Week 11b: MAC Systems & Security Auditing

Goal

Understand the difference between traditional Linux permissions (DAC) and Mandatory Access Control systems (AppArmor/SELinux). Learn to audit your system’s security posture using Lynis and systematically fix vulnerabilities.

Prerequisites: Week 11a (Hardening Foundations)

This is Part 2 of 4 - Covers MAC concepts and security auditing.

1. Understanding Mandatory Access Control (MAC)

What is MAC vs DAC?

DAC (Discretionary Access Control) - Traditional Linux:

Owner decides who can access their files

Example: You create secret.txt, you decide who can read it
Problem: Malware running as your user inherits ALL your permissions
Weakness: If Firefox is exploited, attacker gets access to everything you own

MAC (Mandatory Access Control) - AppArmor/SELinux:

System-wide security policy restricts what processes can do

Example: Firefox can only access specific directories, even running as you
Benefit: Exploited Firefox still can’t read ~/.ssh/ or ~/.gnupg/
Strength: Limits blast radius of compromised applications

Key Difference:

Aspect	DAC	MAC
Control	User decides	System policy decides
Scope	File ownership	Process capabilities
Bypass	Easy (run as user)	Hard (requires policy change)
Example	`chmod`, `chown`	AppArmor, SELinux

How AppArmor Works (Path-Based MAC)

AppArmor profiles restrict by file path:

# Example: Firefox AppArmor profile snippet
/usr/bin/firefox {
  # Allow reading these locations
  /usr/share/firefox/** r,
  /home/*/.mozilla/** rw,

  # DENY everything else
  deny /home/*/.ssh/** rw,
  deny /home/*/.gnupg/** rw,
}

Key characteristics:

Path-based - Controls access by filesystem location
Easy to understand - Paths match real filesystem
Ubuntu default - Pre-installed and easier for beginners
Complain mode - Learn before enforcing (won’t break apps immediately)

How SELinux Works (Label-Based MAC)

SELinux uses security contexts (labels) on files:

# Check SELinux label on a file
ls -Z /usr/bin/firefox
# Output: system_u:object_r:mozilla_exec_t:s0

# Firefox process gets its own security context
ps -eZ | grep firefox
# Output: system_u:system_r:mozilla_t:s0

Key characteristics:

Label-based - Uses security contexts independent of paths
More powerful - Granular control over capabilities
Red Hat default - Used by RHEL, Fedora, CentOS
Steeper learning curve - More complex policy language
Resistant to path tricks - Hard links, symlinks don’t bypass

When to Use Which?

Use AppArmor if:

Running Ubuntu/Debian-based system
Want simpler, more intuitive policies
Primarily concerned with filesystem access
New to mandatory access control

Use SELinux if:

Running Red Hat/Fedora-based system
Need extremely fine-grained control
Want label-based security (harder to bypass)
Willing to invest time in learning complex policies

For this course: We’ll focus on AppArmor (Ubuntu default, easier to learn, still very effective)

2. Security Auditing with Lynis

What is Lynis?

Lynis is an open-source security auditing tool that scans your Linux system for:

Configuration weaknesses
Missing security patches
Insecure default settings
Hardening opportunities

Think of it as a security consultant that reviews your system and provides actionable recommendations.

Install and Run Lynis

# Install Lynis
sudo apt install lynis

# Run full system audit
sudo lynis audit system

# Save output to file for review
sudo lynis audit system --report-file /tmp/lynis-report.txt

Audit takes 2-3 minutes and checks:

Boot and services
Kernel configuration
Memory and processes
Users, groups, and authentication
File systems and storage
SSH and networking
Logging and auditing
Installed packages

Interpreting Lynis Output

Lynis uses a scoring system:

Hardening index : 68 [############        ]

0-50: Weak security posture (immediate attention needed)
51-75: Moderate hardening (good starting point)
76-90: Strong hardening (well-configured system)
91-100: Excellent hardening (very secure, may impact usability)

Color-coded findings:

Red (WARNING) - Security issue requiring attention
Yellow (SUGGESTION) - Hardening opportunity
Green (OK) - Properly configured

Common Issues and Fixes

Issue 1: SSH allows password authentication

# Lynis warning:
# * Consider hardening SSH configuration [SSH-7408]

# Fix: Disable password auth (use keys only)
sudo sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart sshd

Issue 2: World-writable files found

# Lynis warning:
# * Found world-writable files [FILE-6310]

# Find and fix
sudo find / -xdev -type f -perm -002 -exec chmod o-w {} \;

Issue 3: Kernel parameters not hardened

# Lynis suggestion:
# * Harden compilers like restricting access to root user only

# Fix: Restrict compiler access
sudo chmod o-rx /usr/bin/{gcc,g++,cc,as,ld}

Issue 4: Unnecessary services running

# Lynis warning:
# * Check for running services

# Remove unneeded services
sudo apt purge avahi-daemon cups telnet ftp rpcbind
sudo systemctl disable bluetooth.service

Hardening Workflow: Audit → Fix → Retest

Step 1: Initial audit

sudo lynis audit system | grep -i "warning\|suggestion" > lynis-todos.txt

Step 2: Prioritize findings

Focus on red warnings first
Address network-exposed services
Fix authentication weaknesses
Harden kernel and SSH

Step 3: Apply fixes systematically

Fix one category at a time
Document changes made
Test that services still work

Step 4: Re-audit to verify improvement

sudo lynis audit system
# Check if hardening index increased

Goal: Iterate until hardening index reaches 75+ (good balance of security vs usability)

Lab: Run Lynis and Harden Based on Output

Objective: Security audit and systematic remediation

Estimated time: 30-45 minutes

Steps:

Run initial Lynis audit and record hardening score
Save suggestions to a file for review
Fix top 5 highest-priority issues
Re-audit and measure improvement

Commands:

# Initial audit
sudo lynis audit system | tee lynis-initial.txt
# Note the hardening index score

# Extract actionable items
sudo lynis audit system | grep -E "Warning|Suggestion" > lynis-todos.txt

# Fix issues (examples from earlier section)
# - Disable SSH password auth
# - Remove world-writable files
# - Disable unnecessary services

# Re-audit
sudo lynis audit system | tee lynis-final.txt
# Compare scores

Deliverable: Document your initial vs final hardening score and list fixes applied

Up Next

Week 11c covers kernel hardening with sysctl and implementing AppArmor profiles for your applications.

Key Takeaways

DAC (traditional permissions) gives users control but malware inherits all user rights
MAC (AppArmor/SELinux) enforces system-wide policies that contain compromises
AppArmor uses paths and is simpler; SELinux uses labels and is more powerful
Lynis audits your system and provides actionable hardening recommendations
Systematic audit → fix → retest workflow improves security incrementally

Goal#

1. Understanding Mandatory Access Control (MAC)#

What is MAC vs DAC?#

How AppArmor Works (Path-Based MAC)#

How SELinux Works (Label-Based MAC)#

When to Use Which?#

2. Security Auditing with Lynis#

What is Lynis?#

Install and Run Lynis#

Interpreting Lynis Output#

Common Issues and Fixes#

Hardening Workflow: Audit → Fix → Retest#

Lab: Run Lynis and Harden Based on Output#

Up Next#

Key Takeaways#