Chapter 6: Managing Linux Security and Identities
- Using firewall-cmd with the --permanent option, or by deploying XML files in the /etc/firewalld directory. Otherwise the change is runtime only and not persistent across reboots.
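The XML route described above, as an added example that is not from the book: a small POSIX shell helper that writes a firewalld service definition under the configuration directory (FIREWALLD_DIR is an assumed override so it can be exercised in a scratch directory; the service name and port are constructed sample values) and reads it back to confirm what was persisted.

```shell
#!/bin/sh
# Added example: persist a firewalld service as an XML file so that it
# survives reboots, instead of a runtime-only firewall-cmd change.
# FIREWALLD_DIR is an assumed override for testing; firewalld itself
# reads /etc/firewalld.
FIREWALLD_DIR="${FIREWALLD_DIR:-/etc/firewalld}"

# write_service NAME PORT PROTO DESCRIPTION
# Creates $FIREWALLD_DIR/services/NAME.xml. Inputs are validated so a
# caller cannot smuggle a path or markup into the file name or body.
write_service() {
    name="$1"; port="$2"; proto="$3"; desc="$4"
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid service name: $name" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "invalid protocol: $proto" >&2; return 1 ;;
    esac
    mkdir -p "$FIREWALLD_DIR/services"
    cat > "$FIREWALLD_DIR/services/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# service_port NAME
# Prints "PROTO/PORT" from the persisted definition, or fails if absent.
service_port() {
    f="$FIREWALLD_DIR/services/$1.xml"
    [ -r "$f" ] || return 1
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9]*\)".*/\1\/\2/p' "$f"
}
```

firewalld only loads a new definition after firewall-cmd --reload, and the service still has to be added to a zone before it opens anything.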
- In Linux, you can restrict access using ACLs in systemd. Some applications also provide their own host allow/deny options. In Azure, you have network security groups and the Azure Firewall service.
- DAC restricts access based on users/groups and permissions on files. MAC further restricts access based on classification labels for each resource object.
- If you gain unauthorized access to an application or system, DAC offers no way to prevent further access, especially for files with the same user/group owner and files with permissions for others. MAC frameworks utilizing the Linux Security Modules to fix this problem are as follows:
  - SELinux: Red Hat-based distributions and SUSE
  - AppArmor: Ubuntu and SUSE
  - The lesser known Tomoyo: SUSE, not covered in this book
- Besides the fact that SELinux can protect more resource objects, AppArmor protects per application, while SELinux protects the whole system.
- Kerberos client for authorization
- SSSD: A backend that is responsible for the configuration and utilization of features such as using and caching credentials
- Samba libraries to be compatible with Windows features/options
- Some utilities to join and manage the domain, such as realm, adcli, and the net command