MLS/MCS on SE Linux Russell Coker

What is SE Linux?
- A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework
- Uses features of role-based and domain-type access control
- Removes the power of UID 0; I have run several machines with root as the guest account
- Offers restrictive controls only: it can not grant any access that is denied by Unix permissions

What is wrong with Unix security?
- Programs have full control over the access given to the files they create (Discretionary Access Control, DAC)
- Therefore there is no protection against malicious software, "social engineering", or bugs in privileged software that result in the software granting inappropriate access to files (e.g. creating a mode 777 file in /tmp)
- Too coarse grained: root vs non-root gives a boolean security model for many cases
- The security model does not allow tracking of identity across a change of UID
- Does not separate integrity and secrecy controls

Domain-Type access control
- Every process has a domain; every object (file, directory, socket, etc.) has a type
- The domains are a subset of the types (i.e. the types that can apply to processes). A domain is the type of a process; SE Linux does not strongly distinguish between domains and types
- The domain of a process is also used as the target context for operations on that process, such as sending it signals
- Each object that a process may act on has a type
- Policy rules determine what access every domain has to each type

Role Based Access Control
- Each role has a list of domains that may exist in it
- At login time the security context is set (identity, role, and domain); the newrole program may also be used to change roles (comparable to an su operation)
- A role doesn't change often, unlike the domain, which may change often and automatically without the user noticing
- The role determines which domains are permitted
- Roles may also be changed through role_transition rules in some situations; currently this is only used for the administrator to launch daemons
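The two preceding slides describe a policy as a set of role declarations (which domains a role may contain) and type-enforcement rules (which permissions a domain has on a type, default deny). The following is an added illustration, not code from the talk or from the SE Linux policy sources: a toy evaluator whose role and allow tables are constructed for the example. Real policy is compiled to a binary form and checked inside the kernel, but the decision structure is the same: parse the subject and target contexts, check that the role lists the domain, then look up (domain, type, class) and see whether the requested permission was granted.

```python
"""Toy evaluator for SELinux-style domain-type (TE) and role rules.

Added illustration, not code from the talk or from the SELinux project.
The ROLE_TYPES and ALLOW tables below are constructed for this example
and mimic the shape of policy statements such as
    role user_r types { user_t };
    allow user_t user_home_t : file { read write getattr };
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str   # SE Linux identity, e.g. user_u or root
    role: str   # e.g. user_r, sysadm_r; object_r for files
    type: str   # for a process this is its domain


def parse_context(label: str) -> Context:
    """Parse 'identity:role:type[:level]'; any MLS level suffix is ignored here."""
    parts = label.split(":")
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"malformed security context: {label!r}")
    return Context(parts[0], parts[1], parts[2])


# Constructed role declarations: the domains each role may contain.
ROLE_TYPES = {
    "user_r": {"user_t"},
    "sysadm_r": {"sysadm_t"},
    "object_r": set(),           # the role of objects; no process runs in it
}

# Constructed TE rules keyed as (source domain, target type, object class).
ALLOW = {
    ("user_t", "user_home_t", "file"): {"read", "write", "getattr"},
    ("user_t", "etc_t", "file"): {"read", "getattr"},
    ("user_t", "user_t", "process"): {"signal", "sigchld"},
    ("sysadm_t", "etc_t", "file"): {"read", "write", "getattr"},
    ("sysadm_t", "user_t", "process"): {"signal", "sigkill"},
}


def valid_process_context(ctx: Context) -> bool:
    """A process context is valid only if its role lists its domain."""
    return ctx.type in ROLE_TYPES.get(ctx.role, set())


def te_allowed(subject: str, target: str, tclass: str, perm: str) -> bool:
    """Default deny: only an explicit rule for (domain, type, class) grants perm.
    The identity (root or otherwise) plays no part in the decision."""
    src, tgt = parse_context(subject), parse_context(target)
    if not valid_process_context(src):
        return False
    return perm in ALLOW.get((src.type, tgt.type, tclass), set())


def access_allowed(dac_permits: bool, subject: str, target: str,
                   tclass: str, perm: str) -> bool:
    """SE Linux is restrictive only: a request must pass DAC *and* the TE check."""
    return dac_permits and te_allowed(subject, target, tclass, perm)


if __name__ == "__main__":
    for subj, tgt, cls, perm in [
        ("user_u:user_r:user_t:s0", "user_u:object_r:user_home_t:s0", "file", "write"),
        ("user_u:user_r:user_t:s0", "system_u:object_r:etc_t:s0", "file", "write"),
        ("root:sysadm_r:sysadm_t:s0", "system_u:object_r:etc_t:s0", "file", "write"),
        ("root:user_r:sysadm_t:s0", "system_u:object_r:etc_t:s0", "file", "write"),
    ]:
        print(f"{subj} -> {tgt} {cls}:{perm}: {te_allowed(subj, tgt, cls, perm)}")
```

Note the fourth case in the demo: the identity is root and the domain is sysadm_t, but the role user_r does not list sysadm_t, so the context is invalid and nothing is granted. That is the point of the role layer: it limits which domains an identity can ever reach, independently of what the TE rules say about those domains.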

Identities
- The identity is usually the Unix account name and is compiled into the policy database
- Identity controls the available roles, which control the available domains; this level of control is not used in the targeted policy

Policy
- Written at a high level with M4 macros; in future it will be written in XML
- Compiled into a binary form that is understood by the kernel
- Loaded by /sbin/init at the start of the boot process, before any other programs are executed
- A modified policy can be loaded at any time by the administrator

Multi Level Security
- SE Linux also includes support for Multi-Level Security (MLS)
- Implemented in a flexible manner which is under the control of policy
- The expectation is that the DT model protects system integrity while MLS protects data secrecy
- MLS support includes levels (equivalent to Top Secret, Secret, Confidential, and Unclassified); there may be an arbitrary number of levels, and they are numbered
- Also includes categories, which may be used for departments, projects, etc. Categories are also numbered and there may be an arbitrary number of them
- Support for preventing "read-up" and "write-down": a process may only read data whose level it dominates, and only write data at or above its own level

MLS data flows (figure: squares are files, ellipses are processes)

LSPP Certification
- Working with IBM and HP to get Common Criteria LSPP (Labeled Security Protection Profile) and RBAC (Role Based Access Control Protection Profile) certification for RHEL 5 at the EAL4+ level of assurance
- Roughly comparable to B1 in the old "Rainbow Series" (Orange Book) Trusted Computer System Evaluation Criteria
- The certification applies to a hardware platform. Some customers will use RHEL on other hardware, trusting that it is equivalent, but strictly the certification only applies to the evaluated HP and IBM hardware
- Requires MLS support in the print server (labeled print jobs, and controls to prevent an insecure printer from receiving classified data)
- Requires significantly greater auditing support (some of which is being put into RHEL4)

Auditing
- RHEL4U2 includes auditd, the daemon for storing audit data
- In RHEL4 the kernel can be instructed to audit file/directory access based on the PID of the process, the name of the file/directory, and some other criteria
- For RHEL5 we will have auditing functionality in every security-critical application (for LSPP)
- A system process that runs a program on behalf of a user (a mail server delivering mail, or the login program) will set the loginuid so that all actions can be audited to the user responsible
- SE Linux audit messages go to auditd in RHEL4 (if it is installed) and in RHEL5
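The slide above makes two points that are easiest to see on actual records: SE Linux denials arrive as audit records, and the loginuid is what lets a denial be attributed to the person responsible rather than to the UID the program happened to be running as. The following is an added example, not code from the talk or from the audit project. It assumes the record layout auditd writes (a `type=AVC` record carrying the denial and a `type=SYSCALL` record carrying `auid=`, both sharing one `msg=audit(time:serial)` header); the sample lines are constructed for the example, not captured from a real host.

```python
"""Parse SE Linux denials out of auditd records and attribute them to a login UID.

Added example, not code from the talk or from the audit project. The sample
records are constructed; the layout (type=AVC / type=SYSCALL sharing an
audit(time:serial) header, then key=value fields) is the one auditd writes.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
type=AVC msg=audit(1139000000.123:512): avc:  denied  { read } for  pid=2711 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1139000000.123:512): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd0 a1=0 a2=0 a3=0 items=0 ppid=2700 pid=2711 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1139000001.456:513): avc:  denied  { write } for  pid=2805 comm="vi" name="passwd" dev=sda1 ino=6789 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1139000001.456:513): arch=c000003e syscall=2 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=2800 pid=2805 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 comm="vi" exe="/usr/bin/vi" subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(1139000002.789:514): avc:  granted  { setenforce } for  pid=2900 comm="setenforce" scontext=root:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV = re.compile(r'(?P<k>\w+)=(?P<v>"[^"]*"|\S+)')
AUID_UNSET = 4294967295   # (unsigned)-1: no loginuid was ever set for this process


def parse_fields(text: str) -> dict:
    """Split 'k=v k="quoted v"' into a dict, dropping the quotes."""
    return {m["k"]: m["v"].strip('"') for m in KV.finditer(text)}


def parse_audit(text: str) -> list:
    """Return one dict per AVC record, joined to its SYSCALL record by audit serial."""
    avcs, auid_by_serial = [], {}
    for line in text.splitlines():
        hdr = HEADER.match(line)
        if not hdr:
            continue                          # not an audit record, or truncated
        serial = int(hdr["serial"])
        if hdr["type"] == "AVC":
            avc = AVC.match(hdr["body"])
            if not avc:
                continue
            f = parse_fields(avc["fields"])
            avcs.append({
                "serial": serial, "time": float(hdr["ts"]), "result": avc["result"],
                "perms": frozenset(avc["perms"].split()),
                "pid": int(f["pid"]) if "pid" in f else None,
                "comm": f.get("comm"), "name": f.get("name"),
                "scontext": f.get("scontext"), "tcontext": f.get("tcontext"),
                "tclass": f.get("tclass"), "auid": None,
            })
        elif hdr["type"] == "SYSCALL":
            f = parse_fields(hdr["body"])
            if "auid" in f:
                auid = int(f["auid"])
                auid_by_serial[serial] = None if auid == AUID_UNSET else auid
    for rec in avcs:                          # attribute each AVC to a login uid, if one was set
        rec["auid"] = auid_by_serial.get(rec["serial"])
    return avcs


def denials(text: str) -> list:
    return [r for r in parse_audit(text) if r["result"] == "denied"]


def summarise(text: str) -> Counter:
    """Count denials by (source domain, target type, class, permission): the
    granularity at which a policy rule would have to be written to permit them."""
    counts = Counter()
    for r in denials(text):
        sdom, ttype = r["scontext"].split(":")[2], r["tcontext"].split(":")[2]
        for perm in r["perms"]:
            counts[(sdom, ttype, r["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for r in denials(SAMPLE_LOG):
        who = f"auid={r['auid']}" if r["auid"] is not None else "no loginuid (started by init?)"
        print(f"{r['comm']} pid={r['pid']} {who}: denied {sorted(r['perms'])} on "
              f"{r['tclass']} {r['name']} ({r['scontext']} -> {r['tcontext']})")
```

In the sample, the httpd denial has `auid=4294967295` (unset): the daemon was started at boot, so there is no person to attribute it to. The vi denial carries `auid=1001`, which survives even if the user had changed UID with su or sudo before running the editor; that is what the slide means by auditing actions to the user responsible.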

Multi Category Security (MCS)
- Policy developed by James Morris of Red Hat using a subset of the MLS features
- MLS is too complex for most users and administrators, and most systems do not have the secrecy requirements to justify the work
- MCS has only a single level, so levels play no part in determining access
- Categories are used to determine access; login programs will assign an appropriate set of categories to the user
- Only applies to file access at this time
- For each file the MCS policy permits full read/write access to every process whose set of categories is a superset of the file's categories. This allows information leaks (a process can copy data from a file with categories into one without), but it is required by the expectations of most Unix administrators and users
- MCS does not implement the Bell-LaPadula model (MLS); it is not a subset of the MLS functionality, it is a different policy that uses the same kernel and policy features that MLS uses

Q/A
- NSA SE Linux site
- SE Linux web pages
- Russell Coker