Linux kernel security
Professor: Mahmood Ranjbar
Authors: Mohammad Heydari, Mahmood ZafarArjmand, Zohre Alihoseyni, Maryam Sabaghi
Why is the kernel important? Why is security in the kernel important?
• Everything in the operating system runs above the kernel
• If the kernel denies an action, nothing running above it can override that decision
Access control is the most important concept in kernel security
• Access control covers:
• Access to files
• Access to ports
• Access to processes
• If we secure all of the above, almost everything is done!
Access control methods
• DAC: Discretionary Access Control
• MAC: Mandatory Access Control
• DAC example (ls -l output):
  -rw-rw-r-- 1 ted ted 0 May 6 01:14 1.txt
  -rw-rw-r-- = permission bits (owner/group/other), first "ted" = owner, second "ted" = group, 1.txt = file name
DAC
DAC problems
• Prone to malware: any program a user runs carries the user's full set of permissions
• setuid/setgid files are vulnerable
• Access to objects (files) is based solely on user identity (uid/gid)
• The default policy is liberal
• There are only 2 privilege levels:
• Admin (root, who bypasses the mode bits entirely)
• Non-Admin
MAC benefits
• Requires more system administration expertise (the price of the points below)
• Offers more granular, fine-grained control of security
• The ability to restrict access to objects at a lower level
• SELinux is compiled into the kernel and hooks into it via the LSM (Linux Security Modules) framework
• Ideal for Internet-facing systems: httpd, mysqld, etc.
• SELinux denies interaction between Subjects and Objects by default: anything the policy does not explicitly allow is denied (for confined domains; unconfined_t is the deliberate exception)
Security check order
• MAC-based checks occur AFTER DAC-based checks.
• If DAC denies an access, MAC is not consulted at all.
• MAC is only processed if DAC permits.
• Consequence: SELinux can only take access away; it can never grant an access that the mode bits already refuse. The reverse also holds: root passes DAC automatically, so MAC is the only thing standing between a root-running daemon and the file.
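The ordering above, modeled as an added example (this is not code from the slides or from the kernel): a classic uid/gid mode-bit check, followed by a small SELinux-style type-enforcement policy that is consulted only when DAC said yes. The inodes, processes, rule set and type names (httpd_t, shadow_t, user_tmp_t) are constructed for illustration; the process-transition check at the end is the same kind of allow rule the later Roles section refers to with named_t and squid_t.

```python
"""Added example (not from the slides): a toy model of the DAC-then-MAC
check order.  DAC is the classic uid/gid + mode-bit check; MAC is a small
SELinux-style type-enforcement policy.  Inodes, processes and rules are
constructed for illustration."""
import stat
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int       # permission bits only, e.g. 0o644
    setype: str     # SELinux type of the object, e.g. "httpd_sys_content_t"


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset
    domain: str     # SELinux type of the subject, e.g. "httpd_t"


class Policy:
    """Type-enforcement rules: (source type, target type, class) -> permissions."""

    def __init__(self):
        self.rules = defaultdict(set)

    def allow(self, src, tgt, cls, perms):
        """Equivalent of the policy statement: allow src tgt:cls { perms };"""
        self.rules[(src, tgt, cls)].update(perms)

    def permits(self, src, tgt, cls, perm):
        return perm in self.rules.get((src, tgt, cls), ())


DAC_BITS = {
    "read": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "write": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "execute": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def dac_check(proc, inode, perm):
    """Discretionary check: uid 0 always passes, otherwise owner/group/other bits."""
    if proc.uid == 0:
        return True
    owner, group, other = DAC_BITS[perm]
    if proc.uid == inode.uid:
        return bool(inode.mode & owner)
    if inode.gid in proc.gids:
        return bool(inode.mode & group)
    return bool(inode.mode & other)


def access(policy, proc, inode, perm):
    """Return (decision, stage).  MAC is consulted only after DAC has permitted."""
    if not dac_check(proc, inode, perm):
        return ("denied", "dac")       # MAC is never looked at
    if not policy.permits(proc.domain, inode.setype, "file", perm):
        return ("denied", "mac")       # DAC said yes, SELinux said no
    return ("allowed", "mac")


def can_transition(policy, src_domain, dst_domain):
    """A domain transition needs 'allow src dst:process transition;'.
    (A real transition also needs execute/entrypoint rules; simplified here.)"""
    return policy.permits(src_domain, dst_domain, "process", "transition")


# --- constructed demo data ------------------------------------------------
POLICY = Policy()
POLICY.allow("httpd_t", "httpd_sys_content_t", "file", {"read"})
# deliberately no rule for httpd_t -> shadow_t / user_tmp_t, nor named_t -> squid_t

INDEX = Inode(uid=0, gid=0, mode=0o644, setype="httpd_sys_content_t")   # web root file
SHADOW = Inode(uid=0, gid=0, mode=0o000, setype="shadow_t")               # /etc/shadow
TMPFILE = Inode(uid=1000, gid=1000, mode=0o644, setype="user_tmp_t")      # world-readable /tmp file

APACHE = Process(uid=48, gids=frozenset({48}), domain="httpd_t")          # httpd as user apache
ROOT_HTTPD = Process(uid=0, gids=frozenset({0}), domain="httpd_t")        # httpd before dropping root


def demo():
    return {
        "apache reads index.html": access(POLICY, APACHE, INDEX, "read"),
        "apache reads /etc/shadow": access(POLICY, APACHE, SHADOW, "read"),
        "root httpd reads /etc/shadow": access(POLICY, ROOT_HTTPD, SHADOW, "read"),
        "apache reads world-readable /tmp file": access(POLICY, APACHE, TMPFILE, "read"),
        "named_t -> squid_t": can_transition(POLICY, "named_t", "squid_t"),
    }


if __name__ == "__main__":
    for what, result in demo().items():
        print(f"{what:40s} {result}")
```

The two /etc/shadow rows are the point: the apache uid is stopped at the DAC stage and SELinux never sees the request, while the root-running httpd sails through DAC and is stopped only by the missing httpd_t to shadow_t rule. The /tmp row shows the other direction: a world-readable file that DAC happily hands out is still off limits to the confined domain.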
Security Enhanced Linux
• From Wikipedia:
• The United States National Security Agency (NSA), the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL on December 22, 2000.[3] The software merged into the mainline Linux kernel 2.6.0-test3, released on 8 August 2003.
• A Linux kernel integrating SELinux enforces mandatory access-control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs.
Installation - CentOS
• Just use yum:
• yum install selinux setools-console (note: there is no package called "selinux" on CentOS; the policy itself comes from selinux-policy-targeted and the management tools from policycoreutils)
• yum search selinux
• yum provides */semanage (finds the package that ships semanage; on CentOS 7 that is policycoreutils-python)
SELinux Modes
• Enforcing: the (targeted) policy is applied and denials are enforced
• Permissive: the (targeted) policy is evaluated, but denials are only logged
• Disabled: the policy/SELinux is DISABLED (files created while disabled get no labels, so a full relabel is needed before switching back to enforcing)
Permissive
• Programs will still run as expected
• Violations of the security policy appear in /var/log/audit/audit.log (as type=AVC records)
• Used for troubleshooting SELinux configurations
• The SELinux logger agent: the records are written by the audit daemon (auditd)
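What those audit.log records look like and how to read them, as an added example (not code from the slides): a parser for type=AVC lines that splits the scontext/tcontext labels into their user:role:type:level fields, skips other record types, and merges the denials into the allow rules audit2allow would propose. The four log lines are constructed for this example (an httpd serving a file out of a home directory and connecting to MySQL while SELinux is permissive).

```python
"""Added example (not from the slides): parse AVC records out of
/var/log/audit/audit.log and summarize the denials the way audit2allow does.
SAMPLE_LOG is constructed for this example."""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = [
    'type=AVC msg=audit(1467098521.340:233): avc:  denied  { read } for  pid=2123 comm="httpd" '
    'name="index.html" dev="dm-0" ino=263 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1467098521.341:234): avc:  denied  { open } for  pid=2123 comm="httpd" '
    'path="/home/ted/public_html/index.html" dev="dm-0" ino=263 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1',
    'type=SYSCALL msg=audit(1467098521.341:234): arch=c000003e syscall=2 success=yes exit=11 '
    'comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1467098530.002:240): avc:  denied  { name_connect } for  pid=2130 comm="httpd" '
    'dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 '
    'tclass=tcp_socket permissive=1',
]


def parse_context(ctx):
    """Split user:role:type[:level]; the level may itself contain ':' (s0-s0:c0.c1023)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    if not line.startswith("type=AVC "):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but actually went ahead
        "permissive": fields.get("permissive") == "1",
    }


def describe(rec):
    """One human-readable line per record."""
    text = (f"{rec['comm']} ({rec['scontext']['type']}) was {rec['decision']} "
            f"{' '.join(rec['perms'])} on {rec['tclass']} labeled {rec['tcontext']['type']}")
    return text + (" [permissive: not enforced]" if rec["permissive"] else "")


def summarize(lines):
    """Group denials by (source type, target type, class), merging the permissions."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec["decision"] == "denied":
            key = (rec["scontext"]["type"], rec["tcontext"]["type"], rec["tclass"])
            needed[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in needed.items()}


def as_allow_rules(summary):
    """Render the summary as the allow rules audit2allow would propose."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
            for (src, tgt, cls), perms in sorted(summary.items())]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_avc(line)
        if rec:
            print(describe(rec))
    print("\n".join(as_allow_rules(summarize(SAMPLE_LOG))))
```

A proposed allow rule is a starting point for diagnosis, not something to load blindly. Both denials in the sample have better fixes than a custom module: httpd reading user_home_t is the httpd_enable_homedirs boolean (or relabeling the content), and name_connect to mysqld_port_t is the httpd_can_network_connect_db boolean. Also note permissive=1: in permissive mode the syscall succeeded, so the same workload in enforcing mode will fail at the first of these denials.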
Objects and Subjects
• Entities on the system are abstracted into 2 classes
• Subjects: users, processes
• Objects: files (text, binary, sockets, ...)
Exploring common tools
• sestatus (-v)
• setenforce / getenforce
• /selinux
• setsebool (-P)
• getsebool
• restorecon
• chcon
Exploring common tools - sestatus
• Displays the current status; -v for verbose mode. Example output:
  SELinux status:                 enabled
  SELinuxfs mount:                /selinux
  Current mode:                   permissive
  Mode from config file:          enforcing
  Policy version:                 24
  Policy from config file:        targeted
• "Current mode" and "Mode from config file" differ here because someone ran a non-persistent setenforce 0; a reboot returns the box to enforcing
setenforce / getenforce
• Gets or sets the enforcing mode (setenforce 1 = enforcing, setenforce 0 = permissive)
• Changes made with setenforce are not persistent
• The persistent mode is defined by the SELINUX= line in /etc/selinux/config (enforcing, permissive or disabled)
/selinux
• A /proc-like (virtual) file system that exposes SELinux information
• All information about the current state of the running SELinux can be found here, just as files
• Example: /selinux/enforce, which is what setenforce writes to when changing the enforcing mode (1 = enforcing, 0 = permissive)
• On newer systems (CentOS 7 and later) selinuxfs is mounted at /sys/fs/selinux instead; sestatus shows the actual mount point
getsebool
• Lists Booleans that can be set in SELinux
• Use -a to see all available Booleans
setsebool
• Sets boolean values for SELinux
• Use -P to make changes persistent (written to the policy, survives reboot)
• Example: setsebool httpd_can_network_connect on
• To prevent Linux users in the user_t domain from executing applications in their home directories and /tmp/:
• /usr/sbin/setsebool -P allow_user_exec_content off
[Command] -Z
• ps -Z: reveals the various sandboxes/domains (subjects)
• ls -Z: reveals the security context of files/directories (objects)
• cp: the copy is a NEW file and gets a NEW security context (type) from the destination directory's default, not from the source; cp --preserve=context keeps the source label, and cp -Z (coreutils 8.22 and later) explicitly asks for the destination's default type
• mv: preserves the SELinux security tuple/context/label of the source file (within one filesystem it is the same inode); mv -Z (coreutils 8.22 and later) relabels to the destination's default type instead
• id -Z: reveals the current security context of the user (tuple)
id -Z
• Output format: SEuser:SErole:SEtype (on MLS/MCS-enabled policies, such as the default targeted policy, a 4th field with the level, e.g. s0, follows)
• Field #1 - SELinux user label (distinct from the Linux user; semanage login -l shows the mapping)
• Confined non-privileged user: user_u
• System processes (daemons started at boot): system_u
• Unconfined logins, which under the default targeted policy includes root: unconfined_u
• Field #2 - RBAC role (Role-Based Access Control)
• Unconfined users, privileged or not: unconfined_r
• System processes: system_r
• Field #3 - Type (for objects, i.e. files) / Domain (for subjects, i.e. processes and users)
• Unconfined users, privileged or not: unconfined_t
• Processes, e.g. httpd: httpd_t, dhcpd_t
chcon
• The 'chcon' command may be used to change the SELinux security context of a file or of files/directories, in a similar way to how 'chown' or 'chmod' may be used to change the ownership or standard file permissions of a file.
• A chcon change is not recorded in the policy: the next restorecon or full relabel reverts it.
restorecon
• The 'restorecon' command may be used to restore the default SELinux security contexts of file(s), as defined by the policy's file-context rules (use -R for a directory tree and -n -v to only show what would change).
I don't want to change the type by hand (register the rule with semanage fcontext and let restorecon apply it, see the role example below)
Extended attributes
On a typical Linux disk-based file system, each file is identified uniquely by an inode containing critical metadata for the file, including UNIX ownership and access control information. When the kernel references a file, its inode is read from disk into memory. A standard UNIX permission check simply uses the information present within the inode. SELinux extends standard UNIX security and uses security context labels to make extended access control decisions. The label lives in the file's security.selinux extended attribute (getfattr -n security.selinux <file> shows it), which is why only file systems with xattr support can be fully labeled.
Label behavior during cp, mv and file creation
• File creation: the new file takes its label from the parent directory (unless a type-transition rule in the policy says otherwise)
• cp behaves like file creation: the copy gets a new label from the destination
• mv just changes the parent directory entry: the file keeps its old label, which is the classic cause of mislabeled content in /var/www after moving files out of a home directory
Roles
• ALL objects (files) MUST be properly labeled
• Files that are improperly labeled will NOT be protected
• Roles define which SELinux user identities can have access to which domains
• For example, the domains named_t and squid_t are both in the role system_r. However, named_t cannot transition to squid_t without an allow rule
Role example
View SELinux user mappings:
$ semanage user -l
Allow joe to log in as staff_u:
$ semanage login -a -s staff_u joe
Add a file context for everything under /web (used by restorecon; run restorecon on /web afterwards to apply it):
$ semanage fcontext -a -t httpd_sys_content_t '/web(/.*)?'
Allow Apache to listen on port 81:
$ semanage port -a -t http_port_t -p tcp 81
File-context example: labeling a MediaWiki install
• semanage fcontext -a -t httpd_user_content_t '/path/to/mediawiki/install(/.*)?'
• semanage fcontext -a -t httpd_user_script_exec_t '/path/to/mediawiki/install/.*\.php5?'
• semanage fcontext -a -t httpd_user_script_exec_t '/path/to/mediawiki/install/includes/.*\.php5?'
• semanage fcontext -a -t httpd_user_script_rw_t '/path/to/mediawiki/install/images(/.*)?'
• Order matters: later, more specific rules override earlier ones, so an uploaded .php under images/ ends up as writable content, not as an executable script type
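How these fcontext rules resolve for concrete paths, as an added example that is not part of the slides and not libselinux's own code: a small matcher that registers the /web rule from the role example and the four MediaWiki rules above (with the .*\/php5? pattern read as .*\.php5?) and answers what restorecon would assign. It assumes the last matching rule wins; libselinux additionally orders specs by stem length, which this model ignores. The paths and the "current label" snapshot are constructed.

```python
"""Added example (not from the slides): a model of how semanage fcontext rules
are matched against paths, i.e. what restorecon would label a file.
Assumption: the most recently added matching rule wins (libselinux also sorts
specs by stem length; ignored here).  Paths and current labels are constructed."""
import re


class FileContexts:
    def __init__(self):
        self.specs = []   # (pattern, compiled regex, type) in registration order

    def add(self, pattern, setype):
        """semanage fcontext -a -t SETYPE 'PATTERN'.  The pattern is an anchored
        regular expression: it must match the whole path, not just a prefix."""
        self.specs.append((pattern, re.compile(pattern + r"\Z"), setype))

    def lookup(self, path):
        """Type restorecon would apply to PATH, or None if no spec matches."""
        result = None
        for _pattern, rx, setype in self.specs:
            if rx.match(path):      # re.match anchors the start; \Z anchors the end
                result = setype     # a later rule overrides an earlier match
        return result

    def relabel_plan(self, current_labels):
        """Simulate 'restorecon -n -v': (path, current type, target type) for every
        path whose on-disk label differs from what the rules say."""
        plan = []
        for path, have in sorted(current_labels.items()):
            want = self.lookup(path)
            if want is not None and want != have:
                plan.append((path, have, want))
        return plan


def build_demo():
    fc = FileContexts()
    fc.add(r"/web(/.*)?", "httpd_sys_content_t")
    # MediaWiki rules from the slides (\/php5? read as \.php5?)
    fc.add(r"/path/to/mediawiki/install(/.*)?", "httpd_user_content_t")
    fc.add(r"/path/to/mediawiki/install/.*\.php5?", "httpd_user_script_exec_t")
    fc.add(r"/path/to/mediawiki/install/includes/.*\.php5?", "httpd_user_script_exec_t")
    fc.add(r"/path/to/mediawiki/install/images(/.*)?", "httpd_user_script_rw_t")
    return fc


# constructed 'ls -Z' snapshot: files copied or moved in and never relabeled
CURRENT_LABELS = {
    "/web/index.html": "default_t",
    "/web/css/site.css": "httpd_sys_content_t",
    "/path/to/mediawiki/install/index.php": "user_home_t",
    "/path/to/mediawiki/install/images/evil.php": "httpd_user_script_exec_t",
}


if __name__ == "__main__":
    fc = build_demo()
    for path, have, want in fc.relabel_plan(CURRENT_LABELS):
        print(f"restorecon would relabel {path}: {have} -> {want}")
```

The evil.php row is the one to study: someone (or a chcon) marked an upload under images/ as an executable script type, and the relabel pulls it back to httpd_user_script_rw_t because the images rule was registered after the .*\.php5? rule. Register the rules in the other order and the same file would come out executable, which is exactly the mistake a web-shell upload relies on.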