
Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.



3 Why is the kernel important, and why is security in the kernel important?
Everything in the operating system runs above the kernel.
If the kernel denies an action, nothing above it can override that decision.

4 Access control, the most important concept in kernel security:
access to files
access to ports
access to processes
If we secure all of the above, almost everything is done!

5 Access control methods
DAC: Discretionary Access Control
MAC: Mandatory Access Control

6 DAC: the standard UNIX permissions shown by ls -l
-rw-rw-r-- 1 ted ted 0 May 6 01:14 1.txt
fields: permission codes (-rw-rw-r--), user (ted), group (ted), name (1.txt)

7 DAC problems
prone to malware; setuid/setgid files are vulnerable
access to objects (files) is based solely on user identity (uid/gid)
the default policy is liberal
there are only 2 user privilege levels: admin and non-admin

8 MAC benefits
more systems administration expertise is required
offers more granular, fine-grained control of security
the ability to restrict access to objects at a lower level
SELinux is compiled into the kernel and supported via LSMs (Linux Security Modules)
ideal for Internet-facing systems (httpd, mysqld, etc.)
SELinux denies interaction between subjects and objects by default

9 Security check order
MAC-based checks occur AFTER DAC-based checks. If DAC denies an access, MAC is not checked at all; MAC is only processed if DAC permits.

10 Security Enhanced Linux
From Wikipedia: The United States National Security Agency (NSA), the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL on December 22, 2000. The software merged into the mainline Linux kernel 2.6.0-test3, released on 8 August 2003. A Linux kernel integrating SELinux enforces mandatory access-control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs.

11 Installation (CentOS)
Just use yum:
yum install selinux setools-console
yum search selinux
yum provides */semanage

12 SELinux modes
Enforcing: the (targeted) policy is applied
Permissive: the (targeted) policy is applied, but violations are simply logged
Disabled: the (targeted) policy and SELinux are DISABLED
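The check order (DAC first, MAC only if DAC permits) and the effect of the three modes, as a small model added here for illustration; it is not code from the presentation, and the allow rules, uids and labels are constructed:

```python
from dataclasses import dataclass

# Toy model of the slides' check order: DAC (mode bits) first, then MAC (SELinux
# allow rules); the SELinux mode decides whether a MAC denial is enforced or only
# logged. Rules and labels below are constructed, not a real policy.

@dataclass
class File:
    uid: int
    gid: int
    mode: int      # permission bits, e.g. 0o644
    setype: str    # SELinux type label, e.g. "httpd_sys_content_t"

@dataclass
class Subject:
    uid: int
    gids: set
    domain: str    # SELinux domain, e.g. "httpd_t"

# (source domain, target type, object class, permission) tuples the policy allows
ALLOW = {
    ("httpd_t", "httpd_sys_content_t", "file", "read"),
    ("unconfined_t", "user_home_t", "file", "read"),
    ("unconfined_t", "user_home_t", "file", "write"),
}

PERM_BITS = {"read": 4, "write": 2, "execute": 1}

def dac_permits(subj, f, perm):
    """Classic owner/group/other check; simplified, ignores capabilities."""
    bit = PERM_BITS[perm]
    if subj.uid == f.uid:
        return bool((f.mode >> 6) & bit)
    if f.gid in subj.gids:
        return bool((f.mode >> 3) & bit)
    return bool(f.mode & bit)

def check_access(subj, f, perm, mode="enforcing", log=None):
    """Return (allowed, deciding layer); MAC is consulted only when DAC permits."""
    if not dac_permits(subj, f, perm):
        return False, "dac"                 # MAC never runs, nothing is logged
    if mode == "disabled":
        return True, "dac-only"
    if (subj.domain, f.setype, "file", perm) in ALLOW:
        return True, "mac"
    if log is not None:                     # what ends up in audit.log as an AVC
        log.append(f"avc: denied {{ {perm} }} scontext={subj.domain} tcontext={f.setype}")
    if mode == "permissive":
        return True, "mac-denied-logged"    # logged but not blocked
    return False, "mac"
```

Note that a DAC denial produces no AVC record, so a missing audit entry does not by itself mean SELinux allowed the access.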

13 Permissive
programs will still run as expected
violations of the security policy will appear in /var/log/audit/audit.log
used for troubleshooting SELinux configs
SELinux logger agent

14 Objects and subjects
Entities on the system are abstracted into 2 classes:
Subjects: users, processes
Objects: files (text/binary/sockets/...)

15 Exploring common tools
sestatus (-v)
setenforce
/selinux
setsebool (-P)
getsebool
restorecon
chcon

16 Exploring common tools: sestatus
Displays the current status; -v for verbose mode.
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted

17 setenforce / getenforce
Gets or sets the enforcing mode. Changes are not persistent; the enforcing mode can be defined persistently in /etc/selinux/config.

18 /selinux
A /proc-like (virtual) filesystem that maintains SELinux information. All information on the current status of the running SELinux can be found here, just as files. Example: /selinux/enforce changes when the enforcing mode is changed.

19 getsebool
Lists booleans that can be set in SELinux. Use -a to see all available booleans.

20 setsebool
Sets boolean values for SELinux. Use -P to make changes persistent.
Example: setsebool httpd_can_network_connect on
To prevent Linux users in the user_t domain from executing applications in their home directories and /tmp/: /usr/sbin/setsebool -P allow_user_exec_content off

21 [command] -Z
ps -Z: reveals the various sandboxes/domains (subjects)
ls -Z: reveals the security context of files/directories (objects)
cp -Z: a new file with a NEW security context (type) is created
mv -Z: preserves the SELinux security tuple/context/label
id -Z: reveals the current security context of the user (tuple)

22 id -Z: SEuser:SErole:SEtype
Field #1, user label: non-privileged user: user_u; privileged user (root): system_u
Field #2, RBAC (Role-Based Access Control) role: privileged/non-privileged users: unconfined_r; privileged user (root): system_r
Field #3, type (objects: files) / domain (subjects: programs/users): privileged/non-privileged users: unconfined_t; processes, e.g. httpd: httpd_t, dhcpd_t
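Reading the permissive-mode denials from /var/log/audit/audit.log (slide 13) and splitting the user:role:type[:level] contexts they carry (slide 22), as an added example that is not part of the presentation; the audit lines are constructed samples in the kernel's AVC format, with made-up pids, inodes and names:

```python
import re

# Constructed sample of /var/log/audit/audit.log lines as the kernel's AVC writes
# them in permissive mode (permissive=1); all pids, inodes and paths are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=42 success=yes exit=0
"""

CONTEXT_FIELDS = ("user", "role", "type", "level")

def parse_context(ctx):
    """Split a user:role:type[:level] label (the slide's SEuser:SErole:SEtype)."""
    parts = ctx.split(":", 3)      # an MLS level may itself contain ':' (s0-s0:c0.c1023)
    return dict(zip(CONTEXT_FIELDS, parts + [None] * (4 - len(parts))))

AVC_RE = re.compile(
    r"type=AVC .*avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Parse one AVC record; returns None for non-AVC lines (SYSCALL, CWD, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["source"] = parse_context(rec.pop("scontext"))
    rec["target"] = parse_context(rec.pop("tcontext"))
    rec["permissive"] = rec["permissive"] == "1"
    return rec

def summarize_denials(log_text):
    """Count denials by (source domain, target type, class, permission)."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (rec["source"]["type"], rec["target"]["type"], rec["tclass"], perm)
            counts[key] = counts.get(key, 0) + 1
    return counts
```

The summary is the starting point for deciding whether a denial needs a boolean (slide 20), a relabel (slides 23 and 24) or a real policy change, rather than switching the whole system to permissive.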

23 chcon The 'chcon' command may be used to change SELinux security context of a file or files/directories in a similar way to how 'chown' or 'chmod' may be used to change the ownership or standard file permissions of a file.

24 restorecon
The 'restorecon' command may be used to restore the default SELinux security context of file(s), for when you don't want to change the type by hand.

25 Extended attributes
On a typical Linux disk-based file system, each file is identified uniquely by an inode containing critical metadata for the file, including UNIX ownership and access control information. When the kernel references a file, its inode is read from disk into memory. A standard UNIX permission check simply uses the information present within the inode. SELinux extends standard UNIX security and uses security context labels to make extended access control decisions.

26 Label behaviour during cp, mv and file creation
File creation: the new file takes its label from the parent directory's metadata
cp: works like file creation (the copy gets a new label from its parent directory)
mv: just changes the parent; the file keeps its existing label

27 Roles
ALL objects (files) MUST be properly labeled; files that are improperly labeled will NOT be protected.
Roles define which SELinux user identities can have access to which domains. For example, the domains named_t and squid_t are both in the role system_r. However, named_t cannot transition to squid_t without an allow rule.

28 Role example
View SELinux user mappings:
$ semanage user -l
Allow joe to log in as staff_u:
$ semanage login -a -s staff_u joe
Add a file context for everything under /web (used by restorecon):
$ semanage fcontext -a -t httpd_sys_content_t '/web(/.*)?'
Allow Apache to listen on port 81:
$ semanage port -a -t http_port_t -p tcp 81

29 Add role example (file contexts for a MediaWiki install)
semanage fcontext -a -t httpd_user_content_t '/path/to/mediawiki/install(/.*)?'
semanage fcontext -a -t httpd_user_script_exec_t '/path/to/mediawiki/install/.*\.php5?'
semanage fcontext -a -t httpd_user_script_exec_t '/path/to/mediawiki/install/includes/.*\.php5?'
semanage fcontext -a -t httpd_user_script_rw_t '/path/to/mediawiki/install/images(/.*)?'
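Which type each path under the MediaWiki tree ends up with depends on how the four overlapping specs are resolved; this added example (not from the presentation) works that out for sample paths, assuming the second spec reads `\.php5?`, that each spec is matched anchored to the whole path and that the last matching entry wins, as libselinux does for file_contexts:

```python
import re

# The four fcontext specs from the slide, in the order they were added; the second
# is taken as '\.php5?' (the obvious reading of the slide's pattern). Assumed
# matching semantics: each regex is anchored to the whole path and the LAST
# matching entry wins, as libselinux evaluates file_contexts; on a real host
# confirm with `matchpathcon <path>` or `semanage fcontext -l`.
FCONTEXT_SPECS = [
    (r"/path/to/mediawiki/install(/.*)?", "httpd_user_content_t"),
    (r"/path/to/mediawiki/install/.*\.php5?", "httpd_user_script_exec_t"),
    (r"/path/to/mediawiki/install/includes/.*\.php5?", "httpd_user_script_exec_t"),
    (r"/path/to/mediawiki/install/images(/.*)?", "httpd_user_script_rw_t"),
]

def compile_specs(specs):
    """Anchor every spec to the full path, as file_contexts regexes are."""
    return [(re.compile("^(?:" + pat + ")$"), pat, setype) for pat, setype in specs]

COMPILED = compile_specs(FCONTEXT_SPECS)

def matching_specs(path, compiled=COMPILED):
    """All (pattern, type) pairs that match, in file order, to show the overlap."""
    return [(pat, setype) for regex, pat, setype in compiled if regex.match(path)]

def match_type(path, compiled=COMPILED):
    """The type restorecon would apply: last match wins, None if nothing matches."""
    matches = matching_specs(path, compiled)
    return matches[-1][1] if matches else None
```

The order matters for the images directory: a .php file dropped there matches the exec spec too, but the later rw spec wins, so it is labeled as writable content rather than executable script.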

