AKARI is a Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool. It is a Linux kernel module based on TOMOYO Linux, which was launched in 2003.
AKARI focuses on the behaviour of a system. Every process is created to achieve a purpose, and, like an immigration officer, AKARI lets each process declare the behaviours and resources it needs to achieve that purpose. When protection is enabled, AKARI acts like an operational watchdog, restricting each process to only the behaviours and resources the administrator has allowed.
In a normal operating system (OS), every application runs unmonitored, and it is difficult to determine what is happening in the system.
If AKARI is introduced, each application can be monitored to determine exactly what it is doing, and a policy configuration can be generated automatically. Every action that an application performs is automatically appended to an Access Control List (ACL). Browsing this list allows a precise understanding of what each application is doing.
AKARI can therefore be used as a system analysis tool, which can aid in:
- debugging applications
- understanding the behaviour of a Linux system
- writing documentation
If protection is enabled, AKARI uses Mandatory Access Control to restrict each application to doing only what the administrator has allowed.
AKARI can therefore be used as a system restriction tool, which can aid in:
- restricting services such as SSH and Apache
- restricting system administrator operations
- creating per-application networking firewalls
- reducing damage caused by buffer overflows and other security exploits
- deploying a honeypot system
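As an added illustration of the learning-then-enforcing workflow described above (example code written for this page, not part of AKARI or TOMOYO), the following Python reviewer parses a constructed AKARI/TOMOYO-style domain policy excerpt, lists the domains still in learning mode, and flags learned ACL entries that an administrator would want to confirm before switching a domain's profile to enforcing. The policy syntax and profile numbering follow the TOMOYO 1.8 defaults as I understand them; the sample policy, the sensitive-file list and the review heuristics are assumptions.

```python
# Constructed sample (hypothetical, not a real dump) in domain_policy syntax:
# a domain header, its use_profile line, then one learned ACL entry per line.
SAMPLE_POLICY = """\
<kernel> /usr/sbin/sshd
use_profile 1
file read /etc/ssh/sshd_config
file execute /bin/bash
network inet stream bind 0.0.0.0 22

<kernel> /usr/sbin/sshd /bin/bash
use_profile 1
file execute /usr/bin/vi
file write /etc/shadow
"""
LEARNING = 1  # init_policy defaults: 0 disabled, 1 learning, 2 permissive, 3 enforcing

def parse_domain_policy(text):
    """Return {domain: {"profile": int or None, "acl": [entry, ...]}}."""
    domains, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("<kernel>"):  # a domain header starts a new block
            current = line
            domains[current] = {"profile": None, "acl": []}
        elif current is None:
            raise ValueError("entry before any domain header: " + line)
        elif line.startswith("use_profile "):
            domains[current]["profile"] = int(line.split()[1])
        else:
            domains[current]["acl"].append(line)
    return domains

def learning_domains(domains):
    """Domains still in learning mode, i.e. still collecting ACL entries."""
    return sorted(d for d, i in domains.items() if i["profile"] == LEARNING)

def review(domains, sensitive=("/etc/shadow", "/etc/sudoers")):
    """Flag learned entries to confirm before switching a domain to enforcing."""
    findings = []
    for dom, info in domains.items():
        for entry in info["acl"]:
            p = entry.split()
            if p[:2] == ["file", "write"] and p[2] in sensitive:
                findings.append((dom, "writes sensitive file", p[2]))
            elif p[:2] == ["file", "execute"] and p[2] in ("/bin/sh", "/bin/bash"):
                findings.append((dom, "executes a shell", p[2]))
            elif p[:4] == ["network", "inet", "stream", "bind"]:
                findings.append((dom, "binds a listening port", " ".join(p[4:])))
    return findings
```

Running `review(parse_domain_policy(SAMPLE_POLICY))` on the sample reports the shell execution and port bind learned for the sshd domain and the write to /etc/shadow learned for its child shell domain, while the plain reads and the editor execution pass without comment.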