secure enhanced linux
play

Secure Enhanced Linux Julian Richen SELinux? Started as a research - PowerPoint PPT Presentation

Dec 27, 2023 •183 likes •349 views

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National Security Agency (NSA) A set of patches using the Linux Security Modules (LSM) Hardening GNU/Linux systems with extra security policies and

  1. Secure Enhanced Linux Julian Richen

  2. SELinux? ● Started as a research project from the National Security Agency (NSA) ● A set of patches using the Linux Security Modules (LSM) – Hardening GNU/Linux systems with extra security policies and enforcing Mandatory Access Control (MAC) – Similar to modules like AppArmor, Smack, TOMOYO ● NSA published the code under the GPL in 2000 ● Upstream Linux kernel adopted patches in 2003 2

  3. Who develops it? ● NSA ● Red Hat ● MITRE Corporation ● Secure Computing Corporation (SSC) ● Individual contributors & companies – CUPS Project, SAMBA Project, IBM, Tresys T echnology, and more ● Full list: – https://www.nsa.gov/what-we- do/research/selinux/contributors.shtml 3

  4. Source? ● Source: – https://github.com/SELinuxProject/selinux ● Bugs – NSA: selinux@tycho.nsa.gov – Red Hat: https://bugzilla.redhat.com/ ● Policies – https://github.com/T resysT echnology/refpolicy 4

  5. Who uses it? ● Linux Distros – RHEL, Fedora, SuSE, CentOS, Debian, Ubuntu ● United States Government – NSA, DoD, etc… ● Enterprise – Data sensitive companies, healthcare, or anyone really ● Android – Google implemented SELinux in Android 4.3 (2015) 5

  6. What does it solve? ● Implements Mandatory Access Control (MAC) – Focus on process context instead of role-based security (think DAC) – Enhances Discretionary Access Control (DAC); aka Ownership (user, group, other) with read/write/exec permissions ● MAC policies can be set for: – Users – Files – Directories – Memory – Sockets – tcp/udp ports – And more! 6

  7. Discretionary Access Controls ● Access to objects is restricted based on the identity of a subject and/or group (ownership + permissions). ● Controls are “discretionary” because subjects have a level of permissions that allow them to reach a subject. 7

  8. Discretionary Access Controls Group Other User r w x r w x r w x 8

  9. Mandatory Access Control ● Operating Systems constrain the ability of the subject to access or perform operation on an object or target. ● Basically, access to objects is restricted based on the security levels set by the security context. 9

  10. How does SELinux work? ● It’s basically Mandatory Access Control – SELinux doesn’t replace DAC, MAC can work alongside DAC – SELinux can be enabled/disabled at anytime and system will fallback to DAC ● SELinux uses “Labels” for MAC – These labels are then followed with “T ype Enforcement” – SELinux needs extended attributes on fjle-system to work ● Labels are added as extended attributes ● Use or make security policies – Security policies are just pre-made lists of labels for lots of packages on a GNU/Linux system – SELinux ships with targeted, minimum and mls as defaults. 10

  11. Labeling & Type Enforcement ● Labeling – Every object (fjle, process, port, etc..) has a SELinux context/label ● Label’s job is to create logical groups/levels which the object may interact with – Format ● user:role:type:level(optional) – Labels should be logical, e.g a http servers & ports 80/443 should be grouped together because a http will use those ports ● Type Enforcement – The part of the policy that says a subject with “abc label” can interact with an object with “xyz label”. 11

  12. Label & Type Enforcement Example ● It makes sense that httpd_* labeled label Object objects should interact together. httpd process httpd ● It doesn’t make sense for httpd /usr/bin/httpd httpd_exec_t labeled content to access sensitive /etc/httpd/ httpd_config_t fjles like /etc/shadow or fjles in the home directory. /var/log/httpd/ httpd_log_t /var/www/html/ httpd_sys_content_t Port 80 & 443 httpd_port_t /etc/shadow shadow_t /home/<user>/* user_home_t 12

  13. SELinux Policies ● Policy – Enforcing ● Enforce all policies. – Permissive ● Prints warnings instead of enforcing. – Disabled ● No policy is loaded. ● Types – Targeted ● Support a greater number of confjned daemons, can confjne other users and areas. Good confjnement for most use-cases. – Minimum ● Support minimal set of confjned daemons, rest are set as unconfjned. Used for users to test SELinux and devices that only need to confjne a few daemons. – MLS ● Multi Level Security protection, lots of confjned daemons and users. Used in high-security environments (think Government). – Write your own ● You can write policies that fjt your machine, business, etc… 13

  14. cat /etc/selinux/confjg 14

  15. Attributions ● Docs on SELinux source – https://github.com/SELinuxProject/selinux ● Red Hat’s Thomas Cameron yearly SELinux presentation: – http://people.redhat.com/tcameron/Summit2017/SElinux/selinux_f or_mere_mortals_2017.pdf ● Fedora docs – https://docs-old.fedoraproject.org/en- US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/inde x.html ● SELinux intro by Digital Ocean – https://www.digitalocean.com/community/tutorials/an- introduction-to-selinux-on-centos-7-part-1-basic-concepts 15

Recommend

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows Reinstall usually keeps personal files Advantages of Linux More secure Package manager Software installation is easy, fast and secure Keeps

528 views • 15 slides
Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer

Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer

Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer Science Department State University of New York at Stony Brook http://www.cs.sunysb.edu/stoller/ 1 Security-Enhanced Linux (SELinux) SELinux =

695 views • 21 slides
Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999: 2.2 Linux Kernel (patch) 2000: 2001: 2.4 Linux Kernel (patch) 2002: LSM 2003:

764 views • 43 slides
ELCE 2013 - Secure Embedded Linux Product (A Success Story) Marcin Bis http://bis-linux.com

ELCE 2013 - Secure Embedded Linux Product (A Success Story) Marcin Bis http://bis-linux.com

ELCE 2013 - Secure Embedded Linux Product (A Success Story) Marcin Bis http://bis-linux.com marcin@bis-linux.com Edinburgh - 2013.10.25 1 / 31 About me Marcin Bis Entrepreneur Embedded Linux: system development, kernel

623 views • 31 slides
PROJECT: PROPOSAL TO THE UN ECE OF AN HARMONIZED, SECURE AND ENHANCED IDP By the FIA / AIT WP 1

PROJECT: PROPOSAL TO THE UN ECE OF AN HARMONIZED, SECURE AND ENHANCED IDP By the FIA / AIT WP 1

PROJECT: PROPOSAL TO THE UN ECE OF AN HARMONIZED, SECURE AND ENHANCED IDP By the FIA / AIT WP 1 73 rd session 2016 FIA / AIT INDEX 1. Introduction 2. Research &amp; actions taken 1. Research: stakeholders perception 2. Research:

710 views • 31 slides
M eeting Critical Security Objectives with Security-Enhanced Linux Peter A. Loscocco

M eeting Critical Security Objectives with Security-Enhanced Linux Peter A. Loscocco

M eeting Critical Security Objectives with Security-Enhanced Linux Peter A. Loscocco Information Assurance Research G roup National Security Agency Co-author: Stephen D. Smalley, NAI Labs 1 roup Inform ation A ssurance R esearch G

476 views • 43 slides
Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Security-Enhanced Linux Trent

474 views • 26 slides
LINUX SYSTEM ADMINISTRATION AND SECURITY SSH (The Secure Shell) -Lakshmana Rao Konda

LINUX SYSTEM ADMINISTRATION AND SECURITY SSH (The Secure Shell) -Lakshmana Rao Konda

LINUX SYSTEM ADMINISTRATION AND SECURITY SSH (The Secure Shell) -Lakshmana Rao Konda lkonda@cs.siu.edu Topics Covered Introduction Overview of features SSH Client and Server Model Cryptographic Keys Attacks SSH Agent

628 views • 24 slides
Secure Passwords Through Enhanced Hashing Benjamin Strahs, Chuan Yue, and Haining Wang The

Secure Passwords Through Enhanced Hashing Benjamin Strahs, Chuan Yue, and Haining Wang The

Secure Passwords Through Enhanced Hashing Benjamin Strahs, Chuan Yue, and Haining Wang The College of William and Mary Passwords The most common online authentication method Something you know instead of something you have (hardware

559 views • 29 slides
Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331:

Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331:

Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Review: Principle of Least Privilege Every user, thread, process, module needs permissions to run

459 views • 29 slides
IS THE LINUX DESKTOP LESS SECURE THAN WINDOWS 10? OR HOW SUPER MARIO MUSIC CAN OWN YOUR SYSTEM.

IS THE LINUX DESKTOP LESS SECURE THAN WINDOWS 10? OR HOW SUPER MARIO MUSIC CAN OWN YOUR SYSTEM.

IS THE LINUX DESKTOP LESS SECURE THAN WINDOWS 10? OR HOW SUPER MARIO MUSIC CAN OWN YOUR SYSTEM. Hanno Bck https://hboeck.de 1 This was too easy . It should not be possible to find a serious memory corruption vulnerability in the default

577 views • 31 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
Oracle Buys Ksplice Oracle Linux Enhanced with Zero Downtime Software Updates July 21, 2011

Oracle Buys Ksplice Oracle Linux Enhanced with Zero Downtime Software Updates July 21, 2011

Oracle Buys Ksplice Oracle Linux Enhanced with Zero Downtime Software Updates July 21, 2011 Oracle is currently reviewing the existing Ksplice product roadmap and will be providing guidance to customers in accordance with Oracle's standard

699 views • 14 slides
Your First Guide to secure Linux August 12, 2010 Toshiharu Harada haradats@nttdata.co.jp

Your First Guide to secure Linux August 12, 2010 Toshiharu Harada haradats@nttdata.co.jp

Your First Guide to secure Linux August 12, 2010 Toshiharu Harada haradats@nttdata.co.jp NTT DATA CORPORATION Abstract There are two types of people in the world. Those who are security

872 views • 84 slides
Linux Security for Developers Insights for building a (more) secure world Michael Boelen

Linux Security for Developers Insights for building a (more) secure world Michael Boelen

Linux Security for Developers Insights for building a (more) secure world Michael Boelen michael.boelen@cisofy.com 14 January 2016 We Love Construction 2 Image source unknown And Magic! Turning data into: - Useful output - Stable

1.14k views • 85 slides
SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1,

SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1,

SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1, Thomas Knauth1, Andre MarGn1, ChrisGan Priebe2, Joshua Lind2, Divya Muthukumaran2, Dan OKeeffe2, Mark L SGllwell2, David Goltzsche3, David Eyers4,

351 views • 24 slides
Public clouds and vulnerable CPUs: are we secure? FOSDEM 2020 Vitaly Kuznetsov

Public clouds and vulnerable CPUs: are we secure? FOSDEM 2020 Vitaly Kuznetsov

Public clouds and vulnerable CPUs: are we secure? FOSDEM 2020 Vitaly Kuznetsov &lt;vkuznets@redhat.com&gt; About About myself Focusing (mostly) on Linux kernel My areas of interest include: Linux as guest on public clouds (AWS,

498 views • 39 slides
Open Source secure software updates for Linux-based IVI systems Arthur Taylor, CTO, ATS Advanced

Open Source secure software updates for Linux-based IVI systems Arthur Taylor, CTO, ATS Advanced

Open Source secure software updates for Linux-based IVI systems Arthur Taylor, CTO, ATS Advanced Telematic Systems Abstract Cyber security and vehicle recalls are two of the hottest topics in automotive software development right now.

351 views • 23 slides
Performance Analysis Superpowers with Linux BPF Brendan Gregg Sep 2017 bcc/BPF tools DEMO

Performance Analysis Superpowers with Linux BPF Brendan Gregg Sep 2017 bcc/BPF tools DEMO

Performance Analysis Superpowers with Linux BPF Brendan Gregg Sep 2017 bcc/BPF tools DEMO Agenda 1. eBPF &amp; bcc 2. bcc/BPF CLI Tools 3. bcc/BPF Visualizations Take aways 1. Understand Linux tracing and enhanced BPF 2. How to use BPF

971 views • 68 slides
Snappy Ubuntu Core Enabling secure devices with app stores We are the company behind Ubuntu.

Snappy Ubuntu Core Enabling secure devices with app stores We are the company behind Ubuntu.

Snappy Ubuntu Core Enabling secure devices with app stores We are the company behind Ubuntu. Canonical and Ubuntu | Best of both worlds CANONICAL Ubuntu Commercial backing #1 Linux Desktop for the #1 general purpose Linux OS: #1 Cloud OS

1.41k views • 26 slides
Time to retire Linux (and C) in IoT Lin Zhong http://www.recg.org By analyzing the problems of

Time to retire Linux (and C) in IoT Lin Zhong http://www.recg.org By analyzing the problems of

Time to retire Linux (and C) in IoT Lin Zhong http://www.recg.org By analyzing the problems of Linux, create a software systems research agenda for secure, efficient IoT devices. 2 Our mission better computers http://www.recg.org BIG World

1.11k views • 90 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research &amp; Boston University y Michael Schapira

701 views • 54 slides
Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range

Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range

Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range of systems ! CC BY-SA 2.0 FHKE, Flickr 2 Whats the difference between Linux on a big thing and Linux on a little thing? ! 3 ! Whats the

900 views • 52 slides
Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the

Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the

High Performance Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the supercomputers today run Linux. All of the computational clusters in corporations that I know of run Linux. Support for

419 views • 12 slides

More recommend