Securing Data in a RHEL SELinux Multi-Level Secure Environment



Similar documents
White Paper Levels of Linux Operating System Security

Security Enhanced Linux and the Path Forward

Top Secret KVM, Lessons Learned from an ICD 503 Deployment

Red Hat Enterprise IPA Identity & Access Management for Linux and Unix Environments. Dragos Manac

BMC Client Management - SCAP Implementation Statement. Version 12.0

SELinux. Security Enhanced Linux

OF 1.3 Testing and Challenges

Common Criteria Evaluation Challenges for SELinux. Doc Shankar IBM Linux Technology Center

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

State of the Art Cloud Infrastructure

Red Hat. By Karl Wirth

Next Generation Now: Red Hat Enterprise Linux 6 Virtualization A Unique Cloud Approach. Jeff Ruby Channel Manager jruby@redhat.com

NSA Security-Enhanced Linux (SELinux)

RH033 Red Hat Linux Essentials or equivalent experience with Red Hat Linux..

SMB Direct for SQL Server and Private Cloud

Mandatory Access Control in Linux

RED HAT ENTERPRISE VIRTUALIZATION SCALING UP LOW LATENCY, VIRTUALIZATION, AND LINUX FOR WALL STREET OPERATIONS

Security and Integrity of a Distributed File Storage in a Virtual Environment

BM482E Introduction to Computer Security

Oracle Audit Vault and Database Firewall. Morana Kobal Butković Principal Sales Consultant Oracle Hrvatska

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

Open Source Backup with Amanda

Certified Platinum Configurations

Taking the Open Source Road

FISMA / NIST REVISION 3 COMPLIANCE

Linux Security on HP Servers: Security Enhanced Linux. Abstract. Intended Audience. Technical introduction

Small Systems Solutions is the. Premier Red Hat and Professional. VMware Certified Partner and Reseller. in Saudi Arabia, as well a competent

Symantec Mobile Management Suite

Sun in HPC. Update for IDC HPC User Forum Tucson, AZ, Sept 2008

An Oracle White Paper June Oracle Database 11g: Cost-Effective Solutions for Security and Compliance

Trusted RUBIX TM. Version 6. Multilevel Security in Trusted RUBIX White Paper. Revision 2 RELATIONAL DATABASE MANAGEMENT SYSTEM TEL

Cloud storage reloaded:

<Insert Picture Here> Oracle Database Security Overview

Certification Report

Wasting Money on the Tools? Automating the Most Critical Security Controls. Mason Brown Director, The SANS Institute

APIs The Next Hacker Target Or a Business and Security Opportunity?

REDUCE RISK WITH ORACLE SOLARIS 11

Satish Mohan. Head Engineering. AMD Developer Conference, Bangalore

Distributed File System Choices: Red Hat Storage, GFS2 & pnfs

With Great Power comes Great Responsibility: Managing Privileged Users

Industrial Control Systems Security Guide

Panoramica su Cloud Computing targata Red Hat AIPSI Meeting 2010

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Qualys PC/SCAP Auditor

owncloud Architecture Overview

How To Achieve Pca Compliance With Redhat Enterprise Linux

EAC Decision on Request for Interpretation (Operating System Configuration)

Virtual Machine Security

Linux Technologies QUARTER 1 DESKTOP APPLICATIONS - ESSENTIALS QUARTER 2 NETWORKING AND OPERATING SYSTEMS ESSENTIALS. Module 1 - Office Applications

Risk Management Guide for Information Technology Systems. NIST SP Overview

SERENA SOFTWARE Serena Service Manager Security

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

RED HAT ENTERPRISE VIRTUALIZATION FOR SERVERS: COMPETITIVE FEATURES

Trusted RUBIX TM. Version 6. Installation and Quick Start Guide Red Hat Enterprise Linux 6 SELinux Platform. Revision 6

FISMA Cloud GovDataHosting Service Portfolio

Microsoft Technologies

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 Part Number: E April 2016

Enabling High performance Big Data platform with RDMA

SCALABLE FILE SHARING AND DATA MANAGEMENT FOR INTERNET OF THINGS

Building a better more secure Cloud RICHARD MORRELL

Mellanox Cloud and Database Acceleration Solution over Windows Server 2012 SMB Direct

The Health Insurance Portability and Accountability Act - HIPAA - Using BeAnywhere on a HIPAA context

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

PHASE 5: DESIGN PHASE

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

THE AUSTRALIAN SIGNALS DIRECTORATE (ASD) STRATEGIES TO MITIGATE TARGETED CYBER INTRUSIONS

D. Best Practices D.2. Administration The 6 th A

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

Service Desk Best Practices

ORACLE OPS CENTER: PROVISIONING AND PATCH AUTOMATION PACK

How To Get The Most Out Of Redhat.Com

OpenStack in the Enterprise: From Strategy to Real Life. Radhesh Balakrishnan General Manager OpenStack

Deploying Ubuntu Server Edition. Training Course Overview. (Ubuntu LTS)

Specialized Programme on Internetworking Design and LAN WAN Administration

Implications of Security and Accreditation for 4DWX (Information Assurance) By Scott Halvorson Forecasters Training 26 February 2009

QTS Leverages HyTrust to Build a FedRAMP Compliant Cloud

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

ISSECO Syllabus Public Version v1.0

A REVIEW OF METHODS FOR SECURING LINUX OPERATING SYSTEM

Red Hat Enterprise Linux:

Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley

Oracle Solaris Security: Mitigate Risk by Isolating Users, Applications, and Data

California Department of Technology, Office of Technology Services AIX/LINUX PLATFORM GUIDELINE Issued: 6/27/2013 Tech.Ref No

Comparing SMB Direct 3.0 performance over RoCE, InfiniBand and Ethernet. September 2014

REDEFINING THE ENTERPRISE OS RED HAT ENTERPRISE LINUX 7

LAB FORWARD. WITH PROService RMS TECHNOLOGY, ARCHITECTURE AND SECURITY INFORMATION FOR IT PROFESSIONALS

Configuring DHCP Snooping

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Transcription:

Securing Data in a RHEL SELinux Multi-Level Secure Environment 201504

MLS Overview Red Hat Enterprise Linux (RHEL) forms the foundation of the Multi-Level Security (MLS) system Security Enhanced Linux (SELinux) provides the inner core of RHEL providing the addition security NSA develop SELinux & released open source December 2000 SELinux was merged with main Linux kernel August 2003 Fully commercially support since Introduces Mandatory Access Controls (MAC) Securely enforces separation of data and accesses Introduces Role Based Access Controls (RBAC) Introduces secure auditing All users, data, processes, and networks receive security context which is checked by kernel before interactions are allowed 2

Overview Red Hat Enterprise Linux with Multi-Level Secure policy enforcing Mandatory Access Control (MAC) labeling provides the only solid OS configuration framework currently available that supports protections including: Role Based Access Controls (RBAC) Mitigates insider threats Mandatory Access Controls (MAC) Allows out-of-the-box data fusion configuration Allows out-of-the-box multi-tenancy Automated Auditing RBAC restricts audit file access to those with Audit Admin General enterprise level configurations built from Government owned or commercially available parts 3

Overview Baseline configuration is highly modular and allows additional security as needed Add in encryption Point-to-point data in flight Data at rest Trusted system interchanges As enterprise computing expands, trusted system exchanges available Network file systems available Seagate Lustre allows MAC labeled and audited data exchanges between MLS and non-mls systems while maintaining security labels 4

MLS In-Depth Operating System RHEL 6.5 w/ SELinux enforcement mode & MLS policy applied MLS Policy All processes, users, data, networks are restricted by MLS policy Adjudicates interactions based MAC first If MAC approves, then DAC governance is validated Networking Trusted systems Defined as MLS enabled system with same data labeling scheme Accepts label applied to incoming traffic from trusted systems Un-Trusted systems Defined as any system not in the Trusted system list Apply level to incoming network traffic 5

MLS In-Depth Network Labeling Data labels from each trusted IP address are not overwritten Data from each untrusted system is labeled at the network interface (e.g. Sx:Cy) File Labeling For new file, uses MLS context of creator for initial label For existing files, compares MLS context to adjudicate interactions When an object of higher security context modifies an object, the system (MAC) applies the higher security context to the modified object 6

Role Based Access Controls RBAC used in SELinux Roles are based on least privilege Basic roles (modified from RH roles) at CSCF User Backup Admin Unix Admin Security Admin Audit Admin Provides additional security 7

ICD 503 Accreditation NIST 800-53 and associated documents define certification process for all federal systems Congress mandated ICD 503 derived from NIST 800-53 Controls tailored to IC community LM certifications based on ICD 503 with Cross Domain System (CDS) Overlay and several others CDS defined as a system with connections to different security level networks 8

Controls Application and Support Currently uses configuration managed scripts Certification Test Plan (CTP) is combination scripting and hand testing Security Content Automation Protocol (SCAP) Provides both installation automation and CTP automation Currently being used for testing documentation only Xml files are output 9

MLS Ecosystem MLS OS configuration is certified HW layer is handled through a different procurement layer Technical risk in different hardware May not support RHEL configuration Security body of evidence has to be recreated on the specific system Configuration owned by Government Configurations Single system image current and certified Cluster/Blade configuration current and in certification process 10

MLS Ecosystem Storage Direct attached Ext, xfs, zfs current and certified GPFS in certification process Parallel Network File System Lustre Seagate Secure Data Appliance Scales horizontally max single rack is 1.5 PB @ 42 GBs Resource Management Altair PBS Professional current and certified Audit Reduction Splunk current and certified IB HPC Interconnect Mellanox working to include security context in native IB 11

MLS Ecosystem System Monitoring and Metrics Altair PBS Analytics current and certified Splunk current and certified MLS Databases NSA funded and open source Postgres SQL through Crunchy Data Systems Integration to LM RHEL configuration kick off this week Accumulo through MIT-LL Seagate leading LM RHEL integration Enterprise Data Sharing Long Haul IB Bay Microsystems Campus IB Bay Microsystems and Mellanox 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information