How to smack IT intruders with MACs

Hardening operating systems for security often requires interesting sleights of technology, if not of hand. Security-Enhanced Linux (SELinux) uses a more powerful and refined notion of access control, called mandatory access control (MAC), to help lock itself down against unauthorized access and use. With a few tricks up your sleeve, you can use this technique to get almost magical security protection.

Standard Linux distributions implement a basic file permission model called Discretionary Access Control (DAC). In this model, specific users own resources and files but they may delegate primitive access rights to other users throughout the system. Therefore, decisions regarding access to files and resources under this model rely on user identity and ownership.

If an application is subject to problems or mistakes with implementation or configuration, it may sometimes allow unauthorized users to assume the owner's credentials. Not only does this compromise the application itself, but it can even affect other processes or personnel depending on the owner's permissions to other files and resources. The worst-case scenario occurs when an application with root or administrator privileges is compromised and creates a massive single point of failure or vulnerability.

Using the MAC paradigm, fine-grained control over all user- and process-based interactions can be enforced. Granular, role-based access control is the key from an administrative standpoint, and is defined by objects, subjects and attributes. Each attribute of a given object detailed in a policy defines precisely who (personnel or processes) may access what (applications and data) and exactly how they may do so (create, modify or remove).

By leveraging extended MAC-based attributes for a given process, the scope of application activity can be safely narrowed to allow only the functionality it requires to operate, and no more. This effectively creates a logical divide between a known resource and the rest of the operating system by enforcing the principle of least privilege. Instead of one massive single point of failure, the system has multiple small, isolated points of failure or compromise.

At one time, SELinux kernel extensions were a pet project of the National Security Agency's Information Assurance initiative. They have now found their way into mainstream Linux distributions including Fedora Core and Debian. SELinux has two modes of operation: permissive mode (for debugging policies) and enforcing mode. There are any number of ways to determine its presence on a system (if you don't already know), one of which is the presence of a directory titled "selinux" at the root path. SELinux behavior is influenced by Boolean flags, which are set by writing 1 or 0 to the corresponding file under /selinux/booleans, as follows:

    [root@host]# /bin/echo 1 > /selinux/booleans/docked
    [root@host]# /bin/echo 0 > /selinux/booleans/audit_on

Newly defined values must be explicitly committed to take effect:

    [root@host]# /bin/echo 1 > /selinux/commit_pending_bools

Security attributes of ping, as listed by getfattr:

    [root@host]# /usr/sbin/getfattr -dm "^security" /bin/ping
    security.evm.hash="\\1\265Ad6a4d94fb694cffd2847acf40dbc6485"
    security.evm.hmac=0s8ZT9309FkQBag7HkqqieSeuya3s=
    security.evm.packager="\\1\265
    security.evm.version="\\1\265A20020927(rel16)"
    security.selinux="system_u:object_r:bin_t\000"
    security.slim.level="SYSTEM"

The native network diagnostic utility ping helps illustrate the need for better MAC-based mechanisms. Ping requires raw socket access (the basic ability to craft packets beyond what the kernel network code normally allows), which in turn requires super-user privileges. However, ping is a diagnostic utility useful to more than the super-user, so delegating raw socket access to ping while limiting the scope of its other capabilities is critical. Using traditional DAC-based controls, this is not entirely possible. Only where MAC is properly implemented can fine-grained access to all system resources be fully exercised.
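As an added example (not code from the original tip), here is a small Python parser for getfattr output like the listing above. It decodes each value's encoding (quoted text with escapes, 0s base64, 0x hex) and splits the security.selinux label into its user, role, type and optional level fields, so a defender can verify that a binary such as ping still carries the label the policy expects. The sample input is constructed from the lines shown above, with the truncated packager line left out.

```python
import base64
import re

# Constructed sample: the getfattr -dm "^security" output quoted in the tip
# (truncated "packager" line left out). getfattr escapes text values as
# \\ (backslash), \" (quote) and \ooo (octal byte); 0s... is base64, 0x... hex.
SAMPLE = r'''# file: bin/ping
security.evm.hash="\\1\265Ad6a4d94fb694cffd2847acf40dbc6485"
security.evm.hmac=0s8ZT9309FkQBag7HkqqieSeuya3s=
security.evm.version="\\1\265A20020927(rel16)"
security.selinux="system_u:object_r:bin_t\000"
security.slim.level="SYSTEM"
'''

_ESC = re.compile(rb'\\(\\|"|[0-7]{3})')
def _unescape(text):
    """Undo getfattr's text escaping, returning the raw attribute bytes."""
    def repl(m):
        tok = m.group(1)
        return tok if tok in (b"\\", b'"') else bytes([int(tok, 8)])
    return _ESC.sub(repl, text.encode("ascii"))

def decode_value(value):
    """Decode one getfattr value in any of its three encodings."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return _unescape(value[1:-1])
    if value.startswith("0s"):
        return base64.b64decode(value[2:])
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    raise ValueError("unrecognised getfattr encoding: %r" % value)

def parse_getfattr(output):
    """Map attribute names to decoded bytes; '# file:' headers are skipped."""
    attrs = {}
    for line in map(str.strip, output.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed getfattr line: %r" % line)
        attrs[key] = decode_value(value)
    return attrs

def selinux_context(attrs):
    """Split the NUL-terminated security.selinux label into (user, role, type, level)."""
    parts = attrs["security.selinux"].rstrip(b"\0").decode("ascii").split(":", 3)
    if len(parts) < 3:
        raise ValueError("context must look like user:role:type[:level]")
    return parts[0], parts[1], parts[2], (parts[3] if len(parts) == 4 else None)
```

Comparing the returned type against the one the policy assigns to the file is the check; a different type means the file was relabelled or the policy changed.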

The key concept in this architecture comes from understanding what makes sense for the target application to be able to do. Only those things that are necessary should be permitted, and everything else should be denied. By establishing security levels, creating secure hash keys and host-based mandatory access controls and controlling the underlying binary code package, you can properly scope and secure applications. This also prevents anyone from tampering with their contents or security attributes.


About the authors: Ed Tittel is a full-time freelance writer and trainer based in Austin, Texas, who specializes in markup languages, information security and IT certifications. Justin Korelc, a long-time Linux hacker who works with Ed, concentrates on hardware and software security topics. Together, the two have recently authored a book on Home Theater PCs and Tom's Hardware 2005 Holiday Buyer's Guide.

This was first published in December 2005
