Chapter 2: Why do I need AKARI?
AKARI is a Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool. It is a Linux kernel module based on TOMOYO Linux, which was launched in 2003.
AKARI focuses on the behaviour of a system. Every process is created to achieve a purpose, and like an immigration officer, AKARI allows each process to declare behaviours and resources needed to achieve their purpose. When protection is enabled, AKARI acts like an operation watchdog, restricting each process to only the behaviours and resources allowed by the administrator.
In an operating system (OS), each program or process is mostly unrestricted in the tasks that it is able to perform (see illustration below). A security-focused OS should implement some form of restriction that prevents a process from performing tasks that it should not perform, or that the administrator specifically wants to prevent it from performing. For example, a web server such as Apache should be allowed to provide only web services. It should not have access to areas of the filesystem that it does not need, and it should not be allowed to start or interact with other unrelated processes. The Linux filesystem Access Control Lists (ACLs) provide little protection, especially as many services are run as the root user. MAC, on the other hand, can take this protection much further, allowing very precise control over what each process is allowed to do, even for processes running as root (see illustration below). This is important in the event that a process is compromised. Without MAC, a compromised process would be free to do whatever it wants!
Unrestricted access on a normal OS:
Restricted access on an OS using MAC:
MAC therefore provides a way to create a "policy of least privilege". Each process has a definition of what it is allowed to do, which is called the "policy". This policy allows only the minimum that the process needs in order to function normally. If a process or application tries to perform a task that is not allowed by this policy, it is denied the ability to perform that task. This prevents any unwanted activity from occurring.
An important part of MAC is the creation and management of this policy for every process in a system, which requires knowledge of precisely what each process should be allowed to do. This may sound like a fiendishly difficult task, and it does require a high degree of understanding and skill. However, AKARI provides a "Learning Mode" that generates policy automatically, which can serve as a base from which policy is developed and refined. This "Learning Mode" can thus be used alongside a firm understanding of the concepts involved in AKARI to secure a system in a short amount of time. Any experienced Linux administrator should be able to set up and use AKARI within a day!
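As an added illustration of what such a least-privilege policy looks like (this example is not taken from the AKARI documentation), the fragment below shows a domain policy entry for an Apache process in the domain policy syntax shared by TOMOYO 1.8 and AKARI. The Apache paths, log file and port are assumed sample values for a typical installation; the profile numbers follow the default profile layout, where profile 1 is learning mode and profile 3 is enforcing mode.

```text
# Domain for Apache started directly by the kernel's init chain.
# While the policy is being learned, use_profile 1 records every access
# Apache makes; once the recorded rules have been reviewed, switching to
# use_profile 3 enforces them and everything not listed is denied.
<kernel> /usr/sbin/httpd
use_profile 3
use_group 0

# Configuration and content: read only, nothing else in the filesystem.
file read /etc/httpd/conf/httpd.conf
file read /etc/httpd/conf.d/\*.conf
file read /var/www/html/\{\*\}/\*

# Logging: append only, so a compromised worker cannot rewrite history.
file append /var/log/httpd/access_log
file append /var/log/httpd/error_log

# Networking: listen on the web port only; no outbound connections listed,
# so a reverse shell or download attempt from a compromised process is denied.
network inet stream bind 0.0.0.0 80
network inet stream listen 0.0.0.0 80
network inet stream accept 0.0.0.0-255.255.255.255 1024-65535

# Deliberately absent: no "file execute" lines, so Apache cannot launch
# other programs, and no "file write" to the web root or /etc.
```

Anything Apache attempts that is not covered by these lines is rejected in enforcing mode and logged, which is the behaviour the "policy of least privilege" above describes.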
A restricted system helps to reduce the damage done when an application is compromised. For example, damage can be reduced from security exploits such as buffer overflows. Such protection is therefore especially important for internet-facing services such as Apache or SSH. If a policy of least privilege is in place, a remote attacker that gains control of such an application can be prevented from further compromising a system.