LCon
Cadet

Implementing Zero Trust in Linux

As the evolution and implementation of the Zero Trust Framework continues to push the DoD and many other large companies and firms, I have a few questions and would love to see how the community at large views this.

First, how can Linux-based client-side DNS configurations help to prevent unauthorized access and DNS spoofing under the Zero Trust Framework?

Second, while looking at the DoD and its Windows-heavy usage, what advantages does Linux provide to the ZT goals in regard to access control?

Last, looking at Attribute-Based Access Control (ABAC): Windows requires tools to implement ABAC and many of these are very costly. Is there an ABAC solution native to Linux that can be used for data and user attributes for access on a network?

6 Replies
Trevor
Commander

Thanks for this query!  

I lean so heavily on SELinux, I never gave any thought that something would come along that would offer an alternative to the security that it provides. And so, the learning journey about ABAC begins!!!

Hadn't heard even a whisper about this before your query, so thanks for bringing this to the community!!!

Trevor "Red Hat Evangelist" Chandler
LCon
Cadet

I currently am working on a ZT project; granted, we are 97% Windows based, but one of the largest hangups we have is ABAC. We are never going to transition to Linux; too many people would freeze up. This got me thinking as to how Linux solves the ABAC issues. I have seen where, in theory, SELinux with AppArmor can be adapted for these uses; it traditionally supports Mandatory Access Control (MAC) on Linux. I am newer to the Linux world and these questions perplexed me. I spoke with some of the guys at work, more Linux-based users, and they could not give a straightforward answer. Figured the best place to gather information on this would be in the Red Hat Community.

Trevor
Commander

Stay tuned LCon, the cavalry is on the way!!!!

Trevor "Red Hat Evangelist" Chandler
Chetan_Tiwary_
Community Manager

@LCon Regarding DNS spoofing (and DNS cache poisoning, man-in-the-middle attacks, and other unauthorized modifications to DNS data), DNSSEC is used. It is a DNS extension protocol used for securing DNS records by employing digital signatures and cryptographic keys (public and private) for encryption and decryption.

DNSSEC has been designed in such a way that it will be completely invisible to applications not supporting DNSSEC.

Both bind and unbound enable DNSSEC by default and are configured with the DNSSEC root key.

Example:

1. ~]# dig +dnssec whitehouse.gov    (dig is a DNS query tool)

; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-4.P2.el7 <<>> +dnssec whitehouse.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21388
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;whitehouse.gov.			IN	A

;; ANSWER SECTION:
whitehouse.gov.		20	IN	A	72.246.36.110
whitehouse.gov.		20	IN	RRSIG	A 7 2 20 20130825124016 20130822114016 8399 whitehouse.gov. BB8VHWEkIaKpaLprt3hq1GkjDROvkmjYTBxiGhuki/BJn3PoIGyrftxR HH0377I0Lsybj/uZv5hL4UwWd/lw6Gn8GPikqhztAkgMxddMQ2IARP6p wbMOKbSUuV6NGUT1WWwpbi+LelFMqQcAq3Se66iyH0Jem7HtgPEUE1Zc 3oI=

;; Query time: 227 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 22 22:01:52 EDT 2013
;; MSG SIZE  rcvd: 233

In the ANSWER section, notice the RRSIG, which contains the DNSSEC signature.

2. If the DNSSEC validation fails, you will get something like this:

~]$ dig badsite.dnssec-tools.org
; <<>> DiG 9.9.3-rl.156.01-P1-RedHat-9.9.3-3.P1.el7 <<>> badsite.dnssec-tools.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1010
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;badsite.dnssec-tools.org. IN	A

;; Query time: 1284 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 22 22:04:52 EDT 2013
;; MSG SIZE  rcvd: 60

Check the SERVFAIL entry.

Apart from this, in Linux you can have DNS filtering (firewall), auditing, logging and monitoring to have a robust DNS framework.

Refer: https://www.ibm.com/think/topics/dnssec

*************************************************************

Regarding your 2nd question: Zero Trust works by continuously verifying every request, granting only the bare minimum privileges, segmenting resources, and assuming breaches can occur at any time. For Linux environments, where servers, containers, and hybrid-cloud workloads dominate, Zero Trust is essential to protect against modern threats. Implementing it involves strong identity verification (IAM), endpoint security, micro-segmentation with firewall and service-mesh tools, least-privilege enforcement via SELinux/AppArmor, comprehensive monitoring, and use of encrypted DNS.

Linux's access control extends well beyond just Discretionary Access Control (DAC) and Mandatory Access Control (MAC). In addition to those two core models, Linux supports POSIX capabilities, Role-Based Access Control (RBAC) within MAC frameworks, and emerging Attribute-Based Access Control (ABAC) and capability-list methods.

In summary:

DAC (traditional UNIX bits & POSIX ACLs)
MAC via LSMs (SELinux, AppArmor, SMACK, ...)
POSIX capabilities (granular privilege units)
RBAC overlays within SELinux
ABAC and capability-list frameworks for dynamic policy

**********************************************************

ABAC in Linux: OPA and AuthZForce (an open source Java implementation of XACML) are popular ABAC implementations.

OPA: https://www.cncf.io/blog/2025/03/18/open-policy-agent-best-practices-for-a-secure-deployment/

Refer to this video on how Netflix is implementing OPA in their architecture to solve access / authorization issues: https://www.youtube.com/watch?v=R6tUNpRpdnY

ABAC implementation in K8s: https://kubernetes.io/docs/reference/access-authn-authz/abac/

Ongoing research to implement ABAC in the Linux kernel:

[Image attachment: Chetan_Tiwary__0-1747340928649.png]

Citation: Enabling Attribute-Based Access Control in Linux Kernel
HO Sai Varshith, Jaideep Vaidya, Shamik Sural, Vijayalakshmi Atluri
PMCID: PMC9825047 NIHMSID: NIHMS1854493 PMID: 36625496

(No copyright infringement intended: citation is strictly for nonprofit educational purposes)
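A client-side check for the two dig captures in the reply above, written as an added example (this is not code from the thread, from Red Hat, or from bind/unbound): it parses dig's text output, reads the header status and the `ad` (authenticated data) flag, looks for RRSIG records in the answer section, and treats `ad` as meaningful only when the answer came from a resolver the client trusts. That last rule is the practical caveat: the flag is set by the validating resolver and travels unprotected between resolver and stub, so it proves nothing if the resolver or the path to it is untrusted. The sample inputs are the two captures from the reply; the trusted-resolver set (a local validator on loopback) is an assumption for the example.

```python
import re

# Assumption for this example: the only resolvers whose AD bit we believe are
# validating resolvers reachable over loopback (e.g. a local unbound or bind).
TRUSTED_RESOLVERS = {"127.0.0.1", "::1"}

# Captured dig output from the reply above: a successfully validated answer.
VALIDATED = """\
; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-4.P2.el7 <<>> +dnssec whitehouse.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21388
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;whitehouse.gov.    IN  A

;; ANSWER SECTION:
whitehouse.gov.   20  IN  A     72.246.36.110
whitehouse.gov.   20  IN  RRSIG A 7 2 20 20130825124016 20130822114016 8399 whitehouse.gov. BB8VHWEkIaKpaLprt3hq1GkjDROvkmjYTBxiGhuki/BJn3PoIGyrftxR HH0377I0Lsybj/uZv5hL4UwWd/lw6Gn8GPikqhztAkgMxddMQ2IARP6p wbMOKbSUuV6NGUT1WWwpbi+LelFMqQcAq3Se66iyH0Jem7HtgPEUE1Zc 3oI=

;; Query time: 227 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 22 22:01:52 EDT 2013
;; MSG SIZE  rcvd: 233
"""

# Captured dig output from the reply above: validation failed, resolver answers SERVFAIL.
SERVFAIL = """\
; <<>> DiG 9.9.3-rl.156.01-P1-RedHat-9.9.3-3.P1.el7 <<>> badsite.dnssec-tools.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1010
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;badsite.dnssec-tools.org. IN  A

;; Query time: 1284 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 22 22:04:52 EDT 2013
;; MSG SIZE  rcvd: 60
"""


def parse_dig(output: str) -> dict:
    """Extract the DNSSEC-relevant fields from dig's human-readable output."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([^;]*);", output)
    server = re.search(r";; SERVER: ([^#\s]+)", output)
    answer = ""
    if ";; ANSWER SECTION:" in output:
        # The answer section runs until the next blank line.
        answer = output.split(";; ANSWER SECTION:", 1)[1].split("\n\n", 1)[0]
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "server": server.group(1) if server else None,
        "rrsig": re.search(r"\sIN\s+RRSIG\s", answer) is not None,
    }


def classify(output: str) -> str:
    """Classify a dig response from the stub client's point of view."""
    r = parse_dig(output)
    if r["status"] == "SERVFAIL":
        # A validating resolver withholds data that fails signature checks;
        # SERVFAIL is what the client sees (it may also be an upstream outage).
        return "servfail"
    if r["status"] != "NOERROR":
        return "error"
    if "ad" not in r["flags"]:
        # Unsigned zone, or a resolver that does not validate at all.
        return "unvalidated"
    if r["server"] not in TRUSTED_RESOLVERS:
        # AD is asserted by the resolver; over an untrusted path it proves nothing.
        return "ad_untrusted_path"
    return "validated"


if __name__ == "__main__":
    for name, sample in (("whitehouse.gov", VALIDATED), ("badsite.dnssec-tools.org", SERVFAIL)):
        print(f"{name}: {classify(sample)} (RRSIG in answer: {parse_dig(sample)['rrsig']})")
```

Run against the two captures the classifier returns `validated` and `servfail`; rewriting the SERVER line of the first capture to a non-loopback address flips it to `ad_untrusted_path`, which is the case a client-side Zero Trust DNS configuration has to close by validating locally or by using the encrypted DNS transport the reply mentions.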
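The ABAC part of this reply (subject, resource and environment attributes combined by a policy, the job OPA or an XACML engine such as AuthZForce performs) can be made concrete with a small policy decision point. This is an added, self-contained example, not OPA, AuthZForce or kernel code, and every attribute name, clearance level and rule in it is invented for illustration. It follows XACML's deny-overrides idea: any matching deny wins, otherwise a matching permit is required, and anything unmatched or un-evaluable (a missing attribute) is denied, which is the fail-closed behaviour a Zero Trust policy needs.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]
Condition = Callable[[Attrs, Attrs, Attrs, str], bool]

# Classification ordering (constructed for this example).
LEVEL = {"unclassified": 0, "confidential": 1, "secret": 2}


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str           # "permit" or "deny"
    condition: Condition  # (subject, resource, environment, action) -> bool


def evaluate(rules: List[Rule], subject: Attrs, resource: Attrs,
             env: Attrs, action: str) -> Tuple[str, List[str]]:
    """Deny-overrides policy decision point.

    Returns (decision, reasons). A rule whose condition needs an attribute
    the PDP cannot see is recorded as indeterminate and treated as a deny:
    an unknown attribute must never widen access.
    """
    permits, denies, indeterminate = [], [], []
    for rule in rules:
        try:
            matched = rule.condition(subject, resource, env, action)
        except KeyError as missing:
            indeterminate.append(f"indeterminate:{rule.name}:missing {missing}")
            continue
        if matched:
            (denies if rule.effect == "deny" else permits).append(rule.name)
    if denies or indeterminate:
        return "deny", denies + indeterminate
    if permits:
        return "permit", permits
    return "deny", ["no-applicable-rule"]


# Hypothetical policy: who may read or write a document, and under which
# device and network conditions.
POLICY = [
    Rule("read-if-cleared-and-in-owning-dept", "permit",
         lambda s, r, e, a: a == "read"
         and LEVEL[s["clearance"]] >= LEVEL[r["classification"]]
         and r["owner_dept"] in s["departments"]),
    Rule("write-only-by-owning-dept", "permit",
         lambda s, r, e, a: a == "write"
         and r["owner_dept"] in s["departments"]
         and LEVEL[s["clearance"]] >= LEVEL[r["classification"]]),
    Rule("block-noncompliant-device", "deny",
         lambda s, r, e, a: not e["device_compliant"]),
    Rule("secret-only-from-corp-network", "deny",
         lambda s, r, e, a: r["classification"] == "secret"
         and e["network"] != "corp"),
]

# Constructed attribute sets for subjects, one resource, and environments.
ANALYST = {"uid": "alice", "clearance": "secret", "departments": ["intel"]}
CLERK = {"uid": "bob", "clearance": "confidential", "departments": ["intel"]}
DOC = {"path": "/srv/docs/plan.txt", "classification": "secret", "owner_dept": "intel"}
CORP_LAPTOP = {"device_compliant": True, "network": "corp"}
HOME_LAPTOP = {"device_compliant": True, "network": "home"}
ROOTED_PHONE = {"device_compliant": False, "network": "corp"}


def decide(subject: Attrs, resource: Attrs, env: Attrs, action: str) -> str:
    """Convenience wrapper returning only the decision string."""
    return evaluate(POLICY, subject, resource, env, action)[0]


if __name__ == "__main__":
    for who, where in ((ANALYST, CORP_LAPTOP), (ANALYST, HOME_LAPTOP),
                       (ANALYST, ROOTED_PHONE), (CLERK, CORP_LAPTOP)):
        print(who["uid"], where["network"], evaluate(POLICY, who, DOC, where, "read"))
```

The reasons list is what an auditor wants logged next to each decision: it names the rule that granted or blocked access, and an `indeterminate:` entry flags a request that arrived without an attribute the policy depends on, which in practice usually means a broken attribute source rather than a legitimate request.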

TudorRaduta
Community Manager

@Chetan_Tiwary_  wow, that was an absolutely amazing answer! Thank you for sharing your expertise!

Trevor
Commander

And the cavalry (aka Chetan) has arrived!!!!

Trevor "Red Hat Evangelist" Chandler