  Linux Operating System Security Study
     
  Add Date : 2018-11-21      
         
         
         
  The security of the Linux operating system is well known. Compared with the Windows operating system, where exactly does Linux excel? Here we pick three important features and explain why the security of the Linux operating system has advantages that other systems cannot match.


Part 1: User / file permissions

User permissions are nothing new in the Windows operating system, but Windows is less strict and less effective than Linux in how it handles user and file permissions. An obvious example: even if you set up a multi-user Windows system, different users can still, by one means or another, get at each other's files, which defeats the purpose of permissions.

Linux file permissions apply to three classes of subject (the classes are mutually exclusive):

1. user (the file owner)

2. group (the group the file belongs to, not including the user)

3. other (all remaining users, that is, everyone other than the user and the group)

Linux uses a 3-bit binary number for the three kinds of file permission (1 means the permission is granted, 0 means it is not):

Bit 1: read, r, binary 100, value 4

Bit 2: write, w, binary 010, value 2

Bit 3: execute, x, binary 001, value 1

View permissions

# ls -l

The first column, 10 characters in total (for example drwxrwxrwx), represents the file permissions:

1) Character 1 is d for a directory; if it shows "-", the entry is not a directory

2) Characters 2-4 are the permissions of the user

3) Characters 5-7 are the permissions of the group

4) Characters 8-10 are the permissions of other

For the last 9 characters:

r represents read, whose value is 4

w represents write, whose value is 2

x represents execute, whose value is 1

- means the permission is not granted, and its value is 0

Modifying file permissions

# chmod [ugoa][+-=][rwx] filename

1) Users

u stands for user

g stands for group

o stands for other

a stands for all, that is, u, g and o together

2) Action

+ adds the permission

- removes the permission

= makes it the only permission

3) Permission

rwx can also be written in numeric notation, although that takes some arithmetic, for example rw = 6

Common permissions

-rw------- (600) Only the owner has read and write permissions

-rw-r--r-- (644) The owner has read and write permissions; the group and others have only read access

-rwx------ (700) Only the owner has read, write and execute permissions

-rwxr-xr-x (755) The owner has read, write and execute permissions; the group and others have only read and execute permissions

-rwx--x--x (711) The owner has read, write and execute permissions; the group and others have only execute permission

-rw-rw-rw- (666) Everyone has read and write permissions

-rwxrwxrwx (777) Everyone has read, write and execute permissions; this is the maximum.
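The following shell example is added here and is not part of the original article. It converts the 10-character mode string shown by ls -l into numeric notation using the r=4, w=2, x=1 values above, and checks the =, - and + actions of chmod on a temporary file. The function names sym_to_octal and chmod_demo are illustrative, and stat -c %a assumes GNU coreutils.

```sh
#!/bin/sh
# sym_to_octal: turn an `ls -l` mode string (e.g. -rwxr-xr-x) into octal (755).
# Strings carrying special bits (s, S, t, T) are rejected rather than guessed.
sym_to_octal() {
    mode=$1
    case $mode in
        [-dlcbps][-r][-w][-x][-r][-w][-x][-r][-w][-x]) ;;
        *) echo "unsupported mode string: $mode" >&2; return 1 ;;
    esac
    perms=${mode#?}                 # drop the file-type character
    octal=""
    for class in user group other; do
        triplet=$(printf '%s' "$perms" | cut -c1-3)
        perms=$(printf '%s' "$perms" | cut -c4-)
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        case $triplet in ??x) digit=$((digit + 1)) ;; esac
        octal="$octal$digit"
    done
    printf '%s\n' "$octal"
}

# chmod_demo: apply =, - and + to a scratch file and read the result back.
chmod_demo() {
    f=$(mktemp) || return 1
    chmod u=rw,go=r "$f"; a=$(stat -c %a "$f")   # = sets exactly these bits
    chmod go-r "$f";      b=$(stat -c %a "$f")   # - removes read from group/other
    chmod a+x "$f";       c=$(stat -c %a "$f")   # + adds execute for everyone
    rm -f "$f"
    printf '%s %s %s\n' "$a" "$b" "$c"
}

# Modes from the "Common permissions" list above.
for m in -rw------- -rw-r--r-- -rwx------ -rwxr-xr-x -rwx--x--x -rw-rw-rw- -rwxrwxrwx; do
    printf '%s  %s\n' "$m" "$(sym_to_octal "$m")"
done
chmod_demo
```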

Part 2: iptables, the firewall in the Linux kernel

You may say: doesn't the Windows operating system have a built-in firewall too, so what is so special about Linux having one? In fact, iptables is more than just a firewall, and even as a firewall it is more professional and more powerful than the firewall of the Windows operating system we commonly see.

iptables is an IP packet filtering system integrated with the Linux kernel. If a Linux system is connected to the Internet or a LAN, or acts as a server or as a proxy server connecting a LAN to the Internet, this system makes it easier to control IP packet filtering and firewall configuration on Linux.

The netfilter / iptables IP packet filtering system is a powerful tool for adding, editing and removing rules, the rules the firewall follows when it makes packet filtering decisions. These rules are stored in dedicated packet filtering tables, and the tables are integrated in the Linux kernel. Within a packet filtering table, the rules are grouped into what are called chains.

Although the netfilter / iptables IP packet filtering system is referred to as a single entity, it is actually made up of two components: netfilter and iptables.

The netfilter component, also called kernel space (kernelspace), is part of the kernel. It consists of packet filtering tables, which contain the rule sets the kernel uses to control packet filtering.

The iptables component is a tool, also called user space (userspace), that makes it easy to insert, modify and remove rules in the packet filtering tables. Unless you are using Red Hat Linux 7.1 or later, you need to download and install the tool to use it.

The biggest advantage of netfilter / iptables is that it can be configured as a stateful firewall, an important feature that earlier tools such as ipfwadm and ipchains did not provide. A stateful firewall can specify and remember the state of the connections created to send or receive packets. The firewall obtains this information from the connection tracking state of the packets. When deciding how to filter a new packet, the firewall can use this state information to increase its efficiency and speed. There are four valid states, named ESTABLISHED, INVALID, NEW and RELATED.

The ESTABLISHED state indicates that the packet belongs to an established connection, one that has been used to send and receive packets and is fully valid. The INVALID state indicates that the packet is not associated with any known flow or connection; it may contain faulty data or headers. The NEW state means that the packet has started or will start a new connection, or that it is associated with a connection that has not yet been used to send and receive packets. Finally, RELATED means that the packet is starting a new connection that is associated with a connection already established.

Another important advantage of netfilter / iptables is that it gives users complete control over firewall configuration and packet filtering. You can write your own rules to meet your specific needs, so that only the network traffic you want is allowed into the system.

In addition, netfilter / iptables is free, which makes it ideal for those who want to save costs; it can replace expensive firewall solutions.
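A stateful ruleset built on the four connection states described above, as an added example that is not part of the original article. The function name stateful_ruleset and the sample ports 22 and 443 are assumptions for illustration; the function only prints rules in iptables-restore format and loads nothing.

```sh
#!/bin/sh
# stateful_ruleset: emit a filter-table ruleset in iptables-restore format.
# Arguments: TCP ports on which NEW inbound connections are accepted.
stateful_ruleset() {
    for port in "$@"; do
        case $port in
            ''|0*|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'       # default policy: drop what no rule accepts
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # INVALID: not associated with any known connection, so drop it first.
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # ESTABLISHED / RELATED: traffic belonging to, or associated with,
    # connections the kernel is already tracking.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # NEW: the first packet of a connection, accepted only on listed ports.
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Constructed sample: allow new inbound connections to ports 22 and 443 only.
stateful_ruleset 22 443
```

To syntax-check the output without loading it, pipe it into iptables-restore --test as root.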

Part 3: SELinux, the security subsystem from the NSA

SELinux is the abbreviation of Security-Enhanced Linux, a mandatory access control security module for Linux developed by the US National Security Agency (NSA) and Secure Computing Corporation (SCC). It was originally developed on Fluke and was released under the GNU GPL in 2000.

SELinux (Security-Enhanced Linux) is an implementation of mandatory access control and the most prominent new security subsystem in Linux. The NSA developed this access control system with the help of the Linux community. Under its restrictions, a process can access only the files that its task requires. SELinux is installed by default on Fedora and Red Hat Enterprise Linux, and is available as an easily installed package on other distributions.

Among the currently available Linux Security Modules, SELinux is the most comprehensive and the most thoroughly tested; it is built on 20 years of MAC research. SELinux merges multi-level security, or an optional multi-category policy, into its type enforcement server, and uses the concept of role-based access control.

Most people who use SELinux use a distribution that ships it ready for use. These distributions enable SELinux in the kernel, provide a customizable security policy, and also provide many user-level libraries and tools that can use SELinux features.

SELinux is a Mandatory Access Control (MAC) security system based on the domain-type model. It was written by the NSA and is designed as a kernel module included in the kernel; certain security-related applications have correspondingly been patched for SELinux, and finally there is a corresponding security policy.

As we all know, the standard UNIX security model is discretionary access control (DAC): any program has complete control over its own resources. Suppose a program decides to put a file that may contain important information into the /tmp directory; under DAC no one can stop it. Under MAC, the security policy has full control over access to all resources. This is the essential difference between MAC and DAC. SELinux provides better access control than traditional UNIX permissions.

Editorial comment:

The Linux operating system already holds a strong position in the server space, which is inseparable from it being free, open source and highly secure. To maintain Linux systems well, we need to make good use of Linux tools so that system resources are used efficiently. Only by using them skillfully and knowing the temperament of Linux well can we get the most out of this treasure.