A quick look, with some notes and tips, at SELinux (the NSA's "Security Enhanced Linux") and Novell's open source "AppArmor", the two mandatory access control (MAC) systems that are becoming standard in most Linux distributions. Both are sometimes described as firewalls, but they are not: they confine what processes may do inside the host rather than filtering network traffic. Below is a brief comparison of the two open source projects.
NSA's Open Source "Security Enhanced Linux" (SELinux):
- SELinux is widely considered the future of Linux OS security, but it is very complex and suffers from a lack of documentation.
- It is recommended not to run X on production SELinux servers (the X server grants access to its own objects by its own rules, which SELinux policy does not control).
- Security policies are difficult to write from scratch; use the policy that ships with your distribution and adjust it.
- Bigger performance impact than AppArmor (nearly 7% of performance).
- Both SELinux and AppArmor are built on the Linux Security Modules (LSM) framework, which provides hooks in the kernel where a security module can allow or deny operations on kernel objects (files, sockets, processes and so on).
- SELinux is based on the Flask security architecture.
- Processes are represented as domains and objects (files, sockets, ...) as types; a domain is simply a type applied to a process.
- SELinux controls interactions between processes (domain to domain).
- SELinux controls access to objects (domain to type).
- SELinux controls every entry into a domain: a process can only transition into a domain by executing a program file whose type is a permitted entry point for that domain.
- SELinux has tools such as SETools and SLAT for policy analysis, audit analysis and user management.
Novell's AppArmor:
- Originally developed by Immunix, Inc. (a Linux security company).
- Provides a policy-based approach to enforcing application behaviour.
- Security profiles can be generated through YaST's AppArmor modules.
- Pre-built security profiles for commonly used applications, such as OpenSSH, DHCP, Samba, Sendmail and MySQL.
- AppArmor has less impact on overall system performance than SELinux (0 to 2% of performance).
- Profiles are easier to develop and maintain than SELinux policy.
- AppArmor lets the user create a profile (policy) describing which files an application may use.
- An AppArmor profile for an application specifies the program's capabilities (POSIX.1e capabilities) and the set of files it may access, with the permitted access mode for each.
- AppArmor comes with a system analyzer called unconfined, which scans open ports, lists the programs listening on them and reports which of those programs are running without a profile.
- AppArmor comes with pre-built profiles for programs that process network input, such as documents arriving by mail, or SSH clients.
- AppArmor comes with pre-built profiles for programs that read local input devices such as keyboards, mice and card readers.
- AppArmor includes a log analysis program (logprof) that helps the user build a program profile in "learning mode" (also called complain mode).
- AppArmor's learning mode builds an application profile as follows:
  - Run the application in learning (complain) mode; everything it does that the profile does not yet allow is logged rather than blocked.
  - The log analysis program scans the log and prompts the user with a question for each access it saw.
  - From the answers it writes the program's profile.
  - The cycle can be repeated: run the program again, analyse the new log entries and refine the profile incrementally.
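As an added illustration of the learning-mode workflow described above (example code written for this page, not part of AppArmor or its tools), the following Python script does what the log analyzer does at its core: it reads AppArmor audit records produced while a program ran in complain mode, merges the accesses seen per path, asks a decision callback about each candidate rule (standing in for the interactive prompts) and emits a profile. The log lines are constructed and follow the field layout of the audit records current AppArmor kernels emit; the program path /usr/sbin/foo and the decide callback are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample records (not from a real system). In complain mode the
# kernel logs apparmor="ALLOWED" for everything the profile would have denied.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): apparmor="ALLOWED" operation="open" profile="/usr/sbin/foo" name="/etc/foo.conf" pid=1234 comm="foo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.102:202): apparmor="ALLOWED" operation="open" profile="/usr/sbin/foo" name="/var/log/foo.log" pid=1234 comm="foo" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.103:203): apparmor="ALLOWED" operation="open" profile="/usr/sbin/foo" name="/etc/foo.conf" pid=1234 comm="foo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.104:204): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/foo" pid=1234 comm="foo" capability=10 capname="net_bind_service"
type=AVC msg=audit(1700000000.105:205): apparmor="ALLOWED" operation="create" profile="/usr/sbin/foo" pid=1234 comm="foo" family="inet" sock_type="stream" protocol=6
type=AVC msg=audit(1700000000.106:206): apparmor="ALLOWED" operation="open" profile="/usr/sbin/foo" name="/etc/shadow" pid=1234 comm="foo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.107:207): apparmor="ALLOWED" operation="open" profile="/usr/sbin/bar" name="/tmp/x" pid=99 comm="bar" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value and key="quoted value" pairs as they appear in the audit records
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one audit record into a dict of its fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def collect_events(log_text, profile):
    """Gather what the program under `profile` tried to do: file accesses
    (modes merged per path), capabilities and network socket types."""
    files, caps, nets = defaultdict(set), set(), set()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("profile") != profile or f.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        if f.get("operation") == "capable":
            caps.add(f["capname"])
        elif "family" in f:
            nets.add((f["family"], f["sock_type"]))
        elif "name" in f and "requested_mask" in f:
            files[f["name"]].update(f["requested_mask"])
    return files, caps, nets


MODE_ORDER = "rwalkm"  # canonical order of file permission letters in a rule


def file_mode(mask):
    """Translate a requested_mask string into profile permission letters."""
    perms = set()
    for ch in mask:
        if ch in ("c", "d"):       # create/delete need write permission in a rule
            perms.add("w")
        elif ch == "x":            # exec needs a qualifier; inherit (ix) is the safe default
            perms.add("ix")
        elif ch in MODE_ORDER:
            perms.add(ch)
    if "w" in perms:
        perms.discard("a")         # 'w' and 'a' conflict in a rule; 'w' is the superset
    return "".join(ch for ch in MODE_ORDER if ch in perms) + ("ix" if "ix" in perms else "")


def build_profile(profile, files, caps, nets, decide=lambda kind, item: True):
    """Emit profile text, asking decide(kind, item) about every candidate rule
    the way the log analyzer prompts the administrator. Rejected items are left
    out, so behaviour the program should never have shown does not become policy."""
    lines = ["#include <tunables/global>", "", f"{profile} {{", "  #include <abstractions/base>", ""]
    for cap in sorted(caps):
        if decide("capability", cap):
            lines.append(f"  capability {cap},")
    for family, sock_type in sorted(nets):
        if decide("network", f"{family} {sock_type}"):
            lines.append(f"  network {family} {sock_type},")
    lines.append("")
    for path in sorted(files):
        if decide("file", path):
            lines.append(f"  {path} {file_mode(''.join(sorted(files[path])))},")
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    files, caps, nets = collect_events(SAMPLE_LOG, "/usr/sbin/foo")
    # The reviewer rejects the read of /etc/shadow; everything else is accepted.
    print(build_profile("/usr/sbin/foo", files, caps, nets,
                        decide=lambda kind, item: item != "/etc/shadow"))
```

The point of the decision callback is the caveat that matters in practice: learning mode records everything the program did during the run, including bugs and anything an attacker did to it while it was unconfined, so every prompt has to be answered against what the program is supposed to do, not what it happened to do. The /etc/shadow read in the sample is left out of the profile for that reason, and exec events (mapped to ix here) deserve the same scrutiny, since the analyzer offers profile or unconfined execution as alternatives.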
- A profile can decide how forked child processes of the application are treated: they can inherit the parent's profile, run under their own profile, or run unconfined.
- Profiled applications can be monitored through event notifications by severity level, scheduled reports, application audit reports and reports generated on demand.
- Built-in and user-defined security profiles can be backed up.
- AppArmor can profile sub-applications of a parent application, such as web applications running under Apache, by making the parent "ChangeHat aware": the parent switches to a sub-profile (a hat) for each application it runs, so a web application added under Apache is confined by its own hat without loosening the main Apache profile.