an introduction to mac rbac and lsm
TRANSCRIPT
![Page 1: An introduction to MAC RBAC and LSM](https://reader036.vdocuments.us/reader036/viewer/2022092622/587b23ce1a28ab736c8b7247/html5/thumbnails/1.jpg)
Hardening Two June 13, 2016 Francesco Pira (fpira.com)
An Introduction to MAC, RBAC and LSMThe theory behind hardening tools
![Page 2: An introduction to MAC RBAC and LSM](https://reader036.vdocuments.us/reader036/viewer/2022092622/587b23ce1a28ab736c8b7247/html5/thumbnails/2.jpg)
Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Before we start…
• each system has its own security requirements
• each system has different overriding security requirements
• sometimes you need to combine multiple solutions
• showed approaches are build into the system
![Page 3: An introduction to MAC RBAC and LSM](https://reader036.vdocuments.us/reader036/viewer/2022092622/587b23ce1a28ab736c8b7247/html5/thumbnails/3.jpg)
Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Information
Main security requirements
Confidentiality
Availability
Integrity
![Page 4: An introduction to MAC RBAC and LSM](https://reader036.vdocuments.us/reader036/viewer/2022092622/587b23ce1a28ab736c8b7247/html5/thumbnails/4.jpg)
Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Keywords
• roles
• subjects
• objects
• policy
• policy defines behaviour of roles / subjects / objects
as higher abstraction of users
as abstraction of executables
as abstraction of system resources
as a set of rules (usually system-wide)
![Page 5: An introduction to MAC RBAC and LSM](https://reader036.vdocuments.us/reader036/viewer/2022092622/587b23ce1a28ab736c8b7247/html5/thumbnails/5.jpg)
Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Available options
• DAC, Discretionary Access Control
• MAC, Mandatory Access Control
• RBAC, Role-Based Access Control
* DAC and MAC are mutually exclusive. RBAC can coexist with others.
![Page 6: An introduction to MAC RBAC and LSM](https://reader036.vdocuments.us/reader036/viewer/2022092622/587b23ce1a28ab736c8b7247/html5/thumbnails/6.jpg)
Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Discretionary Access Control
• focuses on availability
• user in control
• user can forward privileges
• user can revoke permissions
• can’t be used in hardening tools!
![Page 7: An introduction to MAC RBAC and LSM](https://reader036.vdocuments.us/reader036/viewer/2022092622/587b23ce1a28ab736c8b7247/html5/thumbnails/7.jpg)
Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Mandatory Access Control
• focuses on confidentiality
• acts system-wide
• by design: 1 trusted admin, no roles
• controls access to objects
• subjects can’t change the policy
• neither users at lower level can do
![Page 8: An introduction to MAC RBAC and LSM](https://reader036.vdocuments.us/reader036/viewer/2022092622/587b23ce1a28ab736c8b7247/html5/thumbnails/8.jpg)
Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Role-Based Access Control
• focuses on integrity
• needs authentication
• each role access only data who is allowed to (default is deny)
• not mandatory by design
• can coexist with MAC if the hierarchy is a tree
• policy tied to roles, roles tied to users
• usually implemented via ACL
![Page 9: An introduction to MAC RBAC and LSM](https://reader036.vdocuments.us/reader036/viewer/2022092622/587b23ce1a28ab736c8b7247/html5/thumbnails/9.jpg)
Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Hooking the kernel: LSM
• a framework embedded in the Linux kernel
• designed not to degrade system performance
• hardening tools via modules
• system resources have hooks
• hooks -> pointers to module functions (low-level API, kind of)
• table of (dummy) functions called security_ops
• dummy functions replaced at boot time with (e.g.) SELinux ones
![Page 10: An introduction to MAC RBAC and LSM](https://reader036.vdocuments.us/reader036/viewer/2022092622/587b23ce1a28ab736c8b7247/html5/thumbnails/10.jpg)
Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Hooking the kernel: LSM
Resource request
Sys call
DAC check
LSM hook
complete request
LSM module engine SELinux*
kernel space
user space
* as an example
![Page 11: An introduction to MAC RBAC and LSM](https://reader036.vdocuments.us/reader036/viewer/2022092622/587b23ce1a28ab736c8b7247/html5/thumbnails/11.jpg)
Hardening Two June 13, 2016 Francesco Pira (fpira.com)
LSM hooks
• hooks are divided into categories
• task hooks
• program loading hooks
• IPC hooks
• filesystem hooks
• network hooks
• and more…
![Page 12: An introduction to MAC RBAC and LSM](https://reader036.vdocuments.us/reader036/viewer/2022092622/587b23ce1a28ab736c8b7247/html5/thumbnails/12.jpg)
Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Questions?
Thank you!