
1 Red Hat Enterprise Linux 5 Security, April 2007

2 Red Hat Development Model
Collaboration with partners and open source contributors to develop technology
Deliver complete distributions in two stages for two users
● First stage
  ● Fedora: the development vehicle
  ● New versions approximately twice each year
  ● Unsupported
  ● Fast moving, latest technology
● Second stage
  ● Red Hat Enterprise Linux
  ● New versions approximately every 18-24 months
  ● Supported and certified
  ● Stable, mature, commercially focused technologies

3 Security: SELinux
Security-Enhanced Linux – strong, flexible MAC architecture
Initially a research prototype out of NSA; now part of the Linux 2.6 kernel
Initial focus on Type Enforcement (TE)
● Principle of least privilege

4 Security: SELinux Example
● Basic example SELinux httpd policy
  ● Listen on port 80 on eth1
  ● Read /etc/httpd/httpd.conf
  ● Read/append /var/log/httpd/*
  ● Read /var/www/html/*
● A successful attacker is limited to these actions
(Diagram: "Without SELinux" versus "With SELinux")

5 SELinux Key Components
Kernel
● Makes all access decisions
● Access checks
● Loadable Security Module
Applications
● Most applications are not SELinux aware
● Fewer than 50 SELinux-aware applications
Policy
● Rules database that defines what is “allowed”
● Flexible rules that allow you to protect everything from a laptop in general use to the highest levels of security in DOD

6 How does SELinux enforce policy?
Every process and file is tagged with a security context
● Files are tagged via extended attributes. New files are assigned a context via default policy
  ● Defaults to the context of the parent directory
  ● Policy might state that files created in /var/log by named get named_log_t
Kernel assigns a context to processes via policy
Certain applications (e.g. login) are allowed by policy to set the context of the next executed program

7 How SELinux Enforces Security Policy
(Diagram: the SELinux kernel's security enforcement module, driven by the security policy, permits or denies accesses to all objects. Subjects, processes Pa and Pb running with the security contexts of users Ua and Ub, request access to objects: files Fa and Fb and devices Da and Db. Permission is granted or denied per object.)

8 Security: SELinux Enhancements in RHEL 5
Supports multiple MAC models: TE, RBAC, MLS/MCS
● TE ensures system integrity
● MLS/MCS ensures data confidentiality
Expanded SELinux targeted policy coverage
● Provides coverage for all core system services, versus 11 in Red Hat Enterprise Linux 4
Includes support for the Multi Level Security (MLS) enforcement model
● In addition to the existing RBAC and TE models
● Uses the Bell-LaPadula model - “no read up, no write down” - in addition to TE
● LSPP security certification and support with IBM and TCS
  ● Common Criteria EAL4+/CAPP/LSPP/RBACPP
  ● Partnered with IBM and TCS to deliver MLS and cross-domain solutions

9 Security: SELinux Enhancements
Greatly improved logging, with easy-to-decipher information

OLD: Red Hat Enterprise Linux 4 /var/log/messages entry

time->Thu Aug 24 15:50:58 2006
type=AVC_PATH msg=audit(1156449058.917:552): path="/var/www/html/index.html"
type=SYSCALL msg=audit(1156449058.917:552): arch=40000003 syscall=196 success=no exit=-13 a0=8d4d4d0 a1=bfb5e97c a2=434ff4 a3=2008171 items=0 ppid=23799 pid=23805 auid=3267 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1156449058.917:552): avc: denied { getattr } for pid=23805 comm="httpd" name="index.html" dev=dm-0 ino=6260297 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file

NEW: Red Hat Enterprise Linux 5 /var/log/messages entry

Aug 24 15:53:10 localhost /usr/sbin/setroubleshootd: SELinux is preventing /usr/sbin/httpd "getattr" access to /var/www/html/index.html. See audit.log for complete SELinux messages.
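As an added example (not part of the slides), the Python below parses an AVC denial record of the kind shown above, produces a setroubleshoot-style one-line explanation, and derives the candidate Type Enforcement allow rule the denial corresponds to, which is the kind of rule the httpd policy on slide 4 is built from. The sample record is constructed from the slide's denial; the regexes and the wording of the summary are this example's own, not setroubleshoot's or audit2allow's.

```python
import re
from dataclasses import dataclass

# Constructed sample: the RHEL 5 AVC record from the slide, on one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1156449058.917:552): avc: denied { getattr } for '
    'pid=23805 comm="httpd" name="index.html" dev=dm-0 ino=6260297 '
    'scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file'
)

# Shape: 'avc: denied { perm ... } for key=value key="quoted value" ...'
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class AvcRecord:
    verdict: str   # "denied" or "granted"
    perms: list    # requested permissions, e.g. ["getattr"]
    fields: dict   # pid, comm, name, scontext, tcontext, tclass, ...

def parse_avc(line):
    # Return an AvcRecord for an AVC line; None for SYSCALL/AVC_PATH or anything else.
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return AvcRecord(m.group('verdict'), m.group('perms').split(), fields)

def context_type(ctx):
    # user:role:type[:level] -> type; the MLS/MCS level (s0) is optional.
    return ctx.split(':')[2]

def allow_rule(rec):
    # Candidate TE rule that would permit exactly this access (audit2allow's output form).
    # A denial against user_home_t under /var/www/html usually means the file is
    # mislabeled, so check the label (restorecon) before loading such a rule.
    return 'allow %s %s:%s { %s };' % (
        context_type(rec.fields['scontext']), context_type(rec.fields['tcontext']),
        rec.fields['tclass'], ' '.join(rec.perms))

def summarize(rec):
    # setroubleshoot-style one-line explanation, like the RHEL 5 syslog entry.
    f = rec.fields
    return 'SELinux is preventing %s (%s) "%s" access to %s (%s, %s)' % (
        f.get('comm', '?'), context_type(f['scontext']), ' '.join(rec.perms),
        f.get('name', f.get('path', '?')), f['tclass'], context_type(f['tcontext']))

print(summarize(parse_avc(SAMPLE_AVC)))
print(allow_rule(parse_avc(SAMPLE_AVC)))
```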

10 Security: SELinux Enhancements
setroubleshoot provides clear, easy-to-understand, GUI-based security violation notifications
Over 60 events defined today

11 Security: SELinux Enhancements
system-config-selinux provides a GUI tool for configuring and managing SELinux

12 Ultra Secure Standards
● Controlled Access Protection Profile - EAL4/CAPP
● Labeled Security Protection Profile - EAL4+/LSPP
● Multi Level Security (MLS)
● SELinux is the only mainstream OS in the world with MLS AND Type Enforcement.
● SELinux is being used all over the Department of Defense, including war zones.
● Unlike Trusted OSes
  ● SELinux == Red Hat Enterprise Linux
