If there’s one thing that the Shellshock Bash Bug has taught us….. it’s that securing our technology infrastructure is more important than ever. The potential havoc that can be wreaked on a system vulnerable to the Shellshock bug is just a nightmare!
All software has bugs, and there’s no finger pointing going on here. At least not in that respect. But where finger pointing may be justified is on systems where tight security measures haven’t been put in place. The days of being caught with your pants down on the security-front are over. Better buy a belt and pair of braces!
I’ve put a quick 10-minute Shellshock Primer and SELinux Primer video together for Pluralsight. If you want to know the basics of how Shellshock works and how SELinux may be able to help, take a look at the video.
No Sleeping While On Guard
Sure, we all run firewalls, have strong passwords, patch our systems, and encrypt our data…. But there’s no time to rest on the digital security front – it’s as bad as drugs in sport: the bad guys are always trying to be one step ahead of the good guys. And when it comes to Shellshock…. firewalls, strong passwords and encrypting data won’t do us a great deal of good.
The Dawn of Mandatory Access Control
Now I’m obviously not knocking firewalls and strong passwords and the likes – they’re essential of course. But an all-too-often overlooked layer of infrastructure security is Mandatory Access Control (MAC) implemented at the OS/kernel level. And if you’re an infrastructure guy and you don’t know what that is, I suggest you go away and look into it. It’s been a nice-to-have for too long now. In today’s world it’s a must-have!
SELinux and Shellshock
If you don’t know, SELinux is an implementation of MAC on the Linux platform. It implements an additional layer of access control on top of existing discretionary access controls. And in the world of security, more is better!
SELinux labels every object on the system with an additional security context, and effectively sandboxes processes so that if/when they are compromised, the amount of damage they can do is massively restricted.
Effectively…. on an SELinux hardened system, compromised processes can only do damage in their walled-off little corner of the system – they can’t break out and walk all over the entire system.
Now clearly, SELinux doesn’t fix the Shellshock bug. But if you’ve got it turned on (and in enforcing mode) there’s a damn good chance it’ll minimise the damage the Shellshock exploit can cause. Not perfect, but better than nothing, and it will almost certainly buy you time to patch and the likes.
But it’s not just Shellshock. We’ll see more and more of these types of exploits in the future, and those of us running SELinux hardened systems will sleep better at night than those of us who aren’t.
Even Android (from v4.4 KitKat and onwards) is running SELinux in enforcing mode. Albeit only targeting certain system processes at the moment. But the point is… the guys at Google see the importance of SELinux, and so should we!
NOTE: SELinux comes with different policies and can run in different modes. The devil is in the detail. Run it in permissive mode and it ain’t gonna help you one bit. But run it in enforcing mode with an appropriate policy, and it’ll be a valuable layer of protection for your Linux systems.
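To make that note concrete, here is an added audit script (my own example, not from the video or the post) that checks the two things that decide whether SELinux will actually contain a compromised daemon: the current mode reported by `sestatus`, and whether processes are running in a confined domain or in `unconfined_t`/`unconfined_service_t` according to `ps -eZ`. The command output embedded below is constructed for illustration, not captured from a real host.

```python
import re

# Constructed sample output of `sestatus` and `ps -eZ` (not from a real host).
SESTATUS_SAMPLE = """\
SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
"""

PS_SAMPLE = """\
LABEL                                   PID TTY      TIME CMD
system_u:system_r:httpd_t:s0           1201 ?    00:00:03 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ?    00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2210 pts/0 00:00:00 bash
system_u:system_r:unconfined_service_t:s0 2300 ?  00:00:00 myapp
"""

# Domains in which the targeted policy places no meaningful restrictions.
UNCONFINED_DOMAINS = {"unconfined_t", "unconfined_service_t"}

def parse_sestatus(text):
    """Turn `sestatus` lines of the form 'Key:   value' into a dict."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s+(\S+)", line)
        if m:
            out[m.group(1).strip()] = m.group(2)
    return out

def parse_ps_z(text):
    """Return (domain, command) pairs from `ps -eZ` output.
    The label is the first column; its third ':'-separated field is the type."""
    pairs = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        domain = fields[0].split(":")[2]
        pairs.append((domain, fields[-1]))
    return pairs

def audit(sestatus_text, ps_text):
    """Summarise whether SELinux is positioned to contain a compromised process."""
    status = parse_sestatus(sestatus_text)
    mode = status.get("Current mode", "disabled")
    unconfined = [cmd for dom, cmd in parse_ps_z(ps_text) if dom in UNCONFINED_DOMAINS]
    return {
        "mode": mode,
        "policy": status.get("Loaded policy name"),
        "unconfined": unconfined,
        # Permissive mode only logs denials; only enforcing actually blocks them.
        "effective": mode == "enforcing",
    }
```

On a live box, feed it the real output (`subprocess.run(["sestatus"], ...)` and `ps -eZ`); a result with `"effective": False` or a network-facing daemon in the `unconfined` list means the walled-off corner the post describes does not exist for that process.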