- POSIX ACLs or Access Control Lists
- LSMs or Linux Security Modules
- A new CryptoAPI including integration of IPSec and encrypted file systems into the kernel
- Enhancements to netfilter
Let's look at each of these features and what they offer.
The first, and in my opinion the most significant, enhancement in the 2.6 kernel is the addition of POSIX ACLs, or Access Control Lists. So what are ACLs? Most traditional Unix-based or Unix-like systems have a file security and permissions model based on read, write and execute permissions for the owning user, the owning group and everyone else. Some Unix-like systems also use additional mode bits (the setuid, setgid and sticky bits) to perform various functions. This permissions model is fairly limited and lacks the flexibility and power to truly ensure real file security on your hosts. This is certainly true when you compare Unix-based file security with Microsoft Windows systems, where permissions and controls are both powerful and flexible (if usually more poorly implemented by system administrators than on Unix systems).
Access Control Lists significantly enhance this model by providing much more granular access control to your files and objects, similar to what Microsoft Windows systems offer. In many cases this allows the introduction of Role Based Access Control (RBAC), and thus the ability to ensure that only those users and groups that require access to specific files and resources get that access.
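To make the ACL model concrete, here is an added example (not code from the original article) that parses an ACL in the text format getfacl(1) prints and evaluates access the way the acl(5) manual describes: owner entry first, then a named user entry, then any matching group entries, then the "other" entry, with the mask entry limiting every entry except owner and other. The file name, users, groups and permissions in SAMPLE_ACL are constructed for the example. The point a practitioner should take from it is the mask caveat: a named user granted rw- still ends up with r-- when the mask is r--, which is exactly what getfacl's "#effective:" annotation warns about.

```python
"""Evaluate POSIX ACL access as described in acl(5) (added example, not the article's code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample in getfacl(1) output format; names and permissions are invented.
SAMPLE_ACL = """\
# file: report.txt
# owner: alice
# group: staff
user::rw-
user:bob:rw-
group::r--
group:audit:r-x
mask::r--
other::---
"""


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: str                                   # user:: entry (file owner)
    users: Dict[str, str] = field(default_factory=dict)   # user:<name>: entries
    group_obj: str = "---"                          # group:: entry (owning group)
    groups: Dict[str, str] = field(default_factory=dict)  # group:<name>: entries
    mask: Optional[str] = None                      # mask:: entry, if present
    other: str = "---"                              # other:: entry


def parse_getfacl(text: str) -> Acl:
    """Parse getfacl-style text; '#effective:' annotations are ignored."""
    acl = Acl(owner="", group="", user_obj="---")
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                     # header: '# owner: alice' etc.
            key, _, value = line[1:].strip().partition(":")
            if key == "owner":
                acl.owner = value.strip()
            elif key == "group":
                acl.group = value.strip()
            continue
        line = line.split("#", 1)[0].strip()        # drop trailing '#effective:r--'
        tag, qualifier, perms = line.split(":")
        if tag == "user":
            if qualifier:
                acl.users[qualifier] = perms
            else:
                acl.user_obj = perms
        elif tag == "group":
            if qualifier:
                acl.groups[qualifier] = perms
            else:
                acl.group_obj = perms
        elif tag == "mask":
            acl.mask = perms
        elif tag == "other":
            acl.other = perms
        else:
            raise ValueError(f"unknown ACL tag: {tag}")
    return acl


def _perm_set(perms: str) -> Set[str]:
    return {c for c in perms if c in "rwx"}


def _masked(perms: str, mask: Optional[str]) -> Set[str]:
    """Apply the mask entry; named users and all group entries are subject to it."""
    p = _perm_set(perms)
    return p if mask is None else p & _perm_set(mask)


def _render(p: Set[str]) -> str:
    return "".join(c if c in p else "-" for c in "rwx")


def check_access(acl: Acl, user: str, groups: Set[str], want: str) -> bool:
    """True if `user` (a member of `groups`) is granted every permission in `want`."""
    wanted = _perm_set(want)
    if user == acl.owner:                           # 1. owner entry, never masked
        return wanted <= _perm_set(acl.user_obj)
    if user in acl.users:                           # 2. named user entry, masked
        return wanted <= _masked(acl.users[user], acl.mask)
    candidates = []                                 # 3. owning group + named groups
    if acl.group in groups:
        candidates.append(acl.group_obj)
    candidates += [p for g, p in acl.groups.items() if g in groups]
    if candidates:
        # access is granted if any one matching group entry grants everything asked for
        return any(wanted <= _masked(p, acl.mask) for p in candidates)
    return wanted <= _perm_set(acl.other)           # 4. fall through to 'other'


def effective(acl: Acl) -> Dict[str, str]:
    """Effective permission of each entry after masking, like getfacl's '#effective:'."""
    out = {"user::": acl.user_obj, "other::": acl.other}
    out["group::"] = _render(_masked(acl.group_obj, acl.mask))
    for name, perms in acl.users.items():
        out[f"user:{name}"] = _render(_masked(perms, acl.mask))
    for name, perms in acl.groups.items():
        out[f"group:{name}"] = _render(_masked(perms, acl.mask))
    return out


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_ACL)
    for entry, perms in effective(acl).items():
        print(f"{entry:14} effective {perms}")
    print("bob may write:", check_access(acl, "bob", {"staff"}, "w"))
```

Run it and note that bob, despite his user:bob:rw- entry, cannot write because mask::r-- strips the w bit; on a real system a chmod on the group bits rewrites the mask and silently changes these effective rights, so after any chmod on an ACL-bearing file re-check with getfacl.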
Linux Security Modules
In addition to ACLs, the 2.6 kernel has new functionality called LSM, or Linux Security Modules. This is a standardized framework that allows the kernel to check access requests and calls against an external security mechanism. The best known of these external security mechanisms is SELinux, an NSA-developed mechanism for mandatory access control. Crudely speaking (very crudely), SELinux is a large-scale, highly customisable chroot jail for any applications and tools that you wish to secure with it.
Other modules also exist, including LIDS (Linux Intrusion Detection System) and the LSM port of Openwall. I am sure that as this functionality beds down, additional modules will be developed, including modules that draw on the ACL functionality I discussed previously.
The new CryptoAPI offers two major enhancements to the Linux kernel. The first is the much-welcomed addition of native support for IPSec. IPSec is a set of network encryption and authentication protocols designed to secure traffic at the IP layer. It operates at a lower level than SSL/TLS, provides network-layer encryption and authentication, and is commonly used in VPN tunnels.
Previously, IPSec was provided by add-ons like FreeS/WAN. Many of these add-ons had licensing issues, were unstable and were often hard to integrate with all hardware configurations. The move and complete rewrite of this functionality into the 2.6 kernel represents a significant enhancement of the capabilities available to your Linux hosts, especially in an enterprise or distributed environment where you may use IPSec tunnels to secure traffic between critical applications, to the Internet or between sites.
The next enhancement is the availability of the dm-crypt module in the kernel. This is a much cleaner and more fully featured block device encryption tool that allows you to encrypt file systems on your Linux host. Personally, I find it much more efficient and easier to use than the previously available cryptoloop file systems.
Lastly, the CryptoAPI presents a solid base for further cryptographic enhancements to the Linux kernel (barring legal impediments) that could significantly extend the capabilities available in this area.
Additionally, a number of enhancements have been added to the Netfilter module (which provides iptables firewalling) in the 2.6 kernel. The most obvious is the ability for Netfilter to see bridged packets on your host. If you have an interest in iptables firewalling, I recommend subscribing to the netfilter and netfilter-devel lists to read about further 2.6-based enhancements.
This was first published in September 2005