This paper evaluates three foundational Linux security technologies: chroot jail, iptables, and SELinux. For each tool, the analysis covers the organization or individual responsible for its development, how the technology modifies the Linux operating system to enhance security, and the specific categories of threats it is designed to mitigate. chroot jail is examined as a user-account isolation mechanism originating in Unix; SELinux is analyzed as an NSA-developed access control framework integrated into the Linux kernel; and iptables is discussed as a flexible firewall configuration system built on the Netfilter project. Together, these tools represent complementary layers of Linux system security.
The pervasive adoption of the Linux operating system has led to a proliferation of security tools and applications designed to protect systems and the software running on them. This analysis evaluates three such technologies: chroot jail, iptables, and SELinux. Each is examined from the standpoint of the organization or individual behind its development, how the technology modifies Linux to improve security, and the specific types of threats it is designed to eliminate.
The chroot jail command was developed and first introduced during the initial development of the Unix Version 7 operating system in 1979. Its original purpose was to ensure that users of UNIX-based workstations could navigate directory structures without accessing areas outside their designated scope. The Berkeley Software Distribution (BSD) versions of UNIX, which became very popular around 1982, immediately adopted this command as a means of protecting the rapidly expanding number of user accounts on those systems.
The chroot jail command was designed to restrict user account-level access to the /home/user directory. Without this command, any user could navigate to the very top of the directory tree and view any account and its contents. Because a chrooted process sees the jail directory as the root of the file system, the command also protected the rest of the file system, including system resources and programs, from unwanted access. The developers specifically focused on creating a more effective strategy for managing user accounts and eliminating the threat of a single attacker gaining access to every user account on a Unix — and later Linux-based — system (Rooney, 2004). The command has since become widely used for creating development "sandboxes" that define protected test regions on Linux systems, shielding them from errant process threads. It is now commonly employed to create controlled, user-account-based testing environments that ensure applications run correctly in isolation.
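As an added example (not part of the original paper), a hypothetical Python audit helper that walks a jail directory and flags conditions that undermine the isolation chroot provides: setuid or setgid files, device nodes and world-writable directories inside the jail, and a jail root not owned by root. The sample jail it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical audit helper: walk a chroot jail tree and report conditions
# that weaken the isolation chroot is meant to provide.
def audit_chroot_jail(jail_root: str) -> list[str]:
    root = Path(jail_root)
    findings = []
    top = root.lstat()
    if top.st_uid != 0:
        findings.append("jail root is not owned by root")
    if top.st_mode & stat.S_IWOTH:
        findings.append("jail root is world-writable")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            mode = path.lstat().st_mode  # lstat: never follow symlinks out of the tree
            rel = path.relative_to(root)
            if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings.append(f"device node inside jail: {rel}")
            elif stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(f"setuid/setgid file inside jail: {rel}")
            elif stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append(f"world-writable directory without sticky bit: {rel}")
    return findings

# Constructed sample jail for the demonstration, not a real service jail.
def build_sample_jail(hardened: bool) -> str:
    jail = tempfile.mkdtemp(prefix="jail-")
    for sub in ("bin", "lib", "etc", "tmp"):
        os.mkdir(os.path.join(jail, sub))
    Path(jail, "etc", "passwd").write_text("app:x:1001:1001::/:/bin/false\n")
    tool = Path(jail, "bin", "tool")
    tool.write_bytes(b"#!/bin/sh\necho hello\n")
    if hardened:
        os.chmod(tool, 0o755)                        # plain executable
        os.chmod(os.path.join(jail, "tmp"), 0o1777)  # world-writable but sticky
    else:
        os.chmod(tool, 0o4755)                       # setuid bit left on
        os.chmod(os.path.join(jail, "tmp"), 0o777)   # no sticky bit
    return jail

if __name__ == "__main__":
    for hardened in (False, True):
        label = "hardened" if hardened else "sloppy"
        print(label, audit_chroot_jail(build_sample_jail(hardened)) or ["no findings"])
```

The ownership finding depends on which user runs the script; the other checks are deterministic for the constructed jail.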
Originally developed by the U.S. National Security Agency (NSA), SELinux was first released under the GNU GPL in December 2000 for the Linux operating system. It was subsequently integrated into the mainline Linux kernel as part of the 2.6.0-test3 update in August 2003. The technology supports access control policies across all user accounts, ports, applications, and integration points throughout a single Linux operating system instance and its network. SELinux can also be configured at the role-based and user levels to ensure that all access points are protected from inbound attacks through ports that may be opened by individual applications.
SELinux is also a valuable tool for managing the coordination of services across the entire Linux kernel, both before and after recompilation of specific sections and functional areas. It has increasingly been relied upon for managing active ports on smartphones and portable laptops running compatible Linux kernels (Greenemeier, 2005). All of these capabilities are often combined in an enterprise-wide strategy that supports access control protocols and the continuous monitoring of ports and programs across an entire Linux-based network running TCP/IP.
Netfilter-based firewall configuration via iptables
The basis of the command is the set of in-kernel rule tables, maintained by the Netfilter code in the Linux firewall layer, that packets are checked against as they traverse the kernel. Using the many options available, Linux system administrators can tailor the Netfilter modules and chains for IPv4 and, through its sibling tools, for IPv6, for ARP (arptables), and for Ethernet frames (ebtables). The command was specifically designed to equip internet firewalls with stateful inspection engines (MacVittie, 2005). It was also designed to block NAT-based inbound traffic that imitates or spoofs IP addresses, and to detect and block unauthorized access involving the iproute2 tools and QoS commands on policy routers. In short, iptables enables the complete configuration of software-based firewalls in Linux environments, blocking threats ranging from the simplest to the most complex inbound attacks.
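As an added example (not part of the original paper), a hypothetical Python checker that reads a filter table in iptables-save format and reports whether it has the stateful-inspection and anti-spoofing protections described above. Both rulesets are constructed for the demonstration, with eth0 assumed to be the internet-facing interface.

```python
import re

# Constructed iptables-save dumps (filter table only): a permissive ruleset
# and its hardened counterpart. eth0 is assumed to face the internet.
WEAK_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""
HARDENED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""
# Source ranges that must never arrive from the internet-facing interface.
SPOOF_SOURCES = ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def audit_filter_table(dump: str) -> list[str]:
    """Hypothetical checker: flag missing stateful and anti-spoofing rules."""
    findings = []
    policies = dict(re.findall(r"^:(\w+) (\w+) \[", dump, re.M))
    rules = [ln for ln in dump.splitlines() if ln.startswith("-A ")]
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) not in ("DROP", "REJECT"):
            findings.append(f"{chain} default policy is {policies.get(chain)}, not DROP")
    inp = [r for r in rules if r.startswith("-A INPUT ")]
    if not any(re.search(r"--(ctstate|state) \S*ESTABLISHED\S* -j ACCEPT", r) for r in inp):
        findings.append("INPUT has no ESTABLISHED,RELATED accept rule (stateless filtering)")
    if not any(re.search(r"--(ctstate|state) INVALID -j DROP", r) for r in inp):
        findings.append("INPUT does not drop packets in INVALID conntrack state")
    seen = [m.group(1) for r in inp for m in [re.search(r"-i \S+ -s (\S+) -j DROP", r)] if m]
    missing = [s for s in SPOOF_SOURCES if s not in seen]
    if missing:
        findings.append("no ingress anti-spoofing drop for: " + ", ".join(missing))
    return findings
```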
Forristal, J. (2001). Fireproofing against DoS attacks. Network Computing, 12(25), 65–74.
Greenemeier, L. (2005). More-secure Linux still needs to win users. InformationWeek, (1029), 28.
MacVittie, L. (2005). Linux models a few new hats. Network Computing, 16(3), 28–30.
Rooney, P. (2004). Migrating to Linux. CRN, (1092), 28.