| Tutorial details | |
|---|---|
| Difficulty | Intermediate (rss) |
| Root privileges | No |
| Requirements | None |
SELinux is an acronym for Security-enhanced Linux. It is a security feature of the Linux kernel. It is designed to protect the server against misconfigurations and/or compromised daemons. It put limits and instructs server daemons or programs what files they can access and what actions they can take by defining a security policy.
DAC: Traditional Unix / Linux security mechanism
DAC is an acronym for Discretionary Access Control (DAC). It is the standard mechanism for Linux, *BSD, Apple OSX, and Unix like operating system security. Under DAC, each processes run under a user and group. For example, httpd process run with an associated user and a group called apache. httpd process has access to all files and directories that the apache can access. If httpd process got cracked it can create a number of security problems. Hacked httpd process can access, modify and destroy all files that belong to the apache user. It may access temporary directories (/tmp/ or /var/tmp) and world readable files. The /tmp or /var/tmp or any other legitimate directories such as caching directories can be used to install backdoor and take full control of your Linux system. Ownership of a file provides risky control. A cgi or php script with an unexpected access right can do anything it wants to the files owned by the apache user. It can perform any operations on files in the apache group. An attacker can use this misocofigured cgi/php script or broken apache server to gain root level access. This will give superuser access on a Linux based system. Once rooted an attacker can steal your private data or gain access other parts of your internal network (LAN).
Fig.01: Linux or Unix Server With DAC Security Model
MAC: Security mechanism via SELinux
MAC is an acronym for Mandatory Access Control (MAC). SELinux is an implementation of a MAC security mechanism. It is built into the Linux kernel and enabled by default on Fedora, CentOS, RHEL and a few other Linux distributions. SELinux allows server admin to define various permissions for all process. It defines how all processes can interact with other parts of the server such as:
- Pipes
- Files
- Network ports
- Sockets
- Directories
- Other process
SELinux puts restrictions on each of the above object according to a policy. For example, an apache user with full permission can only access /var/www/html directory, but can not touch other parts of the system such as /etc directory without policy modification. If an attacker managed to gain access to sendmail mail or bind dns or apache web server, would only have access to exploited server and the files normally has access as defined in the policy for the server. An attacker can not access the other parts of the system or internal LAN. In other words, damage can be now restricted to the particular server and files. The cracker will not able to get a shell on your server via common daemons such as Apache / BIND / Sendmail as SELinux offers the following security features:
- Protect users' data from unauthorized access.
- Protect other daemons or programs from unauthorized access.
- Protect network ports / sockets / files from unauthorized access.
- Protect server against exploits.
- Avoid privilege escalation and much more.
Please note that SELinux is not a silver bullet for protecting the server. You must follow other security practices such as
- Implementing firewalls policy.
- Server monitoring.
- Patching the system on time.
- Writing and securing cgi/php/python/perl scripts.
You should follow me on twitter here or grab rss feed to keep track of new changes.
Featured Articles:
- 30 Handy Bash Shell Aliases For Linux / Unix / Mac OS X
- Top 30 Nmap Command Examples For Sys/Network Admins
- 25 PHP Security Best Practices For Sys Admins
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- Top 20 OpenSSH Server Best Security Practices
- Top 20 Nginx WebServer Best Security Practices
- 20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors
- 15 Greatest Open Source Terminal Applications Of 2012
- My 10 UNIX Command Line Mistakes
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- The Novice Guide To Buying A Linux Laptop
{ 1 comment… read it below or add one }
The problem with SELinux is that while there is documentation that shows HOW to create policies, I have yet to see anything published that shows how to determine WHAT policies you need to A) make sure you don’t break any of your applications, while B) still getting some level of protection. We don’t write our own applications so we don’t “just know” what sort of access each application requires.