Security is important in enterprise scenarios, where core business applications need to run seamlessly but are often connected to the external world where they are vulnerable to attack.
Malware, unauthorized access to files and execution of unverified code are just some examples of how system security can be compromised, not only by exploiting known bugs and vulnerabilities, but also by the lack of appropriate countermeasures.
Red Hat Enterprise Linux (RHEL) can help, as it ships tools and services that natively support the process of system hardening.
In this article, we explore some of the tools included in RHEL that will help you start hardening your systems to better control access to files, processes and applications.
Implementing access control with SELinux
Many RHEL customers and users have experienced issues when trying to run custom applications, operating on standard folders and locations of common processes, or even just trying to open ports for their web services.
In 99% of these cases, the "issues" were caused by Security-Enhanced Linux (SELinux).
SELinux is enabled by default in RHEL. It is a security framework that helps system administrators implement Mandatory Access Control (MAC) instead of Discretionary Access Control (DAC). MAC takes into account the access modes, groups and users that can operate on files, folders and applications. Additionally, it implements a complex set of access rules, based on labels and types, that uniquely identify which processes can access specific files, folders and ports.
MAC example
Let's look at httpd as an example:
- httpd runs in the default SELinux domain httpd_t
- The folder /var/www/html/ is labelled with the type httpd_sys_content_t
- SELinux expects the process to use specific ports (80, 443, 8080 and 8443, among others) and labels those ports with the type http_port_t
Suppose we try to run httpd with a different folder (e.g. /var/www/my_site) and a different port (e.g. 4449). When we try to start the httpd service, SELinux will block the access until we manually add the new folder and the chosen port to the labels mentioned above.
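The labelling step described above, written out as an added example (this is not code from the article or from Red Hat): it extends the file context for the custom document root, relabels the existing files, adds the port to http_port_t, and offers a verify step that shows the labels and any recent httpd denials. It assumes a RHEL host with the semanage, restorecon and ausearch commands available (package policycoreutils-python-utils for semanage) and must run as root to apply changes; the directory and port default to the ones used in the article and are only illustrative.

```shell
#!/bin/sh
# Added example (not from the article): allow httpd to serve a custom
# document root on a non-standard port by extending the SELinux labels.
# Assumes a RHEL host with semanage, restorecon and ausearch installed;
# run as root to apply. DRY_RUN=1 prints the commands instead of running them.
set -eu

ACTION="${1:-}"
SITE_DIR="${2:-/var/www/my_site}"   # custom document root used in the article
SITE_PORT="${3:-4449}"              # non-standard port used in the article

# Regex that SELinux file contexts use to cover a directory and everything under it.
fcontext_pattern() { printf '%s(/.*)?' "$1"; }

# Reject anything that is not a valid TCP port before it reaches semanage.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Execute a command, or print it when DRY_RUN=1 (handy for change tickets).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Persistently label the folder as web content and the port as an HTTP port.
label_site() {
  valid_port "$SITE_PORT" || { echo "invalid port: $SITE_PORT" >&2; return 1; }
  run semanage fcontext -a -t httpd_sys_content_t "$(fcontext_pattern "$SITE_DIR")"
  run restorecon -Rv "$SITE_DIR"     # apply the new context to files already present
  # If the port is already mapped to another type, 'semanage port -m' replaces -a.
  run semanage port -a -t http_port_t -p tcp "$SITE_PORT"
}

# Show the effective labels and any recent denials to confirm the change took.
verify_site() {
  run ls -dZ "$SITE_DIR"
  run semanage port -l -C            # only the locally added port mappings
  run ausearch -m AVC -ts recent -c httpd
}

case "$ACTION" in
  apply)  label_site ;;
  verify) verify_site ;;
  *) echo "usage: $0 apply|verify [dir] [port]  (DRY_RUN=1 prints commands)" >&2 ;;
esac
```

Run it as `DRY_RUN=1 sh label_site.sh apply /var/www/my_site 4449` first to review the commands, then without DRY_RUN to apply them, and `sh label_site.sh verify` afterwards. The semanage changes are persistent across relabels, unlike a bare chcon, which is why the example uses them.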
Rules for most of the applications and processes that are shipped with RHEL are already established, but they can be customized and extended to match your needs, so you can adapt them to custom applications.
Out of the box, RHEL offers a dedicated system role for Ansible that will simplify and automate the operations involving SELinux labeling and verification.
Preventing non-standard applications from running in your environment with fapolicyd
With SELinux we can control how processes access files, folders and ports, but what if we want to make sure that only what ships with RHEL can be executed?
fapolicyd is a lightweight security framework that includes a daemon whose role is to make sure that only applications installed from trusted RPMs can be executed.
This is possible because fapolicyd keeps a trust database, built from the packages and their contents installed through the package manager (and therefore present in the RPM database), together with a set of rules, so that those files, and only those, can be executed.
With fapolicyd installed and running on your RHEL machine, trying to create and run a Bash script, or to copy one of the default applications from /usr/bin or /bin elsewhere on the system and run it from there, will result in a permission denied error.
Similar to SELinux, fapolicyd comes with a set of predefined rules that can be easily extended to match your operational requirements, also covering rules for scripts, MIME types and more.
By default, fapolicyd checks the byte size of the executable, but it can also perform integrity checking. With integrity checking enabled, even if an attacker manages to replace an executable with a malicious version of exactly the same size, fapolicyd can still prevent it from running.
This is crucial when it comes to preventing unwanted applications such as rootkits, malware or any other harmful executables from running and disrupting your system.
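An added example (not code from the article or from the fapolicyd project) for the two operations a practitioner usually needs after the section above: checking and tightening the integrity mode in fapolicyd.conf, and trusting a custom binary so the daemon permits it. It assumes the fapolicyd package is installed, that the config file uses the `integrity = <mode>` key with the modes none, size, ima and sha256, and that fapolicyd-cli supports `--file add`, `--trust-file`, `--update` and `--check-config`; the config path is a parameter so the parsing can be exercised on a copy, and the demo config is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the article): inspect and raise fapolicyd's integrity
# mode, and add a custom file to the trust database.
# Assumes the fapolicyd package (fapolicyd-cli, /etc/fapolicyd/fapolicyd.conf).
# DRY_RUN=1 prints the privileged commands instead of executing them.
set -eu

CONF="${FAPOLICYD_CONF:-/etc/fapolicyd/fapolicyd.conf}"

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Print the active 'integrity' setting (none, size, ima or sha256), ignoring
# commented-out lines; prints 'unset' when the key is absent.
integrity_mode() {
  mode=$(sed -n 's/^[[:space:]]*integrity[[:space:]]*=[[:space:]]*\([a-z0-9]*\).*/\1/p' "$1" | tail -n 1)
  printf '%s\n' "${mode:-unset}"
}

# Switch the integrity check to MODE, validate the config, and restart the daemon.
set_integrity() {
  conf="$1"; mode="$2"
  case "$mode" in
    none|size|ima|sha256) ;;
    *) echo "unknown integrity mode: $mode" >&2; return 1 ;;
  esac
  if grep -q '^[[:space:]]*integrity[[:space:]]*=' "$conf"; then
    sed -i "s/^[[:space:]]*integrity[[:space:]]*=.*/integrity = $mode/" "$conf"
  else
    printf 'integrity = %s\n' "$mode" >> "$conf"
  fi
  run fapolicyd-cli --check-config
  run systemctl restart fapolicyd
}

# Add a regular file to the 'custom' trust list and reload the trust database.
# With integrity = sha256 the stored hash must match before the file may run.
trust_file() {
  [ -f "$1" ] || { echo "not a regular file: $1" >&2; return 1; }
  run fapolicyd-cli --file add "$1" --trust-file custom
  run fapolicyd-cli --update
}

# Demonstration on a constructed config fragment (not a real host's file).
demo() {
  tmp=$(mktemp)
  printf '# constructed demo config\npermissive = 0\nintegrity = size\n' > "$tmp"
  echo "before: $(integrity_mode "$tmp")"
  DRY_RUN=1 set_integrity "$tmp" sha256
  echo "after:  $(integrity_mode "$tmp")"
  rm -f "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On a real host, `set_integrity /etc/fapolicyd/fapolicyd.conf sha256` raises the check from size to a hash comparison, which is the setting that defeats the same-size replacement mentioned above; the trust database must then be refreshed with `fapolicyd-cli --update` so the new hashes are recorded.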
Intrusion detection made simple - AIDE, IMA and EVM
One of the most common attack vectors is the alteration of existing files and processes to inject malicious code or configuration, leaving the system open to further attacks or exploits.
Advanced Intrusion Detection Environment (AIDE) is a tool, included in RHEL, that enables integrity checks for the whole system. It maintains a database of all files and folders and compares the live system against it to detect added or removed files, location changes or other suspicious activity.
The check can be scheduled with a cron job, so the comparison runs regularly and the database stays aligned with the approved system state.
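An added example of the AIDE workflow just described (not code from the article or from the AIDE project): initialise the baseline, run the nightly check from cron, accept approved changes into a new baseline, and decode the check's exit status, which AIDE returns as a bitmask. It assumes the aide package on RHEL with the default database paths under /var/lib/aide, the exit-status convention from the aide manual page (1 new, 2 removed, 4 changed, 14 and above errors), and a log path of my choosing under /var/log/aide.

```shell
#!/bin/sh
# Added example (not from the article): AIDE baseline, check, update and
# exit-status decoding. Assumes the aide package with RHEL's default paths;
# run as root to apply. DRY_RUN=1 prints commands instead of running them.
set -eu

AIDE_DB=/var/lib/aide/aide.db.gz          # baseline the check compares against
AIDE_DB_NEW=/var/lib/aide/aide.db.new.gz  # where aide --init / --update write
AIDE_LOG=/var/log/aide/cron.log           # assumed log location for the cron run

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Build the first baseline and move it into place; keep an offline copy of the
# baseline as well, otherwise an intruder can simply re-initialise it.
aide_init() {
  run aide --init
  run mv -f "$AIDE_DB_NEW" "$AIDE_DB"
}

# Compare the live filesystem with the baseline.
aide_check() { run aide --check; }

# After an approved change (patching, deployment), accept the new state.
aide_update() {
  run aide --update
  run mv -f "$AIDE_DB_NEW" "$AIDE_DB"
}

# AIDE exit status: 0 clean; bit 1 new files, bit 2 removed, bit 4 changed;
# values of 14 and above are runtime errors, not findings.
decode_status() {
  s="$1"
  if [ "$s" -eq 0 ]; then echo "clean"; return 0; fi
  if [ "$s" -ge 14 ]; then echo "error($s)"; return 0; fi
  out=""
  [ $((s & 1)) -ne 0 ] && out="${out}new "
  [ $((s & 2)) -ne 0 ] && out="${out}removed "
  [ $((s & 4)) -ne 0 ] && out="${out}changed "
  printf '%s\n' "${out% }"
}

# Render the /etc/cron.d entry that runs the check nightly and records the result.
cron_entry() {
  printf '05 4 * * * root /usr/sbin/aide --check > %s 2>&1; echo "aide exit status $?" >> %s\n' \
    "$AIDE_LOG" "$AIDE_LOG"
}

case "${1:-}" in
  init)   aide_init ;;
  update) aide_update ;;
  cron)   cron_entry ;;
  check)  status=0; aide_check || status=$?; decode_status "$status" ;;
  *)      echo "usage: $0 init|check|update|cron  (DRY_RUN=1 prints commands)" >&2 ;;
esac
```

`sh aide_wrap.sh cron > /etc/cron.d/aide` installs the schedule; a result other than `clean` in the log is the signal to investigate before running `update`, since updating blindly would bake an intruder's changes into the baseline.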
RHEL also supports the lower-level Integrity Measurement Architecture (IMA), which is implemented at the kernel level. IMA creates and maintains hashes of local files and can enforce a runtime check through a kernel hook, preventing the execution of, or access to, files that have been altered or have failed verification.
If used in combination with the Extended Verification Module (EVM) kernel module, the kernel also protects the security-relevant extended attributes of files, drastically reducing the chances that a modification performed by a malicious entity can compromise the integrity of the system.
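An added example for the IMA/EVM part of this section (not code from the article, Red Hat or the kernel project): it sets the kernel parameters that turn on IMA appraisal and EVM in fix mode, triggers the initial labelling of root-owned files, and classifies a file by the security.ima and security.evm extended attributes that the kernel verifies. It assumes grubby and the attr package (getfattr) are installed and that the boot parameters ima_policy, ima_appraise and evm are honoured by the RHEL kernel; the getfattr samples at the bottom are constructed for the demonstration, and the attribute values in them are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example (not from the article): enable IMA appraisal with EVM on a RHEL
# kernel and inspect the security.ima / security.evm extended attributes.
# Assumes grubby and getfattr are installed; run as root to apply.
# DRY_RUN=1 prints the privileged commands instead of executing them.
set -eu

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 'fix' mode lets the kernel write missing hashes on first access, so the
# system can be labelled before appraisal is switched to enforcing.
enable_ima_evm() {
  run grubby --update-kernel=ALL --args="ima_policy=appraise_tcb ima_appraise=fix evm=fix"
  echo "reboot required for the new kernel parameters to take effect" >&2
}

# After rebooting in fix mode, reading each root-owned file makes the kernel
# create its security.ima hash; head reads one line and discards it.
label_root_files() {
  run sh -c 'find / -fstype xfs -type f -uid 0 -exec head -n 1 {} \; >/dev/null'
}

# Read 'getfattr -m . -d' output on stdin and report which integrity attributes
# are present: ima+evm, ima, evm or none.
classify_xattrs() {
  ima=0; evm=0
  while IFS= read -r line; do
    case "$line" in
      security.ima=*) ima=1 ;;
      security.evm=*) evm=1 ;;
    esac
  done
  if [ "$ima$evm" = 11 ]; then echo ima+evm
  elif [ "$ima" = 1 ]; then echo ima
  elif [ "$evm" = 1 ]; then echo evm
  else echo none; fi
}

# Classify a real file on the host (default -m pattern hides security.* attributes).
inspect() { getfattr -m . -d "$1" 2>/dev/null | classify_xattrs; }

# Constructed samples (not captured from a real host; values are placeholders).
SAMPLE_LABELLED='# file: usr/bin/example
security.evm=0sPLACEHOLDER_EVM_HMAC
security.ima=0sPLACEHOLDER_IMA_HASH
security.selinux="system_u:object_r:bin_t:s0"'

SAMPLE_UNLABELLED='# file: tmp/dropped_binary
security.selinux="unconfined_u:object_r:user_tmp_t:s0"'

case "${1:-}" in
  enable)  enable_ima_evm ;;
  label)   label_root_files ;;
  inspect) inspect "$2" ;;
  demo)    printf '%s\n' "$SAMPLE_LABELLED" | classify_xattrs
           printf '%s\n' "$SAMPLE_UNLABELLED" | classify_xattrs ;;
  *)       echo "usage: $0 enable|label|inspect FILE|demo" >&2 ;;
esac
```

A file that reports `none` after labelling is either outside the policy's scope or was written after the hashes were created, which is exactly the case an appraisal policy will reject once ima_appraise is moved from fix to enforce.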
Wrap up
The tools we discussed here are just some of the utilities and frameworks that RHEL includes to improve system security and integrity.
In a previous article, we also covered how Red Hat Insights, the SaaS (Software as a Service) solution hosted on Red Hat Console can be used to detect malware in systems.
Please don’t hesitate to contact us if you would like to learn more!
About the author
Alessandro Rossi is an EMEA Senior Specialist Solution Architect for Red Hat Enterprise Linux with a passion for cloud platforms and automation.
Alessandro joined Red Hat in 2021, but he's been working in the Linux and open source ecosystem since 2012. He's done instructing and consulting for Red Hat and delivered training on Red Hat Enterprise Linux, Red Hat Ansible Automation Platform and Red Hat OpenShift, and has supported companies during solutions implementation.