Lessons Learned from running SE Linux Play Machines Russell Coker Please note that the play machines are not an official Red Hat service. I run them on.

Slides:



Advertisements
Similar presentations
ITR3 lecture 7: more introduction to UNIX Thomas Krichel
Advertisements

Basic Unix system administration
Cosc 5/4765 Protecting against ssh attacks And is this secure?
Linux can be generally divided into four major components: 1. KERNEL – OS, ultimate boss The kernel is the core program that runs programs and manages.
Operating-System Structures
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:
Guide To UNIX Using Linux Third Edition
Fall 2011 Nassau Community College ITE153 – Operating Systems Session 24 NTFS Permissions and Sharing Printers 1.
Introduction to UNIX/Linux Exercises Dan Stanzione.
Guide to Linux Installation and Administration, 2e1 Chapter 3 Installing Linux.
W2000 at Saclay Joël Surget CEA/Saclay DAPNIA/SEI.
1 Network File Sharing. 2 Module - Network File Sharing ♦ Overview This module focuses on configuring Network File System (NFS) for servers and clients.
CIS 191 – Lesson 2 System Administration. CIS 191 – Lesson 2 System Architecture Component Architecture –The OS provides the simple components from which.
Essential Unix at ACEnet Joey Bernard, Computational Research Consultant.
Managing User Accounts. Module 2 – Creating and Managing Users ♦ Overview ► One should log into a Linux system with a valid user name and password granted.
Unix Basics Chapter 4.
Chapter 2: Operating-System Structures. 2.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 2: Operating-System Structures Operating.
TELE 301 Lecture 10: Scheduled … 1 Overview Last Lecture –Post installation This Lecture –Scheduled tasks and log management Next Lecture –DNS –Readings:
PROGRAMMING PROJECT POLICIES AND UNIX INTRO Sal LaMarca CSCI 1302, Fall 2009.
Chapter Two Exploring the UNIX File System and File Security.
Intrusion Detection (ID) Intrusion detection is the ART of detecting inappropriate, incorrect, or anomalous activity There are two methods of doing ID.
Chapter Two Exploring the UNIX File System and File Security.
Chapter 10: Rights, User, and Group Administration.
Chapter 3 & 6 Root Status and users File Ownership Every file has a owner and group –These give read,write, and execute priv’s to the owner, group, and.
1 Linux Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise.
Lecture 18 Page 1 CS 111 Online OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g.,
Λειτουργικά Συστήματα - Lab1 Γιάννης Πετράκης. The Operating System  Unix is a layered operating system  The innermost layer is the hardware that provides.
Basic UNIX Concepts. Why We Need an Operating System (OS) OS interacts with hardware and manages programs. A safe environment for programs to run is required.
CS 245 – Part 1 Using Operating Systems and Networks for Programmers Jiang Guo Dept. of Computer Science California State University Los Angeles.
Introduction to UNIX CS 2204 Class meeting 1 *Notes by Doug Bowman and other members of the CS faculty at Virginia Tech. Copyright
SCSC 455 Computer Security Chapter 3 User Security.
Security-Enhanced Linux Eric Harney CPSC 481. What is SELinux? ● Developed by NSA – Released in 2000 ● Adds additional security capabilities to Linux.
PTA Linux Series Copyright Professional Training Academy, CSIS, University of Limerick, 2006 © Workshop I Introduction to Linux Professional Training Academy.
CSC414 “Introduction to UNIX/ Linux” Lecture 6. Schedule 1. Introduction to Unix/ Linux 2. Kernel Structure and Device Drivers. 3. System and Storage.
Lecture 02 File and File system. Topics Describe the layout of a Linux file system Display and set paths Describe the most important files, including.
5/7/2007CoreMcClug/SELinux 1 By: Corey McClurg. Outline A History of SELinux What is SELinux and how do I get it? Getting Started Mandatory Access Control.
2.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition System Programs (p73) System programs provide a convenient environment.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK
Course : PGClass : MCA Subject: Operating SystemSub.Code : 3CT11 Staff Name : S.SomasundaramYear & Sem : II nd & III rd.
MLS/MCS on SE Linux Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework Uses.
CHAP-1 INTRODUCTION TO LINUX 1 Created By: Asst. Prof. Ashish Shah, J.M.Patel College of Commerce.
Overview of NSA Security Enhanced Linux Russell Coker.
Developing a Secure Internet Service SE Linux in Production Russell Coker Linux Consultant.
Getting Started with Linux
SE Linux Implementation Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
OpenShift & SELinux Dan Walsh Twitter: #rhatdan
SYSTEM ADMINISTRATION PART I by İlker Korkmaz and Kaya Oğuz
Guide to Linux Installation and Administration, 2e
Welcome to Linux Chap#1 Hanin Abdulrahman.
Demystifying SELinux: WTF is it saying?
Chapter 11: Managing Users
Chapter 2: System Structures
SE Linux Implementation
IS3440 Linux Security Unit 6 Using Layered Security for Access Control
Exploring the UNIX File System and File Security
SSH SSH is “Secure SHell” Secure, compressed, widely supported, fast
IS3440 Linux Security Unit 2 Securing a Linux Platform―Core Components
SELinux (Security Enhanced Linux)
Chapter 2: The Linux System Part 1
UNIX/LINUX Commands Using BASH Copyright © 2017 – Curt Hill.
Outline Chapter 2 (cont) OS Design OS structure
Chapter 2: Operating-System Structures
Welcome to Linux Chap#1 Hanin Abdulrahman.
System calls….. C-program->POSIX call
Welcome to Linux Chap#1.
Crisis and Aftermath Morris worm.
Presentation transcript:

Lessons Learned from running SE Linux Play Machines Russell Coker Please note that the play machines are not an official Red Hat service. I run them on my own time and my own hardware.

Community Development Much of the SE Linux community formed around my first play machine in 2002 #selinux irc channel was created at the insistence of the users of the play machine. File thanks.txt created by a user to send messages back to me (I created a new type to give it read/append access) Play machine gave a lot of publicity for SE Linux. AFAIK it was the first such hardened Linux machine to have open root access as a demonstration.

Policy Development Initial NSA sample policy had no type for /etc/shadow Had only two roles user_r and sysadm_r – needed staff_r for secure logins to run newrole and for file storage at LinuxTag Allowed wide access to device nodes that had no special type EG /dev/nvram Locked down /boot (boot loader password) Reduced privs of crontab, it was used to win a “capture the flag” contest at FOSDEM. Crontab is permitted to read files from other user's home directories (it needs capability DAC_OVERRIDE to write to the cron spool). Now when it runs an editor there is a domain_auto_trans() to the user domain, EG domain_auto_trans(user_crontab_t, bin_t, user_t)

Cracking Play Machines I forgot to lock down /etc/shadow when I initially put a play machine online, that was fixed in less than 24 hours... Two play machines have been insecure due to using the “root” account for administrator logins, in one case a shell function named “newrole” was used to send the administrator password over the net, in another case one of the scripts executed by the shell was modified to echo a warning to the owner of the machine. As far as I am aware no play machine has ever been taken over by an attacker. A kernel bug could be used to attack a play machine, but a play machine is not any more at risk than any other shell server machine in this regard.

Stupid Users ssh/scp to (presumably a cracked Wanting to pay for more access to play machine with stolen credit card numbers, root shells on other machines, and other things. Try to do port scanning. Sometimes running a scan for several hours without running dmesg to see that iptables was blocking every packet. Thinking that UID 0 means that they can do what they want (EG taking over the machine by killing the shell of all other users). Several users have claimed to have cracked my play machine because they could kill the shells of other users, one ran a shell script to kill the shell of everyone who didn't come from his IP address. Naturally I login with a different role and they can't kill my shell... Many users think that a DOS attack (using up Inodes, disk space, CPU time, memory) achieves something. /etc/motd explains clearly that DOS attacks are not in the scope of the exercise. One user claimed to have cracked my play machine but had attempted to login with X forwarding enabled...

Full Points for Trying One used kill -11 to get a core file from bash, ran strings on the core file and then proudly informed me that they could read the bash history! They could have run “cat.bash_history” or just used the “history” built-in command. Several users had assembly programs to call the getuid() system call because they believed that they were not really running programs as “root”. Of course I could have modified the kernel to hack the return value of getuid(), or I could have modified the compiler. Many users believed that I was trying other tricks to do things other than what I appeared to be doing. It was really strange, the source was always available so they could reproduce my results on their own hardware if they desired. While I have not yet fully documented how to create a play machine I have never obscured any aspects of the configuration of such machines. It would be quite easy for any user to recreate my configuration after copying files from one of my machines.

Broken Applications Some applications believe that UID == 0 means that the application deserves full access. crontab and locate are two examples (they are now fixed). Many other programs will have similar issues, expect problems in this regard if you run a machine with unprivileged root. NB The same issues apply on non-SE systems, some systems that use “secure” chroot environments may have similar issues. As an experiment I ran “chmod -R u=rwx,g=rwx,o=rwx /”. The machine was still secure but many things failed. Many programs would look at the Unix permissions (not using access(1) or access(2)) to determine whether a file was a config file or a shell script. Cron jobs and system boot scripts broke badly and I had to reinstall the machine. Only tried this on Debian not on other distributions.

Configuring a Play Machine Users attacking users No writable.bashrc etc, no writable.ssh/rc Allow ssh client to be seen in ps so that “ssh localhost” can't obscure the identity of a user sshd not supporting X or auth forwarding Users attacking machine owner Use a separate subnet for play machine Firewall almost everything Don't allow changing password Throttle bandwidth to reduce the impact of DOS attacks

Recommendations Don't run a serious server in this manner! The “defense in depth” principle means that you want both DAC and MAC permissions to be required for all operations. Many applications use UID==0 to mean that all access controls should be skipped. Don't run any machine in this manner! If you do run a play machine configure it carefully. Try to make it difficult for users to attack each other. Document the use of the machine (IE not allowing X or auth forwarding when logging in). Most users won't read the documents but you have to try. Firewall everything, don't want to be a source of spam or have your machine user to hack other machines. Only grant read/append access to.bash_history for the users. If nothing else it's amusing to see “FORMAT C:” and similar commands.

Other play machines Recently I've been running play machines on Fedora, but most of the time I have not had one online due to lack of time. My early play machines ran Debian. Gentoo developers have had the most continuous operation of play machines recently. They lock their machine down more tightly than I do – I want to teach people about SE Linux and permit them to read the kernel message log while the Gentoo people aim for the absolute maximum security.

Conclusion My SE Linux play machines are my personal project. It's not a Red Hat project. Running SE Linux play machines have given many positive benefits including improvements in the sample policy (many of which would have been done eventually anyway), development of the SE Linux community, and teaching people about SE Linux. You will learn a lot from running a play machine, both about computer security and about psychology. I recommend that you don't run a play machine. Getting it right is difficult and almost everyone who does it makes mistakes in the start. Not that it matters, the type of person who would run such a machine won't take recommendations anyway.

Q/A

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.