Security has always been a trending topic for IT managers, but after the latest ransomware episodes we have seen at Garmin, MAPFRE and others, every technology manager is more worried and sees security as a real problem for everyone. Remember, a security breach is like a fire in your house: nobody thinks it can happen, but once it does, it is too late to buy a fire extinguisher.
This article is the first in a series of articles I’ll post here explaining security hardening techniques for Informix on Red Hat EL 8 servers. Usually, at IIUG Conferences, presenters treat Informix security as the capability to secure access to data. These posts will explain some RHEL 8 procedures to harden Informix servers so that they do not become a security breach in your organization. The techniques explained in these posts will also work on all RHEL derivatives like CentOS, Fedora, ROSA or ClearOS.
As I explained to attendees of my presentation at last year’s IIUG Conference, security is like a toothache. The more security techniques you implement in your organization, the fewer hours of sleep and the more nightmares you get. But even though security is not easy to implement and hard to maintain, you should realize that you need to keep your IT environment as secure as possible. It is really worth it!
There are bad guys out there, and if they target your organization you’ll be in big trouble. Attackers usually gain access to systems through simple flaws in servers: bad passwords, systems not protected by a firewall, outdated software, etc. If you keep your servers secured by following security procedures, getting in from outside will be really hard.
What is system “hardening”?
Hardening a system is the act of making the system more secure, a more difficult target for the bad guys. Imagine you had a white picket fence protecting your home. It’s probably enough to keep the honest people out. They see the fence and decide to respect the fact that you obviously don’t want people in your yard.
Hardening would be like upgrading the white picket fence to a six-foot-tall chain-link one and adding a latch with a lock on it. This will keep most people, even thieves, out. But a good thief is going to climb over your fence.
You can build a 12-foot-tall concrete wall and put in a door with 6 locks. Nobody will be able to enter your house, and you’ll keep out even your friends. Nobody is going to visit you, and your home will become like a prison.
So, securing your systems isn’t about being completely unbreakable; it’s about being just secure enough to be really hard to break into, while still open enough that your system can actually do what it’s designed to do.
SCAP Security Rules (Perimeter server security)
The National Institute of Standards and Technology (NIST) developed the Security Content Automation Protocol (SCAP), creating rules for hardening all kinds of IT systems. You can get more information about SCAP at: https://csrc.nist.gov/CSRC/media/Projects/Security-Content-Automation-Protocol/documents/docs/scap-nistir-7343.pdf
In summary, focusing on Linux servers, we can say SCAP is a checklist of rules to make your servers more secure.
The OpenSCAP project is a collection of open source tools to implement and comply with this standard, and was certified SCAP 1.2 by NIST in 2014. The SCAP Security Guide, together with the OpenSCAP tools, can be used for the implementation of continuous management of security in an automated way in your organization.
Governments worldwide are treating security as a global threat that we all must face. As an example, the Spanish National Security Agency has also developed an open list of documents with rules to secure all kinds of IT devices and operating systems. For all our Spanish-speaking readers, you can get all these manuals at: https://www.ccn-cert.cni.es/guias/guias-series-ccn-stic/guias-de-acceso-publico-ccn-stic.html
Inside OpenSCAP we find:
- SCAP Workbench: The graphical scap-workbench utility designed to perform configuration and vulnerability scans on a single local or remote system. It can also be used to generate security reports based on these scans and evaluations.
- OpenSCAP: The oscap command line utility designed to perform configuration and vulnerability scans on a local system, to validate security compliance content, and to generate reports and guides based on these scans and evaluations.
- Script Check Engine: SCE is an extension to the SCAP protocol that allows administrators to write their security content using a scripting language, such as Bash, Python, or Ruby.
- SCAP Security Guide: The scap-security-guide package that provides an up-to-date collection of security policies for Linux systems. The guide consists of a catalog of practical tips for providing security, linked to the requirements of the corresponding IT governance. The project connects generalized policy requirements and specific implementation guidelines.
The SCAP protocol is a model that tries to respond to the needs identified in the analysis of IT security. It is also an open specification, which makes it especially interesting because any person or entity that wishes to participate in its evolution can use and modify it.
OpenSCAP is included in RHEL 8, and you can get the list of packages by executing: dnf search openscap
The purpose of this article is SELinux, not Linux perimeter security, and there are lots of articles on the Internet explaining how to install and use the OpenSCAP tools. If you like this article and want me to explain more about some security topic like OpenSCAP, just drop me an e-mail.
About SELinux (Mandatory Access Control)
The predominant type of access control we have inherited in all our operating systems is named discretionary access control (DAC). The primary feature of DAC is that individual users, often a resource “owner”, can specify who may or may not access the resource. As you will see, DAC has some fundamental security weaknesses that are intrinsic to its nature. To overcome these weaknesses, the computer security community has been trying to develop useful mandatory access control (MAC) mechanisms. MAC is intended to avoid the weaknesses of DAC while providing the security required. Unfortunately, creating a useful MAC mechanism that is secure yet flexible enough to address a wide range of problems has proven difficult. The primary value that SELinux brings to Linux is a flexible, configurable MAC mechanism.
SELinux defines the access and transition rights of every user, application, process, and file on the system. SELinux then governs the interactions of these entities using a security policy that specifies how strict or lenient a given Red Hat Enterprise Linux installation should be.
When a subject (for example, an application) attempts to access an object (for example, a file or a network port), the policy enforcement server in the kernel checks whether the application has explicit access to this resource. By default, all resources and actions are forbidden. SELinux has fine-grained access permissions: for a file, for example, you can grant read, write, open, append, rename, link, unlink, etc.
I’m not going to explain SELinux internals, but I understand that reading technical documentation about SELinux can be like “The Matrix”. It’s hard to understand what’s going on, but if somebody opens your eyes, then everything is crystal clear.
If you want me to explain more about SELinux, just drop me an e-mail.
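To make the DAC versus MAC difference from the paragraphs above concrete, here is a small added example (not part of the original article, and not SELinux code or its policy language). It models the two properties described: under DAC the file owner and root decide, while under MAC an explicit allow rule is required for each fine-grained operation and everything else is denied, whatever the mode bits say. The labels dbserver_t, dbserver_log_t and admin_shell_t, the rule set and the mode bits are all constructed for the demo.

```python
"""Toy model of DAC versus MAC access decisions (constructed example, not SELinux code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Fine-grained operations, mapped to the coarse DAC bit each one needs.
DAC_BIT = {"read": 4, "open": 4, "write": 2, "append": 2, "execute": 1}


@dataclass(frozen=True)
class Subject:
    uid: int
    domain: str        # MAC label of the process, e.g. "dbserver_t" (invented)


@dataclass(frozen=True)
class Obj:
    owner_uid: int
    mode: int          # POSIX mode bits, e.g. 0o644
    type_: str         # MAC label of the object, e.g. "dbserver_log_t" (invented)
    cls: str           # object class: "file", "tcp_socket", ...


def dac_allows(subj: Subject, obj: Obj, op: str) -> bool:
    """Discretionary check: root bypasses; the owner uses the owner bits,
    everyone else the 'other' bits (group bits ignored for brevity)."""
    if subj.uid == 0:
        return True
    shift = 6 if subj.uid == obj.owner_uid else 0
    return bool((obj.mode >> shift) & DAC_BIT[op])


class Policy:
    """Default-deny rule set keyed by (subject domain, object type, object class)."""

    def __init__(self) -> None:
        self.rules: Dict[Tuple[str, str, str], Set[str]] = {}
        # Audit trail of denied (domain, type, class, op), in the spirit of an AVC denial.
        self.denials: List[Tuple[str, str, str, str]] = []

    def allow(self, domain: str, type_: str, cls: str, ops: Set[str]) -> None:
        self.rules.setdefault((domain, type_, cls), set()).update(ops)

    def mac_allows(self, subj: Subject, obj: Obj, op: str) -> bool:
        key = (subj.domain, obj.type_, obj.cls)
        permitted = op in self.rules.get(key, set())   # no rule -> empty set -> denied
        if not permitted:
            self.denials.append(key + (op,))
        return permitted


def access_decision(policy: Policy, subj: Subject, obj: Obj, op: str,
                    enforcing: bool = True) -> Tuple[bool, Optional[bool], bool]:
    """Return (dac, mac, final). DAC is checked first; the MAC check only runs
    when DAC passes, so mac is None when DAC already refused. In permissive
    mode the MAC denial is still recorded but does not block the access."""
    dac = dac_allows(subj, obj, op)
    if not dac:
        return (False, None, False)
    mac = policy.mac_allows(subj, obj, op)
    return (True, mac, mac or not enforcing)


def demo(enforcing: bool = True) -> Dict[str, Tuple[bool, Optional[bool], bool]]:
    policy = Policy()
    # Constructed rule: the engine domain may open, read and append to its log type.
    # Nothing grants in-place "write", so that operation stays denied by MAC.
    policy.allow("dbserver_t", "dbserver_log_t", "file", {"open", "read", "append"})

    engine = Subject(uid=1001, domain="dbserver_t")
    root_shell = Subject(uid=0, domain="admin_shell_t")   # invented label, no rules
    stranger = Subject(uid=2002, domain="dbserver_t")
    logfile = Obj(owner_uid=1001, mode=0o644, type_="dbserver_log_t", cls="file")

    return {
        "engine append": access_decision(policy, engine, logfile, "append", enforcing),
        "engine write": access_decision(policy, engine, logfile, "write", enforcing),
        "root write": access_decision(policy, root_shell, logfile, "write", enforcing),
        "other write": access_decision(policy, stranger, logfile, "write", enforcing),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("enforcing" if mode else "permissive")
        for name, result in demo(mode).items():
            print(f"  {name:14s} dac={result[0]} mac={result[1]} final={result[2]}")
```

The interesting rows are "engine write" and "root write": both pass DAC (the owner has the write bit, and root bypasses DAC entirely), yet both are refused because no rule grants write to that domain on that type. That is the default-deny property the paragraph describes, and it is why a compromised process, or even root, gains nothing beyond what the policy explicitly lists. Running the demo with enforcing=False shows the permissive behaviour: the denial is recorded but the access goes through.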
Informix and SELinux implementation
SELinux is largely transparent to ordinary system users and presents system administrators with few complications. IBM has acquired Red Hat, but the only database with a predefined SELinux targeted policy is Oracle. Yes, you’re not dreaming: neither IBM DB2 nor IBM Informix has SELinux security policies by default in RHEL. If you’re interested in security and want IBM to do the right thing and be compatible with their own products, write a message to your IBM representative and ask them to include an SELinux Informix policy in the default RHEL packages.
As this is not going to happen in the next few years, just stay alert and wait for the next part of this article series, where I’m going to explain how to secure Informix using SELinux and will provide you with an SELinux targeted policy for Informix.
If you liked this article and want me to explain more about some of the products and technologies mentioned here, send me a message at vicente(at)iiug.org
Now, just wait for Informix and SELinux Part 2.
Vicente Salvador Cubedo