6 Improved Server Security with iDRAC9 and SELinux
2 Security initiatives
2.1 SELinux framework
The first initiative is the adoption of the SELinux security framework. Dell EMC wrote comprehensive security
policies for every task that runs on the iDRAC and then ran comprehensive tests to ensure that no features
were broken in the process. SELinux operates at the core kernel level on the iDRAC and does not need any
input or configuration from the users. SELinux adds a mitigation factor that prevents many programming flaws
from being further exploited to gain elevated access to the system. Moreover, SELinux logs security
messages when an attack is detected. These log messages indicate when and how an attacker tried to break
into the system. Currently, these logs are available through SupportAssist to customers enrolled in this new
feature. In a future release of iDRAC, these logs will be available in the Lifecycle Controller Logs.
SELinux is a core Linux security technology that is merged in the standard Linux kernel. SELinux has been
gaining adoption within many Linux distributions. Red Hat Enterprise Linux (RHEL) was one of the first
adopters, and other Linux users followed. SELinux is now maintained in the core Linux kernel by a dedicated group
that includes Red Hat, Network Associates, Secure Computing Corporation, and Tresys Technology, among others.
This security technology uses a method referred to as Mandatory Access Control. This method enables you
to specify all the privileges that internal processes need to complete their tasks and also limits the access to
only those tasks. This is important because most attempts to hack a system involve trying to make processes
do things that are outside of the original design.
2.2 Processes with Unix root privilege
The other major initiative is to eliminate processes that run with Unix root privileges. iDRAC was originally
ported from an OS that did not have the concept of user privilege separation, and that remnant lasted for
several generations. Dell EMC has undertaken a major initiative to ensure that all internal processes running
inside iDRAC run with the least-required privileges, a core Unix security concept. This approach provides
protection against programming flaws. This protection ensures that a process that might get
attacked cannot access files or hardware that are outside the scope of that process. For example, the process
that provides Virtual KVM support should not be able to change fan speeds. Running these two processes as
different users helps protect the system by preventing attacks from propagating from one process to another.
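As an added illustration (not Dell EMC code or iDRAC output), the following Python example parses denial records of the kind the SELinux log messages in section 2.1 describe and tallies which process domain was refused which access, using the Virtual KVM and fan example from section 2.2. It assumes the records use the standard Linux kernel AVC audit format; the sample lines, process names, and SELinux type names are constructed and hypothetical.

```python
import re
from collections import Counter

# Constructed sample records in the standard Linux kernel AVC audit format.
# The process names and SELinux types (vkvm_t, fan_ctl_t, ...) are hypothetical,
# not taken from the iDRAC policy.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:41): avc:  denied  { write } for  pid=812 comm="vkvmd" name="pwm1" dev="sysfs" ino=9021 scontext=system_u:system_r:vkvm_t:s0 tcontext=system_u:object_r:fan_ctl_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.350:42): avc:  denied  { write } for  pid=812 comm="vkvmd" name="pwm2" dev="sysfs" ino=9022 scontext=system_u:system_r:vkvm_t:s0 tcontext=system_u:object_r:fan_ctl_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000004.007:43): avc:  denied  { read open } for  pid=640 comm="webd" path="/etc/shadow" dev="mmcblk0p2" ino=77 scontext=system_u:system_r:webd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000004.007:43): arch=40000028 syscall=322 success=no exit=-13
garbage line that is not an audit record
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
    rec.update(ts=float(m["ts"]), result=m["result"], perms=m["perms"].split())
    # An SELinux context is user:role:type:level; the type drives the decision.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def summarize_denials(log_text):
    """Count denials per (source domain, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["source_type"], rec["target_type"], rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize_denials(SAMPLE_LOG).most_common():
        print(f"{n}x {src} -> {tgt}:{cls} {{{perm}}}")
```

Repeated denials from one domain against a type it has no business touching, such as the constructed KVM domain writing to fan controls, are the pattern worth alerting on.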