...e SELinux fosse più sicuro?...and if Linux was more secure? (Play on words with the Italian language)

Transcription

1 ...e SELinux fosse più sicuro?...and if Linux was more secure? (Play on words with the Italian language) Marco Pizzoli IMOLUG: Imola e Faenza Linux Users Group 1

2 About the speaker... System and network administrator IT Security enthusiast Computer Science degree Thesys: Digital Identities and PKI Computer Networks and Systems Security degree Thesys: Centralization of information with LDAP Computer Networks and Systems Security degree (II level) (Future) Thesys: Identity, Policy and Auditing... IMOLUG: Imola e Faenza Linux Users Group 2

3 New terms IMOLUG: Imola e Faenza Linux Users Group 3

4 What's the need for a security framework inside the kernel? To enforce Mandatory Access Control (MAC) To better protect against malicious software To limit the vulnerability surface exposed by bugged / not-so-secure software: Buffer overflow Heap overflow The next thing... To better maintain a complex system, by delegating to a single component all security decisions IMOLUG: Imola e Faenza Linux Users Group 4

5 What could be an example of malicious software running on my machine? Bugged software could be exploited to do something not wanted. I.e. a webserver: could open a connection to another host inside the same network could read each file on the file system on which it has read permission could truncate his access logs IMOLUG: Imola e Faenza Linux Users Group 5

6 What could be an example of malicious software running on my machine? Bugged software could be exploited to do something not wanted. I.e. a webserver: Possible solutions: could open a connection to another host inside the same network webserver running with a dedicated user, webserver user prohibited to open network connections with iptables could read each file on the file system on which it has read permission webserver running chroot-ed could truncate his access logs????? IMOLUG: Imola e Faenza Linux Users Group 6

7 The need for a fine-grained control Let's have a look at our open()-syscall flags: O_APPEND, O_ASYNC, O_CREAT, O_DIRECT, O_EXCL,O_LARGEFILE, O_NOATIME, O_NOCTTY, O_NOFOLLOW, O_NONBLOCK or O_NDELAY, O_SYNC, O_TRUNC And now, let's have a look at our httpd_access.log file permissions: -rw-r--r-- 1 root root 0 Oct 1 23:59 httpd_access.log Uh? It seems that, given w permission to the log file, we are not able to limit what can be done on it... and actually it is!!! This is where the Mandatory Access Control (MAC) comes in help IMOLUG: Imola e Faenza Linux Users Group 7

8 DAC versus MAC - DAC Discretionary Access Control is the more familiar to most people: Access to resources is based on user's identity A user is granted permissions to a resource by being placed on an access control list (ACL) associated with resource The DAC model is based on resource ownership It's discretionary in the sense that when a user (or group) is the owner of an object in the DAC model, the user can grant permission to other users and groups. Example: Unix user-group-other (ugo) permission bits IMOLUG: Imola e Faenza Linux Users Group 8

9 DAC versus MAC - MAC Mandatory Access Control is not so common in everyday computers: Users are given permissions to resources by an administrator Only an administrator can grant permissions or rights to objects and resources Access to resources is based on an object's security level, while users are granted security clearance. Only administrators can modify an object's security label or a user's security clearance. To make concepts easier, I like to think to a fashion similar to a network firewall, I.e. SystemA is entitled to connect to systemb, to TCP port x On my FW, I will add a permit rule to let it do...and a deny rule to each other traffic having source SystemA All of this applied to the whole system (over-simplification) IMOLUG: Imola e Faenza Linux Users Group 9

10 DAC coupled to MAC It works! :-) Access is granted as long as both models agree MAC will always have the last word This is the default in SELinux IMOLUG: Imola e Faenza Linux Users Group 10

11 What's the origin of SELinux? Flux Advanced Security Kernel (FLASK) IMOLUG: Imola e Faenza Linux Users Group 11

12 What's the story of NSA and Linux? NSA developed SELinux as patches to Linux Kernel 2.4.x 2001: NSA proposal to integrate SELinux into the official kernel Linus Torvalds refuses: Other security frameworks under active development inside the community Each security framework model was different from each other No formal consensus on the right one to be adopted Need for the devel of Linux Security Modules (LSM): Creation of a large number of hooks throughout the kernel Re-development of SELinux and all other possible security frameworks as modules IMOLUG: Imola e Faenza Linux Users Group 12

13 Linux Security Modules IMOLUG: Imola e Faenza Linux Users Group 13

14 What's the story of LSM? In the official 2.6 kernel since December 2003 For a long time there has been only one implementation: SELinux It has been subject to several criticisms: It imposes a little computational cost (overhead), even if no modules are actually loaded It has been developed to provide for access control but does not actually prevent to be (ab)used for other reasons The LSM API is a moving target, so it is difficult to keep-in-sync IMOLUG: Imola e Faenza Linux Users Group 14

15 What about other security models? AppArmor: Same purpose, different approach (path-based) PRO: simpler configuration CONS: not as secure as SELinux Initially created by Immunix, Inc. Novell acquired Immunix (2005) and continued to develop and sponsor the project until Semptember 2007: they laid off all the AppArmor team Since 2009 active development from Canonical In the official kernel only since release (October 2010) GRSecurity: Set of security patches for the Linux kernel Path-based security model (same of AppArmor) Not an LSM not in the official kernel Some components could be used on a SELinux system Poor documentation RSBAC: Dedicated hooking mechanism not an LSM not in the official Kernel Similar design of SELinux More functionality than SELinux IMOLUG: Imola e Faenza Linux Users Group 15

16 SELinux: how does it works? Based on the concept of security context First distinction: Objects: files, ipc channels, sockets, network hosts, etc... Subjects: processes All objects and subjects have a single security context associated A security context consists of 3 elements: user:role:type We will say that each file has a type and each process has a domain IMOLUG: Imola e Faenza Linux Users Group 16

17 Everything has a security context Files and directories: Saved as extended attributes As a consequence of a mount option mount -t iso9660 -o context=%s As a consequence of a mount option (network fs) mount -t [nfs cifs] -o context=%s Network packets: IMOLUG: Imola e Faenza Linux Users Group 17

18 Everything has a security context - continued Processes: IMOLUG: Imola e Faenza Linux Users Group 18

19 Caveats Working with SELinux entails particular attention to pay on each activity. E.g. IMOLUG: Imola e Faenza Linux Users Group 19

20 A practical example: password change Remember that SELinux adds type enforcement to standard Linux: Both have to be granted, to access the resource Let's look at the standard Linux behaviour: User joe invokes /usr/bin/passwd, which is SUID Digits the new password /usr/bin/passwd, acting as root EUID, changes joe's pw on /etc/shadow IMOLUG: Imola e Faenza Linux Users Group 20

21 A practical example: password change A graph could be of help: IMOLUG: Imola e Faenza Linux Users Group 21

22 Privileges the old way vs. the new We were used to think about user privileges But now we have to think about Type Enforcement IMOLUG: Imola e Faenza Linux Users Group 22

23 A practical example: password change We have seen how the passwd_t type can change the password of a user We have not yet seen how a user can acquire the passwd_t type!! IMOLUG: Imola e Faenza Linux Users Group 23

24 A practical example: password change We have to explicit some other rules... IMOLUG: Imola e Faenza Linux Users Group 24

25 And finally, if something not allowed happens... IMOLUG: Imola e Faenza Linux Users Group 25

26 SELinux operative modes We have the flexibility to enable/test/disable SELinux enforcing Let's see our current mode: IMOLUG: Imola e Faenza Linux Users Group 26

27 Obtaining initial context: pam_selinux.so IMOLUG: Imola e Faenza Linux Users Group 27

28 A question of policy The policy is responsible for the majority of what is allowed and what is not It is comprised of a set of rules to be checked against It leads all access control decisions It could implement any kind of MAC Each time you encounter an access denial... it's due to the policy!* :-) Each system could load a completely different policy: keep it in mind! * over-simplification IMOLUG: Imola e Faenza Linux Users Group 28

29 The Strict Policy Definition: A system where everything is denied by default You must specify allow rule to grant privileges SELinux designed to be a strict policy: The policy rules have only allows, no denies Minimal privileges for every daemon Separate user domains for programs like GPG, X, ssh, etc... Default policy provided by NSA Difficult to enforce in general purpose operating systems Fedora Core 2 Experience: Bogged down handling incredible permutations of Linux Analysis of Strict policy becoming impossible Strict Policy becoming less strict Fixing userspace problems while ignoring server space Caused hundreds of bugs to be reported #1 Question How do I turn off SELinux? Don't want to become Trusted Solaris IMOLUG: Imola e Faenza Linux Users Group 29

30 The Targeted Policy IMOLUG: Imola e Faenza Linux Users Group 30

31 The MLS Policy IMOLUG: Imola e Faenza Linux Users Group 31

32 The Reference Policy IMOLUG: Imola e Faenza Linux Users Group 32

33 The Minimum Policy IMOLUG: Imola e Faenza Linux Users Group 33

34 Extending the target: virtualization svirt: IMOLUG: Imola e Faenza Linux Users Group 34

35 Let's write a policy! It could be not so simple... let's call for help! :-) IMOLUG: Imola e Faenza Linux Users Group 35

36 Let's write a policy! - continued IMOLUG: Imola e Faenza Linux Users Group 36

37 SELinux: How much does it cost? Those guys at Phoronix asked themselves: They actually tested 2 different distributions They compared the performance in different use cases To allow them to have measurable differences they deliberately chose a low-profile platform IMOLUG: Imola e Faenza Linux Users Group 37

38 How much does it cost? - Hardware platform [...] To look for the greatest impact, a low-power netbook was used for testing. This netbook was the Samsung NC10 with an Intel Atom N270 CPU, i945 graphics, 2GB of system memory, and a 32GB OCZ Core Series SSD. A clean install of Fedora 15 (i686) with the Linux kernel, GNOME Shell 3.0.1, X Server , xf86-video-intel , Mesa 7.11-devel, GCC 4.6.0, and an EXT4 file-system were used. [...] IMOLUG: Imola e Faenza Linux Users Group 38

39 How much does it cost? - Apache test IMOLUG: Imola e Faenza Linux Users Group 39

40 How much does it cost? - 7-zip test IMOLUG: Imola e Faenza Linux Users Group 40

41 How much does it cost? - RHEL 5 (2007 version) IMOLUG: Imola e Faenza Linux Users Group 41

42 SELinux and PostgreSQL Attempt to make PostgreSQL SELinux-aware Efficient way to centralize security decisions and to take them out of the DBMS engine. Part of a more challenging target (see later) I want to publicly thank Kohei NEC for permitting me to leverage his images and slides IMOLUG: Imola e Faenza Linux Users Group 42

43 SELinux and PostgreSQL - Concepts 1/2 IMOLUG: Imola e Faenza Linux Users Group 43

44 SELinux and PostgreSQL - Concepts 2/2 IMOLUG: Imola e Faenza Linux Users Group 44

45 SE-PostgreSQL - How does it works? IMOLUG: Imola e Faenza Linux Users Group 45

46 SE-PostgreSQL What could we expect in the future? IMOLUG: Imola e Faenza Linux Users Group 46

47 A more challenging target: A SELinux-aware LAPP stack IMOLUG: Imola e Faenza Linux Users Group 47

48 Apache/SELinux Plus IMOLUG: Imola e Faenza Linux Users Group 48

49 mod_selinux.conf IMOLUG: Imola e Faenza Linux Users Group 49

50 Sviluppi futuri: SELinux e Android IMOLUG: Imola e Faenza Linux Users Group 50

51 To learn SELinux, how can I start? Buy a good book on the topic: Currently there's only one that I'm aware of: Many pictures in these slides have been taken from this book Subscribe to Fedora/SELinux and ReferencePolicy mailing lists: Read each article you find on the web by Dan RedHat: IMOLUG: Imola e Faenza Linux Users Group 51

52 Questions? IMOLUG: Imola e Faenza Linux Users Group 52

53 Grazie per l'attenzione IMOLUG: Imola e Faenza Linux Users Group 53