Redhat - SE Linux- Mazenet solution

Page 1

Security Enhanced Linux

Vimal, Senior Linux Trainer

96777 42828

Page 2

Outline

• What is SELinux?
• What is it trying to do?
• How does it work?
• Mandatory Access Control (MAC)
• Using Type Enforcement to provide access control
• Creating rules with example
• Roles (RBAC)

Page 3

The Issue

• Patch cycle
• Attackers find a vulnerability and develop an exploit
• Users / testers discover the exploit, and a patch is developed to negate it
• Protecting systems in the period between when the exploit is developed and when the patch is distributed is the zero-day (0-day) problem

Page 4

The Issue

• The Problem:
  - How do you defend against an exploit that hasn't been developed?
• A Possible Solution:
  - Control access to resources to limit exposure and thus the chances for an exploit
  - Also manage access controls such that, if an exploit is successful, there is a strict limit on the resources available to the exploit

Page 5

Access Control

• Linux (and most other OSs) implement discretionary access control over resources

• Users have the discretion to allow or deny access to resources that they control

• If a process is compromised, it operates with the access controls given to that process (those of the user/owner).

• Higher-security systems implement access control in the system itself rather than leaving it to the discretion of users (mandatory access control).

• Access to resources is managed by a security policy, not user decisions.

Page 6

SELinux History

• Mandatory access controls (MAC) used in high security systems (military) for years.

• NSA began work on embedding MAC into existing operating systems

• 1991 - 1992 – Mach OS
• 1993 - 1995 – Distributed Trusted OS
• 1998 - 1999 – Flux Advanced Security Kernel (FLASK)
• 2000 - present – Security Enhanced Linux

Page 7

• An example of how mandatory access controls can be added into Linux (Confining the actions of a process, including a superuser process)

• The security mechanisms implemented in the system provide flexible support for a wide range of security policies.

• Makes it possible to configure the system to meet a wide range of security requirements.

• Documentation and source code is provided.

Page 8

Security Context

• A combination of user, role and type
• Who is the user?
• What is their role?
• What can they do?
• Example:

  [rcotter@kc-sce-450p2 ~]$ ls -l ssh.ps
  -rw-r----- 1 rcotter rcotter 67014 Feb 10 14:16 ssh.ps
  [rcotter@kc-sce-450p2 ~]$ ls -Z ssh.ps
  -rw-r----- rcotter rcotter user_u:object_r:user_home_t ssh.ps

  In the context user_u:object_r:user_home_t, user_u is the SELinux user (not the same thing as the Linux user rcotter), object_r is the role (every file carries object_r; roles only matter for processes), and user_home_t is the type, which is what the type-enforcement rules on the following slides refer to.

Page 9

Security Model

• Security context analysis: similar to sentence diagramming
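
As an added example (not part of the original slides), the diagramming done by a small POSIX shell script: it pulls the context out of an ls -Z or ps -Z line, splits it into user, role and type (plus the MLS/MCS level that the targeted policy appends), and tells a file context from a process context. The sample lines are constructed for the demonstration; only the ssh.ps line follows the slide above.

```shell
#!/bin/sh
# Added example, not from the original slides: take a security context apart
# into its fields (the "sentence diagramming" of the slide) and tell a
# file context from a process context. The ls -Z and ps -Z lines below are
# constructed for the demonstration, not captured from a host.

# parse_context CONTEXT -> "user=... role=... type=... level=..."
# Targeted policy appends an MLS/MCS level such as s0 (it may itself contain
# colons, e.g. s0-s0:c0.c1023, so it is read as "the rest of the line");
# the slide's example has no level, which is reported as "-".
parse_context() {
    IFS=: read -r ctx_user ctx_role ctx_type ctx_level <<EOF
$1
EOF
    [ -n "$ctx_user" ] && [ -n "$ctx_role" ] && [ -n "$ctx_type" ] || {
        echo "not a security context: $1" >&2
        return 1
    }
    printf 'user=%s role=%s type=%s level=%s\n' \
        "$ctx_user" "$ctx_role" "$ctx_type" "${ctx_level:--}"
}

# context_of LINE -> the context field of an ls -Z or ps -Z output line.
# Role names in the reference policy end in _r, which keeps a time stamp
# like 00:00:01 from being mistaken for a context.
context_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+_r:[^:]+/) { print $i; exit }
    }'
}

# context_kind CONTEXT -> object (file, socket, ...) or subject (process).
# Every object carries the role object_r; only processes have a role that
# the RBAC rules on later slides actually restrict.
context_kind() {
    case "$1" in
        *:object_r:*) echo object ;;
        *)            echo subject ;;
    esac
}

# Constructed sample lines in the shapes of ls -Z and ps -Z output.
SAMPLE_LS='-rw-r----- rcotter rcotter user_u:object_r:user_home_t ssh.ps'
SAMPLE_PS='system_u:system_r:httpd_t:s0 1234 ? 00:00:01 httpd'

# diagram LINE -> "<kind> <context>: user=... role=... type=... level=..."
diagram() {
    ctx=$(context_of "$1")
    printf '%s %s: ' "$(context_kind "$ctx")" "$ctx"
    parse_context "$ctx"
}

diagram "$SAMPLE_LS"   # object user_u:object_r:user_home_t: user=user_u role=object_r type=user_home_t level=-
diagram "$SAMPLE_PS"   # subject system_u:system_r:httpd_t:s0: user=system_u role=system_r type=httpd_t level=s0
```

On a live Red Hat host the same functions can be fed real lines, for example `diagram "$(ls -Z ~/ssh.ps)"` or `ps -eZ | while read -r line; do diagram "$line"; done`; the point of the split is that the type field, not the Linux user or the file mode, is what the allow rules on the next slides are written against.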

Page 10

Mandatory Access Control (MAC)

• A means of restricting access to objects based on the sensitivity of the information contained in the objects and whether the subject is authorized to access information of that sensitivity

• Authorization is based on prerequisites being met, resulting in an individual gaining access

• Enables the ability to deny users full control over access to the resources they create

• Access control is based on the compatibility of the security properties of the data and the clearance properties of the individual

Page 11

Type Enforcement

• Everything that is not explicitly allowed is denied, so in order to grant access to something an allow rule must be created, such as:

  allow user_t bin_t : file { read execute getattr };

  This means a process with a domain type of user_t can read, execute, or get attributes of a file object with type bin_t. The "_t" suffix is only a naming convention; the policy attaches no meaning to it.

• This rule might be in a policy to allow users to execute shell programs such as the bash shell (/bin/bash).

Page 12

Example

• Execute the command "ls -Z /usr/bin/passwd"

  – This produces output like:

    -r-s--x--x root root system_u:object_r:passwd_exec_t /usr/bin/passwd

  – Using this information (the file's type is passwd_exec_t), we can then write the TE rules for a domain transition.

• Three rules are required to give the user domain the ability to transition into the passwd domain when it runs /usr/bin/passwd:

  – allow user_t passwd_exec_t : file { getattr execute };
    • Lets user_t execute (execve()) a file of type passwd_exec_t

  – allow passwd_t passwd_exec_t : file entrypoint;
    • Grants entrypoint access to the passwd_t domain; entrypoint defines which executable files can "enter" a domain.

  – allow user_t passwd_t : process transition;
    • The original type (user_t) must have transition permission to the new type (passwd_t) for the domain transition to be allowed.

• These three rules permit the transition. To make it happen automatically whenever user_t executes a passwd_exec_t file, the policy also needs a type_transition rule for user_t on passwd_exec_t naming passwd_t; without one the transition only takes place if the caller requests it explicitly.

Page 13

Another Option

• In addition to Type Enforcement, SELinux also provides a form of role-based access control (RBAC).

• Roles build on type enforcement to limit the types to which a process may transition based on the role identifier in the process' security context.

• Using roles is just a way to be even more specific about what access rights are given.
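
The three rules from the passwd example and the role check described on this slide, as an added example that is not from the original deck: a small POSIX shell evaluator for allow rules in the syntax used above. The policy lines and the role declarations are constructed for the demonstration; guest_r and guest_t are included only to show a transition that type enforcement permits but the role forbids.

```shell
#!/bin/sh
# Added example, not from the original slides: a tiny evaluator for the
# type-enforcement rules in the syntax the slides use, plus the role check
# that RBAC layers on top. The policy and role declarations below are
# constructed for this demonstration (a handful of rules; a real Red Hat
# policy has tens of thousands); guest_r/guest_t exist here only to show a
# transition that TE permits but the role forbids.

POLICY='
allow user_t bin_t : file { read execute getattr };
allow user_t passwd_exec_t : file { getattr execute };
allow passwd_t passwd_exec_t : file entrypoint;
allow user_t passwd_t : process transition;
allow guest_t passwd_exec_t : file { getattr execute };
allow guest_t passwd_t : process transition;
'

# "role NAME types { ... };" declarations, flattened to "role : types".
ROLE_TYPES='
user_r : user_t passwd_t
guest_r : guest_t
'

# te_allowed SRC TGT CLASS PERM -> exit 0 if some allow rule grants it.
te_allowed() {
    printf '%s\n' "$POLICY" | awk -v s="$1" -v t="$2" -v c="$3" -v p="$4" '
        $1 == "allow" && $2 == s && $3 == t {
            line = $0
            sub(/;.*/, "", line)          # drop the trailing ;
            gsub(/[{}]/, " ", line)       # braces only group permissions
            n = split(line, f, " ")       # f[5] = class, f[6..n] = perms
            if (f[5] != c) next
            for (i = 6; i <= n; i++) if (f[i] == p) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# role_allows ROLE TYPE -> exit 0 if a process in ROLE may run as TYPE.
role_allows() {
    printf '%s\n' "$ROLE_TYPES" | awk -v r="$1" -v t="$2" '
        $1 == r { for (i = 3; i <= NF; i++) if ($i == t) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# can_transition SRC EXEC NEW -> the three TE rules of the passwd example.
# Prints "ok" or "denied:" followed by the permissions that are missing.
can_transition() {
    missing=""
    te_allowed "$1" "$2" file execute       || missing="$missing execute"
    te_allowed "$3" "$2" file entrypoint    || missing="$missing entrypoint"
    te_allowed "$1" "$3" process transition || missing="$missing transition"
    if [ -z "$missing" ]; then echo ok; else echo "denied:$missing"; fi
}

# check_transition ROLE SRC EXEC NEW -> TE first, then the role must be
# authorized for the new type (the role itself stays the same here).
check_transition() {
    verdict=$(can_transition "$2" "$3" "$4")
    if [ "$verdict" != ok ]; then echo "$verdict"; return 0; fi
    if role_allows "$1" "$4"; then
        echo ok
    else
        echo "denied: role $1 is not authorized for type $4"
    fi
}

check_transition user_r user_t passwd_exec_t passwd_t    # ok
check_transition user_r user_t bin_t bin_t               # denied: entrypoint transition
check_transition guest_r guest_t passwd_exec_t passwd_t  # denied: role guest_r is not authorized for type passwd_t
```

The allow rules only permit the transition. On a real system it also has to be requested, either automatically through a type_transition rule (the usual case for passwd) or explicitly by the caller, and the process keeps its role unless a role_transition rule or a deliberate role change says otherwise; that is why the role check here is a second gate after type enforcement rather than a replacement for it.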

Page 14

Page 15

Changing current selinux mode

Page 16

Changing selinux context value of a file

Page 17

Defining selinux default context rules

Page 18

Changing current selinux mode

Page 19

Let's do this

Page 20

Page 21

SELinux Booleans

Page 22

Changing SELinux Booleans

• Goal: a web server that publishes web content from users' home directories

1. Log in as root and enable the Apache feature that permits users to publish web content: edit /etc/httpd/conf.d/userdir.conf and change the line starting with UserDir to "UserDir public_html"

Page 23

2. Log in as a user, create ~/public_html with a sample web file, make the home directory traversable for the web server (chmod 711 on the home directory; the files themselves must stay readable), and turn on the SELinux boolean that allows httpd to read home directories (httpd_enable_homedirs in Red Hat's targeted policy)
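
The two steps above as a script, added here as an example rather than taken from the slides. The config edit and the home-directory setup run anywhere (the demo uses a constructed userdir.conf and a temporary home directory); setsebool and restorecon run only where they exist, and setsebool only as root. The slide does not name the boolean; httpd_enable_homedirs is the one in Red Hat's targeted policy.

```shell
#!/bin/sh
# Added example, not from the original slides: the two steps of the slide as
# shell functions. The config edit and the home-directory setup run anywhere
# (the demo uses a constructed userdir.conf and a temporary home directory);
# setsebool and restorecon run only where they exist, and setsebool only as
# root. The slide does not name the boolean; httpd_enable_homedirs is the one
# in Red Hat's targeted policy.

# Step 1 (root): switch the active UserDir directive from "disabled" to
# "public_html". Commented-out lines are left as they are.
enable_userdir() {
    sed 's/^\([[:space:]]*\)UserDir[[:space:]][[:space:]]*disabled[[:space:]]*$/\1UserDir public_html/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# userdir_setting FILE -> value of the last active UserDir line.
userdir_setting() {
    awk '$1 == "UserDir" { v = $2 } END { print v }' "$1"
}

# Step 2 (user): ~/public_html with a sample page. httpd runs as the apache
# user, so it needs search (x) on the home directory and read on the files:
# 711 on the home directory gives traversal without letting others list it,
# and the page itself stays 644.
publish_home() {
    home=$1
    mkdir -p "$home/public_html"
    printf '<html><body>hello from %s</body></html>\n' "$(basename "$home")" \
        > "$home/public_html/index.html"
    chmod 711 "$home"
    chmod 755 "$home/public_html"
    chmod 644 "$home/public_html/index.html"
    # A directory created in the home gets user_home_t, the type of ordinary
    # home-directory content. The default file-context rules map
    # ~/public_html to httpd_user_content_t; restorecon applies that mapping.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$home/public_html" || echo "restorecon failed; check with ls -Z" >&2
    fi
}

# Step 2, continued: let httpd read home directories. -P makes it persistent;
# without it the boolean reverts at the next reboot.
enable_homedirs_boolean() {
    if command -v setsebool >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        setsebool -P httpd_enable_homedirs on
        getsebool httpd_enable_homedirs
    else
        echo "skipping (needs root on an SELinux host): setsebool -P httpd_enable_homedirs on" >&2
    fi
}

# Demo with a constructed userdir.conf and home directory under a temp dir.
tmp=$(mktemp -d)
printf '<IfModule mod_userdir.c>\n    #UserDir public_html\n    UserDir disabled\n</IfModule>\n' \
    > "$tmp/userdir.conf"
enable_userdir "$tmp/userdir.conf"
echo "UserDir is now $(userdir_setting "$tmp/userdir.conf")"   # public_html
publish_home "$tmp/home/alice"
ls -ld "$tmp/home/alice"                                        # drwx--x--x ...
enable_homedirs_boolean
rm -rf "$tmp"
```

On the real host, run step 1 against /etc/httpd/conf.d/userdir.conf and reload httpd afterwards so the directive takes effect; if a page still returns 403 with the boolean on, `ls -Z ~/public_html` and the audit log (sealert, from the commands slide) will show whether it is the label or the mode bits that httpd is tripping over.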

Page 24

Commands to remember

• getenforce and setenforce
• ls -Zd, ps -Z, cp -Z, mkdir -Z
• chcon, restorecon, semanage
• sestatus
• A new Linux user can be mapped to an SELinux user at creation time, e.g. useradd -m -G wheel -Z student newuser (the -Z argument is the SELinux user); check the mapping with semanage login -l
• getsebool, setsebool, sealert
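
Several of the commands above have a temporary form and a persistent form, and the persistent one is the one that gets forgotten. As an added example (not from the slides), the script below pairs them: setenforce against the SELINUX= line of an /etc/selinux/config-style file, and chcon against semanage fcontext plus restorecon. The config path and directory are parameters; the demo runs on a constructed config file in a temporary directory, and the commands that need an SELinux host only run when the tools are present.

```shell
#!/bin/sh
# Added example, not from the original slides: the temporary and persistent
# forms of two everyday SELinux operations side by side. The config path and
# directory are parameters; the demo uses a constructed config file in a
# temporary directory, and the commands that need an SELinux host
# (setenforce, semanage, restorecon) only run when the tools exist.

# config_mode FILE -> the SELINUX= value of an /etc/selinux/config-style file
# (the mode the system boots into).
config_mode() {
    awk -F= '/^[ \t]*SELINUX=/ { v = $2 } END { print v }' "$1"
}

# set_config_mode FILE MODE -> rewrite the SELINUX= line, leaving every other
# line (SELINUXTYPE=targeted, comments) untouched. setenforce changes only the
# running kernel; this is the half that survives a reboot. "disabled" is
# refused here: coming back from it needs a full relabel, so it should not
# be a switch a helper flips.
set_config_mode() {
    case "$2" in
        enforcing|permissive) ;;
        *) echo "refusing SELINUX=$2 (use enforcing or permissive)" >&2; return 1 ;;
    esac
    awk -F= -v m="$2" '/^[ \t]*SELINUX=/ { print "SELINUX=" m; next } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# set_running_mode MODE -> setenforce on a live host (as root), else report.
set_running_mode() {
    if command -v setenforce >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        case "$1" in
            enforcing)  setenforce 1 ;;
            permissive) setenforce 0 ;;
            *) echo "unknown mode $1" >&2; return 1 ;;
        esac
        getenforce
    else
        echo "skipping setenforce (needs root on an SELinux host)" >&2
    fi
}

# fcontext_pattern DIR -> the regex semanage fcontext expects for a whole
# tree: no trailing slash, then (/.*)? so the directory and everything under
# it match. Leaving out (/.*)? is a common reason restorecon relabels only
# the top directory.
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"
}

# relabel_tree DIR TYPE -> persistent relabel. chcon -t TYPE alone is lost at
# the next restorecon or relabel; recording the rule with semanage first and
# then applying it with restorecon survives both. Use semanage ... -m instead
# of -a when a rule for the pattern already exists.
relabel_tree() {
    pattern=$(fcontext_pattern "$1")
    if command -v semanage >/dev/null 2>&1 && command -v restorecon >/dev/null 2>&1; then
        semanage fcontext -a -t "$2" "$pattern"
        restorecon -Rv "$1"
    else
        echo "would run: semanage fcontext -a -t $2 '$pattern' && restorecon -Rv $1" >&2
    fi
}

# Demo on a constructed config file.
tmp=$(mktemp -d)
printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$tmp/config"
set_config_mode "$tmp/config" enforcing
echo "boot-time mode is now $(config_mode "$tmp/config")"    # enforcing
echo "pattern for /srv/www/: $(fcontext_pattern /srv/www/)"   # /srv/www(/.*)?
rm -rf "$tmp"
```

Typical use on a Red Hat host is `set_config_mode /etc/selinux/config enforcing` together with `set_running_mode enforcing`, and `relabel_tree /srv/www httpd_sys_content_t` in place of a bare chcon; `sestatus` from the list above shows both the current and the configured mode, which is the quickest way to spot that only one half was done.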

Page 25

Conclusion

• When used properly, SELinux can make a system much more secure

• There are a few different routes that can be used to achieve the level of desired security using SELinux.

• Debugging SELinux denials is easier than with many other security tools: every denial is logged to the audit log, and sealert explains the denial and suggests a fix.

Page 26

Thank you