Paranoid Penguin - Security Features in Debian 3.1
If you want a hypervisor-based virtual machine environment, such as Xen for Debian, you need to obtain and compile source code, though that's not too huge of a barrier. Debian has no Xen packages. Debian does include, however, binary packages for two other general-purpose virtual machine environments: user-mode Linux (UML) and Bochs. (It also includes Wine, but this is more of a shim for running specific Windows applications than a virtual machine per se.)
Of Debian's two officially supported virtual machines, user-mode Linux is probably the most viable option for using virtual hosts to segregate different application environments, for example, Apache on one virtual machine and BIND9 on another. This is because of performance limitations in Bochs: Bochs emulates every single x86 CPU instruction and all PC devices. Bochs therefore would appear to be more suited to single guest-system applications, such as running Windows applications on your Linux desktop system. The Bochs Project home page (see Resources) includes official documentation and links to mailing lists, discussion boards and so forth. Debian's bochs-doc package also contains Bochs documentation.
User-mode Linux doesn't support Windows guest systems, but it is much faster than Bochs and has the added advantage of running all guest systems' kernels as nonprivileged users (that is, not as root, like the underlying “host” kernel). See Debian's user-mode-linux-doc package for more information. If you run a Debian guest on an underlying Debian host, you may need to install the user-mode-linux package (on the guest) from Debian's unstable release—the stable version is unavailable for some reason.
I must add a disclaimer at this point: I've never used UML myself, being a VMware user of long standing (see my review of VMware Desktop 5.5 on page 56). Therefore, I can't tell you firsthand how to use UML or even how well it works in Debian.
Several packages in Debian GNU/Linux 3.1 enhance local access controls. The trustees package lets you define multiple sets of permissions on a single file/directory/device object by associating a trustee object with it. For example, you can give members of the users group read-only access to the file foo.txt, and give members of the foomasters group write privileges to the same file.
A much more comprehensive set of controls is provided by SELinux, the US National Security Agency's type-enforcement and role-based access control system for the Linux kernel. SELinux makes it possible to manage users, groups and system resources with a very high level of granularity, even to the extent of making it possible to restrict root's own privileges.
The trade-off is complexity. Creating and managing SELinux policies that don't impair needed functionality can be involved. Luckily, besides its standard selinux-utils package, Debian includes checkpolicy, an SELinux policy compiler, and setools, a group of utilities for analyzing SELinux policies and managing users.
If SELinux is more than you're willing to tackle, Debian provides several other tools for delegating root's authority. sudo, of course, is the classic in this category, but there's also osh, the Operator's Shell.
Another interesting category of tools that are well represented in Debian are limited-feature Secure Shell (SSH) tools. SSH, of course, is an encrypted, strongly authenticated means of running remote shells, executing remote commands and even for tunneling other TCP-based network applications including the X Window System. But what if you want to offer users only a subset of SSH functionality—for example, encrypted file transfers, without giving them shell access?
Two Debian packages that address this problem are rssh, which allows users to use scp, rdist, rsync, cvs or sftp over SSH without actual shell access, and scponly, which allows scp without allowing remote shells.
The last category of security tools I highlight here is filesystem encryption. These are different from more general-purpose encryption tools, such as gnupg and bcrypt, which are used to encrypt individual files. Filesystem encryption tools let you encrypt entire volumes (directory structures), for example, on USB drives and other removable media.
Three Debian packages that provide filesystem encryption are cryptsetup, which manages loopback-device encryption via the Linux 2.6 kernel's dm-crypt functionality; encfs, which doesn't require use of loopback devices; and lufs-cryptofs, an encryption module for the Linux Userland Filesystem (lufs). Of the three, cryptsetup offers the best performance, because it operates at the kernel level. The user-space filesystems, encfs and lufs, work at a higher layer of abstraction than the kernel—that is, they're less efficient. They're also, however, more useful for networked filesystems.
Getting Started with DevOps - Including New Data on IT Performance from Puppet Labs 2015 State of DevOps Report
August 27, 2015
12:00 PM CDT
DevOps represents a profound change from the way most IT departments have traditionally worked: from siloed teams and high-anxiety releases to everyone collaborating on uneventful and more frequent releases of higher-quality code. It doesn't matter how large or small an organization is, or even whether it's historically slow moving or risk averse — there are ways to adopt DevOps sanely, and get measurable results in just weeks.
Free to Linux Journal readers.Register Now!
- Hacking a Safe with Bash
- Django Models and Migrations
- Secure Server Deployments in Hostile Territory, Part II
- The Controversy Behind Canonical's Intellectual Property Policy
- Huge Package Overhaul for Debian and Ubuntu
- Home Automation with Raspberry Pi
- Shashlik - a Tasty New Android Simulator
- Embed Linux in Monitoring and Control Systems
- KDE Reveals Plasma Mobile
- diff -u: What's New in Kernel Development