Integrity and Access Control
NSA Security-Enhanced Linux (www.nsa.gov/selinux/)
- A result of several NSA security research projects, from design to implementation approach
- “Security-enhanced Linux is only a research prototype that is intended to demonstrate mandatory controls in a modern operating system like Linux and thus is very unlikely to meet any interesting definition of secure system.” -- NSA SELinux FAQ
- A starting point and a theoretical model for future kernel development and Linux Security Module work (http://lsm.immunix.org/)
LIDS
- “Root has too much power.”
- Access Control List implementation patch for the Linux kernel
- file/process protection and capabilities control
- An open source community's equivalent of NSA SELinux?
grsecurity
- A large collection of security enhancement patches for the Linux kernel
- Buffer overflow/memory protections, ACLs for files/sockets/consoles/processes/whatever, logging, resource restrictions/limits, network invisibility/OS signature hiding etc.
Notes:
NSA SELinux
- based on NSA research on operating systems and security features
- a collection of kernel and utility patches to provide mandatory access control, traceability, Type Enforcement®, Role-based Access Control, Multi-level Security.
- is a research project, not a trusted operating system
LIDS is a kernel patch and admin tool that enhances Linux kernel security. It provides:
- implementation of reference monitor in the kernel
- mandatory access control in the kernel
- protection of files and processes: root has no power over LIDS, and processes and files can be hidden
- security alert from the kernel
- port scanner detector in the kernel
- LIDS seems to be the open source community's equivalent of NSA SELinux functionality
grsecurity is a combined collection of security enhancement patches for the Linux kernel:
- OpenWall buffer overflow protection (system will not allow execution of code on the stack)
- memory page protection, readable != executable
- randomize the address space layout of programs on each execution
- proc/mem/resources limitations (fork bomb protection)
- wide access control for users, processes, sockets, network connections, consoles etc.
- kernel logging extensions
- give examples from web page
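The effect of the stack and page protections listed above can be checked from user space. This added example (not from the slides or from the grsecurity project) parses a Linux `/proc/<pid>/maps` listing and counts executable stack mappings and mappings that are both writable and executable; the sample listing is constructed, and `audit_maps` and `struct maps_audit` are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format (not captured from a real host). */
static const char SAMPLE_MAPS[] =
    "00400000-0040b000 r-xp 00000000 08:01 1234 /bin/demo\n"
    "0060b000-0060c000 rw-p 0000b000 08:01 1234 /bin/demo\n"
    "7f00aa000000-7f00aa021000 rwxp 00000000 00:00 0\n"
    "7ffd1c0d5000-7ffd1c0f6000 rwxp 00000000 00:00 0 [stack]\n";

struct maps_audit {
    int regions;     /* mappings parsed */
    int exec_stack;  /* [stack] mappings carrying the x bit */
    int wx_regions;  /* mappings that are writable and executable */
};

/* Audit a maps listing held in memory, one mapping per line. */
struct maps_audit audit_maps(const char *text)
{
    struct maps_audit r = {0, 0, 0};
    const char *line = text;
    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512], perms[5], path[256] = "";
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        /* Fields: start-end perms offset dev inode [pathname] */
        if (sscanf(buf, "%*s %4s %*s %*s %*s %255s", perms, path) >= 1 && strlen(perms) == 4) {
            r.regions++;
            if (perms[2] == 'x' && strcmp(path, "[stack]") == 0) r.exec_stack++;
            if (perms[1] == 'w' && perms[2] == 'x') r.wx_regions++;
        }
        line = end ? end + 1 : NULL;
    }
    return r;
}

int main(void)
{
    static char text[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");   /* audit this process */
    size_t n = f ? fread(text, 1, sizeof text - 1, f) : 0;
    if (f) fclose(f);
    text[n] = '\0';
    struct maps_audit r = audit_maps(n ? text : SAMPLE_MAPS); /* fall back to the sample */
    printf("regions=%d exec_stack=%d wx=%d\n", r.regions, r.exec_stack, r.wx_regions);
    return (r.exec_stack || r.wx_regions) ? 1 : 0;
}
```

A non-zero exit status means at least one executable stack or writable-and-executable mapping was found in the audited listing.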