🔐 The Linux Security Architecture - PAM, Capabilities, MAC & Beyond

#linux #linuxhardening #linuxsecurity #cybersecurity

Linux powers everything from cloud servers to Android smartphones - trusted not just because it's open-source, but because its security architecture is layered, modular, and resilient.

Instead of depending on a single control, Linux enforces defense-in-depth through authentication frameworks, access controls, kernel-level enforcement, and isolation.

Here's a breakdown of the 7 key layers that make Linux secure:

1️⃣ Discretionary Access Control (DAC) - The Classic Unix Model

DAC is the foundation of Linux security. Every file and process has:

An owner
A group
Permissions for user */ **group */ **others

Example:

-rwxr-xr--  root  admin  script.sh

👉 Fast and simple
❌ But compromise the owner → attacker inherits full access
This is why Linux security evolved beyond just DAC.

2️⃣ Pluggable Authentication Modules (PAM) - How Users Login & Prove Identity

PAM decides how authentication works in Linux - and it's completely modular.

It controls:

Authentication - passwords, MFA, smart cards
Account restrictions - lockouts, expiration, allowed login times
Session rules - mounting home directories, environment setup
Password policies - complexity, aging, history

Example policy enforcement:

password required pam_pwquality.so retry=3 minlen=10 ucredit=-1 lcredit=-1

Admins can enhance security without modifying applications - big win.

3️⃣ Linux Capabilities - Breaking the "Root is God" Problem

Historically, root ** meant **unlimited power.
Even to bind to port 80 → full root access required.

Capabilities divide root into small, controlled privileges:

CAP_NET_BIND_SERVICE - bind to privileged ports
CAP_SYS_ADMIN - broad admin power
CAP_SETUID - change user IDs

Example - secure Nginx without full root:

sudo setcap 'cap_net_bind_service=+ep' /usr/bin/nginx

Result → drastically reduced attack surface.

4️⃣ Mandatory Access Control (MAC) - Security Even Root Must Obey

MAC enforces zero-trust on system resources.

Two major Linux MAC systems:

SELinux - label-based, very fine-grained
AppArmor - profile-based, simpler to implement

Even if root is compromised:

✋ MAC blocks access to confidential files and processes

E.g., a hacked Apache process cannot read /etc/shadow.

Containment becomes default behavior.

5️⃣ Namespaces & cgroups - The Core of Container Security

Containers are secure because the kernel enforces isolation:

Namespaces- isolate visibility of PIDs, networking, users, etc.
cgroups - restrict CPU, memory, and I/O usage
seccomp- block dangerous syscalls (like ptrace)

This ensures:

✔ Containers can't spy on others
✔ Rogue containers can't hog resources
✔ Attackers face syscall roadblocks

Ideal for cloud + microservices workloads.

6️⃣ Linux Security Modules (LSM) - The Kernel Enforcement Engine

LSM provides security hooks inside the kernel, used by:

SELinux
AppArmor
Landlock
TOMOYO
Yama

Check what's active:

cat /sys/kernel/security/lsm

This makes security pluggable, similar to PAM but inside the kernel.

7️⃣ Secure Boot, dm-crypt, TPM - Protecting Integrity & Data-at-Rest

Modern Linux supports enterprise-grade protection:

Secure Boot - blocks boot-level malware/tampering
TPM- hardware root-of-trust, key attestation
dm-crypt / LUKS - encrypted disks → stolen device ≠ stolen data

Security now starts before the kernel even loads.

🧩 Linux Security Layered Model - Quick Summary

1️⃣ Identity & ownership → DAC
2️⃣ Who can log in → PAM
3️⃣ Least privilege → Capabilities
4️⃣ Mandatory rules → MAC
5️⃣ Strong isolation → Namespaces & cgroups
6️⃣ Kernel enforcement → LSM
7️⃣ Trusted boot & encryption → Secure Boot, TPM