dynamic policy enforcement dynamic policy enforcement in
play

Dynamic Policy Enforcement Dynamic Policy Enforcement in a - PowerPoint PPT Presentation

Mar 22, 2023 •379 likes •671 views

Dynamic Policy Enforcement Dynamic Policy Enforcement in a Networked Environment in a Networked Environment Brandon Pollet Brandon Pollet Enterprise Security Group Enterprise Security Group Center for Information Security Center for

  1. Dynamic Policy Enforcement Dynamic Policy Enforcement in a Networked Environment in a Networked Environment Brandon Pollet Brandon Pollet Enterprise Security Group Enterprise Security Group Center for Information Security Center for Information Security University of Tulsa University of Tulsa This research was supported by MPO Contract MDA 904-02-R-0039 This research was supported by MPO Contract MDA 904-02-R-0039

  2. Motivations and Objectives Motivations and Objectives • Dynamic Policy Enforcement Agent (DPEA) • Architecture that provides flexibility and security • Event driven run-time modification of security policy • Real-time response to both internal and external threats • User configurable response to security threats • Intuitive rules configuration through graphical or command line interface

  3. Background – – Key Concepts Key Concepts Background • Conditional Policy – In 2004 Tresys extended the SELinux Policy with Conditional Policy – Conditional Policy allows sections of the policy to be turned on or off at run-time depending on the value of boolean variables • Expert Systems – Highly specialized computer systems that make decisions based on logic and reasoning – Expert systems are highly capable at solving data intensive problems in their specified domain of knowledge

  4. DPEA Design Principles DPEA Design Principles • Separation from the SELinux policy – Separation is critical due to security concerns – If not separated the DPEA could pose a dire security threat – Utilizes the SELinux conditional policy extensions • Intuitive rule configuration – The DPEA is designed for two different user interfaces • Graphical configuration manager • Command line utility dpeconfig – Designed to allow administrators to quickly create rules that match security events with appropriate responses

  5. Design – – Software Architecture Software Architecture Design • The architecture Intrusion Detection System Linux System Logs SELinux Audit Logs separates the Agent Logs from the SELinux security policy while still providing the required functionality SELinux Policy “Policy.conf” Agent Ruleset DPE Agent Program • Utilizes the conditional policy extensions to dynamically enforce the policy without having any direct Selinux Filesystem SELinux Security Server /selinux/booleans/ access to it.

  6. Design – – Configuration Manager Configuration Manager Design SELMA Plug-in Generates System Specific Ruleset System SELinux Boolean Event Boolean Value • The DPEA Configuration Manager allows administrators to quickly create security response rules • By selecting a system event, a boolean to modify, and the boolean’s new value an administrator can instruct the DPEA to respond to security events

  7. Design – – Low Level Program Low Level Program Design Interaction Interaction • Logging interaction takes SELinux Snort Alert System Logs place through a DPEA Security Alert Integration Integration Integration specific log file • Scans its log file for DPEA log file occurrences of specified system events DPE Agent Program with access to System Specific Ruleset • When events are found the security alerts, logs, and Ruleset ruleset is checked and the appropriate changes are made to the SELinux boolean files Selinux Filesystem /selinux/booleans/

  8. Implementation Implementation • In order to fulfill its design requirements the DPEA must be – Highly configurable for administrators – It must interact with the system’s logging and alert functions – It must modify the SELinux Boolean files • To accomplish this the implementation of the DPEA is split into three main sections; – Agent System – Configuration Manager – SELinux Boolean Manager

  9. Implementation – – Agent System Agent System Implementation • The decision making capabilities of the agent system are the core of the DPEA • CLIPS was used to produce a stable expert system tailored to the requirements of the DPEA • Rule Translation – The first step in DPEA implementation – Translate rules from the configuration manager into CLIPS- formatted rules – Rule parser that outputs CLIPS compatible rules into the DPEA Knowledge Base

  10. Implementation – – Rule Example Rule Example Implementation (defrule user_disable_trans_rule • Represent logic in the (log auth_failure) expert system => • Each rule has two main (assert(true user_disable_trans))) sections – If section – Then section (defrule port_scan_rule (log port_scan) • Standard rules (true full_service) => • Conjunctive rules (assert(false inet_full_service)))

  11. Implementation – – Agent System Agent System Implementation • Facts – Represent knowledge in an expert system • DPEA facts – Mainly constructed from log entries – Also constructed from boolean values, and system information • The Agent system constructs facts from logs by – Scanning the log file for any system events – When an event occurs it is parsed for fact information – Constructed into a CLIPS fact – Inserted into the Knowledge Base

  12. Implementation – – Boolean Boolean Implementation Manager Manager • To facilitate the separation of the DPEA from the security policy all interaction take place through SELinux boolean files • When a rule fires that requires a boolean to be modified – A boolean fact is inserted into the DPEA knowledge base – The Boolean manager scans for newly created boolean facts – When a fact is found it removes the fact and calls a SELinux utility setsebool to make the change

  13. Implementation – – Implementation Configuration Manager Configuration Manager • The DPEA Configuration Manager has two forms – Graphical Configuration utility – Command Line utility • Both utilities provide functionality for – Rule creation • Rules can require any number of if sections to fire – Rule deletion – Rule examination • Both utilities store rules in the same file

  14. Implementation - GUI Implementation - GUI • Lists current rules • Create New Rules • Delete Rules

  15. Implementation – – CLI CLI Implementation • Add a rule – dpeConfig –a <event> <boolean> <value> • Add a multi-part rule – dpeConfig –am <event1> <event2> .. –b <boolean> –v <value> • List current rules – dpeConfig –l • Delete a rule – dpeConfig –d <rule_number> • List Events – dpeConfig –le • List Booleans – dpeConfig -lb

  16. System and Network System and Network Configuration Configuration • System Configuration – In its early state DPEA requires a large amount of initial configuration – Configuration requires • System logging system • Modifying the system’s SELinux policy to correspond with the DPEA Booleans • Writing the rule-set for the agent program – Rule-set Profiles help to alleviate this configuration across a network – Network hosts can be set up using a pre-defined profile. These profiles then serve as a baseline for DPEA rule sets – Profiles could be manually distributed to each host or pushed out from a centralized server using RSS

  17. Examples Examples • Privilege Escalation – DPEA responds to an authorization failure event – This occurs when a user attempts to become root with an incorrect password • Example log entry Apr 4 13:33:03 localhost su(pam_unix)[24041]: authentication failure; logname=dpeTest uid=500 euid=0 tty= ruser=dpeTest rhost= user=root

  18. Example – – Privilege Escalation Privilege Escalation Example Rule Rule • This rule sets the value of user_disable_trans to true when an authentication failure event occurs

  19. Privilege Escalation Privilege Escalation Outcome Outcome

  20. Example – – Unauthorized Access Unauthorized Access Example • Unauthorized Access – DPEA responds to an SELinux audit message – This occurred when a user attempted to access the shadow password file • Example log entry avc: denied {read} for pid=12999 exe=/usr/bin/gedit name=shadow dev=03:02 ino=391745 scontext=dpeTest:staff_r:staff_t tcontext=system_u:object_r:shadow_t tclass=file

  21. Example – – Unauthorized Access Unauthorized Access Example Rule Rule • This rule sets the value of user_disable_type to true when an avc denied event occurs

  22. Unauthorized Access Unauthorized Access Outcome Outcome

  23. Example – – Malicious Use Malicious Use Example • Malicious Use of Services – The system is a web-server which also has ssh access for administrative purposes – DPEA responds to a port_scan event from its Intrusion Detection System • Example Log Entry spp_portscan: PORTSCAN DETECTED from 192.168.1.10 [**] 04/22- 18:48:53.681227

  24. Example – – Malicious Use Rule Malicious Use Rule Example • This conjunctive rule sets the value of inet_full_service to false if a port-scan is detected and the systems full services are currently active

  25. Malicious Use Malicious Use Outcome Outcome

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

No! In fact, dynamic enforcement is as secure as Denning-style enforcement Trick: termination

No! In fact, dynamic enforcement is as secure as Denning-style enforcement Trick: termination

No! In fact, dynamic enforcement is as secure as Denning-style enforcement Trick: termination public:=0 channel Denning-style if secret enforcement termination-insensitive No assignments to public Monitor blocks variables

277 views • 11 slides
Planning Enforcement Adrian Duffield Head of Planning 1 The planning process Enforcement

Planning Enforcement Adrian Duffield Head of Planning 1 The planning process Enforcement

Planning Enforcement Adrian Duffield Head of Planning 1 The planning process Enforcement Policy Applications 2 National Planning Policy NPPF Paragraph 207 Important in maintaining public confidence in planning system Discretionary

171 views • 14 slides
Enforcement Policy Presented by Cris Carrigan David Boyers, &amp; Dr. Matthew Buffleben State

Enforcement Policy Presented by Cris Carrigan David Boyers, &amp; Dr. Matthew Buffleben State

2017 Update: Enforcement Policy Presented by Cris Carrigan David Boyers, &amp; Dr. Matthew Buffleben State Water Resources Control Board Office of Enforcement February 7, 2017 Board Meeting Item 5 2017 Enforcement Policy Highlights

570 views • 20 slides
FPPC Enforcement Retrospective &amp; Prospective Policy Meeting November 22, 2019 2019

FPPC Enforcement Retrospective &amp; Prospective Policy Meeting November 22, 2019 2019

FPPC Enforcement Retrospective &amp; Prospective Policy Meeting November 22, 2019 2019 Enforcement Trends Resource Allocation 2019/2020 Penalties 2019/2020 Streamline/WL Discussion Program Roadblocks to Enforcement Legislative Proposals

633 views • 39 slides
Deriving Enforcement Mechanisms from H. Janicke, et.al. Policies Motivation ITL Policy Rules

Deriving Enforcement Mechanisms from H. Janicke, et.al. Policies Motivation ITL Policy Rules

Deriving Enforcement Mechanisms from Policies Deriving Enforcement Mechanisms from H. Janicke, et.al. Policies Motivation ITL Policy Rules Helge Janicke, Antonio Cau, Fran cois Siewe, Enforcement Hussein Zedan Summary Software

550 views • 16 slides
Efficient CFI Enforcement for C++ Dynamic Dispatch Dimitar Bounov , Rami Kici, Sorin Lerner UCSD

Efficient CFI Enforcement for C++ Dynamic Dispatch Dimitar Bounov , Rami Kici, Sorin Lerner UCSD

Efficient CFI Enforcement for C++ Dynamic Dispatch Dimitar Bounov , Rami Kici, Sorin Lerner UCSD Why A:ack Dynamic Dispatch? Valuable targets (e.g. browsers) 11M LOC ~30M LOC 7M LOC ?M LOC C/C++ C/C++ C/C++ C/C++ Why A:ack Dynamic

922 views • 53 slides
The Irish Waste Management Conference Waste policy and enforcement: update Alison Fanagan 28

The Irish Waste Management Conference Waste policy and enforcement: update Alison Fanagan 28

The Irish Waste Management Conference Waste policy and enforcement: update Alison Fanagan 28 November 2019 M-47824253-1 Introduction Waste policy Waste enforcement 2012 A resource opportunity: up for review What are Irelands

400 views • 28 slides
GAMING POLICY AND ENFORCEMENT BRANCH SAM MACLEOD, ASSISTANT DEPUTY MINISTER AND GENERAL MANAGER

GAMING POLICY AND ENFORCEMENT BRANCH SAM MACLEOD, ASSISTANT DEPUTY MINISTER AND GENERAL MANAGER

GAMING POLICY AND ENFORCEMENT BRANCH SAM MACLEOD, ASSISTANT DEPUTY MINISTER AND GENERAL MANAGER German Report Implementation: Addressing Money Laundering in BCs Casinos Presentation for UBCM GAMING POLICY AND ENFORCEMENT BRANCH (GPEB)

830 views • 11 slides
Enforcement Policy for the Processing of Penalty Charge Notices Civil Parking Enforcement

Enforcement Policy for the Processing of Penalty Charge Notices Civil Parking Enforcement

Civil Parking Enforcement Policy for the Processing of Penalty Charge Notices Civil Parking Enforcement Guidance for the processing of Penalty Charge Notices in the County of Staffordshire June 2007 Revised February 2008 Introduction In

828 views • 64 slides
in Hungary Enforcement procedure Procedure after Ordering enforcement enforcement order

in Hungary Enforcement procedure Procedure after Ordering enforcement enforcement order

Monitoring of enforcement in Hungary Enforcement procedure Procedure after Ordering enforcement enforcement order Ordering enforcement Authorities court notary public Enforcement order certificate of enforcement

540 views • 12 slides
Corporate Tax - USA Enhanced IRS Enforcement and the Voluntary Disclosure Policy Contributed by

Corporate Tax - USA Enhanced IRS Enforcement and the Voluntary Disclosure Policy Contributed by

Newsletters | Law Directory | Deals | News | Subscribe | Home Corporate Tax - USA Enhanced IRS Enforcement and the Voluntary Disclosure Policy Contributed by Caplin &amp; Drysdale August 26 2005 During the 1990s, the level and intensity of US

364 views • 3 slides
Agenda Provisions Policy Punishable Acts Penalties Penalties Enforcement Issues Status

Agenda Provisions Policy Punishable Acts Penalties Penalties Enforcement Issues Status

Agenda Provisions Policy Punishable Acts Penalties Penalties Enforcement Issues Status SEC. 2. Declaration of Policy. The State recognizes the vital role of information and communications industries such as content production,

406 views • 22 slides
Law Enforcement Solutions for Reducing Racial Disparities &amp; Disproportionate Minority Contact

Law Enforcement Solutions for Reducing Racial Disparities &amp; Disproportionate Minority Contact

PENNSYLVANIA COMMISSION ON CRIME AND DELINQUENCY(PCCD) DMC SUBCOMMITTEES PHILADELPHIA WORKING GROUP PHILADELPHIA MINORITY YOUTH LAW ENFORCEMENT RELATIONS POLICY Law Enforcement Solutions for Reducing Racial Disparities &amp;

860 views • 28 slides
Cit itizen Enforcement and IG IGP Compliance Matt OMalley Waterkeeper and Legal &amp;

Cit itizen Enforcement and IG IGP Compliance Matt OMalley Waterkeeper and Legal &amp;

Cit itizen Enforcement and IG IGP Compliance Matt OMalley Waterkeeper and Legal &amp; Policy Director San Diego Coastkeeper Clea ean Water Act ct Citiz tizen In Involv lvement t and and Enforcement En 1972 Act passed to

829 views • 23 slides
14.471: Public Economics Tax Enforcement Emmanuel Saez MIT: Fall 2009 1 Tax Enforcement

14.471: Public Economics Tax Enforcement Emmanuel Saez MIT: Fall 2009 1 Tax Enforcement

14.471: Public Economics Tax Enforcement Emmanuel Saez MIT: Fall 2009 1 Tax Enforcement Problem Most models of optimal taxation (income or commodity) as- sume away enforcement issues. In practice: 1) Enforcement is costly (eats up around 10%

1.12k views • 45 slides
IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures Jos

IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures Jos

IoT-Flows: Lightweight Policy Enforcement of Information Flows in IoT Infrastructures Jos Augusto Suruagy Monteiro Centro de Informtica - UFPE IoT-Flows: US Subteam (PIs) Prof. Atul Prakash (UMich) Expert on security and IoT Prof. Darko

455 views • 24 slides
It Can Understand the Logs, Literally Aidi Pi , Wei Chen, Will Zeller and Xiaobo Zhou IPDPSW19

It Can Understand the Logs, Literally Aidi Pi , Wei Chen, Will Zeller and Xiaobo Zhou IPDPSW19

It Can Understand the Logs, Literally Aidi Pi , Wei Chen, Will Zeller and Xiaobo Zhou IPDPSW19 @ Rio de Janeiro Outline Introduction to distributed system logs Challenges NLog: A NLP based log analysis approach Evaluation

197 views • 18 slides
fjlesystems 3 1 last time hard drives seek time rotational latency block remapping by disk

fjlesystems 3 1 last time hard drives seek time rotational latency block remapping by disk

fjlesystems 3 1 last time hard drives seek time rotational latency block remapping by disk controller solid state disks wear leveling move data to new block when written work around limitations of large erasure blocks (that cant be

1.67k views • 110 slides
Disease Control System DiCon Sebastian Goll, Ned Dimitrov University of Texas at Austin November

Disease Control System DiCon Sebastian Goll, Ned Dimitrov University of Texas at Austin November

Disease Control System DiCon Sebastian Goll, Ned Dimitrov University of Texas at Austin November 24, 2009 Goll, Dimitrov (Texas) November 24, 2009 1 / 14 Introduction DiCon What is DiCon? DiCon is the Disease Control System. Procedure

348 views • 14 slides
Log-Structured File System CS 416: Operating Systems Design, Spring 2011 Department of Computer

Log-Structured File System CS 416: Operating Systems Design, Spring 2011 Department of Computer

CS416 File System Log-Structured File System CS 416: Operating Systems Design, Spring 2011 Department of Computer Science Rutgers University Rutgers Sakai: 01:198:416 Sp11 (https://sakai.rutgers.edu) Log Structured Filesystem LFS Basic

675 views • 15 slides
Inferring Models of Concurrent Systems from Logs of Their Behavior with CSight A?a-1 timeout s0

Inferring Models of Concurrent Systems from Logs of Their Behavior with CSight A?a-1 timeout s0

Inferring Models of Concurrent Systems from Logs of Their Behavior with CSight A?a-1 timeout s0 send(m) s1 M!m-0 s2 A?a-1 Sender Receiver A?a-0 A?a-1 2,1 M?m-0 1,0 send(m) A?a-0 s5 M!m-1 s4 send(m) s3 2,2 recv(m) 2,0 M!m-0

1.22k views • 75 slides
Detecting Large-Scale System Problems by Mining Console Logs Author : Wei Xu, Ling Huang,

Detecting Large-Scale System Problems by Mining Console Logs Author : Wei Xu, Ling Huang,

Detecting Large-Scale System Problems by Mining Console Logs Author : Wei Xu, Ling Huang, Armando Fox, David Patterson, Michael Jordan Conference: ICML 2010 SOSP2009, ICDM 2009 Reporter: Zhe Fu Outline SOSP 09 ICML 10 Offline Analysis

935 views • 48 slides
Log all the things! Honza Krl @honzakral Logs? Events! Log lines Twitter feed Invoices

Log all the things! Honza Krl @honzakral Logs? Events! Log lines Twitter feed Invoices

Log all the things! Honza Krl @honzakral Logs? Events! Log lines Twitter feed Invoices Metrics Why? What happened last Tuesday? Grep? Multiple machines Multiple logs Analysis/Discovery Time period Time? Time?! Time! apache

592 views • 33 slides
Improve Query Performance with the Query Log Analyzer Kees Vegter Field Engineer Query Log

Improve Query Performance with the Query Log Analyzer Kees Vegter Field Engineer Query Log

Improve Query Performance with the Query Log Analyzer Kees Vegter Field Engineer Query Log Analyzer kees@neo4j.com Query Log dbms.logs.query.enabled=true # If the execution of query takes more time than this threshold, # the query is

1.12k views • 27 slides

More recommend