An Introduction Into Linux Security Modules

Background

Like normal kernel modules, security modules extend the basic functionality of the Linux kernel. The need for a modular structure came up when SELinux was being introduced. There was some discussion about whether to use modules at all, as SELinux was the only implementation available at the time. Some people proposed applying it as a kernel patch, but in the end Linux creator Linus Torvalds decided to make this type of functionality modular. The first security module was born.

How it works

Linux security modules rely on kernel hooks. These fixed pointers in the kernel interface allow an external component to influence the behavior of the kernel. The interesting part of these modules is that they are restrictive in nature: they can only lower the privileges a user or process already has. This is the opposite of tooling like sudo, where one actually acquires new privileges.

Common frameworks

SELinux is one of the best known Linux security modules available. This framework uses the approach named MAC, short for mandatory access control. MAC based systems use subjects and objects. Subjects are the “active” participants, like a user or process, while objects are the items to be accessed (e.g. a file). Together they form a policy, which decides who can do what (to which object).

AppArmor

Created by Immunix, AppArmor is a MAC based framework similar to SELinux. Immunix was acquired by Novell, which is why AppArmor is found on SUSE Linux. AppArmor has since been ported to other distributions, like Debian, Gentoo and Ubuntu.

A big difference between the two is the way files (objects) are identified. AppArmor monitors files by path, whereas SELinux does it by security labels.

Some benefits over SELinux:

  • Considered to be easier in administration
  • File system independent, which means no specific support within the file system is needed (security labels)

Disadvantages:

  • When creating a hardlink of a file, it may become accessible again (as the inode has changed)

[Screenshot: apparmor_status command output. AppArmor status on an Ubuntu system]

Module configuration

Most Linux security modules can be installed as a package. Depending on the distribution you are using, one may be installed by default. For example, SELinux is commonly found on Red Hat based systems, while AppArmor is available on SUSE Linux and Ubuntu.

Usually a Linux security module is configured with its own configuration files, while being enabled or disabled via a sysctl value. Others are so small that they can be tuned via sysctl alone. For example, YAMA restricts the ptrace capabilities of processes via a single sysctl key:

kernel.yama.ptrace_scope = 1
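As an added example that is not part of the original post, a small Python check that reads which modules the running kernel has stacked and whether YAMA restricts ptrace. It assumes securityfs is mounted, so the active module list is available in /sys/kernel/security/lsm, and takes the meaning of each ptrace_scope value from the kernel's Yama documentation; the Ubuntu-style sample list in the block is constructed.

```python
from pathlib import Path

# Paths exposed by mainline kernels (assumes securityfs is mounted).
LSM_LIST = Path("/sys/kernel/security/lsm")
PTRACE_SCOPE = Path("/proc/sys/kernel/yama/ptrace_scope")

# Meaning of each ptrace_scope value (Documentation/admin-guide/LSM/Yama.rst).
PTRACE_SCOPE_MEANING = {
    0: "classic: any process may attach to another with the same uid",
    1: "restricted: only descendants (or PR_SET_PTRACER targets) can be traced",
    2: "admin-only: attaching requires CAP_SYS_PTRACE",
    3: "no attach: ptrace attach disabled until reboot",
}

MAC_FRAMEWORKS = ("apparmor", "selinux", "smack", "tomoyo")

def parse_lsm_list(text):
    """Split the comma-separated LSM list, e.g. 'capability,yama,apparmor'."""
    return [name for name in text.strip().split(",") if name]

def audit_lsm(lsm_text, ptrace_scope_text):
    """Return findings for the given LSM list and ptrace_scope file contents.

    An empty list means a MAC framework is stacked and YAMA restricts ptrace.
    """
    active = parse_lsm_list(lsm_text)
    findings = []
    if not any(name in active for name in MAC_FRAMEWORKS):
        findings.append(f"no MAC framework active; stacked LSMs: {active}")
    if "yama" not in active:
        findings.append("yama not active: kernel.yama.ptrace_scope has no effect")
    else:
        # A missing or empty sysctl file is treated as the permissive default 0.
        scope = int(ptrace_scope_text.strip() or 0)
        if scope < 1:
            findings.append(f"kernel.yama.ptrace_scope = {scope}: {PTRACE_SCOPE_MEANING[0]}")
    return findings

def read_or_empty(path):
    """Read a sysfs/procfs file, returning '' when it is absent or unreadable."""
    try:
        return path.read_text()
    except OSError:
        return ""

if __name__ == "__main__":
    # Constructed sample: an Ubuntu-style stack with ptrace_scope left at 0.
    print(audit_lsm("lockdown,capability,landlock,yama,apparmor\n", "0\n"))
    # Live check of the running kernel; an empty list means no findings.
    print(audit_lsm(read_or_empty(LSM_LIST), read_or_empty(PTRACE_SCOPE)))
```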

Overview by Year

1998

AppArmor (then SubDomain), used in Immunix Linux

2007

Introduction of SMACK

AppArmor ported to Ubuntu Linux and AppArmor development taken over by Canonical.

2009

TOMOYO Linux

 

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have compliance requirements in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub).

