| author | Holger Dengler <dengler@linutronix.de> | 2014-10-06 15:04:42 +0200 |
|---|---|---|
| committer | Holger Dengler <dengler@linutronix.de> | 2015-02-20 16:32:50 +0100 |
| commit | 6f1a0f8d9a272c953cb2ba6d7169b25412096c4e (patch) | |
| tree | fbd8ac14a3a4428720dfbc2f0142d633ee4288d0 /security | |
| parent | f328e684a274df1f820df5c5d9b685b8e6bd75d1 (diff) | |
security: Update
Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security')
| -rw-r--r-- | security/advanced/pres_advanced_sec.tex | 117 | ||||
| -rw-r--r-- | security/basics/pres_concept.tex | 9 | ||||
| -rw-r--r-- | security/crypto/Makefile | 4 | ||||
| -rw-r--r-- | security/crypto/pres_crypto_en.tex | 5 | ||||
| -rw-r--r-- | security/crypto/pres_pki_en.tex | 5 | ||||
| -rw-r--r-- | security/examples/pres_ex_firewall.tex | 5 | ||||
| -rw-r--r-- | security/firewall/pres_iptables.tex | 5 | ||||
| -rw-r--r-- | security/vpn/pres_vpn-fasttrack_en.tex | 5 |
8 files changed, 78 insertions, 77 deletions
diff --git a/security/advanced/pres_advanced_sec.tex b/security/advanced/pres_advanced_sec.tex index 5eb44c0..1a8c0b6 100644 --- a/security/advanced/pres_advanced_sec.tex +++ b/security/advanced/pres_advanced_sec.tex @@ -7,12 +7,6 @@ \def\lximg{none} -\subsection{} -\begin{frame} -\frametitle{Contents} -\tableofcontents -\end{frame} - % ---------------------------- \subsection{Basic Security Features} % ---------------------------- @@ -29,17 +23,17 @@ \begin{tiny} \begin{verbatim} # Add new user (interactive) -$ adduser <new_user> +adduser <new_user> # Remove existing user -$ deluser <user_name> +deluser <user_name> # Change password -$ passwd [<user_name>] +passwd [<user_name>] # Switch user ID -$ su <user_name> +su <user_name> # Run command as superuser (root) -$ sudo <command> +sudo <command> \end{verbatim} \end{tiny} \end{beamerboxesrounded} @@ -58,17 +52,17 @@ $ sudo <command> \begin{tiny} \begin{verbatim} # Add new group -$ addgroup <new_group> +addgroup <new_group> # Remove existing group -$ delgroup <group_name> +delgroup <group_name> # Add user to group -$ usermod <user_name> [-g <primary_gid>] [-G <list_of_supp_group_ids>] +usermod <user_name> [-g <primary_gid>] [-G <list_of_supp_group_ids>] # Show current user and group ID -$ id +id # Switch group ID -$ newgrp <group_name> +newgrp <group_name> \end{verbatim} \end{tiny} \end{beamerboxesrounded} @@ -87,7 +81,7 @@ $ newgrp <group_name> % ---------------------------- \subsubsection{Pluggable Authentication Modules (PAM)} \begin{frame}[fragile] -\frametitle{Users} +\frametitle{Pluggable Authentication Modules (PAM)} \begin{itemize} \item Pluggable shared libraries \item System-wide Authentication @@ -102,9 +96,6 @@ $ newgrp <group_name> \end{itemize} \end{frame} -% ---------------------------- -\subsection{Extended Security Features} -% ---------------------------- \subsubsection{File Access} \begin{frame}[fragile] 
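Review bot: Dropping the `$ ` prompt from the verbatim blocks (hunks @@ -29 and @@ -58 here, and @@ -148, @@ -268 and @@ -282 in the same file) removes the only cue about which commands need root: adduser, deluser, addgroup, delgroup and usermod require it, while id, newgrp and su do not, and the chattr slide later in this file keeps an explicit `sudo`. Either keep a `#`/`$` prompt convention or prefix the privileged commands the way the chattr slide does, e.g. `sudo adduser <new_user>` and `sudo usermod <user_name> [-g <primary_gid>] [-G <list_of_supp_group_ids>]`. The `passwd [<user_name>]` line also only accepts a user name when run as root, so a comment such as `# as root when changing another user's password` would keep that slide accurate.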
@@ -122,6 +113,40 @@ $ newgrp <group_name> % ---------------------------- \begin{frame}[fragile] +\frametitle{UserIDs and GroupIDs of a Process} +\begin{itemize} +\item Real + \begin{itemize} + \item privileged: \\ + set to any value + \item unprivileged: \\ + set to real or effective + \end{itemize} +\item Effective + \begin{itemize} + \item privileged: \\ + set to any value + \item unprivileged: \\ + set to real, effective, saved + \end{itemize} +\item Saved + \begin{itemize} + \item normal: \\ + set to real UID/GID + \item s-Bit: \\ + set to file UID/GID + \item privileged: \\ + set to any value + \end{itemize} +\end{itemize} +\end{frame} + +% ---------------------------- +\subsection{Extended Security Features} +% ---------------------------- + +% ---------------------------- +\begin{frame}[fragile] \frametitle{Access Control List (ACL)} \begin{itemize} \item More Users and Groups @@ -148,11 +173,11 @@ and Henry? \begin{beamerboxesrounded}[shadow=true]{Alternative Solution:} \begin{tiny} \begin{verbatim} -$ mkdir /data/shared/project_x -$ chown pm_admin:pm_admin /data/shared/project_x -$ setfacl -m user:sue:rwx /data/shared/project_x -$ setfacl -m user:bob:rwx /data/shared/project_x -$ setfacl -m user:henry:rwx /data/shared/project_x +mkdir /data/shared/project_x +chown pm_admin:pm_admin /data/shared/project_x +setfacl -m user:sue:rwx /data/shared/project_x +setfacl -m user:bob:rwx /data/shared/project_x +setfacl -m user:henry:rwx /data/shared/project_x \end{verbatim} \end{tiny} \end{beamerboxesrounded} @@ -164,7 +189,7 @@ $ setfacl -m user:henry:rwx /data/shared/project_x \begin{beamerboxesrounded}[shadow=true]{Result:} \begin{tiny} \begin{verbatim} -$ getfacl /data/shared/project_x +getfacl /data/shared/project_x # file: data/shared/project_x/ # owner: pm_admin # group: pm_admin 
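Review bot: The new `UserIDs and GroupIDs of a Process` frame lists the rules for changing each ID but never states where the saved ID comes from, which is the piece learners usually miss; `\item Saved (copied from the effective ID at exec)` would anchor the normal/s-Bit/privileged sub-items that follow. `s-Bit` is also undefined at this point in the deck, so spelling it out once as `set-user-ID bit` helps. The rules themselves look consistent with setreuid(2)/setresuid(2) as far as I can tell; supplementary groups and the filesystem UID are not covered, which is fine if out of scope but worth a footnote given the title.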
@@ -185,9 +210,11 @@ other::r-x \frametitle{Extended File Attributes} \begin{itemize} \item More File Attributes -\item a - append only -\item i - immutable -\item s - Override with zeros on delete + \begin{itemize} + \item a - append only + \item i - immutable + \item s - Override with zeros on delete + \end{itemize} \item Tools: \\ lsattr, chattr \item Requires: \\ @@ -204,15 +231,15 @@ other::r-x \item Q: You want to check what user Franz is typing on commandline? \item A: Look at /home/franz/.bash\_history \item But Franz is clever and deletes /home/franz/.bash\_history -\item Q: How can I prevent that? +\item Q: How can you prevent that? \end{itemize} \begin{beamerboxesrounded}[shadow=true]{Solution:} \begin{tiny} \begin{verbatim} -$ sudo chattr +a /home/franz/.bash_history -$ lsattr /home/franz/.bash_history +sudo chattr +a /home/franz/.bash_history +lsattr /home/franz/.bash_history -----a-------e-- /home/franz/.bash_history -$ rm /home/franz/.bash_history +rm /home/franz/.bash_history rm: cannot remove `/home/franz/.bash_history': Operation not permitted \end{verbatim} \end{tiny} @@ -257,6 +284,7 @@ rm: cannot remove `/home/franz/.bash_history': Operation not permitted \begin{itemize} \item Application Isolation \item Lightweight Vitalization +\item Based on cgroups and namespaces \item Easy namespace configuration and management \end{itemize} \end{frame} @@ -268,12 +296,12 @@ rm: cannot remove `/home/franz/.bash_history': Operation not permitted \begin{tiny} \begin{verbatim} # Start: Better for single commands -$ lxc-execute -n cont_name [-f config] /bin/bash +lxc-execute -n cont_name [-f config] /bin/bash # Start: Better for container systems -$ lxc-start -n cont_name [-f config] +lxc-start -n cont_name [-f config] # Stop container -$ lxc-stop -n foo +lxc-stop -n foo \end{verbatim} \end{tiny} \end{beamerboxesrounded} 
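Review bot: The re-indented attribute list in the `Extended File Attributes` frame still reads `s - Override with zeros on delete`; the intended word is `Overwrite`, and chattr(1) documents that the `s` (secure deletion) attribute is not honored by ext2/ext3/ext4 in mainline kernels, so a learner relying on it for data destruction would be misled. Suggest `\item s - Overwrite with zeros on delete (not honored by ext2/3/4)` so the caveat travels with the attribute.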
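Review bot: In hunk @@ -257 the line directly above the added `Based on cgroups and namespaces` item reads `Lightweight Vitalization`; since this frame is being edited anyway, fix the typo to `\item Lightweight Virtualization`. The added item is a good addition and makes the following `Easy namespace configuration and management` item read naturally.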
@@ -282,14 +310,14 @@ $ lxc-stop -n foo \begin{tiny} \begin{verbatim} # Pause/resume container (controlling group of processes) -$ lxc-freeze -n cont_name -$ lxc-unfreeze -n cont_name +lxc-freeze -n cont_name +lxc-unfreeze -n cont_name # Monitor container states -$ lxc-monitor -n cont_name +lxc-monitor -n cont_name # Attach to container console -$ lxc-console -n cont_name +lxc-console -n cont_name \end{verbatim} \end{tiny} \end{beamerboxesrounded} @@ -379,9 +407,12 @@ lxc.cgroup.devices.allow = b 8:0 rw \item Profile Relation to Domain: n..m \item Up to 255 Profiles \item Profile Modes: -\begin{itemize} -\item disabled, learning, permissive, enforcing -\end{itemize} + \begin{itemize} + \item disabled + \item learning + \item permissive + \item enforcing + \end{itemize} \item Logging \end{itemize} \end{frame} diff --git a/security/basics/pres_concept.tex b/security/basics/pres_concept.tex index d021f0c..c3b5682 100644 --- a/security/basics/pres_concept.tex +++ b/security/basics/pres_concept.tex @@ -9,11 +9,6 @@ \def\lximg{none} -\begin{frame} -\frametitle{Contents} -\tableofcontents -\end{frame} - % ---------------------------- \subsubsection{Terminology} @@ -32,7 +27,7 @@ Separate Issues After Delivery \begin{itemize} \item Safety: No Changes allowed -\item Security: Prompt Changes required +\item Security: Continuous Service required (pro-active) \end{itemize} \end{frame} @@ -83,7 +78,7 @@ How to protect: \begin{frame}[fragile] \frametitle{Access Control} \begin{itemize} -\item General Access +\item Least-required Privilege \item Role-based Access to Data \item Role-based Access to Functionality \item Role-based Access to Resources diff --git a/security/crypto/Makefile b/security/crypto/Makefile index a9a4b6c..a1a28af 100644 --- a/security/crypto/Makefile +++ b/security/crypto/Makefile 
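Review bot: In security/basics/pres_concept.tex hunk @@ -32, `Security: Continuous Service required (pro-active)` is less precise than the line it replaces; the contrast with `Safety: No Changes allowed` is that a secure product needs ongoing changes after delivery, so `\item Security: Continuous updates required (pro-active)` keeps the safety-vs-security tension explicit. If "service" is meant in the sense of maintenance service, a short parenthetical saying so would avoid the reading of service availability.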
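Review bot: In security/basics/pres_concept.tex hunk @@ -83, `Least-required Privilege` is a non-standard phrasing of the principle of least privilege, and the surrounding items use plain noun phrases; `\item Least Privilege` (or `\item Principle of Least Privilege`) is the term readers will recognise and search for. It also parallels the three `Role-based Access to …` items beneath it.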
@@ -1,2 +1,2 @@ -iobj-$(CONFIG_SECURITY_CRYPTO) += pres_crypto_en.pdf -iobj-$(CONFIG_SECURITY_PKI) += pres_pki_en.pdf +obj-$(CONFIG_SECURITY_CRYPTO) += pres_crypto_en.pdf +obj-$(CONFIG_SECURITY_PKI) += pres_pki_en.pdf diff --git a/security/crypto/pres_crypto_en.tex b/security/crypto/pres_crypto_en.tex index f2ab286..8fa19ce 100644 --- a/security/crypto/pres_crypto_en.tex +++ b/security/crypto/pres_crypto_en.tex @@ -12,11 +12,6 @@ \def\lximg{none} -\begin{frame} -\frametitle{Contents} -\tableofcontents -\end{frame} - % ---------------------------- \subsubsection{Fundamentals} diff --git a/security/crypto/pres_pki_en.tex b/security/crypto/pres_pki_en.tex index e24226a..ff0133b 100644 --- a/security/crypto/pres_pki_en.tex +++ b/security/crypto/pres_pki_en.tex @@ -12,11 +12,6 @@ \def\lximg{none} -\begin{frame} -\frametitle{Contents} -\tableofcontents -\end{frame} - % ---------------------------- \subsubsection{Fundamentals} diff --git a/security/examples/pres_ex_firewall.tex b/security/examples/pres_ex_firewall.tex index 84e384a..e6bc755 100644 --- a/security/examples/pres_ex_firewall.tex +++ b/security/examples/pres_ex_firewall.tex @@ -9,11 +9,6 @@ \def\lximg{none} -\begin{frame} -\frametitle{Contents} -\tableofcontents -\end{frame} - % ---------------------------- \subsubsection{Initialization} diff --git a/security/firewall/pres_iptables.tex b/security/firewall/pres_iptables.tex index 7b49ed0..1a99feb 100644 --- a/security/firewall/pres_iptables.tex +++ b/security/firewall/pres_iptables.tex @@ -9,11 +9,6 @@ \def\lximg{none} -\begin{frame} -\frametitle{Contents} -\tableofcontents -\end{frame} - % ---------------------------- \subsubsection{Basics} diff --git a/security/vpn/pres_vpn-fasttrack_en.tex b/security/vpn/pres_vpn-fasttrack_en.tex index 0e831e5..d8d8338 100644 --- a/security/vpn/pres_vpn-fasttrack_en.tex +++ b/security/vpn/pres_vpn-fasttrack_en.tex 
@@ -9,11 +9,6 @@ \def\lximg{none} -\begin{frame} -\frametitle{Contents} -\tableofcontents -\end{frame} - % ---------------------------- \subsubsection{Fundamentals} |
