SELinux in 20 Minutes LCA Miniconf Jan. 28th, Canberra AU

Slides:

Advertisements

Similar presentations

Copyright line. Configuring Server Roles in Windows 2008 Exam Objectives New Roles in 2008 New Roles in 2008 Read-Only Domain Controllers (RODCs) Read-Only.

Advertisements

METALOGIC s o f t w a r e © Metalogic Software Corporation DACS Developer Overview DACS – the Distributed Access Control System.

By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)

SELinux (Security Enhanced Linux) By: Corey McClurg.

Shane Jahnke CS591 December 7,  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.

SELinux For Dummies Gary Smith, EMSL, Pacific Northwest National Laboratory.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

Security Enhanced Linux (SELinux)

M. Taimoor Khan * Java Server Pages (JSP) is a server-side programming technology that enables the creation of dynamic,

Hands-On Microsoft Windows Server 2008

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

SELinux US/Fedora/13/html/Security-Enhanced_Linux/

system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security.

Linux kernel security Professor: Mahmood Ranjbar Authors: mohammad Heydari Mahmood ZafarArjmand Zohre Alihoseyni Maryam Sabaghi.

Security Enhanced Linux David Quigley. History SELinux Timeline 1985:LOCK (early Type Enforcement) 1990: DTMach / DTOS 1995: Utah Fluke / Flask 1999:

Linux Security LINUX SECURITY. Firewall Linux Security Internet Database Application Web Server Firewall.

CIS 290 Linux Security Program Authentication Module and Security Enhanced LINUX.

Security+ All-In-One Edition Chapter 19 – Privilege Management Brian E. Brzezicki.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Two Installing and Configuring Exchange Server 2003.

Review Please turn in any homework/practicals you may have Jobs Job IDs Backgrounding Runlevels HDDs Partitions.

SECURITY ISSUES. Introduction The.NET Framework includes a comprehensive set of security tools –Low-level classes and an overall framework –Managing code.

Reset and Recycle IIS Reset Application Pool Management Error Codes New HTTP Sub-status codes Custom/Detailed Errors Tracing in IIS7 and.

Section 11: Implementing Software Restriction Policies and AppLocker What Is a Software Restriction Policy? Creating a Software Restriction Policy Using.

Vulnerability Scanning Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses Credentialed vs.

TCOM Information Assurance Management System Hacking.

Lecture 18 Page 1 CS 111 Online OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g.,

Servo Motors Precise angular motion. Servo Motors Raspberry Pi Webcam Interfaces Keeping track of things.

Trusted Operating Systems

The SELinux of First Look. Prologue After many discussions with a lot of Linux users, I’ve come to realize that most of them seem to disable SELinux rather.

system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security.

5/7/2007CoreMcClug/SELinux 1 By: Corey McClurg. Outline A History of SELinux What is SELinux and how do I get it? Getting Started Mandatory Access Control.

Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK

Storage Element Security Jens G Jensen, WP5 Barcelona, May 2003.

system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security.

1 Introduction to SELinux David P. Quigley National Security Agency National Information Assurance Research Laboratory (NIARL)

How to live with SELinux

Linux Kernel Security (SELinux vs AppArmor vs Grsecurity)

Server Security 1 SE Linux, Systrace Lars Noodén March – April 2009.

SELinux Overview Dan Walsh SELinux for Dummies Dan Walsh

SELinux: Best Practices and What's New in Red Hat Enterprise Linux 5 Name Dan Walsh Date Wednesday May 9 th 2007.

What is SELinux trying to tell me? The 4 key causes of SELinux errors.

SELinux Overview DAC vs MAC Discretionary Access Control Mandatory

Multi-Category Security (MCS)

Topic 2: Hardware and Software

Chapter 9 Intruders.

ITIS 3110 System Hardening.

Essentials of UrbanCode Deploy v6.1 QQ147

Linux Security Presenter: Dolev Farhi |

What are they? The Package Repository Client is a set of Tcl scripts that are capable of locating, downloading, and installing packages for both Tcl and.

Writing SELinux Policy | Permissive Domains | Real bugs

CSE 451 Section 4 Project 1 Notes Looking ahead: Project 2.

SELinux for Dummies Dan Walsh.

Demystifying SELinux: WTF is it saying?

A Fast Track into Device Guard

Introduction to SQL Server 2000 Security

SELinux Daniel J Walsh SELinux Lead Engineer.

Vulnerability Scanning With 'lynis'

Modularity and Memory Clearly, programs must have access to memory

SELinux RHEL5: A benchmark

IS3440 Linux Security Unit 6 Using Layered Security for Access Control

SELinux (Security Enhanced Linux)

OPS235: Week 1 Installing Linux (Lab1: Investigations 4 - )

Chapter 9 Intruders.

Chapter 8, pp 171 – pp 200 Web Security, by Lincoln D. Stein

Convergence IT Services Pvt. Ltd

Using the FAST Page Builder

Implementing Advanced Server and Client Security

OSL150 – Get Hands on with Ivanti Endpoint Security

Presentation transcript:

SELinux in 20 Minutes LCA Miniconf Jan. 28th, Canberra AU

Who's talking? Sander van Vugt Author, technical trainer and consultant High Availability, Performance and trying to understand SELinux mail@sandervanvugt.com Www.sandervanvugt.com Check my SELinux article on http://www.sandervanvugt.com/index.php?site=vi ew&topic=88

Who's listening? This talk is for sysadmins that normally would just switch off SELinux because they don't know how to handle it

Without SELinux How are you going to ensure that a web server that's running hundreds of scripts is secure? Intruders just could break in through a script, get shell access and do nasty things from there

The purpose of SELinux Block all syscalls Allow only those syscalls that have been specifically allowed Which probably blocks many services that you actually need

The core element: the Policy Used to define which object gets access to which other object Implemented by working with contexts User Role Type Rules define which source objects get access to which target objects Different policies for different environments

The modular policy Input files are in /etc/selinux/refpolicy/policy .te files contain everything a module should have .if files define how other modules get access to this module .fc files contain labeling instructions Compiled policy files have the .pp extension and can be managed with semodule

Managing SELinux Use sestatus [-v] to see if it's alive Set permissive mode to start from scratch Use semanage to set context Use setsebool to switch on/off specific rules Use semodule to work with modules Switch on auditing and check the /var/log/audit/audit.log Use audit2allow to convert denials into something that works

And do not use setenforce to turn it off!

Just use audit2allow instead audit2allow -w -a presents the audit information in a more readable way audit2allow -a shows the type enforcement rule that allows the denied access audit2allow -a -M blah creates a .te file and a compiled .pp file that will allow the denied access Use semodule -i to enable this module

Common admin commands semanage -a -t httpd_sys_content_t “/web/(.*)?” restorecon -Rv /web getsebool -a | grep something setsebool -P something_setting = on

Installing SELinux Easy on distributions that have it by default A bit complicated on distributions that don't do SELinux by default A generic policy cannot set context for all objects on an unknown distribution

Enabling SELinux on OpenSUSE 12.2 Switch on kernel options: security=selinux selinux=1 enforcing=0 Download and install the source policy Compile the source policy Modify /etc/selinux/refpolicy/build.conf Don't forget /etc/selinux/config

Continuing the configuration Use the selinux-ready command Relabel the file system Start analyzing and modifying to make it match (audit2why is useful!) Once it all works, use setenforce 1 to enable SELinux protection Tip: use unconfined_t on services that you want to run without selinux protection

Mail me at mail@sander.fr Additional questions? Mail me at mail@sander.fr