How to Temporarily Disable SELinux

This article explains how to temporarily disable SELinux. As the name indicates, SELinux is a feature of Linux operating system distributions that supports the access control security policy mechanism.

SELinux, which stands for Security Enhanced Linux, must be configured and activated before the rules that are part of SELinux can be enforced within the operating system. Activating this security feature can sometimes be troublesome, however, because not every feature or function that ran before SELinux was implemented will still run properly after SELinux is activated.

During troubleshooting, SELinux is sometimes disabled temporarily in order to find the culprit of a problem. The purpose is to check whether the security policy implemented by SELinux is the reason an application, a database, or even a feature or function of the operating system itself cannot be used or does not work properly.

Disable squashfs Filesystem in Linux

This article reviews one of the recommendations compiled by CIS (Center for Internet Security) in its CentOS 7 Linux benchmark, which provides an established standard of guidelines for implementing a secure configuration on a machine or server running CentOS 7 on either 32-bit or 64-bit architecture. The focus here is on disabling the squashfs filesystem.

The purpose of disabling squashfs is to harden the security of the operating system. Wikipedia defines squashfs as follows:

SquashFS is a compressed read-only file system for Linux. SquashFS compresses files, inodes and directories, and supports block sizes up to 1 MB for greater compression. SquashFS is also the name of free software, licensed under the GPL, for accessing SquashFS filesystems.

Disable udf Filesystem in Linux

This is another article reviewing one of the recommendations compiled by CIS (Center for Internet Security) in its CentOS 7 Linux benchmark. The benchmark provides guidelines that establish a standard for secure configuration on servers running CentOS 7 on either x86 or x64 platforms, and the recommendation covered here is disabling the udf filesystem.

Disabling udf, which is one of the Linux filesystem types, is expected to add another point of security hardening at the operating system level. According to Wikipedia's definition, Universal Disk Format (UDF) is a profile of the specification known as ISO/IEC 13346 and ECMA-167 and is an open vendor-neutral file system for computer data storage for a broad range of media. In practice, it has been most widely used for DVDs and newer optical disc formats, supplanting ISO 9660. The information about udf in the previous definition can be found in this link, where a more detailed description is also available.

Depending on the version of the operating system, a CentOS Linux distribution can use the recommendation as classified and specified not only in the Guide to the Secure Configuration of Red Hat Enterprise Linux 6, whose full recommendation can be accessed as a webpage in this link, but also in the Guide to the Secure Configuration of Red Hat Enterprise Linux 7, which can be found in this link in the form of a webpage. The PDF version is available for download in this link. The CCE identifier (CCE ID) for Disabling Mounting of udf is CCE-26677-5 in Red Hat Enterprise Linux 6, while the CCE ID for Disabling Mounting of udf is CCE-80143-1 for Red Hat Enterprise Linux 7.

Disable cramfs Filesystem in Linux

This article reviews one of the recommendations compiled by CIS (Center for Internet Security) in its CentOS 7 Linux benchmark. The benchmark provides guidelines that establish a standard for secure configuration on servers running CentOS 7 on either x86 or x64 platforms. For further reference, it can be viewed in the following link. This is the website intended for security benchmarking, supported by an organization called CIS (Center for Internet Security), and it can be visited in this link.

The recommendation in this context is disabling cramfs, which is one of the Linux filesystem types. According to Wikipedia's definition, cramfs is known as the compressed ROM file system (or cramfs), a free (GPL'ed) read-only Linux file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems. The information about cramfs can be found in this link.

The recommendation itself corresponds to one of the CCE identifiers specified in the Guide to the Secure Configuration of Red Hat Enterprise Linux 6. The CCE identifier (CCE ID) for Disabling Mounting of cramfs is CCE-26340-0. The full recommendation can be accessed as a webpage in this link. CentOS 7, on the other hand, which is analogous to and generally comparable with Red Hat Enterprise Linux 7, has its own full recommendation, which can be found in this link in the form of a webpage and in this link in the form of a PDF file. The CCE ID for the recommendation on Disabling Mounting of cramfs is CCE-80137-3.

Using SELinux for Security Context Labeling

SELinux, or Security-Enhanced Linux, is one of the security mechanisms implemented at the kernel level. The security mechanism itself is called Mandatory Access Control (MAC); it was introduced for the first time in CentOS 4 and has been present in every later version up to CentOS 7 at the time this article was released.

Every file and every process on a system where SELinux is implemented has its own security context. We can also label files or processes that do not have any security context yet. To assign a security context label to either files or processes, we have to take into account the condition or situation of the files or processes themselves.

To view the security context label, run the following command:

ls -lZ

In the above command, 'ls' is used to list directory contents.
