Shane Jahnke CS591 December 7, 2009. What is SELinux? Changing SELinux Policies. What is SLIDE? Reference Policy. SLIDE. Installation and Configuration.

Presentation transcript:

Shane Jahnke CS591 December 7, 2009

- What is SELinux?
- Changing SELinux Policies
- What is SLIDE?
- Reference Policy
- SLIDE
- Installation and Configuration
- Irssi Example
- Conclusions

- SELinux (Security-enhanced Linux)
- Developed by the NSA
  - Research Partners: NAI Labs, SCC, MITRE
- Reference policy of the Flask security architecture
- Enforces mandatory access control policies
  - Type Enforcement (TE)
  - Role-based Access Control (RBAC)
  - Multi-level Security (MLS)
- Availability
  - Mainstreamed into Debian, Ubuntu, RHEL, Fedora, Gentoo
  - Ported to Solaris and FreeBSD

- Processes and files are assigned a context.
- User: identity known to policy that is authorized for a specific set of rules
- Role: users are authorized for roles, and roles are authorized for domains
- Type: defines a domain for processes, and a type for files.
- Level: (optional) used with MLS restrictions

 To make policy changes:  Use Booleans, if possible ▪ Runtime change, no need to reload/recompile ▪ Configurable without knowledge of policy writing ▪ Example: httpd using NFS/Samba file types  Match file context with domain ▪ Use man _selinux ▪ Example: sharing directory using Samba

 To make policy changes:  Audit2allow ▪ Allows rule from logs of denied by Access Vector Cache (AVC) ▪ Example: audit2allow -w -a (creates packaged policy file for installation)  Create policy (using SLIDE)

- SELinux Policy Integrated Development Environment
- Developed by Tresys Technology
- Eclipse Plugin
- Integrates with Reference Policy
- Makes SELinux policy development easier

- Project/Module creation wizards
- Auto-completion of interface names
- Simplifies compilation and building module packages
- Integrated remote policy installation and audit log monitoring
- Supports both modular and monolithic policy development

- Based on NSA example policy
- Actively developed by Tresys Technology
- Complete SELinux policy
- Basis for creating policies within SLIDE

- Installed Fedora 12 distribution
- Packages Needed:
- eclipse-slide (Eclipse with plugin)
- slideRemote-moduler (for policy testing)
- SSH Server (for policy testing)
- setools-console (optional GUI console)
- Used selinux-policy
- Downloaded src (refpolicy) for use with SLIDE

- Text-mode IRC client
- Create new “irssi” policy module using reference policy

[Figure: SLIDE screenshot with labels: Editor Tabs; Policy Explorer; Layer; Module; Build Output]

- SELinux is complicated and requires extensive knowledge of the reference policy.
- SLIDE does make developing policies easier by performing difficult tasks such as compiling, packaging, and installing policies remotely.
