February 15, 2005

Securing Linux with Mandatory Access Controls

Author: Preston St. Pierre

Some in the security industry say that Linux is inherently insecure, that the way Linux enforces security decsions is fundamentally flawed, and the only way to change this is to redesign the kernel. Fortunately, there are a few projects aiming to solve this problem by providing a more robust security model for Linux by adding Mandatory Access Control (MAC) to the kernel.

The most well-known of these projects is Security Enhanced Linux (SELinux), which was developed by the U.S. National Security Agency (NSA). The Rule Set Based Access Control (RSBAC) project, the Linux Intrusion Detection System (LIDS), and grsecurity are other popular projects with the same goal. All of these projects are open-source and licensed under the GPL.

DAC vs. MAC

The security model used by most mainstream operating systems is based on Discretionary Access Control (DAC), which enforces security by ownership. If a user owns a file, he is allowed to set the read, write, and execute permissions for that file. In this model, users control the data at their discretion. The owner of the system does not have total control over the system; the users do.

However, the biggest concern with the Linux model is the danger presented by the root account. This super-user has the power to control all files and processes. If the root account, or a process that runs with its privileges, is compromised, an attacker can take control of the system and its data.

A more secure approach would limit or even eliminate the need for a root account, and shift the power from the user accounts to the owner of the system. This is MAC's approach.

MAC makes the enforcement of security policies mandatory instead of discretionary, as you might imagine from the name Mandatory Access Control. Security policies can be set by the system owner and implemented by a system or security administrator. Once these policies are in place, users cannot override them, even if they have root privileges. With MAC, file and process protection is independent of owners.

All of the above are requirements to meet the Department of Defense criteria for "trusted" operating systems. These criteria are laid out in the DOD publication "Trusted Computer System Evaluation Criteria," otherwise known as the Orange Book (due to the color of its cover). By one day gaining Orange Book B1-level certification, Linux can be more widely used in government.

Now let's take a brief look at some of the projects that add MAC to Linux.

SELinux

SELinux was originally a kernel patch developed by the NSA to add MAC to the Linux kernel. It has since been ported to a module that hooks into the Linux Security Module framework and is now included in 2.6 kernels. SELinux implements MAC through the use of Type Enforcement (TE), Role Based Access Controls (RBAC), and Multi-Level Security (MLS).

With TE, every object on the system is assigned a type. The security administrator then defines policies that indicate what access is allowed between pairs of types. TE allows for fine-grained permissions to be set on files and processes.

RBAC allows users to be assigned a set of roles that allow or restrict actions. With RBAC the security administrator can grant users some of the power of the root account without granting them total control over the system. A user could be assigned the role of Mail Administrator, for instance, and then be able to manage all aspects of the mail server without needing root access to the system.

MLS allows for classified information to be shared at different security clearance levels -- a requirement for government systems that contain classified data. For example, if data classified as "secret" is mixed with data that is classifed as "top secret," the resulting data needs to classified as top secret. This feature of SELinux is still considered experimental; it will be some time before it is in widespread use.

Rule Set Based Access Control

RSBAC is a kernel patch and set of administration tools that adds a number of security modules to the kernel. The security administrator can pick and choose which modules to use. Prepatched 2.4 and 2.6 series kernels are also available for download. RSBAC has been in development since 1996 and in production since 2000. In addition to MAC, RSBAC includes modules for:

  • Restricting the power of root
  • Access control lists
  • Process jails
  • Resource limitation
  • Limiting network access
  • Role-based access controls
  • Address space protection with PaX

Linux Intrusion Detection System

The Linux Intrusion Detection System is a kernel patch and set of administration tools that adds MAC as well as several other security enhancements to the standard Linux kernel. Patches are available for 2.4 and 2.6 series kernels. With LIDS it is possible to:

  • Restrict the power of root
  • Enable fine grained access control with ACLs
  • Protect files and processes
  • Restrict network access
  • Detect port scans

Sample ACLs are available for Apache, dnscache, IMAP, MySQL, OpenLDAP, OpenSSH, qmail, and TinyDNS.

grsecurity

Grsecurity is another patch that adds much more than MAC to the Linux kernel. MAC is implemented using RBACs and defined through the use of its gradm utility. Both the 2.4 and 2.6 series of kernels are supported. Grsecurity provides the following security enhancements:

  • An RBAC system that generates least-privilege policies with no configuration
  • Change root (chroot) hardening
  • /tmp race prevention
  • Extensive auditing
  • Address space protection with PaX
  • Additional randomness in the TCP/IP stack
  • Users are only allowed to view their own processes
  • Security alerts and audits that contain the IP address of the machine that caused the event

The Grsecurity Quick Start Guide is a good place to start reading about the project.

So many choices

With so many options, choosing which project to implement comes down to your administrators feel most comfortable with. SELinux has the backing of the NSA, but it also has the steepest learning curve and most technically dense documentation. Until production-ready distributions start shipping with predefined policies, it will be the hardest to implement. RSBAC has good documentation and allows you to administer it with menu-based tools, but learning about all the modules and deciding which ones to use will take some time. The LIDS documentation is both highly technical and written in broken English. However, RSBAC provides predefined ACLs for many common programs. Grsecurity wins hands-down when it comes to user-friendly documentation. Its quick start guide is an excellent resource that includes step-by-step instructions and screenshots.

When it comes to enhancing the security of the Linux kernel, different projects have different opinions on how to do it best. In the end, it is this broad exchange of ideas that benefits us all and leads to better, more secure software.

Click Here!