From 6f5c4cecf57957921c9722d3ca31d780f346634f Mon Sep 17 00:00:00 2001
From: Holger Dengler
Date: Fri, 5 Apr 2013 00:38:19 +0200
Subject: Add presentation for advanced Security Mechanisms

Signed-off-by: Holger Dengler
---
security/advanced/pres_advanced_sec.tex | 247 ++++++++++++++++++++++++++++++++
1 file changed, 247 insertions(+)
create mode 100644 security/advanced/pres_advanced_sec.tex
(limited to 'security/advanced/pres_advanced_sec.tex')
diff --git a/security/advanced/pres_advanced_sec.tex b/security/advanced/pres_advanced_sec.tex
new file mode 100644
index 0000000..863980b
--- /dev/null
+++ b/security/advanced/pres_advanced_sec.tex
@@ -0,0 +1,247 @@
+\def\lximg{/usr/share/lx/icons/fueller.png}
+
+\input{configpres}
+
+\subsection{Extended Security Features}
+
+\title{Extended Security Features}
+\maketitle
+
+\def\lximg{none}
+
+\begin{frame}
+\frametitle{Contents}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\subsubsection{File Access}
+
+\begin{frame}[fragile]
+\frametitle{Basic File Permissions}
+\begin{itemize}
+\item For each File or Directory
+\item Access Mode: \\
+ Read, Write, Execute (Entry)
+\item Access Role: \\
+ User, Group, Other
+\item Special: \\
+ Set UID, Set GID, Sticky
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Access Control List (ACL)}
+\begin{itemize}
+\item More Users and Groups
+\item Round up Groups
+\item Tools: \\
+ setfacl, getfacl
+\item Requires: \\
+ mount \dots -o acl
+\item Pitfalls: \\
+ Not all tools like tar support ACLs
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{ACL: Example}
+\begin{itemize}
+\item Sue, Bob and Henry working together on ProjectX. Sue and Henry are
+members of group \emph{dept\_a}, and Bob is member of group \emph{dept\_b}.
+\item Q: Do we really need another group \emph{project\_x} with members Sue, Bob
+and Henry?
+\item A: Not mandatorily.
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Alternative Solution:}
+\begin{tiny}
+\begin{verbatim}
+$ mkdir /data/shared/project_x
+$ chown pm_admin:pm_admin /data/shared/project_x
+$ setfacl -m user:sue:rwx /data/shared/project_x
+$ setfacl -m user:bob:rwx /data/shared/project_x
+$ setfacl -m user:henry:rwx /data/shared/project_x
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{ACL: Example (2)}
+\begin{beamerboxesrounded}[shadow=true]{Result:}
+\begin{tiny}
+\begin{verbatim}
+$ getfacl /data/shared/project_x
+# file: data/shared/project_x/
+# owner: pm_admin
+# group: pm_admin
+user::rwx
+user:sue:rwx
+user:bob:rwx
+user:henry:rwx
+group::r-x
+mask::rwx
+other::r-x
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Extended File Attributes}
+\begin{itemize}
+\item More File Attributes
+\item a - append only
+\item i - immutable
+\item s - Override with zeros on delete
+\item Tools: \\
+ lsattr, chattr
+\item Requires: \\
+ root or mount \dots -o user\_xattr
+\item Pitfalls: \\
+ Not all tools like tar support xattr
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{xattr: Example}
+\begin{itemize}
+\item Q: You want to check what user Franz is typing on commandline?
+\item A: Look at /home/franz/.bash\_history
+\item But Franz is clever and deletes /home/franz/.bash\_history
+\item Q: How can I prevent that?
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{tiny}
+\begin{verbatim}
+$ sudo chattr +a /home/franz/.bash_history
+$ lsattr /home/franz/.bash_history
+-----a-------e-- /home/franz/.bash_history
+$ rm /home/franz/.bash_history
+rm: cannot remove `/home/franz/.bash_history': Operation not permitted
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Process}
+
+\begin{frame}[fragile]
+\frametitle{Process Isolation}
+\begin{itemize}
+\item Separate Address Space
+\item Isolated Filesystem (chroot)
+\item Address Space Layout Randomization
+\item Namespaces (Mount, UTS, IPC, PID, Network, and User)
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Advanced Resource Access Control}
+
+\begin{frame}[fragile]
+\frametitle{Linux Security Modules}
+\begin{itemize}
+\item Implement Mandatory Access Control
+\item SELinux, AppArmor, Tomoyo \dots
+\item Context sensitive Resource Access
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Domain}
+\begin{itemize}
+\item Domain transition for each starting Process
+\item Default: Inherit previous Domain
+\item Note: Domains are unique
+\end{itemize}
+\begin{beamerboxesrounded}[shadow=true]{Example:}
+\begin{small}
+\begin{verbatim}
+ /sbin/init /etc/rc.d/rc
+ /sbin/init /etc/rc.d/rc.sysinit /etc/rc.d/rc
+\end{verbatim}
+\end{small}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Domain Transition Management}
+\begin{itemize}
+\item Control Domain Transition Behavior
+\item Syntax: from
+\item Directives:
+\begin{itemize}
+\item initialize\_domain / no\_initialize\_domain
+\item keep\_domain / no\_keep\_domain
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Profile}
+\begin{itemize}
+\item Profiles define Domain restriction behavior
+\item Profile Relation to Domain: n..m
+\item Up to 255 Profiles
+\item Profile Modes:
+\begin{itemize}
+\item disabled, learning, permissive, enforcing
+\end{itemize}
+\item Logging
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Policy}
+\begin{itemize}
+\item Policies describe Domain restrictions
+\item Policy for each Domain
+\item Directives:
+\begin{itemize}
+\item file (read, write, execute, append, chown, chgrp, create, mkfifo, \dots)
+\item misc env
+\item network inet (stream, dgram, raw)
+\item network unix (stream, dgram, seqpacket)
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Tools}
+\begin{itemize}
+\item tomoyo-editpolicy
+\item tomoyo-selectpolicy
+\item tomoyo-patternize
+\item tomoyo-diffpolicy
+\item tomoyo-sortpolicy
+\item tomoyo-loadpolicy
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Others}
+
+\begin{frame}[fragile]
+\frametitle{Others}
+\begin{itemize}
+\item Linux Integrity Subsystem (IMA/EVM)
+\item Signed Kernel Modules
+\item Singed Repositories (apt, yum, \dots)
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsection{}
+\input{tailpres}
--
cgit v1.2.3
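Review bot: The "Extended File Attributes" frame mixes two different mechanisms: `a`, `i` and `s` are inode flags managed with chattr/lsattr, whereas the `user\_xattr` mount option belongs to extended attributes (setfattr/getfattr), so the "Requires" item does not apply to the flags the frame lists. The `s` item also promises more than the filesystem delivers, since chattr(1) documents `s` as not honored by ext2/ext3/ext4 and the lsattr output on the following frame shows the `e` (extents) flag; I would write `\item s - zero blocks on delete (not honored by ext2/3/4)` and change the continuation line under "Requires" to `root (CAP\_LINUX\_IMMUTABLE) for a and i`. On the "xattr: Example" frame, append-only only blocks deleting or truncating the file, while the history is still written voluntarily by the user's own shell, so the frame should add an item such as `\item Note: not an audit trail, use auditd for command logging`. In the "ACL: Example (2)" output `other::r-x` is still set, so the project directory stays readable by every local user and no default ACL is shown for files created inside it. The last frame has the typo "Singed Repositories".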