\def\lximg{/usr/share/lx/icons/fueller.png}
\input{configpres}
\title{Linux Security Features}
\maketitle
\def\lximg{none}
% ----------------------------
\subsection{Basic Security Features}
% ----------------------------
\subsubsection{Users and Groups}
\begin{frame}[fragile]
\frametitle{Users}
\begin{itemize}
\item Multiple users per system, each identified by a numeric UID
\item Login spawns a shell running with the user's privileges
\item Processes started from that shell inherit the user's privileges
\item UID 0 (root) bypasses the discretionary permission checks
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Tools:}
\begin{tiny}
\begin{verbatim}
# Add new user (interactive)
adduser user
# Remove existing user
deluser user
# Change password (root can change any user's password)
passwd [user]
# Switch user ID (target user's password required; root needs none)
su [user]
# Run command as another user, root by default, as permitted by /etc/sudoers
sudo [-u user] command
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Groups}
\begin{itemize}
\item A group contains 0..n users (static membership, listed in /etc/group)
\item Each user has a default (primary) group
\item Each user has 0..n supplementary groups
\item A user can change the active group dynamically (\texttt{newgrp});
      the group password is asked only if the user is not a member already
\item Membership changes take effect at the next login, not in running sessions
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Tools:}
\begin{tiny}
\begin{verbatim}
# Add new group
addgroup group
# Remove existing group
delgroup group
# Set primary group (-g) or supplementary groups (-G) of a user
# Pitfall: -G replaces the whole list; use -aG to append
usermod [-g group] [-G group1,group2,...] user
# Show current user and group IDs
id
# Switch group ID
newgrp group
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Local Authentication Databases}
\begin{itemize}
\item User database: /etc/passwd (world-readable; password hashes moved to shadow)
\item Group database: /etc/group (world-readable)
\item Password database: /etc/shadow (password hashes; readable by root only --
      verify with \texttt{ls -l /etc/shadow} that it is not world-readable)
\end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Pluggable Authentication Modules (PAM)}
\begin{frame}[fragile]
\frametitle{Pluggable Authentication Modules (PAM)}
\begin{itemize}
\item Pluggable shared libraries, stacked per service in /etc/pam.d/
\item System-wide authentication (plus account, session and password management)
\item Plugins available for:
\begin{itemize}
\item UserID and password (local, /etc/shadow)
\item LDAP
\item Kerberos (e.g.\ a Windows Domain Controller / Active Directory) and NIS
\item Hardware-based authentication (e.g.
SmartCard)
\end{itemize}
\item Extendable with own PAM modules
\item Caveat: the stack order and control flags (required, sufficient, \dots) in
      /etc/pam.d decide the result; a misplaced pam\_permit.so bypasses authentication entirely
\end{itemize}
\end{frame}
\subsubsection{File Access}
\begin{frame}[fragile]
\frametitle{Basic File Permissions}
\begin{itemize}
\item For each file or directory
\item Access mode: \\ read, write, execute (for directories: list, modify entries, enter)
\item Access role: \\ user (owner), group, other
\item Special: \\ set-UID, set-GID, sticky \\
      set-UID/set-GID executables run with the file owner's/group's privileges;
      audit them with \texttt{find / -perm /6000 -type f}
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{UserIDs and GroupIDs of a Process}
\begin{itemize}
\item Real (who started the process)
\begin{itemize}
\item privileged (CAP\_SETUID / CAP\_SETGID): \\ set to any value
\item unprivileged: \\ set to real or effective
\end{itemize}
\item Effective (used for permission checks)
\begin{itemize}
\item privileged: \\ set to any value
\item unprivileged: \\ set to real, effective, saved
\end{itemize}
\item Saved (lets a process drop and later regain privileges)
\begin{itemize}
\item normal exec: \\ copied from the effective UID/GID (which equals the real UID/GID)
\item s-bit exec: \\ effective and saved set to the file's UID/GID
\item privileged: \\ set to any value
\end{itemize}
\item To drop privileges permanently set real, effective and saved IDs together
      (\texttt{setresuid}); changing only the effective ID lets the process regain them
\end{itemize}
\end{frame}
% ----------------------------
\subsection{Extended Security Features}
% ----------------------------
% ----------------------------
\begin{frame}[fragile]
\frametitle{Access Control List (ACL)}
\begin{itemize}
\item Permissions for additional named users and groups beyond owner/group/other
\item Complements groups: no new group needed for every ad-hoc set of users
\item Tools: \\ setfacl, getfacl
\item Requires: \\ mount \dots -o acl (usually enabled by default on ext4 and XFS today)
\item Pitfalls: \\ Not all tools preserve ACLs (tar needs --acls, rsync -A); \\
      ls -l shows only a ``+'' marker, so check with getfacl; \\
      the mask entry caps the effective rights of named users and groups
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{ACL: Example}
\begin{itemize}
\item Sue, Bob and Henry are working together on ProjectX.
      Sue and Henry are members of group \emph{dept\_a}, and Bob is a member of group \emph{dept\_b}.
\item Q: Do we really need another group \emph{project\_x} with members Sue, Bob and Henry?
\item A: Not necessarily.
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Alternative Solution:}
\begin{tiny}
\begin{verbatim}
mkdir /data/shared/project_x
chown pm_admin:pm_admin /data/shared/project_x
setfacl -m user:sue:rwx /data/shared/project_x
setfacl -m user:bob:rwx /data/shared/project_x
setfacl -m user:henry:rwx /data/shared/project_x
# The entries above apply to the directory only. New files created inside
# do not inherit them unless a default ACL is set as well, e.g.:
#   setfacl -d -m user:sue:rwx /data/shared/project_x
# "other" keeps r-x (see next slide); use chmod o-rx if the data is confidential.
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{ACL: Example (2)}
\begin{beamerboxesrounded}[shadow=true]{Result:}
\begin{tiny}
\begin{verbatim}
getfacl /data/shared/project_x
# file: data/shared/project_x/
# owner: pm_admin
# group: pm_admin
user::rwx
user:sue:rwx
user:bob:rwx
user:henry:rwx
group::r-x
mask::rwx
other::r-x
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\begin{itemize}
\item mask::rwx is the upper bound for all named users and groups;
      a later \texttt{chmod g-w} lowers the mask and silently reduces their rights
\item other::r-x: every user on the system can still list and read the project directory
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Extended File Attributes}
\begin{itemize}
\item Additional per-file flags (ext2/3/4, XFS, btrfs):
\begin{itemize}
\item a -- append only (blocks truncation, deletion and rename as well)
\item i -- immutable (no write, delete, rename or hard link until the flag is cleared)
\item s -- overwrite with zeros on delete (secure deletion; ignored by ext4 and most current filesystems)
\end{itemize}
\item Tools: \\ lsattr, chattr
\item Requires: \\ root (CAP\_LINUX\_IMMUTABLE) to set a and i; \\
      user extended attributes (getfattr/setfattr, user.* namespace) need mount \dots -o user\_xattr on older setups
\item Pitfalls: \\ Not all tools preserve them (tar needs --xattrs for extended attributes;
      chattr flags are not archived by tar or cp at all); \\
      root can clear the flags, so they protect against mistakes and unprivileged users,
      not against a compromised root account
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{xattr: Example}
\begin{itemize}
\item Q: You want to see what user Franz is typing on the command line?
\item A: Look at /home/franz/.bash\_history
\item But Franz is clever and deletes /home/franz/.bash\_history
\item Q: How can you prevent that?
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Solution:}
\begin{tiny}
\begin{verbatim}
sudo chattr +a /home/franz/.bash_history
lsattr /home/franz/.bash_history
-----a-------e-- /home/franz/.bash_history
rm /home/franz/.bash_history
rm: cannot remove `/home/franz/.bash_history': Operation not permitted
# Caveats: bash must run with "shopt -s histappend", otherwise its default
# overwrite-on-exit also fails against the append-only flag and nothing is saved.
# Franz can still bypass it (unset HISTFILE, set +o history, another shell):
# .bash_history is a convenience, not an audit trail -- use auditd for that.
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{Process}
\begin{frame}[fragile]
\frametitle{Process Isolation}
\begin{itemize}
\item Separate address space (MMU-enforced)
\item Isolated filesystem view (chroot) -- not a security boundary: a process with
      root privileges can break out; prefer mount namespaces
\item Address Space Layout Randomization (exploit mitigation, not isolation;
      /proc/sys/kernel/randomize\_va\_space should be 2)
\item Namespaces (Mount, UTS, IPC, PID, Network, and User)
\end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Namespaces}
\begin{frame}[fragile]
\frametitle{Namespaces}
\begin{itemize}
\item Mount: \\ Provide a different filesystem view
\item IPC: \\ Provide isolated inter-process communication objects
\item Network: \\ Provide an isolated networking environment
\item PID: \\ Provide an isolated process ID space
\item User: \\ Provide a different user/UID mapping
      (root inside may be an unprivileged UID outside; unprivileged creation of user
      namespaces has repeatedly exposed kernel bugs)
\item UTS: \\ Provide a different hostname
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Containers}
\begin{itemize}
\item Application isolation
\item Lightweight virtualization
\item Based on cgroups and namespaces
\item Easy namespace configuration and management
\item Caveat: all containers share the host kernel; a kernel vulnerability, or a
      container running as root with extra capabilities or host devices, can reach the host
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Linux Containers (LXC)}
\begin{beamerboxesrounded}[shadow=true]{Start/Stop container:}
\begin{tiny}
\begin{verbatim}
# Start: Better for single commands
lxc-execute -n cont_name [-f config] /bin/bash
# Start: Better for container systems
lxc-start -n cont_name [-f config]
# Stop container
lxc-stop -n cont_name
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\begin{beamerboxesrounded}[shadow=true]{Control container:}
\begin{tiny}
\begin{verbatim}
# Pause/resume container (controlling group of processes)
lxc-freeze -n cont_name
lxc-unfreeze -n cont_name
# Monitor container states
lxc-monitor -n cont_name
# Attach to container console
lxc-console -n cont_name
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Linux Container (LXC): Configuration}
\begin{beamerboxesrounded}[shadow=true]{Networking example:}
\begin{tiny}
\begin{verbatim}
lxc.utsname = myhostname
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.hwaddr = 4a:49:43:49:79:bf
# address/prefix followed by the broadcast address
lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\begin{beamerboxesrounded}[shadow=true]{Controlgroup example:}
\begin{tiny}
\begin{verbatim}
lxc.cgroup.cpuset.cpus = 0,1
# deny all devices first, then allow only what is needed
lxc.cgroup.devices.deny = a
# c 1:3 = /dev/null
lxc.cgroup.devices.allow = c 1:3 rw
# b 8:0 = /dev/sda, the whole first host disk: rw access here lets the
# container read or modify the host filesystem -- avoid in real configs
lxc.cgroup.devices.allow = b 8:0 rw
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\subsubsection{Advanced Resource Access Control}
\begin{frame}[fragile]
\frametitle{Linux Security Modules}
\begin{itemize}
\item Kernel hook framework used to implement Mandatory Access Control
\item SELinux, AppArmor, TOMOYO \dots
\item Context-sensitive resource access
\item MAC checks are applied in addition to the classic DAC permissions, never instead of them
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Domain (TOMOYO)}
\begin{itemize}
\item Domain transition for each started process
\item Default: inherit the previous domain
\item Note: domains are unique; the domain name is the execution history starting at \texttt{<kernel>}
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Example:}
\begin{small}
\begin{verbatim}
<kernel> /sbin/init
<kernel> /sbin/init /etc/rc.d/rc
<kernel> /sbin/init /etc/rc.d/rc.sysinit
\end{verbatim}
\end{small}
\end{beamerboxesrounded}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Domain Transition Management}
\begin{itemize}
\item Control domain transition behavior
\item Syntax: \\
\begin{verbatim}
<directive> <program> from <domain>
initialize_domain /usr/sbin/sshd from any
keep_domain any from <kernel> /usr/sbin/sshd
\end{verbatim}
\item Directives:
\begin{itemize}
\item initialize\_domain / no\_initialize\_domain
\item keep\_domain / no\_keep\_domain
\end{itemize}
\item Caveat: keep\_domain lets child processes run with the parent's permissions;
      use it only where the parent domain is already tightly restricted
\end{itemize}
\end{frame}
%
% ----------------------------
\begin{frame}[fragile]
\frametitle{Profile}
\begin{itemize}
\item Profiles define domain restriction behavior
\item Profile relation to domain: n..m
\item Profiles numbered 0--255, assigned per domain with use\_profile
\item Profile modes:
\begin{itemize}
\item disabled
\item learning
\item permissive
\item enforcing
\end{itemize}
\item Logging
\item Caveat: learning mode records everything the domain did while learning,
      including unwanted behavior; review the generated policy before switching to enforcing
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Policy}
\begin{itemize}
\item Policies describe domain restrictions
\item Policy for each domain (enforcing mode is default deny: an access without a rule is rejected and logged)
\item Directives:
\begin{itemize}
\item file (read, write, execute, append, chown, chgrp, create, mkfifo, \dots)
\item misc env
\item network inet (stream, dgram, raw)
\item network unix (stream, dgram, seqpacket)
\end{itemize}
\end{itemize}
\end{frame}
% ----------------------------
\begin{frame}[fragile]
\frametitle{Tools}
\begin{itemize}
\item tomoyo-editpolicy
\item tomoyo-selectpolicy
\item tomoyo-patternize
\item tomoyo-diffpolicy
\item tomoyo-sortpolicy
\item tomoyo-loadpolicy (loads policy into the running kernel; changes made in the
      kernel are lost at reboot unless written back to /etc/tomoyo with tomoyo-savepolicy)
\end{itemize}
\end{frame}
% ----------------------------
\subsubsection{Others}
\begin{frame}[fragile]
\frametitle{Others}
\begin{itemize}
\item Linux Integrity Subsystem (IMA/EVM) -- measures and appraises file content and
      metadata; the EVM key must be protected (e.g.\ TPM-sealed) for the guarantee to hold
\item Signed kernel modules -- only enforced with CONFIG\_MODULE\_SIG\_FORCE (or Secure
      Boot lockdown); otherwise an unsigned module still loads and merely taints the kernel
\item Signed repositories (apt, yum, \dots) -- verify the signing key fingerprint out of
      band; the signature proves origin, not that the package is benign
\end{itemize}
\end{frame}
% ----------------------------
\subsection{}
\input{tailpres}