Ask the Expert

2.6 security tools and commands: Making them work

What security tools and commands are built into 2.6? Can you describe some good ways to use them?

    Requires Free Membership to View

The 2.6 version of the Linux kernel contains a number of enhanced security features over the 2.4 kernel release. It has also included a number of bugs and security holes. If you are migrating to a 2.6 kernel ensure you have a version that is recent. There are quite a few major security features introduced by the 2.6 kernel. The major features are:
  • Posix ACLs or Access Control Lists
  • LSMs or Linux Security Modules
  • A new CryptoAPI including integration of IPSec and encrypted file systems into the kernel
  • Enhancements to netfilter

Let's look at each of these features and what they offer.

Posix ACLs

The first, and in my opinion, most significant enhancement in the 2.6 kernel is the addition of Posix ACLs or Access Control Lists. So what are ACLs? Well most traditional Unix-based or Unix-like systems have a file security and permissions model based around read, write, and execute permissions for everyone, groups and users. Some Unix-like systems also use sticky bits to perform various functions such as setuid or setgid. This permissions model is fairly limited and lacks the flexibility and power to truly ensure real file security on your hosts. This is certainly true when you compare Unix-based file security with Microsoft Windows systems where permissions and controls are both powerful and flexible (if usually more poorly implemented by system's administrators than on Unix systems).

Access Control Lists provide a significant enhancement to this model and provide much more granular access control to your files and objects in a similar way that Microsoft Windows systems offer. This can allow in many cases the introduction of Role Based Access Controls (RBAC) and thus the ability to ensure only those users and groups that require access to specific files and resources get that access.

Linux Security Modules

In addition to ACLs, the 2.6 kernel has some new functionality called LSM or Linux Security Modules. This is a standardized framework that allows the kernel to check access requests and calls against an external security mechanism. The most commonly known of these external security mechanisms is SELinux which is an NSA-developed security mechanism for mandatory access control. Crudely speaking (very crudely), SELinux is a large-scale, highly customisable chroot jail for any applications and tools that you wish to secure with it.

Other modules also exist including the LIDS (Linux Intrusion Detection System) and the LSM Openwall port. I am sure as this functionality is bedded down that additional modules will be developed, including modules that draw on the ACL functionality I previously discussed.

CryptoAPI

The new CryptoAPI offers two major enhancements to the Linux kernel. The first is the much welcome addition of native support for IPSec. IPSec is a set of network encryption and authentication protocols designed to secure network traffic at the IP layer. It operates at a lower level to SSL/TLS and provides network-layer encryption and authentication and is commonly used in VPN tunnels.

Previously IPSec was provided by the addition of add-ons like FreeS/WAN. Many of these add-ons had license issues, were unstable and often hard to integrate with all hardware configurations. The movement and complete re-write of this functionality into the 2.6 kernel represents a significant enhancement of the capabilities available to your Linux hosts –- especially in an enterprise or distributed environment where you may use IPSec tunnels to secure traffic between critical applications, the Internet or between sites.

The next enhancement is the availability of dm-crypt modules in the kernel. This is a much cleaner and more fully featured block device encryption tool that allows you to encrypt file systems on your Linux host. Personally, I find it is much more efficient and easier to use than the previously available CryptoLoop file systems.

Lastly, the CryptoAPI presents a solid base for further cryptographic (barring legal impediments) enhancement to the Linux kernel that could see significant enhancements in the available capabilities in this area.

Netfilter enhancements

Additionally in the 2.6 kernel, a number of enhancements have been added to the Netfilter module (which provides iptables firewalling). The most obvious enhancement is the ability for Netfilter to see bridged packets on your host. If you have an interest in iptables firewalling I recommend subscribing to the netfilter and netfilter-devel lists to read about further 2.6-based enhancements.

This was first published in September 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: