Cyber security is on everyone’s minds these days. Embedded devices like cameras have been used by bad guys to launch attacks on the Internet. People worry about data leaking from voice command devices or home automation systems. And this goes for the roll-your-own systems we build and deploy.
Many network-aware systems use Linux somewhere — one big example is pretty much every Raspberry Pi based project. How much do you think about security when you deploy a Pi? There is a superior security system available for Linux (including most versions you’d use on the Pi) called SELinux. The added letters on the front are for “Security-Enhanced” and this project was originally started by the NSA and RedHat. RedHat actually has — no kidding — a coloring book that helps explain some of the basic concepts.
We aren’t so sure the coloring book format is really the right approach here, but it is a light and informative read (we didn’t stay in the lines very well, though). Our one complaint is that it doesn’t really show you anything in practice, it just explains the ideas behind the different kind of protections available in SELinux. If you want to actually set it up on Pi, there’s a page on the Pi site that will help. If you have an hour, you can get a good overview of using SELinux in the video below.
By default, the Linux security model is pretty simple. You have four conceptual groups of people: the root user, the owner of something, groups of users, and everyone who doesn’t fit in any of the previous categories. Files and things that look like files can have read, write, and execute permissions that apply to the owner, the owner’s group, and everyone. There are some special rules for directories and a few other features, but that’s it in a nutshell. It is easy to make a file (like a shell script) that you can read, write and execute. Maybe users in your group can read and execute, and everyone else can only execute. On some Pi systems, this is probably fine because you are the only user anyway, so groups and all don’t make much sense. However (as you’ll see in the video) using it to control access from, say, a web server, can make your system less vulnerable to attack.
With SELinux you can put labels on processes and file system objects and use those to control access. The example in the coloring book focuses on making sure dogs eat the right dog food and cats eat cat food. You can get very fine-grained control using these methods. You can also use MLS (multi-level security) like the government does and have things be secret, top secret, etc.
Take some time to make sure you get basic Linux security right. This way hackers (the bad kind, not our kind) will have to work a lot harder to cause mayhem. We’ve seen some pretty incredible efforts like hacking a modern Linux box with 6502 code aimed at the Nintendo. It is no secret that Internet-connected devices are becoming a target of choice for the black hats.