Free Essay

Security Enhanced Linux (Selinux), Chroot Jail, and Iptables

In: Computers and Technology

Submitted By msnake
Words 848
Pages 4
Three of the most important types of Linux security technologies are Security Enhanced Linux (SELinux), chroot jail, and iptables. These security measures aide in the subversion of theft and malicious activity. We will discuss these items in depth to address who created them and for what reason. Along with how these technologies changed the operating system to enforce security, and the types of threats that these security systems are design to eliminate. Security Enhanced Linux was released in December of 2000 from the National Security Agency (NSA), under the GNU general public license. SELinux is not a Linux distribution; it is a set of kernel modifications and tools that can be added to a variety of Linux distributions. SELinux is currently a part of Fedora Core, and it is supported by Red Hat. Incarnations of SELinux packages are also available for Debian, SuSe, and Gentoo. Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible Mandatory Access Control (MAC).
MAC provides an enhanced process to enforce the separation of information based on confidentiality and integrity requirements, as well as the confinement of damage that can be caused by malicious or flawed applications. The previous security structure, discretionary access control (DAC), allowed threats of tampering and avoidance of security mechanisms, because DAC gives the user ownership of files and allows users the ability to make policy decisions and assign security attributes. Under MAC, administrators control every interaction on the software of the system. Standard UNIX permissions are still present, and are consulted before the SELinux policy during access attempts. When the standard file permissions allow access, the SELinux policy will be consulted and access is either gained or denied based on security of the source process and the targeted object.
The chroot system call was introduced during the development of Version 7 Unix in 1979, and added by Bill Joy on 18 March 1982, a year and a half before 4.2BSD was released in order to test its installation and build system. A chroot on a UNIX based operating systems, like Linux, is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name or access files outside the designated directory tree. On a web server, it is very useful for the security of shared hosting accounts. Without a chroot jail a user with limited file permissions can navigate to the top level directories. Although that user does not have permission to make changes, they can invade the files and access information.
An important use of chroot is it’s utilization within virtual environments. In a Virtual Private Server, the user has a complete operating system within a chroot directory. This user has root privileges for his or her own account, but can’t access higher directories or be aware of their existence. Virtualization is great for test environment that can be set up in the chroot for software that might be too risky to deploy on a production system. Virtual environments are often used for compatibility issues. Legacy software or software using a different interface must sometimes be run in a chroot because their supporting libraries or files may otherwise clash with those of the host system. Also chroot is often used for recovery purposes. A chroot can be used to move back into a damaged environment after bootstrapping from an alternate root file system.
Rusty Russell was the initial author of and head behind netfilter/iptables project in 1998, but there have been numerous contributions by independent software developers. Iptables is a user space application program that allows a system administrator to configure the tables that are made available by the Linux kernel firewall and the chains; and rules it stores. Different kernel modules and programs are in use for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.
Elevated Privileges in iptables are required for operation, and root user must be used or iptables will not function. With most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man page, which can be opened using man iptables. There is a set of user interface tools that can be used to manage your system’s security profile in a more user friendly manner. The user interface firewall management tools include Bastille, and GUI tools with like KDE’s Guarddog. There are Linux distributions whose main purpose is to provide a GUI front end to iptables with a variety of configurations.
Iptables allows the system administrator to define tables containing chains of rules for the treatment of packets. Each table is associated with a different style of packet processing. Packets are processed by sequentially traversing the rules in chains. A rule in a chain can cause a goto or jump to another chain, and this can be repeated to whatever level of nesting is desired and every network packet arriving at or leaving from the computer traverses at least one chain.

Similar Documents

Premium Essay

Linux Security Technologies

...Paper 07/13/2012 Linux Security Technologies In today’s world there are many ways to gain access to the internet. You can go to your local library, a Starbucks, any airport, or even a McDonald’s. With all of these ways to have free access to the Web, the opportunity for hacker’s to get to your personal information is at an all time high. Linux programming has many ways to combat this situation with security technologies such as SELinux, chroot jail, iptables, and virtual private networks (VPN’s) to name a few. The basics of Linux security start with Discretionary Access Control, which is based by users and groups. The process starts with a user, who has access to anything that any other user can have access to. At first, it may seem great to be able to have that access, but the security in it is not so great. The US National Security Agency (NSA) developed the SELinux (Security Enhanced Linux) to combat the lack of strong security. (National Security Agency Central Security Service, 2009) Other organizations behind SELinux include the Network Associate Laboratories (NAI) labs which implemented several additional kernel mandatory access controls, developed the example security policy configuration, ported to the Linux 2.4 kernel, contributed to the development of the Linux Security Modules kernel patch, and adapted the SELinux prototype to LSM. The MITRE Corporation which enhanced several utilities to be SELinux-aware, and developed application security policies. And the...

Words: 1207 - Pages: 5

Free Essay

It302 Research Assignment 1

...Research Assignment 1 IT 302 Linux System Administration January 21, 2013 The purpose of this paper is to secure UNIX/Linux operating systems from unscrupulous people. It shall be focused on SELinux, chroot jail, and iptables. Each of the three focus areas will be detailed, with specific interest in the following. What organization is behind it and reason entity is involved. How each technology changes the operating system to enforce security, and if the security measure can be easily bypassed. And finally, describe the types of threats each of the technologies is designed to eliminate. Since no two UNIX-based operating system builds are exactly alike, it is important to note that each build may have its own inherent security flaws. SELinux was developed by The United States National Security Agency (NSA). The first version was made available to the open source development community under the GNU GPL on December 22, 2000. The software merged into the mainline Linux kernel 2.6.0-test3, released on 8 August 2003. Other significant contributors include Network Associates, Red Hat, Secure Computing Corporation, Tresys Technology, and Trusted Computer Solutions. Experimental ports of the FLASK/TE implementation have been made available via the TrustedBSD Project for the FreeBSD and Darwin operating systems. The reason NSA is involved in this project is because this organization is responsible for carrying out the research and advanced development of technologies...

Words: 900 - Pages: 4

Free Essay

Security in Linux

...Security in Linux Linux, like any other computing platform, is constantly changing. There are a few major focus points for new and upgraded platforms, one of which is how user friendly it is. User friendliness goes beyond the ability to simply point and click, it also goes behind the lines deep into the inner workings of the system. Security is one of the most important functions of any operating system, very commonly overlooked and taken for granted. A system administrator can configure tables that are provided by the Linux kernel firewall in a program called iptables. Iptables has the ability to redirect, modify or stop packets of data all based on the state of a connection at any given time. There are many different tables that can be defined and each table contains built in chains or user defined chains. Every chain is essentially a list of rules that matches a set of packets and it specifies what to do with a packet that matches the rules. For the casual user it is best to use the predefined rules, they are often more than adequate. In an enterprise situation the administrator would likely want to define additional rules in order to best suit the business needs. Before iptables Linux mainly used ipchains as a firewall package. Iptables is an improvement on ipchains because it monitors the state of connections. Iptables can use the state of the connection as opposed to ipchains using the source destination and content only, to redirect, modify or drop a packet. At least...

Words: 965 - Pages: 4

Premium Essay

Linux Security

...| Linux Security | A review of some current technologies | | | | | In the pre-Internet world you have criminals looking for “hard” assets: money, jewelry and other items that could be easily turned into hard currency. We have always had “white-collar” crime such as embezzlement, fraud and insider trading. With the proliferation of the Internet and our personal and professional lives stored in the cloud; criminals can now take one ubiquitous piece of information and turn themselves into a whole other person. The ease in which such information can be used has turned people who would never think of ever holding up a bank, mugging someone or other physical crime, into criminals. This type crime has spawned a whole new “industry”: cyber security. One of the most important aspects of a network administrator’s job is to secure the system from any person who wishes to do criminal activities. These people are both within and outside the organization. With the Linux system there are three main technologies that are in use today. They are SELinux, chroot jail, and iptables. The first line of defense in a Linux system is chroot jail. Chroot is a process or application that changes the root directory for a user. To the user it appears that they are in their root directory, but they are actually in a modified root directory. This modified root directory is called jail. Without a chroot jail, a user with limited file permissions would still be able to navigate...

Words: 942 - Pages: 4

Premium Essay

Linux Security

...The Linux security technologies I researched are SELinux, chroot jail and iptables. SELinux (Security-Enhanced Linux) is a Linux feature that provides the mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls, through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of kernel modifications and user-space tools that can be added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy itself and streamlines the volume of software charged with security policy enforcement. The key concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency. The United States National Security Agency (NSA), the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL on December 22, 2000. The software merged into the mainline Linux kernel 2.6.0-test3, released on 8 August 2003. Other significant contributors include Network Associates, Red Hat, Secure Computing Corporation, Tresys Technology, and Trusted Computer Solutions. Experimental ports of the FLASK/TE implementation have been made available via the TrustedBSD Project for the FreeBSD and Darwin operating systems. It provides an enhanced mechanism to enforce the separation of information based on confidentiality...

Words: 1300 - Pages: 6

Free Essay

It302 Reserch 1

...several security measures with Linux programming, which the majority of the software is free. Some of those security technologies are SELinux, TCP Wrappers, IPtables and Chroot Jail to name a few. In basic Linux security, Discretionary Access Control is based practically by users and groups. The process is run by a user and then has access to anything other users has access to, making it not so secure. The U.S. National Security Agency (NSA) developed the SELinux (Security Enhanced Linux) to combat the lack of strong security. The SELinux implements Mandatory Access Control (MAC) in the Linux kernel which enforces policies that limits the user or a program of what they can do. It is designed to prevent process from reading and/or tampering of data and programs. MAC is an important tool for containing security threats made by user errors, hackers or software errors. It’s pretty hard to bypass the security measure since the kernel is checking the MAC rules right after checking the DAC rules on a constant basis. There are three states you can place SELinux to run in; Enforcing, Permissive and Disabled. Enforcing is the default setting where no program or user can do anything not permitted by the security policy. Permissive is a diagnostic state where it sends warning but does not enforce the policy but you can use to build a new security policy. Disabled is where it does not enforce any security policies at all. Another Linux based security program...

Words: 827 - Pages: 4

Premium Essay

Linux Security Measures

...There a numerous security measures that are available for administrators of Linux systems. This paper will introduce and briefly explain three that are useful in the constant fight to keep a system safe and secure for users. Security-Enhanced Linux (SELinux) is a security feature that was developed by the National Security Agency (NSA) of the United States of America. As the agency itself states, “The National Security Agency has long been involved with the computer security research community in investigating a wide range of computer security topics including operating system security” (Security-Enhanced Linux - NSA/CSS. 2009). As long proponents of computer security, the NSA worked to develop SELinux. SELinux is an application of the FLASK architecture, which provides Mandatory Access Control (MAC) as part of the operating system kernel. According to a paper presented at the 2001 Ottowa Linux Symposium, “The security policy decision logic has been encapsulated into a new kernel component called the Security Server (SS)” (Loscocco and Smalley. 2001), this allows the kernel to enforce policy decisions without needing direct access to the policy itself. SElinux provides MAC measures to secure data, files, directories files, network interfaces, and all other components of a Linux operating system. SELinux is designed to address many security holes in a computer system including “...preventing processes from reading data and programs, tampering with data and programs, bypassing...

Words: 1101 - Pages: 5

Premium Essay

Linux

...SELinux (Security-Enhanced Linux) was developed by the U.S National Security Agency and essentially enforces security policies that limits what a user or program can do by implementing MAC (Mandatory Access Control) in the Linux kernel. It defines a security policy that controls many different things such as files, devices, sockets, ports and even some processes. The Security-enhanced Linux's features are designed to enforce the separation of information based on confidentiality and integrity requirements. They are designed for preventing processes from reading data and programs, tampering with data and programs, bypassing application security mechanisms, executing untrustworthy programs, or interfering with other processes in violation of the system security policy. They also help to confine the potential damage that can be caused by malicious or flawed programs. They should also be useful for enabling a single system to be used by users with differing security authorizations to access multiple kinds of information with differing security requirements without compromising those security requirements. SELinux can be in one of three states or modes and the first mode would be the enforcing/active state. This is the default state wherein no user or program will be able to do anything not permitted by the security policy. The next mode would be the permissive/warn state wherein SELinux sends warning message to a log but does not enforce the security policy. Later, an...

Words: 799 - Pages: 4

Premium Essay

Assignment 2 Linux Security

...Linux Security Technology Security of a system is important in our today’s use of the internet. That is why Linux with its many layers that are always evolving in security to protect against all kinds of hackers or othe types of attacks . SELinux, Chroot Jail, IPTables, Mandatory Access Control and Discrestionary Access Control, just to name a few. SELinux is an access control implementation for the Linux kernel. Take for instants that you are the administrator and you define rules in user space and if the Linux kernel has been added with SELinux support, then those rules will be followed by the kernel. SELinux is a NSA Security-Enhanced Linux, in which the mandatory access control is flexible. The structure of SELinux supports against all kinds of mandatory access control policies. Some of which are Role-Based Access Control and Multi-Level Security. It was designed by NSA for the purpose of protecting a server against malicious daemons, by telling the daemons what they can and can’t do. This type of technology was created by Secure Computing Corporation, but was supported by the U.S. National Security Agency. In 1992, the thought for a more intense security system was needed and a project called Distributed Trusted Match was created. Some good solutions evolved from this, some of which were a part of the Fluke operating system. Which then became the Flux and finally led to the creation of the Flask architecture. Eventually it was combined with the Linux kernel, which...

Words: 873 - Pages: 4

Free Essay

Linux Security

...I. Chroot jail “Chroot jail is a UNIX feature that creates a limited sandbox allowing a process to view only a single sub-tree of the file system.” “In order for it to work properly, some common programs and libraries need to be copied or linked to the appropriate locations in the new directory tree.” (Haas) The term sandbox is a metaphor for the type of security that chroot jail uses. Once you put a program or utility into the jail, it only knows of what is contained in the cell, the rest of your system becomes invisible to it. It does this by changing the apparent root directory for the current running process and its children. A program that is run in a modified environment cannot name files outside the designated directory tree. For example if you place Apache into a chroot jail and somebody would hack into your system, the only thing that they would be able to see and access would be Apache and the files needed to run it, the rest of your system does not even exist according to chroot jail. Chroot makes it more difficult for attacks to take place in your environment. To set up a useful chroot jail, first determine which utilities and or programs the users of the chroot jail will need. Then you must copy the appropriate binaries and their libraries into the jail. II. SELinux SELinux was developed by The U.S. National Security Agency(NSA). “SELinux was released under the NSA under the GNU GPL open source license. SELinux is essentially a Linux kernel with a number...

Words: 1582 - Pages: 7

Free Essay

Linux

...qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmrtyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmrtyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmrtyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmrtyuiopasdfghjklzxcvbnmqwer...

Words: 1010 - Pages: 5

Free Essay

Linux Security Technologies

...critical research problem. Linux has several security developments included in its open source operating system. Among these are SELinux, chroot jail, and iptables to name a few. SELinux is Security Enhanced Linux. The National Information Assurance Research Laboratory of the National Security Agency was in charge of carrying out the research and advanced development of technologies needed to enable the NSA to provide the solutions, products, and services to achieve Information Assurance for information infrastructures essential to the security of the U.S. National Security. The Security-enhanced Linux prototype was developed by the NSA along with research partners from NAI Labs, Secure Computing Corporation (SCC), and the MITRE Corporation. Many other contributions have followed since the initial release.(NSA-National Security Agency, 2009) Researchers in the National Information Assurance Research Laboratory of NSA worked with Secure Computing Corporation (SCC) to develop a strong, flexible mandatory access control architecture based on a mechanism first developed for the LOCK system called Type Enforcement. The NSA and SCC then worked with the University of Utah’s Flux research group to transfer the architecture to the Fluke research operating system. The architecture was enhanced, when it was transferred, to provide better support for dynamic security policies. This enhanced architecture was named Flask. SELinux implements the Flask security architecture which uses flexible...

Words: 1498 - Pages: 6

Free Essay

Linux Security Technologies

...people who don’t know what they are doing, and even people who you may call your best friend. Threat comes in many shapes and sizes which is why operating systems such as Linux develop ways to keep your personal files safe from these unwarranted threats. Some of these measures include, but is not limited to; iptables, SELinux, chroot jail, TCP Wrappers, firewalls, PolicyKit, NX or No eXecute, PIE or Position Independent Executables, Netfilter, and the list goes on (“Fedora Projects” & Vepstas). When a user first approaches Linux it looks similar to what a windows operating system would resemble. With Linux a user has the ability to access every file within the operating system through the use of a terminal or command prompt. Through the use of Linux programming potential threats can gain access to you file system and everything housed within it. Linux is free software that comes with many great security features that any user or administrator greater access and control over the system. The choice can be a bit much for most, but we will discuss a few of these choices here. Security-Enhanced Linux also known as SELinux is a security program that was developed in partner by the National Security Agency or NSA and Red Hat Developers (“Fedora Project”). So what exactly is it that SELinux does? SELinux was designed so that the Administrator could enforce policies that will limit what a user or particular program...

Words: 1082 - Pages: 5

Free Essay

Linux Security Technologies

...Linux Security Technologies   SELinux (Security Enhanced Linux) is a mandatory access control in the Linux kernel that was originally developed by NSA (National Security Agency) with direct contributions provided by Red Hat Enterprise Linux (RHEL) via the Fedora Project. In the day and age of identity theft and attempted sabotage from terrorists against our country, it should be very apparent why an organization like NSA had such an interest in heading up development of a more secure way to better protect our nation’s computer systems. In a world so largely dependent on computer systems, inadequate security measures could lead to anything from having a single person’s financial information compromised to an electronic 9/11 against some of our country’s most secure federal computer networks. In the modern computer based society we live in, security is essential to protecting everything from personal desktops all the way up to the most secure federal databases. And many corporate and government level computers are based on the Linux kernel. SELinux has 3 states it can be in if on a system: Enabled, Disabled, and Permissive. Enforcing means SELinux security policy is active, Disabled means SELinux security policy is not active, and Permissive is a diagnostic state commonly used for troubleshooting. To better understand what improvements Mandatory Access Control (MAC) can provide for security, one needs to know about the standard Linux security provision called Discretionary...

Words: 1124 - Pages: 5

Premium Essay

Linux Security

...Robert Hoffman Linux Research 2.1 Security for computers is one of the most important aspects of a system that has to be in place. For this paper I will be writing about four security features that Linux systems use; these are SELinux, chroot jail, openSSH, and iptables. I will briefly describe what they do to provide security. SELinux (security enhanced Linux) was developed by the NSA, who chose Linux as its operating system to create a more secure operating system. Since the development of SELinux by the NSA most Linux distributions now implement SELinux as a standard. Traditional Linux systems use a security called (DAC) discretionary access control. With this approach users and their objects, i.e., files or processes run by the user have the same access as the user. So if an attacker got hold of an admin account they would have complete control over any files or services that account runs or has access to. SELinux uses (MAC) mandatory access control. With this, services and files are controlled by policies saying what may or may not be done. MAC enforces these security policies that limit what users and programs can do. Security threats coming from user errors, attackers, or software problems are limited by MAC. SELinux has three modes that it can function in: Enforcing- This is the default state where SELinux security policy is enforced, anything not permitted by the security policy can not be done. Permissive-...

Words: 999 - Pages: 4