Help answer threads with 0 replies.
Go Back > Blogs > zeebra
User Name


Rate this Entry

In regards to GNU/Linux security modules, tools and models - part 2 - some practical steps and experiences

Posted 11-08-2022 at 10:23 PM by zeebra
Updated 11-08-2022 at 10:24 PM by zeebra (broken link)

The main point here is to go into some topics of "easy", practical and doable steps in regards to security and to focus on that rather than better but more impractical options or things that you can do, but will end up not doing because it is too complicated, impractical or difficult. In a way this is a continuation of this:

LSM, MAC, Tomoyo, Audit - (Kernel provided security)
Probably the best way to secure your GNU/Linux system is to use a Linux Security Module for Mandatory Access Control and in my opinion the very best option for doing so is Tomoyo Linux.

You can use Tomoyo Linux without having to label your whole filesystem(s), which is a theoretical disadvantage over SELinux, but Tomoyo is compatible with SELinux, so you can add SELinux after if you want. One major advantage of Tomoyo is the KISS principle, which I as a Slackware user find highly "compatible" with Slackware ideas and my own ideas. Tomoyo is basically only dependent on the Kernel and ncurses, and can be controlled with a simple and easy (and nice) ncurses interface or through files and Tomoyo tools to manipulate those files to create/edit policies in relatively easy but practical ways.

All MAC tools are overwhelming in nature due to their fine grained control of the system, and none is more so than Xorg and desktop environments, so for these intents and purposes ditching Xorg for Wayland and a Desktop Environment for a simple Window Manager is the better option. But Tomoyo and its learning mode, combined with the practical and relatively simple ways to edit policies is a viable way to build a full system security policy. Just to give an example, I have a system where every part of the system is restricted with Tomoyo, from boot, to system and even Wayland/KDE, every single action and component of the system is enforced with Tomoyo Linux and can't do anything else than what I've allowed it to do. I've slapped a KVM/QEMU virtual machine on it to make it more practical for everyday use, but this virtual machine is also enforced by Tomoyo, and inside the virtual machine there is a more relaxed Tomoyo MAC policy. It's usable, but not really a practical system, but with Tomoyo, even a "layman" can secure and control a whole system.
The practical limitations of MAC have been described as ending with Xorg and whatever Desktop Environment, and with Xorg and DE policies, actions, calls and everything else will just grow exponentially and make policies so large that it would be a full time job just to manage it. I think this is why SELinux says there is no policy for Xorg, because it's not viable. And one of the main SELinux distros, Fedora/Redhat, is using "targeted" policies, meaning they target certain components and try to enforce those. And having tried and heard from experiences with Fedora/Redhat, even that is problematic, so much so that for many users the "first solution" to many things is to disable SELinux. Things like Xorg (and Wayland) and KDE seems to be nearly impossible to control/contain due to the scope of those components.

Using Bash with MAC and/or securing Bash with MAC is just impractical. Having experimented alot with this, you can secure Bash in general, but leave other Bash pathways to instances of Bash that can do a restricted set of things. You can also make a "secret" pathway to an instance of bash which is free to do everything. Generally this leaves you with a "default" bash which isn't allowed to do anything aside from creating instances of Bash that can do some things, and one of those instances could open the "secret" instance of bash which can be used as normal.

Another point worth mentioning is that Tomoyo comes with its own subset of the Kernel Audit mechanism, which is very useful in analyzing your system. It's worth mentioning Kernel Audit in general as something that is security related, and there are so many ways of auditing your system with Kernel Audit, but one of those are the LSM relevant auditing parts. Auditing beats logs, and part of securing your system should be to know what your system is doing, and there is no better way to do that than using auditing. Logs are good, but audit is even better.

Some practical steps you can do to test MAC (you could alternatively do these steps with SELinux)
1. Just install Tomoyo Linux and get it up and running
2. Use the analyze features of Tomoyo
3. Enforce a policy for a single program
4. Don't enforce any policies, but play around with (and edit) some policies

Anyhow, MAC is THE main way to secure you system, that's why it exists and the purpose of it. There are many other ways to improve your system security, but they are generally futile if you intend not to use MAC. That's why the 1st order of security really is MAC and there is no workaround for it. And in my opinion, the best "workaround" for that is to use Tomoyo as your primary LSM. At/as the very start you can use Tomoyo to analyze your system. Getting started with Tomoyo is VERY easy, provided you can deal with the Kernel and know your basic command line stuff and it helps to have a decent idea how your system works. That actually brings us to the issue of Kernel Security of which LSM is a part (Kernel provided security). But before that, here is an article on Slackware documentation for how to get started with Tomoyo: (it generally applies to all distroes)

Kernel security
In regards to the Kernel:
- Keep it up to date
- Hardening
- Booting
- Minimize it
- Mitigation

It's hard to talk about any security without mentioning the Kernel itself, and also booting it, and even validating it. If you're booting into a "fake" Kernel, then what is the point of talking about any other security measures at all? All security flies out the window if that is the case. Even just booting the "wrong" Kernel, it can disable things like LSM or other security which is provided by the Kernel. At the very least you need to know the boot chain and be confident that it's working as it should. I've not really gotten far into the finer details of this topic myself, but it's highly important and can't go without a mention here either. There are many theoretical and practical ways to deal with this topic, but for now we'll leave it at that.

So many security features of GNU/Linux systems are implemented in the Kernel and provided by the Kernel, so it's difficult to even talk about them without mentioning the Kernel itself, but let's try to split them into Kernel security and those that are more or less implemented in/by userland features. It's probably best to think about things like crypto, network and namespaces as more type of userland security features, although in practice they work in the same way as LSM, but they are all Kernel provided security(/)features, while things like booting is more relevant to Kernel security, but a category of its own.

Keeping your Kernel up to date is not imperative, but in the context of security - important. Many of the Kernel hardening features and mitigations were not previously available, and Kernel updates comes with patches to known security issues. Those may or may not be relevant to you, but if you can, you should keep your Kernel up to date to make sure you don't have unpatched known security issues. In regards to security, you should keep your Kernel up to date. It will also give you access to new security features.

Minimize your Kernel if you can. Having a custom Kernel and removing Kernel drivers and features you don't need will reduce the amount of potential bugs that comes with your Kernel (and modules) and so will improve the security situation. In regards to this, it is potentially possible for someone to load a buggy Kernel module on your machine and exploit it too. But in general it's better for a module to be a module than to be built into the Kernel, unless it will and needs to be loaded anyways (for sure) on boot. That way a potentially bugged module might just be an unloaded module instead of loaded. So, it's more secure to run an optimized and minimal Kernel than to run a default generic one with a bunch of drivers and features you don't need. Doing so reduces the attack surface and bug potential.

Kernel Mitigation and hardening in many cases overlapse each other, but the general difference is that mitigations are issues that can't be solved with the Kernel itself, things like hardware issues, among others the famous Intel (and AMD) issues from things like "speculative execution" and various "threading" techniques implemented at the CPU level. The Kernel release mitigations to these kind of issues when possible, and some of those are released as hardening features (mostly memory) and others as mitigation implemented with CPU microcode. It's a big topic, but if you care about security you should generally implement as many of those microcode mitigations as you can. But, beware, due to the nature of these issues, mitigations come at a performance cost. Here is a short overview about how to do it on Slackware docs: (generally applies to all distroes)

Kernel hardening
Kernel hardening and hardening in general is a huge topic, so I'm not going to go into much detail here, but most hardening options are found in the Kernel configuration sections "general setup", "processor types and features" and "security options". But quite frankly, the best way to get to know these is when you configure your Kernels and get used to seeing these kind of features, so that's my personal recommendation of how you get to know them. You can study what each of them do to your hearts content. Furthermore, there is alot of documentation online about hardening features in the Kernel. There is alot of good indepth technical details and news about Kernel security on this page:
I mention that page, because often when I have looked for details about specific hardening modules or such, I've found the answers on articles on that page.

Do familiarize yourself with the Kernel
Being able to customize your Kernel and deal with the boot features to run custom Kernels (and stock Kernels) is tremendously helpful in so many situations. At the same time you customize a Kernel and minimize it, you get familiar with content and features in the Kernel, among others the hardening features. It does take alot of reading and alot of time, but it actually is a very enjoyable process, so brew yourself a pot of coffee (or tea) or whatever else you prefer and just sit down and take the time to do it. And don't forget to get the microcode loading up and running either, as it's the only way to mitigate some of the major processor security issues. This process really is part of your necessary steps to properly learning GNU/Linux.

Userland security tools
- Network: Iptables
- Crypto: Encryption
- Namespaces: Cgroups, containers
- Virtualization
- Sandbox
- Polkit, PAM

All these are massive topics, and I'm not going to cover them much right now. However, there are a few interesting things of note. Many of these abovelisted things seem to want to solve some "inherent" issues with GNU/Linux, perceived or actual, and some just want to make things easier by technically bypassing "normal" security. Pwnkit is a good example. Containers and such tech have become massively popular in recent years, and for good reason. It seems programs/software is "no longer" necessarily "safe by default" and dividing fine grained control over resources to programs and tasks is a good thing. All these things are much better understood by others than by me. But in the context of security it is interesting to look into.

Virtualization, containers and sandboxes
All these is a kind of collective thing, or a group of things. They certainly can be and are relevant to security and in a security context. As I mentioned earlier I found it for good to completely lock down one of my systems and run a less locked down system on top of that through an unprivileged QEMU/KVM virtual machine. Many people already run programs such as Firefox through sandboxing solutions like Firejail. One of my main personal issues have been with Firefox and its "problematic" resource consumption and potential security issues. This was the reason I put it in a Virtual Machine in the first place. Using the biggest hammer to solve that issue after running many experiments of how to solve those issues; the solution is not great, but it works, but the hammer is much bigger than I would like. Obviously the desire, perception and demand for these kind of things is huge, and something that ideally should be resolved in the "GNU/Linux way". I'm sure Docker is great and all, but do you really want to add that much uncontrolled complexity to your system? These things need more KISS and more "do one thing and do it well" kind of solutions. And such solutions already exist, and are on their way. Seccomp has already been a thing for a long time, and is one of the enablers of these kind of projects and functions and programs and such, and yes, it's a good thing. Then there is the relatively new Landlock, also a kind of sandboxing feature implemented at the Kernel level. Anyways, problems perceived or actual.

For me, LSM is just a far more clearcut and easier way to handle some of those same things quite frankly, but a virtual machine is not exactly an efficient way to solve the issues of lack of clearcut and crisp ways of implementing namespaces and sandboxes. LXC seems more clearcut, but wants things like Cgroups2, which seems to only(??) be implemented in the gigantic software suite SystemD for some reason. Hopefully these kind of tendencies towards huge uncontrollable software suits will not continue, and there will be more KISS and "do one thing and do it well" kind of thinking in the future. Software suits in themselves are a security issue due to their scale, complexity and all the functions added.

Don't need to add much about this. Alot of people already use encryption in various ways, although end-to-end encryption in daily communication online seems to be a bit of an issue still. But, many people seem to encrypt their data, which is generally a good thing (unless there is some disk corruption and you need to recover the data). Anyhow, my personal opinion is that private data is encrypted, that way if your computer is lost or stolen, whomever then ends up with your computer will not have access to your personal data. That pretty much covers it. That's just my opinion, and it's not necessarily right.

Network security is a massive topic, and I'm not going to delve into it much. But with a minimal effort and just a few IPtable rules, you can substantially decrease potential network access to your computer. It's well worth having a look into and doing. Network security ofcourse is a broad and complex topic, but even just small steps can make a big difference. IPtables in itself is complex and somewhat difficult to learn, but take it in steps. Just learning the basics is not that difficult and very much doable.

I guess that pretty much covers it for now. There are alot of other topics to go into, and each of many of these deserve going further into on their own. Perhaps another time will be good to cover some other topics, or go more into depth about some of the topics above. And well, there are other obvious topics that I've come to think about that I didn't even mention. Like turning off and reducing numbers of running daemons or services. But that might well be a better topic to discuss alongside securing the boot process and init and such things. So, to sum it up for now, things that you should be doing that are very doable:

1. Use Mandatory Access Control! (but not apparmor)
2. Keep your Kernel up to date, customize it, minimize it and use the hardening and mitigation features
3. Start using IPtables and/or similar things
4. Use encryption
5. Familiarize yourself with virtualization, containers and sandboxing and start using some of the simple solutions (or advanced if you can ofcourse)

There is no single solution to security, and many of the topics mentioned above are huge in and of themselves, and there are many other topics like these as well. Obviously security that you use need to fit what your abilities and time you have available for it, but don't be afraid to learn new things! Just the basic "smaller" security precautions that alot of people do or have habits of doing are also useful (even without MAC), but security can also be fun, and exploring new avenues can be an enjoyable and useful experience.
Views 103 Comments 0
« Prev     Main     Next »
Total Comments 0




All times are GMT -5. The time now is 08:39 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration