LinuxSecurity.com
Improving Linux Security Using Medusa

Medusa is a kernel patch that improves security by inserting a transparent protective layer between applications and system resources, enforcing access control on every resource it intercepts.

Brief


A project called Medusa provides a Linux kernel patch that intercepts certain kernel routines and queries an extra-kernel security provider.  While this is similar to PAM, it has a number of advantages.  First and foremost, applications are ignorant of the security system; they don't have to be specially coded to take advantage of the system.  Second, security applies to a wide range of system resources, with a high level of granularity.  Medusa, therefore, provides not only file-level access control, but can also be configured to control access to processes, or virtually any other system resource.

Detailed


Introduction


Security in Linux has, for a long time, been no better than in Unix generally; that is to say, "not good".  Linux security has been better than that of many other common operating systems, but it suffers from one fundamental flaw: the superuser.

Linux vs. MVS security


In Unix, if you compromise one particular user, 'root', you have access to the entire system; no action is denied you.  You can hack the system and then cover your tracks, erasing log files and planting back-doors.  This is a greater problem than it initially appears, because many daemons run as root.  Bugs in those daemons often lead to exploits that leave the intruder with root access, without the intruder ever having dealt with the normal Linux authentication mechanism.  Fixing security problems by addressing each bug in the daemons is akin to cutting heads off a hydra.  The bugs need to be addressed, but a better solution is one in which the amount of damage that can be caused by exploiting a bug in a program is minimized.

MVS does not have this problem.  Root's responsibilities are divided up among multiple administrative users, so that no one user alone can compromise a system.  It does this through a mechanism in the kernel that queries an external security manager program when certain kernel routines are called. Examples of these routines are exec(), kill(), nice(), and the various file access methods.  If the security manager allows the action, the kernel goes ahead and performs the action.

Taking the security manager out of the kernel has numerous advantages.  It allows the security manager to be updated without recompiling the kernel, it allows systems administrators to (more) easily implement their own security extensions, and by decoupling the kernel from security decisions it makes the system more modular.

There are several things that can be done with MVS-style security that simply can't be done with vanilla Unix, and which are not available through any single extension mechanism.  PAM allows Linux to swap out authentication mechanisms, but the software that uses PAM must be PAM-aware, and PAM's scope is strictly authentication.  You cannot, for instance, provide file system ACLs using PAM alone.  While there are some file systems and extensions to file systems that implement ACLs, they do not provide ACL control of processes.  There are few, if any, process control extensions, and those that do exist generally don't provide the ability to restrict root's god-like powers over the system.

Enter Medusa


Medusa, at http://medusa.fornax.sk/, is a project to provide MVS-like security management for Linux.  At this point, Medusa only exists for the Linux kernel.  Together with PAM, Medusa provides all of the tools that are needed to make Linux as secure as MVS.

Medusa consists primarily of a kernel patch and a security agent.  The kernel patch provides intercepts for certain kernel functions.  When one of these kernel functions is called, Medusa takes over and passes state information to the security agent process, which uses the information to decide whether or not to allow the action.  The security agent, called "constable", can choose to allow or deny the action, as well as redirect it.  Redirecting simply means performing some action other than the one requested.

With Medusa in place, the granularity of control over system security is much finer than that of vanilla Linux.  One of the most important ways that Medusa can help secure a system is in restricting root.  For example, a new user called "logadmin" could be created.  This user would be given complete control over the log files and the syslog daemon.  Even root would not be able to delete log files or kill the syslog daemon.  Therefore, even if root were compromised, the intruder would not be able to cover his or her tracks.  Obviously, a secure system would require more than just this, and would require a number of security checks for those actions which alone could compromise a system.

Another example of what can be done with Medusa is a configuration that allows all local processes access to /etc/passwd, but redirects all network processes that try to access /etc/passwd to /net/passwd.

Yet another feature of Medusa is the ability to grant access in a way impossible with vanilla Linux security: user-defined ACLs.  For example, user X could configure an ACL which would allow users Y and Z to renice X's "setiathome" process during the hours of 9:00 to 17:00, M-F.  File-level ACLs are also possible with Medusa.  The advantage here is that Medusa ACLs work identically across file systems, whereas most ACL mechanisms work by patching the file system code and therefore only work on one type of file system.

Rudimentary tests show that Medusa contributes little overhead, and it can be configured to bypass itself if the constable daemon is not running.  This means that you can install Medusa and experiment with the constable configuration file, restarting the constable daemon as you go, without worrying too much about locking up your system; if you feel like not using Medusa while you are testing it, simply don't run constable.

When you have your system configured the way you want it, and you are comfortable with your security model, you can replace the init daemon with an init wrapper supplied by Medusa which first runs constable and then runs the standard init daemon, thus ensuring that your security mechanism can't be bypassed with a simple reboot.
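The following is an added illustration, written for this page and not taken from the Medusa project, of the decision flow the two preceding sections describe: an intercepted kernel routine becomes an event, the event is handed to an out-of-kernel agent playing the "constable" role, and the agent answers ALLOW, DENY or REDIRECT (or the hook falls through when no agent is running).  The policy encodes the three examples above (a logadmin user who alone controls logs and syslogd, /etc/passwd redirected to /net/passwd for network processes, and a time-bound renice ACL).  Everything here is a simulation: the event fields, the rule functions and the `Constable` class are assumptions of this example, not constable's configuration language or the real kernel interface.

```python
"""Simulation of a Medusa-style external security manager (example code, not Medusa's own)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Iterable, Optional

ALLOW, DENY, REDIRECT = "ALLOW", "DENY", "REDIRECT"


@dataclass(frozen=True)
class Event:
    """State the (simulated) kernel intercept hands to the agent."""
    op: str                       # intercepted routine: "open", "write", "unlink", "kill", "nice"
    user: str                     # user the calling process runs as
    target: str                   # path or process name the routine acts on
    origin: str = "local"         # assumed attribute: "local" or "network" process ancestry
    when: datetime = field(default_factory=datetime.now)
    owner: str = ""               # owner of the target process, when the target is a process


@dataclass(frozen=True)
class Decision:
    verdict: str
    target: Optional[str] = None  # replacement target when verdict == REDIRECT


Rule = Callable[[Event], Optional[Decision]]   # a rule returns None when it does not apply

LOG_PATHS = ("/var/log/",)        # constructed sample policy data
SYSLOG_PROCESS = "syslogd"


def log_admin_rule(ev: Event) -> Optional[Decision]:
    """Only 'logadmin' may delete or write log files or signal syslogd; root gets no exemption."""
    touches_logs = ev.op in ("unlink", "write") and ev.target.startswith(LOG_PATHS)
    touches_syslog = ev.op == "kill" and ev.target == SYSLOG_PROCESS
    if touches_logs or touches_syslog:
        return Decision(ALLOW) if ev.user == "logadmin" else Decision(DENY)
    return None


def passwd_redirect_rule(ev: Event) -> Optional[Decision]:
    """Local processes reach the real /etc/passwd; network-spawned ones are redirected."""
    if ev.op in ("open", "write") and ev.target == "/etc/passwd" and ev.origin == "network":
        return Decision(REDIRECT, "/net/passwd")
    return None


def make_renice_acl(owner: str, grantees: Iterable[str], proc: str,
                    start_hour: int = 9, end_hour: int = 17) -> Rule:
    """User-defined ACL: grantees may renice owner's process on weekdays between the given hours."""
    grantees = set(grantees)

    def rule(ev: Event) -> Optional[Decision]:
        if ev.op != "nice" or ev.target != proc or ev.owner != owner:
            return None
        if ev.user == owner:
            return Decision(ALLOW)
        weekday = ev.when.weekday() < 5                      # Monday..Friday
        in_hours = start_hour <= ev.when.hour < end_hour     # 9:00 <= t < 17:00
        if ev.user in grantees and weekday and in_hours:
            return Decision(ALLOW)
        return Decision(DENY)                                # includes root: not owner, not granted
    return rule


class Constable:
    """Out-of-kernel agent: first matching rule decides; otherwise defer to normal kernel checks."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)

    def decide(self, ev: Event) -> Decision:
        for rule in self.rules:
            decision = rule(ev)
            if decision is not None:
                return decision
        return Decision(ALLOW)


def kernel_hook(agent: Optional[Constable], ev: Event) -> Decision:
    """The intercept: with no agent running, Medusa bypasses itself and the op proceeds unchanged."""
    if agent is None:
        return Decision(ALLOW)
    return agent.decide(ev)


if __name__ == "__main__":
    agent = Constable([log_admin_rule, passwd_redirect_rule,
                       make_renice_acl("x", {"y", "z"}, "setiathome")])
    for ev in (Event("unlink", "root", "/var/log/messages"),
               Event("kill", "logadmin", "syslogd"),
               Event("open", "nobody", "/etc/passwd", origin="network"),
               Event("nice", "root", "setiathome", owner="x")):
        print(ev.op, ev.user, ev.target, "->", kernel_hook(agent, ev))
```

Note that the intercept returns ALLOW when no agent is present, mirroring the bypass behaviour mentioned above; in a deployed system that is exactly why the init wrapper that starts constable before init matters, since otherwise a reboot without the agent leaves root unrestricted.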

Summary


Medusa is easy to install, it is small, and it is powerful.  Medusa provides high granularity in the control over system security.  It also provides the mechanism by which the greatest security hole that Linux inherited from Unix can be solved: the root user.

Disclaimer


I have no association with the Medusa development group, aside from the fact that I use their software.

(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.