Dynamic Policy Enforcement in a Networked Environment
Brandon Pollet
Enterprise Security Group, Center for Information Security, University of Tulsa
This research was supported by MPO Contract MDA 904-02-R-0039
Motivations and Objectives
• Dynamic Policy Enforcement Agent (DPEA)
• Architecture that provides flexibility and security
• Event-driven run-time modification of security policy
• Real-time response to both internal and external threats
• User-configurable response to security threats
• Intuitive rules configuration through graphical or command line interface
Background – Key Concepts
• Conditional Policy
  – In 2004 Tresys extended the SELinux policy with Conditional Policy
  – Conditional Policy allows sections of the policy to be turned on or off at run-time depending on the value of boolean variables
• Expert Systems
  – Highly specialized computer systems that make decisions based on logic and reasoning
  – Expert systems are highly capable at solving data-intensive problems in their specified domain of knowledge
DPEA Design Principles
• Separation from the SELinux policy
  – Separation is critical due to security concerns
  – If not separated, the DPEA could pose a dire security threat
  – Utilizes the SELinux conditional policy extensions
• Intuitive rule configuration
  – The DPEA is designed for two different user interfaces
    • Graphical configuration manager
    • Command line utility dpeconfig
  – Designed to allow administrators to quickly create rules that match security events with appropriate responses
Design – Software Architecture
• The architecture separates the Agent from the SELinux security policy while still providing the required functionality
• Utilizes the conditional policy extensions to dynamically enforce the policy without having any direct access to it
[Architecture diagram; components shown: Intrusion Detection System, Linux System Logs, SELinux Audit Logs, Agent Logs, Agent Ruleset, DPE Agent Program, SELinux Policy "Policy.conf", SELinux Filesystem /selinux/booleans/, SELinux Security Server]
Design – Configuration Manager
• The DPEA Configuration Manager allows administrators to quickly create security response rules
• By selecting a system event, a boolean to modify, and the boolean's new value, an administrator can instruct the DPEA to respond to security events
[Diagram: the SELMA plug-in generates a system-specific ruleset; each rule pairs a System Event with an SELinux Boolean and a Boolean Value]
Design – Low Level Program Interaction
• Logging interaction takes place through a DPEA-specific log file
• Scans its log file for occurrences of specified system events
• When events are found the ruleset is checked and the appropriate changes are made to the SELinux boolean files
[Diagram: SELinux Security Alert, Snort Alert and System Logs integration feed the DPEA log file; the DPE Agent Program has access to the security alerts, logs and the System Specific Ruleset, and writes to the SELinux Filesystem /selinux/booleans/]
Implementation
• In order to fulfill its design requirements the DPEA must
  – Be highly configurable for administrators
  – Interact with the system's logging and alert functions
  – Modify the SELinux Boolean files
• To accomplish this the implementation of the DPEA is split into three main sections:
  – Agent System
  – Configuration Manager
  – SELinux Boolean Manager
Implementation – Agent System
• The decision-making capabilities of the agent system are the core of the DPEA
• CLIPS was used to produce a stable expert system tailored to the requirements of the DPEA
• Rule Translation
  – The first step in DPEA implementation
  – Translate rules from the configuration manager into CLIPS-formatted rules
  – Rule parser that outputs CLIPS-compatible rules into the DPEA Knowledge Base
Implementation – Rule Example
• Rules represent logic in the expert system
• Each rule has two main sections
  – If section
  – Then section
• Standard rules
• Conjunctive rules

    (defrule user_disable_trans_rule
      (log auth_failure)
      =>
      (assert (true user_disable_trans)))

    (defrule port_scan_rule
      (log port_scan)
      (true full_service)
      =>
      (assert (false inet_full_service)))
Implementation – Agent System
• Facts
  – Represent knowledge in an expert system
• DPEA facts
  – Mainly constructed from log entries
  – Also constructed from boolean values and system information
• The Agent system constructs facts from logs by
  – Scanning the log file for any system events
  – When an event occurs it is parsed for fact information
  – Constructed into a CLIPS fact
  – Inserted into the Knowledge Base
Implementation – Boolean Manager
• To facilitate the separation of the DPEA from the security policy, all interaction takes place through SELinux boolean files
• When a rule fires that requires a boolean to be modified
  – A boolean fact is inserted into the DPEA knowledge base
  – The Boolean manager scans for newly created boolean facts
  – When a fact is found it removes the fact and calls the SELinux utility setsebool to make the change
Implementation – Configuration Manager
• The DPEA Configuration Manager has two forms
  – Graphical Configuration utility
  – Command Line utility
• Both utilities provide functionality for
  – Rule creation
    • Rules can require any number of if sections to fire
  – Rule deletion
  – Rule examination
• Both utilities store rules in the same file
Implementation – GUI
• Lists current rules
• Create new rules
• Delete rules
Implementation – CLI
• Add a rule
  – dpeConfig -a <event> <boolean> <value>
• Add a multi-part rule
  – dpeConfig -am <event1> <event2> .. -b <boolean> -v <value>
• List current rules
  – dpeConfig -l
• Delete a rule
  – dpeConfig -d <rule_number>
• List events
  – dpeConfig -le
• List booleans
  – dpeConfig -lb
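The rule-translation step and the configuration-manager operations above are easiest to see in code. The following is an added Python sketch, not code from the DPEA project: it keeps a ruleset of (events, boolean, value) triples, supports the add, multi-part add, list and delete operations of dpeConfig, and renders each rule in the CLIPS defrule form shown on the Rule Example slide. The event and boolean name lists, the file format (one tab-separated rule per line) and all class and function names are assumptions.

```python
"""Added example (not the DPEA's own code): a dpeConfig-style rule store and CLIPS rule translator."""
from dataclasses import dataclass, field
from pathlib import Path
from typing import List

# Event and boolean names are taken from the slides; the lists themselves are constructed
# (the real tool would produce them for dpeConfig -le / -lb).
KNOWN_EVENTS = ("auth_failure", "avc_denied", "port_scan")
KNOWN_BOOLEANS = ("user_disable_trans", "user_disable_type", "inet_full_service")


@dataclass
class Rule:
    events: List[str]   # the "if" sections: every listed event must be present for the rule to fire
    boolean: str        # the "then" section: SELinux boolean to set
    value: bool         # new value of that boolean

    def name(self) -> str:
        return "_".join(self.events) + "_rule"

    def to_clips(self) -> str:
        """Render the rule in the defrule form the agent's CLIPS knowledge base consumes."""
        conditions = "\n".join(f"  (log {event})" for event in self.events)
        word = "true" if self.value else "false"
        return f"(defrule {self.name()}\n{conditions}\n  =>\n  (assert ({word} {self.boolean})))"


@dataclass
class RuleStore:
    """Ruleset shared by the GUI and CLI; rule numbers for -d are 1-based listing positions (assumed)."""
    rules: List[Rule] = field(default_factory=list)

    def add(self, events: List[str], boolean: str, value: bool) -> Rule:
        """dpeConfig -a (one event) and -am (several events) both end up here."""
        unknown = [e for e in events if e not in KNOWN_EVENTS]
        if unknown or not events:
            raise ValueError(f"unknown or missing events: {unknown}")
        if boolean not in KNOWN_BOOLEANS:
            raise ValueError(f"unknown boolean: {boolean}")
        rule = Rule(list(events), boolean, value)
        self.rules.append(rule)
        return rule

    def delete(self, number: int) -> Rule:
        """dpeConfig -d <rule_number>."""
        if not 1 <= number <= len(self.rules):
            raise IndexError(f"no rule {number}")
        return self.rules.pop(number - 1)

    def listing(self) -> List[str]:
        """dpeConfig -l: numbered, human-readable lines."""
        return [f"{i}: if {' and '.join(r.events)} then {r.boolean}={str(r.value).lower()}"
                for i, r in enumerate(self.rules, 1)]

    def dumps(self) -> str:
        """Assumed file format: one rule per line, tab-separated: comma-joined events, boolean, 0/1."""
        return "".join(f"{','.join(r.events)}\t{r.boolean}\t{int(r.value)}\n" for r in self.rules)

    @classmethod
    def loads(cls, text: str) -> "RuleStore":
        store = cls()
        for line in text.splitlines():
            if not line.strip():
                continue
            events, boolean, value = line.split("\t")
            store.add(events.split(","), boolean, value == "1")
        return store

    def save(self, path: Path) -> None:
        path.write_text(self.dumps())

    @classmethod
    def load(cls, path: Path) -> "RuleStore":
        return cls.loads(path.read_text()) if path.exists() else cls()

    def to_clips(self) -> str:
        """Rule translation: the whole ruleset as CLIPS rules for the knowledge base."""
        return "\n\n".join(r.to_clips() for r in self.rules)


if __name__ == "__main__":
    store = RuleStore()
    store.add(["auth_failure"], "user_disable_trans", True)
    store.add(["port_scan", "avc_denied"], "inet_full_service", False)
    print("\n".join(store.listing()))
    print(store.to_clips())
```

Validating event and boolean names at add time is the point worth keeping: a rule that names a boolean the policy does not define would otherwise fail only when setsebool runs in response to a live event.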
System and Network Configuration
• System Configuration
  – In its early state the DPEA requires a large amount of initial configuration
  – Configuration requires
    • Setting up the system logging
    • Modifying the system's SELinux policy to correspond with the DPEA booleans
    • Writing the rule-set for the agent program
  – Rule-set profiles help to alleviate this configuration across a network
  – Network hosts can be set up using a pre-defined profile. These profiles then serve as a baseline for DPEA rule sets
  – Profiles could be manually distributed to each host or pushed out from a centralized server using RSS
Examples
• Privilege Escalation
  – DPEA responds to an authorization failure event
  – This occurs when a user attempts to become root with an incorrect password
• Example log entry
    Apr 4 13:33:03 localhost su(pam_unix)[24041]: authentication failure; logname=dpeTest uid=500 euid=0 tty= ruser=dpeTest rhost= user=root
Example – Privilege Escalation Rule
• This rule sets the value of user_disable_trans to true when an authentication failure event occurs
Privilege Escalation Outcome
Example – Unauthorized Access
• Unauthorized Access
  – DPEA responds to an SELinux audit message
  – This occurred when a user attempted to access the shadow password file
• Example log entry
    avc: denied {read} for pid=12999 exe=/usr/bin/gedit name=shadow dev=03:02 ino=391745 scontext=dpeTest:staff_r:staff_t tcontext=system_u:object_r:shadow_t tclass=file
Example – Unauthorized Access Rule
• This rule sets the value of user_disable_type to true when an avc denied event occurs
Unauthorized Access Outcome
Example – Malicious Use
• Malicious Use of Services
  – The system is a web server which also has ssh access for administrative purposes
  – DPEA responds to a port_scan event from its Intrusion Detection System
• Example log entry
    spp_portscan: PORTSCAN DETECTED from 192.168.1.10 [**] 04/22- 18:48:53.681227
Example – Malicious Use Rule
• This conjunctive rule sets the value of inet_full_service to false if a port scan is detected and the system's full services are currently active
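The agent-system slides (fact construction from log entries, rule firing, and the boolean manager calling setsebool) and the three worked examples describe one pipeline. The following added Python example, which is not the DPEA's own code, runs that pipeline end to end over the three example log entries from these slides: it constructs one fact per recognised event, evaluates a standard rule for the authentication failure and the avc denial plus the conjunctive port-scan rule, and hands the resulting boolean changes to a dry-run wrapper around setsebool. The regular expressions, the in-memory boolean table and all function names are assumptions; the real agent inserts facts into CLIPS rather than matching them in Python.

```python
"""Added example (not the DPEA's own code): log events -> facts -> rules -> setsebool, in one pass."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# The three example log entries from the slides, used here as constructed input.
SAMPLE_LOG = [
    "Apr 4 13:33:03 localhost su(pam_unix)[24041]: authentication failure; "
    "logname=dpeTest uid=500 euid=0 tty= ruser=dpeTest rhost= user=root",
    "avc: denied {read} for pid=12999 exe=/usr/bin/gedit name=shadow dev=03:02 "
    "ino=391745 scontext=dpeTest:staff_r:staff_t tcontext=system_u:object_r:shadow_t tclass=file",
    "spp_portscan: PORTSCAN DETECTED from 192.168.1.10 [**] 04/22- 18:48:53.681227",
]

# Event detectors (assumed patterns): each maps a log line to an event name and its fact fields.
EVENT_PATTERNS = {
    "auth_failure": re.compile(r"authentication failure;.*\buser=(?P<user>\S+)"),
    "avc_denied": re.compile(r"avc:\s+denied\s+\{(?P<perm>[^}]+)\}.*\bname=(?P<name>\S+).*\btclass=(?P<tclass>\S+)"),
    "port_scan": re.compile(r"PORTSCAN DETECTED from (?P<src>[\d.]+)"),
}

# Rules as (required events, required boolean states, boolean to set, new value).
# The first two are standard rules; the third is the conjunctive rule from the slides.
RULES = [
    ({"auth_failure"}, {}, "user_disable_trans", True),
    ({"avc_denied"}, {}, "user_disable_type", True),
    ({"port_scan"}, {"inet_full_service": True}, "inet_full_service", False),
]

Fact = Tuple[str, Dict[str, str]]


def parse_line(line: str) -> Optional[Fact]:
    """Construct a fact (event name, captured fields) from one log line, or None if no event matches."""
    for event, pattern in EVENT_PATTERNS.items():
        match = pattern.search(line)
        if match:
            return event, match.groupdict()
    return None


def evaluate(facts: List[Fact], booleans: Dict[str, bool]) -> List[Tuple[str, bool]]:
    """Return the (boolean, value) changes whose rules fire on the current facts and boolean states."""
    present = {event for event, _ in facts}
    changes = []
    for events, needed, boolean, value in RULES:
        if not events <= present:
            continue                      # an "if" section is missing
        if any(booleans.get(b) != v for b, v in needed.items()):
            continue                      # conjunctive condition on boolean state does not hold
        if booleans.get(boolean) != value:
            changes.append((boolean, value))
    return changes


def apply_changes(changes, booleans, dry_run=True) -> List[str]:
    """Boolean manager: push each change with setsebool, or only record the command when dry_run."""
    commands = []
    for boolean, value in changes:
        cmd = ["setsebool", boolean, "1" if value else "0"]
        commands.append(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)   # needs root on an SELinux host
        booleans[boolean] = value
    return commands


def run_agent(lines, booleans, dry_run=True):
    """One pass of the agent loop over a batch of log lines: scan, build facts, fire rules, apply."""
    facts = [fact for fact in map(parse_line, lines) if fact is not None]
    return facts, apply_changes(evaluate(facts, booleans), booleans, dry_run)


if __name__ == "__main__":
    state = {"user_disable_trans": False, "user_disable_type": False, "inet_full_service": True}
    facts, commands = run_agent(SAMPLE_LOG, state)
    for fact in facts:
        print("fact:", fact)
    for command in commands:
        print("would run:", command)
```

Two details matter for a response agent of this kind. Conditioning the port-scan rule on the current boolean state, as the slides' conjunctive rule does, keeps the agent from re-issuing setsebool on every repeated alert, and skipping changes that would not alter a boolean's value keeps the audit trail of policy changes to the events that actually mattered.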
Malicious Use Outcome