Red Hat Enterprise Linux 5 Security April 2007. 2 Red Hat Development Model Collaboration with partners and open source contributors to develop technology.

Slides:



Advertisements
Similar presentations
JENNIS SHRESTHA CSC 345 April 22, Contents Introduction History Flux Advanced Security Kernel Mandatory Access Control Policies MAC Vs DAC Features.
Advertisements

Access Control Methodologies
Access Control Patterns Fatemeh Imani Mehr Amirkabir university of technology, Department of Computer Engineering & Information Technology.
Access Control Intro, DAC and MAC System Security.
By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)
Chapter 9 Building a Secure Operating System for Linux.
SELinux (Security Enhanced Linux) By: Corey McClurg.
Security-Enhanced Linux Joseph A LaConte CS 522 December 8, 2004.
Shane Jahnke CS591 December 7,  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.
User Domain Policies.
SELinux. 2SELinux Wikipedia says: Security-Enhanced Linux (SELinux) is an implementation of mandatory access control using Linux Security Modules (LSM)
Linux Security.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Database Security Managing Users and Security Models.
Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.
Guide to Operating System Security Chapter 5 File, Directory, and Shared Resource Security.
Security Enhanced Linux (SELinux)
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
Secure Operating Systems
SELinux US/Fedora/13/html/Security-Enhanced_Linux/
Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.
Information Assurance Research Group 1 NSA Security-Enhanced Linux (SELinux) Grant M. Wagner Information Assurance.
FOSS Security through SELinux (Security Enhanced Linux) M.B.G. Suranga De Silva Information Security Specialist TECHCERT c/o Department of Computer Science.
1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.
Chapter 7 Securing Commercial Operating Systems. Chapter Overview Retrofitting Security into a Commercial OS History of Retrofitting Commercial OS's Commercial.
SELinux. The need for secure OS Increasing risk to valuable information Dependence on OS protection mechanisms Inadequacy of mainstream operating systems.
Multics CysecLab Graduate School of Information Security KAIST.
Trusted Operating Systems
The SELinux of First Look. Prologue After many discussions with a lot of Linux users, I’ve come to realize that most of them seem to disable SELinux rather.
Security-Enhanced Linux Eric Harney CPSC 481. What is SELinux? ● Developed by NSA – Released in 2000 ● Adds additional security capabilities to Linux.
5/7/2007CoreMcClug/SELinux 1 By: Corey McClurg. Outline A History of SELinux What is SELinux and how do I get it? Getting Started Mandatory Access Control.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK
Access Controls Mandatory Access Control by Sean Dalton December 5 th 2008.
Aaron Corso COSC Spring What is LAMP?  A ‘solution stack’, or package of an OS and software consisting of:  Linux  Apache  MySQL  PHP.
How to live with SELinux
MLS/MCS on SE Linux Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework Uses.
SELinux Overview ● Permissions historically – Why is unix or ACL permissions not good enough? ● DAC vs. MAC ● SELinux ID, objects, roles and types ● Policy.
SELinux Update Karl MacMillan, Tresys Dan Walsh, Red Hat.
Linux Kernel Security (SELinux vs AppArmor vs Grsecurity)
Server Security 1 SE Linux, Systrace Lars Noodén March – April 2009.
Overview of NSA Security Enhanced Linux Russell Coker.
SELinux Overview Dan Walsh SELinux for Dummies Dan Walsh
Developing a Secure Internet Service SE Linux in Production Russell Coker Linux Consultant.
Writing SELinux Policy Daniel Walsh Red Hat. Language M4 Macros Name ● module rwhod 1.0; ● policy_module(rwhod,1.0)
SELinux: Best Practices and What's New in Red Hat Enterprise Linux 5 Name Dan Walsh Date Wednesday May 9 th 2007.
SE Linux Implementation Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework.
TOPIC: Web Security Models
CS703 - Advanced Operating Systems
Access Control Model SAM-5.
Access Control CSE 465 – Information Assurance Fall 2017 Adam Doupé
Writing SELinux Policy | Permissive Domains | Real bugs
SELinux for Dummies Dan Walsh.
Demystifying SELinux: WTF is it saying?
Computer Data Security & Privacy
SELinux Daniel J Walsh SELinux Lead Engineer.
SE Linux Implementation
SELinux RHEL5: A benchmark
IS3440 Linux Security Unit 6 Using Layered Security for Access Control
Chapter 2: System Structures
SELinux (Security Enhanced Linux)
An Overview Rick Anderson Pat Demko
SELinux
SECURITY IN THE LINUX OPERATING SYSTEM
OS Access Control Mauricio Sifontes.
Operating System Security
NSA Security-Enhanced Linux (SELinux)
Access Control What’s New?
Access Control and Audit
Presentation transcript:

Red Hat Enterprise Linux 5 Security April 2007

2 Red Hat Development Model Collaboration with partners and open source contributors to develop technology Deliver complete distributions in two stages for two users ● First stage ● Fedora: The development vehicle ● New versions approximately twice each year ● Unsupported ● Fast moving, latest technology ● Second stage ● Red Hat Enterprise Linux ● New versions approximately every months ● Supported and certified ● Stable, mature, commercially focused technologies

3 Security: SELinux Security-Enhanced Linux – Strong, flexible MAC architecture Initially a research prototype out of NSA; now part of the Linux 2.6 kernel Initial focus on Type Enforcement (TE) ● Principle of least privilege

4 Security: SELinux Example ● Basic example SELinux httpd policy ● Listen on port 80 on eth1 ● Read /etc/httpd/httpd.conf ● Read/append /var/log/httpd/* ● Read /var/www/html/* ● Successful attacker is limited to these actions Without SELinuxWith SELinux

5 SELinux Key Components Kernel ● Makes all access decisions ● Access Checks ● Loadable Security Module Applications ● Most applications are not SELinux aware ● Less then 50 SELinux aware applications Policy ● Rules database that defines what is “allowed” ● Flexible rules that allows you to protect everything from the laptop in general use to the Highest levels of Security in DOD.

6 How does SELinux enforce policy? Every process and file tagged with a security context ● Files tagged via extended attributes. New files get assigned context via default policy ● Defaults to directory context ● Policy might state files created in /var/log by named get named_log_t Kernel assigns context to processes via policy Certain Applications (login) allowed by policy to set the context of the next executed program.

7 How SELinux Enforces Security Policy SELinux Kernel Security Policy Security Enforcement Module Permits or denies accesses to all objects Process Pa Process Pb File Fa File Fb Device Da Device Db SC User Ua SC User Ub SC Subject Requests Access to File or Device Permission Granted to Object

8 Security: SELinux Enhancements in RHEL 5 Supports multiple MAC models: TE, RBAC, MLS/MCS ● TE ensures system integrity ● MLS/MCS ensures data confidentiality Expanded SELinux targeted policy coverage ● Provides coverage for all core system services, versus 11 in Red Hat Enterprise Linux 4 Includes support for Multi Level Security (MLS) enforcement model ● In addition to existing RBAC and TE models ● Uses Bell-LaPadula model - “no read up, no write down” ● In addition to TE ● LSPP Security Certification and support with IBM and TCS ● Common Criteria EAL4+/CAPP/LSPP/RBACPP ● Partnered with IBM and TCS deliver MLS and cross-domain solutions

9 Security: SELinux Enhancements Greatly improved logging, with easy-to-decipher information time->Thu Aug 24 15:50: type=AVC_PATH msg=audit( :552): path="/var/www/html/index.html" type=SYSCALL msg=audit( :552): arch= syscall=196 success=no exi t=-13 a0=8d4d4d0 a1=bfb5e97c a2=434ff4 a3= items=0 ppid=23799 pid=23805 auid=3267 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit( :552): avc: denied { getattr } for pid=23805 com m="httpd" name="index.html" dev=dm-0 ino= scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file Aug 24 15:53:10 localhost /usr/sbin/setroubleshootd: SELinux is preventing /usr/sbin/httpd "getattr" access to /var/www/html/index.html. See audit.log for complete SELinux messages. OLD: Red Hat Enterprise Linux 4 /var/log/messages entry NEW: Red Hat Enterprise Linux 5 /var/log/messages entry

10 Security: SELinux Enhancements setroubleshoot provides clear, easy-to-understand, GUI-based, security violation notifications Over 60 events defined today

11 Security: SELinux Enhancements system-config- selinux provides a GUI tool for configuring and managing SELinux

12 Ultra Secure Standards ● Controlled Access Protection Profile - EAL4/CAPP ● Labeled Security Protection Profile - EAL4+/LSPP ● Multi Level Security (MLS) ● SELinux is the only mainstream OS in the world with MLS AND Type Enforcement. ● SELinux is being used all over Department of Defense including War Zones. ● Unlike Trusted OS's ● SELinux == Red Hat Enterprise Linux

13

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.