path: root/security/advanced/pres_advanced_sec.tex

\def\lximg{/usr/share/lx/icons/fueller.png}

\input{configpres}

\subsection{Extended Security Features}

\title{Extended Security Features}
\maketitle

\def\lximg{none}

\begin{frame}
\frametitle{Contents}
\tableofcontents
\end{frame}

% ----------------------------
\subsubsection{File Access}

\begin{frame}[fragile]
\frametitle{Basic File Permissions}
\begin{itemize}
\item For each File or Directory
\item Access Mode: \\
      Read, Write, Execute (Entry)
\item Access Role: \\
      User, Group, Other
\item Special: \\
      Set UID, Set GID, Sticky
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{Access Control List (ACL)}
\begin{itemize}
\item More Users and Groups
\item Round up Groups
\item Tools: \\
      setfacl, getfacl
\item Requires: \\
      mount \dots -o acl
\item Pitfalls: \\
      Not all tools like tar support ACLs
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{ACL: Example}
\begin{itemize}
\item Sue, Bob and Henry working together on ProjectX. Sue and Henry are
members of group \emph{dept\_a}, and Bob is member of group \emph{dept\_b}.
\item Q: Do we really need another group \emph{project\_x} with members Sue, Bob
and Henry?
\item A: Not mandatorily.
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Alternative Solution:}
\begin{tiny}
\begin{verbatim}
$ mkdir /data/shared/project_x
$ chown pm_admin:pm_admin /data/shared/project_x
$ setfacl -m user:sue:rwx /data/shared/project_x
$ setfacl -m user:bob:rwx /data/shared/project_x
$ setfacl -m user:henry:rwx /data/shared/project_x
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{ACL: Example (2)}
\begin{beamerboxesrounded}[shadow=true]{Result:}
\begin{tiny}
\begin{verbatim}
$ getfacl /data/shared/project_x
# file: data/shared/project_x/
# owner: pm_admin
# group: pm_admin
user::rwx
user:sue:rwx
user:bob:rwx
user:henry:rwx
group::r-x
mask::rwx
other::r-x
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{Extended File Attributes}
\begin{itemize}
\item More File Attributes
\item a - append only
\item i - immutable
\item s - Override with zeros on delete
\item Tools: \\
      lsattr, chattr 
\item Requires: \\
      root or mount \dots -o user\_xattr
\item Pitfalls: \\
      Not all tools like tar support xattr
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{xattr: Example}
\begin{itemize}
\item Q: You want to check what user Franz is typing on commandline?
\item A: Look at /home/franz/.bash\_history
\item But Franz is clever and deletes /home/franz/.bash\_history 
\item Q: How can I prevent that?
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Solution:}
\begin{tiny}
\begin{verbatim}
$ sudo chattr +a /home/franz/.bash_history
$ lsattr /home/franz/.bash_history
-----a-------e-- /home/franz/.bash_history
$ rm /home/franz/.bash_history
rm: cannot remove `/home/franz/.bash_history': Operation not permitted
\end{verbatim}
\end{tiny}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\subsubsection{Process}

\begin{frame}[fragile]
\frametitle{Process Isolation}
\begin{itemize}
\item Separate Address Space
\item Isolated Filesystem (chroot)
\item Address Space Layout Randomization
\item Namespaces (Mount, UTS, IPC, PID, Network, and User)
\end{itemize}
\end{frame}

% ----------------------------
\subsubsection{Advanced Resource Access Control}

\begin{frame}[fragile]
\frametitle{Linux Security Modules}
\begin{itemize}
\item Implement Mandatory Access Control
\item SELinux, AppArmor, Tomoyo \dots
\item Context sensitive Resource Access
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{Domain}
\begin{itemize}
\item Domain transition for each starting Process
\item Default: Inherit previous Domain
\item Note: Domains are unique
\end{itemize}
\begin{beamerboxesrounded}[shadow=true]{Example:}
\begin{small}
\begin{verbatim}
<kernel> /sbin/init /etc/rc.d/rc
<kernel> /sbin/init /etc/rc.d/rc.sysinit /etc/rc.d/rc
\end{verbatim}
\end{small}
\end{beamerboxesrounded}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{Domain Transition Management}
\begin{itemize}
\item Control Domain Transition Behavior
\item Syntax: \\
\begin{verbatim}
<directive> <domain> from <domain>
\end{verbatim}
\item Directives:
\begin{itemize}
\item initialize\_domain / no\_initialize\_domain
\item keep\_domain / no\_keep\_domain
\end{itemize}
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{Profile}
\begin{itemize}
\item Profiles define Domain restriction behavior
\item Profile Relation to Domain: n..m
\item Up to 255 Profiles
\item Profile Modes:
\begin{itemize}
\item disabled, learning, permissive, enforcing
\end{itemize}
\item Logging
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{Policy}
\begin{itemize}
\item Policies describe Domain restrictions
\item Policy for each Domain
\item Directives:
\begin{itemize}
\item file (read, write, execute, append, chown, chgrp, create, mkfifo, \dots)
\item misc env
\item network inet (stream, dgram, raw)
\item network unix (stream, dgram, seqpacket)
\end{itemize}
\end{itemize}
\end{frame}

% ----------------------------
\begin{frame}[fragile]
\frametitle{Tools}
\begin{itemize}
\item tomoyo-editpolicy
\item tomoyo-selectpolicy
\item tomoyo-patternize
\item tomoyo-diffpolicy
\item tomoyo-sortpolicy
\item tomoyo-loadpolicy
\end{itemize}
\end{frame}

% ----------------------------
\subsubsection{Others}

\begin{frame}[fragile]
\frametitle{Others}
\begin{itemize}
\item Linux Integrity Subsystem (IMA/EVM)
\item Signed Kernel Modules
\item Singed Repositories (apt, yum, \dots)
\end{itemize}
\end{frame}

% ----------------------------
\subsection{}
\input{tailpres}