Linux OS-Level Security Nikitas Angelinas MSST 2015

Similar documents
Technical Report. Analysis of the Linux Audit System. Bruno Morisson. RHUL MA April 2015

The Linux Audit Subsystem Deep Dive. SHARE Denver Colorado Convention Center, Korbel 4b 24-Aug Noon

Analysis of the Linux Audit System 1

SELinux. Security Enhanced Linux

Using an Open Source Framework to Catch the Bad Guy. Norman Mark St. Laurent Senior Solutions Architect, Red Hat

Auditing in the VNX Control Station P/N REV A01 February, 2011

Secure computing: SELinux

Intrusion Detection using the Linux Audit Framework. Stephen Quinney School of Informatics University of Edinburgh

issh v. Auditd: Intrusion Detection in High Performance Computing

Safety measures in Linux

How To Harden An Hp Server For A Long Time

Security Enhanced Linux and the Path Forward

Mandatory Access Control in Linux

NSA Security-Enhanced Linux (SELinux)

Do Containers fully 'contain' security issues? A closer look at Docker and Warden. By Farshad Abasi,

The Case for SE Android. Stephen Smalley Trust Mechanisms (R2X) National Security Agency

Networking in NSA Security-Enhanced Linux

Linux Security on HP Servers: Security Enhanced Linux. Abstract. Intended Audience. Technical introduction

Native Host Intrusion Detection with RHEL6 and the Audit Subsystem. Steve Grubb Red Hat

Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley

Protection of Components based on a Smart Card Enhanced Security Module

Audit and IDS Steve Grubb, Red Hat

Linux Audit Quick Start SUSE Linux Enterprise 10 SP1

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

Linux Boot Camp. Our Lady of the Lake University Computer Information Systems & Security Department Kevin Barton Artair Burnett

Hardened Hosting. Quintin Russ. OWASP New Zealand Chapter th December 2011

Case Study: Access control 1 / 39

Guide to Snare for Linux v4.1

Case Studies. Joint software development Mail 1 / 38. Case Studies Joint Software Development. Mailers

CIS 551 / TCOM 401 Computer and Network Security

Object Classes and Permissions

Linux Distributed Security Module 1

Windows and Linux Security Audit

Linux Security Ideas and Tips

BM482E Introduction to Computer Security

Common Criteria Evaluation Challenges for SELinux. Doc Shankar IBM Linux Technology Center

SCP - Strategic Infrastructure Security

Fedora 13 Managing Confined Services. Scott Radvan

Adjusting Prevention Policy Options Based on Prevention Events. Version 1.0 July 2006

NETWORK SECURITY HACKS *

ENTERPRISE LINUX SECURITY ADMINISTRATION

GL-550: Red Hat Linux Security Administration. Course Outline. Course Length: 5 days

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

We mean.network File System

CAPP-Compliant Security Event Audit System for Mac OS X and FreeBSD

Computer Security DD2395

RSBAC - a framework for enhanced Linux system security

Securing Linux Containers

SSSD and OpenSSH Integration

System Management. Leif Nixon. a security perspective 1/37

GL550 - Enterprise Linux Security Administration

2: Do not use vendor-supplied defaults for system passwords and other security parameters

ENTERPRISE LINUX SECURITY ADMINISTRATION

Information Security Measures and Monitoring System at BARC. - R.S.Mundada Computer Division B.A.R.C., Mumbai-85

KVM Security - Where Are We At, Where Are We Going

CS 377: Operating Systems. Outline. A review of what you ve learned, and how it applies to a real operating system. Lecture 25 - Linux Case Study

What s New in Centrify Server Suite 2014

SELinux course. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant, Nethemba s.r.o.

Confining the Apache Web Server with Security-Enhanced Linux

Clustered Data ONTAP 8.2

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

Practical Solaris 10 Security Glenn Brunette

Best Practices, Procedures and Methods for Access Control Management. Michael Haythorn

WHITEPAPER INTRODUCTION TO CONTAINER SECURITY. Introduction to Container Security

Security Enhanced (SE) Android: Bringing Flexible MAC to Android

Contents III: Contents II: Contents: Rule Set Based Access Control (RSBAC) 4.2 Model Specifics 5.2 AUTH

Oracle Solaris Security: Mitigate Risk by Isolating Users, Applications, and Data

A Firewall Model of File System Security

Using the Flask Security Architecture to Facilitate Risk Adaptable Access Controls

File Management. COMP3231 Operating Systems. Kevin Elphinstone. Tanenbaum, Chapter 4

Achieving PCI-Compliance through Cyberoam

How To Achieve Pca Compliance With Redhat Enterprise Linux

Secure to the Core: The Next Generation Secure Operating System from CyberGuard

Secure Shell Demon setup under Windows XP / Windows Server 2003

Chapter 11 Distributed File Systems. Distributed File Systems

Operating System Structure

Introduction to Computer Security

Configuring CQ Security

How To Manage File Access On Data Ontap On A Pc Or Mac Or Mac (For A Mac) On A Network (For Mac) With A Network Or Ipad (For An Ipad) On An Ipa (For Pc Or

CSE 120 Principles of Operating Systems. Modules, Interfaces, Structure

IDENTITIES, ACCESS TOKENS, AND THE ISILON ONEFS USER MAPPING SERVICE

Host Event Based Network Monitoring

FreeBSD Developer Summit TrustedBSD: Audit + priv(9)

Red Hat System Administration 1(RH124) is Designed for IT Professionals who are new to Linux.

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

Host Hardening. OS Vulnerability test. CERT Report on systems vulnerabilities. (March 21, 2011)

Incremental Backup Script. Jason Healy, Director of Networks and Systems

Transcription:

Linux OS-Level Security Nikitas Angelinas MSST 2015

Agenda SELinux SELinux issues Audit subsystem Audit issues Further OS hardening 2

SELinux Security-Enhanced Linux Is NOT a Linux distribution A kernel feature A Linux Security Module (LSM) security fields in kernel data structures processes, files, directories, sockets, IPC, and other OS objects hooks on all paths from userspace return a binary predicate: allowed or not allowed (e.g. EACCES) 3

SELinux SELinux is a labeling system Every process has a label Every OS object has a label Policy rules control access between processes and objects, based on their labels Policy rules are enforced by the kernel The objective is to contain misbehaving/compromised userspace applications 4

SELinux policy management interface application userspace open(2) kernel error checks selinuxfs DAC checks Allowed? LSM hook Access Vector Cache cache miss? (Policy Rules and Access Decision Logic) Yes/No return Security Server SELinux 5

SELinux Mandatory Access Control vs. Discretionary Access Control (file ownership, permissions) Labels are of the form user:role:type:level e.g. process: /usr/sbin/sshd system_u:object_r:sshd_exec_t:s0 e.g. file: /root/ssh/* root:object_r:ssh_home_t SELinux implements LSM hooks and offers: Role-based Access Control Type Enforcement Multi-Level Security 6

SELinux labels and rules ls -Z /usr/sbin/sshd -rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd ls -Z /root/.ssh/id_rsa -rw-------. root root root:object_r:ssh_home_t ls -Z /etc/ssh/sshd_config -rw-------. root root system_u:object_r:etc_t ls -Z /var/run/sshd.pid -rw-------. root root system_u:object_r:sshd_var_run_t /var/run/sshd.pid ps -ez grep ssh sesearch --allow -t sshd_var_run_t /etc/selinux/clip/policy/policy.24 grep sshd_t system_u:system_r:sshd_t /root/.ssh/id_rsa /etc/ssh/sshd_config 5142? 00:18:57 sshd allow sshd_t sshd_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; sesearch --allow -t sshd_exec_t /etc/selinux/clip/policy/policy.24 grep sshd_t allow sshd_t sshd_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ; 7

SELinux policies Policy rules defined in a high-level language Conditionals, booleans, m4 support, etc. Compiled in userspace Inserted in the kernel Policies are stackable Large collection of off-the-shelf policies Custom software will need custom policy rules audit2allow(1) can help 8

SELinux issues SELinux I/O checks and auditing occur at the VFS Networked filesystems might not use the VFS Exporting SELinux hooks is a software layer violation LSM hooks add overhead Potential for policy mismatch in a distributed environment Writing policy rules can be tedious, error-prone Can be difficult to verify Object stores 9

Audit subsystem Generates a system audit trail timestamp, user, LSM labels, authentication details, etc. Meets or exceeds CAPP, LSPP, RSBAC, NISPOM, FISMA, PCI-DSS, etc. certifications Highly capable Watches on individual files and syscalls Filters on uid, syscall #, LSM labels, and other attributes Integrated with other kernel subsystems Message types: PATH, SYSCALL, USER_*, DAEMON_*, AVC, etc. Log rotation Email notifications 10

Audit subsystem audit.rules auditd.conf aureport auditctl auditd audit.log ausearch control, status, audit rules audit records kernel Netlink socket interface kauditd userspace rule database 11

Audit issues Audit logs are not generated by remote fs operations Additional tools needed for log aggregation Log integrity might mean blocking operations Possible performance impact Mitigate with solid-state storage 12

Putting the two together SELinux is a user of audit SELinux denials log AVC-type messages # ausearch -m avc -ts recent type=syscall msg=audit(1431684482.612:67019): arch=c000003e syscall=2 success=yes exit=9 a0=4076db a1=50000 a2=3cdf a3=3b8ff28d60 items=0 ppid=120622 pid=120628 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11085 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0-s15:c0.c1023 key=(null) type=avc msg=audit(1431684482.612:67019): avc: denied { read } for pid=120628 comm="updatedb" name="audit" dev=dm-0 ino=15583 scontext=system_u:system_r:locate_t:s0s15:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=dir 13

Kernel hardening SELinux only handles userspace Kernel vulnerabilities assume root, LSM reset Reduce kernel attack surface Remove unnecessary drivers, device nodes, filesystems, protocols, syscalls, etc. seccomp BPF/libseccomp Reduce predictability and harden Use non-stock distribution kernels Restrict /proc/kallsyms, System.map permissions kaslr/base address randomization kernel config options: NX, etc grsecurity, PaX 14

Best practices Minimise Remove cruft Read-only virtual filesystems Least privileges for daemons Make good use of: permissions, PAM, capabilities, namespaces, containers, etc. Disable module loading or whitelist ASLR/NX for userspace Timely updates (can be a challenge for some sites) Rely on OS distributor or follow CVEs Pentest internally and externally 15

Thank You! Linux OS-Level Security Nikitas Angelinas MSST 2015

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information