Friday, June 18, 2021

Tip of the Trade: Grsecurity

Although SELinux and AppArmor get all the attention as the hot new Mandatory Access Control (MAC) infrastructures for Linux and Unix kernels, there is an oft-neglected, battle-scarred oldtimer that has long served well using Role-Based Access Controls (RBAC): grsecurity.

RBAC is similar to MAC but is more flexible and easier to manage. Suppose you’re running a Web server: With grsecurity, you’ll create a role or a number of roles, depending on the complexity of your server, for the various services and processes needed to run the server. Each role will have a set of permissions that ideally will be the minimum necessary, and no more. You’ll have system users and human users, just like in an ordinary Unix system.

However, instead of controlling access with users, groups and file permissions, the users are assigned specific roles. Like SELinux and AppArmor, grsecurity takes away the power of root compromises.
This opens up all kinds of possibilities for delegating and controlling resources. Rather than hassling with permissions and ownership, you can create different roles for different situations (e.g., users who require only a limited set of network clients, such as e-mail and Web browsers, or server administrators restricted to a limited set of services). You can easily assign a junior admin control of an NFS server without giving him keys to the kingdom, and you can just as easily take it away.

grsecurity scales up nicely, as demonstrated by the hosting company Dreamhost, which uses grsecurity to manage shared hosting accounts. It comes with a “learning” tool that builds system policies for you. Visit grsecurity for excellent documentation and help. Kernel Rebuild Guide may also be helpful.

This article was first published on ServerWatch.com.

Similar articles

Latest Articles

GDPR Compliance & Requirements...

The General Data Protection Regulation (GDPR) has positioned itself as one of the strictest laws for the privacy of consumer data, and it's still...

HIPAA Compliance & Regulations...

The Health Insurance Portability and Accountability Act (HIPAA) is one of the most well-known pieces of legislation in health care and related industries. But...

Top Cloud Security Companies...

Cloud security solutions are generally deployed and used to help protect workloads running in both private clouds and across the major public cloud services...

Top Data Visualization Tools...

The amount of data generated and consumed by organizations is growing at an astounding rate. The total volume of data and information worldwide has...