Insight into SELinux - Securing Linux
Posted on 30-May-2018
-
8/9/2019 Insight into SELInux- Securing Linux
1/28
SELinux: Security Enhanced Linux
-
Patience !!!
SELinux is a different way of handling access control than many
administrators and users are familiar with.
-
Agenda
Introduction
What is SELinux?
Background
Terminology
Access Control Philosophies
LSM Architecture
SELinux Policy
SELinux Modes
Controlling SELinux
-
Introduction
Wikipedia says:
"Security-Enhanced Linux (SELinux) is an implementation of mandatory access control using Linux Security Modules (LSM) in the Linux kernel, based on the principle of least privilege. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD."
-
What is SELinux?
A kernel level MAC (Mandatory Access Control) implementation for Linux
Originally commissioned and built by/for the NSA
A headache for the uninitiated
Very effective if done right
Adopted into the 2.6 kernel series
-
Background
1985: LOCK system (early Type Enforcement)
Secure Ada project through Honeywell
1990: DTMach / DTOS
DTMach: Mach-based prototype
DTOS (Distributed Trusted Operating System)
1995: Utah Fluke / Flask
Fluke* - University of Utah's research operating system
1999: 2.2 Linux Kernel (patch)
2001: 2.4 Linux Kernel (patch)
2002: LSM
2003: 2.6 Linux Kernel (mainline)
2006: Full network labeling
-
Terminology
Subject: A domain or process.
Object: A resource (file, directory, socket, etc.).
Types: A security attribute for files and other objects.
Roles: A way to define what types a user can use.
Identities: Like a username, but specific to SELinux.
Contexts: A type, role and identity used together form a Context.
-
Access Control Philosophies
DAC
A traditional permission model
The owner of a particular file can change the permissions of an object.
Permissions can be changed at the discretion of the owner.
Inherent security flaws.
-
Access Control Philosophies
DAC
Used to control access by restricting a subject's access to an object.
Subject: processes
Object: file, network socket
A user can expose a file or directory to a security or confidentiality breach with a misconfigured chmod command and an unexpected propagation of access rights.
There are really only two major categories of users: administrators and non-administrators.
It is generally used to limit a user's access to a file.
In this type of access control it is the owner of the file who controls other users' access to the file.
Example:
# ls -l
-rw-rw-r-- 1 vmware vmware 2645 May 05 08:48 personnel.txt
-
Access Control Philosophies
MAC
Access control decisions are not at the discretion of individual users or even system administrators.
MAC allows you to define permissions for how all processes (called subjects) interact with other parts of the system such as files, devices, sockets, ports, and other processes (called objects in SELinux).
This is done through an administratively-defined security policy over all processes and objects.
MAC cannot be overridden by the owner of the object.
-
LSM architecture
-
SELinux Complete Diagram
-
SELinux Complete Diagram
1. The policy server gathers the security context from the subject and object, and sends the pair of labels to the security server, which is responsible for policy decision making.
2. The policy server first checks the AVC, and returns a decision to the enforcement server.
3. If the AVC does not have a policy decision cached, it turns to the security server, which uses the binary policy that is loaded into the kernel during initialization. The AVC caches the decision, and returns the decision to the policy server.
4. If the policy permits the subject to perform the desired operation on the object, the operation is allowed to proceed.
5. If the policy does not permit the subject to perform the desired operation, the action is denied, and one or more "avc: denied" messages are logged to $AUDIT_LOG, which is typically /var/log/messages.
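The "avc: denied" records from step 5 are what a defender reads first when triaging SELinux. As an added example (not part of the original slides), a small Python parser over constructed audit records pulls out the scontext, tcontext, tclass and permission of each denial and reduces them to the unique (source type, target type, class, permission) tuples, the four things an allow rule has to name:

```python
import re

# Constructed sample records (not taken from a real host) in the shape the kernel
# audit subsystem writes them; on the slides' system they land in $AUDIT_LOG.
SAMPLE_LOG = """\
type=AVC msg=audit(1559200000.101:42): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=4711 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1559200000.102:43): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8081 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1559200000.102:43): arch=c000003e syscall=49 success=no exit=-13
"""

# "avc:  denied  { read write } for  key=value ..." -> result, perms, rest
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one AVC record as a dict, or None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec

def denials(log):
    """All 'avc: denied' records in a log, in file order."""
    return [r for r in map(parse_avc, log.splitlines()) if r and r["result"] == "denied"]

def type_of(context):
    """Type Enforcement only cares about the third field of user:role:type:level."""
    return context.split(":")[2]

def triage(log):
    """Unique (source type, target type, class, permission) tuples behind the
    denials: what a policy author would have to allow, or a defender investigate."""
    seen = set()
    for r in denials(log):
        for perm in r["perms"]:
            seen.add((type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"], perm))
    return sorted(seen)
```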
-
SELinux Complete Diagram
Object management includes labeling objects with a security context and managing object labels in memory.
Object managers are there to obtain security policy decisions from the security server and to apply the decisions to label and control access to their objects.
-
Type Enforcement
Certain attributes are applied to all objects and subjects.
These attributes are termed Security Contexts.
Each process and file/directory/port on the system is assigned a Security Context, based on which the Type Enforcement policy allows or disallows access.
-
Type Enforcement
Security contexts are stored in extended attributes (xattrs) on ext2/ext3 filesystems.
A typical SELinux security context is of the form:
User Identity:Role:Type/Domain
Users (3 in number)
Roles (6 in number)
Types (1,513 in number)
Any object or subject in the SELinux policy installed on the system can have one of these three user identities, one of the six roles and one of the available 1,513 types.
-
Targeted Policy
To list user identities defined in the SELinux Targeted Policy:
# seinfo -u
Users: 3
system_u
root
user_u
To check the available roles:
# seinfo -r
Roles: 6
staff_r
user_r
object_r
secadm_r
sysadm_r
system_r
-
SELinux Modes
Disabled
SELinux is not implemented on the host. A common choice during the installation.
Permissive
Similar to a debugging mode. Policies and rules are applied to objects and subjects, but actions are not affected.
Example: If SELinux policy would prevent the httpd subject from accessing the object folder /webdata on my system, implementing SELinux in Permissive mode would let Apache Web Server access the folder /webdata but log a denial in the log files.
Enforcing
SELinux in action. All the production servers, when hardened, should enable SELinux in Enforcing Mode.
-
Controlling SELinux
getenforce: gets the current mode of SELinux.
Example:
# getenforce
Disabled
setenforce: modifies the mode SELinux is running in. It toggles between Permissive and Enforcing mode when SELinux is enabled.
Example:
# setenforce 0
Activates Permissive SELinux mode.
# setenforce 1
Activates Enforcing SELinux mode.
-
Controlling SELinux
sestatus:
Used to get the status of a system running SELinux.
Displays more information about the SELinux policy.
Example:
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted
-
Controlling SELinux
You can change the run parameters of the SELinux system by writing to the selinuxfs mount:
# echo 1 > /selinux/enforce
Switches to Enforcing mode.
# echo 0 > /selinux/enforce
Returns to Permissive mode.
-
Understanding the targeted policy
seinfo: to view the various rules defined in an SELinux policy
# seinfo
-
Understanding the targeted policy
Default policy loaded in my system:
82,756 Allow Rules
1,399 Type Transition Rules
5,086 Dont Audit Rules
-
Understanding the targeted policy
Allow Rules
Specifically allow access to an object by a subject.
Access defined by:
- Access permission: read, write, execute
Object defined by:
- The security context called the target context (tcontext)
- Class of the object called the target class (tclass)
Subject defined by:
- The security context called the source context (scontext)
-
Understanding the targeted policy
A typical allow rule
Allow the web process (Apache server) to read the file /var/www/html/index.html.
Evaluation factors:
Access permission required: read
Target context (tcontext): ls -Z /var/www/html/index.html
=> system_u:object_r:httpd_sys_content_t:s0
Target class (tclass): file
Source context (scontext): ps axZ | grep httpd
=> user_u:system_r:httpd_t:s0
-
Understanding the targeted policy
Allow the source context user_u:system_r:httpd_t:s0 permission to read on the class file bearing a target context of system_u:object_r:httpd_sys_content_t:s0.
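As an added example (not from the original deck), a Python model of the evaluation on this slide and of the user:role:type context format from the Type Enforcement slides: it parses contexts, states the slide's rule as allow httpd_t httpd_sys_content_t:file read; and shows how a dontaudit rule and Permissive mode change what is logged. The policy fragment, including the user_home_t rule, is constructed and is not the real targeted policy.

```python
import re
from dataclasses import dataclass
from typing import NamedTuple

# A context has the form shown on the slides, user_identity:role:type, with an
# optional MLS level such as ":s0" appended by modern policies.
CONTEXT_RE = re.compile(r"^([^:]+):([^:]+):([^:]+)(?::(.+))?$")

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str

def parse_context(ctx: str) -> Context:
    """Split 'user_u:system_r:httpd_t:s0' into its labelled fields."""
    m = CONTEXT_RE.match(ctx.strip())
    if not m:
        raise ValueError(f"not a security context: {ctx!r}")
    user, role, type_, level = m.groups()
    return Context(user, role, type_, level or "")

@dataclass(frozen=True)
class Rule:
    kind: str            # "allow" or "dontaudit"
    source: str          # source type, taken from the scontext
    target: str          # target type, taken from the tcontext
    tclass: str          # object class, e.g. "file"
    perms: frozenset     # access permissions the rule covers

# Constructed policy fragment (not the real targeted policy): the slide's rule
# "allow httpd_t httpd_sys_content_t:file read;" plus one dontaudit rule.
POLICY = [
    Rule("allow", "httpd_t", "httpd_sys_content_t", "file", frozenset({"read"})),
    Rule("dontaudit", "httpd_t", "user_home_t", "file", frozenset({"getattr"})),
]

def decide(scontext, tcontext, tclass, perm, mode="enforcing"):
    """Return (proceeds, logged): whether the operation goes ahead and whether
    an 'avc: denied' record is written. Type Enforcement compares only the
    type field of each context; user and role are not consulted here."""
    src, tgt = parse_context(scontext), parse_context(tcontext)
    hits = [r for r in POLICY if r.source == src.type and r.target == tgt.type
            and r.tclass == tclass and perm in r.perms]
    if any(r.kind == "allow" for r in hits):
        return True, False                  # permitted: nothing to log
    logged = not any(r.kind == "dontaudit" for r in hits)
    # Permissive mode logs the denial but lets the operation continue.
    return mode == "permissive", logged
```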