Not Yet Another Setup Tool Anymore
GUI-Based, Application-Level Security Management for Novell's SLES 9
September 23, 2004
Long-time Linux security specialist Immunix has produced one of the first GUIs for YaST, a text-based installation and management environment in Novell's SUSE Linux operating system.
The new point-and-click interface for application security works in conjunction with SUSE Linux Enterprise Server (SLES) 9, as well as with an add-on product called the Immunix SubDomain Host Application Security Suite.
A player in Linux security ever since 1998, Immunix contributed the Linux Security Modules (LSM) interface available on the SUSE 2.6 kernel.
"SLES is the first Linux distribution to use the Linux 2.6 kernel," pointed out Immunix CEO Cheryl Traverse in an interview with LinuxPlanet.
Geared to both novice and expert Linux administrators, Immunix's new security solution is meant to protect against software bugs and misconfigurations that can lead to security vulnerabilities.
"We work with every application that runs on top of 2.6, to make sure the application is doing what it's supposed to do," she told LinuxPlanet.
The main components of the new GUI include the SubDomain Control Center, for managing the Immunix security suite; the Profile Assistant Toolset, which provides guided help in generating security profiles for individual applications; and the Server Analysis Tool.
Instead of giving access privileges to users, the Immunix suite grants privileges to applications, according to Traverse. The application profiles in the Immunix suite let administrators decide whether an application is allowed to read, write, and execute.
The Service Analysis Tool audits the system and recommends vulnerable applications as candidates for "security confinement." When applications are confined, however, they are not necessarily totally sandboxed. Administrators can still opt to let the applications interact in controlled ways.
The suite itself includes a Template Generator, which statistically analyzes an application's binary code and generates a profile template. Another component, the Auto Learning Tool, is able to run the application through its normal operations, profiling rule violations but not enforcing them.
The suite's Interactive Optimizer synthesizes log events into a profile. Power users can utilize the product's built-in Visual Editor to view and modify privileges.
Immunix's SubDomain Suite also comes with pre-built profiles for a number of OS services and applications, including the Apache Web server; Postfix mail server; Sendmail mail server; MySQL relational database; Squid Web caching proxy; OpenSSH; and FTP, NFS, DNS, and DHCP servers. The Apache profile provides confinement for CGI scripts. The OpenSSH profile allows for privilege separation before authentication.
Novell inherited YaST, a long-time installation and administration tool, with its acquisition of SUSE Linux. SUSE now includes two additional systems management environments (SMEs), too: ZenWorks, an environment that originated on the NetWare platform, and Red Carpet, first developed by Ximian Inc., another Novell acquisition.
At BrainShare 2004, Novell's annual spring users' conference, Novell announced a change in YaST licensing to GPL.
However, to spur development of third-party YaST-based applications, YaST had already been released to the open source community even before the Novell show, said Chris Schlaeger, Novell's VP for R&D, during an interview at BrainShare in April.
YaST is built into SUSE Linux Professional and Personal editions, in addition to the Enterprise product. Novell officials have foreseen the development of YaST-based open source applications in areas ranging from local desktop administration to remote management.
"YaST started out in 1994 as a tool for installing a Linux OS. Yet it also has functionality for various other things. One of these things is to serve as a framework for systems administration and management," said Markus Rex, VP and general manager for SUSE Linux, during another interview.
Meanwhile, Novell has been working with partners such as Hewlett-Packard and IBM on building a "unified management layer" around YaST.
Specifically, YaST's functionality currently includes features such as automatic detection of available hardware; proposals to users for resizing any Windows installations; automatic patch management; and configuration of Internet connections and printers.
By using YaST together with Samba, users can set up Linux and Windows hosts, as well as DNS, DHCP, and Web servers. By employing YaST with the XNTP module, users can synchronize the host with an atomic clock time server.
Traverse said this month that Immunix is also eyeing possible integration between its security suite and Novell's ZenWorks tools. "But that's at least a year away," she noted.