SELinux: Best Practices and What's New in Red Hat Enterprise Linux 5 Name Dan Walsh Date Wednesday May 9 th 2007.

Slides:

Advertisements

Similar presentations

Establishing an OU Hierarchy for Managing and Securing Clients Base design on business and IT needs Split hierarchy Separate user and computer OUs Simplifies.

Advertisements

Trusted Ring: A Security Enhancing Software Architecture Michael DiRossi, Inventor The Johns Hopkins University Applied Physics Laboratory.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)

Computer Viruses.

System Hardening Borrowed from the CLICS group. System Hardening How do we respond to problems? (e.g. operating system deadlock) Detect Detect (Detect.

Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.

Shane Jahnke CS591 December 7,  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Security Enhanced Linux (SELinux)

Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.

Computer Security & OS Lab. DKU May 26 Younsik Jeong Ph.D. Student.

SELinux US/Fedora/13/html/Security-Enhanced_Linux/

Information Assurance Research Group 1 NSA Security-Enhanced Linux (SELinux) Grant M. Wagner Information Assurance.

FOSS Security through SELinux (Security Enhanced Linux) M.B.G. Suranga De Silva Information Security Specialist TECHCERT c/o Department of Computer Science.

3-Protecting Systems Dr. John P. Abraham Professor UTPA.

Linux Security LINUX SECURITY. Firewall Linux Security Internet Database Application Web Server Firewall.

A Practical Guide to Fedora and Red Hat Enterprise Linux Unit 6: More Scripting in Linux Chapter 17: Configuring a LAN By Fred R. McClurg Linux Operating.

1 CERN’s Computer Security Challenges Denise Heagerty CERN Computer Security Officer Openlab Security Workshop, 27 Apr 2004.

Lecture 19 Page 1 CS 236 Online 16. Account Monitoring and Control Why it’s important: –Inactive accounts are often attacker’s path into your system –Nobody’s.

SELinux. The need for secure OS Increasing risk to valuable information Dependence on OS protection mechanisms Inadequacy of mainstream operating systems.

Trusted Operating Systems

The SELinux of First Look. Prologue After many discussions with a lot of Linux users, I’ve come to realize that most of them seem to disable SELinux rather.

Security-Enhanced Linux Eric Harney CPSC 481. What is SELinux? ● Developed by NSA – Released in 2000 ● Adds additional security capabilities to Linux.

Configuring, Managing and Maintaining Windows Server® 2008 Servers Course 6419A.

NETWORK SECURITY Definitions and Preventions Toby Wilson.

LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►

Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK

1 Introduction to SELinux David P. Quigley National Security Agency National Information Assurance Research Laboratory (NIARL)

How to live with SELinux

MLS/MCS on SE Linux Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework Uses.

SELinux Update Karl MacMillan, Tresys Dan Walsh, Red Hat.

Linux Kernel Security (SELinux vs AppArmor vs Grsecurity)

Overview of NSA Security Enhanced Linux Russell Coker.

SELinux Overview Dan Walsh SELinux for Dummies Dan Walsh

Developing a Secure Internet Service SE Linux in Production Russell Coker Linux Consultant.

Red Hat Enterprise Linux 5 Security April Red Hat Development Model Collaboration with partners and open source contributors to develop technology.

Writing SELinux Policy Daniel Walsh Red Hat. Language M4 Macros Name ● module rwhod 1.0; ● policy_module(rwhod,1.0)

What is SELinux trying to tell me? The 4 key causes of SELinux errors.

SE Linux Implementation Russell Coker. What is SE Linux? A system for Mandatory Access Control (MAC) based on the Linux Security Modules (LSM) framework.

Common System Exploits Tom Chothia Computer Security, Lecture 17.

Demystifying SELinux Part II: Who’s Policy Is It Anyway

Multi-Category Security (MCS)

Protecting Servers and Clients

OpenShift & SELinux Dan Walsh Twitter: #rhatdan

ITMT Windows 7 Configuration Chapter 10 – Securing Windows 7

Chapter 7. Identifying Assets and Activities to Be Protected

Chapter Objectives In this chapter, you will learn:

Writing SELinux Policy | Permissive Domains | Real bugs

Linux Containers Overview & Roadmap

SELinux for Dummies Dan Walsh.

Demystifying SELinux: WTF is it saying?

SELinux Daniel J Walsh SELinux Lead Engineer.

SELinux in 20 Minutes LCA Miniconf Jan. 28th, Canberra AU

SELinux RHEL5: A benchmark

Protect Your Computer Against Harmful Attacks!

NET 311 Information Security

Protecting Servers and Clients

Information Security Session October 24, 2005

An Overview Rick Anderson Pat Demko

Introduction to Systems Security

Computer Security.

Implementing Client Security on Windows 2000 and Windows XP Level 150

Chapter 22: Malicious Logic

Securing Windows 7 Lesson 10.

16. Account Monitoring and Control

NSA Security-Enhanced Linux (SELinux)

Operating System Concepts

Presentation transcript:

SELinux: Best Practices and What's New in Red Hat Enterprise Linux 5 Name Dan Walsh Date Wednesday May 9 th 2007

All Software SUCKS! MALWARE SPYWARE VIRUS WORMS Stolen Personal Data ● Marshalls ● Fidelity ● US Government Microsoft Windows

LEAVE SELinux On EVERYWHERE! STOP credit card data from being stolen STOP SPAM mail attacks from your compromised servers. STOP worms from attaching your web sites STOP trusting your Applications to do the Right thing. SELinux is your last line of DEFENSE.

S.M.U.T Secure Manageable Ultra Trusted

Secure Red Hat Enterprise Linux 4 ● 15 Targets ● Built on Fedora Core 2/3 Experience Red Hat Enterprise Linux 5 ● 200 Targets ● Built on Fedora Core 2/3/4/5/6 RHEL4 Experience All system applications minimal privilege Entire System Space is covered by SELinux policy All processes started during boot up have defined SELinux domains User space logins are still allowed to run execute Unconfined. ● Executable Memory checks confine user space to help prevent Buffer Overflow attacks.

Manageable - Troubleshooting What the H**L is going on???? tail /var/log/audit/audit.log type=AVC msg=audit( :2036): avc: denied { getattr } for pid=6705 comm="httpd" name="index.html" dev=dm-0 ino= scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file

Manageable - Troubleshooting Just make it work???? # grep httpd /var/log/audit/audit.log | audit2allow -M myhttp # semodule -i myhttpd.pp

Manageable - Configurable

Manageable - Customizable

Manageable - Bugzilla Module ====================== Policy ========================================== policy_module(bugzilla, 1.0) apache_content_template(bugzilla) allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms; files_search_var_lib(httpd_bugzilla_script_t) optional_policy(` mysql_search_db(httpd_bugzilla_script_t) mysql_stream_connect(httpd_bugzilla_script_t) ') optional_policy(` postgresql_stream_connect(httpd_bugzilla_script_t) ') =============================== File context ========================= /usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) /usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) /var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0)

Ultra Trusted

Collaborative Effort

Ultra Trusted Standards ● Controlled Access Protection Profile - EAL4/CAPP ● Labeled Security Protection Profile - EAL4+/LSPP ● Multi Level Security (MLS) ● SELinux is the only mainstream OS in the world with MLS AND Type Enforcement. ● SELinux is being used all over Department of Defense including War Zones. ● Unlike Trusted OS's ● SELinux == Red Hat Enterprise Linux

S.M.U.T Secure Manageable Ultra Trusted

If you want to protect your data. Run it on Red Hat Enterprise Linux 5 with SELinux

Leave SELinux running Everywhere