Paranoid Penguin - Security Features in Debian 3.1
If you want a hypervisor-based virtual machine environment, such as Xen for Debian, you need to obtain and compile source code, though that's not too huge of a barrier. Debian has no Xen packages. Debian does include, however, binary packages for two other general-purpose virtual machine environments: user-mode Linux (UML) and Bochs. (It also includes Wine, but this is more of a shim for running specific Windows applications than a virtual machine per se.)
Of Debian's two officially supported virtual machines, user-mode Linux is probably the most viable option for using virtual hosts to segregate different application environments, for example, Apache on one virtual machine and BIND9 on another. This is because of performance limitations in Bochs: Bochs emulates every single x86 CPU instruction and all PC devices. Bochs therefore would appear to be more suited to single guest-system applications, such as running Windows applications on your Linux desktop system. The Bochs Project home page (see Resources) includes official documentation and links to mailing lists, discussion boards and so forth. Debian's bochs-doc package also contains Bochs documentation.
User-mode Linux doesn't support Windows guest systems, but it is much faster than Bochs and has the added advantage of running all guest systems' kernels as nonprivileged users (that is, not as root, like the underlying “host” kernel). See Debian's user-mode-linux-doc package for more information. If you run a Debian guest on an underlying Debian host, you may need to install the user-mode-linux package (on the guest) from Debian's unstable release—the stable version is unavailable for some reason.
I must add a disclaimer at this point: I've never used UML myself, being a VMware user of long standing (see my review of VMware Desktop 5.5 on page 56). Therefore, I can't tell you firsthand how to use UML or even how well it works in Debian.
Several packages in Debian GNU/Linux 3.1 enhance local access controls. The trustees package lets you define multiple sets of permissions on a single file/directory/device object by associating a trustee object with it. For example, you can give members of the users group read-only access to the file foo.txt, and give members of the foomasters group write privileges to the same file.
A much more comprehensive set of controls is provided by SELinux, the US National Security Agency's type-enforcement and role-based access control system for the Linux kernel. SELinux makes it possible to manage users, groups and system resources with a very high level of granularity, even to the extent of making it possible to restrict root's own privileges.
The trade-off is complexity. Creating and managing SELinux policies that don't impair needed functionality can be involved. Luckily, besides its standard selinux-utils package, Debian includes checkpolicy, an SELinux policy compiler, and setools, a group of utilities for analyzing SELinux policies and managing users.
If SELinux is more than you're willing to tackle, Debian provides several other tools for delegating root's authority. sudo, of course, is the classic in this category, but there's also osh, the Operator's Shell.
Another interesting category of tools that are well represented in Debian are limited-feature Secure Shell (SSH) tools. SSH, of course, is an encrypted, strongly authenticated means of running remote shells, executing remote commands and even for tunneling other TCP-based network applications including the X Window System. But what if you want to offer users only a subset of SSH functionality—for example, encrypted file transfers, without giving them shell access?
Two Debian packages that address this problem are rssh, which allows users to use scp, rdist, rsync, cvs or sftp over SSH without actual shell access, and scponly, which allows scp without allowing remote shells.
The last category of security tools I highlight here is filesystem encryption. These are different from more general-purpose encryption tools, such as gnupg and bcrypt, which are used to encrypt individual files. Filesystem encryption tools let you encrypt entire volumes (directory structures), for example, on USB drives and other removable media.
Three Debian packages that provide filesystem encryption are cryptsetup, which manages loopback-device encryption via the Linux 2.6 kernel's dm-crypt functionality; encfs, which doesn't require use of loopback devices; and lufs-cryptofs, an encryption module for the Linux Userland Filesystem (lufs). Of the three, cryptsetup offers the best performance, because it operates at the kernel level. The user-space filesystems, encfs and lufs, work at a higher layer of abstraction than the kernel—that is, they're less efficient. They're also, however, more useful for networked filesystems.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Chris Birchall's Re-Engineering Legacy Software (Manning Publications)
- Petros Koutoupis' RapidDisk
- ServersCheck's Thermal Imaging Camera Sensor
- Linux Mint 18
- The Italian Army Switches to LibreOffice
- Cipher Security: How to harden TLS and SSH
- Firefox 46.0 Released
- Oracle vs. Google: Round 2
- The FBI and the Mozilla Foundation Lock Horns over Known Security Hole
Until recently, IBM’s Power Platform was looked upon as being the system that hosted IBM’s flavor of UNIX and proprietary operating system called IBM i. These servers often are found in medium-size businesses running ERP, CRM and financials for on-premise customers. By enabling the Power platform to run the Linux OS, IBM now has positioned Power to be the platform of choice for those already running Linux that are facing scalability issues, especially customers looking at analytics, big data or cloud computing.
￼Running Linux on IBM’s Power hardware offers some obvious benefits, including improved processing speed and memory bandwidth, inherent security, and simpler deployment and management. But if you look beyond the impressive architecture, you’ll also find an open ecosystem that has given rise to a strong, innovative community, as well as an inventory of system and network management applications that really help leverage the benefits offered by running Linux on Power.Get the Guide