Hardening your operating system? Red Hat Enterprise Linux to the rescue!

Security is important in enterprise scenarios, where core business applications need to run seamlessly but are often connected to the external world where they are vulnerable to attack.

Malware, unauthorized access to files and execution of unverified code are just some examples of how system security can be compromised, not only by exploiting known bugs and vulnerabilities, but also by the lack of appropriate countermeasures.

Red Hat Enterprise Linux (RHEL) can help, as it provides some tools and services that can natively support the process of system hardening to help make your system more secure.

In this article, we explore some of the tools included in RHEL that will help you start hardening your systems to better prevent access to files, processes and applications.

Implementing access control with SELinux

Many RHEL customers and users have experienced issues when trying to run custom applications, operating on standard folders and locations of common processes, or even just trying to open ports for their web services.

In 99% of these cases, the "issues" were caused by Security-Enhanced Linux (SELinux).

SELinux comes enabled by default in RHEL and it is a security framework that helps system administrators implement Mandatory Access Control (MAC) instead of Discretionary Access Control (DAC). MAC takes into account access modes, groups and users that can operate on files, folders and applications. Additionally, it implements a complex set of access rules, based on labels and types, that uniquely identify which processes can access specific files, folders and ports.

MAC example

Let's look at httpd as an example:

• Httpd runs with a default SELinux type of httpd_d
• The folder /var/www/html/ has httpd_sys_content_t
• SELinux expects the process to access specific ports (80, 443, 8080, 8443 among others) and has assigned those ports a specific label, http_port_t

Suppose we try to run httpd with a different folder (i.e. /var/www/my_site) and a different port (i.e. 4449). When we try to start the httpd service, SELinux will prevent it until we manually add the new folder and the chosen port to the labels mentioned above.

Rules for most of the applications and processes that are shipped with RHEL are already established, but they can be customized and extended to match your needs, so you can adapt them to custom applications.

Out of the box, RHEL offers a dedicated system role for Ansible that will simplify and automate the operations involving SELinux labeling and verification.

Preventing non-standard applications from running in your environment with fapolicyd

With SELinux we can control how processes can access files, folders and ports, but what if we want to make sure that only what comes with the RHEL can be executed?

fapolicyd is a lightweight security framework that includes a daemon whose role is to make sure that only applications that are installed as trusted RPMs can be executed.

This is possible because fapolicyd uses a specific database and a set of rules that keeps track of packages and their content that are installed using the package manager (and are present in the RPM database), so those, and only those, can be executed.

With fapolicyd installed and running in your RHEL machine, trying to create and run a Bash script or move and run the default applications present in the /usr/bin or /bin folders elsewhere in the system will result with a permission denied error.

Similar to SELinux, fapolicyd comes with a set of predefined rules that can be easily extended to match your operative requirements, also covering rules for scripts, MIME types and more.

By default, fapolicyd operates on byte size of the executable, but it can also support integrity checking.  This means that even if an attacker manages to replace an executable with a malicious version that's the same size, fapolicyd can still prevent it from running.

This is crucial when it comes to preventing unwanted applications such as rootkits, malware or any other harmful executables from running and disrupting your system.

Intrusion detection made simple - AIDE, IMA and EVM

One of the most common attack vectors is when existing files and processes are altered to inject malicious code or configurations, making the system vulnerable to attacks or exploits.

Advanced Intrusion Detection Environment (AIDE) is a tool, included in RHEL, that enables integrity checks for the whole system, maintaining an updated database of all files and folders to track any added or removed files, location changes or other suspicious activity.

The database can be updated using a cron job, so it is always up-to-date and aligned with the current system status.

RHEL also supports a lower-level Integrity Measurement Architecture (IMA) that is implemented at kernel level. This supports creating and maintaining hashes of all local files, and can implement a runtime check using a kernel hook to prevent executing and/or accessing files that have been altered or have failed verification checks.

If used in combination with the Extended Verification Module (EVM) kernel module, the kernel can also perform checks on the extended attributes of files, drastically reducing the chances that any modification performed by a malicious entity can compromise the integrity of the system.

Wrap up

The tools we discussed here are just some of the utilities and frameworks that RHEL includes to improve system security and integrity.

In a previous article, we also covered how Red Hat Insights, the SaaS (Software as a Service) solution hosted on Red Hat Console can be used to detect malware in systems.

Please don’t hesitate to contact us if you would like to learn more!

Further reading

• Enhancing security with the Kernel integrity subsystem
• RHEL Security hardening