This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
This paper explains about linux security issues with three tools which are SELinux, IPtables and Bro IDS. All the tools are contains the same technical issues (download, installation, configuration, etc.,) and architectural issues.
SELinux (Security Enhanced Linux)
It is an MAC (Mandatory Access Control) implementation in Linux Kernel. SELinux can able to add capability to administratively describe policies on all subjects (processes) and objects (devices and files). The ACL (Access Control List) provides some additional securities for unauthorized persons expanded privileges.
The Security Enhanced Linux is also known as SELinux which developed on 22nd December 2000 by NSA (National Security Agency). This is used in many Linux distributions. In Linux kernel, since 2002, Fedora, since Core 2 (2004), RHEL, (RedHat Enterprises Linux) since version 4 (2005), In Debian, since Etch (2007), In Ubuntu, since Hardy Heron 8.04 (2008).
SELinux is compiled into kernel, used to security policy, checks rules database on syscalls, allows or denies based on policies.
Prerequisites to SELinux:
* Strong working skills of Linux (especially Red hat Enterprise Linux)
* If we need to administrate the services, some experience and skills are necessary. Such as Red Hat Certified Engineer (RHCE) or Red Had Certified Technician (RHCT).
* Understanding traditional Linux/Unix
* Understanding basic functions and policies of linux system.
* Familiar with macro languages which is useful for understand the SELinux policy.
1) Types: It contains files and directories are collectively derived from their fundamental security equality.
httpd_sys_content_t is placed in the /var/www directory etc_t is placed in the /etc directory
2) Domains: All processes are running in domain.
named_t refers named daemon, initrc_t refers init scripts and unconfined_t refers processes which are ambiguously confined within SELinux policy.
3) Roles: Roles refers which process or users access what process and what type(directories, files)
user_r refers users of an ordinary system, sysadm_r refers system administrators and system_r refers that all the process starts from the system_r role. To alteration for a new role command is #newrole -r sysadm_r
4) Identity: These are applied to user accounts and it doesn't change, decides user roles what they can enter.
user_u refers basic un-privileged user identity and root refers special account.
5) Security Context: all object or process on a system that has the security context implemented to it. It has three fields which divided by colons identity:role:type or identity:role:type
system_u:system_r:httpd_t refers apache daemon and system_u:object_r:etc_t refers /etc/passwd directory.
The ACM (Access Control Mechanisms) can able to allow or deny particular resource's use by particular entity.
The DAC (Discretionary Access Control) refers unix groups, bits of permission to access the file system and owner who can manage access control to an object.
The MAC (Mandatory Access Control) is a core security policy of SELinux. In this security policy, users can't modify and the system administrator can allow the permissions.
The security decisions goes to DAC, if its yes, then goes to MAC.
It had distributed as binary and it compiled once but distributed many. The RHEL5 introduce policy modules for SELinux. There are two polices which are strict and targeted.
To enable SELinux, we should use a variable (SELINUX) in the /etc/sysconfig/selinux directory and we need to assign the setenforce to SELINUX variable during runtime.
To disable SELinux, we need to put this into permissive mode. it's not a best idea to disable SELinux.
SELinux in Action:
A hacker has permission to access the /var/www/cgi-bin/ directory through a danger or uncertified web application and cgi-bin script uploaded by them. Hacker can open the cgi-bin script in web browser and executing his vulnerable scripts through web application without SELinux. The hacker can able to do on a server or host with SELinux.
Befits of SELinux:
* SELinux can able to confine services
* Debugging the application
* It provides good core access control.
* It examines the logs for report.
* The security server deployed by IBM.
What is IPtables?
The users package of iptables can be downloaded from netfilter official site (http://www.netfilter.org/downloads.html), and it can also be configured in kernel during make configure and by using following commands,
CONFIG_PACKET: applications works directly in certain network. Example: tcpdump
CONFIG_NETFILTER: to use our computer as firewall or gateway to the internet and the drivers like Ethernet adaptor, PPP and SLIP interfaces needs to be installed.
CONFIG_IP_NF_CONNTRACK: used to make connection tracking among NAT and Masquerading. Mostly requires during firewalling machines on a LAN.
CONFIG_IP_NF_FTP: Used to do connection tracking on FTP connections, without adding this comment FTP through firewall cannot be done properly.
CONFIG_IP_NF_IPTABLES: It is required to do any kind of filtering, Masquerading and NAT. It adds the whole IPTABLES identification to kernel. We can't do anything in IPTABLES without using this command.
CONFIG_IP_NF_MATCH_LIMIT: It's used to control the packets per minute which are to be matched with a certain rule. It's not an essential command.
CONFIG_IP_NF_MATCH_MAC: Used to match packets based on the MAC address.
CONFIG_IP_NF_MATCH_MARK: Used to MARK match.
CONFIG_NF_IP_MATCH_MULTIPORT: Used to match the packets with all range of destination and source ports.
CONFIG_IP_NF_MATCH_TOS: used to match packets based on their Type of service (TOS).
CONFIG_IP_NF_MATCH_TCPMSS: Allows matching TCP SYN packets based on their MSS Field.
CONFIG_IP_NF_MATCH_STATE: using this we can do stateful matching on packets.
And still we have many commands like this used in IPTABLES.
After installing the software, additional modules are loaded into it. The module dependencies are updated to date. It is checked using /sbin/depmod. After loading the required modules the load ipt_owner module is loaded. Then the ip_conntrack_ftp and ip_conntrack_irc which is used by the matching filters are loaded.
Initiating the Kernel for IP forwarding:
After finishing the loading process the IP forwarding is started by echoing a1 to /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward:
It is used when dynamic IP support such as SLIP, PPP etc are used.
echo "1" > /proc/sys/net/ipv4/ip_dynaddr:
It is used when any other options are used.
Starting the Masquerading:
To start off, the rules are added in the POSTROUTING chain which will masquerade all packets going out of the interface connected to the internet. I have used t ,which tables to use in this case nat and a to add a new rule to the existing chain. The next step is to add ACCEPT all packets traversing the forward chain. The last thing to do is to the log all the traffic that is dropping out of the border.
Displacement of placement to different chains:
I have taken considerable care on security more than the use of CPU. First i have allowed to all the TCP packets to traverse all the chains. The routing decision is taken first if its destined to the host, its sent as an input and if its destined to some other box its sent to the FORWARD If the localbox responds to the packet then it is sent to the OUTPUT.
SETTING UP DIFFERENT CHAINS:
What is Bro?
Bro is a tool which is a Unix-based Network Intrusion Detection (IDS).
It monitors the network traffic, traffic content and characteristics. It finds intrusions by sending network traffic through describing rules that are considered as difficult. These rules might describes actions (some hosts are connecting to few services), which actions are worth alarming (attempts to given different systems or hosts constitutes as “scan”), or signatures (known attacks or vulnerabilities).
We can download Bro from the official site http://www.bro-ids.org/download.html. There is few Bro versions are available. We can download whatever we want (version). After the download, the file will be *.tar.gz file extension. So we need to extract that file using the following command
tar xvzf filename.tar.gz
We need to type the above command in linux terminal window.
bala@ubuntu:~/myfiles$ tar xvzf filename.tar.gz
localnets: local subnets for network. Bro needs to know which networks are Internal, which are External.
Interface names: the capture interface names in our host. We can use ifconfig -a to find out all interface on our Bro host.
If we want to use Bro periodic email report feature, we will also need to:
And then type the following command to install
To update existing Bro installation with new standard file and binaries, we can use make update instead of make install. By using this, it keeps updating all our local customizations.
The configuration script used in Bro Lite, helps to configure Bro automatically. The script checks our system BPF settings, makes bro account and installs the script at boot time to start, installs cron jobs to run reports and handle the log files.
The packet capture layer utilizes libpcap to capture packets from the network. After a filtering process this layer sends remaining packets up to the event engine. The event engine layer reassembles the packets and handles states and low-level protocol analysis.
The event engine eventually generates events which it passes up to the policy layer for application level processing. This way of layering makes Bro very efficient since just the packets of interest are inspected at the event layer. In addition, the policy layer only works on high-level events.
Scripts used in Bro:
site-report.pl: it automatically sends e-mail reports when alerts or alarm occurs.
mail_reports.sh: it sends e-mail reports.
check_disk.sh: it checks disk low space and send e-mail.
bro_log_compress.sh: compress or remove old log files.
We can use all of the above files by editing bro.cfg file from bro installed path (/etc/bro.cfg)
* Sending (E-mail):
daily an internal report created by Bro that contains three set of information. Such as network traffic information, incident information and Bro operational status.
it contains three parts. The first one, summary which consist of some statistics information, the second one, incident which consist of some information about process which performed by Bro system, the final one is scans which contains details (data and time) about host which attacked by someone.
In this paper, i explained about the three linux security tools and an overview about the tools technical and architectural issues.