ZeroLock & SELinux Comparison and Compatibility
ZeroLock® is 100% compatible with SELinux. You do not need to disable SELinux protections to use ZeroLock. Overall, SELinux provides powerful, effective MAC for Linux systems. However, SELinux requires detailed knowledge, adequate time, and enough personnel to manage for an acceptable security posture.
SELinux
Lockdown Framework
SELinux provides a framework for establishing fine-grained Mandatory Access Control (MAC) policies that define what programs and files another program is allowed to execute and access.
ZeroLock provides the same capability with Lockdown Rules in a format that is easier to understand and manage.
Distribution Versitality
SELinux comes preinstalled in some distributions of Linux, such as CentOS and RedHat. Difficult to use on non-Fedora based distributions.
ZeroLock can be installed with a single command on any distribution of Linux.
Rule Priming
Some services come with preloaded SELinux profiles that lock down the application and reduce its attack surface.
ZeroLock provides a set of Lockdown Rules that are continuously updated to handle the latest threats. Securing a fleet of systems with best practices is achievable in minutes.
Capabilities
SELinux is easy to disable. A root level user can disable SELinux protection by simply running the command “setenforce 0”. At this point, an attacker is free to do whatever they wish on the targeted system.
SELinux cannot be used to establish login restrictions.
SELinux does not correlate events across many data sources or across multiple events and cannot effectively detect and stop ransomware attacks that act across multiple files. SELinux only takes actions based on system call information and can’t stop cryptojacking which executes almost no system calls.
Standard SELinux profiles are infrequently updated. Thus, they do not account for the latest threats.
ZeroLock provides sophisticated anti-tampering capabilities to ensure attackers cannot simply disable protection to achieve their goals. These protections stop even root-level users from performing malicious activity.
ZeroLock provides Multifactor Authentication for SSH.
ZeroLock continuously analyzes program behavior over time to provide advanced detection of attacker techniques and entire classes of malware such as ransomware and cryptojacking.
ZeroLock’s detection engines are routinely updated to handle the latest, most sophisticated threats to Linux systems.
Ease of Use
SELinux is known for its complexity. Edits to SELinux policies require expert knowledge of the system being hardened, proper syntax, and profile management.
SELinux is not pre-loaded on many distributions of Linux. Debian distributions use AppArmor. This decision was made because although AppArmor is less powerful than SELinux, the policy files are easier to understand. This requires organizations with a diverse Linux environment to understand and manage two unique MAC security solutions.
SELinux provides no central log viewing capability. SELinux events are logged on the protected system to the audit log or AVC log if the audit daemon is not installed. A SIEM or other log aggregation tool must be used to obtain centralized, real-time alerting across a fleet of machines.
SELinux profiles are hard to modify without expert knowledge. Because of this challenge, SELinux is routinely disabled because false positives generated by it break applications.
ZeroLock’s Lockdown Rules are easy to understand and create. ZeroLock also provides a set of Lockdown Rules that are continuously updated to handle the latest threats.
ZeroLock provides a single solution that is deployable across all distributions of Linux, meaning you only need to learn and understand one solution to protect diverse Linux fleets.
ZeroLock provides centralized management and logging out of the box. Simple install the server with a single command, then agents with a single command, and you are ready to go.
ZeroLock provides easy-to-use facilities for managing and avoiding false-positives to ensure your workloads run maximally protected with minimal interruption.
Cost
Maintaining timely knowledge about the latest threats, updating systems against these threats, developing centralized management infrastructure, and handling false positives all require massive amounts of background knowledge and time with SELinux.
ZeroLock is ready to go with best practices developed by Linux experts out of the box. We research and keep your systems protected against the latest threats so you don’t have to. ZeroLock can be set up to protect your Linux fleet quickly.
ABOUT VALI CYBER
Vali Cyber, Inc. was founded in 2020 with the mission of addressing the specific security needs of Linux. Based on DARPA-funded research from MIT and CMU, we created ZeroLockTM, a security product that provides comprehensive lockdown capability and unparalleled threat detection efficacy while consuming a mere fraction of the resources required by current Linux security offerings. Our approach is built to put our clients in control—by automating the time-consuming (and error prone) tasks of securing systems against attack, using state-of-the-art behavioral and AI/ML techniques to detect and stop threats, and automating recovery from attacks. Imagine detecting and fully remediating a ransomware attack in milliseconds… that dream has become reality.
See ZeroLock in action. Schedule a demo at [email protected].