authorHolger Dengler <dengler@linutronix.de>2013-04-05 00:38:19 +0200
committerHolger Dengler <dengler@linutronix.de>2015-02-20 16:32:50 +0100
commit6f5c4cecf57957921c9722d3ca31d780f346634f (patch)
tree67c8a2b53b014526948929d7f0f0605c546d8e9c /security
parent50596428e39e39cbaa90d786ea9e888971a861ee (diff)
Add presentation for advanced Security Mechanisms
Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security')
-rw-r--r--security/advanced/Makefile9
-rw-r--r--security/advanced/pres_advanced_sec.tex247
2 files changed, 256 insertions, 0 deletions
diff --git a/security/advanced/Makefile b/security/advanced/Makefile
new file mode 100644
index 0000000..257d70d
--- /dev/null
+++ b/security/advanced/Makefile
@@ -0,0 +1,9 @@
+all:
+ for pdf in `ls -1 handout_*.tex pres_*.tex 2> /dev/null` ; do \
+ TEXINPUTS=`pwd`/../..:.:..:$(TEXINPUTS) pdflatex $$pdf; \
+ TEXINPUTS=`pwd`/../..:.:..:$(TEXINPUTS) pdflatex $$pdf; \
+ done
+
+clean:
+ rm -f *.aux *.log *.pdf *.log *.snm *.toc *.vrb *.nav *.out
+
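Review bot: The `all` recipe does not fail when pdflatex fails, because inside the `for` loop only the exit status of the very last pdflatex run reaches make; a broken .tex file earlier in the list can leave a stale or missing PDF while the build reports success. Ending each pdflatex line with `|| exit 1; \` would stop the loop at the first error. Neither target is declared phony, so a file named `all` or `clean` in this directory would suppress it; `.PHONY: all clean` at the top avoids that. In the `clean` recipe `*.log` is listed twice.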
diff --git a/security/advanced/pres_advanced_sec.tex b/security/advanced/pres_advanced_sec.tex
new file mode 100644
index 0000000..863980b
--- /dev/null
+++ b/security/advanced/pres_advanced_sec.tex
@@ -0,0 +1,247 @@
+\def\lximg{/usr/share/lx/icons/fueller.png}
+
+\input{configpres}
+
+\subsection{Extended Security Features}
+
+\title{Extended Security Features}
+\maketitle
+
+\def\lximg{none}
+
+\begin{frame}
+\frametitle{Contents}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\subsubsection{File Access}
+
+\begin{frame}[fragile]
+\frametitle{Basic File Permissions}
+\begin{itemize}
+\item For each File or Directory
+\item Access Mode: \\
+ Read, Write, Execute (Entry)
+\item Access Role: \\
+ User, Group, Other
+\item Special: \\
+ Set UID, Set GID, Sticky
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Access Control List (ACL)}
+\begin{itemize}
+\item More Users and Groups
+\item Round up Groups
+\item Tools: \\
+ setfacl, getfacl
+\item Requires: \\
+ mount \dots -o acl
+\item Pitfalls: \\
+ Not all tools like tar support ACLs
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{ACL: Example}
+\begin{itemize}
+\item Sue, Bob and Henry working together on ProjectX. Sue and Henry are
+members of group \emph{dept\_a}, and Bob is member of group \emph{dept\_b}.
+\item Q: Do we really need another group \emph{project\_x} with members Sue, Bob
+and Henry?
+\item A: Not mandatorily.
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Alternative Solution:}
+\begin{tiny}
+\begin{verbatim}
+$ mkdir /data/shared/project_x
+$ chown pm_admin:pm_admin /data/shared/project_x
+$ setfacl -m user:sue:rwx /data/shared/project_x
+$ setfacl -m user:bob:rwx /data/shared/project_x
+$ setfacl -m user:henry:rwx /data/shared/project_x
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{ACL: Example (2)}
+\begin{beamerboxesrounded}[shadow=true]{Result:}
+\begin{tiny}
+\begin{verbatim}
+$ getfacl /data/shared/project_x
+# file: data/shared/project_x/
+# owner: pm_admin
+# group: pm_admin
+user::rwx
+user:sue:rwx
+user:bob:rwx
+user:henry:rwx
+group::r-x
+mask::rwx
+other::r-x
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Extended File Attributes}
+\begin{itemize}
+\item More File Attributes
+\item a - append only
+\item i - immutable
+\item s - Override with zeros on delete
+\item Tools: \\
+ lsattr, chattr
+\item Requires: \\
+ root or mount \dots -o user\_xattr
+\item Pitfalls: \\
+ Not all tools like tar support xattr
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{xattr: Example}
+\begin{itemize}
+\item Q: You want to check what user Franz is typing on commandline?
+\item A: Look at /home/franz/.bash\_history
+\item But Franz is clever and deletes /home/franz/.bash\_history
+\item Q: How can I prevent that?
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{tiny}
+\begin{verbatim}
+$ sudo chattr +a /home/franz/.bash_history
+$ lsattr /home/franz/.bash_history
+-----a-------e-- /home/franz/.bash_history
+$ rm /home/franz/.bash_history
+rm: cannot remove `/home/franz/.bash_history': Operation not permitted
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Process}
+
+\begin{frame}[fragile]
+\frametitle{Process Isolation}
+\begin{itemize}
+\item Separate Address Space
+\item Isolated Filesystem (chroot)
+\item Address Space Layout Randomization
+\item Namespaces (Mount, UTS, IPC, PID, Network, and User)
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Advanced Resource Access Control}
+
+\begin{frame}[fragile]
+\frametitle{Linux Security Modules}
+\begin{itemize}
+\item Implement Mandatory Access Control
+\item SELinux, AppArmor, Tomoyo \dots
+\item Context sensitive Resource Access
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Domain}
+\begin{itemize}
+\item Domain transition for each starting Process
+\item Default: Inherit previous Domain
+\item Note: Domains are unique
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Example:}
+\begin{small}
+\begin{verbatim}
+<kernel> /sbin/init /etc/rc.d/rc
+<kernel> /sbin/init /etc/rc.d/rc.sysinit /etc/rc.d/rc
+\end{verbatim}
+\end{small}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Domain Transition Management}
+\begin{itemize}
+\item Control Domain Transition Behavior
+\item Syntax: <directive> <domain> from <domain>
+\item Directives:
+\begin{itemize}
+\item initialize\_domain / no\_initialize\_domain
+\item keep\_domain / no\_keep\_domain
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Profile}
+\begin{itemize}
+\item Profiles define Domain restriction behavior
+\item Profile Relation to Domain: n..m
+\item Up to 255 Profiles
+\item Profile Modes:
+\begin{itemize}
+\item disabled, learning, permissive, enforcing
+\end{itemize}
+\item Logging
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Policy}
+\begin{itemize}
+\item Policies describe Domain restrictions
+\item Policy for each Domain
+\item Directives:
+\begin{itemize}
+\item file (read, write, execute, append, chown, chgrp, create, mkfifo, \dots)
+\item misc env
+\item network inet (stream, dgram, raw)
+\item network unix (stream, dgram, seqpacket)
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Tools}
+\begin{itemize}
+\item tomoyo-editpolicy
+\item tomoyo-selectpolicy
+\item tomoyo-patternize
+\item tomoyo-diffpolicy
+\item tomoyo-sortpolicy
+\item tomoyo-loadpolicy
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Others}
+
+\begin{frame}[fragile]
+\frametitle{Others}
+\begin{itemize}
+\item Linux Integrity Subsystem (IMA/EVM)
+\item Signed Kernel Modules
+\item Singed Repositories (apt, yum, \dots)
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsection{}
+\input{tailpres}
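Review bot: The frame "Extended File Attributes" lists the `chattr`/`lsattr` flags (a, i, s) under an xattr heading, but those are inode flags, not extended attributes; the item `root or mount \dots -o user\_xattr` belongs to `setfattr`/`getfattr`, so this frame and "xattr: Example" would be more accurate titled as file attributes, with xattr treated separately. The example should also carry a caveat that `chattr +a` only prevents removing or truncating the file: the shell runs as Franz and decides whether history is written at all, so this is not an audit trail, and a kernel-side facility such as auditd is the appropriate tool for monitoring. On the `s` item, `Override with zeros on delete` should read `Overwrite with zeros on delete`, and as far as I know the flag is not honoured by the mainline ext2/3/4 implementations, which deserves a note on the slide. In the last frame `Singed Repositories` should be `Signed Repositories`.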