linux system security tunables linux system security
play

Linux System Security Tunables Linux System Security Tunables Linux - PowerPoint PPT Presentation

Nov 10, 2023 •127 likes •474 views

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables http://outflux.net/slides/2013/drupal/tunables.pdf R0Ng DrupalCon Portland 2013 Kees Cook <keescook@google.com> (pronounced Case) Who is

  1. Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables http://outflux.net/slides/2013/drupal/tunables.pdf R0Ng DrupalCon Portland 2013 Kees Cook <keescook@google.com> (pronounced “Case”)

  2. Who is this guy? ● Fun: – DefCon CTF ● team won in 2006 & 2007 – Debian – Ubuntu ● Jobs: – OSDL (proto Linux Foundation) – Canonical (Ubuntu Security) – Google (Chrome OS Security) Linux System Security Tunables 2/33 DrupalCon Portland May 21, 2013

  3. Overview ● Background – What do you mean, “post-intrusion”? – Layered defenses (aka “everything has bugs”) ● Best practices – Privilege separation (more than just root) – Kernel tunables (quick fixes) ● Start today Linux System Security Tunables 3/33 DrupalCon Portland May 21, 2013

  4. What do you mean, “post-intrusion”? ● It all started with a bug ... – … to gain remote execution – … to gain privilege escalation – … to gain kernel modification – … to gain more remote execution – rinse/repeat ● For example: – kernel.org penetration – http://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/ ● Advanced Persistent Threat Linux System Security Tunables 4/33 DrupalCon Portland May 21, 2013

  5. Layered defenses ● Everything has bugs ● There is no such thing as “perfect security” – Any who thinks it exists hasn't had to deal with real-world attacks. – Best example: kernel bugs ● Bypassing interfaces ● Disregarding defenses because a bug “can't happen there” Linux System Security Tunables 5/33 DrupalCon Portland May 21, 2013

  6. Privilege separation ● Authentication hygiene (e.g. SSH keys) ● Discretionary Access Control (user-defined) – Separate users/roles – Strict permissions ● Mandatory Access Control (admin-defined) – AppArmor – SELinux ● Multi-factor authentication Linux System Security Tunables 6/33 DrupalCon Portland May 21, 2013

  7. Authentication hygiene ● Know where your credential storage lives – Keep away from devices with remote access – Store encrypted, tied to specific device Linux System Security Tunables 7/33 DrupalCon Portland May 21, 2013

  8. Authentication hygiene $ hostname local-device $ ls ~/.ssh/id_* id_rsa_device id_rsa_device.pub $ ssh-keygen -f ~/.ssh/id_rsa_foo -p Enter new passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved with the new passphrase. $ hostname some-remote-system $ ls ~/.ssh/id_* ls: cannot access /home/kees/.ssh/id_* $ cat ~/.ssh/authorized_keys ssh-rsa A...== kees@phone ssh-rsa A...wB kees@laptop ... Linux System Security Tunables 8/33 DrupalCon Portland May 21, 2013

  9. Authentication hygiene ● Actually check host keys $ ssh-keygen -f /etc/ssh/ssh_host_rsa.pub -lv 1024 2b:29:a9:20:6f:9e:4a:de:b2:a3:b7:6b:31:bc:7f:f2 root@hostname (RSA) +--[ RSA 1024]----+ | | | | | | | . | | .. . E | | +o . o o | | o oo + + | |+.=+. .. . | |=***So | +-----------------+ Linux System Security Tunables 9/33 DrupalCon Portland May 21, 2013

  10. Discretionary Access Control ● Separate Unix users for: – Personal accounts ● no direct access – Web services ● cannot change execution – Service maintainers ● no access to personal acct, limited system access – System admin ● extremely powerful Linux System Security Tunables 10/33 DrupalCon Portland May 21, 2013

  11. Discretionary Access Control ● Pay attention to file system permissions – Clear lines between data and execution ● Control access via sudo or other keys $ sudo cat /etc/sudoers ... User_Alias SOME_SERVICE = kees, gchaix, pholcomb ... SOME_SERVICE ALL = (some-maint) ALL $ sudo cat ~some-maint/.ssh/authorized_keys ... ssh-rsa AA...dF kees@laptop ssh-rsa AA...e= gchaix@desktop ssh-rsa AA...J1 pholcomb@phone Linux System Security Tunables 11/33 DrupalCon Portland May 21, 2013

  12. Mandatory Access Control ● Specify precisely what access the service has. – AppArmor – SELinux – SMACK – Tomoyo Linux System Security Tunables 12/33 DrupalCon Portland May 21, 2013

  13. Mandatory Access Control ● AppArmor profile “hats” with Apache – http://wiki.apparmor.net/index.php/Mod_apparmor_example – /etc/apparmor.d/usr.lib/apache2.mpm-prefork.apache2 $ cat /etc/apparmor.d/apache2.d/spaces.org ^spaces.org { #include <abstractions/apache2-common> #include <abstractions/base> #include <abstractions/php5> /srv/www/spaces.org/{html,private}/ r, /srv/www/spaces.org/{html,private}/** r, owner /srv/www/spaces.org/private/** wkl, /home/jcook/scripts/spaces.hits r, /srv/www/spaces.org/logs/* w, } Linux System Security Tunables 13/33 DrupalCon Portland May 21, 2013

  14. Multi-factor authentication ● Downside of sudo: 1 password for 2 accounts ● Add a physical token – HID – RSA token – yubi-key – google-authenticator – duo-unix ● https://www.duosecurity.com/pricing Linux System Security Tunables 14/33 DrupalCon Portland May 21, 2013

  15. Multi-factor authentication ● PAM with duo-unix $ sudo apt-get -y install libpam-duo ... $ sudo vi /etc/security/pam_duo.conf ... ikey = ... skey = ... $ sudo pam-auth-update ... $ sudo -K -K $ sudo -s sudo -s [sudo] password for kees: Duo two-factor login for kees Enter a passcode or select one of the following options: 1. Phone call to XXX-XXX-5694 2. SMS passcodes to XXX-XXX-5694 (next code starts with: J) Passcode or option (1-2): Linux System Security Tunables 15/33 DrupalCon Portland May 21, 2013

  16. Kernel tunables ● Network – tcp_syncookies ● Debug – perf_event_paranoid – ptrace_scope – kptr_restrict – dmesg_restrict ● Virtual Memory – mmap_min_addr ● Filesystem – protected_hardlinks – protected_symlinks ● Kernel Execution – modules_disabled Linux System Security Tunables 16/33 DrupalCon Portland May 21, 2013

  17. Kernel tunables ● Tree of items in /proc/sys/ ● Configure either directly or via “sysctl” tool ● Boot-time configured from /etc/sysctl.d ● Documented in kernel source (and a bit in man-pages) – Documentation/sysctl/ $ find /proc/sys -type f | wc -l 1272 $ cat /proc/sys/kernel/randomize_va_space 2 $ sysctl kernel.randomize_va_space 2 $ sudo sysctl kernel.randomize_va_space=2 kernel.randomize_va_space = 2 Linux System Security Tunables 17/33 DrupalCon Portland May 21, 2013

  18. net.ipv4.tcp_syncookies=1 ● Encodes connection details in TCP options ● Self-regulating ● Downside is loss of options that don't matter Linux System Security Tunables 18/33 DrupalCon Portland May 21, 2013

  19. kernel.yama.ptrace_scope=1 ● Block “sibling” processes from modifying each other – SSH hijacking ● Disrupts attach (“strace -p”, “gdb -p”) but not debugging of launched child processes ● Could also get crazy and use higher modes: – 2: root only (CAP_SYS_PTRACE) – 3: nothing can use ptrace Linux System Security Tunables 19/33 DrupalCon Portland May 21, 2013

  20. vm.mmap_min_addr=65536 $ cat runme.c #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> #include <unistd.h> int main(void) { struct stat *info = NULL; printf(“%ld\n”, info->st_ino); return 0; } $ make runme $ ./runme Segmentation fault (core dumped) Linux System Security Tunables 20/33 DrupalCon Portland May 21, 2013

  21. vm.mmap_min_addr=65536 $ cat runme.c #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> #include <unistd.h> #include <sys/mman.h> int main(void) { struct stat *info = NULL; mmap(0, 4096, PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); printf(“%ld\n”, info->st_ino); return 0; } $ make runme $ ./runme 0 Linux System Security Tunables 21/33 DrupalCon Portland May 21, 2013

  22. kernel.kptr_restrict=1 ● Kernel addresses are useful to attackers $ grep tcp_transport /proc/kallsyms ffffffffa045b180 d xs_tcp_transport [sunrpc] ffffffffa045b1e0 d xs_bc_tcp_transport [sunrpc] $ sudo grep ^nfsv3 /proc/modules nfsv3 34322 1 - Live 0xffffffffa0582000 (F) Linux System Security Tunables 22/33 DrupalCon Portland May 21, 2013

  23. kernel.kptr_restrict=1 ● Kernel addresses are useful to attackers $ grep tcp_transport /proc/kallsyms 0000000000000000 d xs_tcp_transport [sunrpc] 0000000000000000 d xs_bc_tcp_transport [sunrpc] $ sudo grep ^nfsv3 /proc/modules nfsv3 34322 1 - Live 0x0000000000000000 (F) Linux System Security Tunables 23/33 DrupalCon Portland May 21, 2013

  24. kernel.dmesg_restrict=1 ● So much handy information for an attacker $ dmesg dmesg: klogctl failed: Operation not permitted Linux System Security Tunables 24/33 DrupalCon Portland May 21, 2013

  25. fs.protected_symlinks=1 ● Classic Time-of-Check-vs-Time-of-Use attack – “/tmp symlink attack” $ cd /tmp $ ln -s /etc/cron.d/evil predictable-filename $ readlink predictable-filename /etc/cron.d/evil #!/bin/bash if [ ! -e /tmp/predictable-filename ]; then echo “eeek” >/tmp/predictable-filename fi # /the/buggy/script $ cat /etc/cron.d/evil eeek Linux System Security Tunables 25/33 DrupalCon Portland May 21, 2013

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TOMOYO Linux A Lightweight and Manageable Security System for PC and Embedded Linux

TOMOYO Linux A Lightweight and Manageable Security System for PC and Embedded Linux

CE Linux Forum Worldwide Embedded Linux Conference 2007 April 17-19, 2007 TOMOYO Linux A Lightweight and Manageable Security System for PC and Embedded Linux http://tomoyo.sourceforge.jp/ Toshiharu Harada Tetsuo Handa NTT DATA

654 views • 47 slides
TOMOYO Linux News! A Lightweight and Manageable Security System for PC and Embedded Linux

TOMOYO Linux News! A Lightweight and Manageable Security System for PC and Embedded Linux

TOMOYO Linux News! A Lightweight and Manageable Security System for PC and Embedded Linux PDF version of ELC2007 slide is available: CE Linux Forum Wiki TomoyoLinux http://tree.celinuxforum.org/CelfPubWiki/TomoyoLinux (bookmark and

890 views • 48 slides
Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen 3 Linux security Areas Core Resources Services Environment System Hardening Boot Process Accounting Database Forensics Containers

821 views • 34 slides
Tizen, Security and The Internet of Things Casey Schaufler 1 Casey Schaufler Security

Tizen, Security and The Internet of Things Casey Schaufler 1 Casey Schaufler Security

Tizen, Security and The Internet of Things Casey Schaufler 1 Casey Schaufler Security Dinosaur Smack Linux Security Module Manager Tizen and Linux Kernel Security 2 Tizen Linux based operating system Project of the Linux

486 views • 23 slides
Linux system hardening thanks to systemd Timothe Ravier French Network and Information Security

Linux system hardening thanks to systemd Timothe Ravier French Network and Information Security

Linux system hardening thanks to systemd Timothe Ravier French Network and Information Security Agency (ANSSI) RMLL 2017 Goal of this talk Goal of this talk Increase the security of standard Linux distributions Use security features

382 views • 37 slides
Integrating Flexible Support for Security Policies into the Linux Operating System

Integrating Flexible Support for Security Policies into the Linux Operating System

Integrating Flexible Support for Security Policies into the Linux Operating System http://www.nsa.gov/selinux Stephen D. Smalley sds@tycho.nsa.gov Information Assurance Research Group National Security Agency (Slight modifications by David

542 views • 19 slides
Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux

Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux

Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux Distributions Linux vs Windows Linux Architecture Linux Security 2 What is Linux? Similar Operating System To Microsoft Windows, Sun

1.11k views • 55 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
LINUX SYSTEM ADMINISTRATION AND SECURITY SSH (The Secure Shell) -Lakshmana Rao Konda

LINUX SYSTEM ADMINISTRATION AND SECURITY SSH (The Secure Shell) -Lakshmana Rao Konda

LINUX SYSTEM ADMINISTRATION AND SECURITY SSH (The Secure Shell) -Lakshmana Rao Konda lkonda@cs.siu.edu Topics Covered Introduction Overview of features SSH Client and Server Model Cryptographic Keys Attacks SSH Agent

628 views • 24 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 9 Linux Security &amp; Logging Linux Security Real-World Linux Security RHEL

739 views • 41 slides
BPF Turning Linux into a Microservices-aware Operating System About the Speaker Thomas Graf

BPF Turning Linux into a Microservices-aware Operating System About the Speaker Thomas Graf

BPF Turning Linux into a Microservices-aware Operating System About the Speaker Thomas Graf Linux kernel developer for ~15 years working on networking and security Helped write one of the biggest monoliths ever Worked on many

520 views • 27 slides
Basic Linux Original slides from GTFO Security outline Linux What it is? Commands

Basic Linux Original slides from GTFO Security outline Linux What it is? Commands

Basic Linux Original slides from GTFO Security outline Linux What it is? Commands Filesystem / Shell Package Management Services run on Linux mail dns web central authentication router

1.55k views • 23 slides
Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux

Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux

Linux, whats that? The pieces of a Linux system Linux Concepts Distributions Desktop environments Switching to Linux Epilogue Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux system Linux

766 views • 57 slides
What is GNU/Linux? GNU/Linux is a free operating system Other operating systems:

What is GNU/Linux? GNU/Linux is a free operating system Other operating systems:

What is GNU/Linux? GNU/Linux is a free operating system Other operating systems: Microsoft windows Apple Mac OS X Sun Solaris FreeBSD/OpenBSD AIX And many more..... GNU/Linux history GNU project started by

330 views • 9 slides
Unit 10 Linux Operating System 2 Linux Based on the Unix operating system Developed as

Unit 10 Linux Operating System 2 Linux Based on the Unix operating system Developed as

1 Unit 10 Linux Operating System 2 Linux Based on the Unix operating system Developed as an open-source (&quot;free&quot;) alternative by Linux Torvalds and several others starting in 1991 Originally only for Intel based processors

785 views • 16 slides
Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees

Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees

Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2017/lss/kspp.pdf Agenda Background Security in the context of

652 views • 52 slides
Security and Authorization Access to large databases is generally selective: Distinct users

Security and Authorization Access to large databases is generally selective: Distinct users

Security and Authorization Access to large databases is generally selective: Distinct users have distinct privileges. The process of defining and granting these privileges is called authorization. Authorization is generally a positive

514 views • 22 slides
Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided

Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided

Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided by a typical operating system. Introduce the basic Unix security model. See how general security principles are implemented in an actual

733 views • 59 slides
Parameterizing Access Control for Heterogeneous Peer-to-Peer Applications Ashish Gehani Surendar

Parameterizing Access Control for Heterogeneous Peer-to-Peer Applications Ashish Gehani Surendar

Parameterizing Access Control for Heterogeneous Peer-to-Peer Applications Ashish Gehani Surendar Chandra SRI University of Notre Dame 1 INTRODUCTION : Heterogeneous Applications Name resolution - CoDNS Scientific citations - OverCite

441 views • 17 slides
Semidefinite Approximations of Reachable Sets for Discrete-time Polynomial Systems Victor Magron ,

Semidefinite Approximations of Reachable Sets for Discrete-time Polynomial Systems Victor Magron ,

Semidefinite Approximations of Reachable Sets for Discrete-time Polynomial Systems Victor Magron , CNRS VERIMAG Joint work with Pierre-Loc Garoche (ONERA) Didier Henrion (LAAS) Xavier Thirioux (IRIT) SMAI-MODE 23 March 2016 Victor Magron

912 views • 61 slides
Current Research and Open Problems in Attribute-Based Access Control Daniel Servos

Current Research and Open Problems in Attribute-Based Access Control Daniel Servos

Current Research and Open Problems in Attribute-Based Access Control Daniel Servos dservos5@uwo.ca Department of Computer Science Topics Survey/Proposal Daniel Servos TSP: ABAC February 10th 1 / 31 1. Talk Outline Outline 1 Background

1.23k views • 90 slides
Markov Decision Process Assumption: agent gets to observe the state [Drawing from Sutton and

Markov Decision Process Assumption: agent gets to observe the state [Drawing from Sutton and

Discretization Pieter Abbeel UC Berkeley EECS Markov Decision Process Assumption: agent gets to observe the state [Drawing from Sutton and Barto, Reinforcement Learning: An Introduction, 1998] Markov Decision Process (S, A, T, R, H) Given S:

381 views • 26 slides
Finite elements discretizations of the total variation Antonin Chambolle CMAP, Ecole

Finite elements discretizations of the total variation Antonin Chambolle CMAP, Ecole

Finite elements discretizations of the total variation Antonin Chambolle CMAP, Ecole Polytechnique, CNRS, Palaiseau, France joint with T. Pock (T.U. Graz, Austria) Variational methods and optimization in imaging , IHP, Paris, 4 Feb., 2019

811 views • 41 slides
Fast approximate inference in hybrid Bayesian networks using dynamic discretisation Helge Langseth

Fast approximate inference in hybrid Bayesian networks using dynamic discretisation Helge Langseth

Fast approximate inference in hybrid Bayesian networks using dynamic discretisation Helge Langseth 1 , David Marquez 2 , Martin Neil 2 1 Dept. of Computer and Information Science, The Norwegian University of Science and Technology, Norway 2 School

509 views • 16 slides

More recommend