Friday, February 15, 2013

Make production Linux system more like LiveCD

I had a few thoughts about making Linux more secure by way of a few mechanisms already in the operating system.

The Linux filesystem includes the ability to make a file immutable, i.e., it cannot be changed, only read. It should be possible to make a version of yum, or any updater, aware of this feature. In that case, when a system update comes in, the updater verifies all of the signatures and security of the files, then briefly turns off the immutable flag on the file to be updated, overwrites that file, and turns the immutable flag back on. This would prevent an attacker from changing critical system files with malicious code.

The files in sbin should only be executed by root, so their permissions should be 500, since there is no need to write to any of these files. If a user needs to run one of these files, they will need sudo access to it.

There should be no files in the sbin or bin directory that have any world permission bits set, and no write bits should be set either.

Configuration files should also be immutable, with a separate program to modify them. This should include a way to verify that the file was only changed by this program: a hash signature tied to a database that can be checked.

Log files should be set with the append-only flag, and when they are rolled over they should be set with the immutable flag until they are ready to be deleted.

Library files need to be just library files. The system should check, when a library file is loaded, that it really is a library file and not an executable. Executable files need to be labeled as such and live in the bin or sbin directory.

The system would need a program that verifies the signatures of the files on the system, much like 'rpm -Va', but with additional checks to make sure that the files are immutable and that configuration files have only been updated by their configuration programs.
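As an added example (not code from the original post), here is a small Python audit of the sbin permission rules above together with the immutable check such a verifier would need: it flags any regular file with world bits or write bits set and, when `lsattr` is available, any file missing the `i` flag. The directory and file names in the constructed sample are placeholders, not a real sbin.

```python
"""Audit a bin/sbin-style directory against the rules above: no world bits,
no write bits, and (optionally, via lsattr) the immutable flag set."""
import os, stat, subprocess, tempfile
from pathlib import Path

WORLD_BITS = stat.S_IRWXO                                # r/w/x for "other"
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH  # any write bit

def mode_findings(mode):
    """Rule violations for one permission mode (pure function, no I/O)."""
    findings = []
    if mode & WORLD_BITS:
        findings.append("world bits set")
    if mode & WRITE_BITS:
        findings.append("write bits set")
    return findings

def is_immutable(path):
    """True/False from lsattr's 'i' flag, or None when it cannot be read
    (lsattr missing, or a filesystem without ext-style attributes)."""
    try:
        out = subprocess.run(["lsattr", "-d", str(path)], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return "i" in out.split()[0]       # first field is the flag string

def audit_dir(directory, require_immutable=False):
    """Map each offending regular file in directory to its list of findings."""
    report = {}
    for entry in sorted(Path(directory).iterdir()):
        st = entry.lstat()
        if not stat.S_ISREG(st.st_mode):    # skip symlinks, subdirs, devices
            continue
        findings = mode_findings(stat.S_IMODE(st.st_mode))
        if require_immutable and is_immutable(entry) is False:
            findings.append("immutable flag not set")
        if findings:
            report[entry.name] = findings
    return report

def build_sample_dir():
    """Constructed sample (not a real sbin): one compliant 0500 file, two offenders."""
    d = tempfile.mkdtemp(prefix="sbin-audit-")
    for name, mode in (("halt", 0o500), ("ifconfig", 0o755), ("sysctl", 0o640)):
        p = Path(d, name)
        p.write_text("#!/bin/sh\nexit 0\n")
        os.chmod(p, mode)
    return d
```

Running `audit_dir("/sbin", require_immutable=True)` as root gives the combined permission and immutability report; on a filesystem without chattr support the immutable check is reported as unknown rather than as a violation.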

All of the above checks could then be used by a kernel that verifies the signature of a program before allowing it to execute.

All of the pieces to make this happen are in Linux today; they just need to be pulled together.

Ultimately the operating system would need to split into two versions: one without these protections, for development, and the other for production. The development version would be used by the developers, and when they are done, the program files would need to be packaged up and signed. This would enable the production system to verify that the code has met some form of security requirement before being installed on the system.
