Overview of NSA Security Enhanced Linux Russell Coker.

1 Overview of NSA Security Enhanced Linux Russell Coker

2 Features of SE Linux
- Mandatory Access Control (MAC).
- Administrator fully controls access granted to user resources. The user cannot grant more access to their files than the administrator desires.
- Fully configurable by policy – no need to recompile programs to change the access granted to resources.
- All access is controlled by SE Linux, a root user with low SE Linux privileges cannot do anything exciting – I have run machines on the Internet with an open root password to demonstrate this.

3 Isolation of Security Domains

4 Strict vs Targeted Policy
Strict policy aims to restrict all access as much as possible.
- Restricts all daemons and all user login sessions.
- Usually requires some configuration and customisation.
- Often requires custom policy for daemons or setuid programs for which there is currently no policy.
Targeted policy aims to restrict only programs that can be restricted without much risk.
- No restrictions on user login sessions and some daemons are not restricted.
- In most situations it will work with no customisation.
- Daemons which lack policy run with no restrictions.

5 Security Policy
- Kernel stores a database which for each combination of domain and type specifies what access is to be granted and whether it is to be logged.
- Security policy database is loaded into the kernel by init early in the boot process.
- Policy database can be re-loaded at any time to change the security policy (if permitted).
- Every file/directory on disk must be labeled with a security context in accordance with the policy (the policy package includes a file which lists the default contexts for files).

6 Domain Type
- The core of SE Linux access control is the “Domain Type” model (DT).
- Every process has a security domain.
- Every object a process may access has a type.
- Domains and types are not strongly differentiated; a domain is a type that applies to a process.

7 MLS
- SE Linux also includes support for Multi-Level Security (MLS).
- Implemented in a flexible manner which is under the control of policy.
- Expected that the DT model protects the system integrity while MLS protects data secrecy.
- MLS support includes levels (equivalent to Top Secret, Secret, Classified, and Unclassified); there may be an arbitrary number of levels, which are numbered.
- Also includes categories, such as for departments, projects, etc.
- Support for preventing “read-up” and “write-down”.

8 MCS
- Multi Category Security (MCS) meets the needs of commercial organizations.
- Provides a set of categories to determine access to each file.
- Process can access a file if its categories are a super-set of the categories of the file.
- MCS is a variant of MLS.
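The level and category checks from the MLS and MCS slides, as an added example that is not part of the talk or of SE Linux itself. It assumes the usual textual label form `user:role:type:sN:cA,cB.cC` with a single level per context (no low-high ranges); the sample contexts are constructed.

```python
import re

_LEVEL = re.compile(r"s(\d+)(?::(.+))?")
_CATS = re.compile(r"c(\d+)(?:\.c(\d+))?")

def parse_level(level):
    """Parse one level such as 's2:c1,c3.c5' into (sensitivity, categories)."""
    m = _LEVEL.fullmatch(level)
    if not m:
        raise ValueError(f"bad level: {level!r}")
    cats = set()
    for part in (m.group(2).split(",") if m.group(2) else []):
        c = _CATS.fullmatch(part)
        if not c:
            raise ValueError(f"bad category: {part!r}")
        lo, hi = int(c.group(1)), int(c.group(2) or c.group(1))
        if hi < lo:
            raise ValueError(f"reversed range: {part!r}")
        cats.update(range(lo, hi + 1))  # 'c3.c5' means c3, c4, c5
    return int(m.group(1)), frozenset(cats)

def level_of(context):
    """Return the parsed level field of a 'user:role:type:level' context."""
    fields = context.split(":", 3)  # the level itself may contain ':'
    if len(fields) != 4:
        raise ValueError(f"no level in context: {context!r}")
    return parse_level(fields[3])

def dominates(a, b):
    """a dominates b: sensitivity at least as high, categories a super-set."""
    return a[0] >= b[0] and a[1] >= b[1]

def may_read(proc_ctx, file_ctx):
    """No read-up: the process level must dominate the file level."""
    return dominates(level_of(proc_ctx), level_of(file_ctx))

def may_write(proc_ctx, file_ctx):
    """No write-down: the file level must dominate the process level."""
    return dominates(level_of(file_ctx), level_of(proc_ctx))

# Constructed sample contexts (not from the talk).
PROC = "staff_u:staff_r:staff_t:s2:c1,c3.c5"
LOW = "system_u:object_r:etc_t:s0"
HIGH = "system_u:object_r:var_t:s3:c1,c3.c5"

if __name__ == "__main__":
    for name, ctx in (("LOW", LOW), ("HIGH", HIGH)):
        print(name, "read:", may_read(PROC, ctx), "write:", may_write(PROC, ctx))
```

With every label at `s0`, `may_read` reduces to the MCS rule on slide 8: the process's categories must be a super-set of the file's.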

9 Q/A
- http://www.nsa.gov/selinux/ Main SE Linux web site
- http://www.coker.com.au/selinux/ My SE Linux web pages (includes notes from this talk)

