

  1. Proactive Security in Linux Lukas Vrabec

  2. About me
  ● Lukas Vrabec
  ● Software Engineer
  ● Member of Security Technologies team at Red Hat
  ● Fedora Contributor (selinux-policy, xguest, udica, netlabel_tools)
  ● lvrabec@redhat.com
  ● https://lukas-vrabec.com
  ● https://github.com/wrabcak
  ● https://twitter.com/mynamewrabcak

  3. Agenda
  ● Proactive Security
  ● Traditional Linux Security
  ● SELinux Security Policy
  ● Updated Userspace with Easier Policy Customization
  ● SELinux and Containers
  ● AVC Messages

  4. Proactive Security

  5. WHEN DO PEOPLE CARE ABOUT SECURITY?

  6. WHERE DO SECURITY ISSUES COME FROM?

  7. HOW ARE THEY FIXED?

  8. REACTIVE SECURITY

  9. YOUR SYSTEM IS NOT PROTECTED DURING THE WINDOW OF VULNERABILITY!

  10. PROACTIVE SECURITY

  11. PROACTIVE SECURITY HELPS TO PROTECT YOUR SYSTEM DURING THE WINDOW OF VULNERABILITY!

  12. SECURITY ENHANCED LINUX IS A SECURITY MECHANISM BRINGING PROACTIVE SECURITY FOR YOUR SYSTEM.

  13. TECHNOLOGY FOR PROCESS ISOLATION TO MITIGATE ATTACKS VIA PRIVILEGE ESCALATION

  14-17. EXPLOIT EXAMPLES WHERE SELINUX HELPED TO PROTECT YOUR SYSTEM
  ● VENOM
  ● DOCKER CVE-2016-9962
  ● SHELLSHOCK

  18. HACKING TIME!

  19. DEMO TIME!

  20. CONCLUSION?

  21. Traditional Linux Security

  22. $ ls -dl /var/www/html/
  drwxr-xr-x. 2 root root /var/www/html/
  (rwx = USER, r-x = GROUP, r-x = ALL others; the trailing "." means the directory also carries an SELinux security context)

  23. $ ps -ef | grep NetworkManager root 11781 1 0 Feb27 00:01:24 /usr/sbin/NetworkManager --no-daemon

  24. PROBLEMS WITH TRADITIONAL (DAC) PERMISSIONS
  ● ROOT BYPASSES THIS SECURITY: OWNER/GROUP/OTHER CHECKS DO NOT APPLY TO UID 0
  ● THE SETUID BIT LETS A BINARY RUN WITH ITS OWNER'S PRIVILEGES, OFTEN ROOT'S

  25. SELinux Security Policy

  26-28. CORE COMPONENT OF SELINUX
  ● A COLLECTION OF SELINUX POLICY RULES
  ● LOADED INTO THE KERNEL BY SELINUX USERSPACE TOOLS

  29-30. ENFORCED BY THE KERNEL, WHICH USES IT TO AUTHORIZE ACCESS REQUESTS ON THE SYSTEM

  31. BY DEFAULT EVERYTHING IS DENIED AND YOU DEFINE POLICY RULES TO ALLOW CERTAIN REQUESTS.

  32. SELINUX POLICY RULES

  33. DESCRIBE AN INTERACTION BETWEEN PROCESSES AND SYSTEM RESOURCES

  34. SELINUX POLICY RULE IN HUMAN LANGUAGE

  35. "APACHE process can READ its LOGGING FILE"

  36. SELINUX VIEW OF THAT INTERACTION

  37. ALLOW apache_process apache_log:FILE READ;

  38. apache_process AND apache_log ARE LABELS

  39. LABELS

  40-43. LABELS ARE
  ● ASSIGNED TO PROCESSES
  ● ASSIGNED TO SYSTEM RESOURCES
  ● ASSIGNED BY THE SELINUX SECURITY POLICY
  ● A MAPPING OF REAL SYSTEM ENTITIES INTO THE SELINUX WORLD

  44. LABELS IN REALITY

  45. STORED IN THE security.selinux EXTENDED ATTRIBUTE OF THE FILE SYSTEM (EXT2, EXT3, EXT4, ...)

  46. # getfattr -n security.selinux /etc/passwd
  getfattr: Removing leading '/' from absolute path names
  # file: etc/passwd
  security.selinux="system_u:object_r:passwd_file_t:s0"

  # ls -Z /etc/passwd
  system_u:object_r:passwd_file_t:s0 /etc/passwd

  47. SELINUX LABELS CONSIST OF FOUR PARTS

  48. <user>:<role>:<type>:<MLS/MCS>

  49. <user>
  ● Not the same as Linux users
  ● Several Linux users can be mapped to a single SELinux user
  ● system_u is the SELinux user of system processes and of the system resources they own (there is no separate "object" user: files carry system_u too, as the getfattr output for /etc/passwd shows)
  ● Can be limited to a set of SELinux roles

  51. <role>
  ● SELinux users can have multiple roles, but only one can be active at a time
  ● object_r is a placeholder role for system resources
  ● system_r is the role of system processes
  ● Can be limited to a set of SELinux types

  53. <type>
  ● Security model known as TYPE ENFORCEMENT
  ● In practice you care almost only about types: policy rules describe interactions between types

  54. <MLS/MCS>
  ● Multi Level Security / Multi Category Security
  ● Only the MCS part is used in the Targeted Policy, with the default level s0
  ● Lets resources be marked with compartment tags (categories: s0:c1, s0:c2, ...)
  ● Used for RHEL virtualization and for container security
  ● s0:c1 cannot access s0:c2

  55. IN RHEL7 WE SHIP THE TARGETED SELINUX POLICY BY DEFAULT

  56. WE MOSTLY CARE ONLY ABOUT TYPES

  57. SELINUX ALLOW RULE SYNTAX WITH TYPES

  58. ALLOW TYPE1 TYPE2:OBJECT_CLASS PERMISSION;

  59. ALLOW APACHE_T APACHE_LOG_T:FILE READ;

  60. DOMAIN TRANSITION RULES

  61. TYPE_TRANSITION TYPE1 TYPE2:PROCESS NEW_DOMAIN;

  62. TYPE_TRANSITION INIT_T HTTPD_EXEC_T:PROCESS HTTPD_T;

  63. FILE TRANSITION RULES

  64. TYPE_TRANSITION TYPE1 TYPE2:OBJECT_CLASS NEW_TYPE;

  65. TYPE_TRANSITION HTTPD_T VAR_LOG_T:FILE HTTPD_LOG_T;
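How the kernel actually applies these two rule kinds, as an added Python example (not from the slides and not SELinux project code): a toy policy evaluator. Its rule set is hand-written to mirror the slide types (init_t, httpd_exec_t, httpd_t, var_log_t, httpd_log_t) plus an assumed bin_t for the no-transition case; it is not the real targeted policy. The point a practitioner needs: a type_transition rule on its own never causes a transition. For a domain transition the kernel also requires allow rules for file:execute on the executable, process:transition to the new domain and file:entrypoint for the new domain (or file:execute_no_trans when no transition applies), and a file type_transition still needs dir:add_name on the parent and file:create on the resulting type.

```python
# Added example, not from the slides: a toy evaluator showing how the kernel
# decides the two transitions on slides 60-65 and why a bare type_transition
# rule is not sufficient on its own. The rule set below is hand-written to
# mirror the slide types (init_t, httpd_exec_t, httpd_t, var_log_t,
# httpd_log_t) plus an assumed bin_t; it is not the real targeted policy.
from dataclasses import dataclass


@dataclass(frozen=True)
class Allow:
    src: str
    tgt: str
    cls: str
    perms: frozenset


@dataclass(frozen=True)
class TypeTransition:
    src: str
    tgt: str
    cls: str
    new: str


class Policy:
    def __init__(self, rules):
        self.allows = [r for r in rules if isinstance(r, Allow)]
        self.transitions = {(r.src, r.tgt, r.cls): r.new
                            for r in rules if isinstance(r, TypeTransition)}

    def allowed(self, src, tgt, cls, perm):
        return any(r.src == src and r.tgt == tgt and r.cls == cls and perm in r.perms
                   for r in self.allows)

    def exec_domain(self, domain, exec_type):
        """Domain of the process after execve() of a file labelled exec_type.

        Mirrors the kernel checks: the caller needs file:execute; if a
        type_transition matches, the caller needs process:transition to the new
        domain and the new domain needs file:entrypoint on the executable;
        otherwise the process stays in its domain and needs file:execute_no_trans.
        Returns (new_domain_or_None, reason)."""
        if not self.allowed(domain, exec_type, "file", "execute"):
            return None, f"denied: {domain} lacks file:execute on {exec_type}"
        new = self.transitions.get((domain, exec_type, "process"))
        if new is None:
            if not self.allowed(domain, exec_type, "file", "execute_no_trans"):
                return None, f"denied: {domain} lacks file:execute_no_trans on {exec_type}"
            return domain, "no type_transition: stays in caller domain"
        if not self.allowed(domain, new, "process", "transition"):
            return None, f"denied: {domain} lacks process:transition to {new}"
        if not self.allowed(new, exec_type, "file", "entrypoint"):
            return None, f"denied: {new} lacks file:entrypoint on {exec_type}"
        return new, "transition"

    def create_file(self, domain, dir_type, cls="file"):
        """Type of a new object created by domain inside a directory labelled dir_type.

        A matching type_transition picks the type; otherwise the object inherits
        the parent directory's type. The creator still needs dir:add_name on the
        parent and cls:create on the resulting type."""
        new = self.transitions.get((domain, dir_type, cls), dir_type)
        if not self.allowed(domain, dir_type, "dir", "add_name"):
            return None, f"denied: {domain} lacks dir:add_name on {dir_type}"
        if not self.allowed(domain, new, cls, "create"):
            return None, f"denied: {domain} lacks {cls}:create on {new}"
        return new, ("transition" if new != dir_type else "inherited")


# Complete rule set: everything the two slide transitions actually need.
SLIDE_POLICY = Policy([
    Allow("init_t", "httpd_exec_t", "file", frozenset({"execute"})),
    TypeTransition("init_t", "httpd_exec_t", "process", "httpd_t"),
    Allow("init_t", "httpd_t", "process", frozenset({"transition"})),
    Allow("httpd_t", "httpd_exec_t", "file", frozenset({"entrypoint"})),
    Allow("init_t", "bin_t", "file", frozenset({"execute", "execute_no_trans"})),
    Allow("httpd_t", "var_log_t", "dir", frozenset({"search", "write", "add_name"})),
    TypeTransition("httpd_t", "var_log_t", "file", "httpd_log_t"),
    Allow("httpd_t", "httpd_log_t", "file", frozenset({"create", "open", "append", "getattr"})),
])

# Only the single type_transition line from slide 62 plus file:execute.
INCOMPLETE_POLICY = Policy([
    Allow("init_t", "httpd_exec_t", "file", frozenset({"execute"})),
    TypeTransition("init_t", "httpd_exec_t", "process", "httpd_t"),
])

if __name__ == "__main__":
    print(SLIDE_POLICY.exec_domain("init_t", "httpd_exec_t"))
    print(INCOMPLETE_POLICY.exec_domain("init_t", "httpd_exec_t"))
    print(SLIDE_POLICY.create_file("httpd_t", "var_log_t"))
```

With the complete rule set, init_t executing httpd_exec_t lands in httpd_t and a log file created by httpd_t under var_log_t comes out as httpd_log_t; with only the slide's type_transition line, the evaluator reports the missing process:transition permission, which is exactly the gap a real system would surface as a denial.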

  66-71. SELINUX MODES
  ● ENFORCING: THE SELINUX SECURITY POLICY IS ENFORCED BY THE KERNEL
  ● PERMISSIVE: THE POLICY IS NOT ENFORCED BY THE KERNEL; ACCESSES THAT WOULD BE DENIED ARE STILL ALLOWED, BUT THEY ARE LOGGED

  72. UPDATED USERSPACE WITH EASIER POLICY CUSTOMIZATION

  73. NEW COMMON INTERMEDIATE LANGUAGE - CIL

  74. "M4 + COMPILATION" VS. CIL

  75-77. WHAT CIL BRINGS
  ● PERFORMANCE IMPROVEMENTS
  ● NEW POSSIBILITIES FOR HIGH-LEVEL LANGUAGES (HLL) BUILT ON TOP OF IT
  ● USABILITY

  78. LOCAL POLICY IN TWO STEPS

  79. # cat myapache.cil
  (allow httpd_t httpd_log_t (file (open read getattr)))

  80. # semodule -i myapache.cil

  81. HOW DO WE DO IT WITH M4 + COMPILATION?

  82. # cat myapache.te
  policy_module(myapache, 1.0)

  require {
      type httpd_t;
      type httpd_log_t;
  }

  allow httpd_t httpd_log_t:file { open read getattr };

  83. # make -f /usr/share/selinux/devel/Makefile
  # semodule -i myapache.pp

  84. SELINUX VS. CONTAINERS

  85. APPLIES MAC, THE SAME MCS SEPARATION USED FOR VIRTUAL MACHINES, TO ISOLATE CONTAINERS FROM EACH OTHER

  86-87. PROCESS LABELS: container_t:s0:c1,c2 and container_t:s0:c2,c3
  FILE LABELS: container_file_t:s0:c1, container_file_t:s0:c2, container_file_t:s0:c3

  88. Granted access:
  ● container_t:s0:c1,c2
    ○ container_file_t:s0
    ○ container_file_t:s0:c1
    ○ container_file_t:s0:c2
    ○ container_file_t:s0:c1,c2
  ● container_t:s0:c2,c3
    ○ container_file_t:s0
    ○ container_file_t:s0:c2
    ○ container_file_t:s0:c3
    ○ container_file_t:s0:c2,c3
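The check that produces this table, as an added Python example (not from the slides and not from the selinux-policy or container tooling): it splits a full label into its four parts, parses the MLS/MCS field (including c1.c3 category ranges and s0-s0:c0.c1023 level ranges) and applies the MCS rule for file read/write, namely that the subject's high level must dominate the object's level: equal-or-higher sensitivity and a superset of categories. Two assumptions to keep in mind: in current Fedora/RHEL policy this file constraint is enforced only for subject types carrying the mcs_constrained_type attribute (container_t is one), and MCS is layered on top of type enforcement, so container_t still needs an allow rule to container_file_t for the access to succeed. All labels in the code are constructed for the example.

```python
# Added example, not from the slides: the MCS dominance check behind the
# "granted access" table for container_t / container_file_t. Labels below are
# constructed for illustration. MCS is evaluated in addition to type
# enforcement, which must separately allow the access.
import re

_SENS = re.compile(r"^s(\d+)$")


def parse_level(level):
    """'s0:c1,c2' -> (0, {1, 2}); 's0' -> (0, set()); 's0:c1.c3' -> (0, {1, 2, 3})."""
    sens, _, cats = level.partition(":")
    m = _SENS.match(sens)
    if not m:
        raise ValueError(f"bad sensitivity in {level!r}")
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")          # 'c1.c3' is an inclusive range
        if not lo.startswith("c") or (hi and not hi.startswith("c")):
            raise ValueError(f"bad category in {level!r}")
        start = int(lo[1:])
        end = int(hi[1:]) if hi else start
        out.update(range(start, end + 1))
    return int(m.group(1)), frozenset(out)


def high_level(level_or_range):
    """MCS compares the high end of a range: 's0-s0:c0.c1023' -> 's0:c0.c1023'."""
    return level_or_range.rsplit("-", 1)[-1]


def split_label(label):
    """'system_u:object_r:container_file_t:s0:c1' -> (user, role, type, level)."""
    parts = label.split(":", 3)                  # the level itself may contain ':'
    if len(parts) != 4:
        raise ValueError(f"expected user:role:type:level, got {label!r}")
    return tuple(parts)


def dominates(high, low):
    """(sens, cats) dominance: sensitivity >= and categories a superset."""
    return high[0] >= low[0] and high[1] >= low[1]


def mcs_file_access(process_label, file_label):
    """MCS constraint on file read/write between two full labels."""
    proc_level = parse_level(high_level(split_label(process_label)[3]))
    file_level = parse_level(split_label(file_label)[3])
    return dominates(proc_level, file_level)


def granted_table(process_levels, file_levels):
    """For each process MCS level, the file MCS levels it may read/write."""
    return {p: [f for f in file_levels
                if dominates(parse_level(high_level(p)), parse_level(f))]
            for p in process_levels}


if __name__ == "__main__":
    files = ["s0", "s0:c1", "s0:c2", "s0:c3", "s0:c1,c2", "s0:c2,c3"]
    for proc, ok in granted_table(["s0:c1,c2", "s0:c2,c3"], files).items():
        print(f"container_t:{proc} -> " + ", ".join(f"container_file_t:{f}" for f in ok))
```

Run stand-alone it reproduces the two rows of the slide's table; the same functions also explain why an unconfined process labelled s0-s0:c0.c1023 reaches every container file, and why a file labelled plain s0 (no categories) is readable by every container, which is the reason container runtimes give each container's own files a category pair rather than leaving them at s0.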
