SELinux Policy
CMSC 426/626

Overview
- Background (includes some review from the last talk)
- Motivation for MAC
- SELinux Policy
  - Type Enforcement
  - RBAC
- SELinux: the big picture for access control

Security Services
Describe the inner dependencies of the security mechanisms for Information Assurance.

IA Paradigm: The Yin and Yang of Information Assurance
(Diagram: the defensive mechanisms I&A, MAC, DAC, Audit and CND (Computer Network Defense) on one side; CNE (Computer Network Exploitation) and CNA (Computer Network Attack) on the other.)
- Think dependency lines, not a DAG.

IA Paradigm: Computer Network Attack
The Big Ds: Deny, Degrade, Disrupt, Deceive, Damage, Destroy.

Recent Trend
- "Got BotNet?"
- "Rise of the Bots"
- "Viruses are Out; Bots are In!"
Example presentation titles from this past summer's ARO Workshop.
Security Quotes
"If I own your machine and you patch it, I still own your machine."
Corollary: a popped box, patched, is still popped.

PDR Defensive Model
- Protect
- Detect
- Response
- IMHO, add Recovery

Defensive Model: Protect, Detect, Response, Recovery
- Patch: today's Response to new vulnerabilities
- IDS, IPS: the response is quarantine
- Recovery
- Response cycle: Discover, Patch, Prepare, Publish

Motivation: Discretionary Access Control Is Not Sufficient
- Malicious software runs with all the privilege of the compromised application or user
- The classical Trojan Horse example from last class
- Consider today's active content: PDF, PS, DOC, XLS, JPEG, HTML, JavaScript, Java applets, email attachments
- Truly a threat

Motivation: DAC Is Not Sufficient
- Need systems with MAC
- Least Privilege Principle: MAC limits what can be accessed

Subjects
- Program vs. Process: a process has state; it is a program in motion
- Subjects are the active entities that access objects
- Process state includes the identity of the user
Objects
- Entity to which access is granted
- Regular files, directories, file descriptors, block and character devices, FIFO pipes, links, sockets, memory
- Processes can be objects too

SELinux: Two Kinds of Object
- Transient objects (processes, data)
- Persistent objects

Example Security Classes for Objects
blk_file, dir, fd, fifo_file, file, filesystem, link_file

Subjects and Objects
Subjects act upon objects.

Security Quotes
"Security: bake it in, don't brush it on."

SELinux Commands
- SELinux administrator commands: chcon, checkpolicy, getenforce, newrole, run_init, setenforce, setfiles
- Modified Linux commands: cp, mv, id, ls, ps, ssh, etc.
- SELinux policy builder and analysis
- Additional tools: apol

SELinux Additional Tools
- apol: analyze a SELinux policy
- sediff: policy semantic diff tool for SELinux
- seaudit: analyze audit messages from SELinux
- seaudit-report: generate highly customized audit log reports
SELinux Additional Tools (continued)
- secmds: command-line tool to analyze and search SELinux policy
- sechecker: command-line tool for performing modular checks on an SELinux policy [Tresys]

SELinux Apol
(Screenshots of the apol policy analysis tool [Tresys].)

Security Quotes
"There are no bugs, just undocumented features." --Anonymous, Humor

A Note on Terminology
- Classically, TE distinguished two terms: Type and Domain
- SELinux calls everything a Type, then discusses Domains and Types for clarity
- E.g., snort_t <-- this is a Domain!
- There are also type commands to define Domains (and Types) ;-(

SELinux Policy
The access control policy decision is a hybrid access control model: TE (MAC) and RBAC, combined with classical Unix DAC.
Security Context
- Equivalence classes for related subjects and objects
- Similar subjects can be grouped, and similar objects can be grouped [McCarty]

Security Attributes
- Specific attributes are assigned to subjects and objects to define what they may control and how access to them is granted
- Three attributes: Type (Domain), User, Role
- See these in the policy files

Security Attributes
Security Attribute   Suffix (policy file token)   Example
Type (Domain)        _t                           snort_t
User                 (no suffix)                  root
Role                 _r                           sysadm_r

Type
- Most common security attribute
- Look for allow statements in the policy files
- Type is from Type Enforcement (TE)
- Classically: Domain and Type, but SELinux uses them synonymously, contrary to the classical intent of TE

Security Phrases
- You cannot do security through righteous indignation.
- The process of security must blend well into the business practices of the organization.
- Never force the need for security after an incident. The organization will resent your actions.
  » What does this say for Red Teaming?

Customizable SELinux Policy File
- Local and flexible security policy
- Binary file loaded at boot
- Makefile to build, in /etc/security/selinux/src/policy
- policy.conf is compiled to binary: make runs checkpolicy
Policy Build Process [McCarty]
SELinux policy files (object classes, TE files, RBAC files, user declarations, security contexts, constraints)
  --cat--> policy.conf --checkpolicy--> binary policy --load_policy--> kernel

    % wc policy.conf
    ~250,000

File Context (FC) File
- Defines the domain; recall the principle from Type Enforcement
- Lists the security context for objects: files and directories
- By convention, named after the program or server

Type Enforcement (TE) Files

SELinux FC and TE Files
(Distribute handout.)

SELinux FC File

    # SNORT
    /usr/(s)?bin/snort        --    system_u:object_r:snort_exec_t
    /etc/snort(/.*)?                system_u:object_r:snort_etc_t
    /var/log/snort(/.*)?            system_u:object_r:snort_log_t

- Columns: the objects, as regular expressions; a flag column (-- means ordinary file); the label assigned to each matching object

SELinux TE File
- type command: like a C type statement; use this to define TE types
- allow command: the default is fail closed, so allow is quite common, to grant access
- Can expressly prohibit, e.g., auditdeny
- Macros: M4 macro processor (any sendmail admins?)

SELinux TE File

    type snort_etc_t, file_type, sysadmfile;

Defines a type; look at the 3rd line of the FC file above (snort).

    allow snort_t etc_t:file { getattr read };

Processes in the snort_t domain can read, and get the attributes of, files labeled etc_t. The braces hold a list of access rights.
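To make the FC columns concrete, here is an added Python example (written for these notes, not code from the lecture or from any SELinux tool) that parses the snort entries above and labels a few constructed paths the way setfiles or matchpathcon would. It assumes the libselinux conventions that each regex is anchored to the whole path, that the flag column restricts the spec to one object class, and that the last matching spec wins.

```python
import re

# Constructed excerpt of a file_contexts (FC) file in the format shown on the
# slide: path regex, optional object-class flag, security context. The regexes
# and labels are the lecture's snort examples, not a distribution's policy.
FC_TEXT = """
# SNORT
/usr/(s)?bin/snort        --    system_u:object_r:snort_exec_t
/etc/snort(/.*)?                system_u:object_r:snort_etc_t
/var/log/snort(/.*)?            system_u:object_r:snort_log_t
"""

# Flag column: which object class a spec applies to ("--" = regular file only,
# "-d" = directory only, no flag = any class), per the file_contexts convention.
FLAG_TO_CLASS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
                 "-p": "fifo_file", "-b": "blk_file", "-c": "chr_file"}


def parse_fc(text):
    """Parse FC lines into (anchored compiled regex, class-or-None, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            path_re, flag, context = fields
            obj_class = FLAG_TO_CLASS[flag]
        elif len(fields) == 2:
            path_re, context = fields
            obj_class = None                  # applies to every object class
        else:
            raise ValueError("malformed FC line: %r" % raw)
        # libselinux anchors every spec, so the regex must match the whole path
        specs.append((re.compile("^" + path_re + "$"), obj_class, context))
    return specs


def label_for(specs, path, obj_class):
    """Return the context for path, or None if no spec matches (unlabeled).

    As in libselinux, the LAST matching spec wins, which is why FC files are
    ordered from general to specific.
    """
    result = None
    for regex, spec_class, context in specs:
        if spec_class is not None and spec_class != obj_class:
            continue
        if regex.match(path):
            result = context
    return result


SPECS = parse_fc(FC_TEXT)

if __name__ == "__main__":
    for path, cls in [("/usr/sbin/snort", "file"), ("/usr/bin/snort", "file"),
                      ("/usr/sbin/snort", "dir"), ("/etc/snort", "dir"),
                      ("/etc/snort/snort.conf", "file"),
                      ("/var/log/snort/alert", "file"), ("/etc/passwd", "file")]:
        print("%-24s %-4s -> %s" % (path, cls, label_for(SPECS, path, cls)))
```

Note what the `(/.*)?` suffix buys: the directory /etc/snort itself and everything beneath it get snort_etc_t, while /etc/snortd does not match, and a directory named /usr/sbin/snort is left unlabeled because the `--` flag restricts that spec to regular files.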
Question
Assume that the Unix init process is assigned to the initrc_t domain. What access does init have to snort-protected files?

Macro: can_network(domain)

    define(`can_network',`
    allow $1 self:udp_socket create_socket_perms;
    allow $1 self:tcp_socket create_stream_socket_perms;
    allow $1 netif_type:netif { tcp_send udp_send rawip_send };
    allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv };
    allow $1 node_type:node { tcp_send udp_send rawip_send };
    allow $1 node_type:node { tcp_recv udp_recv rawip_recv };
    allow $1 port_type:{ tcp_socket udp_socket } \
        { send_msg recv_msg };
    ...
    allow $1 net_conf_t:file r_file_perms;
    ')dnl end can_network definition

Security Phrases
- Write once, distribute many.
- An adversary's response to a defender's "No attacker will reverse engineer my system."

RBAC: Role Based Access Control
- Limits a user (and thus a process) to certain domains
- For example, the role sysadm_r is accessible only to the administrator and not to other users

RBAC Transitions
1. Users have roles, and thus their processes do too
2. Processes transition only to roles that are assigned to the user and authorized
(Diagram: a transition from Role 1 to Role 2 is permitted; a transition from Role 1 to an unassigned Role X is not.)

RBAC: User Attribute
Associates SELinux users with roles:

    user root roles { staff_r system_r };
    user admin roles { sysadm_r };      # role identifiers carry the _r suffix
    user ordinary roles { user_r };
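The allow rule on the previous page, the can_network macro and the initrc_t question can be worked through with this added Python model of type enforcement (example code written for these notes, not the kernel's access vector logic or checkpolicy). It assumes a constructed policy excerpt: the type declarations for initrc_t, sysadm_t and net_conf_t and the sysadm_t rule are assumptions, the permission-set names r_file_perms and create_socket_perms are given as explicit sets rather than M4 macros, and the macro support is just enough to substitute $1 at a call site. With no allow rule naming initrc_t, the check for init fails closed, which is the point of the question.

```python
import re

# Constructed, simplified TE policy in the syntax the slides show. Permission
# sets that the real policy defines as M4 macros are spelled out here.
PERM_SETS = {
    "r_file_perms": {"read", "getattr", "lock", "ioctl"},
    "create_socket_perms": {"create", "bind", "connect", "read", "write"},
}

TE_TEXT = """
# type <name>, <attribute>...;  attributes let one allow rule cover many types
type snort_t, domain;
type snort_etc_t, file_type, sysadmfile;
type etc_t, file_type, sysadmfile;
type initrc_t, domain;
type sysadm_t, domain;
type net_conf_t, file_type;

# macro with a $1 parameter, as with M4 define()
define(`can_network',`
allow $1 self:udp_socket create_socket_perms;
allow $1 net_conf_t:file r_file_perms;
')

allow snort_t etc_t:file { getattr read };
allow sysadm_t sysadmfile:file { getattr read write };
can_network(snort_t)
"""

MACRO_RE = re.compile(r"define\(`(\w+)',`(.*?)'\)", re.S)
ALLOW_RE = re.compile(r"\ballow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")
TYPE_RE = re.compile(r"\btype\s+([\w,\s]+);")
CALL_RE = re.compile(r"^(\w+)\((\w+)\)\s*$", re.M)


def expand_macros(text):
    """Remove define() bodies and paste them, with $1 bound, at each call site."""
    macros = {name: body for name, body in MACRO_RE.findall(text)}
    text = MACRO_RE.sub("", text)
    return CALL_RE.sub(lambda m: macros[m.group(1)].replace("$1", m.group(2)), text)


def perms_of(token):
    if token.startswith("{"):
        return set(token.strip("{}").split())
    return set(PERM_SETS[token])              # a named permission set


class TEPolicy:
    """type -> attributes plus the allow rules; access is denied unless granted."""

    def __init__(self, text):
        text = "\n".join(l.split("#", 1)[0] for l in text.splitlines())
        text = expand_macros(text)
        self.attrs = {}                       # type name -> set of attributes
        for decl in TYPE_RE.findall(text):
            name, *attributes = [t.strip() for t in decl.split(",")]
            self.attrs[name] = set(attributes)
        self.rules = [(src, tgt, cls, perms_of(perms))
                      for src, tgt, cls, perms in ALLOW_RE.findall(text)]

    def _matches(self, pattern, actual, source):
        if pattern == "self":                 # self: target type equals the source domain
            return actual == source
        return pattern == actual or pattern in self.attrs.get(actual, ())

    def allowed(self, source, target, cls, perm):
        """True only if some allow rule grants perm; no matching rule means denied."""
        for src, tgt, rcls, perms in self.rules:
            if (rcls == cls and perm in perms
                    and self._matches(src, source, source)
                    and self._matches(tgt, target, source)):
                return True
        return False


POLICY = TEPolicy(TE_TEXT)

if __name__ == "__main__":
    checks = [("snort_t", "etc_t", "file", "read"),
              ("snort_t", "etc_t", "file", "write"),
              ("initrc_t", "snort_etc_t", "file", "read"),   # the slide's question
              ("sysadm_t", "snort_etc_t", "file", "write"),  # via the sysadmfile attribute
              ("snort_t", "snort_t", "udp_socket", "create"),  # from can_network
              ("snort_t", "net_conf_t", "file", "read")]
    for c in checks:
        print("%-44s %s" % ("allow %s %s:%s %s" % c, POLICY.allowed(*c)))
```

Two things the model makes visible: an attribute such as sysadmfile in a type declaration is what lets a single allow rule reach snort_etc_t without naming it, and a domain that appears in no allow rule, like initrc_t here, gets nothing at all.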
RBAC: Roles and Domains
- Roles are associated with domains to permit access, in the .te file
- Example, both roles permitted to enter the ping_t domain:

    role sysadm_r types ping_t;
    role system_r types ping_t;

SELinux Access Control
(Diagram: a user is assigned to roles such as rolex_r; roles are associated with domains such as ping_t and snort_t; an object carries both DAC protection bits and a MAC type label such as snort_log_t.)
- When access to an object is attempted, the access rights for the type are consulted.

Security Quotes
"Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.)" --Kaufman, Perlman, and Speciner, Private Communication in a Public World, 1995.

References
[McCarty] Bill McCarty, SELinux: NSA's Open Source Security Enhanced Linux, O'Reilly, 2004.
[Tresys] Apol: Analyze a SELinux Policy, 2006, http://oss.tresys.com/projects/setools

Fini. Thanks!
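The two RBAC links on the slides, user-to-role and role-to-domain, decide whether a full security context user:role:type is even possible before any TE allow rule is consulted. The following added Python example (written for these notes, not part of the lecture or of SELinux) parses a constructed excerpt of user and role statements and checks contexts and role changes against it. The role lines for snort_t, user_t and staff_t are assumptions added so that each declared role authorizes at least one domain.

```python
import re

# Constructed excerpt of RBAC declarations in the slides' syntax: user -> roles
# and role -> domains. Not a distribution's policy.
RBAC_TEXT = """
user root roles { staff_r system_r };
user admin roles { sysadm_r };
user ordinary roles { user_r };

role sysadm_r types ping_t;
role system_r types ping_t;
role system_r types snort_t;
role user_r types user_t;
role staff_r types staff_t;
"""

USER_RE = re.compile(r"\buser\s+(\w+)\s+roles\s+(\{[^}]*\}|\w+)\s*;")
ROLE_RE = re.compile(r"\brole\s+(\w+)\s+types\s+(\{[^}]*\}|\w+)\s*;")


def _idset(token):
    """'{ a b }' or 'a' -> set of identifiers."""
    return set(token.strip("{}").split())


def parse_rbac(text):
    users = {}   # user -> roles the user may take
    roles = {}   # role -> domains (types) a process in that role may run in
    for name, tok in USER_RE.findall(text):
        users.setdefault(name, set()).update(_idset(tok))
    for name, tok in ROLE_RE.findall(text):
        roles.setdefault(name, set()).update(_idset(tok))
    return users, roles


USERS, ROLES = parse_rbac(RBAC_TEXT)


def context_valid(context):
    """Is user:role:type a context these RBAC declarations permit?

    Both links of the chain must hold: the user is authorized for the role and
    the role is authorized for the domain. Unknown names fail closed.
    """
    user, role, domain = context.split(":")
    return role in USERS.get(user, set()) and domain in ROLES.get(role, set())


def role_transition_allowed(user, new_role, new_domain):
    """Transition 2 on the RBAC Transitions slide: a process may move only to a
    role assigned to its user, and only into a domain that role authorizes."""
    return context_valid("%s:%s:%s" % (user, new_role, new_domain))


if __name__ == "__main__":
    for ctx in ["root:system_r:ping_t", "root:sysadm_r:ping_t",
                "admin:sysadm_r:ping_t", "ordinary:user_r:ping_t",
                "ordinary:user_r:user_t", "nobody:user_r:user_t"]:
        print("%-24s valid=%s" % (ctx, context_valid(ctx)))
    print("root -> staff_r/staff_t:", role_transition_allowed("root", "staff_r", "staff_t"))
    print("ordinary -> sysadm_r/ping_t:", role_transition_allowed("ordinary", "sysadm_r", "ping_t"))
```

Note that root:sysadm_r:ping_t is rejected even though sysadm_r is authorized for ping_t: in this excerpt root is assigned only staff_r and system_r, so the first link of the chain is missing, which is exactly the "unassigned Role X" case in the transitions diagram.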