A systems administrator is hardening a new public-facing Linux web server. According to a new security policy, all processes must be constrained, limiting them to a minimal set of required resources. The administrator needs to implement a security mechanism that actively prevents the web server process from accessing files outside of its designated web root directory, even if a vulnerability in the web application were to be exploited. Which of the following tools is BEST suited for this type of security policy enforcement?
The correct answer is SELinux. Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting mandatory access control (MAC) security policies. It can confine processes, like a web server, to a very specific set of files, directories, and network ports they are allowed to interact with. This directly addresses the scenario's requirement to prevent a process from accessing unauthorized files, which is a key enforcement action.
iptables is a firewall utility that manages network packet filtering. It can control network access to and from the server but does not control a process's access to the local file system.
nmap is a network scanner used for discovery and auditing. It can identify open ports and services but does not enforce any security policies on processes or network traffic.
tripwire is a file integrity monitoring (FIM) tool. It detects and reports on unauthorized changes to files after they have occurred but does not actively prevent the changes from happening in the first place.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is SELinux, and how does it enforce access control?
Open an interactive chat with Bash
How does SELinux differ from a traditional file permission system?
Open an interactive chat with Bash
What are some typical use cases for SELinux other than securing web servers?