Although SELinux and AppArmor get all the attention as the hot new Mandatory Access Control (MAC) infrastructures for Linux and Unix kernels, there is an oft-neglected, battle-scarred oldtimer that has long served well using Role-Based Access Controls (RBAC): grsecurity.
RBAC is similar to MAC but is more flexible and easier to manage. Suppose you're running a Web server: With grsecurity, you'll create a role or a number of roles, depending on the complexity of your server, for the various services and processes needed to run the server. Each role will have a set of permissions that ideally will be the minimum necessary, and no more. You'll have system users and human users, just like in an ordinary Unix system.
However, instead of controlling access with users, groups and file permissions, the users are assigned specific roles. Like SELinux and AppArmor, grsecurity takes away the power of root compromises. This opens up all kinds of possibilities for delegating and controlling resources. Rather than hassling with permissions and ownership, you can create different roles for different situations (e.g., users who require only a limited set of network clients, such as e-mail and Web browsers, or server administrators restricted to a limited set of services). You can easily assign a junior admin control of an NFS server without giving him keys to the kingdom, and you can just as easily take it away.
grsecurity scales up nicely, as demonstrated by the hosting company Dreamhost, which uses grsecurity to manage shared hosting accounts. It comes with a "learning" tool that builds system policies for you. Visit grsecurity for excellent documentation and help. Kernel Rebuild Guide may also be helpful.
This article was first published on ServerWatch.com.
One of the ways around the issues of security and control that make some businesses wary of cloud computing is to build a private cloud -- one that remains within the corporate firewall and is wholly controlled internally. Private clouds also increase the agility of IT an organization's IT infrastructure and make it easier to roll out new technology projects. Download this eBook to get the facts behind the private cloud and learn how your organization can get started.