...e SELinux fosse più sicuro?...and if Linux was more secure? (Play on words with the Italian language)
1 ...e SELinux fosse più sicuro? ...and if Linux was more secure? (Play on words with the Italian language)
Marco Pizzoli
IMOLUG: Imola e Faenza Linux Users Group

2 About the speaker...
- System and network administrator
- IT Security enthusiast
- Computer Science degree
  - Thesis: Digital Identities and PKI
- Computer Networks and Systems Security degree
  - Thesis: Centralization of information with LDAP
- Computer Networks and Systems Security degree (II level)
  - (Future) Thesis: Identity, Policy and Auditing...

3 New terms

4 What's the need for a security framework inside the kernel?
- To enforce Mandatory Access Control (MAC)
- To better protect against malicious software
- To limit the vulnerability surface exposed by buggy / not-so-secure software:
  - Buffer overflow
  - Heap overflow
  - The next thing...
- To better maintain a complex system, by delegating all security decisions to a single component

5 What could be an example of malicious software running on my machine?
Buggy software could be exploited to do something unwanted. E.g. a webserver:
- could open a connection to another host inside the same network
- could read every file on the file system on which it has read permission
- could truncate its access logs

6 What could be an example of malicious software running on my machine?
Buggy software could be exploited to do something unwanted. E.g. a webserver:
- could open a connection to another host inside the same network
  - Possible solution: webserver running as a dedicated user, with that user prohibited from opening network connections via iptables
- could read every file on the file system on which it has read permission
  - Possible solution: webserver running chroot-ed
- could truncate its access logs
  - Possible solution: ?????

7 The need for fine-grained control
Let's have a look at our open()-syscall flags:
O_APPEND, O_ASYNC, O_CREAT, O_DIRECT, O_EXCL, O_LARGEFILE, O_NOATIME, O_NOCTTY, O_NOFOLLOW, O_NONBLOCK or O_NDELAY, O_SYNC, O_TRUNC
And now, let's have a look at our httpd_access.log file permissions:
-rw-r--r-- 1 root root 0 Oct 1 23:59 httpd_access.log
Uh? It seems that, given w permission to the log file, we are not able to limit what can be done on it... and that is actually the case!!! This is where Mandatory Access Control (MAC) comes to help.
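The point of slide 7, as an added example that is not part of the original slides: the same DAC `w` bit on a mode-0644 log file authorises appending, overwriting in place and truncating alike. The log content is constructed, and `selinux_file_perm` is a simplified model (an assumption of this example) of the separate `append` and `write` permissions that SELinux defines for the `file` class.

```python
import os
import tempfile

# Constructed sample content standing in for httpd_access.log.
SAMPLE_LOG = (
    b'10.0.0.5 - - "GET / HTTP/1.1" 200\n'
    b'10.0.0.9 - - "GET /admin HTTP/1.1" 403\n'
)

# The three ways of opening the log for writing that the slide is worried about.
CASES = {
    "append": os.O_WRONLY | os.O_APPEND,
    "overwrite": os.O_WRONLY,
    "truncate": os.O_WRONLY | os.O_TRUNC,
}


def selinux_file_perm(flags: int) -> str:
    """Simplified model (assumption): which SELinux `file` permission is exercised.

    A pure O_APPEND open only needs `append`; anything that can modify or
    discard existing bytes needs `write`.
    """
    if flags & os.O_APPEND and not flags & os.O_TRUNC:
        return "append"
    return "write"


def try_write_modes(directory: str) -> dict:
    """Run each open() variant against a fresh 0644 log and record the effect."""
    path = os.path.join(directory, "httpd_access.log")
    results = {}
    for name, flags in CASES.items():
        # Recreate the log so every case starts from the same history.
        with open(path, "wb") as fh:
            fh.write(SAMPLE_LOG)
        os.chmod(path, 0o644)

        fd = os.open(path, flags)  # DAC only checks the owner's 'w' bit here
        try:
            if name != "truncate":
                os.write(fd, b"X" * 10)
        finally:
            os.close(fd)

        with open(path, "rb") as fh:
            after = fh.read()
        results[name] = {
            "dac_mode": oct(os.stat(path).st_mode & 0o777),
            "history_intact": after.startswith(SAMPLE_LOG),
            "size_after": len(after),
            "selinux_perm": selinux_file_perm(flags),
        }
    return results


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return try_write_modes(tmp)


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:9s} {outcome}")
```

Only the append case leaves the existing log lines intact, yet DAC cannot tell the three apart; a MAC policy that grants a domain `append` but not `write` on the log file's type can.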
8 DAC versus MAC - DAC
Discretionary Access Control is the model most familiar to most people:
- Access to resources is based on the user's identity
- A user is granted permissions to a resource by being placed on an access control list (ACL) associated with the resource
- The DAC model is based on resource ownership
- It's discretionary in the sense that when a user (or group) is the owner of an object in the DAC model, the user can grant permission to other users and groups.
- Example: Unix user-group-other (ugo) permission bits

9 DAC versus MAC - MAC
Mandatory Access Control is not so common in everyday computers:
- Users are given permissions to resources by an administrator
- Only an administrator can grant permissions or rights to objects and resources
- Access to resources is based on an object's security level, while users are granted security clearance.
- Only administrators can modify an object's security label or a user's security clearance.
To make the concepts easier, I like to think of it as similar to a network firewall, e.g.:
- SystemA is entitled to connect to SystemB, on TCP port x
- On my FW, I will add a permit rule to let it do so... and a deny rule for all other traffic with source SystemA
- All of this applied to the whole system (over-simplification)

10 DAC coupled to MAC
- It works! :-)
- Access is granted as long as both models agree
- MAC will always have the last word
- This is the default in SELinux

11 What's the origin of SELinux?
- Flux Advanced Security Kernel (FLASK)

12 What's the story of NSA and Linux?
- NSA developed SELinux as patches to Linux Kernel 2.4.x
- 2001: NSA proposal to integrate SELinux into the official kernel
- Linus Torvalds refuses:
  - Other security frameworks under active development inside the community
  - Each security framework model was different from the others
  - No formal consensus on the right one to be adopted
- Need for the development of Linux Security Modules (LSM):
  - Creation of a large number of hooks throughout the kernel
  - Re-development of SELinux and all other possible security frameworks as modules

13 Linux Security Modules

14 What's the story of LSM?
- In the official 2.6 kernel since December 2003
- For a long time there has been only one implementation: SELinux
- It has been subject to several criticisms:
  - It imposes a small computational cost (overhead), even if no modules are actually loaded
  - It has been developed to provide access control, but nothing actually prevents it from being (ab)used for other purposes
  - The LSM API is a moving target, so it is difficult to keep in sync

15 What about other security models?
- AppArmor:
  - Same purpose, different approach (path-based)
  - PRO: simpler configuration
  - CONS: not as secure as SELinux
  - Initially created by Immunix, Inc.
  - Novell acquired Immunix (2005) and continued to develop and sponsor the project until September 2007: they laid off all the AppArmor team
  - Since 2009 active development from Canonical
  - In the official kernel only since release (October 2010)
- GRSecurity:
  - Set of security patches for the Linux kernel
  - Path-based security model (same as AppArmor)
  - Not an LSM, not in the official kernel
  - Some components could be used on a SELinux system
  - Poor documentation
- RSBAC:
  - Dedicated hooking mechanism: not an LSM, not in the official kernel
  - Similar design to SELinux
  - More functionality than SELinux

16 SELinux: how does it work?
- Based on the concept of security context
- First distinction:
  - Objects: files, IPC channels, sockets, network hosts, etc...
  - Subjects: processes
- All objects and subjects have a single security context associated
- A security context consists of 3 elements: user:role:type
- We will say that each file has a type and each process has a domain

17 Everything has a security context
- Files and directories:
  - Saved as extended attributes
  - As a consequence of a mount option: mount -t iso9660 -o context=%s
  - As a consequence of a mount option (network fs): mount -t [nfs cifs] -o context=%s
- Network packets:

18 Everything has a security context - continued
- Processes:

19 Caveats
Working with SELinux requires paying particular attention to each activity. E.g.

20 A practical example: password change
- Remember that SELinux adds type enforcement to standard Linux:
  - Both have to be granted, to access the resource
- Let's look at the standard Linux behaviour:
  - User joe invokes /usr/bin/passwd, which is SUID
  - Types the new password
  - /usr/bin/passwd, acting with root EUID, changes joe's password in /etc/shadow

21 A practical example: password change
A graph could be of help:

22 Privileges the old way vs. the new
- We were used to thinking about user privileges
- But now we have to think about Type Enforcement

23 A practical example: password change
- We have seen how the passwd_t type can change the password of a user
- We have not yet seen how a user can acquire the passwd_t type!!

24 A practical example: password change
We have to make some other rules explicit...
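The password-change walk-through of slides 20 to 24, together with the "both models must agree" rule of slide 10, as an added example that is not part of the original slides (whose rule listings were figures and are not reproduced here). The policy below is constructed for illustration: only passwd_t appears in the slides, while user_t, passwd_exec_t, shadow_t, bin_t and httpd_t are assumed type names, and the DAC check is reduced to "only EUID 0 may write /etc/shadow".

```python
from typing import Optional

# Constructed type-enforcement rules: (source domain, target type, class, permission).
ALLOW = {
    # What passwd_t may do to the shadow file.
    ("passwd_t", "shadow_t", "file", "read"),
    ("passwd_t", "shadow_t", "file", "write"),
    # The "other rules" needed for a user to end up in passwd_t:
    ("user_t", "passwd_exec_t", "file", "execute"),      # user may run the binary
    ("passwd_t", "passwd_exec_t", "file", "entrypoint"),  # binary may enter passwd_t
    ("user_t", "passwd_t", "process", "transition"),      # user_t may become passwd_t
    # Ordinary programs run without changing domain.
    ("user_t", "bin_t", "file", "execute"),
    ("user_t", "bin_t", "file", "execute_no_trans"),
}

# Default domain transitions: (current domain, executable type) -> new domain.
TYPE_TRANSITION = {("user_t", "passwd_exec_t"): "passwd_t"}


def te_allowed(source: str, target: str, tclass: str, perm: str) -> bool:
    """Type enforcement is default-deny: only listed allow rules grant access."""
    return (source, target, tclass, perm) in ALLOW


def dac_can_write_shadow(euid: int) -> bool:
    """Simplified DAC check (assumption): /etc/shadow is writable by root only."""
    return euid == 0


def access_allowed(dac_ok: bool, source: str, target: str,
                   tclass: str, perm: str) -> bool:
    """Access is granted only when DAC and MAC both agree."""
    return dac_ok and te_allowed(source, target, tclass, perm)


def domain_after_exec(domain: str, exec_type: str) -> Optional[str]:
    """Domain a process ends up in after execve(); None if the exec is denied."""
    if not te_allowed(domain, exec_type, "file", "execute"):
        return None
    new_domain = TYPE_TRANSITION.get((domain, exec_type))
    if new_domain is None:
        # No transition requested: stay in the same domain if the policy allows it.
        ok = te_allowed(domain, exec_type, "file", "execute_no_trans")
        return domain if ok else None
    if (te_allowed(new_domain, exec_type, "file", "entrypoint")
            and te_allowed(domain, new_domain, "process", "transition")):
        return new_domain
    return None


def password_change_scenarios() -> dict:
    passwd_domain = domain_after_exec("user_t", "passwd_exec_t")
    return {
        # joe edits /etc/shadow directly: DAC and TE both refuse.
        "joe_direct": access_allowed(
            dac_can_write_shadow(1000), "user_t", "shadow_t", "file", "write"),
        # A root-EUID process still in user_t: DAC agrees, TE has the last word.
        "root_in_user_t": access_allowed(
            dac_can_write_shadow(0), "user_t", "shadow_t", "file", "write"),
        # SUID passwd: EUID 0 and a legitimate transition into passwd_t.
        "via_passwd": passwd_domain is not None and access_allowed(
            dac_can_write_shadow(0), passwd_domain, "shadow_t", "file", "write"),
    }


if __name__ == "__main__":
    print(domain_after_exec("user_t", "passwd_exec_t"))
    print(password_change_scenarios())
```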
25 And finally, if something not allowed happens...

26 SELinux operating modes
- We have the flexibility to enable/test/disable SELinux enforcing
- Let's see our current mode:

27 Obtaining initial context: pam_selinux.so

28 A question of policy
- The policy is responsible for the majority of what is allowed and what is not
- It comprises a set of rules to be checked against
- It drives all access control decisions
- It could implement any kind of MAC
- Each time you encounter an access denial... it's due to the policy!* :-)
- Each system could load a completely different policy: keep it in mind!
* over-simplification

29 The Strict Policy
- Definition:
  - A system where everything is denied by default
  - You must specify allow rules to grant privileges
- SELinux designed to be a strict policy:
  - The policy rules have only allows, no denies
  - Minimal privileges for every daemon
  - Separate user domains for programs like GPG, X, ssh, etc...
- Default policy provided by NSA
- Difficult to enforce in general purpose operating systems
- Fedora Core 2 Experience:
  - Bogged down handling incredible permutations of Linux
  - Analysis of Strict policy becoming impossible
  - Strict Policy becoming less strict
  - Fixing userspace problems while ignoring server space
  - Caused hundreds of bugs to be reported
  - #1 Question: How do I turn off SELinux?
  - Don't want to become Trusted Solaris

30 The Targeted Policy

31 The MLS Policy

32 The Reference Policy

33 The Minimum Policy

34 Extending the target: virtualization
- svirt:

35 Let's write a policy!
- It might not be so simple... let's call for help! :-)

36 Let's write a policy! - continued

37 SELinux: How much does it cost?
- Those guys at Phoronix asked themselves:
  - They actually tested 2 different distributions
  - They compared the performance in different use cases
  - To get measurable differences, they deliberately chose a low-profile platform

38 How much does it cost? - Hardware platform
[...] To look for the greatest impact, a low-power netbook was used for testing. This netbook was the Samsung NC10 with an Intel Atom N270 CPU, i945 graphics, 2GB of system memory, and a 32GB OCZ Core Series SSD. A clean install of Fedora 15 (i686) with the Linux kernel, GNOME Shell 3.0.1, X Server , xf86-video-intel , Mesa 7.11-devel, GCC 4.6.0, and an EXT4 file-system were used. [...]

39 How much does it cost? - Apache test

40 How much does it cost? - 7-zip test

41 How much does it cost? - RHEL 5 (2007 version)

42 SELinux and PostgreSQL
- Attempt to make PostgreSQL SELinux-aware
- Efficient way to centralize security decisions and to take them out of the DBMS engine.
- Part of a more challenging target (see later)
- I want to publicly thank Kohei NEC for permitting me to leverage his images and slides

43 SELinux and PostgreSQL - Concepts 1/2

44 SELinux and PostgreSQL - Concepts 2/2

45 SE-PostgreSQL - How does it work?

46 SE-PostgreSQL What could we expect in the future?

47 A more challenging target: A SELinux-aware LAPP stack

48 Apache/SELinux Plus

49 mod_selinux.conf

50 Future developments: SELinux and Android

51 To learn SELinux, how can I start?
- Buy a good book on the topic:
  - Currently there's only one that I'm aware of:
  - Many pictures in these slides have been taken from this book
- Subscribe to Fedora/SELinux and ReferencePolicy mailing lists:
- Read each article you find on the web by Dan RedHat:

52 Questions?

53 Thank you for your attention
More informationCloud Security with Stackato
Cloud Security with Stackato 1 Survey after survey identifies security as the primary concern potential users have with respect to cloud computing. Use of an external computing environment raises issues
More informationCyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014
Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014 Introduction: Cyber attack is an unauthorized access to a computer
More informationUnit 10 : An Introduction to Linux OS
Unit 10 : An Introduction to Linux OS Linux is a true 32/64-bit operating system that run on different platforms. It is a multi-user, multi-tasking and time sharing operating system. Linux is a very stable
More informationThanks for choosing sentora-paranoid for your sentora hosting environment security solution
Sentora-paranoid version 1.0.1 by: Mario Rodríguez Somohano sentora-paranoid@open-source.tk Official web site: http://sentora-paranoid.open-source.tk Forum: http://forum.sentora-paranoid.open-source.tk
More informationSamba in the Enterprise : Samba 3.0 and beyond
Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison jra@samba.org jeremy.allison@hp.com Where we are now : Samba 2.2 The current Samba is a credible replacement for a Windows server providing
More informationNetwork Security and Firewall 1
Department/program: Networking Course Code: CPT 224 Contact Hours: 96 Subject/Course WEB Access & Network Security: Theoretical: 2 Hours/week Year Two Semester: Two Prerequisite: NET304 Practical: 4 Hours/week
More informationIntroduction to Android 5 Security
Introduction to Android 5 Security Lukáš Aron and Petr Hanáček Faculty of Information Technology, Department of Intelligent Systems, Brno University of Technology lukas.aron@gmail.com Abstract. This paper
More informationACL Compliance Director FAQ
Abstract Cyber Operations, Inc., Cyber Operations, Inc. Copyright 2008 Cyber Operations, Inc. This document contains frequently asked questions about ACL Compliance Director with answers. Table of Contents...
More informationHP Education Services
HP Education Services HP-UX Security (H3541S) Concerned about system security? HP s updated and enhanced HP-UX Security course can help you secure your systems and mitigate risks. Designed for experienced
More informationHost Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)
Host Hardening (March 21, 2011) Abdou Illia Spring 2011 CERT Report on systems vulnerabilities Source: CERT Report @ http://www.kb.cert.org/vuls/bymetric 2 OS Vulnerability test Source: http://www.omninerd.com/articles/2006_operating_system_vulnerabilit
More informationObjectives. Windows 7 Security. Desktop OS Market Share. Windows Background. CS140M Fall 2014. Lake
Objectives Windows 7 Security By Al Fall 2014 CS 140M LBCC Background Windows Security Architecture Windows Vulnerabilities Means of Evaluating Metrics System Hardening Windows Defenses OS Security Capabilities
More informationOperating System Security Hardening for SAP HANA
Operating System Security Hardening for SAP HANA Peter Schinagl Technical Architect Global SAP Alliance peters@suse.com Markus Gürtler Architect & Technical Manager SAP Linux Lab mguertler@suse.com Corporate
More informationNext Generation Now: Red Hat Enterprise Linux 6 Virtualization A Unique Cloud Approach. Jeff Ruby Channel Manager jruby@redhat.com
Next Generation Now: Virtualization A Unique Cloud Approach Jeff Ruby Channel Manager jruby@redhat.com Introducing Extensive improvements in every dimension Efficiency, scalability and reliability Unprecedented
More informationRed Hat Enterprise Linux 7 Virtualization Security Guide
Red Hat Enterprise Linux 7 Virtualization Security Guide Securing your virtual environment Scott Radvan Tahlia Richardson Thanks go to the following people for enabling the creation of this guide: Paul
More informationAccess Control Fundamentals
C H A P T E R 2 Access Control Fundamentals An access enforcement mechanism authorizes requests (e.g., system calls) from multiple subjects (e.g., users, processes, etc.) to perform operations (e.g., read,,
More informationAccess Control. 1 Overview of Access Control. Lecture Notes (Syracuse University) Access Control: 1. What is Access Control?
Lecture Notes (Syracuse University) Access Control: 1 Access Control 1 Overview of Access Control What is Access Control? The ability to allow only authorized users, programs or processes system or resource
More information2 Purpose. 3 Hardware enablement 4 System tools 5 General features. www.redhat.com
A Technical Introduction to Red Hat Enterprise Linux 5.4 The Enterprise LINUX Team 2 Purpose 3 Systems Enablement 3 Hardware enablement 4 System tools 5 General features 6 Virtualization 7 Conclusion www.redhat.com
More informationHAProxy. Free, Fast High Availability and Load Balancing. Adam Thornton 10 September 2014
HAProxy Free, Fast High Availability and Load Balancing Adam Thornton 10 September 2014 What? HAProxy is a proxy for Layer 4 (TCP) or Layer 7 (HTTP) traffic GPLv2 http://www.haproxy.org Disclaimer: I don't
More informationWhitepaper. The Top 10 Advantages of 3CX Phone System. Why your next phone system should be software based and by 3CX
Whitepaper The Top 10 Advantages of 3CX Phone System Why your next phone system should be software based and by 3CX This whitepaper outlines the top 10 advantages of choosing 3CX Phone System, a Windows
More informationQuickBooks Enterprise Solutions. Linux Database Server Manager Installation and Configuration Guide
QuickBooks Enterprise Solutions Linux Database Server Manager Installation and Configuration Guide Copyright Copyright 2007 Intuit Inc. All rights reserved. STATEMENTS IN THIS DOCUMENT REGARDING THIRD-PARTY
More informationAdobe Flash Player and Adobe AIR security
Adobe Flash Player and Adobe AIR security Both Adobe Flash Platform runtimes Flash Player and AIR include built-in security and privacy features to provide strong protection for your data and privacy,
More informationSecurity and Integrity of a Distributed File Storage in a Virtual Environment
Security and Integrity of a Distributed File Storage in a Virtual Environment Gaspare Sala 1 Daniele Sgandurra 1 Fabrizio Baiardi 2 1 Department of Computer Science, University of Pisa, Italy 2 Polo G.
More informationMalware Analysis Quiz 6
Malware Analysis Quiz 6 1. Are these files packed? If so, which packer? The file is not packed, as running the command strings shelll reveals a number of interesting character sequences, such as: irc.ircnet.net
More informationDo Containers fully 'contain' security issues? A closer look at Docker and Warden. By Farshad Abasi, 2015-09-16
Do Containers fully 'contain' security issues? A closer look at Docker and Warden. By Farshad Abasi, 2015-09-16 Overview What are Containers? Containers and The Cloud Containerization vs. H/W Virtualization
More information