An Overview Of RedHawk Linux Security Features


Kernel- and User-level Security Features Join to Harden RedHawk to Military-grade Standards

(800) 666.4544 or (954) 974-1700

Overview

RedHawk Linux provides several kernel-level and user-level security features that together can provide powerful levels of security capable of hardening RedHawk systems to military-grade standards. This document discusses several main RedHawk security features including SELinux, Secure Boot, FIPS, STIG, LUKS and TPM.

SELinux

Security-Enhanced Linux (SELinux) is a set of kernel modifications and user-space tools that have been developed by the National Security Agency (NSA) and Red Hat. All RedHawk kernels include the SELinux security module, and SELinux user-space tools are installed as part of a standard RedHawk Linux product installation. RedHawk also provides a default set of security policy configuration files designed to meet general-purpose security goals, and these policies can be tailored for site-specific security requirements.

The SELinux kernel security module implements a powerful and flexible Mandatory Access Control (MAC) architecture on top of each major subsystem of the Linux kernel. MAC enforces the separation of information into different security levels based on confidentiality and integrity; blocks all attempts to tamper with or bypass security mechanisms; and significantly contains and controls any damage that may be caused by malicious or flawed applications.

Secure Boot

Secure boot is a security standard agreed upon by members of the PC industry/Original Equipment Manufacturers (OEMs) to validate software through the entire boot cycle. Validation of software starts at the hardware level and continues up the stack through UEFI firmware drivers (ROMs), EFI bootloaders, kernels, and finally to drivers. All RedHawk kernels are signed by a secure, Certificate Authority (CA)-based key that is validated by a secure EFI bootloader. RedHawk provides tools for creating and signing custom RedHawk kernels and drivers for use with secure boot systems.

Secure boot relies on closely guarded private keys that are used to sign all software involved with the boot process. Only signed, trusted software may be loaded onto a system. This prevents a bad actor from adding untrusted software or malware such as rootkits to a system. Any unsigned software is immediately rejected by the system when there is no trusted signature associated with the binaries. Thus, the firmware, kernel and all underlying drivers always maintain a high degree of integrity.

FIPS

The Federal Information Processing Standard (FIPS) publication is a security standard that certifies cryptographic modules. FIPS defines critical encryption standards for protecting sensitive data. RedHawk supports all encryption methods used within FIPS protocols. RedHawk kernels support booting in FIPS-compliant mode where all encryption is based on the FIPS security level required. The FIPS standard provides four security levels that cover different industry, security, and administration needs. The RedHawk kernel is fully compatible with RHEL/CentOS software which maintains FIPS-related packages.

FIPS is enabled at boot time, which loads the required cryptographic modules into the RedHawk kernel. These modules are responsible for cryptographic key generation for ciphers and Message Authentication Codes. FIPS algorithms rely on hardware-based entropy within the system to generate encryption keys. By enforcing FIPS, RedHawk systems can enforce cryptographic standards used by government agencies and third-party vendors.
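The SELinux, Secure Boot and FIPS states described above can be read back from the running kernel. The script below is an added example, not Concurrent's or this document's own code; it uses the standard Linux interfaces (/sys/fs/selinux/enforce, /proc/sys/crypto/fips_enabled and the SecureBoot EFI variable) on the assumption that RedHawk exposes them unchanged, and the root-prefix argument of each function is a hypothetical convenience so the checks can be pointed at a test tree.

```shell
#!/bin/sh
# Added example: standard Linux paths, assumed unchanged on RedHawk.
# Each function takes a root prefix ("" on a live system).

SB_VAR=sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# SELinux: the enforce file holds 1 (enforcing) or 0 (permissive).
selinux_state() {
    f="$1/sys/fs/selinux/enforce"
    [ -r "$f" ] || { echo disabled; return; }
    case "$(cat "$f")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# FIPS: 1 when the kernel was booted in FIPS mode.
fips_state() {
    f="$1/proc/sys/crypto/fips_enabled"
    [ -r "$f" ] || { echo unsupported; return; }
    case "$(cat "$f")" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# Secure Boot: efivarfs puts 4 attribute bytes before the 1-byte value.
secureboot_state() {
    f="$1/$SB_VAR"
    [ -r "$f" ] || { echo no-uefi; return; }
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Print all three states; non-zero exit if any is not in its hardened state.
audit() {
    rc=0
    s=$(selinux_state "$1");    echo "selinux=$s";    [ "$s" = enforcing ] || rc=1
    s=$(fips_state "$1");       echo "fips=$s";       [ "$s" = enabled ]   || rc=1
    s=$(secureboot_state "$1"); echo "secureboot=$s"; [ "$s" = enabled ]   || rc=1
    return $rc
}
```

On a live system, source the file and call `audit ""`; the exit status makes it usable as a boot-time or monitoring check.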

STIG

Security Technical Implementation Guide (STIG) is a cybersecurity methodology for standardizing security protocols with logical designs, networks, servers and computers to enhance overall security. STIG protocols are developed and published by the Department of Defense (DoD). STIGs are defining protocols that encompass the totality of a RedHawk system from defining file system types and encryption to network security protocols. STIG rules enforce compliance of RedHawk user-level packages to meet stringent security standards.

RedHawk offers STIG compliance via the RedHawk Architect tool. Architect is a powerful tool that can be used to configure an entire RedHawk system for compliance with various STIG protocols. You can choose from several different STIG protocols and Architect will prepare the system and begin running STIG compliance tests to validate system integrity. The DoD releases STIG guidelines in machine readable XML files that can be directly passed to Architect to create highly secure RedHawk systems.

LUKS And TPM

RedHawk provides full support for hard disk encryption through the Linux Unified Key Setup (LUKS) standards. LUKS provides secure management of passphrases by storing encrypted keys in partition headers, and LUKS prevents a user from unlocking partitions and booting the system without first manually supplying a correct passphrase.

In addition, RedHawk provides full support for the hardware Trusted Platform Module (TPM) standards. The TPM can be securely configured to automatically unlock LUKS partitions at boot time for situations where manually entering a passphrase is not practical. Even when the TPM is used, LUKS encryption remains strong and any attempt to remove the hard disk and boot it in another system will fail unless a user manually enters a correct passphrase.

Summary

RedHawk maintains a high degree of compliance with security protocols recommended by the Department of Defense, the National Security Agency and the National Institute for Standards and Technology. This high degree of compliance allows RedHawk to meet the strictest requirements of government agencies and their third-party vendors. These features improve the IT infrastructure by reducing the attack surface of critical RedHawk systems.

RedHawk is fully compatible with Red Hat Enterprise Linux (RHEL) Software which maintains Common Criteria standards (EAL3 and EAL4) and FIPS security certifications. While RHEL certifications are not automatically inherited by RedHawk, its close compatibility with RHEL enables RedHawk to be certified to the same standards. Please contact us to learn more.

About Concurrent Real-Time

Headquartered in Pompano Beach, FL, Concurrent Real-Time is the industry’s foremost provider of high-performance real-time computer systems, solutions and software for commercial and government markets worldwide. Its real-time Linux solutions deliver hard real-time performance in support of the world’s most sophisticated hardware in-the-loop and man-in-the-loop simulation, high-speed data acquisition, process control and low-latency transaction processing applications. With over 50 years of experience in real-time solutions, Concurrent Real-Time provides sales and support from offices throughout North America, Europe and Asia.

More Information

Concurrent
(800) 666.4544 or (954) 974-1700
