//-------------------------------------
Access control techniques

* DAC (Discretionary Access Control)
    - Controlled by the owner of the object: the user who owns a file decides
      its permissions (owner/group/other rwx bits, POSIX ACLs)
    - The default Linux security model
    - Weakness: a process that is compromised while running as a user (or as
      root) inherits every permission that user has


* MAC (Mandatory Access Control)
    - Controlled by a system-wide security policy that users and processes
      cannot override or relax
    - SELinux, AppArmor
    - Restricts network and file access per process
    - Even if a service is compromised, the attacker can only reach the ports
      and files the policy grants that service, which limits the damage



//-------------------------------------
* SELinux (Security-Enhanced Linux)
    Released by the US National Security Agency (NSA) in 2000
    Userspace release v3.2, 2021/03
https://github.com/SELinuxProject/selinux
https://www.redhat.com/ko/topics/linux/what-is-selinux
    MAC
    - Implemented as an LSM
    - Every process and object carries a security label (context) of the form
      user:role:type:level; policy rules are keyed on the type (type enforcement)
    - Modes: enforcing (deny and log), permissive (log only, nothing is blocked),
      disabled
    - Per-file labels require a filesystem that stores security labels
      (extended attributes); a filesystem without them, such as NFS without
      labeled-NFS support, can only be given a single label for the whole
      mount via the context= mount option
    - More complex to configure than AppArmor
    - RPM-based distributions: Red Hat, Fedora, CentOS (Oracle Linux, Amazon Linux 2)
        Android (SEAndroid)

sestatus    # current mode (enforcing/permissive/disabled) and loaded policy type


//-------------------------------------
AppArmor
    Immunix (1998) -> SUSE (Novell acquired Immunix, 2005) -> Canonical (2009)
    v3.0.1, 2020/12
https://apparmor.net/
https://gitlab.com/apparmor
https://help.ubuntu.com/community/AppArmor

    Installed by default since Ubuntu 7.10
    - DEB-based distributions: Debian, Ubuntu, Synology DSM

        , also SUSE/openSUSE (RPM-based)

    MAC
    - Profiles are per program and identified by the executable's path, not by
      labels on files: a profile lists the files (with r/w/x/m modes),
      capabilities and network access the program may use
    - A profile runs in enforce mode (violations blocked and logged) or
      complain mode (violations logged only)
    - Implemented as an LSM

sudo aa-status    # loaded profiles and which are in enforce / complain mode
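Whether you are confining a service with SELinux or AppArmor, the first thing you read is the denial records both LSMs write to the audit log (type=AVC) before loosening or writing any policy. The following is an added example, not from the original post or from either project: a Python parser over constructed audit.log lines (two SELinux AVC denials, two AppArmor records, one unrelated SYSCALL record) that normalises both formats into one record and flags denials that were only logged because the SELinux domain was permissive or the AppArmor profile was in complain mode. The sample lines and the field names used are assumptions modelled on the real record layouts.

```python
"""Parse SELinux AVC and AppArmor denial records from a Linux audit log
and flag the ones that were logged but not enforced."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records in audit.log format (not captured from a real host).
# Lines 1-2: SELinux AVC denials, 3-4: AppArmor, 5: unrelated SYSCALL record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1616000000.101:201): avc:  denied  { read } for  pid=1203 comm="httpd" name="index.html" dev="dm-0" ino=5301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1616000000.102:202): avc:  denied  { name_connect } for  pid=1203 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1616000000.103:203): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/shadow" pid=1340 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1616000000.104:204): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince" name="/home/alice/doc.pdf" pid=1400 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1616000000.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

# key=value pairs; values are bare (pid=1203) or double-quoted (comm="httpd")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_SELINUX_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}")
_APPARMOR_RE = re.compile(r'apparmor="(?P<status>DENIED|ALLOWED|AUDIT)"')


@dataclass
class Denial:
    lsm: str        # "selinux" or "apparmor"
    subject: str    # SELinux source type (httpd_t) or AppArmor profile path
    action: str     # SELinux permission(s) or AppArmor operation
    target: str     # file name, port, ... (best effort)
    tclass: str     # SELinux object class; empty for AppArmor
    comm: str       # process name
    enforced: bool  # False when the LSM only logged (permissive / complain)


def _fields(line: str) -> dict:
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def parse_denial(line: str) -> Optional[Denial]:
    """Return a Denial for one audit record, or None if it is not a denial."""
    if "type=AVC" not in line:
        return None
    f = _fields(line)
    m = _SELINUX_RE.search(line)
    if m:
        # scontext is user:role:type:level; policy rules key on the type
        source_type = f.get("scontext", ":::").split(":")[2]
        return Denial(
            lsm="selinux",
            subject=source_type,
            action=m.group("perms"),
            target=f.get("name") or f.get("dest") or f.get("path", ""),
            tclass=f.get("tclass", ""),
            comm=f.get("comm", ""),
            # permissive=1: the domain or the system is permissive, so the
            # access was logged but actually granted
            enforced=f.get("permissive") == "0",
        )
    m = _APPARMOR_RE.search(line)
    if m and m.group("status") in ("DENIED", "ALLOWED"):
        return Denial(
            lsm="apparmor",
            subject=f.get("profile", ""),
            action=f.get("operation", ""),
            target=f.get("name", ""),
            tclass="",
            comm=f.get("comm", ""),
            # apparmor="ALLOWED" is what a profile in complain mode logs for an
            # operation that enforce mode would have denied
            enforced=m.group("status") == "DENIED",
        )
    return None


def parse_denials(text: str) -> List[Denial]:
    return [d for d in (parse_denial(l) for l in text.splitlines()) if d]


def would_block_in_enforcing(denials: List[Denial]) -> List[Denial]:
    """Denials that were only logged: switching the domain or profile to
    enforcing would break exactly these accesses."""
    return [d for d in denials if not d.enforced]


if __name__ == "__main__":
    for d in parse_denials(SAMPLE_AUDIT_LOG):
        print(d)
    print("would break in enforcing:",
          [(d.subject, d.action, d.target)
           for d in would_block_in_enforcing(parse_denials(SAMPLE_AUDIT_LOG))])
```

Run it against `ausearch -m AVC` or `/var/log/audit/audit.log` output; the `would_block_in_enforcing` list is the set of accesses to review (and, if legitimate, to allow explicitly) before moving a permissive domain or complain-mode profile to enforcing. Without auditd running, AppArmor writes the same records to the kernel log prefixed with `audit: type=1400`, so strip that prefix and treat `type=1400` as `type=AVC` if you feed dmesg into it.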


//-------------------------------------
// References
https://2infinity.tistory.com/59
https://help.ubuntu.com/community/AppArmor

//-------------------------------------
LSM (Linux Security Modules)
    - Kernel framework of hooks on which security modules (SELinux, AppArmor,
      Smack, TOMOYO, ...) are built; the hooks run after the normal DAC check,
      so a MAC module can only further restrict an access, never grant one
      that DAC denied
    - Part of the mainline kernel since 2.6

Multi-Level Security (MLS): sensitivity levels (s0..s15 in the default SELinux
    policy) in the Bell-LaPadula style; a subject may read only objects whose
    level it dominates
Multi-Category Security (MCS): the same mechanism using only categories
    (c0..c1023) on a single sensitivity level; used by the SELinux targeted
    policy and by container runtimes, which give each container a random pair
    of categories so that one container cannot read another container's files
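The MLS/MCS row in the comparison below comes down to one comparison on the level part of a security context. The following is an added example, not from the original post or from the SELinux project: a Python parser for SELinux contexts (`user:role:type:level`, with `s0:c12,c34` and `s0:c0.c1023` level syntax and `low-high` ranges) and the MCS dominance check, applied to constructed contexts for two containers, a container file and an unlabeled host file. It models only the MCS constraint (subject clearance must dominate object level); the kernel checks type enforcement rules separately, and those must also allow the access.

```python
"""Parse SELinux security contexts and evaluate MLS/MCS dominance.

A context is user:role:type:level; level is a sensitivity (s0..s15) with
optional categories (c0..c1023), and low-high gives a clearance range.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet

# s0 | s0:c12,c34 | s0:c0.c1023  ('.' denotes a category range)
_LEVEL_RE = re.compile(
    r"^s(?P<sens>\d+)(?::(?P<cats>c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*))?$"
)


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: FrozenSet[int]

    def dominates(self, other: "Level") -> bool:
        """MLS/MCS 'dom': sensitivity at least as high and categories a superset."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_level(text: str) -> Level:
    m = _LEVEL_RE.match(text)
    if not m:
        raise ValueError(f"bad level: {text!r}")
    cats = set()
    if m.group("cats"):
        for item in m.group("cats").split(","):
            lo, _, hi = item.partition(".")
            lo_n = int(lo[1:])
            hi_n = int(hi[1:]) if hi else lo_n
            cats.update(range(lo_n, hi_n + 1))
    return Level(int(m.group("sens")), frozenset(cats))


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Level    # current level
    high: Level   # clearance; equals low when no range is given


def parse_context(text: str) -> Context:
    """Parse a context as printed by ls -Z, ps -Z or id -Z."""
    user, role, type_, rng = text.split(":", 3)
    low_s, _, high_s = rng.partition("-")
    low = parse_level(low_s)
    return Context(user, role, type_, low, parse_level(high_s) if high_s else low)


def mcs_allows(subject: Context, obj: Context) -> bool:
    """MCS part of a read/write decision: the subject's clearance must dominate
    the object's level (h1 dom h2 in the reference policy's MCS constraints).
    Type enforcement is decided separately and is not modelled here."""
    return subject.high.dominates(obj.high)


if __name__ == "__main__":
    # Constructed contexts: two containers with random category pairs, a file
    # labeled for the first container, and a host file carrying no categories.
    ctr_a = parse_context("system_u:system_r:container_t:s0:c123,c456")
    ctr_b = parse_context("system_u:system_r:container_t:s0:c100,c200")
    file_a = parse_context("system_u:object_r:container_file_t:s0:c123,c456")
    host_f = parse_context("system_u:object_r:container_file_t:s0")
    print("container A -> its own file:", mcs_allows(ctr_a, file_a))
    print("container B -> A's file:    ", mcs_allows(ctr_b, file_a))
    print("container B -> s0 host file:", mcs_allows(ctr_b, host_f))
```

The last case is the caveat worth remembering: an object with no categories (plain `s0`) is dominated by every subject, so MCS does nothing to isolate it. That is why container runtimes relabel volumes with the container's categories (the `:Z` mount option in Podman/Docker) and why a `container_file_t` file left at `s0` is reachable from every container on the host as far as MCS is concerned.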

//-----------------------------------------------------------------------------
https://www.redhat.com/sysadmin/apparmor-selinux-isolation
Technology   Type Enforcement   MLS/MCS   Policy generator   Generator for containers
AppArmor     Yes                No        Yes                No
SELinux      Yes                Yes       No*                Yes

 

Posted by codens