Chapter 8. Layered Security Using Enterprise-Class Open Source Tools

Because any system is only as strong as the weakest link in its security armor, EnGarde Secure Linux defends itself using layers of open source defenses, extending from the Linux kernel out to the boundaries of the public network. In this chapter, you will be introduced to the most important of these defensive technologies, beginning with SELinux, and will learn how they are managed through WebTool.

8.1. SELinux and Mandatory Access Control

The greatest weakness of most operating systems, both open source and proprietary, is their vulnerability to compromise through the subversion of user privileges, leading to compromise of the all-powerful root account, a process sometimes referred to as privilege escalation. EnGarde Secure Linux neutralizes these attacks and prevents rootkit and even "zero-day" attacks by implementing Security-Enhanced Linux (SELinux), a security model that places every process and application under the control of an individualized security policy defining the actions the process may take and the resources it may access; hence the access control is "mandatory" rather than merely "discretionary". Unlike many systems that use SELinux, EnGarde comes out of the box with a fully developed SELinux policy for every service and application.

To help you manage the SELinux policy environment, WebTool offers a unique SELinux Control Console. To open the console, select SELinux Control Console from the System menu:

Figure 8-1. SELinux Control Console

Because Guardian Digital has created a uniquely secure SELinux environment for EnGarde Secure Linux, adding packages not included in EnGarde's base installation or modifying the services you have installed may require you to temporarily disable SELinux policy enforcement or to disable specific restrictions. The SELinux Control Console makes these changes easy: the Toggle Current Mode action turns off policy enforcement while policy violations continue to be monitored and logged. Click Toggle Current Mode, then click the Yes, Disable Enforcing Mode button, and your machine will be put into Permissive Mode. You will then see the Current Mode change from Enabled to Permissive.

You can also disable specific elements of policy by changing the status of policy "boolean" switches. For example, you can allow your Web server and its CGI or PHP scripts to communicate with HTTP/HTTPS services on remote machines by toggling the httpd_script_remote boolean setting.
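Permissive Mode keeps logging the violations that enforcement would have blocked, and those logged denials are what tell you whether a boolean such as httpd_script_remote is the right fix for a newly added package. The following script is an added example, not part of the EnGarde documentation or of WebTool; the audit records in it are constructed, and the mapping from denial to boolean is a heuristic based only on the description above.

```shell
#!/bin/sh
# Added example (not from the EnGarde documentation): summarise the AVC
# denials that SELinux keeps logging while a host runs in Permissive Mode,
# so you can see which restriction a new package trips before deciding
# whether a boolean (or a policy change) is the right fix.
# The audit records below are constructed for this example; on a real host
# replace them with:  ausearch -m AVC -ts recent | summarise_avc

SAMPLE_AVC='type=AVC msg=audit(1180000000.101:201): avc:  denied  { name_connect } for  pid=2301 comm="httpd" dest=443 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket
type=AVC msg=audit(1180000000.102:202): avc:  denied  { name_connect } for  pid=2302 comm="php-cgi" dest=80 scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket
type=AVC msg=audit(1180000000.103:203): avc:  denied  { read } for  pid=2400 comm="httpd" name="config.php" dev=sda3 ino=1234 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1180000000.104:204): avc:  denied  { name_connect } for  pid=2303 comm="httpd" dest=443 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket'

# summarise_avc: read audit lines on stdin and print one line per distinct
# denial signature, "count scontext tclass {permission}", noisiest first.
summarise_avc() {
  awk '/avc: *denied/ {
      perm = $0
      sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
      sc = "?"; tc = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) sc = substr($i, 10)
        if ($i ~ /^tclass=/)   tc = substr($i, 8)
      }
      count[sc " " tc " {" perm "}"]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# count_signatures: how many distinct denial signatures the input contains
count_signatures() { summarise_avc | wc -l | tr -d ' '; }

# suggest_boolean: for the web-to-remote-HTTP case the chapter describes,
# name the boolean that relaxes it; anything else needs a closer look.
# Heuristic mapping written for this example, not an exhaustive table.
suggest_boolean() {
  awk '/httpd(_sys_script)?_t tcp_socket [{]name_connect[}]/ {
         print "httpd_script_remote (SELinux Boolean list in WebTool)"; next }
       { print "no boolean suggested: review policy for " $2 " on " $3 }'
}

printf '%s\n' "$SAMPLE_AVC" | summarise_avc
printf '%s\n' "$SAMPLE_AVC" | summarise_avc | suggest_boolean
```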

The SELinux Control Console also illustrates the EnGarde contextual help system found in all WebTool modules. To see specific help text for any field in a module, for example in the SELinux Boolean list above, just hold your mouse over the field and an explanatory text box will appear until you move the mouse off it.