Our networks are not secured while we transferring the data or something. So we need more security. This paper explains about linux security issues with three tools which are SELinux, IPtables and Bro IDS. All the tools are contains the same technical issues (download, installation, configuration, etc.,) and architectural issues.SELinux (Security Enhanced Linux)
What is SELinux?
It is an MAC (Mandatory Access Control) implementation in Linux Kernel. SELinux can able to add capability to administratively describe policies on all subjects (processes) and objects (devices and files). The ACL (Access Control List) provides some additional securities for unauthorized persons expanded privileges.
The Security Enhanced Linux is also known as SELinux which developed on 22nd December 2000 by NSA (National Security Agency). This is used in many Linux distributions. In Linux kernel, since 2002, in Fedora, since Core 2 (2004), in RHEL, (RedHat Enterprises Linux) since version 4 (2005), in Debian, since Etch (2007) and in Ubuntu, since Hardy Heron 8.04 (2008).
SELinux is compiled into kernel, used to security policy, checks rules database on syscalls, allows or denies based on policies.
Prerequisites to SELinux:
- Strong working skills of Linux (especially Red hat Enterprise Linux)
- If we need to administrate the services, some experience and skills are necessary. Such as Red Hat Certified Engineer (RHCE) or Red Had Certified Technician (RHCT).
- Understanding traditional Linux/Unix
- Understanding basic functions and policies of linux system.
- Familiar with macro languages which is useful for understand the SELinux policy.
- Domains: All processes are running in domain.
- Roles: Roles refers which process or users access what process and what type(directories, files)
- Identity: These are applied to user accounts and it doesn't change, decides user roles what they can enter.
- Security Context: all object or process on a system that has the security context implemented to it. It has three fields which divided by colons identity:role:type or identity:role:type
Types: It contains files and directories are collectively derived from their fundamental security equality.
httpd_sys_content_t is placed in the /var/www directory etc_t is placed in the /etc directory
named_t refers named daemon, initrc_t refers init scripts and unconfined_t refers processes which are ambiguously confined within SELinux policy.
user_r refers users of an ordinary system, sysadm_r refers system administrators and system_r refers that all the process starts from the system_r role. To alteration for a new role command is #newrole -r sysadm_r
user_u refers basic un-privileged user identity and root refers special account.
system_u:system_r:httpd_t refers apache daemon and system_u:object_r:etc_t refers /etc/passwd directory.
The ACM (Access Control Mechanisms) can able to allow or deny particular resource's use by particular entity.
The DAC (Discretionary Access Control) refers unix groups, bits of permission to access the file system and owner who can manage access control to an object.
The MAC (Mandatory Access Control) is a core security policy of SELinux. In this security policy, users can't modify and the system administrator can allow the permissions.
It had distributed as binary and it compiled once but distributed many. The RHEL5 introduce policy modules for SELinux. There are two polices which are strict and targeted.
To enable SELinux, we should use a variable (SELINUX) in the /etc/sysconfig/selinux directory and we need to assign the setenforce to SELINUX variable during runtime.
To disable SELinux, we need to put this into permissive mode. it's not a best idea to disable SELinux.
SELinux in Action:
A hacker has permission to access the /var/www/cgi-bin/ directory through a danger or uncertified web application and cgi-bin script uploaded by them. Hacker can open the cgi-bin script in web browser and executing his vulnerable scripts through web application without SELinux. The hacker can able to do on a server or host with SELinux. (Cunningham, 2009)
Befits of SELinux:
- SELinux can able to confine services
- Debugging the application
- It provides good core access control.
- It examines the logs for report.
- The security server deployed by IBM.
IPtables:What is IPtables?
It's a user-space command line program that used to configure the linux 2.4.X and Linux 2.6.X Kernel's IPv4 packet filter. Iptables used by system administrators. It is a firewall script which written by shell script that is run when the system starts up as a script. It is located in /etc/init.d/. The directory path is depending on the linux distribution (such as /etc/rc2.d/). Whatever it maybe, the default path specified in the /etc/initab. If we want to write a script in shell, we need to create some variables which are used by the script while running.
After installing the software, additional modules are loaded into it. The module dependencies are updated to date. It is checked using /sbin/depmod. After loading the required modules the load ipt_owner module is loaded. Then the ip_conntrack_ftp and ip_conntrack_irc which is used by the matching filters are loaded.
Starting the Masquerading:
To start off, the rules are added in the POSTROUTING chain which will masquerade all packets going out of the interface connected to the internet. The next step is to add ACCEPT all packets traversing the forward chain. The last one we need to do that the log all the traffic that is dropping out of the border.
Displacement of placement to different chains:
I have taken considerable care on security more than the use of CPU. First i have allowed to all the TCP packets to traverse all the chains. The routing decision is taken first if its destined to the host, its sent as an input and if its destined to some other box its sent to the FORWARD If the localbox responds to the packet then it is sent to the OUTPUT.
Features of IPTables:
It list out the packet filter contents, it adds/removes/modifies rules in packet filter and also listing the packet filter rule counters. We can make firewalls based on state-full and stateless packet filter. From using the masquerading and NAT, we can share the internet access if we don't have enough IP address (public).
Bro2What is Bro?
Bro is a tool which is a Unix-based Network Intrusion Detection (IDS).
It monitors the network traffic, traffic content and characteristics. It finds intrusions by sending network traffic through describing rules that are considered as difficult. These rules might describes actions (some hosts are connecting to few services), which actions are worth alarming (attempts to given different systems or hosts constitutes as "scan"), or signatures (known attacks or vulnerabilities).
We can download Bro from the official site http://www.bro-ids.org/download.html. There is few Bro versions are available. We can download whatever we want (version). After the download, the file will be *.tar.gz file extension. So we need to extract that file using the following command
- Sending (E-mail): daily an internal report created by Bro that contains three set of information. Such as network traffic information, incident information and Bro operational status.
- Reading: it contains three parts. The first one, summary which consist of some statistics information, the second one, incident which consist of some information about process which performed by Bro system, the final one is scans which contains details (data and time) about host which attacked by someone.
(Paxon, et al., 2004)
This paper explained about the three linux security tools and an overview about the tools technical and architectural issues.
- Cunningham, R. (2009) An Introduction to SELinux. [Online] Available from: http://www.slideshare.net/renecunningham/introduction-to-selinux-presentation [Accessed 18th April 2010]
- Seeberg, E. V. (2005) BRO - an IDS. [Online] Available from: http://infosikring.dynalias.com/writings/Seeberg_IDS.pdf [Accessed 24th April 2010]
- Cressy, D. L. (2004) Iptables. [Online] Available from: http://22.214.171.124/dclin/linux/netfilter/iptables2.pdf [Accessed 20th April 2010]
- Paxson, V., Rothfuss, J. and Tierney, B. (2004) Bro Quick Start Guide. [Online] Available from: http://www.bro-ids.org/Bro-quick-start.pdf [Accessed 22nd April 2010]