Preventing Command Bypass at the Source with Process-Tracking Methods

logan

November 22, 2024

Linux Process Execution Control and Security Enhancement Solution

In Linux systems, users with execution privileges can freely run programs within an SSH session.
However, for the sake of system security and stability, there are situations where the execution of specific programs must be restricted.
While the system inherently distinguishes between root and regular users and controls execution privileges, this level of control may not be sufficient in certain scenarios.
To address this, there is a need for a technological foundation that allows real-time monitoring and blocking of process creation and execution.

This whitepaper introduces a solution that monitors and controls processes at the Linux kernel level.
Our solution implements the following key features:

  • Real-time child process monitoring

  • Detection of unauthorized programs

  • Immediate blocking of attempts to execute restricted programs

These features serve as the technical foundation for implementing advanced security solutions in the future, including user-specific permission control, detailed audit logging, and policy management.

Issues to Solve

Many organizations, particularly in sectors such as finance, healthcare, and government, are subject to regulatory requirements that mandate the recording of all system access and activities. Security certifications like ISMS-P, ISO/IEC 27001, PCI DSS, and SOC require the ability to track who performed which action, when, and on what system.

These activity logs play a crucial role in both preventing and investigating incidents.
They help prevent system failures caused by administrative errors, as well as data breach attempts by malicious insiders, by blocking such actions before they take effect.
In case of an issue, the work history can help quickly identify the root cause and, if necessary, restore the system to its previous state.

By recording and controlling system administrators' activities, accountability can be strengthened. Unauthorized actions or access to sensitive information can be effectively controlled, leading to improved system stability and efficiency.

However, these requirements cannot be fully met with just the basic user privilege system or system logs in Linux. Therefore, an additional security framework that can monitor and control user activities is necessary.

Idea

In our SAC solution, we provide auditing and control functionalities for commands executed by system users. The command control feature, in particular, uses a low-level system approach to verify commands based on predefined security policies before the executable file is loaded. This method is simple yet effective, as it eliminates the need to consider various cases such as hiding commands within shell scripts or using aliases.

The advantages of this structure are as follows:

  • By utilizing system call hooking techniques, we intervene at the point of command execution, effectively blocking bypass attempts at their source. No matter how the user tries to execute a command, they cannot avoid the validation of our solution.

  • Since it operates at the system level rather than the application level, it is not dependent on specific environments or shells.

  • Because there is no need to consider various cases, the code remains simple and stable.
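As an added illustration of the approach described above (this is example code, not the SAC product's own implementation), the following user-space C model shows the policy check an exec-time kernel hook would apply once the kernel has resolved the executable's path and before the binary is loaded; in a real module that point would be, for instance, an LSM `bprm_check_security` callback. The rule table, the per-uid field, and the helper names are assumptions constructed for this example. Because the check keys on the resolved file rather than on the typed command, the alias, shell-script and `sh -c` cases mentioned in the text all arrive at the same `execve()` of the same file and receive the same verdict, which is why those bypass cases need no special handling.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not the SAC product's code: a user-space model of the policy
 * check an exec-time kernel hook would run on the resolved executable path.
 * The rule table, the per-uid field and all names here are constructed. */

enum verdict { ALLOW = 0, DENY = 1 };

#define UID_ANY ((uid_t)-1)   /* rule applies to every user */

struct rule {
    const char  *path;     /* absolute path, or directory prefix if prefix != 0 */
    int          prefix;
    uid_t        uid;      /* UID_ANY or one specific uid (assumed extension) */
    enum verdict verdict;
};

/* Constructed sample policy: first matching rule wins, default is ALLOW. */
static const struct rule policy[] = {
    { "/usr/bin/nc",   0, UID_ANY, DENY  },
    { "/usr/bin/ncat", 0, UID_ANY, DENY  },
    { "/usr/sbin/",    1, 1000,    DENY  },   /* uid 1000: nothing under /usr/sbin */
    { "/usr/sbin/",    1, 0,       ALLOW },
};

/* Canonicalise an absolute path as a pure string operation: squeeze repeated
 * '/', drop "." segments, resolve ".." against components already kept.
 * No filesystem access (the kernel hook already sees the resolved file).
 * Returns 0 on success, -1 on bad input or overflow. */
int normalize_path(const char *in, char *out, size_t outsz)
{
    size_t olen = 0;
    const char *p = in;

    if (in == NULL || in[0] != '/' || outsz < 2)
        return -1;
    out[olen++] = '/';
    while (*p) {
        while (*p == '/')                 /* skip one or more separators */
            p++;
        if (*p == '\0')
            break;
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.')
            continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            while (olen > 1 && out[olen - 1] != '/')   /* pop last component */
                olen--;
            if (olen > 1)
                olen--;                                /* and its separator */
            continue;
        }
        if (olen > 1) {
            if (olen + 1 >= outsz)
                return -1;
            out[olen++] = '/';
        }
        if (olen + seglen >= outsz)
            return -1;
        memcpy(out + olen, seg, seglen);
        olen += seglen;
    }
    out[olen] = '\0';
    return 0;
}

/* The decision for one execve: 'path' is the file about to be loaded,
 * not argv[0] and not the alias or script the user typed. */
enum verdict check_exec_policy(const char *path, uid_t uid)
{
    char canon[4096];
    size_t i;

    /* A non-absolute path means the file was not resolved: fail closed. */
    if (normalize_path(path, canon, sizeof canon) != 0)
        return DENY;
    for (i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct rule *r = &policy[i];
        if (r->uid != UID_ANY && r->uid != uid)
            continue;
        int hit = r->prefix ? strncmp(canon, r->path, strlen(r->path)) == 0
                            : strcmp(canon, r->path) == 0;
        if (hit)
            return r->verdict;
    }
    return ALLOW;
}

int main(void)
{
    /* Constructed scenarios: however the command was typed, the kernel ends
     * up in execve() of the same file, and that is all the policy looks at. */
    struct { const char *how; const char *exec_path; uid_t uid; } cases[] = {
        { "typed 'nc' directly",        "/usr/bin/nc",        1000 },
        { "alias n='nc'",               "/usr/bin/nc",        1000 },
        { "script runs ../bin/nc",      "/usr/bin/../bin/nc", 1000 },
        { "sh -c 'ls'",                 "/usr/bin/ls",        1000 },
        { "tcpdump as uid 1000",        "/usr/sbin/tcpdump",  1000 },
        { "tcpdump as root",            "/usr/sbin/tcpdump",  0    },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum verdict v = check_exec_policy(cases[i].exec_path, cases[i].uid);
        printf("%-26s uid=%-5u %-20s -> %s\n", cases[i].how,
               (unsigned)cases[i].uid, cases[i].exec_path,
               v == ALLOW ? "ALLOW" : "DENY");
    }
    return 0;
}
```

Two design points carry over to a real hook: the decision is made on the canonical path of the file the kernel is about to load, so the string the user typed never enters the policy, and anything that is not an absolute resolved path is denied rather than guessed at.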

With this approach, we were able to implement a blocking solution that is much more robust and effective compared to our competitors. In the next section, we will demonstrate how the blocking program works.