© SANS Institute 2003, Author retains full rights
hardening techniques at the application level are typically inadequate as a means of
protecting the rest of the system from flaws in the applications. Regardless of the time
spent hardening applications, a vulnerability exploited in one application will often lead
to a full system compromise. As the dependency upon network connectivity increases,
the need to look at lower-level methods for preventing successful attacks becomes
apparent.
The Linux Kernel
At the lowest software level, “[e]ach computer system includes a basic set of programs
called the operating system. The most important program in the set is called the kernel.
It is loaded into RAM when the system boots and contains many critical procedures
that are needed for the system to operate.”(4) While the system is running, the kernel
acts as a mediator between the hardware components and the processes running on the
system; no process accesses a hardware component directly. At an even lower level,
features built into the processor enforce the separation between code that may interact
with the hardware directly (“kernel mode”) and code that may not (“user mode”). A process
in user mode that attempts a privileged operation does not reach the hardware at all: the
processor faults and the kernel decides what happens to the process.
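The hardware-enforced separation described above can be observed from an ordinary process. The following is an added example and is not code from the original paper: it executes one instruction that is legal only in kernel mode (the x86 `hlt` instruction, or on AArch64 a read of the EL1-only system register `sctlr_el1`) and catches the signal the Linux kernel delivers when the processor faults. The assumption that the fault arrives as SIGSEGV on x86 and SIGILL on AArch64 is Linux-specific; other architectures fall through to a "not covered" result rather than guessing.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original paper. A user-mode process never
 * touches privileged hardware state directly: the CPU refuses the
 * instruction and the kernel reports the fault to the process as a signal. */

static sigjmp_buf trap_return;
static volatile sig_atomic_t trap_signal = 0;

static void on_trap(int signo)
{
    trap_signal = signo;
    siglongjmp(trap_return, 1);   /* unwind past the faulting instruction */
}

/* Attempt one kernel-mode-only instruction from user mode.
 * Returns the signal number the kernel delivered (SIGSEGV on x86 for the
 * general-protection fault, SIGILL on AArch64 for the undefined-instruction
 * trap), 0 if the instruction unexpectedly ran, or -1 on an architecture
 * this example does not cover. */
int privileged_instruction_trapped(void)
{
    struct sigaction sa, old_segv, old_ill;
    volatile int result = -1;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_trap;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);
    trap_signal = 0;

    if (sigsetjmp(trap_return, 1) == 0) {
#if defined(__x86_64__) || defined(__i386__)
        __asm__ volatile("hlt");                    /* ring 0 only: #GP in ring 3 */
        result = 0;
#elif defined(__aarch64__)
        unsigned long v;
        __asm__ volatile("mrs %0, sctlr_el1" : "=r"(v)); /* EL1-only register */
        (void)v;
        result = 0;
#endif
    } else {
        result = trap_signal;     /* reached via siglongjmp from on_trap */
    }

    /* Put the caller's handlers back so the demonstration has no side effects. */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return result;
}

int main(void)
{
    int r = privileged_instruction_trapped();
    if (r > 0)
        printf("user-mode attempt refused: kernel delivered %s\n",
               r == SIGSEGV ? "SIGSEGV" : r == SIGILL ? "SIGILL" : "a signal");
    else if (r == 0)
        printf("instruction ran in user mode (should not happen)\n");
    else
        printf("architecture not covered by this example\n");
    return 0;
}
```

The point of the example is the absence of any kernel policy: nothing in Linux had to be configured to refuse the instruction, because the processor's privilege check runs before any software sees it. Everything above that line (file permissions, DAC, the kernel hardening patches discussed later) is software policy layered on top of this hardware boundary.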
The Linux kernel provides a multiuser operating system: several users can run programs
at the same time without one user's activity interfering with another's. Because of this
multiuser nature, the kernel is also responsible for the mechanisms (user identities and
access control) that prevent users or applications from interfering with the activity of
other users or programs. The access control system built into the standard Linux kernel
is based on the traditional Discretionary Access Control (DAC) model, which is discussed
in further detail later in this document.
Linux Kernel Modules
At a time when memory (RAM) was an expensive commodity, the idea of a modular
kernel was introduced in a few commercial UNIX distributions. It allowed pieces of kernel
code to be loaded and unloaded to free up memory without having to rebuild the entire
kernel. Although memory is much less expensive today, the flexibility that loadable kernel
modules offer is one of the main reasons they are still used heavily. The Linux kernel is
one of the few modern monolithic kernels that can load and unload modules on the fly.
This can be a big time-saver, as it spares an administrator from having to recompile the
whole kernel and reboot the system for every minor change. The same flexibility has a
security cost: a loaded module runs in kernel mode with the same privileges as the rest
of the kernel, so controlling who may load modules is part of hardening the kernel itself.
“Linux was first developed for 32-bit i386-based PCs. These days it also runs on (at
least) the Compaq Alpha AXP, Sun SPARC and UltraSPARC, Motorola 68000,
PowerPC, PowerPC64, ARM, Hitachi SuperH, IBM S/390, MIPS, HP PA-RISC, Intel IA-
64, DEC VAX, AMD x86-64 and CRIS architectures.”(5) Because the hardware varies so
widely between these platforms, many Linux distributions ship stock kernels that rely
heavily on kernel modules. Not only does this approach greatly simplify the initial setup
of a Linux system, it also lets a distribution maintain a small number of pre-built kernel
images optimized for the various CPU configurations. While this approach eliminates the
need for a custom-built kernel on