Dynamic Policy Enforcement in a Networked Environment - PowerPoint PPT Presentation


SLIDE 1

Dynamic Policy Enforcement in a Networked Environment

Brandon Pollet, Enterprise Security Group, Center for Information Security, University of Tulsa

This research was supported by MPO Contract MDA 904-02-R-0039

SLIDE 2

Motivations and Objectives

  • Dynamic Policy Enforcement Agent (DPEA)
  • Architecture that provides flexibility and security
  • Event-driven run-time modification of security policy
  • Real-time response to both internal and external threats
  • User-configurable response to security threats
  • Intuitive rules configuration through a graphical or command-line interface

SLIDE 3

Background – Key Concepts

  • Conditional Policy
    – In 2004 Tresys extended the SELinux policy with conditional policy
    – Conditional policy allows sections of the policy to be turned on or off at run-time depending on the value of boolean variables
  • Expert Systems
    – Highly specialized computer systems that make decisions based on logic and reasoning
    – Expert systems are highly capable at solving data-intensive problems in their specified domain of knowledge
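The slide describes conditional policy in one sentence; the fragment below shows what it looks like in policy.conf syntax. This is an added example, not taken from the slides or the DPEA project: the two booleans are the ones the later slides use (user_disable_trans, inet_full_service), but the types and object classes guarded by them are assumed for illustration and the supporting rules a real domain transition needs are omitted.

```selinux
# Boolean declarations with their default (boot-time) values
bool user_disable_trans false;
bool inet_full_service true;

# Rules inside an if-block are enforced only while the expression is true.
# Changing the boolean (setsebool, or a write through /selinux/booleans/)
# re-evaluates the block; the policy itself is never rewritten or reloaded.
if (!user_disable_trans) {
    # Normal operation: a staff session running su transitions into the su
    # domain. Type names are illustrative (assumed, not from the slides).
    type_transition staff_t su_exec_t:process staff_su_t;
}

if (inet_full_service) {
    # Full service: the web server may bind its port.
    allow httpd_t http_port_t:tcp_socket name_bind;
}

# Administrative ssh stays outside any conditional, so a port-scan response
# that turns inet_full_service off does not lock the administrator out.
allow sshd_t ssh_port_t:tcp_socket name_bind;
```

The `bool` line only fixes the default. The running value is what an agent flips, with `setsebool <name> 1|0` (the utility slide 12 names) or through the /selinux/booleans/ interface shown in the architecture diagram, and `getsebool -a` lists the current values, which is the quickest way to confirm that a rule actually fired.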

SLIDE 4

DPEA Design Principles

  • Separation from the SELinux policy
    – Separation is critical due to security concerns
    – If not separated, the DPEA could itself pose a dire security threat
    – Utilizes the SELinux conditional policy extensions
  • Intuitive rule configuration
    – The DPEA is designed for two different user interfaces
      • Graphical configuration manager
      • Command line utility dpeconfig
    – Designed to allow administrators to quickly create rules that match security events with appropriate responses

SLIDE 5

Design – Software Architecture

  • The architecture separates the Agent from the SELinux security policy while still providing the required functionality
  • Utilizes the conditional policy extensions to dynamically enforce the policy without having any direct access to it

[Architecture diagram; components: DPE Agent Program, Agent Ruleset, Intrusion Detection System Logs, Linux System Logs, SELinux Audit Logs, SELinux Filesystem /selinux/booleans/, SELinux Policy "policy.conf", SELinux Security Server]

SLIDE 6

Design – Configuration Manager

  • The DPEA Configuration Manager allows administrators to quickly create security response rules
  • By selecting a system event, a boolean to modify, and the boolean's new value, an administrator can instruct the DPEA to respond to security events

[Diagram: System Event, SELinux Boolean and Boolean Value feed the SELMA Plug-in, which generates the System Specific Ruleset]

SLIDE 7

Design – Low Level Program Interaction

  • Logging interaction takes place through a DPEA-specific log file
  • Scans its log file for occurrences of specified system events
  • When events are found, the ruleset is checked and the appropriate changes are made to the SELinux boolean files

[Diagram: DPE Agent Program with access to security alerts, logs and Ruleset; inputs: Snort Alert Integration, System Logs Integration, SELinux Security Alert Integration, System Specific Ruleset, DPEA log file; output: SELinux Filesystem /selinux/booleans/]

SLIDE 8

Implementation

  • In order to fulfill its design requirements the DPEA must be
    – Highly configurable for administrators
    – Able to interact with the system's logging and alert functions
    – Able to modify the SELinux boolean files
  • To accomplish this, the implementation of the DPEA is split into three main sections:
    – Agent System
    – Configuration Manager
    – SELinux Boolean Manager

SLIDE 9

Implementation – Agent System

  • The decision-making capabilities of the agent system are the core of the DPEA
  • CLIPS was used to produce a stable expert system tailored to the requirements of the DPEA
  • Rule Translation
    – The first step in DPEA implementation
    – Translate rules from the configuration manager into CLIPS-formatted rules
    – Rule parser that outputs CLIPS-compatible rules into the DPEA Knowledge Base

SLIDE 10

Implementation – Rule Example

; Standard rule: one condition. Fires when an auth_failure log fact exists
; and asserts the boolean fact that turns user_disable_trans on.
(defrule user_disable_trans_rule
    (log auth_failure)
    =>
    (assert (true user_disable_trans)))

; Conjunctive rule: both conditions must hold. Fires only when a port_scan
; log fact exists AND the full_service boolean is currently true.
(defrule port_scan_rule
    (log port_scan)
    (true full_service)
    =>
    (assert (false inet_full_service)))

  • Represent logic in the expert system
  • Each rule has two main sections
    – If section
    – Then section
  • Standard rules
  • Conjunctive rules
SLIDE 11

Implementation – Agent System

  • Facts
    – Represent knowledge in an expert system
  • DPEA facts
    – Mainly constructed from log entries
    – Also constructed from boolean values and system information
  • The Agent system constructs facts from logs by
    – Scanning the log file for any system events
    – When an event occurs it is parsed for fact information
    – Constructed into a CLIPS fact
    – Inserted into the Knowledge Base

SLIDE 12

Implementation – Boolean Manager

  • To facilitate the separation of the DPEA from the security policy, all interaction takes place through SELinux boolean files
  • When a rule fires that requires a boolean to be modified
    – A boolean fact is inserted into the DPEA knowledge base
    – The Boolean manager scans for newly created boolean facts
    – When a fact is found it removes the fact and calls the SELinux utility setsebool to make the change

SLIDE 13

Implementation – Configuration Manager

  • The DPEA Configuration Manager has two forms
    – Graphical configuration utility
    – Command line utility
  • Both utilities provide functionality for
    – Rule creation
      • Rules can require any number of if sections to fire
    – Rule deletion
    – Rule examination
  • Both utilities store rules in the same file
SLIDE 14

Implementation – GUI

  • Lists current rules
  • Create New Rules
  • Delete Rules
SLIDE 15

Implementation – CLI

  • Add a rule
    – dpeConfig -a <event> <boolean> <value>
  • Add a multi-part rule
    – dpeConfig -am <event1> <event2> .. -b <boolean> -v <value>
  • List current rules
    – dpeConfig -l
  • Delete a rule
    – dpeConfig -d <rule_number>
  • List events
    – dpeConfig -le
  • List booleans
    – dpeConfig -lb

SLIDE 16

System and Network Configuration

  • System Configuration
    – In its early state the DPEA requires a large amount of initial configuration
    – Configuration requires
      • Setting up the system logging
      • Modifying the system's SELinux policy to correspond with the DPEA booleans
      • Writing the rule-set for the agent program
    – Rule-set profiles help to alleviate this configuration across a network
    – Network hosts can be set up using a pre-defined profile. These profiles then serve as a baseline for DPEA rule sets
    – Profiles could be manually distributed to each host or pushed out from a centralized server using RSS

SLIDE 17

Examples

  • Privilege Escalation
    – DPEA responds to an authentication failure event
    – This occurs when a user attempts to become root with an incorrect password
  • Example log entry

Apr 4 13:33:03 localhost su(pam_unix)[24041]: authentication failure; logname=dpeTest uid=500 euid=0 tty= ruser=dpeTest rhost= user=root

SLIDE 18

Example – Privilege Escalation Rule

  • This rule sets the value of user_disable_trans to true when an authentication failure event occurs

SLIDE 19

Privilege Escalation Outcome

SLIDE 20

Example – Unauthorized Access

  • Unauthorized Access
    – DPEA responds to an SELinux audit message
    – This occurred when a user attempted to access the shadow password file
  • Example log entry

avc: denied {read} for pid=12999 exe=/usr/bin/gedit name=shadow dev=03:02 ino=391745 scontext=dpeTest:staff_r:staff_t tcontext=system_u:object_r:shadow_t tclass=file

SLIDE 21

Example – Unauthorized Access Rule

  • This rule sets the value of user_disable_type to true when an avc denied event occurs

SLIDE 22

Unauthorized Access Outcome

SLIDE 23

Example – Malicious Use

  • Malicious Use of Services
    – The system is a web server which also has ssh access for administrative purposes
    – DPEA responds to a port_scan event from its Intrusion Detection System
  • Example log entry

spp_portscan: PORTSCAN DETECTED from 192.168.1.10 [**] 04/22-18:48:53.681227

SLIDE 24

Example – Malicious Use Rule

  • This conjunctive rule sets the value of inet_full_service to false if a port scan is detected and the system's full services are currently active
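The pipeline of slides 7 and 9 to 12 (log line, fact, rule, boolean manager) and the three worked examples of slides 17 to 24 can be replayed end to end in a few dozen lines. The script below is an added example, not the DPEA's own code: CLIPS is replaced by a small Python matcher, and the boolean manager records the `setsebool` argv it would run instead of executing it, so it runs on any machine without SELinux. The event regexes, the sample benign sshd line and the name `avc_denied_rule` are assumptions; the other rule names, events, booleans and the three log entries come from the slides.

```python
"""Stand-in for the DPEA pipeline: log line -> event fact -> rule -> setsebool (dry run)."""
import re
from dataclasses import dataclass, field

# Event detectors keyed by the event names the slides' rules use. The regexes
# are assumptions written against the three log formats shown on the slides
# (su/pam_unix, SELinux avc, Snort spp_portscan).
EVENT_PATTERNS = {
    "auth_failure": re.compile(r"\bauthentication failure;.*\buser=root\b"),
    "avc_denied": re.compile(r"\bavc:\s+denied\s+\{[^}]*\}"),
    "port_scan": re.compile(r"\bPORTSCAN DETECTED from \S+"),
}


@dataclass
class Rule:
    """Fire when every event in `events` has been seen as a fact and every
    boolean in `requires` currently holds; then set `boolean` to `value`."""
    name: str
    events: tuple
    boolean: str
    value: bool
    requires: dict = field(default_factory=dict)


def to_clips(rule):
    """Rule translation (slide 9): render a Rule in the defrule form of slide 10."""
    lhs = " ".join(f"(log {e})" for e in rule.events)
    for b, v in rule.requires.items():
        lhs += f" ({'true' if v else 'false'} {b})"
    rhs = f"(assert ({'true' if rule.value else 'false'} {rule.boolean}))"
    return f"(defrule {rule.name} {lhs} => {rhs})"


def parse_event(line):
    """Return the event name a raw log line carries, or None for an ordinary line."""
    for event, pattern in EVENT_PATTERNS.items():
        if pattern.search(line):
            return event
    return None


class Agent:
    def __init__(self, rules, booleans):
        self.rules = list(rules)
        self.booleans = dict(booleans)  # simulated /selinux/booleans/ state
        self.facts = set()              # event facts in the knowledge base
        self.actions = []               # setsebool argv lists, never executed

    def ingest(self, line):
        """Scan one log line; on an event, assert the fact and re-run the rules."""
        event = parse_event(line)
        if event is not None:
            self.facts.add(event)
            self._fire_rules()
        return event

    def _fire_rules(self):
        for rule in self.rules:
            if not set(rule.events) <= self.facts:
                continue  # not all required events seen yet
            if any(self.booleans.get(b) != v for b, v in rule.requires.items()):
                continue  # a boolean precondition (conjunctive rule) does not hold
            if self.booleans.get(rule.boolean) == rule.value:
                continue  # already in the requested state, nothing to do
            # Boolean manager step (slide 12): the boolean fact becomes a
            # setsebool call. Recorded here rather than executed.
            self.booleans[rule.boolean] = rule.value
            self.actions.append(["setsebool", rule.boolean, "1" if rule.value else "0"])


# The three rules described on slides 18, 21 and 24 (avc_denied_rule name assumed).
RULES = [
    Rule("user_disable_trans_rule", ("auth_failure",), "user_disable_trans", True),
    Rule("avc_denied_rule", ("avc_denied",), "user_disable_type", True),
    Rule("port_scan_rule", ("port_scan",), "inet_full_service", False,
         requires={"full_service": True}),
]

# Constructed sample input: the log entries from slides 17, 20 and 23 plus one
# benign sshd line (made up) that must not trigger any rule.
SAMPLE_LOG = [
    "Apr 4 13:33:03 localhost su(pam_unix)[24041]: authentication failure; "
    "logname=dpeTest uid=500 euid=0 tty= ruser=dpeTest rhost= user=root",
    "avc: denied {read} for pid=12999 exe=/usr/bin/gedit name=shadow dev=03:02 "
    "ino=391745 scontext=dpeTest:staff_r:staff_t tcontext=system_u:object_r:shadow_t tclass=file",
    "spp_portscan: PORTSCAN DETECTED from 192.168.1.10 [**] 04/22-18:48:53.681227",
    "Apr 4 13:35:10 localhost sshd[24100]: Accepted publickey for admin from 10.0.0.5",
]


def run_sample():
    """Replay SAMPLE_LOG through an agent whose booleans start in the normal state."""
    agent = Agent(RULES, {"user_disable_trans": False, "user_disable_type": False,
                          "full_service": True, "inet_full_service": True})
    events = [agent.ingest(line) for line in SAMPLE_LOG]
    return events, agent.actions, agent.booleans
```

Calling `run_sample()` yields the events `auth_failure`, `avc_denied`, `port_scan` and `None` for the benign line, and exactly three recorded actions: `setsebool user_disable_trans 1`, `setsebool user_disable_type 1`, `setsebool inet_full_service 0`. A multi-event rule from `dpeConfig -am` maps onto a `Rule` with several names in `events`; the boolean precondition of slide 24 maps onto `requires`, and if `full_service` starts out false the port scan is recorded as a fact but no `setsebool` is issued, which is the behaviour the conjunctive rule is meant to have.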

SLIDE 25

Malicious Use Outcome

SLIDE 26

Network Intrusion Response

  • Network Intrusion Response
    – In a commercial network it is impractical to require every host to run its own Intrusion Detection System
    – Current research is aimed at providing alerts to the host systems through a central IDS and server configuration
  • Example Network Configuration
    – Network sensors report intrusion attempts to a central DPEA-aware server
    – The rule-set for this server is configured to alert network hosts to threats
    – Alerts are pushed out to specific hosts or a class of hosts that are likely to be affected

SLIDE 27

Conclusion and Future Work

  • The examples shown today are only the beginning
  • Future Enhancements
    – More powerful rule language
    – Self-update and configure feature
    – Policy Configuration expert system
  • The Dynamic Policy Enforcement Agent offers
    – Security
    – Flexibility
    – Intuitive Configuration
    – Self-defense system

SLIDE 28

Questions?