secure enhanced linux
play

Secure Enhanced Linux Julian Richen SELinux? Started as a research - PowerPoint PPT Presentation

Dec 27, 2023 •183 likes •349 views

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National Security Agency (NSA) A set of patches using the Linux Security Modules (LSM) Hardening GNU/Linux systems with extra security policies and

  1. Secure Enhanced Linux Julian Richen

  2. SELinux? ● Started as a research project from the National Security Agency (NSA) ● A set of patches using the Linux Security Modules (LSM) – Hardening GNU/Linux systems with extra security policies and enforcing Mandatory Access Control (MAC) – Similar to modules like AppArmor, Smack, TOMOYO ● NSA published the code under the GPL in 2000 ● Upstream Linux kernel adopted patches in 2003 2

  3. Who develops it? ● NSA ● Red Hat ● MITRE Corporation ● Secure Computing Corporation (SSC) ● Individual contributors & companies – CUPS Project, SAMBA Project, IBM, Tresys T echnology, and more ● Full list: – https://www.nsa.gov/what-we- do/research/selinux/contributors.shtml 3

  4. Source? ● Source: – https://github.com/SELinuxProject/selinux ● Bugs – NSA: selinux@tycho.nsa.gov – Red Hat: https://bugzilla.redhat.com/ ● Policies – https://github.com/T resysT echnology/refpolicy 4

  5. Who uses it? ● Linux Distros – RHEL, Fedora, SuSE, CentOS, Debian, Ubuntu ● United States Government – NSA, DoD, etc… ● Enterprise – Data sensitive companies, healthcare, or anyone really ● Android – Google implemented SELinux in Android 4.3 (2015) 5

  6. What does it solve? ● Implements Mandatory Access Control (MAC) – Focus on process context instead of role-based security (think DAC) – Enhances Discretionary Access Control (DAC); aka Ownership (user, group, other) with read/write/exec permissions ● MAC policies can be set for: – Users – Files – Directories – Memory – Sockets – tcp/udp ports – And more! 6

  7. Discretionary Access Controls ● Access to objects is restricted based on the identity of a subject and/or group (ownership + permissions). ● Controls are “discretionary” because subjects have a level of permissions that allow them to reach a subject. 7

  8. Discretionary Access Controls Group Other User r w x r w x r w x 8

  9. Mandatory Access Control ● Operating Systems constrain the ability of the subject to access or perform operation on an object or target. ● Basically, access to objects is restricted based on the security levels set by the security context. 9

  10. How does SELinux work? ● It’s basically Mandatory Access Control – SELinux doesn’t replace DAC, MAC can work alongside DAC – SELinux can be enabled/disabled at anytime and system will fallback to DAC ● SELinux uses “Labels” for MAC – These labels are then followed with “T ype Enforcement” – SELinux needs extended attributes on fjle-system to work ● Labels are added as extended attributes ● Use or make security policies – Security policies are just pre-made lists of labels for lots of packages on a GNU/Linux system – SELinux ships with targeted, minimum and mls as defaults. 10

  11. Labeling & Type Enforcement ● Labeling – Every object (fjle, process, port, etc..) has a SELinux context/label ● Label’s job is to create logical groups/levels which the object may interact with – Format ● user:role:type:level(optional) – Labels should be logical, e.g a http servers & ports 80/443 should be grouped together because a http will use those ports ● Type Enforcement – The part of the policy that says a subject with “abc label” can interact with an object with “xyz label”. 11

  12. Label & Type Enforcement Example ● It makes sense that httpd_* labeled label Object objects should interact together. httpd process httpd ● It doesn’t make sense for httpd /usr/bin/httpd httpd_exec_t labeled content to access sensitive /etc/httpd/ httpd_config_t fjles like /etc/shadow or fjles in the home directory. /var/log/httpd/ httpd_log_t /var/www/html/ httpd_sys_content_t Port 80 & 443 httpd_port_t /etc/shadow shadow_t /home/<user>/* user_home_t 12

  13. SELinux Policies ● Policy – Enforcing ● Enforce all policies. – Permissive ● Prints warnings instead of enforcing. – Disabled ● No policy is loaded. ● Types – Targeted ● Support a greater number of confjned daemons, can confjne other users and areas. Good confjnement for most use-cases. – Minimum ● Support minimal set of confjned daemons, rest are set as unconfjned. Used for users to test SELinux and devices that only need to confjne a few daemons. – MLS ● Multi Level Security protection, lots of confjned daemons and users. Used in high-security environments (think Government). – Write your own ● You can write policies that fjt your machine, business, etc… 13

  14. cat /etc/selinux/confjg 14

  15. Attributions ● Docs on SELinux source – https://github.com/SELinuxProject/selinux ● Red Hat’s Thomas Cameron yearly SELinux presentation: – http://people.redhat.com/tcameron/Summit2017/SElinux/selinux_f or_mere_mortals_2017.pdf ● Fedora docs – https://docs-old.fedoraproject.org/en- US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/inde x.html ● SELinux intro by Digital Ocean – https://www.digitalocean.com/community/tutorials/an- introduction-to-selinux-on-centos-7-part-1-basic-concepts 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows Reinstall usually keeps personal files Advantages of Linux More secure Package manager Software installation is easy, fast and secure Keeps

528 views • 15 slides
Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer

Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer

Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer Science Department State University of New York at Stony Brook http://www.cs.sunysb.edu/stoller/ 1 Security-Enhanced Linux (SELinux) SELinux =

695 views • 21 slides
Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type

Security Enhanced Linux Thanks to David Quigley History SELinux Timeline 1985: LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999: 2.2 Linux Kernel (patch) 2000: 2001: 2.4 Linux Kernel (patch) 2002: LSM 2003:

764 views • 43 slides
ELCE 2013 - Secure Embedded Linux Product (A Success Story) Marcin Bis http://bis-linux.com

ELCE 2013 - Secure Embedded Linux Product (A Success Story) Marcin Bis http://bis-linux.com

ELCE 2013 - Secure Embedded Linux Product (A Success Story) Marcin Bis http://bis-linux.com marcin@bis-linux.com Edinburgh - 2013.10.25 1 / 31 About me Marcin Bis Entrepreneur Embedded Linux: system development, kernel

623 views • 31 slides
PROJECT: PROPOSAL TO THE UN ECE OF AN HARMONIZED, SECURE AND ENHANCED IDP By the FIA / AIT WP 1

PROJECT: PROPOSAL TO THE UN ECE OF AN HARMONIZED, SECURE AND ENHANCED IDP By the FIA / AIT WP 1

PROJECT: PROPOSAL TO THE UN ECE OF AN HARMONIZED, SECURE AND ENHANCED IDP By the FIA / AIT WP 1 73 rd session 2016 FIA / AIT INDEX 1. Introduction 2. Research &amp; actions taken 1. Research: stakeholders perception 2. Research:

710 views • 31 slides
M eeting Critical Security Objectives with Security-Enhanced Linux Peter A. Loscocco

M eeting Critical Security Objectives with Security-Enhanced Linux Peter A. Loscocco

M eeting Critical Security Objectives with Security-Enhanced Linux Peter A. Loscocco Information Assurance Research G roup National Security Agency Co-author: Stephen D. Smalley, NAI Labs 1 roup Inform ation A ssurance R esearch G

476 views • 43 slides
Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Security-Enhanced Linux Trent

474 views • 26 slides
LINUX SYSTEM ADMINISTRATION AND SECURITY SSH (The Secure Shell) -Lakshmana Rao Konda

LINUX SYSTEM ADMINISTRATION AND SECURITY SSH (The Secure Shell) -Lakshmana Rao Konda

LINUX SYSTEM ADMINISTRATION AND SECURITY SSH (The Secure Shell) -Lakshmana Rao Konda lkonda@cs.siu.edu Topics Covered Introduction Overview of features SSH Client and Server Model Cryptographic Keys Attacks SSH Agent

628 views • 24 slides
Secure Passwords Through Enhanced Hashing Benjamin Strahs, Chuan Yue, and Haining Wang The

Secure Passwords Through Enhanced Hashing Benjamin Strahs, Chuan Yue, and Haining Wang The

Secure Passwords Through Enhanced Hashing Benjamin Strahs, Chuan Yue, and Haining Wang The College of William and Mary Passwords The most common online authentication method Something you know instead of something you have (hardware

559 views • 29 slides
Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331:

Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331:

Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Review: Principle of Least Privilege Every user, thread, process, module needs permissions to run

459 views • 29 slides
IS THE LINUX DESKTOP LESS SECURE THAN WINDOWS 10? OR HOW SUPER MARIO MUSIC CAN OWN YOUR SYSTEM.

IS THE LINUX DESKTOP LESS SECURE THAN WINDOWS 10? OR HOW SUPER MARIO MUSIC CAN OWN YOUR SYSTEM.

IS THE LINUX DESKTOP LESS SECURE THAN WINDOWS 10? OR HOW SUPER MARIO MUSIC CAN OWN YOUR SYSTEM. Hanno Bck https://hboeck.de 1 This was too easy . It should not be possible to find a serious memory corruption vulnerability in the default

577 views • 31 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
Oracle Buys Ksplice Oracle Linux Enhanced with Zero Downtime Software Updates July 21, 2011

Oracle Buys Ksplice Oracle Linux Enhanced with Zero Downtime Software Updates July 21, 2011

Oracle Buys Ksplice Oracle Linux Enhanced with Zero Downtime Software Updates July 21, 2011 Oracle is currently reviewing the existing Ksplice product roadmap and will be providing guidance to customers in accordance with Oracle's standard

699 views • 14 slides
Your First Guide to secure Linux August 12, 2010 Toshiharu Harada haradats@nttdata.co.jp

Your First Guide to secure Linux August 12, 2010 Toshiharu Harada haradats@nttdata.co.jp

Your First Guide to secure Linux August 12, 2010 Toshiharu Harada haradats@nttdata.co.jp NTT DATA CORPORATION Abstract There are two types of people in the world. Those who are security

872 views • 84 slides
Linux Security for Developers Insights for building a (more) secure world Michael Boelen

Linux Security for Developers Insights for building a (more) secure world Michael Boelen

Linux Security for Developers Insights for building a (more) secure world Michael Boelen michael.boelen@cisofy.com 14 January 2016 We Love Construction 2 Image source unknown And Magic! Turning data into: - Useful output - Stable

1.14k views • 85 slides
SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1,

SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1,

SCONE: Secure Linux Containers with Intel SGX Sergei Arnautov1, Bohdan Trach1, Franz Gregor1, Thomas Knauth1, Andre MarGn1, ChrisGan Priebe2, Joshua Lind2, Divya Muthukumaran2, Dan OKeeffe2, Mark L SGllwell2, David Goltzsche3, David Eyers4,

351 views • 24 slides
Spark: A Coding Joyride Visualizing and plotting data Create a machine-learning pipeline

Spark: A Coding Joyride Visualizing and plotting data Create a machine-learning pipeline

11/16/2015 Objectives Show Spark's ability to rapidly process Big Data Extracting information with RDDs Querying data using DataFrames Spark: A Coding Joyride Visualizing and plotting data Create a machine-learning pipeline

173 views • 6 slides
Be Fast Or Stay Behind Building a Continuous Delivery Platform Schlomo Schapiro, Systems

Be Fast Or Stay Behind Building a Continuous Delivery Platform Schlomo Schapiro, Systems

www.immobilienscout24.de Be Fast Or Stay Behind Building a Continuous Delivery Platform Schlomo Schapiro, Systems Architect &amp; Open Source Evangelist Ingmar Krusch, Team Lead in Operations License:

552 views • 37 slides
Software Security Economics: Theory, in Practice An Exploratory Analysis Stephan

Software Security Economics: Theory, in Practice An Exploratory Analysis Stephan

Software Security Economics: Theory, in Practice An Exploratory Analysis Stephan Neuhaus&lt;neuhaust@tik.ee.ethz.ch&gt; Bernhard Plattner &lt;plattner@tik.ee.ethz.ch&gt; Thursday, June 28, 12 Making the Best Use of Cybersecurity Economic

498 views • 30 slides
Database Management Systems Session 8 Instructor: Vinnie Costa vcosta@optonline.net CSC056-Z1

Database Management Systems Session 8 Instructor: Vinnie Costa vcosta@optonline.net CSC056-Z1

Database Management Systems Session 8 Instructor: Vinnie Costa vcosta@optonline.net CSC056-Z1 Database Management Systems Vinnie Costa Hofstra University 1 Its All In The Presentation!!! After a summer-long delay, Eastman

697 views • 59 slides
Great Lakes Observing System GLOS DMAC Infrastructure Hardware Server

Great Lakes Observing System GLOS DMAC Infrastructure Hardware Server

IOOS Regional Product Developers Workshop Great Lakes Observing System GLOS DMAC Infrastructure Hardware Server 1(Web/FTP/Application) x86_64 2* 4 Xeon CPU, 16GB RAM 300 GB RAID 1 Server 2(New Purchase) x86_64 4* 4 Xeon CPU,

351 views • 18 slides
ACMS Version 1.0.1 A System for Academic Course Management and Scheduling via the World Wide

ACMS Version 1.0.1 A System for Academic Course Management and Scheduling via the World Wide

ACMS v1.0.1 Project Presentation ACMS Version 1.0.1 A System for Academic Course Management and Scheduling via the World Wide Web CS 190 Spring 1997 Matthew J. Ho Page 1 of 15 ACMS v1.0.1 Project Presentation Problem Statement No

604 views • 15 slides
DAY 4 - INTERACTIVITY Robby Seitz 121 Powers Hall 915-7822 rseitz@olemiss.edu Interactive Web

DAY 4 - INTERACTIVITY Robby Seitz 121 Powers Hall 915-7822 rseitz@olemiss.edu Interactive Web

DAY 4 - INTERACTIVITY Robby Seitz 121 Powers Hall 915-7822 rseitz@olemiss.edu Interactive Web Pages Some pages are designed for visitor interaction: Search the site Register for something Post a comment Vote in a poll Edit

538 views • 20 slides
Design Patterns Leveraging Spark in PDI Chris Skirde Pentaho Director of Sales Engineering,

Design Patterns Leveraging Spark in PDI Chris Skirde Pentaho Director of Sales Engineering,

Design Patterns Leveraging Spark in PDI Chris Skirde Pentaho Director of Sales Engineering, Hitachi Vantara Rakesh Saha Pentaho Senior Product Manager, Hitachi Vantara Quiz Time! What is Spark? A. A good way to start a fire. B. Necessary

696 views • 17 slides

More recommend