From 6f1a0f8d9a272c953cb2ba6d7169b25412096c4e Mon Sep 17 00:00:00 2001
From: Holger Dengler
Date: Mon, 6 Oct 2014 15:04:42 +0200
Subject: security: Update

Signed-off-by: Holger Dengler
---
 security/advanced/pres_advanced_sec.tex | 117 ++++++++++++++++++++------------
 1 file changed, 74 insertions(+), 43 deletions(-)

(limited to 'security/advanced/pres_advanced_sec.tex')

diff --git a/security/advanced/pres_advanced_sec.tex b/security/advanced/pres_advanced_sec.tex
index 5eb44c0..1a8c0b6 100644
--- a/security/advanced/pres_advanced_sec.tex
+++ b/security/advanced/pres_advanced_sec.tex
@@ -7,12 +7,6 @@
 \def\lximg{none}
 
-\subsection{}
-\begin{frame}
-\frametitle{Contents}
-\tableofcontents
-\end{frame}
-
 % ----------------------------
 \subsection{Basic Security Features}
 % ----------------------------
@@ -29,17 +23,17 @@
 \begin{tiny}
 \begin{verbatim}
 # Add new user (interactive)
-$ adduser
+adduser
 # Remove existing user
-$ deluser
+deluser
 # Change password
-$ passwd []
+passwd []
 # Switch user ID
-$ su
+su
 # Run command as superuser (root)
-$ sudo
+sudo
 \end{verbatim}
 \end{tiny}
 \end{beamerboxesrounded}
@@ -58,17 +52,17 @@ $ sudo
 \begin{tiny}
 \begin{verbatim}
 # Add new group
-$ addgroup
+addgroup
 # Remove existing group
-$ delgroup
+delgroup
 # Add user to group
-$ usermod [-g ] [-G ]
+usermod [-g ] [-G ]
 # Show current user and group ID
-$ id
+id
 # Switch group ID
-$ newgrp
+newgrp
 \end{verbatim}
 \end{tiny}
 \end{beamerboxesrounded}
@@ -87,7 +81,7 @@ $ newgrp
 % ----------------------------
 \subsubsection{Pluggable Authentication Modules (PAM)}
 \begin{frame}[fragile]
-\frametitle{Users}
+\frametitle{Pluggable Authentication Modules (PAM)}
 \begin{itemize}
 \item Pluggable shared libraries
 \item System-wide Authentication
@@ -102,9 +96,6 @@ $ newgrp
 \end{itemize}
 \end{frame}
 
-% ----------------------------
-\subsection{Extended Security Features}
-% ----------------------------
 \subsubsection{File Access}
 \begin{frame}[fragile]
@@ -120,6 +111,40 @@ $ newgrp
 \end{itemize}
 \end{frame}
 
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{UserIDs and GroupIDs of a Process}
+\begin{itemize}
+\item Real
+ \begin{itemize}
+ \item privileged: \\
+ set to any value
+ \item unprivileged: \\
+ set to real or effective
+ \end{itemize}
+\item Effective
+ \begin{itemize}
+ \item privileged: \\
+ set to any value
+ \item unprivileged: \\
+ set to real, effective, saved
+ \end{itemize}
+\item Saved
+ \begin{itemize}
+ \item normal: \\
+ set to real UID/GID
+ \item s-Bit: \\
+ set to file UID/GID
+ \item privileged: \\
+ set to any value
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsection{Extended Security Features}
+% ----------------------------
+
 % ----------------------------
 \begin{frame}[fragile]
 \frametitle{Access Control List (ACL)}
@@ -148,11 +173,11 @@ and Henry?
 \begin{beamerboxesrounded}[shadow=true]{Alternative Solution:}
 \begin{tiny}
 \begin{verbatim}
-$ mkdir /data/shared/project_x
-$ chown pm_admin:pm_admin /data/shared/project_x
-$ setfacl -m user:sue:rwx /data/shared/project_x
-$ setfacl -m user:bob:rwx /data/shared/project_x
-$ setfacl -m user:henry:rwx /data/shared/project_x
+mkdir /data/shared/project_x
+chown pm_admin:pm_admin /data/shared/project_x
+setfacl -m user:sue:rwx /data/shared/project_x
+setfacl -m user:bob:rwx /data/shared/project_x
+setfacl -m user:henry:rwx /data/shared/project_x
 \end{verbatim}
 \end{tiny}
 \end{beamerboxesrounded}
@@ -164,7 +189,7 @@ $ setfacl -m user:henry:rwx /data/shared/project_x
 \begin{beamerboxesrounded}[shadow=true]{Result:}
 \begin{tiny}
 \begin{verbatim}
-$ getfacl /data/shared/project_x
+getfacl /data/shared/project_x
 # file: data/shared/project_x/
 # owner: pm_admin
 # group: pm_admin
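Review bot: The "Saved" bullet of the new "UserIDs and GroupIDs of a Process" frame lists only how the saved ID is initialised at exec plus the privileged case, but an unprivileged process can change it too: with setreuid() the saved ID follows the new effective ID whenever the real ID is changed, and with setresuid() each of the three IDs may be set to any of the current real, effective or saved values, which also widens the "Real" bullet beyond "real or effective". The practical point a security course should draw from this is worth a fourth bullet: a setuid program must drop privileges by setting all three IDs (setresgid()/setresuid(), groups before user), because setuid() called with a non-root effective ID changes only the effective ID and the saved root ID keeps the privilege recoverable; `\item Dropping privileges: \\ set real, effective and saved (setresuid), then verify that setuid(0) fails`. If the frame is meant to describe only setreuid() semantics, saying so in the title would avoid the mismatch.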
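Review bot: The five setfacl lines grant access on the directory only; files that sue, bob or henry create inside project_x get their ordinary owner/group/other mode and none of these entries, so without a default ACL the three still cannot edit each other's work, which presumably is the point of the "Alternative Solution". Adding `setfacl -d -m user:sue:rwx /data/shared/project_x` (and likewise for bob and henry), or `-m` combined with `-d` in one call, closes that gap. The getfacl result shown in the next hunk's context still lists `other::r-x`, so every account on the host can traverse and list the project directory; a `chmod o-rx /data/shared/project_x` after the chown would make the example match a "only these users" requirement, or the slide should say that world-listable is intended.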
@@ -185,9 +210,11 @@ other::r-x
 \frametitle{Extended File Attributes}
 \begin{itemize}
 \item More File Attributes
-\item a - append only
-\item i - immutable
-\item s - Override with zeros on delete
+ \begin{itemize}
+ \item a - append only
+ \item i - immutable
+ \item s - Override with zeros on delete
+ \end{itemize}
 \item Tools: \\
 lsattr, chattr
 \item Requires: \\
@@ -204,15 +231,15 @@ other::r-x
 \item Q: You want to check what user Franz is typing on commandline?
 \item A: Look at /home/franz/.bash\_history
 \item But Franz is clever and deletes /home/franz/.bash\_history
-\item Q: How can I prevent that?
+\item Q: How can you prevent that?
 \end{itemize}
 \begin{beamerboxesrounded}[shadow=true]{Solution:}
 \begin{tiny}
 \begin{verbatim}
-$ sudo chattr +a /home/franz/.bash_history
-$ lsattr /home/franz/.bash_history
+sudo chattr +a /home/franz/.bash_history
+lsattr /home/franz/.bash_history
 -----a-------e-- /home/franz/.bash_history
-$ rm /home/franz/.bash_history
+rm /home/franz/.bash_history
 rm: cannot remove `/home/franz/.bash_history': Operation not permitted
 \end{verbatim}
 \end{tiny}
@@ -257,6 +284,7 @@ rm: cannot remove `/home/franz/.bash_history': Operation not permitted
 \begin{itemize}
 \item Application Isolation
 \item Lightweight Vitalization
+\item Based on cgroups and namespaces
 \item Easy namespace configuration and management
 \end{itemize}
 \end{frame}
@@ -268,12 +296,12 @@ rm: cannot remove `/home/franz/.bash_history': Operation not permitted
 \begin{tiny}
 \begin{verbatim}
 # Start: Better for single commands
-$ lxc-execute -n cont_name [-f config] /bin/bash
+lxc-execute -n cont_name [-f config] /bin/bash
 
 # Start: Better for container systems
-$ lxc-start -n cont_name [-f config]
+lxc-start -n cont_name [-f config]
 
 # Stop container
-$ lxc-stop -n foo
+lxc-stop -n foo
 \end{verbatim}
 \end{tiny}
 \end{beamerboxesrounded}
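Review bot: The re-nested bullet `s - Override with zeros on delete` should read "Overwrite", and it needs a caveat because chattr(1) states that the `s` (secure deletion) attribute is not honoured by ext2, ext3 and ext4, so on the usual filesystems setting it gives no security benefit at all: `\item s - Overwrite with zeros on delete (not honoured by ext2/3/4)`. By contrast `a` and `i` are enforced by the kernel for every process, and can only be set or cleared with CAP_LINUX_IMMUTABLE, which is the property the following .bash_history example relies on and would be worth stating here.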
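Review bot: The `sudo chattr +a /home/franz/.bash_history` solution does not answer the "what is Franz typing" question, because the history file is written by Franz's own shell: by default bash rewrites the file at exit with O_TRUNC, which an append-only file refuses, so unless `shopt -s histappend` is set and the HISTFILESIZE truncation disabled the attribute results in no history being saved at all, and Franz can in any case `unset HISTFILE`, run `history -c`, start another shell, or kill his shell with SIGKILL. The slide should say what `+a` actually guarantees — the existing file cannot be removed or truncated, even by its owner — and point to pam_tty_audit or auditd execve logging as the mechanism that records commands outside the user's control; a bullet such as `\item Note: only protects the file, not the logging -- use pam_tty_audit/auditd for real command auditing` would do.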
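Review bot: `Lightweight Vitalization` on the line above the new bullet should be `Lightweight Virtualization`; since the list is being edited anyway, fixing it in the same commit avoids the typo surviving on the slide. The new bullet is accurate as far as it goes; if the course later covers the LXC config (the `lxc.cgroup.devices.allow` context in the last hunk suggests it does), it may be worth saying here that isolation also depends on the capability drop and device cgroup rules in that config, not on namespaces alone.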
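Review bot: `lxc-stop -n foo` uses a different container name from the `cont_name` placeholder in the `lxc-execute` and `lxc-start` lines just above, which reads as if a second container were being stopped; `lxc-stop -n cont_name` keeps the example consistent with the rest of the box and with the freeze/monitor/console box that follows.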
@@ -282,14 +310,14 @@ $ lxc-stop -n foo
 \begin{tiny}
 \begin{verbatim}
 # Pause/resume container (controlling group of processes)
-$ lxc-freeze -n cont_name
-$ lxc-unfreeze -n cont_name
+lxc-freeze -n cont_name
+lxc-unfreeze -n cont_name
 
 # Monitor container states
-$ lxc-monitor -n cont_name
+lxc-monitor -n cont_name
 
 # Attach to container console
-$ lxc-console -n cont_name
+lxc-console -n cont_name
 \end{verbatim}
 \end{tiny}
 \end{beamerboxesrounded}
@@ -379,9 +407,12 @@ lxc.cgroup.devices.allow = b 8:0 rw
 \item Profile Relation to Domain: n..m
 \item Up to 255 Profiles
 \item Profile Modes:
-\begin{itemize}
-\item disabled, learning, permissive, enforcing
-\end{itemize}
+ \begin{itemize}
+ \item disabled
+ \item learning
+ \item permissive
+ \item enforcing
+ \end{itemize}
 \item Logging
 \end{itemize}
 \end{frame}
-- 
cgit v1.2.3