A Consideration of What it Means to be Secure
Only the paranoid survive, and that is no less true when securing Linux® systems than for any other. Fortunately, a host of security features are built into the kernel, are packaged with one of the many Linux distributions, or are available separately as open source applications. The first in a series, this article starts you on your way to understanding security concepts and potential threats, and sets the stage for what you really need to know: how to secure and harden a Linux-based installation.
In this series of articles, you’ll see how to plan, design, install, configure, and maintain systems running Linux in a secure way. In addition to a theoretical overview of security concepts, installation issues, and potential threats and their exploits, you’ll also get practical advice on how to secure and harden a Linux-based system. We will discuss minimal installation, hardening a Linux installation, authorization/authentication, local and network security, attacks and how to protect against them, as well as data security, virus, and malware programs.
For this first article, we’ll begin by reviewing the considerations for securing data and the systems that provide it. Our goal is to develop a deeper understanding of what security actually means.
Security is an important topic in today’s IT-related headlines. Frequent system vulnerabilities and security patches as well as viruses and worms are common ground for everyone using computers. As nearly every computer system is interconnected to other computers or to the Internet, securing these computers is critical to mitigate break-ins, data theft or loss, misuse, or even liabilities to third parties.
Even securing a stand-alone computer, one not connected to a network, is not trivial. Applications have to be installed from trustworthy sources, such as from a verified and virus-checked CD-ROM. You have to be equally cautious with application data. For example, software packages (office suites, etc.) can execute powerful macro languages or present malformed data and can be used to execute arbitrary code by exploiting software flaws. Therefore, application data has to be checked for integrity before you copy it to the computer. Access to the system can be controlled by placing the data in a secured area (disregarding attacks from authorized personnel, of course).
Things get even more difficult when a system is connected to a network and offers services to other computers, intentionally or unintentionally. In that case, the system administrator might not be the only source of data, as client programs make use of the offered services, and system vulnerabilities might allow an intruder to take control of the computer.
That’s why dealing with security is essential throughout the entire life cycle of a system, from the planning stages until it is dismantled. But what does security exactly mean?
In general, data security and system security can be distinguished. Data security is commonly understood to refer to all efforts taken to ensure:
• Confidentiality
• Integrity
• Availability
Taken together, these are referred to as the “CIA” of data stored on a computer. Protection of configuration data such as /etc/passwd can be subsumed under data security. System security refers to the computing platform itself. The U.S. National Information Systems Security Glossary (see Resources for a link) defines system security as follows:
System Security. The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.
It is important to realize that system security requires an iterative process consisting of applying security patches, regular audits, and controls, as well as having a secure system configuration to begin with. In this context, it is impossible to guarantee absolute security, as it is impossible to provide a 100% secure service. The goal is rather to find a tradeoff between security, usability of the system, and the effort required to maintain this security level. This compromise is influenced by the importance of the data stored on the computer to be secured and its intended usage scenario (read Secrets and Lies by Bruce Schneier, John Wiley & Sons, 2000; see Resources for a link).
Integrity
Data with integrity is valid and has not been changed accidentally or maliciously. Integrity should be considered when data is stored or exchanged. Data received at the destination must be an exact copy of the source data. This means that, on the one hand, physical transmission and storage media must be reliable, so that data is transferred correctly without bit errors. On the other hand, data must not be altered by unauthorized entities having access without being detected. The scope of integrity begins after the user — the ultimate authority — entrusts data to the system. User errors are therefore out of scope of integrity.
For network connectivity, take special care to ensure integrity, regardless of whether the network is secured (for example, by encrypting transmission) or not. Third parties with access to the transport medium may re-route or alter data in transit. The aspects of integrity referring to the physical environment of the network and the interconnected computers are not specific to Linux and are valid for any computer installation; they are therefore out of scope of this article. However, measures taken to protect data integrity on a physical level include, among other things, restricting access to computers, keeping transmission media (such as cables and connectors) protected, and avoiding power outages and electrostatic discharges (read “Building the Ideal Web Hosting Facility: A Physical Security Perspective”; see Resources for a link).
This series of articles will concentrate on security measures taken in the operating system and application environment, such as encryption and signatures, to actively ensure integrity. It will also focus on auditing mechanisms to identify loss of integrity and determine responsible parties.
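The integrity checking just described, as an added example that is not part of the original article: a baseline of SHA-256 hashes is taken over a directory, the baseline is sealed with an HMAC so that it is itself tamper-evident, and a later run reports changed, added, and removed files. The demo key and the file contents are constructed for illustration; a real key must be kept away from the monitored host.

```python
import hashlib
import hmac
import os
import tempfile

def hash_file(path):
    with open(path, "rb") as f:  # whole-file read; chunk for very large files
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """{relative path: sha256} for every regular file below root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest

def seal(manifest, key):
    """HMAC over a canonical serialisation: the baseline itself becomes
    tamper-evident, so an edited file cannot be hidden by editing its hash."""
    canon = "\n".join(f"{p}\0{d}" for p, d in sorted(manifest.items()))
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()

def verify(root, manifest, tag, key):
    """Return (baseline_trusted, changed, added, removed)."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        return False, [], [], []  # refuse to trust a forged baseline
    current = build_manifest(root)
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    added = sorted(set(current) - set(manifest))
    removed = sorted(set(manifest) - set(current))
    return True, changed, added, removed

def demo():
    key = b"constructed-demo-key"  # placeholder; a real key is kept off the host
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed content
        baseline = build_manifest(root)
        tag = seal(baseline, key)
        with open(os.path.join(root, "passwd"), "a") as f:
            f.write("line added by an unauthorised edit\n")
        with open(os.path.join(root, "planted.bin"), "wb") as f:
            f.write(b"\x00")
        ok, changed, added, removed = verify(root, baseline, tag, key)
        forged = verify(root, dict(baseline, passwd="0" * 64), tag, key)[0]
        return ok, changed, added, removed, forged
```

Tools such as Tripwire or AIDE work on the same principle, with the baseline signed or stored on read-only media rather than sealed with an in-memory key.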
Confidentiality
Confidentiality is maintained when protected data can only be read or modified by authorized people or systems. It is a distinct concept from integrity: when data is sent over a network, it might be transmitted correctly without changes so that integrity is ensured, but it would no longer be confidential if intercepted by a third party. Integrity is not sufficient when unauthorized persons gain access to the data transmitted and extract valuable information from it. The confidentiality of data brings up three further questions:
• Who wants to access the data? (Authentication)
• What data can be accessed? (Authorization)
• How is data protected from unauthorized access?
Linux has several approaches to ensure that the entity trying to access data is the one it claims to be. Via Pluggable Authentication Modules (PAM), you can implement several authentication strategies, from simple username/password combinations stored on the local machine, through a centralized directory (NIS, Kerberos, LDAP, etc.), to hardware tokens or biometric scans. File access authorization can be granted using the classical (coarse) UNIX file permissions: read, write, and execute permissions on user, group, or world level. Newer fine-grained approaches — Access Control Lists — allow you to grant or deny specific rights to specific users.
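The difference between the coarse user/group/world permissions and an ACL, as an added example that is not part of the original article: the check below follows the decision order the acl(5) manual page describes (owner, named user, owning and named groups, other), and with no ACL entries it reduces to the classic mode-bit check. The uids, gids, and the root:shadow 0640 file are constructed; the model keeps the owning-group permissions in the mode bits and the ACL mask separately, which is a simplification of how the kernel stores them.

```python
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits, as in the digits of an octal mode

@dataclass
class Subject:
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary group ids

    def in_group(self, gid):
        return gid == self.gid or gid in self.groups

@dataclass
class File:
    owner: int
    group: int
    mode: int  # e.g. 0o640: owner rw-, group r--, other ---
    acl_users: dict = field(default_factory=dict)   # named users, as u:alice:r
    acl_groups: dict = field(default_factory=dict)  # named groups, as g:ops:rw
    mask: int = 7  # ACL mask entry; 7 means "no cap" (simplified model)

def allows(f, s, want):
    """Access check following acl(5): owner, then named user, then owning
    group and named groups (any one that grants suffices), then other.
    Only the first matching class is consulted, so a more generous later
    class never helps. With no ACL entries this is the classic check."""
    if s.uid == f.owner:
        return ((f.mode >> 6) & 7) & want == want
    if s.uid in f.acl_users:
        return (f.acl_users[s.uid] & f.mask) & want == want
    group_perms = [p for g, p in [(f.group, (f.mode >> 3) & 7)]
                   + list(f.acl_groups.items()) if s.in_group(g)]
    if group_perms:
        return any((p & f.mask) & want == want for p in group_perms)
    return (f.mode & 7) & want == want

def demo():
    # Constructed: a root:shadow 0o640 file; alice (uid 1000) is not in gid 42
    shadow = File(owner=0, group=42, mode=0o640)
    alice, bob = Subject(1000, 1000), Subject(1001, 1001)
    coarse = allows(shadow, alice, R)          # False: world has no rights
    shadow.acl_users[1000] = R                 # setfacl -m u:alice:r shadow
    named = allows(shadow, alice, R)           # True, without opening to world
    other = allows(shadow, bob, R)             # False: bob is still "other"
    shadow.mask = 0                            # setfacl -m m::--- shadow
    masked = allows(shadow, alice, R)          # False: mask caps named users
    return coarse, named, other, masked
```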
The standard Linux security concept is implemented in software and relies on the kernel disallowing access to resources a user is not authorized to use. However, kernel bugs (privilege elevation/escalation, unchecked parameters, etc.) may allow a user to access previously inaccessible memory regions, disk space, networks, or other resources. Physical access to the hardware allows users to bypass software checks by installing keyloggers, taking away hard drives and reading them in other machines, sniffing network traffic, and so on. Thus, further efforts, such as encryption of file systems, of individual files, of network traffic, and/or on the application level, have to be taken to secure confidential data. Again, physical measures such as secured areas, secure deletion of data, and accounting procedures for confidential information need to be considered, but are not covered here.
Availability
Even if integrity and confidentiality are ensured, data is useless if it cannot be accessed and is not available. Availability measures ensure that data is never lost and is accessible at a predefined performance level when it is requested. Availability can be compromised in various ways:
• Destructive attacks — called Denial-of-Service (DoS) attacks — which target availability. They aim at making a computer or service unavailable or unusable by consuming all available network, CPU, storage, or operating system resources (such as file handles).
• Attacks that aim at the data itself by trying to delete or overwrite it.
• Accidental destruction of data. In most cases, it is not possible to prevent accidental destruction of data, because a user with the appropriate rights is seen as the ultimate authority. You can only be forearmed by having a backup/restore infrastructure in place.
• Last, but not least, bugs, configuration errors, physical environment, hardware failures, power outages, unwanted system reboots, and more can also affect availability. The software-related topics in this list fit better into the category of system security and will be discussed in more detail later. As mentioned above, hardware-related topics are not discussed within this article, but if you are interested in these topics, see the Resources section for links to further reading.
To address the first two items in the list above, Linux-specific measures include firewalling/filtering of network packets, protecting file system integrity, and planning for additional resources that can be added on demand (for example, by using Tivoli® Intelligent Orchestrator; see Resources for a link).
Linux System Security
Linux is a modern, open source operating system that can be distributed and copied freely. Every user has the right to access and modify its source code, making it easy to customize Linux to your own environment, add new features to the operating system, find bugs and provide patches, and check the source code for security holes.
Although data security and system security can be considered separately, system security can have a major impact on data security. That is why Linux has a lot of integrated features that address the main security issues of confidentiality, integrity, and availability as well as system security itself. Among them are IP firewalling, authentication mechanisms, system logs and auditing, cryptographic protocols and APIs, kernel-level VPN support, and many more. Additionally, system security can be supported by (open source) software applications that offer secure services, harden and/or control the Linux system, prevent and detect intrusions, check system and data integrity, and provide barriers to different attacks.
One major factor with respect to security that differentiates Linux from closed source operating systems lies in the open source development process itself. Because every user and developer of software has access to its source code, many eyes are reviewing and scanning the source code for possible security holes. Software flaws are detected promptly. On the one hand, this leads to early exploits; on the other hand, security patches are available quickly.
Next in the Series
Linux has proved suitable for professional enterprise applications with respect to its reliability, stability, scalability, manageability, performance, and last, but not least, its security features. The next installment in this series, “Securing Linux, Part 2: Planning the installation,” goes into detail about developing a complete Linux security plan, including assessing inventory, analyzing risk, identifying users and access privileges, choosing a Linux distribution, and acquiring it safely.
Resources
• Read the other installments in this Securing Linux series on developerWorks.
• See the Committee on National Security Systems’ National Information Assurance Glossary for a compendium of system security definitions.
• Bruce Schneier’s Secrets and Lies: Digital Security in a Networked World (John Wiley & Sons, 2004) is an exploration of computer system threats, the hacker mindset, prevention, security system implementation, and more.
• For a general overview and resource guide for those working to provide a secure Linux environment, read Addressing security issues in Linux (developerWorks, June 2001).
• Practical Linux security (developerWorks, October 2002) emphasizes that good security begins with good user management.
• The Secure programmer column on developerWorks is an ongoing series dedicated to helping you write secure programs for Linux.
• Integrity: further reading
• Building the Ideal Web Hosting Facility: A Physical Security Perspective by Seth Friedman (SANS Institute, February 2003) looks at physical security in the context of building a Web hosting facility.
• Wikipedia explains the man in the middle attack, a type of attack in which a third party is able to read and modify messages sent between two unknowing victims.
• Confidentiality: further reading
• Pluggable Authentication Modules allow multiple authentication mechanisms to be configured and leveraged within the Linux operating system.
• This NIS-Howto describes how to configure Linux as an NIS(YP) or NIS+ client and how to install an NIS server.
• The Kerberos Infrastructure HOWTO describes the design and configuration of a Kerberos infrastructure for handling authentication with Linux.
• This LDAP whitepaper describes how to set up a Linux workstation to use an LDAP server for user information and authentication.
• This Access Control Lists patch/user code combination allows supporting full access control lists (ACLs) for the Linux kernel.
• The GNU Privacy Guard is an open source encryption software stack.
• Availability: further reading
• The Tivoli Intelligent Orchestrator helps increase server utilization by automatically triggering the provisioning, configuration, and deployment of a server into production.
• IBM Redbooks Technote Patterns for the Edge of Network contains guidelines to keep in mind when planning a high availability configuration.
• The Redbook Continuous Availability — Systems Design Guide guides you through a complete cycle of analysis, design, and implementation of continuously available systems.
• American Power Conversion’s Effect of UPS on System Availability explains how system availability and uptime can be affected by AC power outages.
• IT availability Check List (availability.com, 2004) provides a quick checklist for issues to take care of regarding availability.
• Computerworld explains how to defend against DDoS attacks.
• Linux security projects
• Security Enhanced Linux: This Linux version incorporates a strong, flexible mandatory access control architecture into the kernel.
• Openwall GNU/Linux: A security-enhanced server operating system with Linux and GNU software as its core.
• Bastille Linux: The Bastille Hardening System attempts to “harden” or “tighten” UNIX operating systems.
• IPCop Firewall is one of the major Linux Firewall distributions.
• Knoppix security tools distribution focuses on information security and network management tools on a bootable CD.
• For more Linux security projects, look for Distributions: Secure on LinuxLinks.com.
• Find more resources for Linux developers in the developerWorks Linux zone.
• Get involved in the developerWorks community by participating in developerWorks forums and blogs.
• Purchase Linux books at discounted prices in the Linux section of the Developer Bookstore.
• Order the no-charge SEK for Linux, a two-DVD set containing the latest IBM trial software for Linux from DB2®, Lotus®, Rational®, Tivoli®, and WebSphere®.
• Innovate your next Linux development project with IBM trial software, available for download directly from developerWorks.