authorHolger Dengler <dengler@linutronix.de>2014-10-06 15:04:42 +0200
committerHolger Dengler <dengler@linutronix.de>2015-02-20 16:32:50 +0100
commit6f1a0f8d9a272c953cb2ba6d7169b25412096c4e (patch)
treefbd8ac14a3a4428720dfbc2f0142d633ee4288d0 /security/advanced
parentf328e684a274df1f820df5c5d9b685b8e6bd75d1 (diff)
security: Update
Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security/advanced')
-rw-r--r--security/advanced/pres_advanced_sec.tex117
1 files changed, 74 insertions, 43 deletions
diff --git a/security/advanced/pres_advanced_sec.tex b/security/advanced/pres_advanced_sec.tex
index 5eb44c0..1a8c0b6 100644
--- a/security/advanced/pres_advanced_sec.tex
+++ b/security/advanced/pres_advanced_sec.tex
@@ -7,12 +7,6 @@
\def\lximg{none}
-\subsection{}
-\begin{frame}
-\frametitle{Contents}
-\tableofcontents
-\end{frame}
-
% ----------------------------
\subsection{Basic Security Features}
% ----------------------------
@@ -29,17 +23,17 @@
\begin{tiny}
\begin{verbatim}
# Add new user (interactive)
-$ adduser <new_user>
+adduser <new_user>
# Remove existing user
-$ deluser <user_name>
+deluser <user_name>
# Change password
-$ passwd [<user_name>]
+passwd [<user_name>]
# Switch user ID
-$ su <user_name>
+su <user_name>
# Run command as superuser (root)
-$ sudo <command>
+sudo <command>
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
@@ -58,17 +52,17 @@ $ sudo <command>
\begin{tiny}
\begin{verbatim}
# Add new group
-$ addgroup <new_group>
+addgroup <new_group>
# Remove existing group
-$ delgroup <group_name>
+delgroup <group_name>
# Add user to group
-$ usermod <user_name> [-g <primary_gid>] [-G <list_of_supp_group_ids>]
+usermod <user_name> [-g <primary_gid>] [-G <list_of_supp_group_ids>]
# Show current user and group ID
-$ id
+id
# Switch group ID
-$ newgrp <group_name>
+newgrp <group_name>
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
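Review bot: The `usermod` line kept on the new side is wrong in a way that matters for a slide labelled `# Add user to group`: usermod(8) takes the login as its last argument, and `-G` without `-a` replaces the user's entire supplementary group list, so anyone following the example as written silently drops the user out of every group not listed (sudo/wheel included). Suggest `# Add user to supplementary group(s); -a appends, -G alone replaces the list` followed by `usermod [-g <primary_gid>] -a -G <list_of_supp_groups> <user_name>`. Removing the `$ ` prompts is fine, but this is the moment to correct the example, since these lines are pasted into shells verbatim.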
@@ -87,7 +81,7 @@ $ newgrp <group_name>
% ----------------------------
\subsubsection{Pluggable Authentication Modules (PAM)}
\begin{frame}[fragile]
-\frametitle{Users}
+\frametitle{Pluggable Authentication Modules (PAM)}
\begin{itemize}
\item Pluggable shared libraries
\item System-wide Authentication
@@ -102,9 +96,6 @@ $ newgrp <group_name>
\end{itemize}
\end{frame}
-% ----------------------------
-\subsection{Extended Security Features}
-% ----------------------------
\subsubsection{File Access}
\begin{frame}[fragile]
@@ -122,6 +113,40 @@ $ newgrp <group_name>
% ----------------------------
\begin{frame}[fragile]
+\frametitle{UserIDs and GroupIDs of a Process}
+\begin{itemize}
+\item Real
+ \begin{itemize}
+ \item privileged: \\
+ set to any value
+ \item unprivileged: \\
+ set to real or effective
+ \end{itemize}
+\item Effective
+ \begin{itemize}
+ \item privileged: \\
+ set to any value
+ \item unprivileged: \\
+ set to real, effective, saved
+ \end{itemize}
+\item Saved
+ \begin{itemize}
+ \item normal: \\
+ set to real UID/GID
+ \item s-Bit: \\
+ set to file UID/GID
+ \item privileged: \\
+ set to any value
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsection{Extended Security Features}
+% ----------------------------
+
+% ----------------------------
+\begin{frame}[fragile]
\frametitle{Access Control List (ACL)}
\begin{itemize}
\item More Users and Groups
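Review bot: The new frame's Saved entry `normal: set to real UID/GID` is imprecise: per exec(2) the saved set-ID is copied from the process's new effective ID, which coincides with the real ID only when the two already matched before the exec, and a whole class of privilege-dropping bugs hinges on exactly that distinction. Suggest `\item normal (exec without s-Bit): \\ set to the new effective UID/GID`. The frame also never says what `privileged` means; on Linux it is holding CAP\_SETUID / CAP\_SETGID rather than being UID 0, so `\item privileged (CAP\_SETUID / CAP\_SETGID): \\ set to any value` on at least the first occurrence would head off the usual misreading. The Real/Effective rules for unprivileged processes match setreuid(2)/setresuid(2) as far as I can tell.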
@@ -148,11 +173,11 @@ and Henry?
\begin{beamerboxesrounded}[shadow=true]{Alternative Solution:}
\begin{tiny}
\begin{verbatim}
-$ mkdir /data/shared/project_x
-$ chown pm_admin:pm_admin /data/shared/project_x
-$ setfacl -m user:sue:rwx /data/shared/project_x
-$ setfacl -m user:bob:rwx /data/shared/project_x
-$ setfacl -m user:henry:rwx /data/shared/project_x
+mkdir /data/shared/project_x
+chown pm_admin:pm_admin /data/shared/project_x
+setfacl -m user:sue:rwx /data/shared/project_x
+setfacl -m user:bob:rwx /data/shared/project_x
+setfacl -m user:henry:rwx /data/shared/project_x
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
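Review bot: The ACL example grants sue, bob and henry `rwx` but leaves `other` at whatever `mkdir` and the umask produced; the Result slide later in this file appears to still show `other::r-x`, so every account on the host can list the project directory and read any world-readable file dropped into it. It also sets no default ACL, so files created inside do not inherit the three users' entries and teammates cannot edit each other's work. Suggest appending `setfacl -m other::--- /data/shared/project_x` and `setfacl -d -m user:sue:rwx,user:bob:rwx,user:henry:rwx /data/shared/project_x`, and regenerating the `getfacl` output on the Result slide accordingly.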
@@ -164,7 +189,7 @@ $ setfacl -m user:henry:rwx /data/shared/project_x
\begin{beamerboxesrounded}[shadow=true]{Result:}
\begin{tiny}
\begin{verbatim}
-$ getfacl /data/shared/project_x
+getfacl /data/shared/project_x
# file: data/shared/project_x/
# owner: pm_admin
# group: pm_admin
@@ -185,9 +210,11 @@ other::r-x
\frametitle{Extended File Attributes}
\begin{itemize}
\item More File Attributes
-\item a - append only
-\item i - immutable
-\item s - Override with zeros on delete
+ \begin{itemize}
+ \item a - append only
+ \item i - immutable
+ \item s - Override with zeros on delete
+ \end{itemize}
\item Tools: \\
lsattr, chattr
\item Requires: \\
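Review bot: `s - Override with zeros on delete` has a typo (`Overwrite`), and more importantly presents secure deletion as a working feature: chattr(1) documents that the `s` (and `u`) attributes are not honored by ext2/3/4 in mainline kernels, so on the filesystems this audience is most likely to run the flag is a no-op, which is a misleading promise on a security slide. Suggest `\item s - overwrite with zeros on delete (not honored by ext2/3/4 in mainline kernels, see chattr(1))`. The `a` and `i` bullets are correct; it may be worth adding that setting or clearing them needs CAP\_LINUX\_IMMUTABLE, which is what makes them useful against a non-root local attacker. The `Requires:` item continues outside the hunk.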
@@ -204,15 +231,15 @@ other::r-x
\item Q: You want to check what user Franz is typing on commandline?
\item A: Look at /home/franz/.bash\_history
\item But Franz is clever and deletes /home/franz/.bash\_history
-\item Q: How can I prevent that?
+\item Q: How can you prevent that?
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Solution:}
\begin{tiny}
\begin{verbatim}
-$ sudo chattr +a /home/franz/.bash_history
-$ lsattr /home/franz/.bash_history
+sudo chattr +a /home/franz/.bash_history
+lsattr /home/franz/.bash_history
-----a-------e-- /home/franz/.bash_history
-$ rm /home/franz/.bash_history
+rm /home/franz/.bash_history
rm: cannot remove `/home/franz/.bash_history': Operation not permitted
\end{verbatim}
\end{tiny}
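Review bot: The `chattr +a` solution does not answer the slide's question of preventing Franz from hiding his commands: it only blocks unlink/truncate, while bash still honours `unset HISTFILE`, `HISTSIZE=0`, `set +o history`, a leading space with HISTCONTROL, or simply running another shell, so the file records what a cooperative user types and is not an audit trail. Worse, bash by default rewrites HISTFILE on exit (opening it with truncation), which an append-only file refuses, so history stops being saved at all unless `shopt -s histappend` is set system-wide; that belongs on the slide next to the chattr command. Suggest adding `\item Caveat: needs \texttt{shopt -s histappend}; the user can still disable history (HISTFILE, HISTSIZE, set +o history) --- for a real audit trail use auditd / pam\_tty\_audit`. The `rm ... Operation not permitted` output shown is correct.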
@@ -257,6 +284,7 @@ rm: cannot remove `/home/franz/.bash_history': Operation not permitted
\begin{itemize}
\item Application Isolation
\item Lightweight Vitalization
+\item Based on cgroups and namespaces
\item Easy namespace configuration and management
\end{itemize}
\end{frame}
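Review bot: The new `Based on cgroups and namespaces` bullet lacks the caveat a frame headed `Application Isolation` needs: LXC containers share the host kernel, so the isolation boundary is the kernel's own attack surface plus whatever the container configuration grants. The device rule visible in a later hunk header, `lxc.cgroup.devices.allow = b 8:0 rw`, appears to give the container read-write access to what is normally the first whole SCSI disk, which would defeat that isolation entirely if it is used as the example config; worth checking. Suggest `\item Shares the host kernel --- isolation is only as strong as the namespace/cgroup configuration` directly after the new bullet. The `Lightweight Vitalization` typo (`Virtualization`) on the context line above could be fixed in the same pass.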
@@ -268,12 +296,12 @@ rm: cannot remove `/home/franz/.bash_history': Operation not permitted
\begin{tiny}
\begin{verbatim}
# Start: Better for single commands
-$ lxc-execute -n cont_name [-f config] /bin/bash
+lxc-execute -n cont_name [-f config] /bin/bash
# Start: Better for container systems
-$ lxc-start -n cont_name [-f config]
+lxc-start -n cont_name [-f config]
# Stop container
-$ lxc-stop -n foo
+lxc-stop -n foo
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
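Review bot: `lxc-stop -n foo` on the new side uses a different container name from the `lxc-execute` and `lxc-start` lines just above (`cont_name`), which reads as a leftover and trips up a reader copying the start/stop sequence; suggest `lxc-stop -n cont_name`. The prompt removal itself is consistent with the other frames.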
@@ -282,14 +310,14 @@ $ lxc-stop -n foo
\begin{tiny}
\begin{verbatim}
# Pause/resume container (controlling group of processes)
-$ lxc-freeze -n cont_name
-$ lxc-unfreeze -n cont_name
+lxc-freeze -n cont_name
+lxc-unfreeze -n cont_name
# Monitor container states
-$ lxc-monitor -n cont_name
+lxc-monitor -n cont_name
# Attach to container console
-$ lxc-console -n cont_name
+lxc-console -n cont_name
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
@@ -379,9 +407,12 @@ lxc.cgroup.devices.allow = b 8:0 rw
\item Profile Relation to Domain: n..m
\item Up to 255 Profiles
\item Profile Modes:
-\begin{itemize}
-\item disabled, learning, permissive, enforcing
-\end{itemize}
+ \begin{itemize}
+ \item disabled
+ \item learning
+ \item permissive
+ \item enforcing
+ \end{itemize}
\item Logging
\end{itemize}
\end{frame}