The Linux operating system was developed with a strong focus on security. Its open source nature allows administrators, auditors, developers and end users to review its vulnerabilities on a regular basis. As a result, Linux has emerged as one of the operating systems with the fewest security loopholes. Hontañón (2001) says that the ability of developers and end users to review its capabilities makes Linux the platform of choice in environments where security is just as important as high availability. The security options available in Linux include standard (“out-of-the-box”) security, AppArmor and SELinux.
The security methods implemented in the Linux operating system should provide flexible support for a wide range of security policies. The approach used should enable administrators to configure the system to meet a wide range of security requirements, and it should allow the policy to be modified and extended to suit any given installation of the Linux operating system or the applications that run on it.
2.0 Linux operating system security approaches
2.1 Standard (“out-of-the-box”) security
Standard security explores practical methods of protecting a Linux server network from Internet threats while still offering users an acceptable level of service and connectivity. Linux file system access control capabilities provide some quick techniques for auditing system files and directories to ensure they meet good security practice (Terpstra, Love & Reck, 2004). Linux distributions have evolved enough that “out of the box” implies a file system that is already configured with proper restrictions. This also implies that all configuration files, log files and programs are owned by the root user, and exceptions are made only where necessary. Terpstra, Love & Reck (2004) continue by saying that root ownership of a file or directory is more secure because it limits what other users of the system can access or modify, and the trick is to maintain that integrity while adding users, permitting users to add their own files and installing new applications.
Stanger & Lane (2001) say that Linux is capable of high-end security; however, the out-of-the-box configuration must be altered to meet the security needs of most businesses with an Internet presence. Brenton & Hunt (2002), on the other hand, say that many excellent security checklists exist for the various Linux-based systems. The current trend in “out-of-the-box security” requires vendors to release systems preconfigured to be more secure.
Brenton & Hunt (2002) continue by saying that the most important instruction concerning operating system security has to do with network connectivity. In out-of-the-box security one has to ensure that a system has as many security controls set as possible before connecting it to any type of network that might possibly be compromised (Brenton & Hunt, 2002). While installing and configuring the operating system, one has to keep in mind the basic principle of system security: enable only what one will use (Brenton & Hunt, 2002). This approach not only conserves critical resources but also helps one to avoid unwanted complexity.
In their studies, Eilert et al. (2003) say that total security is an unattainable ideal, but security as a goal must be continually revisited and refined. In standard security each platform comes with a degree of built-in security, and going beyond that means cost and effort. According to Terpstra, Love & Reck (2004), Linux creates uniform behavior, naming and expectations among diverse Linux distributions. The standard security of Linux that comes with the Fedora installation DVD dictates that only the user's home, /tmp, /var/tmp and /var/opt/package directories are expected to have write permissions, even if the package does not own the directory.
Under standard security, a package should not expect to have write privileges to any file not owned by the UID or GID of the user executing the process. This means that no files should be world-writable (Terpstra, Love & Reck, 2004). Standard security also means that a package should not expect to have read or execute access to all files on the operating system, and it should not expect other files to have SUID or SGID permissions. Terpstra, Love & Reck (2004) say that this means an installation package may install a SUID/SGID file, but it should not expect other files not installed by the package to have those permissions. These are good guidelines for creating a strong security policy for custom or modified applications that are to be deployed on the operating system (Terpstra, Love & Reck, 2004).
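As an added example (not a tool from Terpstra, Love & Reck or any other cited source), the POSIX shell functions below check a directory tree against the guidelines above: no world-writable files, SUID/SGID bits only where justified, and no world-writable directories without the sticky bit. The function names and the tree they are pointed at are constructed for this illustration.

```shell
#!/bin/sh
# Added example: audit a tree against the "out of the box" guidelines above.
# Constructed helper functions; not a tool from any of the cited books.

# Regular files that any user may write. Under the guidelines there should be
# none: the expected writable places (home, /tmp, /var/tmp, /var/opt/<package>)
# are directories, and even there individual files should not be world-writable.
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# Regular files carrying the SUID or SGID bit. A package may install such a
# file itself but must not rely on the bit being present on files it did not
# install, so every hit deserves a recorded justification.
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# World-writable directories without the sticky bit: anyone can rename or
# delete other users' files there. /tmp and /var/tmp are safe only because
# they carry the sticky bit (mode 1777).
unsticky_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Run all three checks on the tree given as $1, print any findings grouped by
# check, and return 1 if anything was found so a deployment script can stop.
audit_tree() {
    found=0
    for check in world_writable_files setid_files unsticky_world_writable_dirs; do
        hits=$("$check" "$1")
        if [ -n "$hits" ]; then
            printf '%s:\n%s\n' "$check" "$hits"
            found=1
        fi
    done
    return "$found"
}

# Typical use on a live system (complete results need root, since find must
# be able to read every directory):  audit_tree / || echo "review findings"
```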
According to Eilert et al. (2003), identification and authentication provide the first level of protection in the standard security of the Linux operating system when permitting entry to the machine. Users identify themselves and give some piece of information that authenticates who they are. Eilert et al. (2003) continue by saying that identification and authentication in general can be done by many different means, such as certificates, user IDs and passwords.
Standard security also uses authorization: once the machine knows who you are, it can decide what you are allowed to do (Eilert et al., 2003). Authorization means that a user ID and password combination gives users access to the files with which they are authorized to work. Using standard security, the file system provides the security service of allowing access to a file only when presented with the correct password.
In Linux, confidentiality is gained when a cryptographic algorithm is used to make data available only to a trusted group of users. This implies that data is transformed from clear text into cipher text using an encryption algorithm and a key. The data is unintelligible in cipher text form and can be decrypted only by using the correct algorithm and key. Linux uses RSA public-key cryptography as a method of ensuring confidentiality.
In Linux, data integrity can be validated through the use of a one-way cryptographic function. Eilert et al. (2003) say that a hash function is sometimes used by the owner of critical data to come up with a digest of the data.
Information should be accessible to authorized users at any time that it is needed. Availability is a guarantee that information can be obtained with an agreed-upon frequency and timeliness.
According to Thomas (2006), AppArmor is a Linux application security framework project steered by Novell that can be used to control exactly which resources a running program can access. It is a hugely powerful tool designed to be used on large server systems. Thomas (2006) explains that AppArmor works on the basis of application profiling: the profile contains details of exactly which system resources an application can access (p. 165). He continues by saying that once the profile is created, the application will not be able to access any application or system resource not listed within the profile (Thomas, 2006).
The degree of security offered by the AppArmor system has some limitations. AppArmor guards only software for which a profile is created; all other software has full run of the system, as with any Linux system (Thomas, 2006). Thomas (2006) says that “special attention should be given to each AppArmor profile to ensure that all contingencies of using the application are covered and if anything is missing from the profile the program might not function correctly” (p. 165). Another limitation is that using AppArmor requires considerable knowledge of how Linux operates, hence users need to know how Linux refers to the various resources on the system and what various low-level applications do.
On the other hand, AppArmor is designed as an alternative to SELinux (Petersen, 2009). Its security model is much less complicated but makes use of the same kernel support provided for SELinux. Petersen (2009) continues by saying that “AppArmor is a simple method for implementing MAC for specified Linux applications” (p. 274). AppArmor is used specifically to control network servers such as web, FTP, Samba and Common Unix Printing System (CUPS) servers.
AppArmor is much more limited in scope than SELinux, which tries to cover every object. Petersen (2009) thus says that instead of labeling each object, as SELinux does, AppArmor identifies an object by its pathname. AppArmor can apply either an enforce or a complain mode to a particular profile. Petersen (2009) indicated that “in the enforce mode a profile's restrictions are executed, denying access to processes or users not permitted to access the profiled application” (p. 274).
AppArmor provides several tools, including enforce, which according to Petersen (2009) instructs “AppArmor to enforce restrictions on a profile”, and complain, “which instructs AppArmor to only issue warning messages for a profile” (p. 274).
Petersen (2009) says that the audit tool turns on AppArmor message logging for an application that uses enforce mode.
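The following added example (not code from Thomas, Petersen or the AppArmor project) shows a constructed profile for a hypothetical daemon /usr/sbin/exampled in AppArmor's path-based syntax, together with shell helpers that read and rewrite the enforce/complain flag in the profile header. The daemon, its paths and the helper names are assumptions for this illustration.

```shell
#!/bin/sh
# Added example: a constructed AppArmor profile for a hypothetical daemon,
# plus helpers that inspect and rewrite the enforce/complain flag. The
# helpers mimic what aa-complain and aa-enforce do to the file on disk; they
# are not those tools and do not load anything into the kernel.

# Path-based rules: each file the program touches is named by pathname with
# r/w/x permissions, plus the capabilities and network access it needs.
# Anything not listed is denied in enforce mode (and only logged in complain
# mode), which is why a profile must cover every contingency of the program.
EXAMPLE_PROFILE='#include <tunables/global>
/usr/sbin/exampled flags=(complain) {
  #include <abstractions/base>
  capability net_bind_service,
  network inet stream,
  /etc/exampled/** r,
  /var/log/exampled.log w,
  /var/lib/exampled/** rw,
  deny /etc/shadow r,
}'

# Report "complain" if the profile header carries the complain flag,
# otherwise "enforce", which is the default when no flag is given.
profile_mode() {
    if printf '%s\n' "$1" | grep -q '^/[^ ]* .*flags=([^)]*complain'; then
        echo complain
    else
        echo enforce
    fi
}

# Rewrite the header line so the profile is in mode $2 ("complain" or
# "enforce"). Only the header starts with "/" and ends with "{", so the
# substitution cannot touch rule lines. Other flags are dropped for brevity.
set_profile_mode() {
    if [ "$2" = complain ]; then
        printf '%s\n' "$1" | sed -E 's#^(/[^ ]+)( flags=\([^)]*\))? \{$#\1 flags=(complain) {#'
    else
        printf '%s\n' "$1" | sed -E 's#^(/[^ ]+) flags=\([^)]*\) \{$#\1 {#'
    fi
}
```

A profile is normally developed in complain mode, the logged denials are folded into the rule list, and only then is the header switched to enforce.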
Petersen (2008) says that though numerous security tools exist for protecting specific services as well as user information and data, no tool has been available for protecting the entire system at the administrative level. As a result, Security-Enhanced Linux is a project to provide built-in administrative protection for aspects of the Linux operating system. Petersen (2008) continues by saying that “instead of relying on users to protect their files or on a specific network program to control access, security measures would be built into the basic file management system and the network access methods” (p. 227). Therefore all controls are managed directly by the administrator as part of Linux system administration.
Petersen (2008) established that Security-Enhanced Linux (SELinux) is a project developed and maintained by the National Security Agency (NSA), which uses Linux as its platform for implementing security as a standard feature of the distribution. Linux and Unix systems normally use a discretionary access control (DAC) method for restricting access. According to Petersen (2008), under this approach users and the objects they own, such as files, determine permissions. The weak point in the majority of Linux or Unix systems has been the user administrative accounts: if an attacker manages to gain access to an administrative account, they have complete control over the service the account manages.
It has been noted that access to the root user gives control over the entire system, all its users and any network services running (Petersen, 2008). To counter this weakness, the NSA through SELinux set up a mandatory access control (MAC) structure. This means that instead of an all-or-nothing set of privileges based on accounts, services and administrative tasks are compartmentalized and separately controlled, with policies detailing what can and cannot be done. Using SELinux, Petersen (2008) says, access is granted not just because one is an authenticated user, but when specific security criteria are met.
SELinux uses a combination of the Type Enforcement (TE), Role-Based Access Control (RBAC) and Multi-Level Security (MLS) security models (Petersen, 2008). This is why it is recommended as one of the strongest security measures available for Linux operating systems. Petersen (2008) established that Type Enforcement focuses on objects and processes like directories and applications, while Role-Based Access Control controls user access. He further says that in the type enforcement model the security attributes assigned to an object are known as either domains or types. Types are used for fixed objects such as files, and domains are used for processes such as running applications. SELinux makes use of the Role-Based Access Control model for user access.
Using the SELinux RBAC model, users are assigned roles for which permissions are defined. The role restricts what objects and processes a user can access. Petersen (2008) also says that the security context for a process includes a role attribute, controlling what objects it can access. The major difference between Linux standard security and SELinux is that in SELinux users are given separate SELinux identities, while in standard operating system security user IDs are set up during user creation. Also, Petersen (2008) indicated that although both security models may have the same identifiers, standard Linux identities can be easily changed with commands such as setuid and su, whereas changes to the Linux user ID will not affect the SELinux ID. Petersen (2008) therefore says that the major advantage of SELinux is that even if a user changes their ID, SELinux will still be able to track them, maintaining control over that user.
SELinux creates identities with controlled access (Petersen, 2005). SELinux can set up a separate corresponding identity for each user, though less secure policies, such as the targeted policy, use general identities. Authentication in SELinux is accomplished in such a way that a general user identity is used for all normal users, restricting them to user-level access, whereas administrators are given administrative identities (Petersen, 2008). Authentication in SELinux enables the operating system to effectively accomplish authorization because users are capable of accessing what they are supposed to access.
In SELinux, domains are used to identify and control processes. Petersen (2008) says that each process is assigned a domain within which it can run; hence a domain sets restrictions on what a process can do. Standard security, by contrast, gives a process a user ID to determine what it can do, and many processes must run with the root user ID to gain access to the full file system.
In addition, Petersen (2008) says that types in SELinux control objects like files and directories. Files and directories are grouped into types that control who can have access to them. Petersen (2008) also says that, unlike domains, types reference objects including files, devices and network interfaces. Petersen (2007) indicated that Security-Enhanced Linux provides a refined administrative approach for greater security control. User access to different parts of the operating system can be limited using roles and security contexts. This means that only qualified users can have access to certain objects like files and applications (Petersen, 2007). An SELinux policy can be either strict or targeted. A targeted policy applies restrictions to daemons like Internet servers, restricting access for users that access those servers.
SELinux has special audit features, whose messages are saved in the /var/log/audit/audit.log file. These, according to Petersen (2006), are important if you are using permissive mode to test a policy you want to enforce later and are checking the audit trails. SELinux audit messages tell what part of the policy denied access. According to Petersen (2006), the SELinux tools are all listed in the Administration menu and are part of the setools package.
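As an added example (not from Petersen or the SELinux project), the shell functions below read AVC denial records in the format written to /var/log/audit/audit.log and summarize them by source domain, target type, object class and denied permission, which is the information needed to decide whether a denial is a missing policy rule or a process doing something it should not. The sample records are constructed for this illustration.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials from audit.log records. The
# sample below is constructed; real records differ in pids, inodes and times.

# Two denials for a web server confined to httpd_t: one reading a file in a
# user's home directory, one writing a log. The SYSCALL record shows that
# unrelated audit lines must be skipped.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1700000000.100:201): avc:  denied  { read } for  pid=2387 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1700000000.200:202): avc:  denied  { write } for  pid=2387 comm="httpd" name="access.log" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1700000000.200:202): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"'

# Read audit records on stdin; for each AVC denial print one line:
#   <comm> <source domain> -> <target type> <class> <denied permissions>
# A security context is user:role:type:level, so the third field of scontext
# is the process domain and the third field of tcontext is the object type,
# which is exactly the pair a policy rule would have to allow.
avc_summary() {
    grep 'avc: *denied' | awk '{
        comm = ""; sdom = ""; ttype = ""; tclass = ""; perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            split($i, kv, "=")
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "scontext") { split(kv[2], s, ":"); sdom = s[3] }
            if (kv[1] == "tcontext") { split(kv[2], t, ":"); ttype = t[3] }
            if (kv[1] == "tclass") tclass = kv[2]
        }
        print comm, sdom, "->", ttype, tclass, perms
    }'
}

# Count denials per source domain, one "<domain> <count>" line each, sorted.
# Many denials for one domain in permissive mode usually mean the policy is
# still missing rules; the same pattern in enforcing mode means the process
# is being blocked from something it was never meant to do.
avc_by_domain() {
    avc_summary | awk '{ n[$2]++ } END { for (d in n) print d, n[d] }' | sort
}
```

On a live system, `avc_summary < /var/log/audit/audit.log` (run with enough privilege to read the log) gives the same summary for the real audit trail.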
The Fedora Documentation Project (2009) indicated that “fine grained access control and SELinux access decisions are based on all available information such as an SELinux user, role, type, and optionally, a level” (p. 17). SELinux policy is administratively defined, enforced system-wide, and not set at user discretion.
SELinux reduces vulnerability to privilege escalation attacks. The Fedora Documentation Project (2009) says this is because processes run in domains and are therefore separated from each other, and because SELinux policy rules define how processes access other processes and files. The Fedora Documentation Project (2009) continues by saying that if a process is compromised, the attacker only has access to the normal functions of that process and to the files the process has been configured to access.
SELinux can be used to enforce data confidentiality and integrity, as well as protecting processes from untrusted inputs (Fedora Documentation Project, 2009).
3.0 Difference between SELinux, AppArmor and Standard security
According to InfoWorld (19 Jun 2006), AppArmor and SELinux function in similar ways: they provide a system watchdog that is configured with known boundaries around individual applications and services, such as Apache and Samba, and works to prevent these applications from treading outside their known safe space. The magazine says that through these functions they greatly reduce the risk of individual application exploits interfering with the operating system at large (InfoWorld, 19 Jun 2006).
Both SELinux and AppArmor use the Linux Security Module interface, which provides the hooks necessary to handle application security at the kernel level. The biggest dissimilarity is in the management tools. InfoWorld (19 Jun 2006) says that SELinux is very complete but is hard to manage due to the limited front-end tools. The magazine notes that AppArmor comes with a YaST-integrated GUI to ease the administrative burden and provide reports on the behavior of the operating system and applications.
Research indicates that SELinux is a security mechanism in Linux that has been developed to support a wide range of security policies (Rao & Upadhyaya, 2009). Rao & Upadhyaya (2009) further say that “the architecture of SELinux separates policy decision making logic from the policy enforcement logic” (p. 339). SELinux policies include features such as type enforcement, role-based access control and multilevel security.
Rao & Upadhyaya (2009) say that SELinux policies are complex and intimidating to configure: SELinux has 29 different classes of objects, hundreds of possible operations and thousands of policy rules for a typical system. Rao & Upadhyaya (2009) continue by saying that the “SELinux policy interface is daunting even for security experts” (p. 341). It is also worth noting that although SELinux makes sense in a setting where the systems run similar applications and sophisticated security expertise is available, its applicability to a more general setting, where additional configuration by local system administrators is required, is unclear.
Compared to SELinux, AppArmor is an access control system that confines access permissions on a per-program basis. Rao & Upadhyaya (2009) say that, unlike SELinux, it tries to follow the least privilege principle in such a way that for every protected program AppArmor defines a list of permitted accesses, including file accesses and capabilities. A major weakness of AppArmor is that, unlike SELinux, it identifies only a number of programs that could be dangerous when compromised and confines them by a policy.
According to Rao & Upadhyaya (2009), “if a program has no policy associated with it then it is by default not confined, and if a program has a policy then it can access only the objects specified in the policy by AppArmor” (p. 342). This approach remains vulnerable to Trojan horse attacks.
Beale et al. (2007) say that AppArmor makes use of security policies called profiles, in which individual applications along with their associated privileges are defined. Also according to Beale et al. (2007), AppArmor provides a number of default profiles and claims to be easy enough to use that it can be configured and deployed for even very complex applications in a few hours. AppArmor also has a significant advantage over SELinux in that there is less system overhead (0-20%) as opposed to roughly 7% for SELinux, and ease of policy creation.
In contrast to AppArmor, Beale et al. (2007) say that “SELinux enforces information separation based on requirements such as integrity and confidentiality”. They add that “mandatory access control policies in SELinux are used to confine applications and system servers to the minimum privilege level required for performing their tasks” (p. 108).
Comparing the three security models found in the Linux operating system, one can establish that they are different although they are all geared towards providing better security for the Linux operating system. Standard (“out-of-the-box”) security comes with the Fedora installation DVD. It is set up during the installation of the operating system. It sets the general security features, although the model does not entail advanced security properties; its features include user access control and file security. In out-of-the-box security the system administrator must ensure that a system has as many security controls set as possible before allowing connections to other types of network that might possibly be compromised. Standard security is not a strong security feature for the Linux operating system and therefore can be easily compromised, unlike SELinux.
AppArmor is an application developed by Novell to enhance security in the Linux operating system. It provides security for applications running on Linux by creating profiles for each application. The level of security provided by AppArmor is higher than that provided by the standard “out-of-the-box” security. Studies show that the security features found in AppArmor have some limitations, because the approach is vulnerable to repudiation, meaning that it can be vulnerable to Trojan horse attacks. AppArmor has more advanced security features than the standard security normally configured during operating system installation.
SELinux is an advanced security approach implemented in the Linux operating system and is used for implementing security as a standard feature of the distribution. It is a better security approach in Linux than AppArmor and standard security. The advantage of this security approach over AppArmor and standard security is that users and the objects they own, such as files, determine permissions. Unlike the standard security configured during Linux installation, SELinux involves aspects of confidentiality, integrity, authentication, authorization, auditing and non-repudiation. All these features are available in SELinux and therefore make this security approach better than AppArmor and standard security.
The three security approaches that can be implemented in the Linux operating system provide some level of security to the system's resources. Linux system administrators should note that the higher the level of security provided by a particular approach, the greater the complexity. For example, AppArmor is known to provide a number of profiles and policies that are simple enough to use that it can be configured and deployed for even very complex applications in a few hours. Research also indicates that AppArmor has a significant advantage over SELinux in that there is less system overhead (0-20%) as opposed to roughly 7% for SELinux, and ease of policy creation. In a business environment it is advisable to apply SELinux because it provides better security features than standard and AppArmor security.