After ten years of development, Linux's functions have been constantly enhanced and its security mechanisms gradually improved. By the TCSEC evaluation criteria, the security level of current Linux basically reaches C2, and higher-security Linux systems are under development.
Next, let's look at the security mechanisms that exist in Linux today. Some of these have been accepted into standard Linux, while others are only available as patches.
PAM Mechanism
PAM (Pluggable Authentication Modules) is a shared library that provides a framework and a set of programming interfaces: authentication work is shifted from the programmer to the administrator. PAM allows the administrator to choose between multiple authentication methods, and the local authentication method can be changed without recompiling the applications that depend on authentication.
PAM functions include:
● Encrypt passwords (including with algorithms other than DES);
● Restrict user resources to prevent DoS attacks;
● Allow random shadow passwords;
● Restrict specific users to logging on only from specified locations at specified times;
● Introduce the concept of "client plug-in agents", enabling PAM to support machine-to-machine authentication in client/server applications.
PAM facilitates the development of more effective authentication methods. On this basis it is easy to develop authentication methods that replace the conventional user name and password, such as smart cards and fingerprint identification.
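As an added illustration (not code from the original article), the following Python model shows how PAM walks one service's `auth` stack and combines module results using the four classic control flags (required, requisite, sufficient, optional), and why an administrator can add a fingerprint module by editing the stack rather than rebuilding `login`. The stack, the module results and the `pam_fingerprint.so` module name are constructed for the example.

```python
# Added example, not from the original article: a model of how PAM walks
# one service's 'auth' stack and combines module results using the four
# classic control flags. Module names, results and pam_fingerprint.so are
# constructed for the demonstration.
SUCCESS, FAIL = "success", "fail"

def evaluate_stack(stack, results):
    """Return SUCCESS or FAIL for a PAM stack.

    stack   : list of (control_flag, module) in /etc/pam.d/<service> order
    results : dict module -> SUCCESS/FAIL, what each module would return
              for this particular login attempt
    """
    required_failed = False
    for control, module in stack:
        result = results[module]
        if control == "required":
            if result == FAIL:
                required_failed = True      # remember, but keep running so
                                            # the user cannot tell which failed
        elif control == "requisite":
            if result == FAIL:
                return FAIL                 # stop at once
        elif control == "sufficient":
            if result == SUCCESS and not required_failed:
                return SUCCESS              # enough on its own
            # a failing 'sufficient' module is simply ignored
        elif control == "optional":
            if len(stack) == 1 and result == FAIL:
                return FAIL                 # matters only when it is the sole module
        else:
            raise ValueError(f"unknown control flag: {control}")
    return FAIL if required_failed else SUCCESS

# Constructed stack: refuse logins when /etc/nologin exists, accept a
# fingerprint on its own, otherwise fall back to the Unix password. The
# administrator adds or removes the fingerprint line without recompiling.
AUTH_STACK = [
    ("requisite",  "pam_nologin.so"),
    ("sufficient", "pam_fingerprint.so"),   # hypothetical module name
    ("required",   "pam_unix.so"),
]
```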
Intrusion Detection System
Intrusion detection is a relatively new technology, and few operating systems ship with intrusion detection tools. In fact, the standard Linux distribution only recently started including such tools. Although the history of intrusion detection systems is very short, the field has developed rapidly. Currently, Snort, PortSentry, and LIDS are popular intrusion detection systems.
Using Linux's own tools and tools downloaded from the Internet, you can give Linux advanced intrusion detection capabilities, including:
● Record intrusion attempts and notify the administrator promptly when an attack occurs;
● Take pre-prescribed measures when a specified attack occurs;
● Send deliberately misleading error messages, such as disguising the system as another operating system, so that attackers believe they are attacking a Windows NT or Solaris system.
Encrypted File System
Encryption technology plays an increasingly important role in the security of modern computer systems. An encrypted file system brings the encryption service into the file system to improve the security of the computer system. There are many reasons to encrypt the file system, such as guarding against hard disk theft and unauthorized access.
Currently Linux has several encrypted file systems, such as CFS, TCFS, and CRYPTFS, of which TCFS (Transparent Cryptographic File System) is representative. By integrating the encryption service tightly with the file system, the user does not perceive the file encryption process at all. TCFS does not modify the file system's data structures, and the semantics of backup and repair, and of user access to confidential files, remain unchanged.
TCFS makes confidential files unreadable to the following:
● Users other than the legal owner;
● Eavesdroppers on the communication line between users and remote file systems;
● The file system server's superuser.
For legal users, there is almost no difference between accessing confidential files and accessing ordinary files.
Security Audit
Even if the system administrator takes a variety of security measures, he may unfortunately discover new vulnerabilities. Before a vulnerability is fixed, attackers can quickly seize the opportunity to compromise as many machines as possible. Although Linux cannot predict when a host will be attacked, it can record the attacker's trail.
Linux can also detect and record time information and network connection information. This information is redirected to logs for future reference.
Logs are an important part of the Linux security architecture. They provide the only real evidence of an attack. Because attack methods vary, Linux provides network-, host-, and user-level log information. For example, Linux can record the following:
● Record all system and kernel information;
● Record each network connection, with its source IP address and duration, and sometimes the attacker's user name and operating system;
● Record the files that remote users request access to;
● Record which processes a user can control;
● Record each command used by a specific user.
When investigating network intruders, log information is indispensable, even when the investigation takes place after the actual attack.
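The intrusion detection and security audit sections above describe the same two steps: keep connection records with their source addresses, then notify the administrator when those records show an attack. As an added example, not from the original article, the following Python detector parses constructed sshd syslog lines and raises an alert when one source address accumulates repeated login failures inside a sliding time window; the addresses come from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (documentation address ranges): five failures from
# one source inside two minutes, plus ordinary traffic from another host.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[311]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 10:01:09 host sshd[312]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
Mar  3 10:01:15 host sshd[313]: Accepted password for alice from 198.51.100.4 port 51002 ssh2
Mar  3 10:01:44 host sshd[314]: Failed password for root from 203.0.113.7 port 40131 ssh2
Mar  3 10:02:20 host sshd[315]: Failed password for root from 203.0.113.7 port 40150 ssh2
Mar  3 10:02:58 host sshd[316]: Failed password for bob from 203.0.113.7 port 40166 ssh2
Mar  3 10:40:00 host sshd[401]: Failed password for carol from 198.51.100.4 port 51100 ssh2
"""

# Classic sshd syslog message shape; the 'invalid user' prefix is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(text, year=2024):
    """Yield (timestamp, outcome, user, ip) for each line that matches.
    syslog omits the year, so the caller supplies one."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["outcome"], m["user"], m["ip"]

def find_bruteforce(text, threshold=5, window_s=300):
    """Return {ip: (count, users)} for sources with >= threshold failures
    inside any window of window_s seconds. Isolated slow failures never
    trigger, which is the edge case a plain total count would get wrong."""
    failures = defaultdict(list)
    for ts, outcome, user, ip in parse(text):
        if outcome == "Failed":
            failures[ip].append((ts, user))
    alerts = {}
    for ip, recs in failures.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while (recs[end][0] - recs[start][0]).total_seconds() > window_s:
                start += 1                      # slide the window forward
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in recs[start:end + 1]})
                alerts[ip] = (end - start + 1, users)
                break
    return alerts
```

`find_bruteforce(SAMPLE_LOG)` reports only 203.0.113.7; the single late failure from 198.51.100.4 stays below the threshold.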
Mandatory Access Control
MAC (Mandatory Access Control) is access control defined and implemented by the system administrator from the perspective of the entire system. It labels the subjects and objects in the system and compulsorily restricts the sharing and flow of information, so that each user can access only the information relevant to it within a specified range, fundamentally preventing information leakage and access confusion.
The traditional MAC implementation is based on the MLS policy defined in TCSEC, but because of the disadvantages of MLS (poor flexibility, poor compatibility, and difficulty of management), researchers have proposed various other MAC policies, such as DTE and RBAC. Since Linux is a free operating system, there are currently several implementations of mandatory access control for it, typical of which include SELinux, RSBAC, and a project itself named MAC; the policies they use also differ.
The SELinux security architecture released by the NSA is called Flask. In this architecture, the security policy logic and a general interface are encapsulated in a component independent of the operating system, called the security server. SELinux's security server defines a hybrid security policy consisting of Type Enforcement (TE), role-based access control (RBAC), and multi-level security (MLS). By replacing the security server, different security policies can be supported.
SELinux defines the security policy in a policy configuration language, compiles it into binary form with checkpolicy, stores it in the file /ss_policy, and reads it into kernel space during kernel boot. This means the security policy can differ from one boot to the next. You can even use the security_load_policy interface to change the policy while the system is running, as long as the policy is configured to allow such changes.
RSBAC is short for Rule Set Based Access Control. It is developed on the Generalized Framework for Access Control (GFAC) model proposed by Abrams and LaPadula, and can provide flexible access control based on multiple modules. All security-related system calls are extended with security enforcement code, which calls the central decision component; that component in turn calls all activated decision modules to form a combined decision, which the system call extension then enforces. RSBAC currently contains MAC, RBAC, and ACL modules.
MAC is a very basic mandatory access control implementation written by Malcolm Beattie in the UK for Linux 2.2. It separates a running Linux system into multiple mutually invisible or restricted subsystems, which can be managed as a single system. MAC is implemented on the traditional Biba integrity model and the BLP model, but the author does not seem to have continued the work.
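As an added example (not from the original article or from SELinux itself), this Python sketch models the Flask idea of a separate security server answering access queries with a hybrid of TE, RBAC and an MLS (BLP-style) rule: every component must agree before access is granted. The types, roles, levels and allow rules are a constructed toy policy, and the RBAC check is simplified to a role/type membership test.

```python
from dataclasses import dataclass

# Constructed sensitivity levels for the MLS component (no categories).
LEVELS = {"s0": 0, "s1": 1, "s2": 2}

@dataclass(frozen=True)
class Context:
    """A SELinux-style security context: user:role:type:level."""
    user: str
    role: str
    type: str
    level: str

# Type Enforcement rules: (source type, target type, class) -> permissions.
# Constructed policy: the web server may read its content and append to its
# log, but has no rule at all for the shadow file.
TE_ALLOW = {
    ("httpd_t", "httpd_content_t", "file"): {"read", "getattr"},
    ("httpd_t", "httpd_log_t", "file"): {"append", "getattr"},
    ("sysadm_t", "shadow_t", "file"): {"read", "write", "getattr"},
}
# RBAC (simplified): which roles may run in which domain types.
ROLE_TYPES = {"system_r": {"httpd_t"}, "sysadm_r": {"sysadm_t"}}

READ_LIKE = {"read", "getattr"}
WRITE_LIKE = {"write", "append"}

def mls_permits(subj, obj, perm):
    """Bell-LaPadula on levels: no read up, no write down."""
    s, o = LEVELS[subj.level], LEVELS[obj.level]
    if perm in READ_LIKE:
        return s >= o
    if perm in WRITE_LIKE:
        return s <= o
    return True

def compute_av(subj, obj, obj_class, perm):
    """Security-server style decision; returns (allowed, reason).
    Each sub-policy can veto, mirroring the hybrid TE+RBAC+MLS policy."""
    if subj.type not in ROLE_TYPES.get(subj.role, set()):
        return False, "rbac: role may not run in this type"
    if perm not in TE_ALLOW.get((subj.type, obj.type, obj_class), set()):
        return False, "te: no allow rule"
    if not mls_permits(subj, obj, perm):
        return False, "mls: level constraint"
    return True, "allowed"
```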
Firewall
A firewall is a component or a set of components that restricts access between a protected network and the Internet, or between other networks.
The Linux firewall system provides the following functions:
● Access control: access control policies can be enforced based on source and destination address, user, and time, preventing unauthorized access while protecting internal users' legitimate access from being affected.
● Audit: record the network access that passes through it, build complete logs, audit and track network access records, and generate reports as needed.
● Attack resistance: the firewall system is directly exposed to untrusted networks. To the outside world, the internal network protected by the firewall appears as a single point, and all attacks are aimed directly at it; this is called a bastion host. Therefore, the bastion host must be highly secure and capable of resisting various attacks.
● Other ancillary functions, such as audit-related alarms and intrusion detection, access control-related identity authentication, encryption and authentication, and even VPN.