Home - mikejl/research GitHub Wiki
Welcome to the SII research wiki!
Abstract
SELinux lacks methods to prove compliance with security policies and to detect change. The SELinux Integrity Instrumentation (SII) parses key parts of SELinux and the Linux operating system that provide a configuration baseline. SII uses sets of hashing algorithms that allow snapshots to be taken and compared against the baseline. Configuration changes to Services, Booleans, and File Context were detected, and the differences displayed. Further, the type (domain) is parsed, so relationships between services, Booleans, and file context can be viewed by domain. SII offers a foundation that can be explored for standalone use or integrated into existing SELinux tools. Security administrators can use SII to ensure configuration integrity and to audit configurations against security goals. It is critical to measure what needs to be managed, and SII brings a unique and innovative way to help manage SELinux.
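The baseline-and-snapshot comparison the abstract describes, as an added illustration that is not SII's own code: constructed stand-ins for `getsebool -a`, `semanage fcontext -l` and `systemctl list-units` output are hashed line by line, a later snapshot is diffed against the baseline, and the entries are related to a domain by name. The domain matching is a simple prefix heuristic assumed here in place of the dissertation's type parsing.

```python
import hashlib

# Constructed stand-ins for `getsebool -a`, `semanage fcontext -l` and
# `systemctl list-units` output; a real run would capture those commands.
BASELINE = {
    "booleans": "httpd_can_network_connect --> off\nhttpd_enable_homedirs --> off\n",
    "fcontext": "/var/www(/.*)?  all files  system_u:object_r:httpd_sys_content_t:s0\n"
                "/etc/ssh(/.*)?  all files  system_u:object_r:etc_t:s0\n",
    "services": "httpd.service loaded active running\nsshd.service loaded active running\n",
}
SNAPSHOT = {
    "booleans": "httpd_can_network_connect --> on\nhttpd_enable_homedirs --> off\n",
    "fcontext": BASELINE["fcontext"]
                + "/srv/app(/.*)?  all files  system_u:object_r:httpd_sys_content_t:s0\n",
    "services": "httpd.service loaded active running\n",
}

def manifest(sections):
    """Hash every configuration line; key = first field (Boolean, path, unit)."""
    out = {}
    for name, text in sections.items():
        out[name] = {ln.split()[0]: hashlib.sha256(ln.encode()).hexdigest()
                     for ln in text.splitlines() if ln.strip()}
    return out

def diff(baseline, snapshot):
    """Compare manifests: {section: {"changed": [...], "added": [...], "removed": [...]}}."""
    b, s = manifest(baseline), manifest(snapshot)
    report = {}
    for sec in sorted(b.keys() | s.keys()):
        bk, sk = b.get(sec, {}), s.get(sec, {})
        report[sec] = {
            "changed": sorted(k for k in bk.keys() & sk.keys() if bk[k] != sk[k]),
            "added": sorted(sk.keys() - bk.keys()),
            "removed": sorted(bk.keys() - sk.keys()),
        }
    return report

def by_domain(sections, domain):
    """Relate services, Booleans and file contexts to one domain prefix such as
    "httpd" by name/type match (assumed heuristic, not the dissertation's parser)."""
    keys = lambda sec, pred: [ln.split()[0] for ln in sections[sec].splitlines() if pred(ln)]
    return {
        "services": keys("services", lambda ln: ln.startswith(domain + ".")),
        "booleans": keys("booleans", lambda ln: ln.startswith(domain + "_")),
        "fcontext": keys("fcontext", lambda ln: ":" + domain + "_" in ln),
    }
```

Because each line is hashed separately, the report names the exact Boolean, path or unit that changed rather than only flagging that the section differs.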
Problem
There is a lack of methods to ensure SELinux configuration compliance.
Dissertation
Libassi, Mike. SELinux Integrity Instrumentation (SII): Instrumenting SELinux for configuration auditing and integrity monitoring. Colorado Technical University, ProQuest Dissertations & Theses, 2016. 3717282.
Research Process
The research was performed using the Design Science Research in Information Systems methodology.
Proposition
The new SELinux Integrity Instrumentation (SII) can prove compliance with security policies through detection of change.
Research using a quantitative framework that detects changes to SELinux's configuration will mitigate configuration uncertainties. In addition, the mapping of services, objects and policies will allow for monitoring, auditing and reporting of the SELinux configuration.
Research Question(s)
- RQ1. Does collecting the relationship of service to policy to object by domain detect changes to services and indicate related policies and object context?
- RQ2. Does collecting the relationship of service to policy to object by domain detect changes to policies and indicate related services and object context?
- RQ3. Does collecting the relationship of service to policy to object by domain detect changes to object context and indicate related services and policies?
- RQ4. Does collecting the relationship of service to policy to object by domain detect services not covered under any security policies?