Upload File

apparmor update 2018 - linux foundation events · 1 apparmor update 2018 2018 linux security summit...

  • Home
  • Documents
  • AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen [email protected] August
17
1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen [email protected] www.canonical.com August 2018

Upload: others

Post on 27-Sep-2020

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

1

AppArmor Update 20182018 Linux Security Summit – North America

Presentation by

John Johansen

[email protected]

www.canonical.com

August 2018

http://www.canonical.com/
Page 2: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

2

New Logo

Page 3: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

3

Moved from launchpad to gitlab

Page 4: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

4

Wiki moved to gitlab too

Page 5: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

5

CII Best Practices

Page 6: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

6

Upstreaming

Everything except

af_unix

Page 7: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

7

Upstreaming cont.

● Secids – 4.18

● audit rule fltering (SUBJ_ROLE) – 4.18

● socket mediation – 4.17

● Profle attacment – 4.17

● IMA

● Improved overlapping exec attachment resolution

● nnp subset test

Page 8: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

8

4.14A New Direction

Page 9: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

9

Policy tagged with ABI info

profile ping /{usr/,}bin/ping { include <abstractions/base> include <abstractions/consoles> include <abstractions/nameservice>

capability net_raw, capability setuid, network inet raw, network inet6 raw,

file mixr /{,usr/}bin/ping, file r /etc/modules.conf,

Page 10: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

10

Policy tagged with ABI info

feature-abi=<features/upstream-4.18>

profile ping /{usr/,}bin/ping { include <abstractions/base> include <abstractions/consoles> include <abstractions/nameservice>

capability net_raw, capability setuid, network inet raw, network inet6 raw,

file mixr /{,usr/}bin/ping, file r /etc/modules.conf,

Page 11: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

11

Single Binary Policy Cache

bin.pingsbin.klogdsbin.syslogdsbin.syslog-ngskypeusr.bin.evinceusr.bin.firefoxusr.bin.pidginusr.sbin.cupsdusr.sbin.dnsmasqusr.sbin.dovecot...

/etc/apparmor.d/cache

Page 12: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

12

Per Kernel binary policy

bin.pingsbin.klogdsbin.syslogdsbin.syslog-ngskypeusr.bin.evinceusr.bin.firefoxusr.bin.pidginusr.sbin.cupsdusr.sbin.dnsmasqusr.sbin.dovecot...

bin.pingsbin.klogdsbin.syslogdsbin.syslog-ngskypeusr.bin.evinceusr.bin.firefoxusr.bin.pidginusr.sbin.cupsdusr.sbin.dnsmasqusr.sbin.dovecot...

bin.pingsbin.klogdsbin.syslogdsbin.syslog-ngskypeusr.bin.evinceusr.bin.firefoxusr.bin.pidginusr.sbin.cupsdusr.sbin.dnsmasqusr.sbin.dovecot...

$(location)/cache/7f01cf2e.1$(location)/7f01cf2e.0 $(location)/cache/a035ea11.0

Page 13: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

13

Binary Policy Overlay

bin.pingsbin.klogdsbin.syslogdsbin.syslog-ngskypeusr.bin.evinceusr.bin.firefoxusr.bin.pidginusr.sbin.cupsdusr.sbin.dnsmasqusr.sbin.dovecot...

skypeusr.bin.evinceusr.bin.firefox

usr.sbin.cupsd

...

$(loc1)/7f01cf2e.0 $(loc2)/7f01cf2e.0

bin.pingsbin.klogdsbin.syslogdsbin.syslog-ngskypeusr.bin.evinceusr.bin.firefoxusr.bin.pidginusr.sbin.cupsdusr.sbin.dnsmasqusr.sbin.dovecot...

skypeusr.bin.evinceusr.bin.firefox

usr.sbin.cupsd

...

$(loc1)/a035ea11.0 $(loc2)/a035ea11.0

Page 14: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

14

WIP

Page 15: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

15

Current WIP

● Internal cleanups and improvements

● Rework early policy loading

● Systemd integration

● Default profle

● initrd/initramfs hooks

● Fine grained networking

● af_unix

● ipv4/ipv6

● Improved mount mediation

● Missing mediation

● Keys mediation

● ioctl mediation

Page 16: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

16

WIP continued

● Improvements to auditing

● Get audit data of the stack

● Caching and grouping

● Improvements to complain/learning

● Caching of recently audited events

● Direct to daemon logging

● Daemon interaction

● Further attachment conditionals (user, …)

● Extended conditionals, and permissions

● Policy namespaces

● Separate scope & view work

● Open up policy to users and applications

● Delegation

Page 17: AppArmor Update 2018 - Linux Foundation Events · 1 AppArmor Update 2018 2018 Linux Security Summit – North America Presentation by John Johansen john.johansen@canonical.com August

17

Questions pleaseThank you

John Johansen

[email protected]

www.canonical.com


Linux+ Guide to Linux Certification Chapter Eleven Managing Linux Processes

Live Migration of Linux Containers Migration of Linux Containers Tycho Andersen, Canonical Ltd. [email protected] Sorry, no demos today :(Who is this guy? LXD LXC CRIU Kernel

E 30279 HOB · Win XP/Linux Win XP/Linux Win XP/Linux Win XP/Linux Win XP/Linux Win XP/Linux Win XP/Linux Win XP/Linux Win XP/Linux Win XP/Linux Option

Linux+ Guide to Linux Certification Chapter Fifteen Linux Networking

Analyzing and Comparing the Protection Quality of Security ... · the results of comparing SELinux with AppArmor in several Linux distributions. Section 6 concludes the pa-per. 2

Linux+ Guide to Linux Certification Chapter One Introduction to Linux

SELinux & AppArmor - Comparison of Secure OSes

linux training | linux training videos | linux training pdf | red hat linux (operating system)

Lic-Sec: an enhanced AppArmor Docker security pro le generator

UNIX ™ /Linux Overview Unix/LINUX Intro. UNIX/Linux History

The definiTive guide To Linux The Linux ... - Linux Tutorial

Linux Manual de Linux

Linux Environment- Linux Basics

Sitara Linux Training: uboot linux debug with ccsv5 Linux Training: uboot linux debug with ccsv5 1 Sitara Linux Training: uboot linux debug with ccsv5 Return to the Sitara Linux Training

How Juju makes cloud and Devops easy CloudOpen Japan 2014 · How Juju makes cloud and Devops easy CloudOpen Japan 2014 Yaguang Tang [email protected] 2014.05.20

Managing zVM and LInux Performance Best Practices 2€¦ · PTK CMD (Guest) Linux (Guest) Linux TEMA VM TEMA Linux (Guest) Linux TEMA Linux (Guest) Linux TEMA pHyp xHyp AIX on Power

Linux+ Guide to Linux Certification Chapter Four Exploring Linux Filesystems

Securing Linux Systems with AppArmor - Huihoo · AppArmor AppArmor is an open source application security tool that helps protect Linux systems from unknown security flaws • AppArmor

CIS Ubuntu Linux 14.04 LTS Benchmark · 2021. 1. 3. · 4 | P a g e 1.6.3 Ensure SELinux or AppArmor are installed (Scored)..... 82 1.7 Warning Banners..... 82

Linux 2.4 - Linux/VM

Linux: Basics OF Linux

Overview and Recent Developments AppArmor€¦ · 1 Overview and Recent Developments AppArmor 2018 Linux Security Summit – Europe Presentation by John Johansen [email protected]

Mandatory Access Controlsrn/mac_apparmor.pdf · Example AppArmor Messages # tail -f /var/log/syslog | grep apparmor Nov 1 19:17:11 localhost kernel: [6070087.303192] type=1400 audit(1478053031.105:4257):

CIS Ubuntu Linux 18.04 LTS Benchmarkgauss.ececs.uc.edu/Courses/c6056/lectures/ubuntu-18.04-LTS.pdf4 | P a g e 1.6.3 Ensure SELinux or AppArmor are installed (Scored)..... 92 1.7 Warning

Opens Use 111 Apparmor Admin 23

6177 Copyright © 2011 ACM It is posted here for your ... · AppArmor, previously known as SubDomain [Cowan et al. 2000], also implements mandatory controls for Linux, although using

immunizing applications 1 01novell › documentation › apparmor › pdfdoc › ... · Getting Started With Novell AppArmor The Novell AppArmor, powered by Immunix (Novell AppArmor)

AppArmor - University Manager Magazine with CAUBO Award

Linux Basics - Linux/VM

AppArmor crash course and workshop - cboltz.de · AppArmor crash course and workshop Christian Boltz openSUSE community ... The AppArmor tools • aa-unconfined - overview of protected/confined

Securing Linux Systems with AppArmor

An attempt at making you comfortable when you have to work ... · Git for bzr users October 2010 Aurélien Gâteau An attempt at making you comfortable

New PacketFence Administration Guide - Inverse · 2014. 9. 10. · ∏ Disable Firewall ∏ Disable SELinux ∏ Disable AppArmor ∏ Disable resolvconf Make sure your system is up

Securing your system with AppArmor & SELinuxrossano.pro.br/fatec/cursos/admsorede/apparmor_selinux.pdf · aa-easyprof: Easy to use tool. Results might be less restrictive than with

Unifying the Cloud Experience with Ubuntu Server · 1 Unifying the Cloud Experience Adam Gandelman Ubuntu Server Cloud Infrastructure Team [email protected] CloudOpen 2012