Security Enhanced Linux and the Path Forward

Transcription

1 Security Enhanced Linux and the Path Forward April 2006 Justin Nemmers Engineer, Red Hat

2 Agenda System security in an insecure world Red Hat Enterprise Linux Security Features An overview of Discretionary Access Control and Mandatory Access Control What is Security Enhanced Linux? Security Enhanced Linux in Red Hat Enterprise Linux 4 GUI based SELinux utilities The Path Forward: Multi Level Security Futures Additional resources

3 System security in an insecure world What are crackers after? Resources for sending bulk Personal information credit card numbers and identity theft Classified secrets and trade secrets Any other information or resources of value New challenges forced by regulatory compliance Sarbanes Oxley HIPAA Authorized users can be just as dangerous as unauthorized users Intentional and unintentional actions 0 Day Exploits

4 Red Hat Enterprise Linux Security Features (non SELinux) Built in firewall Modular OS architecture Kickstart %post Support for No execute (NX) and execute Disable (XD) technologies Exec Shield Position Independent Executables (PIE) GCC and GLIBC enhancements New audit subsystem

5 An overview of DAC and MAC Discretionary Access Control Mandatory Access Control model used by most operating systems secure applications require a secure OS users have control (discretion) over their files principle of least privilege and programs supplements DAC programs run as a user have that user's privileges security policy is the final arbiter of all access decisions; users cannot override the policy root/superuser has complete control Multiple models: Type Enforcement, RBAC, attacker's goal is to exploit program running Multi Level Security with root privileges Benefits: integrity and/or confidentiality

6 What is Security Enhanced Linux? Security Enhanced Linux Strong, flexible MAC architecture Flask architecture allows for alternative security policies and models Initially a research prototype out of NSA; now part of the upstream Linux 2.6 kernel Growing community of use and development Without SELinux With SELinux

7 SELinux in Red Hat Enterprise Linux 4 Fully integrated into Red Hat Enterprise Linux 4 Benefits of MAC in a modern, mainstream operating system Not a separate set of extensions or a completely separate OS Provides Type Enforcement (TE) flexible policy model Map security policy to operational and functionality requirements example applications Lock down web servers, DNS servers, and other networklistening services Cross Domain Solutions (guards) Default Targeted Policy targets 10 different daemons Future releases target 50+ services

8 SELinux in Red Hat Enterprise Linux 4 Default targeted policy isolate commonly attacked, network listening services e.g., Apache, BIND, portmap, NTP, etc. By default, enabled in enforcing mode Useful compromise between enhanced security while not overly impacting functionality Optional strict policy locks down additional applications and user privileges

9 GUI based SELinux Utilities system config security Change booleans Select policy Enable relabeling setool gui package seaudit Audit log file analysis Create specific views using filters apol SELinux policy analysis Investigate all aspects of a running or non loaded policy

10 The path forward: Multi Level Security Some critical scenarios require Multi Level Security (MLS) Bell LaPadula (BLP) model Focus is on confidentiality Ensures users and programs on a system can only access resources for which they have been appropriately cleared Maintains the separation between different sensitivity (Top Secret, Secret, Confidential, Unclassified) and categorization levels No read up; no write down Formerly the exclusive province of expensive, niche trusted operating systems

11 MLS in Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 5 will include support for Multi Level Security SELinux will be used as the foundation Pursuing a Common Criteria evaluation EAL4+/CAPP/LSPP/RBACPP Incorporated in the main product no separate trusted version Users will be able to choose the security policy that meets their functional and operational requirements targeted strict MLS Users requiring MLS or other MAC capabilities no longer have to choose between a fully featured OS and a separate trusted version One OS, rather than multiple, can be used for a variety of roles

12 MLS Futures Targeted policy: 50+ services with policy Data Labeling Audit sensitive data access Control printing of data Network Labeling Multiple data classifications over single link Protocol not expected to be compatible with CIPSO, which is used in other Trusted OSs

13 Additional Resources Red Hat Global Learning Services RHS427 Introduction to SELinux and Red Hat Targeted Policy RHS429 Red Hat Enterprise SELinux Policy Administration Whitepapers Red Hat Enterprise Linux 4 Security Features The Path to Multi Level Security in Red Hat Enterprise Linux Mailing List lspp

14