Paranoid Penguin - Security Features in Debian 3.1
If you want a hypervisor-based virtual machine environment, such as Xen for Debian, you need to obtain and compile source code, though that's not too huge of a barrier. Debian has no Xen packages. Debian does include, however, binary packages for two other general-purpose virtual machine environments: user-mode Linux (UML) and Bochs. (It also includes Wine, but this is more of a shim for running specific Windows applications than a virtual machine per se.)
Of Debian's two officially supported virtual machines, user-mode Linux is probably the most viable option for using virtual hosts to segregate different application environments, for example, Apache on one virtual machine and BIND9 on another. This is because of performance limitations in Bochs: Bochs emulates every single x86 CPU instruction and all PC devices. Bochs therefore would appear to be more suited to single guest-system applications, such as running Windows applications on your Linux desktop system. The Bochs Project home page (see Resources) includes official documentation and links to mailing lists, discussion boards and so forth. Debian's bochs-doc package also contains Bochs documentation.
User-mode Linux doesn't support Windows guest systems, but it is much faster than Bochs and has the added advantage of running all guest systems' kernels as nonprivileged users (that is, not as root, like the underlying “host” kernel). See Debian's user-mode-linux-doc package for more information. If you run a Debian guest on an underlying Debian host, you may need to install the user-mode-linux package (on the guest) from Debian's unstable release—the stable version is unavailable for some reason.
I must add a disclaimer at this point: I've never used UML myself, being a VMware user of long standing (see my review of VMware Desktop 5.5 on page 56). Therefore, I can't tell you firsthand how to use UML or even how well it works in Debian.
Several packages in Debian GNU/Linux 3.1 enhance local access controls. The trustees package lets you define multiple sets of permissions on a single file/directory/device object by associating a trustee object with it. For example, you can give members of the users group read-only access to the file foo.txt, and give members of the foomasters group write privileges to the same file.
A much more comprehensive set of controls is provided by SELinux, the US National Security Agency's type-enforcement and role-based access control system for the Linux kernel. SELinux makes it possible to manage users, groups and system resources with a very high level of granularity, even to the extent of making it possible to restrict root's own privileges.
The trade-off is complexity. Creating and managing SELinux policies that don't impair needed functionality can be involved. Luckily, besides its standard selinux-utils package, Debian includes checkpolicy, an SELinux policy compiler, and setools, a group of utilities for analyzing SELinux policies and managing users.
If SELinux is more than you're willing to tackle, Debian provides several other tools for delegating root's authority. sudo, of course, is the classic in this category, but there's also osh, the Operator's Shell.
Another interesting category of tools that are well represented in Debian are limited-feature Secure Shell (SSH) tools. SSH, of course, is an encrypted, strongly authenticated means of running remote shells, executing remote commands and even for tunneling other TCP-based network applications including the X Window System. But what if you want to offer users only a subset of SSH functionality—for example, encrypted file transfers, without giving them shell access?
Two Debian packages that address this problem are rssh, which allows users to use scp, rdist, rsync, cvs or sftp over SSH without actual shell access, and scponly, which allows scp without allowing remote shells.
The last category of security tools I highlight here is filesystem encryption. These are different from more general-purpose encryption tools, such as gnupg and bcrypt, which are used to encrypt individual files. Filesystem encryption tools let you encrypt entire volumes (directory structures), for example, on USB drives and other removable media.
Three Debian packages that provide filesystem encryption are cryptsetup, which manages loopback-device encryption via the Linux 2.6 kernel's dm-crypt functionality; encfs, which doesn't require use of loopback devices; and lufs-cryptofs, an encryption module for the Linux Userland Filesystem (lufs). Of the three, cryptsetup offers the best performance, because it operates at the kernel level. The user-space filesystems, encfs and lufs, work at a higher layer of abstraction than the kernel—that is, they're less efficient. They're also, however, more useful for networked filesystems.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Firefox 46.0 Released
- Ubuntu Online Summit
- Devuan Beta Release
- The Qt Company's Qt Start-Up
- May 2016 Issue of Linux Journal
- The US Government and Open-Source Software
- The Death of RoboVM
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Open-Source Project Secretly Funded by CIA
- New Container Image Standard Promises More Portable Apps
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide