Security Hardening F5's BIG-IP with SELinux

Updated for BIG-IP Version 15!

When a major release hits the street, documentation and digital press tends to focus on new or improved user features, seldom do underlying platform changes make the spotlight. Each BIG-IP release have plenty new customer-centric features but one unsung massive update is SELinux’s extensive enforcing mode policy across the architecture. This isn’t one change nor is this one development group making a few updates. This represents a commitment by F5's Product Development to ensure their code and modules comply with the ever-increasing security requirements the industry look for from our platforms. We practice what we preach; F5 is a security company. BIG-IP and SELinux are no strangers, having coexisted since 2009, but comparing our original efforts to our current SELinux implementation is akin to having your kid's youth soccer team shoot penalties against David Seaman.

A Brief Understanding of SELinux

In Linux land, security is enforced via Discretionary Access Controls (DAC). A resource is associated with a user/group and given a permission set (read, write, execute). The permissions of a resource are validated against the requestor and granted or denied based on those permissions. This is useful for user access to resources but most processes run root level permissions; you know, the account you’re not supposed to run things as if you don’t have to.  An application or user running as root, if compromised, negates the security defined on the system.

SELinux (Security-Enhanced Linux) provides secondary granular security complimenting DAC with Mandatory Access Control (MAC) policies. SELinux implements a policy database to govern how a subject is allowed to interact with an object, and either grants permission or denies access based on those predefined rules. A subject in this context is any process that “acts” on something; an object is whatever is being acted on by the subject. This could be an http daemon (subject) requesting a port (object) or mysql (subject) accessing it’s own database files (object). Since an object can be a directory, file, socket, pipe, memory, IPC… the amount of potential policy rules one can create on a system is overwhelming. Now you’re starting to realize how large this undertaking this can be.

BIG-IP and SELinux

SELinux can run in Permissive or Enforcing mode, where permissive will log denials but still allow the interaction of subject and object (disabled is also a mode, albeit not useful in our case). Enforcing mode will log and prohibit any policy violations and is how security appliances should work.  To run

sestatus
and see
Current mode: enforcing 
is only step A. If the SELinux policy is empty, you’re enforcing nothing. To get a better idea of the massive policy expansion between 11.6 and current versions, we can compare policy summaries on each version using
checkpolicy
:

v.11.6

Reading policy... 
libsepol.policydb_index_others: security: 3 users, 6 roles, 1904 types, 258 bools 
libsepol.policydb_index_others: security: 1 sens, 1024 cats 
libsepol.policydb_index_others: security: 65 classes, 105769 rules, 53457 cond rules 
binary policy file loaded

v.12.1

Reading policy...
libsepol.policydb_index_others: security:  9 users, 12 roles, 4053 types, 225 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  81 classes, 361831 rules, 305448 cond rules
binary policy file loaded

v.12.1.3

checkpolicy:  loading policy configuration...
libsepol.policydb_index_others: security:  9 users, 12 roles, 4062 types, 225 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  81 classes, 366513 rules, 305674 cond rules

v.13.1.0.2

checkpolicy:  loading policy configuration...
libsepol.policydb_index_others: security:  9 users, 12 roles, 4225 types, 232 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  81 classes, 453588 rules, 321284 cond rules

v.15.1.0.1-0.0.4

checkpolicy:  loading policy configuration from /etc/selinux/targeted/policy/policy.30
libsepol.policydb_index_others: security:  8 users, 14 roles, 5230 types, 313 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  91 classes, 115994 rules, 22910 cond rules

Note the growth in rules and in conditional rules as versions mature. Product development has been very busy to ensure functional parity while further restricting permission maps of how processes operate in their respective domains against their intended targets. Any attempt to override or elevate privileges on processes or objects would be met with a denial and log entry.

Moving Forward….

SELinux on BIG-IP is one of those features you should be excited about but don’t actually play with, and that’s ok. For the SELinux admin, you understand the effort required and it’s quite impressive. For those new to SELinux and think this isn't a big deal, there are plenty of information on the internet to help understand how it can improve and complicate your various systems.  In BIG-IP we took care of the heavy lifting for you. Below are more resources for further reading so you can be the life of any party. Thanks for playing.

Related SELinux Resources:

Updated Jun 06, 2023
Version 2.0
  • Way to go guys. This is a really important piece of work. And I'm glad you wrote an article about it, because it's really interesting and I'd probably never have noticed on my own (I don't tend to run comparisons of rule counts on every new version I install :) ).

     

  • We're glad you liked it. We wanted to highlight this internal development program since it gets no visibility externally. We started this for v12 because that's when the program really kicked off and it's nice to see it's an active effort to secure the internal BIG-IP mechanisms.