linux system hardening thanks to systemd
play

Linux system hardening thanks to systemd Timothe Ravier French - PowerPoint PPT Presentation

May 14, 2023 •12 likes •382 views

Linux system hardening thanks to systemd Timothe Ravier French Network and Information Security Agency (ANSSI) RMLL 2017 Goal of this talk Goal of this talk Increase the security of standard Linux distributions Use security features

  1. Linux system hardening thanks to systemd Timothée Ravier French Network and Information Security Agency (ANSSI) RMLL 2017

  2. Goal of this talk

  3. Goal of this talk ◮ Increase the security of standard Linux distributions ◮ Use security features made available to userspace by the Linux kernel ◮ Take advantage of their integration into systemd ◮ Simplify deployments and help system maintenance ANSSI Linux system hardening thanks to systemd 3/25

  4. systemd “how-to” in three slides

  5. systemd? ◮ Integrated in most Linux distributions as a replacement for SysVinit ◮ Handle system boot up and manage system services ◮ Responsible for environment setup for system daemons ◮ Init scripts are replaced by declarative configuration files: units ANSSI Linux system hardening thanks to systemd 5/25

  6. Unit? To display the current configuration of a service: Command # systemctl cat php -fpm.service # /usr/lib/systemd/system/php -fpm.service [Unit] Description=The PHP FastCGI Process Manager After=network.target [Service] Type=notify PIDFile =/run/php -fpm/php -fpm.pid ExecStart =/usr/bin/php -fpm --nodaemonize PrivateTmp=true [Install] WantedBy=multi -user.target ANSSI Linux system hardening thanks to systemd 6/25

  7. Unit? To display the current configuration of a service: # systemctl cat php -fpm.service Corresponding file # /usr/lib/systemd/system/php -fpm.service [Unit] Description=The PHP FastCGI Process Manager After=network.target [Service] Type=notify PIDFile =/run/php -fpm/php -fpm.pid ExecStart =/usr/bin/php -fpm --nodaemonize PrivateTmp=true [Install] WantedBy=multi -user.target ANSSI Linux system hardening thanks to systemd 6/25

  8. Unit? To display the current configuration of a service: # systemctl cat php -fpm.service # /usr/lib/systemd/system/php -fpm.service Who? [Unit] When? Description=The PHP FastCGI Process Manager After=network.target [Service] Type=notify PIDFile =/run/php -fpm/php -fpm.pid ExecStart =/usr/bin/php -fpm --nodaemonize PrivateTmp=true [Install] WantedBy=multi -user.target ANSSI Linux system hardening thanks to systemd 6/25

  9. Unit? To display the current configuration of a service: # systemctl cat php -fpm.service # /usr/lib/systemd/system/php -fpm.service [Unit] Description=The PHP FastCGI Process Manager After=network.target [Service] What? Type=notify How? PIDFile =/run/php -fpm/php -fpm.pid ExecStart =/usr/bin/php -fpm --nodaemonize PrivateTmp=true [Install] WantedBy=multi -user.target ANSSI Linux system hardening thanks to systemd 6/25

  10. Unit? To display the current configuration of a service: # systemctl cat php -fpm.service # /usr/lib/systemd/system/php -fpm.service [Unit] Description=The PHP FastCGI Process Manager After=network.target [Service] Type=notify PIDFile =/run/php -fpm/php -fpm.pid ExecStart =/usr/bin/php -fpm --nodaemonize PrivateTmp=true [Install] Why? WantedBy=multi -user.target ANSSI Linux system hardening thanks to systemd 6/25

  11. Example: switching to an unprivileged user and group Edit the service configuration: # systemctl edit php -fpm.service ANSSI Linux system hardening thanks to systemd 7/25

  12. Example: switching to an unprivileged user and group Edit the service configuration: # systemctl edit php -fpm.service add the following content: [Service] User=http Group=www ANSSI Linux system hardening thanks to systemd 7/25

  13. Example: switching to an unprivileged user and group Edit the service configuration: # systemctl edit php -fpm.service add the following content: [Service] User=http Group=www and make those changes effective: # systemctl daemon -reload # systemctl restart php -fpm.service ANSSI Linux system hardening thanks to systemd 7/25

  14. Taking advantage of security features from the Linux kernel

  15. Filtering access to system calls using seccomp-bpf Concept ◮ Restrict which system calls are available to a process ◮ Also applies to child processes ANSSI Linux system hardening thanks to systemd 9/25

  16. Filtering access to system calls using seccomp-bpf Concept ◮ Restrict which system calls are available to a process ◮ Also applies to child processes Example [Service] SystemCallFilter =~ chroot SystemCallFilter =~ @obsolete ANSSI Linux system hardening thanks to systemd 9/25

  17. Filtering access to system calls using seccomp-bpf Concept ◮ Restrict which system calls are available to a process ◮ Also applies to child processes Example [Service] SystemCallFilter =~ chroot SystemCallFilter =~ @obsolete Beware ◮ Can be bypassed with ptrace on kernels < 4.8 ◮ Solution: add a filter for the ptrace system call: [Service] SystemCallFilter =~ ptrace ANSSI Linux system hardening thanks to systemd 9/25

  18. Linux capabilities Concept ◮ Restrict privileges granted to a process (potentially running as root) ◮ Grant a subset of root privileges to an unprivileged process ANSSI Linux system hardening thanks to systemd 10/25

  19. Linux capabilities Concept ◮ Restrict privileges granted to a process (potentially running as root) ◮ Grant a subset of root privileges to an unprivileged process Example [Service] CapabilityBoundingSet = CAP_NET_BIND_SERVICE AmbientCapabilities = CAP_NET_BIND_SERVICE ANSSI Linux system hardening thanks to systemd 10/25

  20. Linux capabilities Concept ◮ Restrict privileges granted to a process (potentially running as root) ◮ Grant a subset of root privileges to an unprivileged process Example [Service] CapabilityBoundingSet = CAP_NET_BIND_SERVICE AmbientCapabilities = CAP_NET_BIND_SERVICE Beware ◮ Some capabilities are equivalent to full root privileges ◮ Avoid blacklists. Whitelist only the capabilities effectively used For more details, see: https://forums.grsecurity.net/viewtopic.php?f=7&t=2522 ANSSI Linux system hardening thanks to systemd 10/25

  21. Mount namespaces Concept ◮ Each service can get its own filesystem hierarchy ◮ Hide arbitrary paths or turn them read-only ANSSI Linux system hardening thanks to systemd 11/25

  22. Mount namespaces Concept ◮ Each service can get its own filesystem hierarchy ◮ Hide arbitrary paths or turn them read-only Example [Service] InaccessiblePaths =/etc/secrets ProtectSystem =full ANSSI Linux system hardening thanks to systemd 11/25

  23. Mount namespaces Concept ◮ Each service can get its own filesystem hierarchy ◮ Hide arbitrary paths or turn them read-only Example [Service] InaccessiblePaths =/etc/secrets ProtectSystem =full Beware ◮ Reversible if CAP_SYS_ADMIN or mount system call is available: [Service] CapabilityBoundingSet =~ CAP_SYS_ADMIN SystemCallFilter =~ @mount ANSSI Linux system hardening thanks to systemd 11/25

  24. Getting your hands dirty (cow?)

  25. Practical example: sandboxing the Dirty CoW ◮ Vulnerability CVE-2016-5195 ◮ Local root made public in October 2016 ◮ Impacted every kernel from the version 2.6.22, released in 2007 ◮ Race condition in the memory management code handling Copy-on-Write ANSSI Linux system hardening thanks to systemd 13/25

  26. Practical example: sandboxing the Dirty CoW Exploit vector ◮ Race condition triggered by the madvise system call Options to mitigate the impact ◮ Block the madvise system call Configuration [Service] SystemCallFilter =~ madvise ANSSI Linux system hardening thanks to systemd 14/25

  27. Practical example: sandboxing the Dirty CoW Exploit vector ◮ Indirect access to memory using the ptrace system call and /proc/self/mem Options to mitigate the impact ◮ Block the ptrace system call ◮ Remove access to the proc virtual filesystem Configuration [Service] SystemCallFilter =~ ptrace InaccessiblePaths =/ proc See https://lists.freedesktop.org/archives/systemd-devel/2017-April/038634.html and https://github.com/systemd/systemd/pull/5985 for more details. ANSSI Linux system hardening thanks to systemd 15/25

  28. Practical example: sandboxing the Dirty CoW Exploit vector ◮ Vulnerable code may be reachable from drivers exposed in /dev Options to mitigate the impact ◮ Remove access to most hardware drivers available from /dev Configuration [Service] PrivateDevices =yes ANSSI Linux system hardening thanks to systemd 16/25

  29. Practical example: The Good, the Bad and the socket ◮ Vulnerability CVE-2016-8655 ◮ Local root ◮ Race condition in AF_PACKET type sockets leading to Use-After-Free in kernel context ◮ Creating AF_PACKET sockets requires CAP_NET_RAW ◮ May be obtained via unprivileged user namespace (Linux � 3.8) ANSSI Linux system hardening thanks to systemd 17/25

  30. Practical example: The Good, the Bad and the socket Exploit vector ◮ AF_PACKET sockets Options to mitigate the impact ◮ Restrict socket type availability Configuration Minimal version with a blacklist: [Service] RestrictAddressFamilies =~ AF_PACKET Better option using a whitelist: [Service] RestrictAddressFamilies =AF_INET AF_INET6 AF_UNIX ANSSI Linux system hardening thanks to systemd 18/25

  31. Practical example: The Good, the Bad and the socket Exploit vector ◮ CAP_NET_RAW capability Options to mitigate the impact ◮ Block acquisition of the CAP_NET_RAW capability Configuration [Service] CapabilityBoundingSet =~ CAP_NET_RAW ANSSI Linux system hardening thanks to systemd 19/25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen 3 Linux security Areas Core Resources Services Environment System Hardening Boot Process Accounting Database Forensics Containers

821 views • 34 slides
systemd chenshh 1 Computer Center, CS, NCTU Before we start systemd is only for linux ONLY

systemd chenshh 1 Computer Center, CS, NCTU Before we start systemd is only for linux ONLY

systemd chenshh 1 Computer Center, CS, NCTU Before we start systemd is only for linux ONLY FOR LINUX NO UNIX 2 2 Computer Center, CS, NCTU History 1.BSD Style init 2.sysvinit 3.upstart 4.systemd 3 3 Computer Center, CS, NCTU BSD

700 views • 42 slides
UNDERSTANDING SYSTEMD THE MODERN LINUX SERVICE MANAGER GARRET ARCORACI, ROCHESTER INST . OF

UNDERSTANDING SYSTEMD THE MODERN LINUX SERVICE MANAGER GARRET ARCORACI, ROCHESTER INST . OF

UNDERSTANDING SYSTEMD THE MODERN LINUX SERVICE MANAGER GARRET ARCORACI, ROCHESTER INST . OF TECHNOLOGY INTRODUCTION ME AND SYSTEMD WHERE DOES SYSTEMD FIT http://www.uefj.org/ IN THE BEGINNING TRADITIONAL BIOS UEFI WHERE IS THE

355 views • 18 slides
GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The GNU userland consists of libc, the init system (SystemD) X11 GUI toolkits etc. Ask the audience Who has used

442 views • 22 slides
Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com

Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com

Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com s-Hertogenbosch, 1 March 2016 Meetup: Den Bosch Linux User Group Goals 1. Learn what to protect 2. Know some strategies 3. Learn tooling Focus

912 views • 60 slides
Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux Kernel Widespread Deployed on: powerful (high performance compute clusters) sensitive (bank, gov. systems, ..) safety critical

995 views • 29 slides
systemd, the modern Linux service and resource manager Alison Chaiken Sept. 8, 2015

systemd, the modern Linux service and resource manager Alison Chaiken Sept. 8, 2015

systemd, the modern Linux service and resource manager Alison Chaiken Sept. 8, 2015 mentor.com/automo tive Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions. Linux is the registered trademark of

947 views • 21 slides
Uplift your Li Linux systems pr progr gramming s amming skills kills w wit ith sy systemd

Uplift your Li Linux systems pr progr gramming s amming skills kills w wit ith sy systemd

Uplift your Li Linux systems pr progr gramming s amming skills kills w wit ith sy systemd and D and D-Bu Bus FOSDEM 2020, Go Devroom (2 nd Feb, 2020) Leonid Vasilyev, &lt;vsleonid@gmail.com&gt; Ag Agenda Scope of this talk

1.26k views • 25 slides
An Introduction to systemd Erik Johnson What is systemd? Replacement for sysvinit Manages

An Introduction to systemd Erik Johnson What is systemd? Replacement for sysvinit Manages

An Introduction to systemd Erik Johnson What is systemd? Replacement for sysvinit Manages your services/daemons Integrated logging (journal) Easy-to-write service files (units) Aims to standardize management of several

478 views • 32 slides
Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect

Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect

Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect Mender.io Session overview Case-studies of 3 botnets Mirai (August 2016) Hajime (October 2016) BrickerBot (March 2017) Common security

902 views • 28 slides
Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables http://outflux.net/slides/2013/drupal/tunables.pdf R0Ng DrupalCon Portland 2013 Kees Cook &lt;keescook@google.com&gt; (pronounced Case) Who is

474 views • 33 slides
Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John Roman Linux System Administrator RAND Corporation SCALE 2017 Roman, John PGP PGP 101 public/private keyrings Roman, John PGP PGP 101

471 views • 43 slides
Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John Roman Linux System Administrator RAND Corporation SCALE 2017 Roman, John PGP PGP 101 public/private keyrings Roman, John PGP PGP 101

690 views • 42 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
Zero-effort Monitoring Support University of Amsterdam Network and System Engineering Julien

Zero-effort Monitoring Support University of Amsterdam Network and System Engineering Julien

Zero-effort Monitoring Support University of Amsterdam Network and System Engineering Julien Nyczak Supervisor: Rick van Rein, ARPA2.net 2 Introduction Linux shipped with large amount of packages systemd, the new init system

431 views • 16 slides
Fantastic DNS records and where to find them Demystifying systemd-resolved and how it is

Fantastic DNS records and where to find them Demystifying systemd-resolved and how it is

Fantastic DNS records and where to find them Demystifying systemd-resolved and how it is integrated on Ubuntu Dimitri John Ledkov &lt;xnox@ubuntu.com&gt; What is systemd-resolved? Local, caching, DNS resolver Per-link nameserver

277 views • 15 slides
Simple Scalable Architectures bud@thinkcube.com | twitter @geekaholic In terms of scaling the web

Simple Scalable Architectures bud@thinkcube.com | twitter @geekaholic In terms of scaling the web

9/3/11 11:13 AM Simple Scalable Architectures bud@thinkcube.com | twitter @geekaholic In terms of scaling the web server there are few options. Basically the easiest to setup. Scaling is a matter of buying a better server or upgrading it!

465 views • 8 slides
How to Speak at a Conference Beth Tucker Long @e3betht Who am I? Beth Tucker Long PHP

How to Speak at a Conference Beth Tucker Long @e3betht Who am I? Beth Tucker Long PHP

How to Speak at a Conference Beth Tucker Long @e3betht Who am I? Beth Tucker Long PHP Developer Stay-at-home mom User group leader Mentor &amp; Apprentice e3betht Audience Participation? Completely fine. Ask me

760 views • 36 slides
F inanc ial Re c or ds Wa shing to n Sta te Arc hive s re c o rdsma na g e me nt@ so s.wa .g o

F inanc ial Re c or ds Wa shing to n Sta te Arc hive s re c o rdsma na g e me nt@ so s.wa .g o

Basic s of Managing F inanc ial Re c or ds Wa shing to n Sta te Arc hive s re c o rdsma na g e me nt@ so s.wa .g o v (360) 586-4901 1 Ove rvie w Re c o rds Ma na g e me nt Ba sic s F ina nc ia l F AQs Re te ntio n Sc he dule s

643 views • 27 slides
IDO Trainings FAQs by Topic 7 Parts IDO Trainings 1. General Provisions 2. Zone

IDO Trainings FAQs by Topic 7 Parts IDO Trainings 1. General Provisions 2. Zone

IDO Training Admin &amp; Enforcement April 6 &amp; 18, 2018 City of Albuquerque Integrated Development Ordinance (IDO) Training Administration &amp; Enforcement April 6 &amp; 18, 2018 www.abc-zone.com IDO Trainings FAQs by Topic 7

563 views • 14 slides
Setting up a LAMP server Created by : Nate Levesque (Feb. 2016) Updated by : Justin W. Flory (Oct.

Setting up a LAMP server Created by : Nate Levesque (Feb. 2016) Updated by : Justin W. Flory (Oct.

Setting up a LAMP server Created by : Nate Levesque (Feb. 2016) Updated by : Justin W. Flory (Oct. 2016) CC-BY-SA 4.0 What is LAMP? Duh. Actually, were interested in... L inux, A pache, M ySQL, and P HP A standard web server

498 views • 28 slides
Cheap, Fast, and Good You can have it all with Ruby on Rails Brian McCallister

Cheap, Fast, and Good You can have it all with Ruby on Rails Brian McCallister

Cheap, Fast, and Good You can have it all with Ruby on Rails Brian McCallister brianm@ninginc.com http://www.ning.com/ (c) 2005, Brian McCallister What is Ruby? Dynamic and Interpreted Strong support for OO programming Everything

933 views • 61 slides
FAMP FreeBSD/Apache/MySQL/PHP zswu Computer Center, CS, NCTU Introduction Web service

FAMP FreeBSD/Apache/MySQL/PHP zswu Computer Center, CS, NCTU Introduction Web service

FAMP FreeBSD/Apache/MySQL/PHP zswu Computer Center, CS, NCTU Introduction Web service Apache GWS, Nginx, IIS SQL service MySQL, MariaDB MS SQL, Oracle DB, PostgreSQL NoSQL service MongoDB Web backend language

1.53k views • 57 slides
THE LEADER IN DRUPAL PLATFORM DESIGN AND DEVELOPMENT Friday, November 16, 12 SHORT STACK

THE LEADER IN DRUPAL PLATFORM DESIGN AND DEVELOPMENT Friday, November 16, 12 SHORT STACK

THE LEADER IN DRUPAL PLATFORM DESIGN AND DEVELOPMENT Friday, November 16, 12 SHORT STACK INGREDIENTS FOR A SHORTER, SWEETER DRUPAL HOSTING STACK Friday, November 16, 12 http://www.flickr.com/photos/crobj/3306760492/ Friday, November 16, 12

1.02k views • 85 slides

More recommend