LinuxQuestions.org > Blogs > zeebra
In regards to GNU/Linux security modules, tools and models - notes to self

Posted 10-10-2020 at 04:01 AM by zeebra
Updated 10-10-2020 at 06:11 AM by zeebra

Is GNU/Linux inherently an unsafe system, since so many different security modules, tools and models exist, or are these merely extensions that make it possible to harden a GNU/Linux system beyond comprehension: lock down everything, control everything, and see and log everything?
Some distros say that KISS (keep it simple, stupid) provides better security, and they might be right: it should minimize potential holes and errors and reduce the attack surface. Others include complex security systems like SELinux by default. So where does that leave me exactly?

To be frank, I'm not exactly sure. I'm running a system which comes with PAM, Polkit, iptables/Shorewall and related tools as part of the standard security installation. But I felt an urge to install TOMOYO in addition, which in turn arose from issues with deploying SELinux in this distro. But do I even need it? Perhaps.. But it would be nice to learn SELinux, just to have it done.. Anyway.. What is security these days?

I would say we can split it into many levels:
- Kernel security
- Kernel provided security

- "Init" security aka system security
- userland security tools

(-boot/init security as another topic)

Considering these often work together to form the security model, I think it is best to list only kernel, system and "userland" security concepts. So to start off, we can go for the kernel:
- Kernel tracing
- Kernel linux security modules
- Crypto
- Network
- Namespaces


So, not only can you monitor and log what is going on in your system, you can do the same with the kernel itself. You can add a security module. Most people use various features of crypto, network and namespaces. So, here is a list of things of interest:

Kernel tracing: tracers, ftrace, audit, (logging), (debug). Note that audit is its own subsystem (the kernel audit framework, with auditd as the userland consumer) rather than a tracer, even though both end up as a log of what the kernel did.
LSM: SELinux, Smack, TOMOYO and AppArmor are the major mandatory-access-control LSMs, of which only one is active at a time. Yama (ptrace restrictions) and the Lockdown LSM (the "kernel lockdown" feature, merged as an LSM in 5.4) are minor LSMs that stack on top of the major one. grsecurity is not an LSM at all but an out-of-tree hardening patch set.
Crypto: the kernel crypto API (ciphers, digests, RNG); the most commonly used consumer is dm-crypt, which is what LUKS volumes run on.
Network: netfilter is the in-kernel framework; iptables (backed by xtables) and nftables (backed by nf_tables) are two generations of front-end to it, not aliases for each other.
Namespaces: namespaces limit what a process can see (pids, mounts, network, users); cgroups are a separate mechanism that limits what a process can consume; seccomp filters which syscalls it may make. Linux containers are not a kernel feature as such but a combination of these three plus capabilities.
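As an added example (not the author's code, and not taken from any of the projects named above), the C program below does what a sandboxing tool or container runtime does with the last line of that list: it builds a seccomp-BPF syscall allowlist, installs it under NO_NEW_PRIVS, best-effort unshares user, network and mount namespaces, and then shows a forked child being allowed one syscall (getpid) and killed with SIGSYS for another (openat). Assumptions: x86_64 or aarch64 Linux with gcc/glibc; the four allowed syscalls and the /etc/passwd probe are chosen purely for illustration; whether the unshare succeeds depends on whether the distro permits unprivileged user namespaces.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Assumption: built for x86_64 or aarch64. The arch check is what stops a
 * foreign syscall table (e.g. i386 on an x86_64 kernel) from bypassing the list. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "define SANDBOX_ARCH for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS   /* older headers; value used by kernel 4.14+ */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#define ALLOW_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Allowlist (illustrative): anything not listed kills the process with SIGSYS. */
static struct sock_filter sandbox_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW_SYSCALL(SYS_getpid),
    ALLOW_SYSCALL(SYS_write),         /* so a sandboxed worker can still report */
    ALLOW_SYSCALL(SYS_exit_group),
    ALLOW_SYSCALL(SYS_rt_sigreturn),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};

size_t sandbox_filter_len(void) { return sizeof(sandbox_filter) / sizeof(sandbox_filter[0]); }

/* Best effort: new user, network and mount namespaces for the caller.
 * Returns 0 or errno (EPERM/EINVAL where unprivileged user namespaces are off). */
int enter_namespaces(void) {
    return unshare(CLONE_NEWUSER | CLONE_NEWNET | CLONE_NEWNS) == 0 ? 0 : errno;
}

/* NO_NEW_PRIVS lets an unprivileged process install a filter, and also means a
 * later execve of a setuid binary cannot regain what the filter took away. */
int install_seccomp(void) {
    struct sock_fprog prog = { .len = (unsigned short)sandbox_filter_len(), .filter = sandbox_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

/* Run fn in a forked child under the filter. Returns 0 if the child exited
 * normally, the signal number if it was killed, -1 on fork/wait failure,
 * -2 if the filter could not be installed. */
int run_sandboxed(void (*fn)(void)) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_seccomp() != 0) _exit(2);
        fn();
        syscall(SYS_exit_group, 0);   /* exit() would run atexit handlers: more syscalls */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return WEXITSTATUS(status) == 2 ? -2 : WEXITSTATUS(status);
}

/* Probes use raw syscall() so no libc wrapper substitutes a different syscall. */
void probe_allowed(void) { syscall(SYS_getpid); }
void probe_denied(void)  { syscall(SYS_openat, AT_FDCWD, "/etc/passwd", O_RDONLY); }

int main(void) {
    int ns = enter_namespaces();
    printf("namespaces: %s\n", ns == 0 ? "entered new user+net+mount namespaces" : strerror(ns));
    printf("getpid under filter -> %d (0 = exited normally)\n", run_sandboxed(probe_allowed));
    printf("openat under filter -> %d (SIGSYS is %d)\n", run_sandboxed(probe_denied), SIGSYS);
    return 0;
}
```

Build with `gcc -Wall -o sandbox sandbox.c` and run as an ordinary user. Two details are the ones worth remembering from the list above: the filter checks the architecture before the syscall number, because the syscall numbers of a different ABI mean something else entirely, and the kill happens in the kernel, so no amount of userland cleverness in the child gets past it; that is what makes seccomp a kernel-provided mechanism rather than a userland tool, even though Firejail and the container runtimes are the things that usually set it up.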

Worth mentioning are of course also virtual machines, KVM for example; they are relevant to security models too. The integrity subsystem (IMA/EVM) is also worth mentioning, as are the various memory-management security features (aka "hardening").


These are mainly things I'm noting down for myself to keep track of, and they should cover the main topics of interest in relation to the kernel itself, and also kernel-provided security. If you were to get involved in all possible security related to this, it would bog you down and take all your time. So "wise" compromises have to be made, in combination with system security.. Since we live in the days of a lot of distros running systemd, and systemd having taken over or integrated projects of this type, we can also perhaps call them "init" security, without referring to bootloader and init process security, which would be another topic (that I will not cover for myself at this point..)

SO, then we move on to init security/system security, much of which is provided by the kernel and supplemented by userland stuff and fluff, but let's try to ignore that for now and just list the main types of system security, and then examples of "userland" security at the very end:

Polkit, PAM, Cgroups, Iptables/firewall, containers, virtual machines, sandboxing(concept), logging.

The list is surely incomplete, but this is what I can remember off the top of my head as the most important ones.

Just some examples of userland security; yes, some might be implemented in the system, but I put them here nonetheless.. And there are thousands of userland security tools, so I'm just mentioning some examples to have that done as well:
- Signatures/hashing
- GnuPG
- nmap
- Firejail


Feel free to comment on important missing items.. This list is just a reminder to myself, a place to collect the names of these things..