
Post on 29-Dec-2015


TRANSCRIPT

Page 1: Linux kernel security Professor: Mahmood Ranjbar Authors: Mohammad Heydari, Mahmood ZafarArjmand, Zohre Alihoseyni, Maryam Sabaghi
Page 2:

Linux kernel security

Professor: Mahmood Ranjbar

Authors: Mohammad Heydari, Mahmood ZafarArjmand, Zohre Alihoseyni, Maryam Sabaghi

Page 3:

Why is the kernel important? Why is security in the kernel important?

• Everything in the operating system runs on top of the kernel
• If the kernel denies an action, nothing running above it can override that decision

Page 4:

Access control is the most important security concept in kernel security. Access control covers:

• Access to files
• Access to ports
• Access to processes

• If we control access to all of the above, most of the work is done.

Page 5:

Access control methods

• DAC: Discretionary Access Control
• MAC: Mandatory Access Control

Page 6:

DAC

• -rw-rw-r-- 1 ted ted 0 May 6 01:14 1.txt
  |perm bits|  |user| |group|            |name|
• Discretionary: the owner of the file (ted) sets these bits with chmod/chown, and the kernel checks only the caller's uid/gid against them

Page 7:

DAC problems

• Prone to malware: anything running as a user gets all of that user's access, so a compromised program can read, change or leak everything the user owns
• setuid/setgid binaries are a weak point: a bug in one hands the attacker the file owner's (often root's) privileges
• Access to objects (files) is based solely on user identity (uid/gid), not on which program is acting or what it should be doing
• The default policy is liberal: anything not explicitly forbidden is allowed
• There are effectively only two privilege levels:
  • Admin (root)
  • Non-admin

Page 8:

MAC benefits

• Costs more system-administration effort and expertise, but in return:
• Offers more granular, fine-grained control of security
• Can restrict access to objects at a lower level than uid/gid (per program domain, per object type)
• SELinux is compiled into the kernel and hooked in through the LSM (Linux Security Modules) framework
• Ideal for Internet-facing services such as httpd, mysqld, etc.
• SELinux denies every interaction between subjects and objects by default; only what the policy explicitly allows is permitted

Page 9:

Security check order

• MAC-based checks occur AFTER DAC-based checks.
• If DAC denies an access, MAC is not consulted at all.
• MAC is only processed if DAC permits.
• Consequence: SELinux can only take access away, never grant what DAC refuses, and root's DAC bypass does not help against MAC.
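The check order above, as an added example in Python (not code from the slides or from the kernel): a small model with the classic UNIX owner/group/other DAC rule, including the root bypass, followed by a toy type-enforcement policy that denies unless an explicit allow rule matches. The uids, types and allow rules are constructed for illustration, and "backup_t" is a made-up domain; the `trace` list makes the short-circuit on DAC denial observable.

```python
"""Model of the DAC-then-MAC check order from the slides above.

Added example; not from the slides or from the kernel sources.
DAC: classic UNIX owner/group/other bits with the root bypass.
MAC: a tiny type-enforcement policy; access is denied unless an allow
rule (source domain, target type, class, permission) matches.
All uids, types and rules are constructed; "backup_t" is hypothetical.
"""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1                       # permission bits within one rwx triplet
PERM_NAME = {R: "read", W: "write", X: "execute"}


@dataclass
class Inode:
    uid: int
    gid: int
    mode: int          # e.g. 0o664 for -rw-rw-r--
    setype: str        # SELinux type of the object, e.g. "user_home_t"


@dataclass
class Process:
    uid: int
    gid: int
    setype: str                        # SELinux domain of the subject
    groups: frozenset = frozenset()    # supplementary groups


@dataclass
class Policy:
    # allow rules as (source domain, target type, class, permission)
    allow: set = field(default_factory=set)

    def permits(self, proc, inode, cls, perm):
        return (proc.setype, inode.setype, cls, perm) in self.allow


def dac_allows(proc, inode, want):
    """UNIX DAC: root bypasses the bits; otherwise the first matching
    class (owner, then group, then other) is the one that decides."""
    if proc.uid == 0:
        return True
    if proc.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif proc.gid == inode.gid or inode.gid in proc.groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return (bits & want) == want


def check_access(proc, inode, want, policy, trace=None):
    """Kernel ordering: DAC first, MAC only if DAC passed.
    `trace` records which stages ran, so the short-circuit is visible."""
    if trace is None:
        trace = []
    trace.append("dac")
    if not dac_allows(proc, inode, want):
        return False                   # MAC is never consulted
    trace.append("mac")
    return policy.permits(proc, inode, "file", PERM_NAME[want])


# Constructed sample objects, subjects and policy.
HOME_FILE = Inode(uid=1000, gid=1000, mode=0o600, setype="user_home_t")
WEB_FILE = Inode(uid=0, gid=0, mode=0o644, setype="httpd_sys_content_t")
HTTPD = Process(uid=48, gid=48, setype="httpd_t")
ROOT_BACKUP = Process(uid=0, gid=0, setype="backup_t")   # hypothetical root job
POLICY = Policy(allow={
    ("httpd_t", "httpd_sys_content_t", "file", "read"),
})


def demo():
    """Returns {case: (allowed, stages_run)} for three instructive cases."""
    out = {}
    for name, proc, inode in (
        ("httpd_reads_webroot", HTTPD, WEB_FILE),              # DAC ok, allow rule -> allowed
        ("httpd_reads_home", HTTPD, HOME_FILE),                # DAC denies -> MAC skipped
        ("root_backup_reads_webroot", ROOT_BACKUP, WEB_FILE),  # DAC ok (root), no rule -> denied
    ):
        trace = []
        out[name] = (check_access(proc, inode, R, POLICY, trace), tuple(trace))
    return out


if __name__ == "__main__":
    for case, (allowed, stages) in demo().items():
        print(f"{case:28s} allowed={allowed!s:5s} checked={'>'.join(stages)}")
```

The third case is the one worth remembering: root passes DAC without looking at the bits, but in the MAC stage "backup_t" has no rule for httpd_sys_content_t, so the access is denied. Root is not special to the policy; only the domain is.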

Page 10:

Security Enhanced Linux

• From Wikipedia:
• The United States National Security Agency (NSA), the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL on December 22, 2000.[3] The software merged into the mainline Linux kernel 2.6.0-test3, released on 8 August 2003.
• A Linux kernel integrating SELinux enforces mandatory access-control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs.

Page 11:

Installation - CentOS

• Just use yum (there is no package literally named "selinux"; the pieces are libselinux, policycoreutils and the policy):
• yum install policycoreutils policycoreutils-python selinux-policy-targeted setools-console
• yum search selinux
• yum provides */semanage  (on CentOS 6/7 this points at policycoreutils-python, which is why semanage is missing after a minimal install)

Page 12:

SELinux Modes

• Enforcing: the (targeted) policy is applied and violations are denied
• Permissive: the policy is applied, but violations are only logged, not denied
• Disabled: the policy and SELinux itself are DISABLED; no labels are maintained on new files, so going back to enforcing later needs a full relabel (touch /.autorelabel and reboot)

Page 13:

Permissive

• Programs still run as expected
• Violations of the security policy appear in /var/log/audit/audit.log as AVC "denied" records
• Use it for troubleshooting SELinux configs: run the workload once in permissive mode, collect the denials, fix labels, booleans or policy, then return to enforcing
• The records are written by the audit daemon (auditd), which acts as SELinux's logger agent
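Reading the denials collected in permissive mode, as an added example in Python (not from the slides, and not the real audit2allow): it parses AVC records of the form auditd writes, splits each security context into its user:role:type:level fields, groups the denied permissions by (source type, target type, class), and prints the allow rule that shape corresponds to. The log lines are constructed to look like audit.log output; the pid, inode and context values in them are made up.

```python
"""Parse SELinux AVC denials from /var/log/audit/audit.log.

Added example, not from the slides. Turns each "avc: denied" record
into a structured dict and groups denials the way audit2allow does
before proposing allow rules. SAMPLE_LOG is constructed, not captured.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r"\s+for\s+(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value"


def split_context(ctx):
    """user:role:type[:level] -> dict. The MLS/MCS level is optional and may
    itself contain colons (e.g. s0-s0:c0.c1023), hence maxsplit=3."""
    d = dict(zip(("user", "role", "type", "level"), ctx.split(":", 3)))
    d.setdefault("level", None)
    return d


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": tuple(m.group("perms").split()),
        "scontext": split_context(m.group("scontext")),
        "tcontext": split_context(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
    }


def summarize(lines):
    """Group denied permissions by (source type, target type, class)."""
    denied = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (rec["scontext"]["type"], rec["tcontext"]["type"], rec["tclass"])
        denied[key].update(rec["perms"])
    return {k: frozenset(v) for k, v in denied.items()}


def as_allow_rules(summary):
    """Render each group as an 'allow src tgt:class { perms };' rule."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in summary.items()
    )


# Constructed sample log: httpd serving a file that was mv'd out of a home
# directory (still user_home_t) and trying to reach a local MySQL port.
SAMPLE_LOG = """\
type=AVC msg=audit(1418917390.024:123): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1418917390.031:124): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/ted/public_html/index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1418917391.002:125): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1418917391.002:125): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
""".splitlines()


if __name__ == "__main__":
    for rule in as_allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

The proposed rules are a diagnosis, not the fix. For the user_home_t denial the right answer is relabeling the file (restorecon) rather than letting httpd_t read home directories; for the mysqld_port_t denial the policy already ships a boolean (httpd_can_network_connect_db) that is safer than a custom allow rule.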

Page 14:

Objects and Subjects

• Everything on the system is abstracted into 2 classes
• Subjects: users and processes (a process acts on behalf of a user)
• Objects: files (text/binary), directories, sockets, ports, ...

Page 15:

Exploring common tools

• sestatus (-v)
• setenforce / getenforce
• /selinux (the SELinux pseudo-filesystem)
• setsebool (-P)
• getsebool
• restorecon
• chcon

Page 16:

Exploring common tools - sestatus

• Displays the current status; -v for verbose mode
• Sample output:
  SELinux status:          enabled
  SELinuxfs mount:         /selinux
  Current mode:            permissive
  Mode from config file:   enforcing
  Policy version:          24
  Policy from config file: targeted

Page 17:

setenforce / getenforce

• getenforce prints the current mode; setenforce 1 (Enforcing) or setenforce 0 (Permissive) switches it at run time
• Changes made with setenforce are not persistent across a reboot
• The persistent mode is defined in /etc/selinux/config (SELINUX=enforcing|permissive|disabled)
• setenforce cannot turn a disabled SELinux on; that takes the config file and a reboot

Page 18:

/selinux

• A /proc-like (virtual) filesystem that maintains SELinux information
• All information about the current state of the running SELinux can be found here, just as files
• Example: /selinux/enforce holds 0 or 1 and is what setenforce writes when changing the mode
• On newer distributions the same filesystem is mounted at /sys/fs/selinux (sestatus shows the mount point in use)

Page 19:

getsebool

• Lists the Booleans that can be set in SELinux
• Use -a to see all available Booleans

Page 20:

setsebool

• Sets boolean values for SELinux
• Use -P to make changes persistent (without it the change is lost at reboot)
• Example:
• setsebool httpd_can_network_connect on
• To prevent Linux users in the user_t domain from executing applications in their home directories and /tmp/:
• /usr/sbin/setsebool -P allow_user_exec_content off

Page 21:

[Command] -Z

• ps -Z: reveals the various sandboxes/domains (subjects)
• ls -Z: reveals the security context of files/directories (objects)
• cp: the destination is a new file and gets a NEW security context (type), like any newly created file in that directory; cp --preserve=context keeps the source's label instead
• mv: preserves the SELinux security tuple/context/label, because the inode (and the label stored on it) moves with the file
• id -Z: reveals the current security context of the user (tuple)

Page 22:

id -Z

• SEuser:SErole:SEtype (modern policies add a fourth field, the MLS/MCS level, e.g. s0)
• Field #1 - User label:
  • Confined login user: user_u (or staff_u, etc.)
  • Unconfined login user, including root, on the targeted policy: unconfined_u
  • System processes and daemons: system_u
• Field #2 - Role (RBAC, Role-Based Access Control):
  • Unconfined users, including root: unconfined_r
  • System processes and daemons: system_r
• Field #3 - Type (for objects, i.e. files) / Domain (for subjects, i.e. programs and users):
  • Unconfined users, including root: unconfined_t
  • Processes, e.g. httpd: httpd_t, dhcpd_t

Page 23:

chcon

• The 'chcon' command may be used to change the SELinux security context of a file or of files/directories, in a similar way to how 'chown' or 'chmod' may be used to change the ownership or standard file permissions of a file.
• A chcon change lives only on the file; it is not recorded in the file-context database, so a later restorecon or full relabel reverts it. For a lasting change, add a rule with semanage fcontext first.

Page 24:

restorecon

• The 'restorecon' command may be used to restore a file's (or files') default SELinux security context, i.e. the one the file-context database says that path should have.
• Use it when you don't want to set the type by hand: restorecon -Rv /path relabels a whole tree and prints each change.

Page 25:

Extended attributes

On a typical Linux disk-based file system, each file is identified uniquely by an inode containing critical metadata for the file, including UNIX ownership and access control information. When the kernel references a file, its inode is read from disk into memory. A standard UNIX permission check simply uses the information present within the inode. SELinux extends standard UNIX security and uses security context labels to make extended access control decisions. The label is stored in the file's extended attributes under the name security.selinux (getfattr -n security.selinux <file> shows it), so the filesystem must support xattrs (ext3/ext4, xfs and btrfs do); a filesystem without them gets one context for all of its files via the context= mount option.

Page 26:

Label behavior during cp, mv and file creation

• File creation: the new file is labeled from its parent directory's label (a type_transition rule in the policy can override this for a given creating domain)
• cp: works like file creation, so the copy gets a fresh label for its new location, not the source's label
• mv: just changes the parent directory; the inode, and the label stored in its xattr, stay as they were (the classic source of a mislabeled file under /var/www)
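The three rules above, as an added example in Python (not from the slides): a toy in-memory filesystem where every entry carries an inode number and a type, with create, cp and mv implemented the way SELinux labeling behaves. The directory types and the two type_transition rules are the ones the targeted policy uses for home directories and for httpd in /tmp, but the paths, inode numbers and the whole filesystem are constructed for illustration.

```python
"""Toy model of SELinux label behaviour on create, cp and mv.

Added example, not from the slides. Rules modelled:
  create: type comes from the parent directory unless a type_transition
          rule for (creating domain, parent type, class) says otherwise
  cp:     is a create (new inode, new label); --preserve=context copies it
  mv:     is a rename (same inode, same xattr, same label)
The paths, inode numbers and tree are constructed.
"""
import posixpath

# Constructed directory tree with the types the targeted policy assigns.
BASE_TREE = {
    "/home/ted": {"type": "user_home_dir_t", "ino": 1},
    "/var/www/html": {"type": "httpd_sys_content_t", "ino": 2},
    "/tmp": {"type": "tmp_t", "ino": 3},
}

# (creating domain, parent type, class) -> type of the new object
TYPE_TRANSITIONS = {
    ("unconfined_t", "user_home_dir_t", "file"): "user_home_t",
    ("httpd_t", "tmp_t", "file"): "httpd_tmp_t",
}


class LabelFS:
    def __init__(self, entries, transitions):
        self.entries = {p: dict(e) for p, e in entries.items()}
        self.transitions = transitions
        self.next_ino = max(e["ino"] for e in entries.values()) + 1

    def label(self, path):
        return self.entries[path]["type"]

    def ino(self, path):
        return self.entries[path]["ino"]

    def create(self, path, domain):
        """New inode; label from parent dir, or from a type_transition."""
        parent_type = self.entries[posixpath.dirname(path)]["type"]
        new_type = self.transitions.get((domain, parent_type, "file"), parent_type)
        self.entries[path] = {"type": new_type, "ino": self.next_ino}
        self.next_ino += 1
        return new_type

    def cp(self, src, dst, domain, preserve_context=False):
        """cp is a create of dst; --preserve=context copies the label."""
        self.create(dst, domain)
        if preserve_context:
            self.entries[dst]["type"] = self.entries[src]["type"]
        return self.entries[dst]["type"]

    def mv(self, src, dst):
        """rename(2): the inode and its security.selinux xattr move as-is."""
        self.entries[dst] = self.entries.pop(src)
        return self.entries[dst]["type"]


def demo():
    """Returns the observable labels for the cases the slide describes."""
    fs = LabelFS(BASE_TREE, TYPE_TRANSITIONS)
    out = {}
    out["create_in_home"] = fs.create("/home/ted/index.html", "unconfined_t")
    home_ino = fs.ino("/home/ted/index.html")
    # mv into the docroot: label stays user_home_t, httpd_t will be denied
    out["mv_to_docroot"] = fs.mv("/home/ted/index.html", "/var/www/html/index.html")
    out["mv_same_inode"] = fs.ino("/var/www/html/index.html") == home_ino
    fs.create("/home/ted/about.html", "unconfined_t")
    # cp into the docroot: new inode, labeled like the destination directory
    out["cp_to_docroot"] = fs.cp("/home/ted/about.html",
                                 "/var/www/html/about.html", "unconfined_t")
    out["cp_preserve"] = fs.cp("/home/ted/about.html", "/var/www/html/about2.html",
                               "unconfined_t", preserve_context=True)
    # httpd creating a session file in /tmp gets its own private type
    out["httpd_tmp"] = fs.create("/tmp/php-session", "httpd_t")
    return out


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case:16s} {value}")
```

The "mv_to_docroot" case is exactly the situation restorecon exists for: the file sits under /var/www/html but still carries user_home_t, so httpd_t is denied until `restorecon -Rv /var/www/html` reapplies the label the file-context database prescribes.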

Page 27:

Roles

• ALL objects (files) MUST be properly labeled
• Files that are improperly labeled will NOT be protected (or will be wrongly denied)
• Roles define which SELinux user identities can have access to which domains
• For example, the domains named_t and squid_t are both in the role system_r. However, named_t cannot transition to squid_t without an allow rule

Page 28:

Role example

• View SELinux user mappings:
  $ semanage user -l
• Allow joe to log in as staff_u:
  $ semanage login -a -s staff_u joe
• Add a file context for everything under /web (used by restorecon; files that already exist are relabeled only when restorecon -R /web is run afterwards):
  $ semanage fcontext -a -t httpd_sys_content_t '/web(/.*)?'
• Allow Apache to listen on port 81:
  $ semanage port -a -t http_port_t -p tcp 81

Page 29:

Add file-context example (a MediaWiki install; /path/to/mediawiki/install is a placeholder)

• semanage fcontext -a -t httpd_user_content_t '/path/to/mediawiki/install(/.*)?'
• semanage fcontext -a -t httpd_user_script_exec_t '/path/to/mediawiki/install/.*\.php5?'
• semanage fcontext -a -t httpd_user_script_exec_t '/path/to/mediawiki/install/includes/.*\.php5?'
• semanage fcontext -a -t httpd_user_script_rw_t '/path/to/mediawiki/install/images(/.*)?'
• The rules only describe the intended labels; apply them to the existing tree with restorecon afterwards