linux system hardening thanks to systemd
play

Linux system hardening thanks to systemd Timothe Ravier French - PowerPoint PPT Presentation

May 14, 2023 •12 likes •382 views

Linux system hardening thanks to systemd Timothe Ravier French Network and Information Security Agency (ANSSI) RMLL 2017 Goal of this talk Goal of this talk Increase the security of standard Linux distributions Use security features

  1. Linux system hardening thanks to systemd Timothée Ravier French Network and Information Security Agency (ANSSI) RMLL 2017

  2. Goal of this talk

  3. Goal of this talk ◮ Increase the security of standard Linux distributions ◮ Use security features made available to userspace by the Linux kernel ◮ Take advantage of their integration into systemd ◮ Simplify deployments and help system maintenance ANSSI Linux system hardening thanks to systemd 3/25

  4. systemd “how-to” in three slides

  5. systemd? ◮ Integrated in most Linux distributions as a replacement for SysVinit ◮ Handle system boot up and manage system services ◮ Responsible for environment setup for system daemons ◮ Init scripts are replaced by declarative configuration files: units ANSSI Linux system hardening thanks to systemd 5/25

  6. Unit? To display the current configuration of a service: Command # systemctl cat php -fpm.service # /usr/lib/systemd/system/php -fpm.service [Unit] Description=The PHP FastCGI Process Manager After=network.target [Service] Type=notify PIDFile =/run/php -fpm/php -fpm.pid ExecStart =/usr/bin/php -fpm --nodaemonize PrivateTmp=true [Install] WantedBy=multi -user.target ANSSI Linux system hardening thanks to systemd 6/25

  7. Unit? To display the current configuration of a service: # systemctl cat php -fpm.service Corresponding file # /usr/lib/systemd/system/php -fpm.service [Unit] Description=The PHP FastCGI Process Manager After=network.target [Service] Type=notify PIDFile =/run/php -fpm/php -fpm.pid ExecStart =/usr/bin/php -fpm --nodaemonize PrivateTmp=true [Install] WantedBy=multi -user.target ANSSI Linux system hardening thanks to systemd 6/25

  8. Unit? To display the current configuration of a service: # systemctl cat php -fpm.service # /usr/lib/systemd/system/php -fpm.service Who? [Unit] When? Description=The PHP FastCGI Process Manager After=network.target [Service] Type=notify PIDFile =/run/php -fpm/php -fpm.pid ExecStart =/usr/bin/php -fpm --nodaemonize PrivateTmp=true [Install] WantedBy=multi -user.target ANSSI Linux system hardening thanks to systemd 6/25

  9. Unit? To display the current configuration of a service: # systemctl cat php -fpm.service # /usr/lib/systemd/system/php -fpm.service [Unit] Description=The PHP FastCGI Process Manager After=network.target [Service] What? Type=notify How? PIDFile =/run/php -fpm/php -fpm.pid ExecStart =/usr/bin/php -fpm --nodaemonize PrivateTmp=true [Install] WantedBy=multi -user.target ANSSI Linux system hardening thanks to systemd 6/25

  10. Unit? To display the current configuration of a service: # systemctl cat php -fpm.service # /usr/lib/systemd/system/php -fpm.service [Unit] Description=The PHP FastCGI Process Manager After=network.target [Service] Type=notify PIDFile =/run/php -fpm/php -fpm.pid ExecStart =/usr/bin/php -fpm --nodaemonize PrivateTmp=true [Install] Why? WantedBy=multi -user.target ANSSI Linux system hardening thanks to systemd 6/25

  11. Example: switching to an unprivileged user and group Edit the service configuration: # systemctl edit php -fpm.service ANSSI Linux system hardening thanks to systemd 7/25

  12. Example: switching to an unprivileged user and group Edit the service configuration: # systemctl edit php -fpm.service add the following content: [Service] User=http Group=www ANSSI Linux system hardening thanks to systemd 7/25

  13. Example: switching to an unprivileged user and group Edit the service configuration: # systemctl edit php -fpm.service add the following content: [Service] User=http Group=www and make those changes effective: # systemctl daemon -reload # systemctl restart php -fpm.service ANSSI Linux system hardening thanks to systemd 7/25

  14. Taking advantage of security features from the Linux kernel

  15. Filtering access to system calls using seccomp-bpf Concept ◮ Restrict which system calls are available to a process ◮ Also applies to child processes ANSSI Linux system hardening thanks to systemd 9/25

  16. Filtering access to system calls using seccomp-bpf Concept ◮ Restrict which system calls are available to a process ◮ Also applies to child processes Example [Service] SystemCallFilter =~ chroot SystemCallFilter =~ @obsolete ANSSI Linux system hardening thanks to systemd 9/25

  17. Filtering access to system calls using seccomp-bpf Concept ◮ Restrict which system calls are available to a process ◮ Also applies to child processes Example [Service] SystemCallFilter =~ chroot SystemCallFilter =~ @obsolete Beware ◮ Can be bypassed with ptrace on kernels < 4.8 ◮ Solution: add a filter for the ptrace system call: [Service] SystemCallFilter =~ ptrace ANSSI Linux system hardening thanks to systemd 9/25

  18. Linux capabilities Concept ◮ Restrict privileges granted to a process (potentially running as root) ◮ Grant a subset of root privileges to an unprivileged process ANSSI Linux system hardening thanks to systemd 10/25

  19. Linux capabilities Concept ◮ Restrict privileges granted to a process (potentially running as root) ◮ Grant a subset of root privileges to an unprivileged process Example [Service] CapabilityBoundingSet = CAP_NET_BIND_SERVICE AmbientCapabilities = CAP_NET_BIND_SERVICE ANSSI Linux system hardening thanks to systemd 10/25

  20. Linux capabilities Concept ◮ Restrict privileges granted to a process (potentially running as root) ◮ Grant a subset of root privileges to an unprivileged process Example [Service] CapabilityBoundingSet = CAP_NET_BIND_SERVICE AmbientCapabilities = CAP_NET_BIND_SERVICE Beware ◮ Some capabilities are equivalent to full root privileges ◮ Avoid blacklists. Whitelist only the capabilities effectively used For more details, see: https://forums.grsecurity.net/viewtopic.php?f=7&t=2522 ANSSI Linux system hardening thanks to systemd 10/25

  21. Mount namespaces Concept ◮ Each service can get its own filesystem hierarchy ◮ Hide arbitrary paths or turn them read-only ANSSI Linux system hardening thanks to systemd 11/25

  22. Mount namespaces Concept ◮ Each service can get its own filesystem hierarchy ◮ Hide arbitrary paths or turn them read-only Example [Service] InaccessiblePaths =/etc/secrets ProtectSystem =full ANSSI Linux system hardening thanks to systemd 11/25

  23. Mount namespaces Concept ◮ Each service can get its own filesystem hierarchy ◮ Hide arbitrary paths or turn them read-only Example [Service] InaccessiblePaths =/etc/secrets ProtectSystem =full Beware ◮ Reversible if CAP_SYS_ADMIN or mount system call is available: [Service] CapabilityBoundingSet =~ CAP_SYS_ADMIN SystemCallFilter =~ @mount ANSSI Linux system hardening thanks to systemd 11/25

  24. Getting your hands dirty (cow?)

  25. Practical example: sandboxing the Dirty CoW ◮ Vulnerability CVE-2016-5195 ◮ Local root made public in October 2016 ◮ Impacted every kernel from the version 2.6.22, released in 2007 ◮ Race condition in the memory management code handling Copy-on-Write ANSSI Linux system hardening thanks to systemd 13/25

  26. Practical example: sandboxing the Dirty CoW Exploit vector ◮ Race condition triggered by the madvise system call Options to mitigate the impact ◮ Block the madvise system call Configuration [Service] SystemCallFilter =~ madvise ANSSI Linux system hardening thanks to systemd 14/25

  27. Practical example: sandboxing the Dirty CoW Exploit vector ◮ Indirect access to memory using the ptrace system call and /proc/self/mem Options to mitigate the impact ◮ Block the ptrace system call ◮ Remove access to the proc virtual filesystem Configuration [Service] SystemCallFilter =~ ptrace InaccessiblePaths =/ proc See https://lists.freedesktop.org/archives/systemd-devel/2017-April/038634.html and https://github.com/systemd/systemd/pull/5985 for more details. ANSSI Linux system hardening thanks to systemd 15/25

  28. Practical example: sandboxing the Dirty CoW Exploit vector ◮ Vulnerable code may be reachable from drivers exposed in /dev Options to mitigate the impact ◮ Remove access to most hardware drivers available from /dev Configuration [Service] PrivateDevices =yes ANSSI Linux system hardening thanks to systemd 16/25

  29. Practical example: The Good, the Bad and the socket ◮ Vulnerability CVE-2016-8655 ◮ Local root ◮ Race condition in AF_PACKET type sockets leading to Use-After-Free in kernel context ◮ Creating AF_PACKET sockets requires CAP_NET_RAW ◮ May be obtained via unprivileged user namespace (Linux � 3.8) ANSSI Linux system hardening thanks to systemd 17/25

  30. Practical example: The Good, the Bad and the socket Exploit vector ◮ AF_PACKET sockets Options to mitigate the impact ◮ Restrict socket type availability Configuration Minimal version with a blacklist: [Service] RestrictAddressFamilies =~ AF_PACKET Better option using a whitelist: [Service] RestrictAddressFamilies =AF_INET AF_INET6 AF_UNIX ANSSI Linux system hardening thanks to systemd 18/25

  31. Practical example: The Good, the Bad and the socket Exploit vector ◮ CAP_NET_RAW capability Options to mitigate the impact ◮ Block acquisition of the CAP_NET_RAW capability Configuration [Service] CapabilityBoundingSet =~ CAP_NET_RAW ANSSI Linux system hardening thanks to systemd 19/25

Recommend

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen 3 Linux security Areas Core Resources Services Environment System Hardening Boot Process Accounting Database Forensics Containers

821 views • 34 slides
systemd chenshh 1 Computer Center, CS, NCTU Before we start systemd is only for linux ONLY

systemd chenshh 1 Computer Center, CS, NCTU Before we start systemd is only for linux ONLY

systemd chenshh 1 Computer Center, CS, NCTU Before we start systemd is only for linux ONLY FOR LINUX NO UNIX 2 2 Computer Center, CS, NCTU History 1.BSD Style init 2.sysvinit 3.upstart 4.systemd 3 3 Computer Center, CS, NCTU BSD

700 views • 42 slides
UNDERSTANDING SYSTEMD THE MODERN LINUX SERVICE MANAGER GARRET ARCORACI, ROCHESTER INST . OF

UNDERSTANDING SYSTEMD THE MODERN LINUX SERVICE MANAGER GARRET ARCORACI, ROCHESTER INST . OF

UNDERSTANDING SYSTEMD THE MODERN LINUX SERVICE MANAGER GARRET ARCORACI, ROCHESTER INST . OF TECHNOLOGY INTRODUCTION ME AND SYSTEMD WHERE DOES SYSTEMD FIT http://www.uefj.org/ IN THE BEGINNING TRADITIONAL BIOS UEFI WHERE IS THE

355 views • 18 slides
GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The GNU userland consists of libc, the init system (SystemD) X11 GUI toolkits etc. Ask the audience Who has used

442 views • 22 slides
Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com

Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com

Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com s-Hertogenbosch, 1 March 2016 Meetup: Den Bosch Linux User Group Goals 1. Learn what to protect 2. Know some strategies 3. Learn tooling Focus

912 views • 60 slides
Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux Kernel Widespread Deployed on: powerful (high performance compute clusters) sensitive (bank, gov. systems, ..) safety critical

995 views • 29 slides
systemd, the modern Linux service and resource manager Alison Chaiken Sept. 8, 2015

systemd, the modern Linux service and resource manager Alison Chaiken Sept. 8, 2015

systemd, the modern Linux service and resource manager Alison Chaiken Sept. 8, 2015 mentor.com/automo tive Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions. Linux is the registered trademark of

947 views • 21 slides
Uplift your Li Linux systems pr progr gramming s amming skills kills w wit ith sy systemd

Uplift your Li Linux systems pr progr gramming s amming skills kills w wit ith sy systemd

Uplift your Li Linux systems pr progr gramming s amming skills kills w wit ith sy systemd and D and D-Bu Bus FOSDEM 2020, Go Devroom (2 nd Feb, 2020) Leonid Vasilyev, &lt;vsleonid@gmail.com&gt; Ag Agenda Scope of this talk

1.26k views • 25 slides
An Introduction to systemd Erik Johnson What is systemd? Replacement for sysvinit Manages

An Introduction to systemd Erik Johnson What is systemd? Replacement for sysvinit Manages

An Introduction to systemd Erik Johnson What is systemd? Replacement for sysvinit Manages your services/daemons Integrated logging (journal) Easy-to-write service files (units) Aims to standardize management of several

478 views • 32 slides
Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect

Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect

Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect Mender.io Session overview Case-studies of 3 botnets Mirai (August 2016) Hajime (October 2016) BrickerBot (March 2017) Common security

902 views • 28 slides
Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables http://outflux.net/slides/2013/drupal/tunables.pdf R0Ng DrupalCon Portland 2013 Kees Cook &lt;keescook@google.com&gt; (pronounced Case) Who is

474 views • 33 slides
Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John Roman Linux System Administrator RAND Corporation SCALE 2017 Roman, John PGP PGP 101 public/private keyrings Roman, John PGP PGP 101

471 views • 43 slides
Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John Roman Linux System Administrator RAND Corporation SCALE 2017 Roman, John PGP PGP 101 public/private keyrings Roman, John PGP PGP 101

690 views • 42 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
Zero-effort Monitoring Support University of Amsterdam Network and System Engineering Julien

Zero-effort Monitoring Support University of Amsterdam Network and System Engineering Julien

Zero-effort Monitoring Support University of Amsterdam Network and System Engineering Julien Nyczak Supervisor: Rick van Rein, ARPA2.net 2 Introduction Linux shipped with large amount of packages systemd, the new init system

431 views • 16 slides
Fantastic DNS records and where to find them Demystifying systemd-resolved and how it is

Fantastic DNS records and where to find them Demystifying systemd-resolved and how it is

Fantastic DNS records and where to find them Demystifying systemd-resolved and how it is integrated on Ubuntu Dimitri John Ledkov &lt;xnox@ubuntu.com&gt; What is systemd-resolved? Local, caching, DNS resolver Per-link nameserver

277 views • 15 slides
Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux

Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux

Linux, whats that? The pieces of a Linux system Linux Concepts Distributions Desktop environments Switching to Linux Epilogue Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux system Linux

767 views • 57 slides
What is GNU/Linux? GNU/Linux is a free operating system Other operating systems:

What is GNU/Linux? GNU/Linux is a free operating system Other operating systems:

What is GNU/Linux? GNU/Linux is a free operating system Other operating systems: Microsoft windows Apple Mac OS X Sun Solaris FreeBSD/OpenBSD AIX And many more..... GNU/Linux history GNU project started by

330 views • 9 slides
Unit 10 Linux Operating System 2 Linux Based on the Unix operating system Developed as

Unit 10 Linux Operating System 2 Linux Based on the Unix operating system Developed as

1 Unit 10 Linux Operating System 2 Linux Based on the Unix operating system Developed as an open-source (&quot;free&quot;) alternative by Linux Torvalds and several others starting in 1991 Originally only for Intel based processors

785 views • 16 slides
TOMOYO Linux A Lightweight and Manageable Security System for PC and Embedded Linux

TOMOYO Linux A Lightweight and Manageable Security System for PC and Embedded Linux

CE Linux Forum Worldwide Embedded Linux Conference 2007 April 17-19, 2007 TOMOYO Linux A Lightweight and Manageable Security System for PC and Embedded Linux http://tomoyo.sourceforge.jp/ Toshiharu Harada Tetsuo Handa NTT DATA

654 views • 47 slides
Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles Virtualization Security Team 1 Preface This talk is x86 and KVM centric 2 Outline Background Current Hardening Split Irqchip, PIT Prototype Hardening

884 views • 41 slides
Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National Security Agency (NSA) A set of patches using the Linux Security Modules (LSM) Hardening GNU/Linux systems with extra security policies and

349 views • 15 slides
World of Tanks Linux and Open Source Inside Maksim Melnikau Im developer in Wargaming

World of Tanks Linux and Open Source Inside Maksim Melnikau Im developer in Wargaming

World of Tanks Linux and Open Source Inside Maksim Melnikau Im developer in Wargaming (Belarus, Minsk) Order of War Order of War: Challenge World of Tanks Linux Mobile hobbyist Openmoko systemd telepathy

1.04k views • 29 slides
Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different operating systems Different vendors Client and server systems Vendors try to correct Attackers try to exploit Security professionals must

620 views • 11 slides

More recommend