often and make it very difficult to guess. Once someone has the root password, your system is totally compromised.

Check the /etc/passwd file at regular intervals to see whether there are entries you don't recognize that may have been added as a route in to your system. Also make sure each account has a password. Remove any accounts that you don't need anymore.
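
The regular /etc/passwd review described above can be scripted. The following is an added example, not part of the original text; the function names, the allow-list of expected logins and the sample records are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a passwd(5)-format file for the checks described above.
# The allow-list and the sample records are constructed for illustration.

# audit_passwd FILE KNOWN_LOGINS
#   FILE          passwd(5) data, name:passwd:uid:gid:gecos:home:shell ("-" = stdin)
#   KNOWN_LOGINS  space-separated logins the administrator expects to exist
# Prints one finding per line as "<CODE> <login>":
#   MALFORMED  record does not have exactly seven fields
#   NOPASS     empty password field, so the login needs no password
#   UID0       account other than root that has the UID of root
#   UNKNOWN    login that is not on the allow-list
# A field of "x" (password kept in the shadow file) or "*" (login disabled)
# is not empty and is therefore not reported as NOPASS.
audit_passwd() {
    awk -F: -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*$/ || /^#/ { next }                 # skip blank and comment lines
        NF != 7 { print "MALFORMED", $1; next }
        $2 == "" { print "NOPASS", $1 }
        $3 ~ /^0+$/ && $1 != "root" { print "UID0", $1 }
        !($1 in ok) { print "UNKNOWN", $1 }
    ' "$1"
}

# Constructed sample: "guest" has no password, "toor" duplicates UID 0,
# and "toor" and "sysadm" are not on the allow-list used below.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
toor:x:0:0:spare root:/root:/bin/sh
uucp:*:10:14:uucp:/usr/spool/uucp:/bin/sh
sysadm:x:1002:1002::/home/sysadm:/bin/sh
EOF
}

sample_passwd | audit_passwd - "root alice guest uucp"
```

On a live system, pass /etc/passwd as FILE and keep the allow-list under change control so that a new entry shows up as UNKNOWN on the next run.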
3.2 Securing Your Files:
Security begins at the file permission level. Whether you want to protect a file from the prying eyes of an unauthorized invader or another user, carefully set your umask (file creation mask) to set your files for maximum security. You should have to make a conscious effort to share files.

Of course, this precaution is really only important if you have more than one user on the system or have to consider hiding information from others. If you are on a system with several users, consider forcing umask settings for everyone that set read-and-write permissions for the user only and give no permissions to anyone else. This procedure is as good as you can get with file security.

Consider encrypting really sensitive files (such as accounting or employee information) with a simple utility. Many such programs are available. Most require only a password to trigger the encryption or decryption process.
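
A umask only affects files created after it is set, so files that predate a stricter policy still need to be found and fixed. The following added example (not part of the original text; the function and file names are constructed) creates one file under a permissive mask and one under 077, then lists the files that are still open to group or other.

```sh
#!/bin/sh
# Added example: effect of the umask on new files, plus a check for files that
# are still open to group or other. Paths and file names are constructed.

# create_with_umask MASK PATH: create an empty file with MASK in effect.
# The subshell keeps the mask change from leaking into the caller.
create_with_umask() {
    ( umask "$1" && : > "$2" )
}

# open_to_others DIR: list regular files under DIR that grant any read, write
# or execute bit to group or other, i.e. files a umask of 077 would not produce.
open_to_others() {
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
                      -o -perm -004 -o -perm -002 -o -perm -001 \) -print |
        LC_ALL=C sort
}

# demo_umask: prints the one file that was created under the permissive mask.
demo_umask() {
    dir=$(mktemp -d) || return 1
    create_with_umask 022 "$dir/created-with-022"   # resulting mode 0644
    create_with_umask 077 "$dir/created-with-077"   # resulting mode 0600
    open_to_others "$dir" | sed "s|^$dir/||"
    rm -rf "$dir"
}

demo_umask
```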
3.3 Controlling Modem Access:
For most Linux users, protecting the system from access through an Internet gateway isn't important because few users have an Internet access machine directly connected to their Linux box. Instead, the main concern should be to protect yourself from break-in through the most accessible method open to system invaders: modems.

Modems are the most commonly used interface into every Linux system (unless you are running completely stand-alone or on a closed network). Modems are used for remote user access, as well as for network and Internet access. Securing your system's modem lines from intrusion is simple and effective enough to stop casual browsers.
3.4 Callback Modem Controlling:
The safest technique to prevent unauthorized access through modems is to employ a callback modem. A callback modem lets users connect to the system as usual, and then hangs up and consults a list of valid users and their telephone numbers and calls back the user to establish the call. Callback modems are quite expensive, so this solution is not practical for many systems. Callback modems have some problems, too, especially if users change locations frequently. Also, callback modems are vulnerable to abuse because of call-forwarding features of modern telephone switches.

The typical telephone modem can be a source of problems if it doesn't hang up the line properly after a user session has finished. Most often, this problem stems from the wiring of the modem or the configuration setup.

Wiring problems may sound trivial, but many systems with hand-wired modem cables don't properly control all the pins; the system can be left with a modem session not properly closed and a log-off not completed. Anyone calling that modem continues where the last user ended. To prevent this kind of problem, make sure the cables connecting the modem to the Linux machine are complete. Replace hand-wired cables that you are unsure of with properly constructed commercial ones. Also, watch the modem when a few sessions are completed to make sure the line hangs up properly.

Configuration problems can also prevent line hangups. Check the modem documentation to make sure your Linux script can hang up the telephone line when the connection is broken. This problem seldom occurs with the most commonly used modems, but off-brand modems that do not have true compatibility with a supported modem can cause problems. Again, watch the modem after a call to make sure that it is hanging up properly.

One way to prevent break-ins is to remove the modem from the circuit when it's not needed. Because unwanted intruders usually attempt to access systems through modems after normal business hours, you can control the serial ports the modems are connected to by using cron to change the status of the ports or disable the port completely after hours. If late-night access is required, one or two modem lines out of a pool can be kept active. Some larger systems keep a dedicated number for the after-hours modem line, usually different than the normal modem line numbers.

For a user to gain access to Linux through a modem line, the system must use the getty process. The getty process itself is spawned by the init process for each serial line. The getty program is responsible for getting usernames, setting communications parameters (baud rate and terminal mode, for example), and controlling time-outs. In Linux, the /etc/ttys file controls the serial and multiport board ports.

Some Linux systems allow a dialup password system to be implemented. This kind of system forces a user calling on a modem to enter a second password that validates access through the modem. If this feature is supported on your system, it is usually with a file called /etc/dialups. The Linux system uses the file /etc/dialups to supply a list of ports that offer dialup passwords; a second file (such as /etc/d_passwd) has the passwords for the modem lines. Access is determined by the type of shell used by the user. You can apply the same procedure to UUCP access.
3.5 UUCP:
The UUCP (Unix to Unix CoPy) program allows two Linux systems to send files and e-mail back and forth. Although this program was designed with good security in mind, it was designed many years ago and security requirements have changed a lot since then. A number of security problems have been found over the years with UUCP, many of which have been addressed with changes and patches to the system. Still, UUCP requires some system administration attention to ensure that it is working properly and securely.

UUCP has its own password entry in the system password file /etc/passwd. Remote systems dialing in using UUCP log in to the local system by supplying the uucp login name and password. If you don't put a password on the system for the UUCP login, anyone can access the system. One of the first things you should do is log in as root and issue the command
passwd uucp
to set a UUCP password. If you want remote systems to connect through UUCP, you have to supply them with your password, so make sure it is different than other passwords (as well as difficult to guess). The slight hassle of having to supply passwords to a remote system administrator is much better than having a wide-open system.

Alternatively, if you don't plan to use UUCP, remove the uucp user entirely from the /etc/passwd file or provide a strong password that can't be guessed (putting an asterisk as the first character of the password field in /etc/passwd effectively disables the login). Removing uucp from the /etc/passwd file doesn't affect anything else on the Linux system.

Set permissions to be as restrictive as possible in all UUCP directories (usually /usr/lib/uucp, /usr/spool/uucp, and /usr/spool/uucppublic). Permissions for these directories tend to be lax with most systems, so use chown, chmod, and chgrp to restrict access only to the uucp login. Set the group and username for all files to uucp as well. Check the file permissions regularly.

UUCP uses several files to control who is allowed in. These files (/usr/lib/uucp/Systems and /usr/lib/uucp/Permissions, for example) should be owned and accessible only by the uucp login. This setup prevents modification by an intruder with another login name.

The /usr/spool/uucppublic directory can be a common target for break-ins because it requires read and write access by all systems accessing it. To safeguard this directory, create two subdirectories: one for receiving files and another for sending. You can create more subdirectories for each system that is on the valid user list, if you want to go that far.

A neat trick to protect UUCP is to change the UUCP program login name so that random accessing to the uucp login doesn't work at all. The new name can be anything, and because valid remote systems must have a configuration file at both ends of the connection, you can easily let the remote system's administrator know the new name of the login. Then no one can use the uucp login for access.
3.6 LAN Access:
Most LANs are not thought of as a security problem, but they tend to be one of the easiest methods into a system. If any of the machines on the network has a weak access point, all the machines on the network can be accessed through that machine's network services. PCs and Macintoshes usually have little security, especially over call-in modems, so they can be used in a similar manner to access the network services. A basic rule about LANs is that it is impossible to have a secure machine on the same network as non-secure machines. Therefore, any solution for one machine must be implemented for all machines on the network.

The ideal LAN security system forces proper authentication of any connection, including the machine name and the username. A few software problems can contribute to authentication difficulties. The concept of a trusted host, which is implemented in Linux, allows a machine to connect without hassle assuming its name is in a file on the host (Linux) machine. A password isn't even required in most cases! All an intruder has to do is determine the name of a trusted host and then connect with that name. Carefully check the /etc/hosts.equiv, /etc/hosts, and .rhosts files for entries that may cause problems.

One network authentication solution that is now widely used is Kerberos, a method originally developed at MIT. Kerberos uses a very secure host that acts as an authentication server. Using encryption in the messages between machines to prevent intruders from examining headers, Kerberos authenticates all messages over the network.

Because of the nature of most networks, most Linux systems are vulnerable to a knowledgeable intruder. There are literally hundreds of known problems with utilities in the TCP/IP family. A good first step to securing a system is to disable the TCP/IP services you don't use at all, as others can use them to access your system.
3.7 Tracking Intruders:
Many intruders are curious about your system but don't want to do any damage. They may get on your system with some regularity, snoop around, play a few games, and then leave without changing anything. This activity makes it hard to know you are being broken into and leaves you at the intruder's mercy should he decide he wants to cause damage or use your system to springboard to another.

You can track users of your system quite easily by invoking auditing, a process that logs every time a user connects and disconnects from your system. Auditing can also tell you what the user does while on your system, although this type of audit slows the system down a little and creates large log files. Not all Linux versions support auditing, so consult your man pages and system documentation for more information.

If you do rely on auditing, scan the logs often. It may be worthwhile writing a quick summary script program that totals the amount of time each user is on the system so that you can watch for anomalies and numbers that don't mesh with your personal knowledge of the user's connect times. You can write a simple shell script to analyze the log in gawk. You can also use one of the audit reporting systems available in the public domain.
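
One way to write the connect-time summary described above, as an added example that is not part of the original text. It assumes the login records are in the layout printed by last(1); the function names, the sample lines and the 07:00-19:00 business-hours window are constructed, and the awk program uses only features that gawk and other POSIX awks share.

```sh
#!/bin/sh
# Added example: total connect time per user from last(1)-style output.
# Sample lines and the 07:00-19:00 business-hours window are constructed.

# connect_summary FILE [START_HOUR END_HOUR]     ("-" as FILE reads stdin)
# Prints "<login> <minutes> <sessions> <off_hours_logins>" sorted by login.
# Sessions without a closing "(HH:MM)" or "(D+HH:MM)" duration (for example
# "still logged in") and the reboot/shutdown pseudo-users are skipped.
connect_summary() {
    awk -v start="${2:-7}" -v end="${3:-19}" '
        NF == 0 || $1 == "reboot" || $1 == "shutdown" || $1 == "wtmp" { next }
        $NF !~ /^[(]([0-9]+[+])?[0-9]+:[0-9]+[)]$/ { next }
        {
            d = substr($NF, 2, length($NF) - 2)       # strip the parentheses
            days = 0
            plus = index(d, "+")                      # "D+HH:MM" for multi-day sessions
            if (plus) { days = substr(d, 1, plus - 1); d = substr(d, plus + 1) }
            split(d, hm, ":")
            total[$1] += days * 1440 + hm[1] * 60 + hm[2]
            count[$1]++
            for (i = 2; i < NF; i++)
                if ($i == "-") {                      # field before "-" is the login time
                    split($(i - 1), t, ":")
                    if (t[1] + 0 < start + 0 || t[1] + 0 >= end + 0) off[$1]++
                    break
                }
        }
        END { for (u in total) printf "%s %d %d %d\n", u, total[u], count[u], off[u] + 0 }
    ' "$1" | LC_ALL=C sort
}

# Constructed sample in last(1) layout (addresses are documentation ranges).
sample_last() {
    cat <<'EOF'
alice    pts/0        192.0.2.10       Mon Feb  6 09:02 - 17:31  (08:29)
bob      pts/1        192.0.2.11       Mon Feb  6 23:50 - 02:10  (02:20)
alice    pts/2        192.0.2.10       Tue Feb  7 08:55 - 12:00  (03:05)
carol    ttyS0                         Tue Feb  7 03:12 - 03:40  (00:28)
reboot   system boot  5.10.0           Sun Feb  5 08:00   still running
alice    pts/0        192.0.2.10       Wed Feb  8 09:00   still logged in
dave     pts/3        192.0.2.12       Wed Feb  1 10:00 - 11:30 (2+01:30)

wtmp begins Wed Feb  1 09:58:11 2017
EOF
}

sample_last | connect_summary -
```

The last column is the one to watch: a login that normally works days but shows sessions starting at 03:12 or 23:50 is the kind of number that does not match what you know about the user.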
Chapter 4
Automated Security Tools
Programmers have developed automated security tools (ASTs) to assess your system security. ASTs are sharp on both sides--if you don't use them to find insecurities, crackers may.

Many crackers work from checklists of known bugs, methodically trying each in turn until they find a way in or give up and move on to an easier target. ASTs automate this boring job and generate summary reports. If you close those holes, a checklist cracker may move on to less secure hosts, preferably ones you don't administer.

There are two problems with ASTs. First, you may gain a false sense of security when they cheerfully report "all's well." ASTs only report known insecurities, and new ones are discovered constantly. A second, related problem is that if crackers break in to your system, they may alter your AST to always report good news.

Despite these problems, you should run ASTs. They are good tools if you understand their limitations and especially if you can install them on and run them from read-only media. You can also use tools such as Tripwire to verify the integrity of your ASTs.
4.1 COPS:
COPS (Computer Oracle and Password System) was written by Dan Farmer of Sun Microsystems. COPS has been ported to many different versions of UNIX. Most of it is written in Bourne shell scripts and perl, so it's easy to understand and to modify if it doesn't do exactly what you want. COPS performs comprehensive checks for user- and system-level insecurities, checks whether you've patched programs with known insecurities, and includes an expert system that tries to determine whether your computer can be cracked. If you don't run any other AST, you should run COPS.
4.2 Kerberos:
Kerberos is a secure system for providing network authentication services. Authentication means:
• The identities of entities on the network are verified.
• Traffic on the network is from the source who claims to have sent it.

Kerberos uses passwords to verify the identity of users, and these passwords are always sent over the network in encrypted form.

Why Use Kerberos?
Most conventional network systems use password-based authentication schemes. When a user needs to authenticate to a service running on a network server, they type in their password for each service that requires authentication. Their password is sent over the network, and the server verifies their identity using the password.

Transmission of passwords in plaintext using this method, while commonly done, is a tremendous security risk. Any system cracker with access to the network and a packet analyzer (also known as a packet sniffer) can intercept any passwords sent this way.

The primary design goal of Kerberos is to ensure that passwords are never sent across a network unencrypted and are preferably never sent over the network at all. The proper use of Kerberos will eradicate the threat of packet sniffers intercepting passwords on your network.

The problem of maintaining security on hundreds of workstations installed in insecure, public sites led the Massachusetts Institute of Technology's (MIT's) Project Athena programmers to develop Kerberos.

Kerberos solves some (but not all) of the problems inherent in physically insecure networks and computers. Kerberos network servers verify both their own identity and that of their clients without sending unencrypted passwords over the LAN where they may be snooped, and can provide privacy via data encryption. Persons using Kerberos services can be fairly sure that they're talking to the real service, and Kerberos services can be equally sure that when Joe asks the mail server for his electronic mail, it's really Joe. Kerberos is free, and source code is available from the host athena-dist.mit.edu. The USENET newsgroup comp.protocols.kerberos is devoted to discussion of the Kerberos system.

A disadvantage of Kerberos is that each network client and server program must be Kerberized, that is, modified to call the Kerberos subroutines. Kerberized versions of standard applications such as telnet are supplied with Kerberos, and if you have source code for your applications, you can add calls to the Kerberos subroutines yourself. However, many third-party software vendors provide neither source code nor Kerberized versions of their software.

Kerberos has additional problems. Many Internet servers don't use it, and it does you no good to install a Kerberized telnet client if your users connect to remote hosts that run unKerberized telnet servers. Kerberos doesn't work with dumb (ASCII) terminals or most X-terminals, and on multiuser computers is only as strong as the superuser account because the superuser can find the secret keys. Kerberos also requires an otherwise-unused, secure host to maintain its database of principals and their secret keys.

Despite its limitations, Kerberos is useful in certain environments. For more information, ftp to the host rtfm.mit.edu and download the Kerberos FAQ (Frequently Asked Questions) document.
4.3 Firewalls:
Just as your car's firewall is designed to protect you from engine fires, a
network firewall protects an internal, hidden network from the rest of the Internet.
Firewalls are popular with sites that need heightened security, but are unpopular with
users.
The basic idea of a firewall is to establish a single, heavily guarded point
of entry to your local area network (LAN). The system administrator maintains a high
level of security on the firewall (or bastion host), which may also be surrounded by
filtering routers that automatically limit access to the firewall.
Firewalls (and the interior LANs they protect) can be made very secure,
but they limit access to Internet services. In many firewall implementations, users who
want access to the Internet must first log in to the firewall host. Firewall technology is
changing rapidly and many commercial products are now available.
4.4 PAM:
Programs that give privileges to users must properly authenticate (verify
the identity of) each user. When you log in to a system, you provide your username and
password, and the login process uses the username and password to authenticate the login
- to verify that you are who you say you are. Forms of authentication other than
passwords are possible, and the passwords can be stored in different ways.
Pluggable Authentication Modules (PAM) is a way of allowing the system
administrator to set an authentication policy without having to recompile authentication
programs. With PAM, you control how particular authentication modules are plugged into
a program by editing that program's PAM configuration file in /etc/pam.d.
Most Red Hat Linux users will never need to alter PAM configuration files
for any of their programs. When you use RPM to install programs that require
authentication, they automatically make the changes necessary to do normal password
authentication using PAM. However, if you need to customize your configuration, you
must understand the structure of a PAM configuration file.
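To make that structure concrete, here is an added example (not taken from the Red Hat documentation or from this report) that parses the rules of one /etc/pam.d file and flags two risky settings in the auth stack. It assumes the standard Linux-PAM rule layout of module type, control flag, module and optional arguments; the two sample files are constructed for the example, and the pam_permit check is a heuristic.

```python
"""Parse /etc/pam.d-style rules and flag two risky auth settings (added example)."""
from dataclasses import dataclass, field

TYPES = {"auth", "account", "password", "session"}


@dataclass
class Rule:
    lineno: int      # line on which the rule starts
    type: str        # auth | account | password | session
    control: str     # keyword (required, sufficient, ...) or "[value=action ...]"
    module: str      # module name or full path
    args: list = field(default_factory=list)


def parse_pam(text):
    """Turn the text of one service file into a list of Rule objects."""
    rules, pending, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = n
        if raw.endswith("\\"):              # backslash-newline continues a rule
            pending += raw[:-1] + " "
            continue
        line, pending = (pending + raw).split("#", 1)[0].strip(), ""
        if not line:                        # blank line or comment
            continue
        head = line.split(None, 1)
        mtype = head[0].lstrip("-").lower()  # leading '-' only silences logging
        rest = head[1] if len(head) > 1 else ""
        if mtype not in TYPES:
            raise ValueError(f"line {start}: unknown module type {head[0]!r}")
        if rest.startswith("["):            # bracketed control may contain spaces
            end = rest.find("]")
            if end < 0:
                raise ValueError(f"line {start}: unterminated '[' in control")
            control, rest = rest[:end + 1], rest[end + 1:]
        else:
            parts = rest.split(None, 1)
            control = parts[0] if parts else ""
            rest = parts[1] if len(parts) > 1 else ""
        fields = rest.split()
        if not control or not fields:
            raise ValueError(f"line {start}: expected 'type control module [args]'")
        rules.append(Rule(start, mtype, control.lower(), fields[0], fields[1:]))
    return rules


def audit(rules):
    """Return (lineno, message) findings for the auth stack."""
    findings, can_deny = [], False
    for r in rules:
        if r.type != "auth":
            continue
        name = r.module.rsplit("/", 1)[-1]
        if name == "pam_permit.so" and not can_deny:
            findings.append((r.lineno, "pam_permit.so is reached before any module "
                                       "that can deny: authentication always succeeds"))
        if "nullok" in r.args:
            findings.append((r.lineno, f"{name} nullok: accounts with an empty "
                                       "password are accepted"))
        if name != "pam_permit.so" and (
                r.control in ("required", "requisite") or r.control.startswith("[")):
            can_deny = True
    return findings


# Constructed sample: a weak service file ...
WEAK = """\
#%PAM-1.0
auth       sufficient   pam_permit.so
auth       required     /lib/security/pam_unix.so nullok \\
                        try_first_pass
account    required     pam_unix.so
-session   optional     pam_limits.so
"""

# ... and a corrected one, where pam_permit.so only follows a module that can deny.
HARDENED = """\
#%PAM-1.0
auth       [success=1 default=ignore]  pam_unix.so try_first_pass
auth       requisite    pam_deny.so
auth       required     pam_permit.so
account    required     pam_unix.so
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(parse_pam(text)))
```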
Advantages of PAM:-
When used correctly, PAM provides many advantages for a system administrator, such as
the following:
• A common authentication scheme that can be used with a wide variety of
applications.
• PAM can be implemented with various applications without having to recompile
the applications to specifically support PAM.
• Great flexibility and control over authentication for the administrator and
application developer.
• Application developers do not need to develop their program to use a particular
authentication scheme. Instead, they can focus purely on the details of their
program.
4.5 Security Related Packages:
To install the secure server, you will need to install three packages at minimum:
Apache
The apache package contains the httpd daemon and related utilities,
configuration files, icons, Apache modules, man pages and other files used by the
Apache Web server.
mod_ssl
The mod_ssl package includes the mod_ssl module, which provides strong
cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols.
Openssl
The openssl package contains the OpenSSL toolkit. The OpenSSL toolkit
implements the SSL and TLS protocols and also includes a general purpose
cryptography library.
Additionally, other software packages included with Red Hat Linux can provide certain
security functionalities (but are not required by the secure server to function):
Apache-devel
The apache-devel package contains the Apache include files, header files and
the APXS utility. You will need all of these if you intend to load any extra
modules, other than the modules provided with this product. for more information
on loading modules into your secure Web server using Apache's DSO
functionality.
If you do not intend to load other modules into your secure Web server, you do
not need to install this package.
Apache-manual
The apache-manual package contains the Apache Project's Apache 1.3 User's
Guide in HTML format.
OpenSSH packages
The OpenSSH packages provide the OpenSSH set of network connectivity tools
for logging in to and executing commands on a remote machine. OpenSSH tools
encrypt all traffic (including passwords), so you can avoid eavesdropping,
connection hijacking, and other attacks on the communications between your
machine and the remote machine.
The openssh package includes core files needed by both the OpenSSH client
programs and the OpenSSH server. The openssh package also contains scp, a
secure replacement for rcp (for copying files between machines) and ftp (for
transferring files between machines).
The openssh-askpass package supports the display of a dialog window which
prompts for a password during use of the OpenSSH agent with RSA
authentication.
The openssh-askpass-gnome package contains a GNOME GUI desktop
environment dialog window which is displayed when OpenSSH programs prompt
for a password. If you are running GNOME and using OpenSSH utilities, you
should install this package.
The openssh-server package contains the sshd secure shell daemon and related
files. The secure shell daemon is the server side of the OpenSSH suite, and must
be installed on your host if you want to allow SSH clients to connect to your host.
The openssh-clients package contains the client programs needed to make
encrypted connections to SSH servers, including the following: ssh, a secure
replacement for rsh; and slogin, a secure replacement for rlogin (for remote
login) and telnet (for communicating with another host via the TELNET
protocol).
Openssl-devel
The openssl-devel package contains the static libraries and the include file
needed to compile applications with support for various cryptographic algorithms
and protocols. You need to install this package only if you are developing
applications which include SSL support - you do not need this package to use
SSL.
Stunnel
The stunnel package provides the Stunnel SSL wrapper. Stunnel supports the
SSL encryption of TCP connections, so it can provide encryption for non-SSL
aware daemons and protocols (such as POP, IMAP and LDAP) without requiring
any changes to the daemon's code.
Table 4-1 displays the location of the secure server packages and additional security-
related packages within the package groups provided by Red Hat Linux. This table also
tells you whether each package is optional or not for the installation of a secure Web
server.
Table 4-1. Security Packages
Package Name            Located in Group                Optional?
apache                  System Environment/Daemons      no
mod_ssl                 System Environment/Daemons      no
openssl                 System Environment/Libraries    no
apache-devel            Development/Libraries           yes
apache-manual           Documentation                   yes
openssh                 Applications/Internet           yes
openssh-askpass         Applications/Internet           yes
openssh-askpass-gnome   Applications/Internet           yes
openssh-clients         Applications/Internet           yes
openssh-server          System Environment/Daemons      yes
openssl-devel           Development/Libraries           yes
stunnel                 Applications/Internet           yes
Chapter 5
Security Policies
The single most useful security technology is also the simplest. The right
policies and procedures can significantly increase the security of even the most vanilla
UNIX system. Security begins with analysis. Before you can protect your system in a
cost-effective way, you need to know what resources must be protected, their relative
value to you and your organization, and the areas in which they are most at risk. You also
need to evaluate what security protection is already in place.
For instance, if you administer a database server for a large corporation
and it is only connected to a corporate WAN over leased lines, protecting the integrity of
the data on the server will be a high priority. You will probably decide that the risk of
intrusion from outsiders is less of a threat, because there are no easy public gateways into
your network. However, there is a potential for inadvertent or malicious damage on the
part of otherwise authorized users throughout the company.
On the other hand, if you administer an Internet server, you are vulnerable
to network-oriented attacks from every cracker out there. Your own information and
resources are at risk, and so are the e-mail, Web files, and other resources for each of your
customers. Inadvertent damage will be easy to manage, because you are able to keep a
tight rein on the activities of legitimate users.
Policies and procedures must be well thought out and must be easily
enforceable if they are to improve your system's security. In most cases, you will need the
active support of management in implementing security measures. Unfortunately, many
managers don't have the hands-on experience to balance rigorous procedures against
users' needs. Management will need your best professional advice to craft policies and
procedures that are effective without being unreasonable, arbitrary, or awkward for users
to work within. You will also need management's help in publicizing the policies,
enforcing the procedures, and establishing an atmosphere of acceptance on the part of
users.
If you gain the support of management and users for your policies, your
life will be much easier and your system is far more likely to become and remain secure.
One way to gain support is to describe your approach in terms of cost versus benefit
tradeoffs. For instance, your policy should begin by identifying the degree to which this
system's resources and information are deemed critical to the company, difficult to
replace, proprietary or otherwise in need of strong security measures. The more valuable
the system, the more firm and comprehensive the security approach should be.
Management will commit money and time to protect assets that are clearly valuable to the
company and users will accept more stringent controls on such a system.
Security policies and procedures must also match the culture of your organization or user
community. For instance, if your system serves a classified military site, a public agency,
or the finance department of a buttoned-down corporation, you may choose an approach
that leaves the user no choice as to how he will accomplish various computing tasks. On
the other hand, if your system serves an academic or research community, your users will
demand a fair degree of autonomy and flexibility in their use of the system. In this case,
your security policy must ensure that an adequate degree of protection is in place, but
without otherwise constraining how people use the system.
5.1 Goals:
Your system exists to provide services and collect information on behalf of some set of
authorized users. The purpose of your security policy is to protect those resources against
deliberate or inadvertent misuse. There are at least six aspects of the system to consider:
• Availability. The system and at least the most important information it holds must
be available for use when the users need them.
• Utility. The system and the information it holds are intended to serve a purpose.
They must not only be available, but be available in such a way that that purpose
is met.
• Integrity. The system and the information it holds must remain intact and
accessible.
• Authenticity. There must be a way for the system to ensure that potential users are
allowed access to various resources. Similarly, users should be able to verify that
they are connected to the right system.
• Confidentiality. Some information may be deemed private or semi-private;
security mechanisms must allow such designations and control access to that
information appropriately.
• Possession. The owners of the system must be able to control its use and daily
operations. Because UNIX is a multi-user operating system, if the administrator
loses control of the system to a cracker, all users are affected.
Each security measure, and the overall security approach, should be evaluated against
these criteria. Not every security measure will address all six objectives, but taken
together, they must provide a comprehensive response to the security threat.
5.2 Physical Access to People:
Prevent potential crackers from watching the screen as receptionists enter
data, from gaining access to telephone lists and office layout diagrams, and from walking
through work areas. It's just too easy and natural for users to respond to pleasant queries
by showing an outsider how they log in, access information, or do their jobs.
5.3 Physical Security:
A second element of good system security is to control physical access to
your system and any networks attached to it. Begin by auditing your site. What prevents
unauthorized users from doing any of the following?
• Enter your facility
• Read manuals, logon instructions, configuration notes, or system dumps
• Copy or take away tapes, PCMCIA cards, removable disks, or diskettes
• Connect their own laptop to a network backbone
• Sit down at a workstation
• Approach the system console
• Read or take away printer output
• See or modify your telephone panels
• Tap into network transmissions over copper, fiber, infrared, or cellular media
Make sure your policy and procedures clearly address how these forms of system access
will be prevented. Then ensure that the policies and procedures are actually
Chapter 6
Case Study of SELinux
6.1 Overview:
SELinux is an operating system based on Linux which includes
Mandatory Access Control. In short, with SELinux you can define explicit rules about
what subjects (users, programs) can access which objects (files, devices). You could think
of it as an internal firewall, which gives you the ability to separate programs and thereby
ensure a high level of security within the operating system.
SELinux is designed to meet the NSA's stringent needs for a secure
operating system and is available as a module for all major Linux distributions. SELinux
is basically a patch to the Linux kernel to add security features and offers patches to
applications to allow them to determine the security domain in which to run processes.
The National Security Agency (NSA) and computing go way back. The
agency was founded in 1952 with the dual mission of protecting U.S. information
systems and producing foreign intelligence information. Since its inception, the NSA has
had the unenviable job of producing security standards that will keep all communications
of the federal government and military secure.
Given that the NSA has been one of the largest consumers of information
technology on the planet, their interest in and use of Linux did not come as a surprise to
anyone. However, when the development of an NSA-flavored version of Linux, known as
"Security Enhanced" (SE) Linux, was announced, it was something of a surprise. Some
were nervous, as the NSA and hackers have come to blows over encryption in the past.
However, after public examination of SE Linux, it became clear that the NSA had done
some pretty terrific work with the Linux kernel.
What Is SE Linux?
Security Enhanced Linux has the simple goal of managing access to
system resources through strong typing and domain control. In English, that means SE
Linux (as currently architected) runs a security server inside the kernel that determines
what system resources a process has access to. Using a flexible policy definition system,
SE Linux acts as an arbiter for all objects the kernel makes available to processes,
including files, other processes (for process control security), and memory.
SE Linux, which is available as a tarball from the SE Linux Web site, is
designed to be installed on top of an existing distribution. It is not a distribution in and of
itself. Originally designed for use with the 2.2.12 kernel, SE Linux as downloaded is
configured to work with Red Hat 6.1. Using it with other distributions will lead to some
policy errors. While we did not attempt to test SE Linux under Red Hat 7.0 or 7.1,
according to Pete Loscocco of the NSA (the project's leader), it works, but he doesn't
recommend using it with those distros.
Correctly configured, a system based upon an SE Linux kernel shouldn't
experience issues with users overstepping their bounds. Those familiar with computer
security can tell you that gaining control of a user account is the first step towards gaining
control of the entire system. With an SE Linux kernel, your system can restrict users into
domains with very specific access rights and permissions.
SE Linux's security policy is very configurable, allowing the system
administrator, or more properly, the security policy administrator, to create domains with
very specific abilities. For example, SE Linux can be configured so that it is impossible
for users coming in over the network to switch domains (thus, they can be restricted from
entering the system administrator domain).
Features of the SELinux:
SELinux prevents processes running on the system from the following:
• Reading unprivileged data and programs.
• Tampering with data and programs.
• Bypassing application security mechanisms.
• Executing untrustworthy programs.
• Interfering with other processes in violation of the system's security policy.
1. What is Security-enhanced Linux?
Security-enhanced Linux is a research prototype of the Linux® kernel and
a number of utilities with enhanced security functionality designed simply to demonstrate
the value of mandatory access controls to the Linux community and how such controls
could be added to Linux. The Security-enhanced Linux kernel contains new architectural
components originally developed to improve the security of the Flask operating system.
These architectural components provide general support for the enforcement of many
kinds of mandatory access control policies, including those based on the concepts of Type
Enforcement®, Role-based Access Control, and Multi-level Security.
2. What does Security-enhanced Linux give me that standard Linux can't?
The Security-enhanced Linux kernel enforces mandatory access control
policies that confine user programs and system servers to the minimum amount of
privilege they require to do their jobs. When confined in this way, the ability of these user
programs and system daemons to cause harm when compromised (via buffer overflows
or misconfigurations, for example) is reduced or eliminated. This confinement
mechanism operates independently of the traditional Linux access control mechanisms. It
has no concept of a "root" super-user, and does not share the well-known shortcomings of
the traditional Linux security mechanisms (such as a dependence on setuid/setgid
binaries).
The security of an unmodified Linux system depends on the correctness of
the kernel, all the privileged applications, and each of their configurations. A problem in
any one of these areas may allow the compromise of the entire system. In contrast, the
security of a modified system based on the Security-enhanced Linux kernel depends
primarily on the correctness of the kernel and its security policy configuration. While
problems with the correctness or configuration of applications may allow the limited
compromise of individual user programs and system daemons, they do not pose a threat
to the security of other user programs and system daemons or to the security of the
system as a whole.
3. What is it good for?
The Security-enhanced Linux's new features are designed to enforce the
separation of information based on confidentiality and integrity requirements. They are
designed for preventing processes from reading data and programs, tampering with data
and programs, bypassing application security mechanisms, executing untrustworthy
programs, or interfering with other processes in violation of the system security policy.
They also help to confine the potential damage that can be caused by malicious or flawed
programs. They should also be useful for enabling a single system to be used by users
with differing security authorizations to access multiple kinds of information with
differing security requirements without compromising those security requirements.
4. How compatible is Security-enhanced Linux with unmodified Linux?
Security-enhanced Linux provides binary compatibility with existing
Linux applications. It provides source compatibility with existing Linux kernel modules.
These two categories of compatibility are discussed in detail below:
A. Application compatibility
We provide binary compatibility with existing applications. We have
extended kernel data structures to include new security attributes, and we have added new
API calls for security-aware applications. However, we have not changed any data
structures visible to applications and we have not changed the interface of any existing
system call, so existing applications can run unchanged if the security policy authorizes
their operation.
B. Kernel module compatibility
We provide source compatibility with existing kernel modules. We have
not changed existing exported kernel function interfaces. However, the changes to kernel
data structures require recompilation of kernel modules in order for them to be used with
our kernel.
Security-enhanced Linux also provides a development support kernel
configuration option (CONFIG_SECURITY_SELINUX_DEVELOP) that allows the
system to be run in a permissive mode that audits but does not enforce the mandatory
access controls. We are using this mode while developing the mandatory access controls
and security policies in order to determine the permissions required for the system to
operate. When compiled with this option, the kernel is initially permissive, and it can be
toggled between being permissive and enforcing permissions at any time. New users of
Security-enhanced Linux will likely want to use this mode initially because their systems
may require some permissions that are not included in the example security policy
configuration, especially since the example configuration is not yet complete. For
"operational" use, the kernel should be built without this option.
Security-enhanced Linux should not introduce any interoperability
problems with ordinary Linux systems as long as all desired operations are authorized by
the security policy configuration.
5. What are the goals of the example security policy configuration?
At a high level the goals are to demonstrate the flexibility and security of
the mandatory access controls and to provide a simple working system with minimal
modifications to applications. At a lower level, the policy has a number of goals
described in the policy documentation. These goals include controlling raw access to
data, protecting the integrity of the kernel, system software, system configuration
information and system logs, confining the potential damage that can be caused through
the exploitation of a flaw in a process that requires privileges, protecting privileged
processes from executing malicious code, protecting the administrator role and domain
from being entered without user authentication, preventing ordinary user processes from
interfering with system processes or administrator processes, and protecting users and
administrators from the exploitation of flaws in their browser by malicious mobile code.
6. Why was Linux chosen as the base platform?
Linux was chosen as the platform for the work because of its growing
success and open development environment. Linux provides an excellent opportunity to
demonstrate that this functionality can be successful in a mainstream operating system
and, at the same time, contribute to the security of a widely used system. A Linux
platform also offers an excellent opportunity for this work to receive the widest possible
review and perhaps provide the foundation for additional security research by others.
7. Is it secure?
The notion of a secure system includes many attributes (e.g., physical
security, personnel security, etc.) and Security-enhanced Linux addresses only a very
narrow set of these attributes (i.e., mandatory access controls in the operating system).
Put another way, "secure system" means safe enough to protect some real world
information from some real world adversary that the information owner and/or user care
about. Security-enhanced Linux is only a research prototype that is intended to
demonstrate mandatory controls in a modern operating system like Linux and thus is very
unlikely to meet any interesting definition of secure system. We do believe that the
technology demonstrated in Security-enhanced Linux will be valuable to people that are
building secure systems.
8. How is it different from other efforts?
Security-enhanced Linux has a well-defined architecture for flexible
mandatory access controls that has been experimentally validated through several
prototype systems (DTMach, DTOS, and Flask). Detailed studies have been performed of
the ability of the architecture to support a wide variety of security policies and are
available under http://www.cs.utah.edu/flux/dtos/ and http://www.cs.utah.edu/flux/flask/.
The architecture provides fine-grained controls over many kernel
abstractions and services that are not controlled by other systems. Some of the distinctive
characteristics of the Security-enhanced Linux system are:
• Clean Separation of Policy from Enforcement
• Well-Defined Policy Interfaces
• Independent of Specific Policies and Policy Languages
• Independent of Specific Security Label Formats and Contents
• Individual Labels and Controls for Kernel Objects and Services
• Caching of Access Decisions for Efficiency
• Support for Policy Changes
• Controls over Process Initialization and Inheritance and Program Execution
• Controls over File Systems, Directories, Files, and Open File Descriptions
• Controls over Sockets, Messages, and Network Interfaces
• Controls over Use of "Capabilities"
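Three of the characteristics above (policy separated from enforcement, cached access decisions, support for policy changes) and the permissive development mode described under question 4 can be modelled in a few lines. This is an added teaching model, not NSA or kernel code: the class names, the type names such as httpd_t and named_zone_t, and the audit-line layout are assumptions made for the example.

```python
"""Toy model of a Flask-style access check: policy server plus decision cache."""


class SecurityServer:
    """Policy decision point: owns the rules, knows nothing about enforcement."""

    def __init__(self, allow_rules):
        self.seqno = 0
        self.load(allow_rules)

    def load(self, allow_rules):
        """(Re)load policy; the new seqno tells caches their entries are stale."""
        self.rules = {}
        for source, target, tclass, perms in allow_rules:
            self.rules.setdefault((source, target, tclass), set()).update(perms)
        self.seqno += 1

    def compute_av(self, source, target, tclass):
        """Return the allowed permissions; anything not listed is denied."""
        return frozenset(self.rules.get((source, target, tclass), ()))


class AccessVectorCache:
    """Enforcement point: caches decisions, audits denials, may run permissive."""

    def __init__(self, server, enforcing=True):
        self.server = server
        self.enforcing = enforcing
        self.seqno = server.seqno
        self.cache = {}
        self.misses = 0          # how often the security server had to be asked
        self.audit_log = []

    def has_perm(self, source, target, tclass, perm):
        # No uid is consulted anywhere: there is no "root" shortcut in this check.
        if self.seqno != self.server.seqno:      # policy changed: flush the cache
            self.cache.clear()
            self.seqno = self.server.seqno
        key = (source, target, tclass)
        if key not in self.cache:
            self.misses += 1
            self.cache[key] = self.server.compute_av(*key)
        if perm in self.cache[key]:
            return True
        self.audit_log.append(
            f"avc: denied {{ {perm} }} scontext={source} tcontext={target} "
            f"tclass={tclass} permissive={int(not self.enforcing)}")
        return not self.enforcing                # permissive: audit, then allow


# Constructed policy: a web server and a DNS server confined to their own data.
POLICY = [
    ("httpd_t", "httpd_content_t", "file", {"read"}),
    ("httpd_t", "httpd_log_t", "file", {"append"}),
    ("named_t", "named_zone_t", "file", {"read", "write"}),
]


def run_scenario():
    """Walk through enforcing, permissive and policy-reload behaviour."""
    server = SecurityServer(POLICY)
    avc = AccessVectorCache(server, enforcing=True)
    out = {}
    out["web_reads_content"] = avc.has_perm("httpd_t", "httpd_content_t", "file", "read")
    # A compromised web server process still cannot touch the DNS zone files.
    out["web_writes_zone"] = avc.has_perm("httpd_t", "named_zone_t", "file", "write")
    out["dns_writes_zone"] = avc.has_perm("named_t", "named_zone_t", "file", "write")
    out["cached_repeat"] = avc.has_perm("httpd_t", "httpd_content_t", "file", "read")
    out["misses_before_reload"] = avc.misses
    # Development mode: the same request is logged but no longer blocked.
    avc.enforcing = False
    out["permissive_web_writes_zone"] = avc.has_perm(
        "httpd_t", "named_zone_t", "file", "write")
    avc.enforcing = True
    # Policy change: the cache notices the new sequence number and re-asks.
    server.load(POLICY + [("httpd_t", "httpd_log_t", "file", {"read"})])
    out["web_reads_log_after_reload"] = avc.has_perm(
        "httpd_t", "httpd_log_t", "file", "read")
    out["misses_after_reload"] = avc.misses
    out["audit_lines"] = list(avc.audit_log)
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

The two audit lines collected in permissive and enforcing mode are the kind of record an administrator would review to decide whether a denied permission belongs in the policy.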
6.2 Advantages of SELinux over Standard Linux:
• What is SELinux good for?
"The Security-enhanced Linux's new features are designed to enforce the separation of
information based on confidentiality and integrity requirements. They are designed for
preventing processes from reading data and programs, tampering with data and programs,
bypassing application security mechanisms, executing untrustworthy programs, or
interfering with other processes in violation of the system security policy. They also help
to confine the potential damage that can be caused by malicious or flawed programs.
They should also be useful for enabling a single system to be used by users with differing
security authorizations to access multiple kinds of information with differing security
requirements without compromising those security requirements."
Personally, I think SELinux is best suited to small servers which are exposed to the
Internet, are under threat of being attacked, and therefore require a high level of security.
You wouldn't use SELinux to run a large application server on your internal network - the
work involved would exceed the benefits. But you would use SELinux to secure a web,
Email, or DNS server which is on the Internet - particularly if the server was running a
number of services. If the server is running only one service then there may be little
benefit from using SELinux. In an extreme case, a BIND based DNS server running on a
read-only CD-Rom (and a little RAM disk) would benefit very little from running
SELinux. On the other hand, if the system is running a number of services which need to
be isolated from each other then SELinux is ideal.
One of the issues here is that writing SELinux policies can be difficult for large, complex
servers. Most system administrators won't know the details of how their server works and
therefore will have difficulty in making changes to the security policy.
• Why should I run SELinux and not normal Linux?
Because SELinux gives you the ability to secure processes from each other within the
system. For example, if you have a web server on the Internet which is also serving Email
and DNS then you would not want a vulnerability in the web server process allowing the
attacker access to corrupt your DNS server. SELinux is one of the very few practical
operating systems available which can provide such a level of protection.